<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<?rfc rfcedstyle="yes"?>
<?rfc tocindent="yes"?>
<?rfc strict="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc text-list-symbols="-o*+"?>
<?rfc docmapping="yes"?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="pre5378Trust200902" docName="draft-ietf-tls-rfc9147bis-02" category="std" consensus="true" obsoletes="9147" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="DTLS 1.3">The Datagram Transport Layer Security (DTLS) Protocol Version 1.3</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-tls-rfc9147bis-02"/>
    <author initials="E." surname="Rescorla" fullname="Eric Rescorla">
      <organization>Independent</organization>
      <address>
        <email>ekr@rtfm.com</email>
      </address>
    </author>
    <author initials="H." surname="Tschofenig" fullname="Hannes Tschofenig">
      <organization abbrev="UniBw M.">University of the Bundeswehr Munich</organization>
      <address>
        <postal>
          <city>Neubiberg</city>
          <region>Bavaria</region>
          <code>85577</code>
          <country>Germany</country>
        </postal>
        <email>hannes.tschofenig@gmx.net</email>
      </address>
    </author>
    <author initials="N." surname="Modadugu" fullname="Nagendra Modadugu">
      <organization>Google, Inc.</organization>
      <address>
        <email>nagendra@cs.stanford.edu</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Security</area>
    <workgroup>TLS</workgroup>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <?line 88?>

<t>This document specifies version 1.3 of the Datagram Transport Layer Security
(DTLS) protocol. DTLS 1.3 allows client/server applications to communicate over the
Internet in a way that is designed to prevent eavesdropping, tampering, and message
forgery.</t>
      <t>The DTLS 1.3 protocol is based on the Transport Layer Security (TLS)
1.3 protocol and provides equivalent security guarantees with the exception of order protection / non-replayability.  Datagram semantics of the underlying transport are preserved by the DTLS protocol.</t>
      <t>This document obsoletes RFC 6347.</t>
    </abstract>
  </front>
  <middle>
    <?line 100?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>The primary goal of the TLS protocol is to establish an authenticated,
confidentiality- and integrity-protected channel between two communicating peers.
The TLS protocol is composed of two layers:
the TLS record protocol and the TLS handshake protocol. However, TLS must
run over a reliable transport channel -- typically TCP <xref target="RFC0793"/>.</t>
      <t>There are applications that use UDP <xref target="RFC0768"/> as a transport and
the Datagram Transport Layer Security (DTLS) protocol has been developed
to offer communication security protection for those applications.
DTLS is deliberately designed to be
as similar to TLS as possible, both to minimize new security invention and to
maximize the amount of code and infrastructure reuse.</t>
      <t>DTLS 1.0 <xref target="RFC4347"/> was originally defined as a delta from TLS 1.1 <xref target="RFC4346"/>, and
DTLS 1.2 <xref target="RFC6347"/> was defined as a series of deltas to TLS 1.2 <xref target="RFC5246"/>.  There
is no DTLS 1.1; that version number was skipped in order to harmonize version numbers
with TLS.  This specification describes the most current version of the DTLS protocol
as a delta from TLS 1.3 <xref target="TLS13"/>. It obsoletes DTLS 1.2.</t>
      <t>Implementations that speak both DTLS 1.2 and DTLS 1.3 can interoperate with those
that speak only DTLS 1.2 (using DTLS 1.2 of course), just as TLS 1.3 implementations
can interoperate with TLS 1.2 (see Appendix D of <xref target="TLS13"/> for details).
While backwards compatibility with DTLS 1.0 is possible, the use of DTLS 1.0 is not
recommended, as explained in Section 3.1.2 of <xref target="RFC7525"/>.
<xref target="DEPRECATE"/> forbids the use of DTLS 1.0.</t>
    </section>
    <section anchor="conventions-and-terminology">
      <name>Conventions and Terminology</name>
      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
"SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/>
when, and only when, they appear in all capitals, as shown here.</t>
      <t>The following terms are used:</t>
      <ul spacing="normal">
        <li>
          <t>client: The endpoint initiating the DTLS connection.</t>
        </li>
        <li>
          <t>association: Shared state between two endpoints established with
a DTLS handshake.</t>
        </li>
        <li>
          <t>connection: Synonym for association.</t>
        </li>
        <li>
          <t>endpoint: Either the client or server of the connection.</t>
        </li>
        <li>
          <t>epoch: one set of cryptographic keys used for encryption and decryption.</t>
        </li>
        <li>
          <t>handshake: An initial negotiation between client and server that establishes
the parameters of the connection.</t>
        </li>
        <li>
          <t>peer: An endpoint. When discussing a particular endpoint, "peer" refers to
the endpoint that is remote to the primary subject of discussion.</t>
        </li>
        <li>
          <t>receiver: An endpoint that is receiving records.</t>
        </li>
        <li>
          <t>sender: An endpoint that is transmitting records.</t>
        </li>
        <li>
          <t>server: The endpoint which did not initiate the DTLS connection.</t>
        </li>
        <li>
          <t>CID: Connection ID</t>
        </li>
        <li>
          <t>MSL: Maximum Segment Lifetime</t>
        </li>
      </ul>
      <t>The reader is assumed to be familiar with <xref target="TLS13"/>.
As in TLS 1.3, the HelloRetryRequest has the same format as a ServerHello
message, but for convenience we use the term HelloRetryRequest throughout
this document as if it were a distinct message.</t>
      <t>DTLS 1.3 uses network byte order (big-endian) format for encoding messages
based on the encoding format defined in <xref target="TLS13"/> and earlier (D)TLS specifications.</t>
      <t>The reader is also assumed to be familiar with <xref target="RFC9146"/>
as this document applies the CID functionality to DTLS 1.3.</t>
      <t>Figures in this document illustrate various combinations of the DTLS protocol exchanges, and the symbols have the following meaning:</t>
      <ul spacing="normal">
        <li>
          <t>'+'  indicates noteworthy extensions sent in the previously noted message.</t>
        </li>
        <li>
          <t>'*'  indicates optional or situation-dependent messages/extensions that are not always sent.</t>
        </li>
        <li>
          <t>'{}' indicates messages protected using keys derived from a [sender]_handshake_traffic_secret.</t>
        </li>
        <li>
          <t>'[]' indicates messages protected using keys derived from traffic_secret_N.</t>
        </li>
      </ul>
    </section>
    <section anchor="dtls-rational">
      <name>DTLS Design Rationale and Overview</name>
      <t>The basic design philosophy of DTLS is to construct "TLS over datagram transport".
Datagram transport neither requires nor provides reliable or in-order delivery of data.
The DTLS protocol preserves this property for application data.
Applications such as media streaming, Internet telephony, and online gaming use
datagram transport for communication due to the delay-sensitive nature
of transported data.  The behavior of such applications is unchanged when the
DTLS protocol is used to secure communication, since the DTLS protocol
does not compensate for lost or reordered data traffic. Note that while
low-latency streaming and gaming use DTLS to protect data (e.g., for
protection of a WebRTC data channel), telephony utilizes DTLS for
key establishment and the Secure Real-time Transport Protocol (SRTP) for
protection of data <xref target="RFC5763"/>.</t>
      <t>TLS cannot be used directly over datagram transports for the following four reasons:</t>
      <ol spacing="normal" type="1"><li>
          <t>TLS relies on an implicit sequence number on records.  If a record is not
received, then the recipient will use the wrong sequence number when
attempting to remove record protection from subsequent records. DTLS solves
this problem by adding sequence numbers to records.</t>
        </li>
        <li>
          <t>The TLS handshake is a lock-step cryptographic protocol.  Messages
must be transmitted and received in a defined order; any other
order is an error.  The DTLS handshake includes message sequence
numbers to enable fragmented message reassembly and in-order
delivery in case datagrams are lost or reordered.</t>
        </li>
        <li>
          <t>Handshake messages are potentially larger than can be contained in a single
datagram.  DTLS adds fields to handshake messages to support fragmentation
and reassembly.</t>
        </li>
        <li>
          <t>Datagram transport protocols are susceptible to abusive behavior
effecting denial-of-service (DoS) attacks against nonparticipants.  DTLS adds a
return-routability check and DTLS 1.3 uses the TLS 1.3 HelloRetryRequest message
(see <xref target="dos"/> for details).</t>
        </li>
      </ol>
      <section anchor="packet-loss">
        <name>Packet Loss</name>
        <t>DTLS uses a simple retransmission timer to handle packet loss.
<xref target="dtls-retransmission"/> demonstrates the basic concept, using the first
phase of the DTLS handshake:</t>
        <figure anchor="dtls-retransmission">
          <name>DTLS Retransmission Example</name>
          <artwork><![CDATA[
         Client                                   Server
         ------                                   ------
         ClientHello           ------>

                                 X<-- HelloRetryRequest
                                                  (lost)

         [Timer Expires]

         ClientHello           ------>
         (retransmit)
]]></artwork>
        </figure>
        <t>Once the client has transmitted the ClientHello message, it expects
to see a HelloRetryRequest or a ServerHello from the server. However, if the
timer expires, the client knows that either the
ClientHello or the response from the server has been lost, which
causes the client
to retransmit the ClientHello. When the server receives the retransmission,
it knows to retransmit its HelloRetryRequest or ServerHello.</t>
        <t>The server also maintains a retransmission timer for messages it
sends (other than HelloRetryRequest) and retransmits when that timer expires. Not
applying retransmissions to the HelloRetryRequest avoids the need to
create state on the server.  The HelloRetryRequest is designed to be
small enough that it will not itself be fragmented, thus avoiding
concerns about interleaving multiple HelloRetryRequests.</t>
        <t>For more detail on timeouts and retransmission,
see <xref target="timeout-retransmissions"/>.</t>
      </section>
      <section anchor="reordering">
        <name>Reordering</name>
        <t>In DTLS, each handshake message is assigned a specific sequence
number.  When a peer receives a handshake
message, it can quickly determine whether that message is the next
message it expects.  If it is, then it processes it.  If not, it
queues it for future handling once all previous messages have been
received.</t>
      </section>
      <section anchor="fragmentation">
        <name>Fragmentation</name>
        <t>TLS and DTLS handshake messages can be quite large (in theory up to
2^24-1 bytes, in practice many kilobytes).  By contrast, UDP
datagrams are often limited to less than 1500 bytes if IP fragmentation is not
desired.  In order to compensate for this limitation, each DTLS
handshake message may be fragmented over several DTLS records, each
of which is intended to fit in a single UDP datagram
(see <xref target="pmtu-issues"/> for guidance). Each DTLS
handshake message contains both a fragment offset and a fragment
length.  Thus, a recipient in possession of all bytes of a handshake
message can reassemble the original unfragmented message.</t>
      </section>
      <section anchor="replay-detection">
        <name>Replay Detection</name>
        <t>DTLS optionally supports record replay detection.  The technique used
is the same as in IPsec AH/ESP, by maintaining a bitmap window of
received records.  Records that are too old to fit in the window and
records that have previously been received are silently discarded.
The replay detection feature is optional, since packet duplication is
not always malicious but can also occur due to routing errors.
Applications may conceivably detect duplicate packets and accordingly
modify their data transmission strategy.</t>
      </section>
    </section>
    <section anchor="the-dtls-record-layer">
      <name>The DTLS Record Layer</name>
      <t>The DTLS 1.3 record layer is different from the TLS 1.3 record layer and
also different from the DTLS 1.2 record layer.</t>
      <ol spacing="normal" type="1"><li>
          <t>The DTLSCiphertext structure omits the superfluous version number and
type fields.</t>
        </li>
        <li>
          <t>DTLS adds an epoch and sequence number to the TLS record header.
This sequence number allows the recipient to correctly decrypt and verify DTLS records.
However, the number of bits used for the epoch and sequence number fields in
the DTLSCiphertext structure has been reduced from those in previous
versions.</t>
        </li>
        <li>
          <t>The DTLS epoch serialized in DTLSPlaintext is 2 octets long for compatibility
with DTLS 1.2. However, this value is set as the least significant 2 octets
of the connection epoch, which is an 8 octet counter incremented on every
KeyUpdate. See <xref target="seq-and-epoch"/> for details. The sequence number is set to
be the low order 48 bits of the 64 bit sequence number. Plaintext records
MUST NOT be sent with sequence numbers that would exceed 2^48-1, so the
upper 16 bits will always be 0.</t>
        </li>
        <li>
          <t>The DTLSCiphertext structure has a variable-length header.</t>
        </li>
      </ol>
      <t>DTLSPlaintext records are used to send unprotected records and DTLSCiphertext
records are used to send protected records.</t>
      <t>The DTLS record formats are shown below. Unless explicitly stated the
meaning of the fields is unchanged from previous TLS/DTLS versions.</t>
      <figure anchor="dtls-record">
        <name>DTLS 1.3 Record Formats</name>
        <artwork><![CDATA[
    struct {
        ContentType type;
        ProtocolVersion legacy_record_version;
        uint16 epoch = 0
        uint48 sequence_number;
        uint16 length;
        opaque fragment[DTLSPlaintext.length];
    } DTLSPlaintext;

    struct {
         opaque content[DTLSPlaintext.length];
         ContentType type;
         uint8 zeros[length_of_padding];
    } DTLSInnerPlaintext;

    struct {
        opaque unified_hdr[variable];
        opaque encrypted_record[length];
    } DTLSCiphertext;
]]></artwork>
      </figure>
      <dl>
        <dt>legacy_record_version:</dt>
        <dd>
          <t>This value MUST be set to {254, 253} for all records other
than the initial ClientHello (i.e., one not generated after a HelloRetryRequest),
where it may also be {254, 255} for compatibility purposes.
It MUST be ignored for all purposes. See <xref target="TLS13"/>, Appendix D.1
for the rationale for this.</t>
        </dd>
        <dt>epoch:</dt>
        <dd>
          <t>The least significant 2 bytes of the connection epoch value.</t>
        </dd>
        <dt>unified_hdr:</dt>
        <dd>
          <t>The unified header (unified_hdr) is a structure of variable length, shown in <xref target="cid_hdr"/>.</t>
        </dd>
        <dt>encrypted_record:</dt>
        <dd>
          <t>The encrypted form of the serialized DTLSInnerPlaintext structure.</t>
        </dd>
      </dl>
      <figure anchor="cid_hdr">
        <name>DTLS 1.3 Unified Header</name>
        <artwork><![CDATA[
    0 1 2 3 4 5 6 7
    +-+-+-+-+-+-+-+-+
    |0|0|1|C|S|L|E E|
    +-+-+-+-+-+-+-+-+
    | Connection ID |   Legend:
    | (if any,      |
    /  length as    /   C   - Connection ID (CID) present
    |  negotiated)  |   S   - Sequence number length
    +-+-+-+-+-+-+-+-+   L   - Length present
    |  8 or 16 bit  |   E   - Epoch
    |Sequence Number|
    +-+-+-+-+-+-+-+-+
    | 16 bit Length |
    | (if present)  |
    +-+-+-+-+-+-+-+-+
]]></artwork>
      </figure>
      <dl>
        <dt>Fixed Bits:</dt>
        <dd>
          <t>The three high bits of the first byte of the unified header are set to
001. This ensures that the value will fit within the DTLS region when
multiplexing is performed as described in <xref target="RFC7983"/>. It also ensures
that distinguishing encrypted DTLS 1.3 records from encrypted DTLS 1.2
records is possible when they are carried on the same host/port quartet;
such multiplexing is only possible when CIDs <xref target="RFC9146"/>
are in use, in which case DTLS 1.2 records will have the content type tls12_cid (25).</t>
        </dd>
        <dt>C:</dt>
        <dd>
          <t>The C bit (0x10) is set if the Connection ID is present.</t>
        </dd>
        <dt>S:</dt>
        <dd>
          <t>The S bit (0x08) indicates the size of the sequence number.
0 means an 8-bit sequence number, 1 means 16-bit.
 Implementations MAY mix sequence numbers of different lengths
 on the same connection.</t>
        </dd>
        <dt>L:</dt>
        <dd>
          <t>The L bit (0x04) is set if the length is present.</t>
        </dd>
        <dt>E:</dt>
        <dd>
          <t>The two low bits (0x03) include the low-order two bits of the epoch.</t>
        </dd>
        <dt>Connection ID:</dt>
        <dd>
          <t>Variable-length CID. The CID functionality
is described in <xref target="RFC9146"/>. An example
can be found in <xref target="connection-id-example"/>.</t>
        </dd>
        <dt>Sequence Number:</dt>
        <dd>
          <t>The low-order 8 or 16 bits of the record sequence number.  This value is 16
bits if the S bit is set to 1, and 8 bits if the S bit is 0.</t>
        </dd>
        <dt>Length:</dt>
        <dd>
          <t>Identical to the length field in a TLS 1.3 record.</t>
        </dd>
      </dl>
      <t>As with previous versions of DTLS, multiple DTLSPlaintext
and DTLSCiphertext records can be included in the same
underlying transport datagram.</t>
      <t><xref target="hdr_examples"/> illustrates different record headers.</t>
      <figure anchor="hdr_examples">
        <name>DTLS 1.3 Header Examples</name>
        <artwork><![CDATA[
 0 1 2 3 4 5 6 7       0 1 2 3 4 5 6 7       0 1 2 3 4 5 6 7
+-+-+-+-+-+-+-+-+     +-+-+-+-+-+-+-+-+     +-+-+-+-+-+-+-+-+
| Content Type  |     |0|0|1|1|1|1|E E|     |0|0|1|0|0|0|E E|
+-+-+-+-+-+-+-+-+     +-+-+-+-+-+-+-+-+     +-+-+-+-+-+-+-+-+
|   16 bit      |     |               |     |8 bit Seq. No. |
|   Version     |     / Connection ID /     +-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+     |               |     |               |
|   16 bit      |     +-+-+-+-+-+-+-+-+     |   Encrypted   |
|    Epoch      |     |    16 bit     |     /   Record      /
+-+-+-+-+-+-+-+-+     |Sequence Number|     |               |
|               |     +-+-+-+-+-+-+-+-+     +-+-+-+-+-+-+-+-+
|               |     |   16 bit      |
|   48 bit      |     |   Length      |       DTLSCiphertext
|Sequence Number|     +-+-+-+-+-+-+-+-+         Structure
|               |     |               |         (minimal)
|               |     |  Encrypted    |
+-+-+-+-+-+-+-+-+     /  Record       /
|    16 bit     |     |               |
|    Length     |     +-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+
|               |      DTLSCiphertext
|               |        Structure
/   Fragment    /          (full)
|               |
+-+-+-+-+-+-+-+-+

 DTLSPlaintext
   Structure
]]></artwork>
      </figure>
      <t>The length field MAY be omitted by clearing the L bit, which means that the
record consumes the entire rest of the datagram in the lower
level transport. In this case, it is not possible to have multiple
DTLSCiphertext format records without length fields in the same datagram.
Omitting the length field MUST only be used for the last record in a
datagram. Implementations MAY mix records with and without length
fields on the same connection.</t>
      <t>If a Connection ID is negotiated, then it MUST be contained in all
datagrams. Sending implementations MUST NOT mix records from multiple DTLS associations
in the same datagram. If the second or later record has a connection
ID which does not correspond to the same association used
for previous records, the rest of the datagram MUST be discarded.</t>
      <t>When expanded, the epoch and sequence number can be combined into an
unpacked RecordNumber structure, as shown below:</t>
      <artwork><![CDATA[
    struct {
        uint64 epoch;
        uint64 sequence_number;
    } RecordNumber;
]]></artwork>
      <t>This 128-bit value is used in the ACK message.
The entire header value shown in <xref target="hdr_examples"/> (but prior to record number
encryption; see <xref target="rne"/>) is used as the additional data value for the
AEAD
function. For instance, if the minimal variant is used,
the Associated Data (AD)
is 2 octets long. Note that this design is different from the additional data
calculation for DTLS 1.2 and for DTLS 1.2 with Connection IDs.
In DTLS 1.3 the 64-bit sequence_number is used as the sequence number for
the AEAD computation; unlike DTLS 1.2, the epoch is not included.</t>
      <section anchor="demultiplexing-dtls-records">
        <name>Demultiplexing DTLS Records</name>
        <t>DTLS 1.3's header format is more complicated to demux than
DTLS 1.2, which always carried the content type as the first
byte. As described in <xref target="demux"/>, the first byte determines how an incoming
DTLS record is demultiplexed. The first 3 bits of the first byte
distinguish a DTLS 1.3 encrypted record from record types used in
previous DTLS versions and plaintext DTLS 1.3 record types. Hence, the
range 32 (0b0010 0000) to 63 (0b0011 1111) needs to be excluded
from future allocations by IANA to avoid problems while demultiplexing;
see <xref target="iana-considerations"/>.
Implementations can demultiplex DTLS 1.3 records
by examining the first byte as follows:</t>
        <ul spacing="normal">
          <li>
            <t>If the first byte is alert(21), handshake(22), or ack(26),
the record MUST be interpreted as a DTLSPlaintext record.</t>
          </li>
          <li>
            <t>If the first byte is any other value, then receivers
MUST check to see if the leading bits of the first byte are
001. If so, the implementation MUST process the record as
DTLSCiphertext; the true content type will be inside the
protected portion.</t>
          </li>
          <li>
            <t>Otherwise, the record MUST be rejected as if it had failed
deprotection, as described in <xref target="handling-invalid-records"/>.</t>
          </li>
        </ul>
        <t><xref target="demux"/> shows this demultiplexing procedure graphically,
taking DTLS 1.3 and earlier versions of DTLS into account.</t>
        <figure anchor="demux">
          <name>Demultiplexing DTLS 1.2 and DTLS 1.3 Records</name>
          <artwork><![CDATA[
             +----------------+
             | Outer Content  |
             |   Type (OCT)   |
             |                |
             |   OCT == 20   -+--> ChangeCipherSpec (DTLS <1.3)
             |   OCT == 21   -+--> Alert (Plaintext)
             |   OCT == 22   -+--> DTLSHandshake (Plaintext)
             |   OCT == 23   -+--> Application Data (DTLS <1.3)
             |   OCT == 24   -+--> Heartbeat (DTLS <1.3)
packet  -->  |   OCT == 25   -+--> DTLSCiphertext with CID (DTLS 1.2)
             |   OCT == 26   -+--> ACK (DTLS 1.3, Plaintext)
             |                |
             |                |   /+----------------+\
             | 31 < OCT < 64 -+--> |DTLSCiphertext  |
             |                |    |(header bits    |
             |      else      |    | start with 001)|
             |       |        |   /+-------+--------+\
             +-------+--------+            |
                     |                     |
                     v          Decryption |
               +---------+          +------+
               |  Reject |          |
               +---------+          v
                            +----------------+
                            | Decrypted      |
                            | Content Type   |
                            | (DCT)          |
                            |                |
                            |     DCT == 21 -+--> Alert
                            |     DCT == 22 -+--> DTLSHandshake
                            |     DCT == 23 -+--> Application Data
                            |     DCT == 24 -+--> Heartbeat
                            |     DCT == 26 -+--> ACK
                            |     else ------+--> Error
                            +----------------+
]]></artwork>
        </figure>
      </section>
      <section anchor="seq-and-epoch">
        <name>Sequence Number and Epoch</name>
        <t>DTLS uses an explicit or partly explicit sequence number, rather than an implicit one,
carried in the sequence_number field of the record.  Sequence numbers
are maintained separately for each epoch, with each sequence_number
initially being 0 for each epoch.</t>
        <t>The epoch number is initially zero and is incremented each time
keying material changes and a sender aims to rekey. More details
are provided in <xref target="dtls-epoch"/>.</t>
        <section anchor="processing-guidelines">
          <name>Processing Guidelines</name>
          <t>Because DTLS records could be reordered, a record from epoch
M may be received after epoch N (where N &gt; M) has begun.
Implementations SHOULD discard records from earlier epochs but
MAY choose to
retain keying material from previous epochs for up to the default MSL
specified for TCP <xref target="RFC0793"/> to allow for packet reordering.  (Note that
the intention here is that implementers use the current guidance from
the IETF for MSL, as specified in <xref target="RFC0793"/> or successors,
not that they attempt to interrogate the MSL that
the system TCP stack is using.)</t>
          <t>Conversely, it is possible for records that are protected with the
new epoch to be received prior to the completion of a
handshake.  For instance, the server may send its Finished message
and then start transmitting data.  Implementations MAY either buffer
or discard such records, though when DTLS is used over reliable
transports (e.g., SCTP <xref target="RFC4960"/>), they SHOULD be buffered and
processed once the handshake completes.  Note that TLS's restrictions
on when records may be sent still apply, and the receiver treats the
records as if they were sent in the right order.</t>
          <t>Implementations MUST send retransmissions of lost messages using the same
epoch and keying material as the original transmission.</t>
          <t>Implementations MUST either abandon an association or rekey prior to
allowing the sequence number to wrap.</t>
          <t>Implementations MUST NOT allow the epoch to wrap, but instead MUST
establish a new association, terminating the old association.</t>
        </section>
        <section anchor="reconstructing">
          <name>Reconstructing the Sequence Number and Epoch</name>
          <t>When receiving protected DTLS records, the recipient does not
have a full epoch or sequence number value in the record and so there is some
opportunity for ambiguity.  Because the full sequence number
is used to compute the per-record nonce and the epoch determines
the keys, failure to reconstruct these
values leads to failure to deprotect the record, and so implementations
MAY use a mechanism of their choice to determine the full values.
This section provides an algorithm which is comparatively simple
and which implementations are RECOMMENDED to follow.</t>
          <t>If the epoch bits match those of the current epoch, then
implementations SHOULD reconstruct the sequence number by computing
the full sequence number which is numerically closest to one plus the
sequence number of the highest successfully deprotected record in the
current epoch.</t>
          <t>During the handshake phase, the epoch bits unambiguously indicate the
correct key to use. After the
handshake is complete, if the epoch bits do not match those from the
current epoch, implementations SHOULD use the most recent past epoch
which has matching bits, and then reconstruct the sequence number for
that epoch as described above.</t>
        </section>
        <section anchor="rne">
          <name>Record Number Encryption</name>
          <t>In DTLS 1.3, when records are encrypted, record sequence numbers are
also encrypted. The basic pattern is that the underlying encryption
algorithm used with the AEAD algorithm is used to generate a mask
which is then XORed with the sequence number.</t>
          <t>When the AEAD is based on AES, then the mask is generated by
computing AES-ECB on the first 16 bytes of the ciphertext:</t>
          <artwork><![CDATA[
  Mask = AES-ECB(sn_key, Ciphertext[0..15])
]]></artwork>
          <t>When the AEAD is based on ChaCha20, then the mask is generated
by treating the first 4 bytes of the ciphertext as the block
counter and the next 12 bytes as the nonce, passing them to the ChaCha20
block function (Section 2.3 of <xref target="CHACHA"/>):</t>
          <artwork><![CDATA[
  Mask = ChaCha20(sn_key, Ciphertext[0..3], Ciphertext[4..15])
]]></artwork>
          <t>The sn_key is computed as follows:</t>
          <artwork><![CDATA[
   [sender]_sn_key = HKDF-Expand-Label(Secret, "sn", "", key_length)
]]></artwork>
          <t>[sender] denotes the sending side. The per-epoch Secret value to be used is described
in Section 7.3 of <xref target="TLS13"/>. Note that a new key is used for each epoch:
because the epoch is sent in the clear, this does not result in ambiguity.</t>
          <t>The encrypted sequence number is computed by XORing the leading
bytes of the mask with the on-the-wire representation of the
sequence number. Decryption is accomplished by the same process.</t>
          <t>This procedure requires the ciphertext length to be at least 16 bytes. Receivers
MUST reject shorter records as if they had failed deprotection, as described in
<xref target="handling-invalid-records"/>. Senders MUST pad short plaintexts out (using the
conventional record padding mechanism) in order to make a suitable-length
ciphertext. Note that most of the DTLS AEAD algorithms have a 16 byte authentication
tag and need no padding. However, some algorithms, such as
TLS_AES_128_CCM_8_SHA256, have a shorter authentication tag and may require padding
for short inputs.</t>
          <t>Future cipher suites, which are not based on AES or ChaCha20, MUST define
their own record sequence number encryption in order to be used with
DTLS.</t>
          <t>Note that sequence number encryption is only applied to the DTLSCiphertext
structure and not to the DTLSPlaintext structure, even though it also contains a
sequence number.</t>
        </section>
      </section>
      <section anchor="transport-layer-mapping">
        <name>Transport Layer Mapping</name>
        <t>DTLS messages MAY be fragmented into multiple DTLS records.
Each DTLS record MUST fit within a single datagram.  In order to
avoid IP fragmentation, clients of the DTLS record layer SHOULD
attempt to size records so that they fit within any Path MTU (PMTU) estimates
obtained from the record layer. For more information about PMTU issues,
see <xref target="pmtu-issues"/>.</t>
        <t>Multiple DTLS records MAY be placed in a single datagram.  Records are encoded
consecutively.  The length field from DTLS records containing that field can be
used to determine the boundaries between records.  The final record in a
datagram can omit the length field.  The first byte of the datagram payload MUST
be the beginning of a record.  Records MUST NOT span datagrams.</t>
        <t>DTLS records without CIDs do not contain any association
identifiers, and applications must arrange to multiplex between associations.
With UDP, the host/port number is used to look up the appropriate security
association for incoming records without CIDs.</t>
        <t>Some transports, such as DCCP <xref target="RFC4340"/>, provide their own sequence
numbers.  When carried over those transports, both the DTLS and the
transport sequence numbers will be present.  Although this introduces
a small amount of inefficiency, the transport layer and DTLS sequence
numbers serve different purposes; therefore, for conceptual simplicity,
it is superior to use both sequence numbers.</t>
        <t>Some transports provide congestion control for traffic
carried over them.  If the congestion window is sufficiently narrow,
DTLS handshake retransmissions may be held rather than transmitted
immediately, potentially leading to timeouts and spurious
retransmission.  When DTLS is used over such transports, care should
be taken not to overrun the likely congestion window. <xref target="RFC5238"/>
defines a mapping of DTLS to DCCP that takes these issues into account.</t>
      </section>
      <section anchor="pmtu-issues">
        <name>PMTU Issues</name>
        <t>In general, DTLS's philosophy is to leave PMTU discovery to the application.
However, DTLS cannot completely ignore the PMTU for three reasons:</t>
        <ul spacing="normal">
          <li>
            <t>The DTLS record framing expands the datagram size, thus lowering
the effective PMTU from the application's perspective.</t>
          </li>
          <li>
            <t>In some implementations, the application may not directly talk to
the network, in which case the DTLS stack may absorb ICMP
"Datagram Too Big" indications <xref target="RFC1191"/> or ICMPv6
"Packet Too Big" indications  <xref target="RFC4443"/>.</t>
          </li>
          <li>
            <t>The DTLS handshake messages can exceed the PMTU.</t>
          </li>
        </ul>
        <t>In order to deal with the first two issues, the DTLS record layer
SHOULD behave as described below.</t>
        <t>If PMTU estimates are available from the underlying transport
protocol, they should be made available to upper layer
protocols. In particular:</t>
        <ul spacing="normal">
          <li>
            <t>For DTLS over UDP, the upper layer protocol SHOULD be allowed to
obtain the PMTU estimate maintained in the IP layer.</t>
          </li>
          <li>
            <t>For DTLS over DCCP, the upper layer protocol SHOULD be allowed to
obtain the current estimate of the PMTU.</t>
          </li>
          <li>
            <t>For DTLS over TCP or SCTP, which automatically fragment and
reassemble datagrams, there is no PMTU limitation.  However, the
upper layer protocol MUST NOT write any record that exceeds the
maximum record size of 2^14 bytes.</t>
          </li>
        </ul>
        <t>The DTLS record layer SHOULD also allow the upper layer protocol to
discover the amount of record expansion expected by the DTLS
processing; alternately, it MAY report PMTU estimates minus the
estimated expansion from the transport layer and DTLS record
framing.</t>
        <t>Note that DTLS does not defend against spoofed ICMP messages;
implementations SHOULD ignore any such messages that indicate
PMTUs below the IPv4 and IPv6 minimums of 576 and 1280 bytes,
respectively.</t>
        <t>If there is a transport protocol indication that the PMTU was exceeded
(either via ICMP or via a
refusal to send the datagram as in Section 14 of <xref target="RFC4340"/>), then the
DTLS record layer MUST inform the upper layer protocol of the error.</t>
        <t>The DTLS record layer SHOULD NOT interfere with upper layer protocols
performing PMTU discovery, whether via <xref target="RFC1191"/> and <xref target="RFC4821"/> for
IPv4 or via <xref target="RFC8201"/> for IPv6.  In particular:</t>
        <ul spacing="normal">
          <li>
            <t>Where allowed by the underlying transport protocol, the upper
layer protocol SHOULD be allowed to set the state of the Don't Fragment (DF) bit
(in IPv4) or prohibit local fragmentation (in IPv6).</t>
          </li>
          <li>
            <t>If the underlying transport protocol allows the application to
request PMTU probing (e.g., DCCP), the DTLS record layer SHOULD
honor this request.</t>
          </li>
        </ul>
        <t>The final issue is the DTLS handshake protocol.  From the perspective
of the DTLS record layer, this is merely another upper layer
protocol.  However, DTLS handshakes occur infrequently and involve
only a few round trips; therefore, the handshake protocol PMTU
handling places a premium on rapid completion over accurate PMTU
discovery.  In order to allow connections under these circumstances,
DTLS implementations SHOULD follow the following rules:</t>
        <ul spacing="normal">
          <li>
            <t>If the DTLS record layer informs the DTLS handshake layer that a
message is too big, the handshake layer SHOULD immediately attempt to fragment
the message, using any existing information about the PMTU.</t>
          </li>
          <li>
            <t>If repeated retransmissions do not result in a response, and the
PMTU is unknown, subsequent retransmissions SHOULD back off to a
smaller record size, fragmenting the handshake message as
appropriate.  This specification does not specify an exact number of
retransmits to attempt before backing off, but 2-3 seems
appropriate.</t>
          </li>
        </ul>
      </section>
      <section anchor="record-payload-protection">
        <name>Record Payload Protection</name>
        <t>Like TLS, DTLS transmits data as a series of protected records.  The
rest of this section describes the details of that format.</t>
        <section anchor="anti-replay">
          <name>Anti-Replay</name>
          <t>Each DTLS record contains a sequence number to provide replay protection.
Sequence number verification SHOULD be performed using the following
sliding window procedure, borrowed from Section 3.4.3 of <xref target="RFC4303"/>.
Because each epoch resets the sequence number space, a separate sliding
window is needed for each epoch.</t>
          <t>The received record counter for an epoch MUST be initialized to
zero when that epoch is first used. For each received record, the
receiver MUST verify that the record contains a sequence number that
does not duplicate the sequence number of any other record received
in that epoch during the lifetime of the association.
This check SHOULD happen after
deprotecting the record; otherwise, the record discard might itself
serve as a timing channel for the record number. Note that computing
the full record number from the partial is still a potential timing
channel for the record number, though a less powerful one than whether
the record was deprotected.</t>
          <t>Duplicates are rejected through the use of a sliding receive window.
(How the window is implemented is a local matter, but the following
text describes the functionality that the implementation must
exhibit.) The receiver SHOULD pick a window large enough to handle
any plausible reordering, which depends on the data rate.
(The receiver does not notify the sender of the window
size.)</t>
          <t>The "right" edge of the window represents the highest validated
sequence number value received in the epoch.  Records that contain
sequence numbers lower than the "left" edge of the window are
rejected.  Records falling within the window are checked against a
list of received records within the window.  An efficient means for
performing this check, based on the use of a bit mask, is described in
Section 3.4.3 of <xref target="RFC4303"/>. If the received record falls within the
window and is new, or if the record is to the right of the window,
then the record is new.</t>
          <t>The window MUST NOT be updated due to a received record until that
record has been deprotected  successfully.</t>
        </section>
        <section anchor="handling-invalid-records">
          <name>Handling Invalid Records</name>
          <t>Unlike TLS, DTLS is resilient in the face of invalid records (e.g.,
invalid formatting, length, MAC, etc.).  In general, invalid records
SHOULD be silently discarded, thus preserving the association;
however, an error MAY be logged for diagnostic purposes.
Implementations which choose to generate an alert instead MUST
generate fatal alerts to avoid attacks where the attacker
repeatedly probes the implementation to see how it responds to
various types of error.  Note that if DTLS is run over UDP, then any
implementation which does this will be extremely susceptible to
DoS attacks because UDP forgery is so easy.
Thus, generating fatal alerts is NOT RECOMMENDED for such transports, both
to increase the reliability of DTLS service and to avoid the risk
of spoofing attacks sending traffic to unrelated third parties.</t>
          <t>If DTLS is being carried over a transport that is resistant to
forgery (e.g., SCTP with SCTP-AUTH <xref target="RFC6083"/>), then it is safer to send alerts
because an attacker will have difficulty forging a datagram that will
not be rejected by the transport layer.</t>
          <t>Note that because invalid records are rejected at a layer lower than
the handshake state machine, they do not affect pending
retransmission timers.</t>
        </section>
        <section anchor="aead-lim">
          <name>AEAD Limits</name>
          <t>Section 5.5 of <xref target="TLS13"/> defines limits on the number of records that can
be protected using the same keys. These limits are specific to an AEAD
algorithm and apply equally to DTLS. Implementations SHOULD NOT protect more
records than allowed by the limit specified for the negotiated AEAD.
Implementations SHOULD initiate a key update before reaching this limit.</t>
          <t><xref target="TLS13"/> does not specify a limit for AEAD_AES_128_CCM, but the analysis in
<xref target="ccm-bounds"/> shows that a limit of 2^23 packets can be used to obtain the
same confidentiality protection as the limits specified in TLS.</t>
          <t>The usage limits defined in TLS 1.3 exist for protection against attacks
on confidentiality and apply to successful applications of AEAD protection. The
integrity protections in authenticated encryption also depend on limiting the
number of attempts to forge packets. TLS achieves this by closing connections
after any record fails an authentication check. In comparison, DTLS ignores any
packet that cannot be authenticated, allowing multiple forgery attempts.</t>
          <t>Implementations MUST count the number of received packets that fail
authentication with each key. If the number of packets that fail authentication
exceeds a limit that is specific to the AEAD in use, an implementation SHOULD
immediately close the connection. Implementations SHOULD initiate a key update
with update_requested before reaching this limit. Once a key update has been
initiated, the previous keys can be dropped when the limit is reached rather
than closing the connection. Applying a limit reduces the probability that an
attacker is able to successfully forge a packet; see <xref target="AEBounds"/> and
<xref target="ROBUST"/>.</t>
          <t>For AEAD_AES_128_GCM, AEAD_AES_256_GCM, and AEAD_CHACHA20_POLY1305, the limit
on the number of records that fail authentication is 2^36. Note that the
analysis in <xref target="AEBounds"/> supports a higher limit for AEAD_AES_128_GCM and
AEAD_AES_256_GCM, but this specification recommends a lower limit. For
AEAD_AES_128_CCM, the limit on the number of records that fail authentication
is 2^23.5; see <xref target="ccm-bounds"/>.</t>
          <t>The AEAD_AES_128_CCM_8 AEAD, as used in TLS_AES_128_CCM_8_SHA256, does not have a
limit on the number of records that fail authentication that both limits the
probability of forgery by the same amount and does not expose implementations
to the risk of denial of service; see <xref target="ccm-short"/>. Therefore,
TLS_AES_128_CCM_8_SHA256 MUST NOT be used in DTLS without additional safeguards
against forgery. Implementations MUST set usage limits for AEAD_AES_128_CCM_8
based on an understanding of any additional forgery protections that are used.</t>
          <t>Any TLS cipher suite that is specified for use with DTLS MUST define limits on
the use of the associated AEAD function that preserves margins for both
confidentiality and integrity. That is, limits MUST be specified for the number
of packets that can be authenticated and for the number of packets that can fail
authentication before a key update is required. Providing a reference to any analysis upon which values are
based -- and any assumptions used in that analysis -- allows limits to be adapted
to varying usage conditions.</t>
        </section>
      </section>
    </section>
    <section anchor="dtls">
      <name>The DTLS Handshake Protocol</name>
      <t>DTLS 1.3 reuses the TLS 1.3 handshake messages and flows, with
the following changes:</t>
      <ol spacing="normal" type="1"><li>
          <t>To handle message loss, reordering, and fragmentation, modifications to
the handshake header are necessary.</t>
        </li>
        <li>
          <t>Retransmission timers are introduced to handle message loss.</t>
        </li>
        <li>
          <t>A new ACK content type has been added for reliable message delivery of handshake messages.</t>
        </li>
      </ol>
      <t>In addition, DTLS reuses TLS 1.3's "cookie" extension to provide a return-routability
check as part of connection establishment. This is an important DoS
prevention mechanism for UDP-based protocols, unlike TCP-based protocols, for which
TCP establishes return-routability as part of the connection establishment.</t>
      <t>DTLS implementations do not use the TLS 1.3 "compatibility mode" described in
Appendix D.4 of <xref target="TLS13"/>. DTLS servers MUST NOT send ChangeCipherSpec messages
when negotiating DTLS 1.3.</t>
      <t>Additionally, the "legacy_session_id_echo" field of the ServerHello
message, described in Section 4.1.3 of <xref target="TLS13"/>, MUST be empty in
DTLS 1.3. DTLS 1.3 servers MUST NOT echo the "legacy_session_id" value
from the ClientHello. DTLS 1.3 clients MUST abort the handshake with
an "illegal_parameter" alert if the field is not empty. This applies
even if the "legacy_session_id" field of the ClientHello is non-empty
due to a cached session set by a pre-DTLS 1.3 server.</t>
      <t>With these exceptions, the DTLS message formats, flows, and logic are
the same as those of TLS 1.3.</t>
      <section anchor="dos">
        <name>Denial-of-Service Countermeasures</name>
        <t>Datagram security protocols are extremely susceptible to a variety of
DoS attacks.  Two attacks are of particular concern:</t>
        <ol spacing="normal" type="1"><li>
            <t>An attacker can consume excessive resources on the server by
transmitting a series of handshake initiation requests, causing
the server to allocate state and potentially to perform
expensive cryptographic operations.</t>
          </li>
          <li>
            <t>An attacker can use the server as an amplifier by sending
connection initiation messages with a forged source address that belongs to a
victim.  The server then sends its response to the victim
machine, thus flooding it. Depending on the selected
parameters, this response message can be quite large, as
is the case for a Certificate message.</t>
          </li>
        </ol>
        <t>In order to counter both of these attacks, DTLS borrows the stateless
cookie technique used by Photuris <xref target="RFC2522"/> and IKE <xref target="RFC7296"/>.  When
the client sends its ClientHello message to the server, the server
MAY respond with a HelloRetryRequest message. The HelloRetryRequest message,
as well as the "cookie" extension, is defined in TLS 1.3.
The HelloRetryRequest message contains a stateless cookie (see
<xref target="TLS13"/>, Section 4.2.2).
The client MUST send a new ClientHello
with the cookie added as an extension.  The server then verifies the cookie
and proceeds with the handshake only if it is valid.  This mechanism forces
the attacker/client to be able to receive the cookie, which makes DoS attacks
with spoofed IP addresses difficult.  This mechanism does not provide any defense
against DoS attacks mounted from valid IP addresses.</t>
        <t>The DTLS 1.3 specification changes how cookies are exchanged
compared to DTLS 1.2. DTLS 1.3 reuses the HelloRetryRequest message
and conveys the cookie to the client via an extension. The client
receiving the cookie uses the same extension to place
the cookie subsequently into a ClientHello message.
DTLS 1.2, on the other hand, used a separate message, namely the HelloVerifyRequest,
to pass a cookie to the client and did not utilize the extension mechanism.
For backwards compatibility reasons, the cookie field in the ClientHello
is present in DTLS 1.3 but is ignored by a DTLS 1.3-compliant server
implementation.</t>
        <t>The exchange is shown in <xref target="dtls-cookie-exchange"/>. Note that
the figure focuses on the cookie exchange; all other extensions
are omitted.</t>
        <figure anchor="dtls-cookie-exchange">
          <name>DTLS Exchange with HelloRetryRequest Containing the "cookie" Extension</name>
          <artwork><![CDATA[
      Client                                   Server
      ------                                   ------
      ClientHello           ------>

                            <----- HelloRetryRequest
                                    + cookie

      ClientHello           ------>
       + cookie

      [Rest of handshake]
]]></artwork>
        </figure>
        <t>The "cookie" extension is defined in Section 4.2.2 of <xref target="TLS13"/>. When sending the
initial ClientHello, the client does not have a cookie yet. In this case,
the "cookie" extension is omitted and the legacy_cookie field in the ClientHello
message MUST be set to a zero-length vector (i.e., a zero-valued single byte length field).</t>
        <t>When responding to a HelloRetryRequest, the client MUST create a new
ClientHello message following the description in Section 4.1.2 of <xref target="TLS13"/>.</t>
        <t>If the HelloRetryRequest message is used, the initial ClientHello and
the HelloRetryRequest are included in the calculation of the
transcript hash. The computation of the
message hash for the HelloRetryRequest is done according to the description
in Section 4.4.1 of <xref target="TLS13"/>.</t>
        <t>The handshake transcript is not reset with the second ClientHello,
and a stateless server-cookie implementation requires the content or hash
of the initial ClientHello (and HelloRetryRequest)
to be stored in the cookie. The initial ClientHello is included in the
handshake transcript as a synthetic "message_hash" message, so only the hash
value is needed for the handshake to complete, though the complete
HelloRetryRequest contents are needed.</t>
        <t>When the second ClientHello is received, the server can verify that
the cookie is valid and that the client can receive packets at the
given IP address. If the client's apparent IP address is embedded
in the cookie, this prevents an attacker from generating an acceptable
ClientHello apparently from another user.</t>
        <t>One potential attack on this scheme is for the attacker to collect a
number of cookies from different addresses where it controls endpoints
and then reuse them to attack the server.
The server can defend against this attack by
changing the secret value frequently, thus invalidating those
cookies. If the server wishes to allow legitimate clients to
handshake through the transition (e.g., a client received a cookie with
Secret 1 and then sent the second ClientHello after the server has
changed to Secret 2), the server can have a limited window during
which it accepts both secrets.  <xref target="RFC7296"/> suggests adding a key
identifier to cookies to detect this case. An alternative approach is
simply to try verifying with both secrets. It is RECOMMENDED that
servers implement a key rotation scheme that allows the server
to manage keys with overlapping lifetimes.</t>
        <t>Alternatively, the server can store timestamps in the cookie and
reject cookies that were generated outside a certain
interval of time.</t>
        <t>DTLS servers SHOULD perform a cookie exchange whenever a new
handshake is being performed.  If the server is being operated in an
environment where amplification is not a problem, e.g., where
ICE <xref target="RFC8445"/> has been used to establish bidirectional connectivity,
the server MAY be configured not to perform a cookie exchange.  The default SHOULD be
that the exchange is performed, however.  In addition, the server MAY
choose not to do a cookie exchange when a session is resumed or, more
generically, when the DTLS handshake uses a PSK-based key exchange
and the IP address matches one associated with the PSK.
Servers which process 0-RTT requests and send 0.5-RTT responses
without a cookie exchange risk being used in an amplification attack
if the size of outgoing messages greatly exceeds the size of those that are received.
A server SHOULD limit the amount of data it sends toward a client address
to three times the amount of data sent by the client before
it verifies that the client is able to receive data at that address.
A client address is valid after a cookie exchange or handshake completion.
Clients MUST be prepared to do a cookie exchange with every
handshake. Note that cookies are only valid for the existing
handshake and cannot be stored for future handshakes.</t>
        <t>If a server receives a ClientHello with an invalid cookie, it
MUST terminate the handshake with an "illegal_parameter" alert.
This allows the client to restart the connection from
scratch without a cookie.</t>
        <t>As described in Section 4.1.4 of <xref target="TLS13"/>, clients MUST
abort the handshake with an "unexpected_message" alert in response
to any second HelloRetryRequest which was sent in the same connection
(i.e., where the ClientHello was itself in response to a HelloRetryRequest).</t>
        <t>DTLS clients which do not want to receive a Connection ID SHOULD
still offer the "connection_id" extension <xref target="RFC9146"/> unless
there is an application profile to the contrary. This permits
a server which wants to receive a CID to negotiate one.</t>
      </section>
      <section anchor="dtls-handshake-message-format">
        <name>DTLS Handshake Message Format</name>
        <t>DTLS uses the same Handshake messages as TLS 1.3. However,
prior to transmission they are converted to DTLSHandshake
messages, which contain extra data needed to support
message loss, reordering, and message fragmentation.</t>
        <artwork><![CDATA[
    enum {
        client_hello(1),
        server_hello(2),
        new_session_ticket(4),
        end_of_early_data(5),
        encrypted_extensions(8),
        request_connection_id(9),           /* New */
        new_connection_id(10),              /* New */
        certificate(11),
        certificate_request(13),
        certificate_verify(15),
        finished(20),
        key_update(24),
        message_hash(254),
        (255)
    } HandshakeType;

    struct {
        HandshakeType msg_type;    /* handshake type */
        uint24 length;             /* bytes in message */
        uint16 message_seq;        /* DTLS-required field */
        uint24 fragment_offset;    /* DTLS-required field */
        uint24 fragment_length;    /* DTLS-required field */
        select (msg_type) {
            case client_hello:          ClientHello;
            case server_hello:          ServerHello;
            case end_of_early_data:     EndOfEarlyData;
            case encrypted_extensions:  EncryptedExtensions;
            case certificate_request:   CertificateRequest;
            case certificate:           Certificate;
            case certificate_verify:    CertificateVerify;
            case finished:              Finished;
            case new_session_ticket:    NewSessionTicket;
            case key_update:            KeyUpdate;
            case request_connection_id: RequestConnectionId;
            case new_connection_id:     NewConnectionId;
        } body;
    } DTLSHandshake;
]]></artwork>
        <t>In DTLS 1.3, the message transcript is computed over the original
TLS 1.3-style Handshake messages without the message_seq,
fragment_offset, and fragment_length values. Note that this is
a change from DTLS 1.2 where those values were included
in the transcript.</t>
        <t>The first message each side transmits in each association always has
message_seq = 0. Whenever a new message is generated, the
message_seq value is incremented by one. Implementations MUST NOT
allow message_seq to wrap, but instead MUST establish a new
association, terminating the old association. When a message is
retransmitted, the old message_seq value is reused, i.e., not
incremented. From the perspective of the DTLS record layer, the
retransmission is a new record. This record will have a new
DTLSPlaintext.sequence_number value.</t>
        <t>Note: In DTLS 1.2, the message_seq was reset to zero in case of a
rehandshake (i.e., renegotiation). On the surface, a rehandshake in DTLS 1.2
shares similarities with a post-handshake message exchange in DTLS 1.3. However,
in DTLS 1.3 the message_seq is not reset, to allow distinguishing a
retransmission from a previously sent post-handshake message from a newly
sent post-handshake message.</t>
        <t>DTLS implementations maintain (at least notionally) a
next_receive_seq counter.  This counter is initially set to zero.
When a handshake message is received, if its message_seq value matches
next_receive_seq, next_receive_seq is incremented and the message is
processed.  If the sequence number is less than next_receive_seq, the
message MUST be discarded.  If the sequence number is greater than
next_receive_seq, the implementation SHOULD queue the message but MAY
discard it.  (This is a simple space/bandwidth trade-off).</t>
        <t>In addition to the handshake messages that are deprecated by the TLS 1.3
specification, DTLS 1.3 furthermore deprecates the HelloVerifyRequest message
originally defined in DTLS 1.0. DTLS 1.3-compliant implementations MUST NOT
use the HelloVerifyRequest to execute a return-routability check. A
dual-stack DTLS 1.2 / DTLS 1.3 client MUST, however, be prepared to
interact with a DTLS 1.2 server.</t>
      </section>
      <section anchor="clienthello-message">
        <name>ClientHello Message</name>
        <t>The format of the ClientHello used by a DTLS 1.3 client differs from the
TLS 1.3 ClientHello format, as shown below.</t>
        <artwork><![CDATA[
    uint16 ProtocolVersion;
    opaque Random[32];

    uint8 CipherSuite[2];    /* Cryptographic suite selector */

    struct {
        ProtocolVersion legacy_version = { 254,253 }; // DTLSv1.2
        Random random;
        opaque legacy_session_id<0..32>;
        opaque legacy_cookie<0..2^8-1>;                  // DTLS
        CipherSuite cipher_suites<2..2^16-2>;
        opaque legacy_compression_methods<1..2^8-1>;
        Extension extensions<8..2^16-1>;
    } ClientHello;
]]></artwork>
        <dl>
          <dt>legacy_version:</dt>
          <dd>
            <t>In previous versions of DTLS, this field was used for version
negotiation and represented the highest version number supported by
the client. Experience has shown that many servers do not properly
implement version negotiation, leading to "version intolerance" in
which the server rejects an otherwise acceptable ClientHello with a
version number higher than it supports. In DTLS 1.3, the client
indicates its version preferences in the "supported_versions"
extension (see Section 4.2.1 of <xref target="TLS13"/>) and the
legacy_version field MUST be set to {254, 253}, which was the version
number for DTLS 1.2. The supported_versions entries for DTLS 1.0 and DTLS 1.2 are
0xfeff and 0xfefd (to match the wire versions). The value 0xfefc is used
to indicate DTLS 1.3.</t>
          </dd>
          <dt>random:</dt>
          <dd>
            <t>Same as for TLS 1.3, except that the downgrade sentinels described
in Section 4.1.3 of <xref target="TLS13"/> when TLS 1.2 and TLS 1.1 and below are negotiated
apply to DTLS 1.2 and DTLS 1.0, respectively.</t>
          </dd>
          <dt>legacy_session_id:</dt>
          <dd>
            <t>Versions of TLS and DTLS before version 1.3 supported a "session resumption"
feature, which has been merged with pre-shared keys (PSK) in version 1.3.  A client
which has a cached session set by a pre-DTLS 1.3 server SHOULD set this
field according to that session. Otherwise, it MUST be set as a zero-length vector
(i.e., a zero-valued single byte length field).</t>
          </dd>
          <dt>legacy_cookie:</dt>
          <dd>
            <t>A DTLS 1.3-only client MUST set the legacy_cookie field to zero length.
If a DTLS 1.3 ClientHello is received with any other value in this field,
the server MUST abort the handshake with an "illegal_parameter" alert.</t>
          </dd>
          <dt>cipher_suites:</dt>
          <dd>
            <t>Same as for TLS 1.3; only suites with DTLS-OK=Y may be used.</t>
          </dd>
          <dt>legacy_compression_methods:</dt>
          <dd>
            <t>Same as for TLS 1.3.</t>
          </dd>
          <dt>extensions:</dt>
          <dd>
            <t>Same as for TLS 1.3.</t>
          </dd>
        </dl>
      </section>
      <section anchor="serverhello-message">
        <name>ServerHello Message</name>
        <t>The DTLS 1.3 ServerHello message is the same as the TLS 1.3
ServerHello message, except that the legacy_version field
is set to 0xfefd, indicating DTLS 1.2.</t>
      </section>
      <section anchor="handshake-message-fragmentation-and-reassembly">
        <name>Handshake Message Fragmentation and Reassembly</name>
        <t>As described in <xref target="transport-layer-mapping"/>, one or more handshake
messages may be carried in a single datagram. However, handshake messages are
potentially bigger than the size allowed by the underlying datagram transport.
DTLS provides a mechanism for fragmenting a handshake message over a
number of records, each of which can be transmitted in separate datagrams, thus
avoiding IP fragmentation.</t>
        <t>When transmitting the handshake message, the sender divides the
message into a series of N contiguous data ranges. The ranges MUST NOT
overlap.  The sender then creates N DTLSHandshake messages, all with the
same message_seq value as the original DTLSHandshake message.  Each new
message is labeled with the fragment_offset (the number of bytes
contained in previous fragments) and the fragment_length (the length
of this fragment).  The length field in all messages is the same as
the length field of the original message.  An unfragmented message is
a degenerate case with fragment_offset=0 and fragment_length=length.
Each handshake message fragment that is placed into a record
MUST be delivered in a single UDP datagram.</t>
        <t>When a DTLS implementation receives a handshake message fragment corresponding
to the next expected handshake message sequence number, it
MUST process it, either by buffering it until it has the entire handshake message
or by processing any in-order portions of the message.
The transcript consists of complete TLS Handshake messages (reassembled
as necessary). Note that this requires removing the message_seq,
fragment_offset, and fragment_length fields to create the Handshake
structure.</t>
        <t>DTLS implementations MUST be able to handle overlapping fragment ranges.
This allows senders to retransmit handshake messages with smaller
fragment sizes if the PMTU estimate changes. Senders MUST NOT change
handshake message bytes upon retransmission. Receivers MAY check
that retransmitted bytes are identical and SHOULD abort the handshake
with an "illegal_parameter" alert if the value of a byte changes.</t>
        <t>Note that as with TLS, multiple handshake messages may be placed in
the same DTLS record, provided that there is room and that they are
part of the same flight.  Thus, there are two acceptable ways to pack
two DTLS handshake messages into the same datagram: in the same record or in
separate records.</t>
      </section>
      <section anchor="endofearlydata-message">
        <name>EndOfEarlyData Message</name>
        <t>The DTLS 1.3 handshake has one important difference from the
TLS 1.3 handshake: the EndOfEarlyData message is omitted both
from the wire and the handshake transcript. Because DTLS
records have epochs, EndOfEarlyData is not necessary to determine
when the early data is complete, and because DTLS is lossy,
attackers can trivially mount the deletion attacks that EndOfEarlyData
prevents in TLS. Servers SHOULD NOT accept records from epoch 1 indefinitely once they are able to process records from epoch 3. Though reordering of IP packets can result in records from epoch 1 arriving after records from epoch 3, this is not likely to persist for very long relative to the round trip time. Servers could discard epoch 1  keys after the first epoch 3 data arrives, or retain keys for processing epoch 1 data for a short period.
(See <xref target="dtls-epoch"/> for the definitions of each epoch.)</t>
      </section>
      <section anchor="dtls-handshake-flights">
        <name>DTLS Handshake Flights</name>
        <t>DTLS handshake messages are grouped into a series of message flights. A flight starts with the
handshake message transmission of one peer and ends with the expected response from the
other peer. <xref target="tab-flights"/> contains a complete list of message combinations that constitute flights.</t>
        <table anchor="tab-flights">
          <name>Flight Handshake Message Combinations</name>
          <thead>
            <tr>
              <th align="left">Note</th>
              <th align="left">Client</th>
              <th align="left">Server</th>
              <th align="left">Handshake Messages</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left"> </td>
              <td align="left">x</td>
              <td align="left"> </td>
              <td align="left">ClientHello</td>
            </tr>
            <tr>
              <td align="left"> </td>
              <td align="left"> </td>
              <td align="left">x</td>
              <td align="left">HelloRetryRequest</td>
            </tr>
            <tr>
              <td align="left"> </td>
              <td align="left"> </td>
              <td align="left">x</td>
              <td align="left">ServerHello, EncryptedExtensions, CertificateRequest, Certificate, CertificateVerify, Finished</td>
            </tr>
            <tr>
              <td align="left">1</td>
              <td align="left">x</td>
              <td align="left"> </td>
              <td align="left">Certificate, CertificateVerify, Finished</td>
            </tr>
            <tr>
              <td align="left">1</td>
              <td align="left"> </td>
              <td align="left">x</td>
              <td align="left">NewSessionTicket</td>
            </tr>
          </tbody>
        </table>
        <t>Remarks:</t>
        <ul spacing="normal">
          <li>
            <t><xref target="tab-flights"/> does not highlight any of the optional messages.</t>
          </li>
          <li>
            <t>Regarding note (1): When a handshake flight is sent without any expected response, as is the case with
 the client's final flight or with the NewSessionTicket message, the flight must be
 acknowledged with an ACK message.</t>
          </li>
        </ul>
        <t>Below are several example message exchanges illustrating the flight concept.
The notational conventions from <xref target="TLS13"/> are used.</t>
        <figure anchor="dtls-full">
          <name>Message Flights for a Full DTLS Handshake (with Cookie Exchange)</name>
          <artwork><![CDATA[
Client                                             Server

                                                            +--------+
 ClientHello                                                | Flight |
                        -------->                           +--------+

                                                            +--------+
                        <--------        HelloRetryRequest  | Flight |
                                          + cookie          +--------+


                                                            +--------+
ClientHello                                                 | Flight |
 + cookie               -------->                           +--------+



                                               ServerHello
                                     {EncryptedExtensions}  +--------+
                                     {CertificateRequest*}  | Flight |
                                            {Certificate*}  +--------+
                                      {CertificateVerify*}
                                                {Finished}
                        <--------      [Application Data*]



 {Certificate*}                                             +--------+
 {CertificateVerify*}                                       | Flight |
 {Finished}             -------->                           +--------+
 [Application Data]

                                                            +--------+
                        <--------                    [ACK]  | Flight |
                                       [Application Data*]  +--------+

 [Application Data]     <------->      [Application Data]
]]></artwork>
        </figure>
        <figure anchor="dtls-psk">
          <name>Message Flights for Resumption and PSK Handshake (without Cookie Exchange)</name>
          <artwork><![CDATA[
 ClientHello                                              +--------+
  + pre_shared_key                                        | Flight |
  + psk_key_exchange_modes                                +--------+
  + key_share*         -------->


                                             ServerHello
                                        + pre_shared_key  +--------+
                                            + key_share*  | Flight |
                                   {EncryptedExtensions}  +--------+
                       <--------              {Finished}
                                     [Application Data*]
                                                          +--------+
 {Finished}            -------->                          | Flight |
 [Application Data*]                                      +--------+

                                                          +--------+
                       <--------                   [ACK]  | Flight |
                                     [Application Data*]  +--------+

 [Application Data]    <------->      [Application Data]
]]></artwork>
        </figure>
        <figure anchor="dtls-zero-rtt">
          <name>Message Flights for the Zero-RTT Handshake</name>
          <artwork><![CDATA[
Client                                            Server

 ClientHello
  + early_data
  + psk_key_exchange_modes                                +--------+
  + key_share*                                            | Flight |
  + pre_shared_key                                        +--------+
 (Application Data*)     -------->

                                             ServerHello
                                        + pre_shared_key
                                            + key_share*  +--------+
                                   {EncryptedExtensions}  | Flight |
                                              {Finished}  +--------+
                       <--------     [Application Data*]


                                                          +--------+
 {Finished}            -------->                          | Flight |
 [Application Data*]                                      +--------+

                                                          +--------+
                       <--------                   [ACK]  | Flight |
                                     [Application Data*]  +--------+

 [Application Data]    <------->      [Application Data]
]]></artwork>
        </figure>
        <figure anchor="dtls-post-handshake-ticket">
          <name>Message Flights for the NewSessionTicket Message</name>
          <artwork><![CDATA[
Client                                            Server

                                                          +--------+
                       <--------       [NewSessionTicket] | Flight |
                                                          +--------+

                                                          +--------+
[ACK]                  -------->                          | Flight |
                                                          +--------+
]]></artwork>
        </figure>
        <t>KeyUpdate, NewConnectionId, and RequestConnectionId follow a similar
pattern to NewSessionTicket: a single message sent by one side
followed by an ACK by the other.</t>
      </section>
      <section anchor="timeout-retransmissions">
        <name>Timeout and Retransmission</name>
        <section anchor="state-machine">
          <name>State Machine</name>
          <t>DTLS uses a simple timeout and retransmission scheme with the
state machine shown in <xref target="dtls-timeout-state-machine"/>.</t>
          <figure anchor="dtls-timeout-state-machine">
            <name>DTLS Timeout and Retransmission State Machine</name>
            <artwork><![CDATA[
                             +-----------+
                             | PREPARING |
                +----------> |           |
                |            |           |
                |            +-----------+
                |                  |
                |                  | Buffer next flight
                |                  |
                |                 \|/
                |            +-----------+
                |            |           |
                |            |  SENDING  |<------------------+
                |            |           |                   |
                |            +-----------+                   |
        Receive |                  |                         |
           next |                  | Send flight or partial  |
         flight |                  | flight                  |
                |                  |                         |
                |                  | Set retransmit timer    |
                |                 \|/                        |
                |            +-----------+                   |
                |            |           |                   |
                +------------|  WAITING  |-------------------+
                |     +----->|           |   Timer expires   |
                |     |      +-----------+                   |
                |     |          |  |   |                    |
                |     |          |  |   |                    |
                |     +----------+  |   +--------------------+
                |    Receive record |   Read retransmit or ACK
        Receive |  (Maybe Send ACK) |
           last |                   |
         flight |                   | Receive ACK
                |                   | for last flight
               \|/                  |
                                    |
            +-----------+           |
            |           | <---------+
            | FINISHED  |
            |           |
            +-----------+
                |  /|\
                |   |
                |   |
                +---+

          Server read retransmit
              Retransmit ACK
]]></artwork>
          </figure>
          <t>The state machine has four basic states: PREPARING, SENDING, WAITING,
and FINISHED.</t>
          <t>In the PREPARING state, the implementation does whatever computations
are necessary to prepare the next flight of messages.  It then
buffers them up for transmission (emptying the transmission
buffer first) and enters the SENDING state.</t>
          <t>In the SENDING state, the implementation transmits the buffered
flight of messages. If the implementation has received one or more
ACKs (see <xref target="ack-msg"/>) from the peer, then it SHOULD omit any messages or
message fragments which have already been acknowledged. Once the messages
have been sent, the implementation then sets a retransmit timer
and enters the WAITING state.</t>
          <t>There are four ways to exit the WAITING state:</t>
          <ol spacing="normal" type="1"><li>
              <t>The retransmit timer expires: the implementation transitions to
the SENDING state, where it retransmits the flight, adjusts and re-arms the
retransmit timer (see <xref target="timer-values"/>), and returns to the WAITING state.</t>
            </li>
            <li>
              <t>The implementation reads an ACK from the peer: upon receiving
an ACK for a partial flight (as mentioned in <xref target="sending-acks"/>),
the implementation transitions
to the SENDING state, where it retransmits the unacknowledged portion
of the flight, adjusts and re-arms the retransmit timer, and returns to the
WAITING state. Upon receiving an ACK for a complete flight,
the implementation cancels all retransmissions and either
remains in WAITING, or, if the ACK was for the final flight,
transitions to FINISHED.</t>
            </li>
            <li>
              <t>The implementation reads a retransmitted flight from the peer when
none of the messages that it sent in response to that flight
have been acknowledged: the
implementation transitions to the SENDING state, where it
retransmits the flight, adjusts and re-arms the retransmit timer, and returns
to the WAITING state.  The rationale here is that the receipt of a
duplicate message is the likely result of timer expiry on the peer
and therefore suggests that part of one's previous flight was
lost.</t>
            </li>
            <li>
              <t>The implementation receives some or all of the next flight of messages: if
this is the final flight of messages, the implementation
transitions to FINISHED.  If the implementation needs to send a new
flight, it transitions to the PREPARING state. Partial reads
(whether partial messages or only some of the messages in the
flight) may also trigger the implementation to send an ACK, as
described in <xref target="sending-acks"/>.</t>
            </li>
          </ol>
          <t>Because DTLS clients send the first message (ClientHello), they start
in the PREPARING state.  DTLS servers start in the WAITING state, but
with empty buffers and no retransmit timer.</t>
          <t>In addition, for at least twice the default MSL defined for <xref target="RFC0793"/>,
when in the FINISHED state, the server MUST respond to retransmission
of the client's final flight with a retransmit of its ACK.</t>
          <t>Note that because of packet loss, it is possible for one side to be
sending application data even though the other side has not received
the first side's Finished message.  Implementations MUST either
discard or buffer all application data records for epoch 3 and
above until they have received the Finished message from the
peer. Implementations MAY treat receipt of application data with a new
epoch prior to receipt of the corresponding Finished message as
evidence of reordering or packet loss and retransmit their final
flight immediately, shortcutting the retransmission timer.</t>
        </section>
        <section anchor="timer-values">
          <name>Timer Values</name>
          <t>The configuration of timer settings varies with implementations, and certain
deployment environments require timer value adjustments. Mishandling
of the timer can lead to serious congestion problems -- for example, if
many instances of a DTLS time out early and retransmit too quickly on
a congested link.</t>
          <t>Unless implementations have deployment-specific and/or external information about the round trip time,
implementations SHOULD use an initial timer value of 1000 ms and double
the value at each retransmission, up to no less than 60 seconds (the
maximum as specified in RFC 6298 <xref target="RFC6298"/>). Application-specific profiles MAY
recommend shorter or longer timer values. For instance:</t>
          <ul spacing="normal">
            <li>
              <t>Profiles for specific deployment environments, such as in low-power,
multi-hop mesh scenarios as used in some Internet of Things (IoT) networks,
MAY specify longer timeouts. See <xref target="I-D.ietf-uta-tls13-iot-profile"/> for
more information about one such DTLS 1.3 IoT profile.</t>
            </li>
            <li>
              <t>Real-time protocols MAY specify shorter timeouts. It is RECOMMENDED
that for DTLS-SRTP <xref target="RFC5764"/>, a default timeout of
400 ms be used; because customer experience degrades with one-way latencies
of greater than 200 ms, real-time deployments are less likely
to have long latencies.</t>
            </li>
          </ul>
          <t>In settings where there is external information (for instance, from an ICE <xref target="RFC8445"/>
handshake, or from previous connections to the same server)
about the RTT, implementations SHOULD use 1.5 times that RTT estimate
as the retransmit timer.</t>
          <t>Implementations SHOULD retain the current timer value until a
message is transmitted and acknowledged without having to
be retransmitted, at which time the value SHOULD be adjusted
to 1.5 times the measured round trip time for that
message. After a long period of idleness, no less
than 10 times the current timer value, implementations MAY reset the
timer to the initial value.</t>
          <t>Note that because retransmission is for the handshake and not dataflow, the effect on
congestion of shorter timeouts is smaller than in generic protocols
such as TCP or QUIC. Experience with DTLS 1.2, which uses a
simpler "retransmit everything on timeout" approach, has not shown
serious congestion problems in practice.</t>
        </section>
        <section anchor="large-flight-sizes">
          <name>Large Flight Sizes</name>
          <t>DTLS does not have any built-in congestion control or rate control;
in general, this is not an issue because messages tend to be small.
However, in principle, some messages -- especially Certificate -- can
be quite large. If all the messages in a large flight are sent
at once, this can result in network congestion. A better strategy
is to send out only part of the flight, sending more when
messages are acknowledged. Several extensions have been standardized
to reduce the size of the Certificate message -- for example,
the "cached_info" extension <xref target="RFC7924"/>; certificate
compression <xref target="RFC8879"/>; and <xref target="RFC6066"/>, which defines the "client_certificate_url"
extension allowing DTLS clients to send a sequence of Uniform
Resource Locators (URLs) instead of the client certificate.</t>
          <t>DTLS stacks SHOULD NOT send more than 10 records in a single transmission.</t>
        </section>
        <section anchor="state-machine-duplication">
          <name>State Machine Duplication for Post-Handshake Messages</name>
          <t>DTLS 1.3 makes use of the following categories of post-handshake messages:</t>
          <ol spacing="normal" type="1"><li>
              <t>NewSessionTicket</t>
            </li>
            <li>
              <t>KeyUpdate</t>
            </li>
            <li>
              <t>NewConnectionId</t>
            </li>
            <li>
              <t>RequestConnectionId</t>
            </li>
            <li>
              <t>Post-handshake client authentication</t>
            </li>
          </ol>
          <t>Messages of each category can be sent independently, and reliability is established
via independent state machines, each of which behaves as described in <xref target="state-machine"/>.
For example, if a server sends a NewSessionTicket and a CertificateRequest message,
two independent state machines will be created.</t>
          <t>Sending multiple instances of messages of
a given category without having completed earlier transmissions is allowed for some
categories, but not for others. Specifically, a server MAY send multiple NewSessionTicket
messages at once without awaiting ACKs for earlier NewSessionTicket messages first. Likewise, a
server MAY send multiple CertificateRequest messages at once without having completed
earlier client authentication requests before. In contrast, implementations MUST NOT
send KeyUpdate, NewConnectionId, or RequestConnectionId messages if an earlier message
of the same type has not yet been acknowledged.</t>
          <t>Note: Except for post-handshake client authentication, which involves handshake messages
in both directions, post-handshake messages are single-flight, and their respective state
machines on the sender side reduce to waiting for an ACK and retransmitting the original
message. In particular, note that a RequestConnectionId message does not force the receiver
to send a NewConnectionId message in reply, and both messages are therefore treated
independently.</t>
          <t>Creating and correctly updating multiple state machines requires feedback from the handshake
logic to the state machine layer, indicating which message belongs to which state machine.
For example, if a server sends multiple CertificateRequest messages and receives a Certificate
message in response, the corresponding state machine can only be determined after inspecting the
certificate_request_context field. Similarly, a server sending a single CertificateRequest
and receiving a NewConnectionId message in response can only decide that the NewConnectionId
message should be treated through an independent state machine after inspecting the handshake
message type.</t>
        </section>
      </section>
      <section anchor="cryptographic-label-prefix">
        <name>Cryptographic Label Prefix</name>
        <t>Section 7.1 of <xref target="TLS13"/> specifies that HKDF-Expand-Label uses
a label prefix of "tls13 ". For DTLS 1.3, that label SHALL be
"dtls13".  This ensures key separation between DTLS 1.3 and
TLS 1.3. Note that there is no trailing space; this is necessary
in order to keep the overall label size inside of one hash
iteration because "DTLS" is one letter longer than "TLS".</t>
      </section>
      <section anchor="alert-messages">
        <name>Alert Messages</name>
        <t>Note that alert messages are not retransmitted at all, even when they
occur in the context of a handshake.  However, a DTLS implementation
which would ordinarily issue an alert SHOULD generate a new alert
message if the offending record is received again (e.g., as a
retransmitted handshake message).  Implementations SHOULD detect when
a peer is persistently sending bad messages and terminate the local
connection state after such misbehavior is detected. Note that alerts
are not reliably transmitted; implementations SHOULD NOT depend on
receiving alerts in order to signal errors or connection closure.</t>
        <t>Any data received with an epoch/sequence number pair after
that of a valid received closure alert MUST be ignored. Note:
this is a change from TLS 1.3 which depends on the order of
receipt rather than the epoch and sequence number.</t>
      </section>
      <section anchor="establishing-new-associations-with-existing-parameters">
        <name>Establishing New Associations with Existing Parameters</name>
        <t>If a DTLS client-server pair is configured in such a way that
repeated connections happen on the same host/port quartet, then it is
possible that a client will silently abandon one connection and then
initiate another with the same parameters (e.g., after a reboot).
This will appear to the server as a new handshake with epoch=0.  In
cases where a server believes it has an existing association on a
given host/port quartet and it receives an epoch=0 ClientHello, it
SHOULD proceed with a new handshake but MUST NOT destroy the existing
association until the client has demonstrated reachability either by
completing a cookie exchange or by completing a complete handshake
including delivering a verifiable Finished message.  After a correct
Finished message is received, the server MUST abandon the previous
association to avoid confusion between two valid associations with
overlapping epochs.  The reachability requirement prevents
off-path/blind attackers from destroying associations merely by
sending forged ClientHellos.</t>
        <t>Note: It is not always possible to distinguish which association
a given record is from. For instance, if the client performs
a handshake, abandons the connection, and then immediately starts
a new handshake, it may not be possible to tell which connection
a given protected record is for. In these cases, trial decryption
may be necessary, though implementations could use CIDs to avoid
the 5-tuple-based ambiguity.</t>
      </section>
    </section>
    <section anchor="example-of-handshake-with-timeout-and-retransmission">
      <name>Example of Handshake with Timeout and Retransmission</name>
      <t>The following is an example of a handshake with lost packets and
retransmissions. Note that the client sends an empty ACK message
because it can only acknowledge Record 2 sent by the server once it has
processed messages in Record 0 needed to establish epoch 2 keys, which
are needed to encrypt or decrypt messages found in Record 2.  <xref target="ack-msg"/>
provides the necessary background details for this interaction.
Note: For simplicity, we are not resetting record numbers in this
diagram, so "Record 1" is really "Epoch 2, Record 0", etc.</t>
      <figure anchor="dtls-msg-loss">
        <name>Example DTLS Exchange Illustrating Message Loss</name>
        <artwork><![CDATA[
Client                                                Server
------                                                ------

 Record 0                  -------->
 ClientHello
 (message_seq=0)

                             X<-----                 Record 0
                             (lost)               ServerHello
                                              (message_seq=0)
                                                     Record 1
                                          EncryptedExtensions
                                              (message_seq=1)
                                                  Certificate
                                              (message_seq=2)


                           <--------                 Record 2
                                            CertificateVerify
                                              (message_seq=3)
                                                     Finished
                                              (message_seq=4)

 Record 1                  -------->
 ACK []


                           <--------                 Record 3
                                                  ServerHello
                                              (message_seq=0)
                                          EncryptedExtensions
                                              (message_seq=1)
                                                  Certificate
                                              (message_seq=2)

                           <--------                 Record 4
                                            CertificateVerify
                                              (message_seq=3)
                                                     Finished
                                              (message_seq=4)


 Record 2                  -------->
 Certificate
 (message_seq=1)
 CertificateVerify
 (message_seq=2)
 Finished
 (message_seq=3)

                           <--------               Record 5
                                                    ACK [2]
]]></artwork>
      </figure>
      <section anchor="dtls-epoch">
        <name>Epoch Values and Rekeying</name>
        <t>A recipient of a DTLS message needs to select the correct keying material
in order to process an incoming message. With the possibility of message
 loss and reordering, an identifier is needed to determine which cipher state
has been used to protect the record payload. The epoch value fulfills this
role in DTLS. In addition to the TLS 1.3-defined key derivation steps (see
Section 7 of <xref target="TLS13"/>), a sender may want to rekey at any time during
the lifetime of the connection. It therefore needs to indicate that it is
updating its sending cryptographic keys.</t>
        <t>This version of DTLS assigns dedicated epoch values to messages in the
protocol exchange to allow identification of the correct cipher state:</t>
        <ul spacing="normal">
          <li>
            <t>Epoch value (0) is used with unencrypted messages. There are
three unencrypted messages in DTLS, namely ClientHello, ServerHello,
and HelloRetryRequest.</t>
          </li>
          <li>
            <t>Epoch value (1) is used for messages protected using keys derived
from client_early_traffic_secret. Note that this epoch is skipped if
the client does not offer early data.</t>
          </li>
          <li>
            <t>Epoch value (2) is used for messages protected using keys derived
from [sender]_handshake_traffic_secret. Messages transmitted during
the handshake, such as EncryptedExtensions,
CertificateRequest, Certificate, CertificateVerify, and Finished,
belong to this category. Note, however, that post-handshake messages are
protected under the appropriate application traffic key and are not included in this category.</t>
          </li>
          <li>
            <t>Epoch value (3) is used for payloads protected using keys derived
from the initial [sender]_application_traffic_secret_0. This may include
handshake messages, such as post-handshake messages (e.g., a
NewSessionTicket message).</t>
          </li>
          <li>
            <t>Epoch values (4 to 2^64-1) are used for payloads protected using keys from
the [sender]_application_traffic_secret_N (N&gt;0).</t>
          </li>
        </ul>
        <t>Using these reserved epoch values, a receiver knows what cipher state
has been used to encrypt and integrity protect a
message. Implementations that receive a record with an epoch value
for which no corresponding cipher state can be determined SHOULD
handle it as a record which fails deprotection.</t>
        <t>Note that epoch values do not wrap. If a DTLS implementation would
need to wrap the epoch value, it MUST terminate the connection.</t>
        <t>The traffic key calculation is described in Section 7.3 of <xref target="TLS13"/>.</t>
        <t><xref target="dtls-msg-epoch"/> illustrates the epoch values in an example DTLS handshake.</t>
        <figure anchor="dtls-msg-epoch">
          <name>Example DTLS Exchange with Epoch Information</name>
          <artwork><![CDATA[
Client                                             Server
------                                             ------

 Record 0
 ClientHello
 (epoch=0)
                            -------->
                                                     Record 0
                            <--------       HelloRetryRequest
                                                    (epoch=0)
 Record 1
 ClientHello                -------->
 (epoch=0)
                                                     Record 1
                            <--------             ServerHello
                                                    (epoch=0)
                                        {EncryptedExtensions}
                                                    (epoch=2)
                                                {Certificate}
                                                    (epoch=2)
                                          {CertificateVerify}
                                                    (epoch=2)
                                                   {Finished}
                                                    (epoch=2)
 Record 2
 {Certificate}              -------->
 (epoch=2)
 {CertificateVerify}
 (epoch=2)
 {Finished}
 (epoch=2)
                                                     Record 2
                            <--------                   [ACK]
                                                    (epoch=3)
 Record 3
 [Application Data]         -------->
 (epoch=3)
                                                     Record 3
                            <--------      [Application Data]
                                                    (epoch=3)

                         Some time later ...
                 (Post-Handshake Message Exchange)
                                                     Record 4
                            <--------      [NewSessionTicket]
                                                    (epoch=3)
 Record 4
 [ACK]                      -------->
 (epoch=3)

                         Some time later ...
                           (Rekeying)
                                                     Record 5
                            <--------      [Application Data]
                                                    (epoch=4)
 Record 5
 [Application Data]         -------->
 (epoch=4)
]]></artwork>
        </figure>
      </section>
    </section>
    <section anchor="ack-msg">
      <name>ACK Message</name>
      <t>The ACK message is used by an endpoint to indicate which handshake records
it has received and processed from the other side. ACK is not
a handshake message but is rather a separate content type,
with code point 26. This avoids having ACK being added
to the handshake transcript. Note that ACKs can still be
sent in the same UDP datagram as handshake records.</t>
      <t>DTLS 1.3 endpoints MUST NOT send ACK records until the sender knows that
the peer is negotiating DTLS 1.3. A server knows this after it has received
and processed a complete ClientHello and selected DTLS 1.3. A client knows
this after it has received and processed a ServerHello or HelloRetryRequest
selecting DTLS 1.3.</t>
      <t>Until that point, ACK records received in epoch 0 MUST be ignored. This
preserves compatibility with DTLS 1.2 endpoints, which do not define the
ACK content type and might treat it as a fatal error.</t>
      <t>After an endpoint knows that the peer is negotiating DTLS 1.3, it MAY send
and process ACK records in epoch 0. Such ACKs are processed according to the
normal ACK rules. In particular, epoch 0 ACKs can acknowledge plaintext
handshake records and are used for the epoch 1 exception described below.</t>
      <artwork><![CDATA[
    struct {
        RecordNumber record_numbers<0..2^16-1>;
    } ACK;
]]></artwork>
      <dl>
        <dt>record_numbers:</dt>
        <dd>
          <t>A list of the records containing handshake messages in the current
flight which the endpoint has received and either processed or buffered,
in numerically increasing
order.</t>
        </dd>
      </dl>
      <t>Implementations MUST NOT acknowledge records containing
handshake messages or fragments which have not been
processed or buffered. Otherwise, deadlock can ensue.
As an example, implementations MUST NOT send ACKs for
handshake messages which they discard because they are
not the next expected message.</t>
      <t>During the handshake, ACKs only cover the current outstanding flight (this is
possible because DTLS is generally a lock-step protocol). In particular,
receiving a message from a handshake flight implicitly acknowledges all
messages from the previous flight(s).  Accordingly, an ACK
from the server would not cover both the ClientHello and the client's
Certificate message, because the ClientHello and client Certificate are in different
flights. Implementations can accomplish this by clearing their ACK
list upon receiving the start of the next flight.</t>
      <t>For post-handshake messages, ACKs SHOULD be sent once for each received
and processed handshake record (potentially subject to some delay) and MAY
cover more than one flight. This includes records containing messages which are
discarded because a previous copy has been received.</t>
      <t>During the handshake, ACK records MUST be sent with an epoch which is
equal to or higher than the record which is being acknowledged.
Note that some care is required when processing flights spanning
multiple epochs. For instance, if the client receives only the ServerHello
and Certificate and wishes to ACK them in a single record,
it must do so in epoch 2, as it is required to use an epoch
greater than or equal to 2 and cannot yet send with any greater
epoch. Implementations SHOULD simply use the highest
current sending epoch, which will generally be the highest available.
The exception is that implementations MUST NOT send ACK records in epoch 1
(early data). If the highest current sending epoch is epoch 1 (early data),
implementations MUST use epoch 0 (unencrypted) to send ACK records.
After the handshake, implementations MUST use the highest available
sending epoch.</t>
      <section anchor="sending-acks">
        <name>Sending ACKs</name>
        <t>When an implementation detects a disruption in the receipt of the
current incoming flight, it SHOULD generate an ACK that covers the
messages from that flight which it has received and processed so far.
Implementations have some discretion about which events to treat
as signs of disruption, but it is RECOMMENDED that they generate
ACKs under two circumstances:</t>
        <ul spacing="normal">
          <li>
            <t>When they receive a message or fragment which is out of order,
either because it is not the next expected message or because
it is not the next piece of the current message.</t>
          </li>
          <li>
            <t>When they have received part of a flight and do not immediately
receive the rest of the flight (which may be in the same UDP
datagram). "Immediately" is hard to define. One approach is to
set a timer for 1/4 the current retransmit timer value when
the first record in the flight is received and then send an
ACK when that timer expires. Note: The 1/4 value here is somewhat
arbitrary. Given that the round trip estimates in the DTLS
handshake are generally very rough (or the default), any
value will be an approximation, and there is an inherent
compromise due to competition between retransmission due to over-aggressive ACKing
and over-aggressive timeout-based retransmission.
As a comparison point,
QUIC's loss-based recovery algorithms
(Section 6.1.2 of <xref target="RFC9002"/>)
work out to a delay of about 1/3 of the retransmit timer.</t>
          </li>
        </ul>
        <t>In general, flights MUST be ACKed unless they are implicitly
acknowledged. In the present specification, the following flights are implicitly acknowledged
by the receipt of the next flight, which generally immediately follows the flight:</t>
        <ol spacing="normal" type="1"><li>
            <t>Handshake flights other than the client's final flight of the
main handshake.</t>
          </li>
          <li>
            <t>The server's post-handshake CertificateRequest.</t>
          </li>
        </ol>
        <t>ACKs SHOULD NOT be sent for these flights unless
the responding flight cannot be generated immediately.
All other flights MUST be ACKed.
In this case,
implementations MAY send explicit ACKs for the complete received
flight even though it will eventually also be implicitly acknowledged
through the responding flight.
A notable example for this is
the case of client authentication in constrained
environments, where generating the CertificateVerify message can
take considerable time on the client.
Implementations MAY acknowledge the records corresponding to each transmission of
each flight or simply acknowledge the most recent one. In general,
implementations SHOULD ACK as many received packets as can fit
into the ACK record, as this provides the most complete information
and thus reduces the chance of spurious retransmission; if space
is limited, implementations SHOULD favor including records which
have not yet been acknowledged.</t>
        <t>Note: While some post-handshake messages follow a request/response
pattern, this does not necessarily imply receipt.
For example, a KeyUpdate sent in response to a KeyUpdate with
request_update set to "update_requested" does not implicitly
acknowledge the earlier KeyUpdate message because the two KeyUpdate
messages might have crossed in flight.</t>
        <t>ACKs MUST NOT be sent for records of any content type
other than handshake or for records which cannot be deprotected.</t>
        <t>After DTLS 1.3 has been selected, it can still be useful to send an
ACK which does not contain any record numbers. Such an ACK does not
acknowledge any record; it only indicates that the sender is still live
and can trigger faster retransmission. For example, after processing a
HelloRetryRequest that selects DTLS 1.3 and sending a second ClientHello,
a client might receive the protected EncryptedExtensions record from the
server before receiving the ServerHello. Because the client cannot yet
derive the handshake traffic keys, it cannot deprotect and therefore
safely acknowledge that record. Sending an empty ACK can avoid waiting
for the server's retransmission timeout. Empty ACKs MUST NOT be sent
before DTLS 1.3 has been selected.</t>
      </section>
      <section anchor="receiving-acks">
        <name>Receiving ACKs</name>
        <t>When an implementation receives an ACK, it SHOULD record that the
messages or message fragments sent in the records being
ACKed were received and omit them from any future
retransmissions. Upon receipt of an ACK that leaves it with
only some messages from a flight having been acknowledged,
an implementation SHOULD retransmit the unacknowledged
messages or fragments. Note that this requires implementations to
track which messages appear in which records. Once all the messages in a flight have been
acknowledged, the implementation MUST cancel all retransmissions
of that flight.
Implementations MUST treat a record
as having been acknowledged if it appears in any ACK; this
prevents spurious retransmission in cases where a flight is
very large and the receiver is forced to elide acknowledgements
for records which have already been ACKed.
As noted above, the receipt of any record responding
to a given flight MUST be taken as an implicit acknowledgement for the entire
flight to which it is responding.</t>
        <t>If any element of record_numbers in the ACK references an epoch that
is higher than the epoch in which the ACK was received, the
implementation MUST terminate the connection with an "illegal_parameter" alert.</t>
      </section>
      <section anchor="design-rationale">
        <name>Design Rationale</name>
        <t>ACK messages are used in two circumstances, namely:</t>
        <ul spacing="normal">
          <li>
            <t>On sign of disruption, or lack of progress; and</t>
          </li>
          <li>
            <t>To indicate complete receipt of the last flight in a handshake.</t>
          </li>
        </ul>
        <t>In the first case, the use of the ACK message is optional, because
the peer will retransmit in any case and therefore the ACK just
allows for selective or early retransmission, as opposed to the timeout-based whole
flight retransmission in previous versions of DTLS. When DTLS 1.3 is used in deployments
with lossy networks, such as low-power, long-range radio networks as well as
low-power mesh networks, the use of ACKs is recommended.</t>
        <t>The use of the ACK for the second case is mandatory for the proper functioning of the
protocol. For instance, the ACK message sent by the client in Figure 13
acknowledges receipt and processing of Record 4 (containing the NewSessionTicket
message), and if it is not sent, the server will continue retransmission
of the NewSessionTicket indefinitely until its maximum retransmission count is reached.</t>
      </section>
    </section>
    <section anchor="key-updates">
      <name>Key Updates</name>
      <t>As with TLS 1.3, DTLS 1.3 implementations send a KeyUpdate message to
indicate that they are updating their sending keys.  As with other
handshake messages with no built-in response, KeyUpdates MUST be
acknowledged. Acknowledgements are used to both control
retransmission and transition to the next epoch. Implementations MUST
NOT send records with the new keys until the KeyUpdate and all
preceding messages have been acknowledged. This facilitates epoch
reconstruction (<xref target="reconstructing"/>) and avoids too many epochs in active
use, by ensuring the peer has processed the KeyUpdate and started
receiving at the new epoch.</t>
      <t>A KeyUpdate message terminates the post-handshake stream in an epoch.
After sending KeyUpdate in an epoch, implementations MUST NOT send
any new post-handshake messages in that epoch. If a peer violates this
rule, the receiving peer MUST treat it as a protocol violation, send an
"unexpected_message" alert, and terminate the connection. Note that, if
the implementation has sent KeyUpdate but is waiting for an ACK, the
next epoch is not yet active. In this case, subsequent post-handshake
messages may not be sent until receiving the ACK.</t>
      <t>Due to loss and/or reordering, DTLS 1.3 implementations
may receive a record with an older epoch than the
current one (the requirements above preclude receiving
a newer record). They SHOULD attempt to process those records
with that epoch (see <xref target="reconstructing"/> for information
on determining the correct epoch) but MAY opt to discard
such out-of-epoch records.</t>
      <t>Due to the possibility of an ACK message for a KeyUpdate being lost and thereby
preventing the sender of the KeyUpdate from updating its keying material,
receivers MUST retain the pre-update keying material until receipt and successful
decryption of a message using the new keys.</t>
      <t><xref target="dtls-key-update"/> shows an example exchange illustrating that successful
ACK processing updates the keys of the KeyUpdate message sender, which is
reflected in the change of epoch values.</t>
      <figure anchor="dtls-key-update">
        <name>Example DTLS Key Update</name>
        <artwork><![CDATA[
Client                                             Server

      /-------------------------------------------\
     |                                             |
     |                 Handshake                   |
      \-------------------------------------------/


 [Application Data]         -------->
 (epoch=3)

                            <--------      [Application Data]
                                                    (epoch=3)

      /-------------------------------------------\
     |                                             |
     |              Some time later ...            |
      \-------------------------------------------/


 [Application Data]         -------->
 (epoch=3)


 [KeyUpdate]
 (+ update_requested        -------->
 (epoch 3)


                            <--------      [Application Data]
                                                    (epoch=3)


                                                        [ACK]
                            <--------               (epoch=3)


 [Application Data]
 (epoch=4)                  -------->



                            <--------             [KeyUpdate]
                                                    (epoch=3)


 [ACK]                      -------->
 (epoch=4)


                            <--------      [Application Data]
                                                    (epoch=4)
]]></artwork>
      </figure>
      <t>With a 128-bit key as in AES-128, rekeying 2^64 times has a high
probability of key reuse within a given connection. Note that even if
the key repeats, the IV is also independently generated. In order to
provide an extra margin of security, sending implementations MUST NOT
allow the epoch to exceed 2^48-1. If a sending implementation receives a KeyUpdate
with request_update set to "update_requested", it MUST NOT send
its own KeyUpdate if that would cause it to exceed these limits
and SHOULD instead ignore the "update_requested" flag.
Note: this overrides the requirement in TLS 1.3 to always
send a KeyUpdate in response to "update_requested".</t>
      <t>Exceeding the above limit is not possible with the key update
mechanisms defined in this document.  After the handshake, each epoch
change consumes a message_seq value, which is limited to 2^16-1.
As a result, the maximum possible number an epoch can reach
is 2^16+1. In order to allow implementations to store epochs in
a 16-bit value, MAY choose to enforce an epoch limit of 2^16-1.
In this case, the implementation MUST check for
this limit, if reached, terminate the association.</t>
    </section>
    <section anchor="connection-id-updates">
      <name>Connection ID Updates</name>
      <t>If the client and server have negotiated the "connection_id"
extension <xref target="RFC9146"/>, either side
can send a new CID that it wishes the other side to use
in a NewConnectionId message.</t>
      <artwork><![CDATA[
    enum {
        cid_immediate(0), cid_spare(1), (255)
    } ConnectionIdUsage;

    opaque ConnectionId<0..2^8-1>;

    struct {
        ConnectionId cids<0..2^16-1>;
        ConnectionIdUsage usage;
    } NewConnectionId;
]]></artwork>
      <dl>
        <dt>cids:</dt>
        <dd>
          <t>Indicates the set of CIDs that the sender wishes the peer to use.</t>
        </dd>
        <dt>usage:</dt>
        <dd>
          <t>Indicates whether the new CIDs should be used immediately or are
spare.  If usage is set to "cid_immediate", then one of the new CIDs
MUST be used immediately for all future records. If it is set to
"cid_spare", then either an existing or new CID MAY be used.</t>
        </dd>
      </dl>
      <t>Endpoints SHOULD use receiver-provided CIDs in the order they were provided.
Implementations which receive more spare CIDs than they wish to maintain
MAY simply discard any extra CIDs.
Endpoints MUST NOT have more than one NewConnectionId message outstanding.</t>
      <t>Implementations which either did not negotiate the "connection_id" extension
or which have negotiated receiving an empty CID MUST NOT
send NewConnectionId. Implementations MUST NOT send RequestConnectionId
when sending an empty Connection ID. Implementations which detect a violation
of these rules MUST terminate the connection with an "unexpected_message"
alert.</t>
      <t>Implementations SHOULD use a new CID whenever sending on a new path
and SHOULD request new CIDs for this purpose if path changes are anticipated.</t>
      <artwork><![CDATA[
    struct {
      uint8 num_cids;
    } RequestConnectionId;
]]></artwork>
      <dl>
        <dt>num_cids:</dt>
        <dd>
          <t>The number of CIDs desired.</t>
        </dd>
      </dl>
      <t>Endpoints SHOULD respond to RequestConnectionId by sending a
NewConnectionId with usage "cid_spare" containing num_cids CIDs as soon as
possible.  Endpoints MUST NOT send a RequestConnectionId message
when an existing request is still unfulfilled; this implies that
endpoints need to request new CIDs well in advance.  An endpoint MAY
handle requests which it considers excessive by responding with
a NewConnectionId message containing fewer than num_cids CIDs,
including no CIDs at all. Endpoints MAY handle an excessive number
of RequestConnectionId messages by terminating the connection
using a "too_many_cids_requested" (alert number 52) alert.</t>
      <t>Endpoints MUST NOT send either of these messages if they did not negotiate a
CID. If an implementation receives these messages when CIDs
were not negotiated, it MUST abort the connection with an "unexpected_message"
alert.</t>
      <section anchor="connection-id-example">
        <name>Connection ID Example</name>
        <t>Below is an example exchange for DTLS 1.3 using a single
CID in each direction.</t>
        <t>Note: The "connection_id" extension,
which is used in ClientHello and ServerHello messages,
is defined in <xref target="RFC9146"/>.</t>
        <figure anchor="dtls-example">
          <name>Example DTLS 1.3 Exchange with CIDs</name>
          <artwork><![CDATA[
Client                                             Server
------                                             ------

ClientHello
(connection_id=5)
                            -------->


                            <--------       HelloRetryRequest
                                                     (cookie)

ClientHello                 -------->
(connection_id=5)
  + cookie

                            <--------             ServerHello
                                          (connection_id=100)
                                          EncryptedExtensions
                                                      (cid=5)
                                                  Certificate
                                                      (cid=5)
                                            CertificateVerify
                                                      (cid=5)
                                                     Finished
                                                      (cid=5)

Certificate                -------->
(cid=100)
CertificateVerify
(cid=100)
Finished
(cid=100)
                           <--------                      ACK
                                                      (cid=5)

Application Data           ========>
(cid=100)
                           <========         Application Data
                                                      (cid=5)
]]></artwork>
        </figure>
        <t>If no CID is negotiated, then the receiver MUST reject any
records it receives that contain a CID.</t>
      </section>
    </section>
    <section anchor="application-data-protocol">
      <name>Application Data Protocol</name>
      <t>Application data messages are carried by the record layer and are split
into records
and encrypted based on the current connection state. The messages
are treated as transparent data to the record layer.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>Security issues are discussed primarily in <xref target="TLS13"/>.</t>
      <t>The primary additional security consideration raised by DTLS is that
of denial of service by excessive resource consumption.  DTLS includes a cookie exchange designed to
protect against denial of service.  However, implementations that do
not use this cookie exchange are still vulnerable to DoS.  In
particular, DTLS servers that do not use the cookie exchange may be
used as attack amplifiers even if they themselves are not
experiencing DoS.  Therefore, DTLS servers SHOULD use the cookie
exchange unless there is good reason to believe that amplification is
not a threat in their environment.  Clients MUST be prepared to do a
cookie exchange with every handshake.</t>
      <t>Some key properties required of the cookie for the cookie-exchange mechanism
to be functional are described in Section 3.3 of <xref target="RFC2522"/>:</t>
      <ul spacing="normal">
        <li>
          <t>The cookie MUST depend on the client's address.</t>
        </li>
        <li>
          <t>It MUST NOT be possible for anyone other than the issuing entity to generate
cookies that are accepted as valid by that entity.  This typically entails
an integrity check based on a secret key.</t>
        </li>
        <li>
          <t>Cookie generation and verification are triggered by unauthenticated parties,
and as such their resource consumption needs to be restrained in order to
avoid having the cookie-exchange mechanism itself serve as a DoS vector.</t>
        </li>
      </ul>
      <t>Although the cookie must allow the server to produce the right handshake
transcript, it SHOULD be constructed so that knowledge of the cookie
is insufficient to reproduce the ClientHello contents. Otherwise,
this may create problems with future extensions such as Encrypted Client Hello <xref target="ECH"/>.</t>
      <t>When cookies are generated using a keyed authentication mechanism,
it should be possible to rotate the associated
secret key, so that temporary compromise of the key does not permanently
compromise the integrity of the cookie-exchange mechanism.  Though this secret
is not as high-value as, e.g., a session-ticket-encryption key, rotating the
cookie-generation key on a similar timescale would ensure that the
key rotation functionality is exercised regularly and thus in working order.</t>
      <t>The cookie exchange provides address validation during the handshake.
DTLS with Connection IDs allows for endpoint addresses to change during the
association; any such updated addresses are not covered by the cookie exchange
during the handshake.
DTLS implementations MUST NOT update the address they send to in response
to packets from a different address unless they first perform some
reachability test; no such test is defined in this specification and
a future specification would need to specify a complete
procedure for how and when to update addresses.
Even
with such a test, an active on-path adversary can also black-hole traffic or
create a reflection attack against third parties because a DTLS peer
has no means to distinguish a genuine address update event (for
example, due to a NAT rebinding) from one that is malicious. This
attack is of concern when there is a large asymmetry of
request/response message sizes.</t>
      <t>With the exception of order protection and non-replayability, the security
guarantees for DTLS 1.3 are the same as TLS 1.3. While TLS always provides
order protection and non-replayability, DTLS does not provide order protection
and may not provide replay protection.</t>
      <t>Unlike TLS implementations, DTLS implementations SHOULD NOT respond
to invalid records by terminating the connection.</t>
      <t>TLS 1.3 requires replay protection for 0-RTT data (or rather, for connections
that use 0-RTT data; see Section 8 of <xref target="TLS13"/>).  DTLS provides an optional
per-record replay-protection mechanism, since datagram protocols are
inherently subject to message reordering and replay.  These two
replay-protection mechanisms are orthogonal, and neither mechanism meets the
requirements for the other.</t>
      <t>DTLS 1.3's handshake transcript does not include the new DTLS fields,
which makes it have the same format as TLS 1.3. However, the DTLS 1.3 and
TLS 1.3 transcripts are disjoint because they use different version
numbers. Additionally, the DTLS 1.3 key schedule uses a different label
and so will produce different keys for the same transcript.</t>
      <t>The security and privacy properties of the CID for DTLS 1.3 build
on top of what is described for DTLS 1.2 in <xref target="RFC9146"/>. There are,
however, several differences:</t>
      <ul spacing="normal">
        <li>
          <t>In both versions of DTLS, extension negotiation is used to agree on the use of the CID
feature and the CID values. In both versions, the CID is carried in the DTLS record header (if negotiated).
However, the way the CID is included in the record header differs between the two versions.</t>
        </li>
        <li>
          <t>The use of the post-handshake message allows the client and the server
to update their CIDs, and those values are exchanged with confidentiality
protection.</t>
        </li>
        <li>
          <t>The ability to use multiple CIDs allows for improved privacy properties
in multihomed scenarios. When only a single CID is in use on multiple
paths from such a host, an adversary can correlate the communication
interaction across paths, which adds further privacy concerns. In order
to prevent this, implementations SHOULD attempt to use fresh CIDs
whenever they change local addresses or ports (though this is not always
possible to detect). The RequestConnectionId message can be used by a peer
to ask for new CIDs to ensure that a pool of suitable CIDs is available.</t>
        </li>
        <li>
          <t>The mechanism for encrypting sequence numbers (<xref target="rne"/>) prevents
trivial tracking by on-path adversaries that attempt to correlate the
pattern of sequence numbers received on different paths; such tracking
could occur even when different CIDs are used on each path, in the
absence of sequence number encryption. Switching CIDs based on certain
events, or even regularly, helps against tracking by on-path
adversaries.  Note that sequence number encryption is used for all
encrypted DTLS 1.3 records irrespective of whether a CID is used or
not.  Unlike the sequence number, the epoch is not encrypted because it acts as a key identifier, which
may improve correlation of packets from a single connection across
different network paths.</t>
        </li>
        <li>
          <t>DTLS 1.3 encrypts handshake messages much earlier than in previous
DTLS versions. Therefore, less information identifying the DTLS client, such as
the client certificate, is available to an on-path adversary.</t>
        </li>
      </ul>
    </section>
    <section anchor="changes-since-dtls-12">
      <name>Changes since DTLS 1.2</name>
      <t>Since TLS 1.3 introduces a large number of changes with respect to TLS 1.2, the list
of changes from DTLS 1.2 to DTLS 1.3 is equally large. For this reason,
this section focuses on the most important changes only.</t>
      <ul spacing="normal">
        <li>
          <t>New handshake pattern, which leads to a shorter message exchange.</t>
        </li>
        <li>
          <t>Only AEAD ciphers are supported. Additional data calculation has been simplified.</t>
        </li>
        <li>
          <t>Removed support for weaker and older cryptographic algorithms.</t>
        </li>
        <li>
          <t>HelloRetryRequest of TLS 1.3 used instead of HelloVerifyRequest.</t>
        </li>
        <li>
          <t>More flexible cipher suite negotiation.</t>
        </li>
        <li>
          <t>New session resumption mechanism.</t>
        </li>
        <li>
          <t>PSK authentication redefined.</t>
        </li>
        <li>
          <t>New key derivation hierarchy utilizing a new key derivation construct.</t>
        </li>
        <li>
          <t>Improved version negotiation.</t>
        </li>
        <li>
          <t>Optimized record layer encoding and thereby its size.</t>
        </li>
        <li>
          <t>Added CID functionality.</t>
        </li>
        <li>
          <t>Sequence numbers are encrypted.</t>
        </li>
      </ul>
    </section>
    <section anchor="updates-affecting-dtls-12">
      <name>Updates Affecting DTLS 1.2</name>
      <t>This document defines several changes that optionally affect
implementations of DTLS 1.2, including those which do not also support
DTLS 1.3.</t>
      <ul spacing="normal">
        <li>
          <t>A version downgrade protection mechanism as described
in <xref target="TLS13"/>, Section 4.1.3 and applying to DTLS as
described in <xref target="clienthello-message"/>.</t>
        </li>
        <li>
          <t>The updates described in <xref target="TLS13"/>, Section 1.3.</t>
        </li>
        <li>
          <t>The new compliance requirements described in <xref target="TLS13"/>, Section 9.3.</t>
        </li>
      </ul>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>IANA has allocated the content type value 26 in the "TLS ContentType"
registry for the ACK message, defined in <xref target="ack-msg"/>.
The value for the "DTLS-OK" column is "Y".  IANA has reserved
the content type range 32-63 so that content types in this range are not
allocated.</t>
      <t>IANA has allocated value 52 for the "too_many_cids_requested" alert in
the "TLS Alerts" registry. The value for the "DTLS-OK" column is "Y".</t>
      <t>IANA has allocated two values in the "TLS HandshakeType"
registry, defined in <xref target="TLS13"/>, for request_connection_id (9) and
new_connection_id (10), as defined in this document.  The value for the
"DTLS-OK" column is "Y".</t>
      <t>IANA has added this RFC as a reference to the "TLS Cipher Suites" registry
along with the following Note:</t>
      <artwork><![CDATA[
Any TLS cipher suite that is specified for use with DTLS MUST
define limits on the use of the associated AEAD function that
preserves margins for both confidentiality and integrity,
as specified in Section 4.5.3 of RFC 9147.
]]></artwork>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC0768">
          <front>
            <title>User Datagram Protocol</title>
            <author fullname="J. Postel" initials="J." surname="Postel"/>
            <date month="August" year="1980"/>
          </front>
          <seriesInfo name="STD" value="6"/>
          <seriesInfo name="RFC" value="768"/>
          <seriesInfo name="DOI" value="10.17487/RFC0768"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC1191">
          <front>
            <title>Path MTU discovery</title>
            <author fullname="J. Mogul" initials="J." surname="Mogul"/>
            <author fullname="S. Deering" initials="S." surname="Deering"/>
            <date month="November" year="1990"/>
            <abstract>
              <t>This memo describes a technique for dynamically discovering the maximum transmission unit (MTU) of an arbitrary internet path. It specifies a small change to the way routers generate one type of ICMP message. For a path that passes through a router that has not been so changed, this technique might not discover the correct Path MTU, but it will always choose a Path MTU as accurate as, and in many cases more accurate than, the Path MTU that would be chosen by current practice. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="1191"/>
          <seriesInfo name="DOI" value="10.17487/RFC1191"/>
        </reference>
        <reference anchor="RFC4443">
          <front>
            <title>Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification</title>
            <author fullname="A. Conta" initials="A." surname="Conta"/>
            <author fullname="S. Deering" initials="S." surname="Deering"/>
            <author fullname="M. Gupta" initials="M." role="editor" surname="Gupta"/>
            <date month="March" year="2006"/>
            <abstract>
              <t>This document describes the format of a set of control messages used in ICMPv6 (Internet Control Message Protocol). ICMPv6 is the Internet Control Message Protocol for Internet Protocol version 6 (IPv6). [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="89"/>
          <seriesInfo name="RFC" value="4443"/>
          <seriesInfo name="DOI" value="10.17487/RFC4443"/>
        </reference>
        <reference anchor="RFC4821">
          <front>
            <title>Packetization Layer Path MTU Discovery</title>
            <author fullname="M. Mathis" initials="M." surname="Mathis"/>
            <author fullname="J. Heffner" initials="J." surname="Heffner"/>
            <date month="March" year="2007"/>
            <abstract>
              <t>This document describes a robust method for Path MTU Discovery (PMTUD) that relies on TCP or some other Packetization Layer to probe an Internet path with progressively larger packets. This method is described as an extension to RFC 1191 and RFC 1981, which specify ICMP-based Path MTU Discovery for IP versions 4 and 6, respectively. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4821"/>
          <seriesInfo name="DOI" value="10.17487/RFC4821"/>
        </reference>
        <reference anchor="RFC0793">
          <front>
            <title>Transmission Control Protocol</title>
            <author fullname="J. Postel" initials="J." surname="Postel"/>
            <date month="September" year="1981"/>
          </front>
          <seriesInfo name="RFC" value="793"/>
          <seriesInfo name="DOI" value="10.17487/RFC0793"/>
        </reference>
        <reference anchor="RFC6298">
          <front>
            <title>Computing TCP's Retransmission Timer</title>
            <author fullname="V. Paxson" initials="V." surname="Paxson"/>
            <author fullname="M. Allman" initials="M." surname="Allman"/>
            <author fullname="J. Chu" initials="J." surname="Chu"/>
            <author fullname="M. Sargent" initials="M." surname="Sargent"/>
            <date month="June" year="2011"/>
            <abstract>
              <t>This document defines the standard algorithm that Transmission Control Protocol (TCP) senders are required to use to compute and manage their retransmission timer. It expands on the discussion in Section 4.2.3.1 of RFC 1122 and upgrades the requirement of supporting the algorithm from a SHOULD to a MUST. This document obsoletes RFC 2988. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6298"/>
          <seriesInfo name="DOI" value="10.17487/RFC6298"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC9146">
          <front>
            <title>Connection Identifier for DTLS 1.2</title>
            <author fullname="E. Rescorla" initials="E." role="editor" surname="Rescorla"/>
            <author fullname="H. Tschofenig" initials="H." role="editor" surname="Tschofenig"/>
            <author fullname="T. Fossati" initials="T." surname="Fossati"/>
            <author fullname="A. Kraus" initials="A." surname="Kraus"/>
            <date month="March" year="2022"/>
            <abstract>
              <t>This document specifies the Connection ID (CID) construct for the Datagram Transport Layer Security (DTLS) protocol version 1.2.</t>
              <t>A CID is an identifier carried in the record layer header that gives the recipient additional information for selecting the appropriate security association. In "classical" DTLS, selecting a security association of an incoming DTLS record is accomplished with the help of the 5-tuple. If the source IP address and/or source port changes during the lifetime of an ongoing DTLS session, then the receiver will be unable to locate the correct security context.</t>
              <t>The new ciphertext record format with the CID also provides content type encryption and record layer padding.</t>
              <t>This document updates RFC 6347.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9146"/>
          <seriesInfo name="DOI" value="10.17487/RFC9146"/>
        </reference>
        <reference anchor="TLS13">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="Eric Rescorla" initials="E." surname="Rescorla">
              <organization>Independent</organization>
            </author>
            <date day="13" month="September" year="2025"/>
            <abstract>
              <t>   This document specifies version 1.3 of the Transport Layer Security
   (TLS) protocol.  TLS allows client/server applications to communicate
   over the Internet in a way that is designed to prevent eavesdropping,
   tampering, and message forgery.

   This document updates RFCs 5705, 6066, 7627, and 8422 and obsoletes
   RFCs 5077, 5246, 6961, 8422, and 8446.  This document also specifies
   new requirements for TLS 1.2 implementations.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-rfc8446bis-14"/>
        </reference>
        <reference anchor="CHACHA">
          <front>
            <title>ChaCha20 and Poly1305 for IETF Protocols</title>
            <author fullname="Y. Nir" initials="Y." surname="Nir"/>
            <author fullname="A. Langley" initials="A." surname="Langley"/>
            <date month="June" year="2018"/>
            <abstract>
              <t>This document defines the ChaCha20 stream cipher as well as the use of the Poly1305 authenticator, both as stand-alone algorithms and as a "combined mode", or Authenticated Encryption with Associated Data (AEAD) algorithm.</t>
              <t>RFC 7539, the predecessor of this document, was meant to serve as a stable reference and an implementation guide. It was a product of the Crypto Forum Research Group (CFRG). This document merges the errata filed against RFC 7539 and adds a little text to the Security Considerations section.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8439"/>
          <seriesInfo name="DOI" value="10.17487/RFC8439"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC7296">
          <front>
            <title>Internet Key Exchange Protocol Version 2 (IKEv2)</title>
            <author fullname="C. Kaufman" initials="C." surname="Kaufman"/>
            <author fullname="P. Hoffman" initials="P." surname="Hoffman"/>
            <author fullname="Y. Nir" initials="Y." surname="Nir"/>
            <author fullname="P. Eronen" initials="P." surname="Eronen"/>
            <author fullname="T. Kivinen" initials="T." surname="Kivinen"/>
            <date month="October" year="2014"/>
            <abstract>
              <t>This document describes version 2 of the Internet Key Exchange (IKE) protocol. IKE is a component of IPsec used for performing mutual authentication and establishing and maintaining Security Associations (SAs). This document obsoletes RFC 5996, and includes all of the errata for it. It advances IKEv2 to be an Internet Standard.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="79"/>
          <seriesInfo name="RFC" value="7296"/>
          <seriesInfo name="DOI" value="10.17487/RFC7296"/>
        </reference>
        <reference anchor="RFC2522">
          <front>
            <title>Photuris: Session-Key Management Protocol</title>
            <author fullname="P. Karn" initials="P." surname="Karn"/>
            <author fullname="W. Simpson" initials="W." surname="Simpson"/>
            <date month="March" year="1999"/>
            <abstract>
              <t>This document defines the basic protocol mechanisms. This document defines an Experimental Protocol for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2522"/>
          <seriesInfo name="DOI" value="10.17487/RFC2522"/>
        </reference>
        <reference anchor="RFC4303">
          <front>
            <title>IP Encapsulating Security Payload (ESP)</title>
            <author fullname="S. Kent" initials="S." surname="Kent"/>
            <date month="December" year="2005"/>
            <abstract>
              <t>This document describes an updated version of the Encapsulating Security Payload (ESP) protocol, which is designed to provide a mix of security services in IPv4 and IPv6. ESP is used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality. This document obsoletes RFC 2406 (November 1998). [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4303"/>
          <seriesInfo name="DOI" value="10.17487/RFC4303"/>
        </reference>
        <reference anchor="RFC4340">
          <front>
            <title>Datagram Congestion Control Protocol (DCCP)</title>
            <author fullname="E. Kohler" initials="E." surname="Kohler"/>
            <author fullname="M. Handley" initials="M." surname="Handley"/>
            <author fullname="S. Floyd" initials="S." surname="Floyd"/>
            <date month="March" year="2006"/>
            <abstract>
              <t>The Datagram Congestion Control Protocol (DCCP) is a transport protocol that provides bidirectional unicast connections of congestion-controlled unreliable datagrams. DCCP is suitable for applications that transfer fairly large amounts of data and that can benefit from control over the tradeoff between timeliness and reliability. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4340"/>
          <seriesInfo name="DOI" value="10.17487/RFC4340"/>
        </reference>
        <reference anchor="RFC4346">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.1</title>
            <author fullname="T. Dierks" initials="T." surname="Dierks"/>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="April" year="2006"/>
            <abstract>
              <t>This document specifies Version 1.1 of the Transport Layer Security (TLS) protocol. The TLS protocol provides communications security over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4346"/>
          <seriesInfo name="DOI" value="10.17487/RFC4346"/>
        </reference>
        <reference anchor="RFC4347">
          <front>
            <title>Datagram Transport Layer Security</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="N. Modadugu" initials="N." surname="Modadugu"/>
            <date month="April" year="2006"/>
            <abstract>
              <t>This document specifies Version 1.0 of the Datagram Transport Layer Security (DTLS) protocol. The DTLS protocol provides communications privacy for datagram protocols. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. The DTLS protocol is based on the Transport Layer Security (TLS) protocol and provides equivalent security guarantees. Datagram semantics of the underlying transport are preserved by the DTLS protocol.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4347"/>
          <seriesInfo name="DOI" value="10.17487/RFC4347"/>
        </reference>
        <reference anchor="RFC5238">
          <front>
            <title>Datagram Transport Layer Security (DTLS) over the Datagram Congestion Control Protocol (DCCP)</title>
            <author fullname="T. Phelan" initials="T." surname="Phelan"/>
            <date month="May" year="2008"/>
            <abstract>
              <t>This document specifies the use of Datagram Transport Layer Security (DTLS) over the Datagram Congestion Control Protocol (DCCP). DTLS provides communications privacy for applications that use datagram transport protocols and allows client/server applications to communicate in a way that is designed to prevent eavesdropping and detect tampering or message forgery. DCCP is a transport protocol that provides a congestion-controlled unreliable datagram service. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5238"/>
          <seriesInfo name="DOI" value="10.17487/RFC5238"/>
        </reference>
        <reference anchor="RFC5246">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.2</title>
            <author fullname="T. Dierks" initials="T." surname="Dierks"/>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2008"/>
            <abstract>
              <t>This document specifies Version 1.2 of the Transport Layer Security (TLS) protocol. The TLS protocol provides communications security over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5246"/>
          <seriesInfo name="DOI" value="10.17487/RFC5246"/>
        </reference>
        <reference anchor="RFC6347">
          <front>
            <title>Datagram Transport Layer Security Version 1.2</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="N. Modadugu" initials="N." surname="Modadugu"/>
            <date month="January" year="2012"/>
            <abstract>
              <t>This document specifies version 1.2 of the Datagram Transport Layer Security (DTLS) protocol. The DTLS protocol provides communications privacy for datagram protocols. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. The DTLS protocol is based on the Transport Layer Security (TLS) protocol and provides equivalent security guarantees. Datagram semantics of the underlying transport are preserved by the DTLS protocol. This document updates DTLS 1.0 to work with TLS version 1.2. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6347"/>
          <seriesInfo name="DOI" value="10.17487/RFC6347"/>
        </reference>
        <reference anchor="RFC7525">
          <front>
            <title>Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)</title>
            <author fullname="Y. Sheffer" initials="Y." surname="Sheffer"/>
            <author fullname="R. Holz" initials="R." surname="Holz"/>
            <author fullname="P. Saint-Andre" initials="P." surname="Saint-Andre"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) are widely used to protect data exchanged over application protocols such as HTTP, SMTP, IMAP, POP, SIP, and XMPP. Over the last few years, several serious attacks on TLS have emerged, including attacks on its most commonly used cipher suites and their modes of operation. This document provides recommendations for improving the security of deployed services that use TLS and DTLS. The recommendations are applicable to the majority of use cases.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7525"/>
          <seriesInfo name="DOI" value="10.17487/RFC7525"/>
        </reference>
        <reference anchor="RFC6083">
          <front>
            <title>Datagram Transport Layer Security (DTLS) for Stream Control Transmission Protocol (SCTP)</title>
            <author fullname="M. Tuexen" initials="M." surname="Tuexen"/>
            <author fullname="R. Seggelmann" initials="R." surname="Seggelmann"/>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="January" year="2011"/>
            <abstract>
              <t>This document describes the usage of the Datagram Transport Layer Security (DTLS) protocol over the Stream Control Transmission Protocol (SCTP).</t>
              <t>DTLS over SCTP provides communications privacy for applications that use SCTP as their transport protocol and allows client/server applications to communicate in a way that is designed to prevent eavesdropping and detect tampering or message forgery.</t>
              <t>Applications using DTLS over SCTP can use almost all transport features provided by SCTP and its extensions. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6083"/>
          <seriesInfo name="DOI" value="10.17487/RFC6083"/>
        </reference>
        <reference anchor="AEBounds" target="http://www.isg.rhul.ac.uk/~kp/TLS-AEbounds.pdf">
          <front>
            <title>Limits on Authenticated Encryption Use in TLS</title>
            <author initials="A." surname="Luykx">
              <organization/>
            </author>
            <author initials="K." surname="Paterson">
              <organization/>
            </author>
            <date year="2016" month="March" day="08"/>
          </front>
        </reference>
        <reference anchor="ROBUST" target="https://eprint.iacr.org/2020/718">
          <front>
            <title>Robust Channels: Handling Unreliable Networks in the Record Layers of QUIC and DTLS 1.3</title>
            <author initials="M." surname="Fischlin">
              <organization/>
            </author>
            <author initials="F." surname="Günther">
              <organization/>
            </author>
            <author initials="C." surname="Janson">
              <organization/>
            </author>
            <date year="2020" month="June" day="15"/>
          </front>
        </reference>
        <reference anchor="DEPRECATE">
          <front>
            <title>Deprecating TLS 1.0 and TLS 1.1</title>
            <author fullname="K. Moriarty" initials="K." surname="Moriarty"/>
            <author fullname="S. Farrell" initials="S." surname="Farrell"/>
            <date month="March" year="2021"/>
            <abstract>
              <t>This document formally deprecates Transport Layer Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346). Accordingly, those documents have been moved to Historic status. These versions lack support for current and recommended cryptographic algorithms and mechanisms, and various government and industry profiles of applications using TLS now mandate avoiding these old TLS versions. TLS version 1.2 became the recommended version for IETF protocols in 2008 (subsequently being obsoleted by TLS version 1.3 in 2018), providing sufficient time to transition away from older versions. Removing support for older versions from implementations reduces the attack surface, reduces opportunity for misconfiguration, and streamlines library and product maintenance.</t>
              <t>This document also deprecates Datagram TLS (DTLS) version 1.0 (RFC 4347) but not DTLS version 1.2, and there is no DTLS version 1.1.</t>
              <t>This document updates many RFCs that normatively refer to TLS version 1.0 or TLS version 1.1, as described herein. This document also updates the best practices for TLS usage in RFC 7525; hence, it is part of BCP 195.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="195"/>
          <seriesInfo name="RFC" value="8996"/>
          <seriesInfo name="DOI" value="10.17487/RFC8996"/>
        </reference>
        <reference anchor="RFC5763">
          <front>
            <title>Framework for Establishing a Secure Real-time Transport Protocol (SRTP) Security Context Using Datagram Transport Layer Security (DTLS)</title>
            <author fullname="J. Fischl" initials="J." surname="Fischl"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="May" year="2010"/>
            <abstract>
              <t>This document specifies how to use the Session Initiation Protocol (SIP) to establish a Secure Real-time Transport Protocol (SRTP) security context using the Datagram Transport Layer Security (DTLS) protocol. It describes a mechanism of transporting a fingerprint attribute in the Session Description Protocol (SDP) that identifies the key that will be presented during the DTLS handshake. The key exchange travels along the media path as opposed to the signaling path. The SIP Identity mechanism can be used to protect the integrity of the fingerprint attribute from modification by intermediate proxies. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5763"/>
          <seriesInfo name="DOI" value="10.17487/RFC5763"/>
        </reference>
        <reference anchor="RFC7983">
          <front>
            <title>Multiplexing Scheme Updates for Secure Real-time Transport Protocol (SRTP) Extension for Datagram Transport Layer Security (DTLS)</title>
            <author fullname="M. Petit-Huguenin" initials="M." surname="Petit-Huguenin"/>
            <author fullname="G. Salgueiro" initials="G." surname="Salgueiro"/>
            <date month="September" year="2016"/>
            <abstract>
              <t>This document defines how Datagram Transport Layer Security (DTLS), Real-time Transport Protocol (RTP), RTP Control Protocol (RTCP), Session Traversal Utilities for NAT (STUN), Traversal Using Relays around NAT (TURN), and ZRTP packets are multiplexed on a single receiving socket. It overrides the guidance from RFC 5764 ("SRTP Extension for DTLS"), which suffered from four issues described and fixed in this document.</t>
              <t>This document updates RFC 5764.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7983"/>
          <seriesInfo name="DOI" value="10.17487/RFC7983"/>
        </reference>
        <reference anchor="RFC4960">
          <front>
            <title>Stream Control Transmission Protocol</title>
            <author fullname="R. Stewart" initials="R." role="editor" surname="Stewart"/>
            <date month="September" year="2007"/>
            <abstract>
              <t>This document obsoletes RFC 2960 and RFC 3309. It describes the Stream Control Transmission Protocol (SCTP). SCTP is designed to transport Public Switched Telephone Network (PSTN) signaling messages over IP networks, but is capable of broader applications.</t>
              <t>SCTP is a reliable transport protocol operating on top of a connectionless packet network such as IP. It offers the following services to its users:</t>
              <t>-- acknowledged error-free non-duplicated transfer of user data,</t>
              <t>-- data fragmentation to conform to discovered path MTU size,</t>
              <t>-- sequenced delivery of user messages within multiple streams, with an option for order-of-arrival delivery of individual user messages,</t>
              <t>-- optional bundling of multiple user messages into a single SCTP packet, and</t>
              <t>-- network-level fault tolerance through supporting of multi-homing at either or both ends of an association.</t>
              <t>The design of SCTP includes appropriate congestion avoidance behavior and resistance to flooding and masquerade attacks. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4960"/>
          <seriesInfo name="DOI" value="10.17487/RFC4960"/>
        </reference>
        <reference anchor="RFC8201">
          <front>
            <title>Path MTU Discovery for IP version 6</title>
            <author fullname="J. McCann" initials="J." surname="McCann"/>
            <author fullname="S. Deering" initials="S." surname="Deering"/>
            <author fullname="J. Mogul" initials="J." surname="Mogul"/>
            <author fullname="R. Hinden" initials="R." role="editor" surname="Hinden"/>
            <date month="July" year="2017"/>
            <abstract>
              <t>This document describes Path MTU Discovery (PMTUD) for IP version 6. It is largely derived from RFC 1191, which describes Path MTU Discovery for IP version 4. It obsoletes RFC 1981.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="87"/>
          <seriesInfo name="RFC" value="8201"/>
          <seriesInfo name="DOI" value="10.17487/RFC8201"/>
        </reference>
        <reference anchor="RFC8445">
          <front>
            <title>Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal</title>
            <author fullname="A. Keranen" initials="A." surname="Keranen"/>
            <author fullname="C. Holmberg" initials="C." surname="Holmberg"/>
            <author fullname="J. Rosenberg" initials="J." surname="Rosenberg"/>
            <date month="July" year="2018"/>
            <abstract>
              <t>This document describes a protocol for Network Address Translator (NAT) traversal for UDP-based communication. This protocol is called Interactive Connectivity Establishment (ICE). ICE makes use of the Session Traversal Utilities for NAT (STUN) protocol and its extension, Traversal Using Relay NAT (TURN).</t>
              <t>This document obsoletes RFC 5245.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8445"/>
          <seriesInfo name="DOI" value="10.17487/RFC8445"/>
        </reference>
        <reference anchor="I-D.ietf-uta-tls13-iot-profile">
          <front>
            <title>TLS/DTLS 1.3 Profiles for the Internet of Things</title>
            <author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
              <organization>University of the Bundeswehr Munich</organization>
            </author>
            <author fullname="Thomas Fossati" initials="T." surname="Fossati">
              <organization>Linaro</organization>
            </author>
            <author fullname="Michael Richardson" initials="M." surname="Richardson">
              <organization>Sandelman Software Works</organization>
            </author>
            <author fullname="Daniel Migault" initials="D." surname="Migault">
              <organization>Ericsson</organization>
            </author>
            <date day="4" month="July" year="2026"/>
            <abstract>
              <t>   RFC 7925 offers guidance to developers on using TLS/DTLS 1.2 for
   Internet of Things (IoT) devices with resource constraints.  This
   document is a companion to RFC 7925, defining TLS/DTLS 1.3 profiles
   for IoT devices.  Additionally, it updates RFC 7925 with respect to
   the X.509 certificate profile and ciphersuite requirements.

Discussion Venues

   This note is to be removed before publishing as an RFC.

   Source for this draft and an issue tracker can be found at
   https://github.com/thomas-fossati/draft-tls13-iot.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-uta-tls13-iot-profile-22"/>
        </reference>
        <reference anchor="RFC5764">
          <front>
            <title>Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure Real-time Transport Protocol (SRTP)</title>
            <author fullname="D. McGrew" initials="D." surname="McGrew"/>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="May" year="2010"/>
            <abstract>
              <t>This document describes a Datagram Transport Layer Security (DTLS) extension to establish keys for Secure RTP (SRTP) and Secure RTP Control Protocol (SRTCP) flows. DTLS keying happens on the media path, independent of any out-of-band signalling channel present. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5764"/>
          <seriesInfo name="DOI" value="10.17487/RFC5764"/>
        </reference>
        <reference anchor="RFC7924">
          <front>
            <title>Transport Layer Security (TLS) Cached Information Extension</title>
            <author fullname="S. Santesson" initials="S." surname="Santesson"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <date month="July" year="2016"/>
            <abstract>
              <t>Transport Layer Security (TLS) handshakes often include fairly static information, such as the server certificate and a list of trusted certification authorities (CAs). This information can be of considerable size, particularly if the server certificate is bundled with a complete certificate chain (i.e., the certificates of intermediate CAs up to the root CA).</t>
              <t>This document defines an extension that allows a TLS client to inform a server of cached information, thereby enabling the server to omit already available information.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7924"/>
          <seriesInfo name="DOI" value="10.17487/RFC7924"/>
        </reference>
        <reference anchor="RFC8879">
          <front>
            <title>TLS Certificate Compression</title>
            <author fullname="A. Ghedini" initials="A." surname="Ghedini"/>
            <author fullname="V. Vasiliev" initials="V." surname="Vasiliev"/>
            <date month="December" year="2020"/>
            <abstract>
              <t>In TLS handshakes, certificate chains often take up the majority of the bytes transmitted.</t>
              <t>This document describes how certificate chains can be compressed to reduce the amount of data transmitted and avoid some round trips.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8879"/>
          <seriesInfo name="DOI" value="10.17487/RFC8879"/>
        </reference>
        <reference anchor="RFC6066">
          <front>
            <title>Transport Layer Security (TLS) Extensions: Extension Definitions</title>
            <author fullname="D. Eastlake 3rd" initials="D." surname="Eastlake 3rd"/>
            <date month="January" year="2011"/>
            <abstract>
              <t>This document provides specifications for existing TLS extensions. It is a companion document for RFC 5246, "The Transport Layer Security (TLS) Protocol Version 1.2". The extensions specified are server_name, max_fragment_length, client_certificate_url, trusted_ca_keys, truncated_hmac, and status_request. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6066"/>
          <seriesInfo name="DOI" value="10.17487/RFC6066"/>
        </reference>
        <reference anchor="RFC9002">
          <front>
            <title>QUIC Loss Detection and Congestion Control</title>
            <author fullname="J. Iyengar" initials="J." role="editor" surname="Iyengar"/>
            <author fullname="I. Swett" initials="I." role="editor" surname="Swett"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document describes loss detection and congestion control mechanisms for QUIC.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9002"/>
          <seriesInfo name="DOI" value="10.17487/RFC9002"/>
        </reference>
        <reference anchor="ECH">
          <front>
            <title>TLS Encrypted Client Hello</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="K. Oku" initials="K." surname="Oku"/>
            <author fullname="N. Sullivan" initials="N." surname="Sullivan"/>
            <author fullname="C. A. Wood" initials="C. A." surname="Wood"/>
            <date month="March" year="2026"/>
            <abstract>
              <t>This document describes a mechanism in Transport Layer Security (TLS) for encrypting a message under a server public key.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9849"/>
          <seriesInfo name="DOI" value="10.17487/RFC9849"/>
        </reference>
        <reference anchor="CCM-ANALYSIS">
          <front>
            <title>On the Security of CTR + CBC-MAC</title>
            <author fullname="Jakob Jonsson" initials="J." surname="Jonsson">
              <organization/>
            </author>
            <date year="2003"/>
          </front>
          <seriesInfo name="Lecture Notes in Computer Science" value="pp. 76-93"/>
          <seriesInfo name="DOI" value="10.1007/3-540-36492-7_7"/>
          <seriesInfo name="ISBN" value="[&quot;9783540006220&quot;, &quot;9783540364924&quot;]"/>
          <refcontent>Springer Berlin Heidelberg</refcontent>
        </reference>
        <reference anchor="I-D.irtf-cfrg-aead-limits">
          <front>
            <title>Usage Limits on AEAD Algorithms</title>
            <author fullname="Felix Günther" initials="F." surname="Günther">
              <organization>IBM Research Europe - Zurich</organization>
            </author>
            <author fullname="Martin Thomson" initials="M." surname="Thomson">
              <organization>Mozilla</organization>
            </author>
            <author fullname="Christopher A. Wood" initials="C. A." surname="Wood">
              <organization>Cloudflare</organization>
            </author>
            <date day="4" month="December" year="2025"/>
            <abstract>
              <t>   An Authenticated Encryption with Associated Data (AEAD) algorithm
   provides confidentiality and integrity.  Excessive use of the same
   key can give an attacker advantages in breaking these properties.
   This document provides simple guidance for users of common AEAD
   functions about how to limit the use of keys in order to bound the
   advantage given to an attacker.  It considers limits in both single-
   and multi-key settings.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-irtf-cfrg-aead-limits-11"/>
        </reference>
        <reference anchor="RFC9000">
          <front>
            <title>QUIC: A UDP-Based Multiplexed and Secure Transport</title>
            <author fullname="J. Iyengar" initials="J." role="editor" surname="Iyengar"/>
            <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9000"/>
          <seriesInfo name="DOI" value="10.17487/RFC9000"/>
        </reference>
      </references>
    </references>
    <?line 2533?>

<section anchor="protocol-data-structures-and-constant-values">
      <name>Protocol Data Structures and Constant Values</name>
      <t>This section provides the normative protocol types and constants definitions.</t>
      <section anchor="record-layer">
        <name>Record Layer</name>
        <artwork><![CDATA[
struct {
    ContentType type;
    ProtocolVersion legacy_record_version;
    uint16 epoch = 0
    uint48 sequence_number;
    uint16 length;
    opaque fragment[DTLSPlaintext.length];
} DTLSPlaintext;

struct {
     opaque content[DTLSPlaintext.length];
     ContentType type;
     uint8 zeros[length_of_padding];
} DTLSInnerPlaintext;

struct {
    opaque unified_hdr[variable];
    opaque encrypted_record[length];
} DTLSCiphertext;

0 1 2 3 4 5 6 7
+-+-+-+-+-+-+-+-+
|0|0|1|C|S|L|E E|
+-+-+-+-+-+-+-+-+
| Connection ID |   Legend:
| (if any,      |
/  length as    /   C   - Connection ID (CID) present
|  negotiated)  |   S   - Sequence number length
+-+-+-+-+-+-+-+-+   L   - Length present
|  8 or 16 bit  |   E   - Epoch
|Sequence Number|
+-+-+-+-+-+-+-+-+
| 16 bit Length |
| (if present)  |
+-+-+-+-+-+-+-+-+

struct {
    uint64 epoch;
    uint64 sequence_number;
} RecordNumber;
]]></artwork>
      </section>
      <section anchor="handshake-protocol">
        <name>Handshake Protocol</name>
        <artwork><![CDATA[
enum {
    hello_request_RESERVED(0),
    client_hello(1),
    server_hello(2),
    hello_verify_request_RESERVED(3),
    new_session_ticket(4),
    end_of_early_data(5),
    hello_retry_request_RESERVED(6),
    encrypted_extensions(8),
    request_connection_id(9),           /* New */
    new_connection_id(10),              /* New */
    certificate(11),
    server_key_exchange_RESERVED(12),
    certificate_request(13),
    server_hello_done_RESERVED(14),
    certificate_verify(15),
    client_key_exchange_RESERVED(16),
    finished(20),
    certificate_url_RESERVED(21),
    certificate_status_RESERVED(22),
    supplemental_data_RESERVED(23),
    key_update(24),
    message_hash(254),
    (255)
} HandshakeType;

struct {
    HandshakeType msg_type;    /* handshake type */
    uint24 length;             /* bytes in message */
    uint16 message_seq;        /* DTLS-required field */
    uint24 fragment_offset;    /* DTLS-required field */
    uint24 fragment_length;    /* DTLS-required field */
    select (msg_type) {
        case client_hello:          ClientHello;
        case server_hello:          ServerHello;
        case end_of_early_data:     EndOfEarlyData;
        case encrypted_extensions:  EncryptedExtensions;
        case certificate_request:   CertificateRequest;
        case certificate:           Certificate;
        case certificate_verify:    CertificateVerify;
        case finished:              Finished;
        case new_session_ticket:    NewSessionTicket;
        case key_update:            KeyUpdate;
        case request_connection_id: RequestConnectionId;
        case new_connection_id:     NewConnectionId;
    } body;
} DTLSHandshake;

uint16 ProtocolVersion;
opaque Random[32];

uint8 CipherSuite[2];    /* Cryptographic suite selector */

struct {
    ProtocolVersion legacy_version = { 254,253 }; // DTLSv1.2
    Random random;
    opaque legacy_session_id<0..32>;
    opaque legacy_cookie<0..2^8-1>;                  // DTLS
    CipherSuite cipher_suites<2..2^16-2>;
    opaque legacy_compression_methods<1..2^8-1>;
    Extension extensions<8..2^16-1>;
} ClientHello;
]]></artwork>
      </section>
      <section anchor="acks">
        <name>ACKs</name>
        <artwork><![CDATA[
struct {
    RecordNumber record_numbers<0..2^16-1>;
} ACK;
]]></artwork>
      </section>
      <section anchor="connection-id-management">
        <name>Connection ID Management</name>
        <artwork><![CDATA[
enum {
    cid_immediate(0), cid_spare(1), (255)
} ConnectionIdUsage;

opaque ConnectionId<0..2^8-1>;

struct {
    ConnectionId cids<0..2^16-1>;
    ConnectionIdUsage usage;
} NewConnectionId;

struct {
  uint8 num_cids;
} RequestConnectionId;
]]></artwork>
      </section>
    </section>
    <section anchor="ccm-bounds">
      <name>Analysis of Limits on CCM Usage</name>
      <t>TLS <xref target="TLS13"/> and <xref target="AEBounds"/> do not specify limits on key usage for
AEAD_AES_128_CCM. However, any AEAD that is used with DTLS requires limits on
use that ensure that both confidentiality and integrity are preserved. This
section documents that analysis for AEAD_AES_128_CCM.</t>
      <t><xref target="CCM-ANALYSIS"/> is used as the basis of this
analysis. The results of that analysis are used to derive usage limits that are
based on those chosen in <xref target="TLS13"/>.</t>
      <t>This analysis uses symbols for multiplication (*), division (/), and
exponentiation (^), plus parentheses for establishing precedence. The following
symbols are also used:</t>
      <dl>
        <dt>t:</dt>
        <dd>
          <t>The size of the authentication tag in bits. For this cipher, t is 128.</t>
        </dd>
        <dt>n:</dt>
        <dd>
          <t>The size of the block function in bits. For this cipher, n is 128.</t>
        </dd>
        <dt>l:</dt>
        <dd>
          <t>The number of blocks in each packet (see below).</t>
        </dd>
        <dt>q:</dt>
        <dd>
          <t>The number of genuine packets created and protected by endpoints. This value
is the bound on the number of packets that can be protected before updating
keys.</t>
        </dd>
        <dt>v:</dt>
        <dd>
          <t>The number of forged packets that endpoints will accept. This value is the
bound on the number of forged packets that an endpoint can reject before
updating keys.</t>
        </dd>
      </dl>
      <t>The analysis of AEAD_AES_128_CCM relies on a count of the number of block
operations involved in producing each message. For simplicity, and to match the
analysis of other AEAD functions in <xref target="AEBounds"/>, this analysis assumes a
packet length of 2^10 blocks and a packet size limit of 2^14 bytes.</t>
      <t>For AEAD_AES_128_CCM, the total number of block cipher operations is the sum
of: the length of the associated data in blocks, the length of the ciphertext
in blocks, and the length of the plaintext in blocks, plus 1. In this analysis,
this is simplified to a value of twice the maximum length of a record in blocks
(that is, <tt>2l = 2^11</tt>). This simplification is based on the associated data
being limited to one block.</t>
      <section anchor="ccm-confidentiality">
        <name>Confidentiality Limits</name>
        <t>For confidentiality, Theorem 2 in <xref target="CCM-ANALYSIS"/> establishes that an attacker
gains a distinguishing advantage over an ideal pseudorandom permutation (PRP) of
no more than:</t>
        <artwork><![CDATA[
(2l * q)^2 / 2^n
]]></artwork>
        <t>For a target advantage in a single-key setting of 2^-60, which matches that used by TLS 1.3,
as summarized in <xref target="I-D.irtf-cfrg-aead-limits"/>, this results in the relation:</t>
        <artwork><![CDATA[
q <= 2^23
]]></artwork>
        <t>That is, endpoints cannot protect more than 2^23 packets with the same set of
keys without causing an attacker to gain an larger advantage than the target of
2^-60.</t>
      </section>
      <section anchor="ccm-integrity">
        <name>Integrity Limits</name>
        <t>For integrity, Theorem 1 in <xref target="CCM-ANALYSIS"/> establishes that an attacker
gains an advantage over an ideal PRP of no more than:</t>
        <artwork><![CDATA[
v / 2^t + (2l * (v + q))^2 / 2^n
]]></artwork>
        <t>The goal is to limit this advantage to 2^-57, to match the target in
TLS 1.3, as summarized in <xref target="I-D.irtf-cfrg-aead-limits"/>. As <tt>t</tt> and <tt>n</tt> are both 128, the first term is negligible relative
to the second, so that term can be removed without a significant effect on the
result. This produces the relation:</t>
        <artwork><![CDATA[
v + q <= 2^24.5
]]></artwork>
        <t>Using the previously established value of 2^23 for <tt>q</tt> and rounding, this leads
to an upper limit on <tt>v</tt> of 2^23.5. That is, endpoints cannot attempt to
authenticate more than 2^23.5 packets with the same set of keys without causing
an attacker to gain an larger advantage than the target of 2^-57.</t>
      </section>
      <section anchor="ccm-short">
        <name>Limits for AEAD_AES_128_CCM_8</name>
        <t>The TLS_AES_128_CCM_8_SHA256 cipher suite uses the AEAD_AES_128_CCM_8 function,
which uses a short authentication tag (that is, t=64).</t>
        <t>The confidentiality limits of AEAD_AES_128_CCM_8 are the same as those for
AEAD_AES_128_CCM, as this does not depend on the tag length; see
<xref target="ccm-confidentiality"/>.</t>
        <t>The shorter tag length of 64 bits means that the simplification used in
<xref target="ccm-integrity"/> does not apply to AEAD_AES_128_CCM_8. If the goal is to
preserve the same margins as other cipher suites, then the limit on forgeries
is largely dictated by the first term of the advantage formula:</t>
        <artwork><![CDATA[
v <= 2^7
]]></artwork>
        <t>As this represents attempts that fail authentication, applying this limit might
be feasible in some environments. However, applying this limit in an
implementation intended for general use exposes connections to an inexpensive
denial-of-service attack.</t>
        <t>This analysis supports the view that TLS_AES_128_CCM_8_SHA256 is not suitable
for general use. Specifically, TLS_AES_128_CCM_8_SHA256 cannot be used without
additional measures to prevent forgery of records, or to mitigate the effect of
forgeries. This might require understanding the constraints that exist in a
particular deployment or application. For instance, it might be possible to set
a different target for the advantage an attacker gains based on an
understanding of the constraints imposed on a specific usage of DTLS.</t>
      </section>
    </section>
    <section anchor="implementation-pitfalls">
      <name>Implementation Pitfalls</name>
      <t>In addition to the aspects of TLS that have been a source of interoperability
and security problems (Appendix C.3 of <xref target="TLS13"/>), DTLS presents a few new
potential sources of issues, noted here.</t>
      <ul spacing="normal">
        <li>
          <t>Do you correctly handle messages received from multiple epochs during a key
transition?  This includes locating the correct key as well as performing
replay detection, if enabled.</t>
        </li>
        <li>
          <t>Do you retransmit handshake messages that are not (implicitly or explicitly)
acknowledged (<xref target="timeout-retransmissions"/>)?</t>
        </li>
        <li>
          <t>Do you correctly handle handshake message fragments received, including
when they are out of order?</t>
        </li>
        <li>
          <t>Do you correctly handle handshake messages received out of order?
This may include either buffering or discarding them.</t>
        </li>
        <li>
          <t>Do you limit how much data you send to a peer before its address is
validated?</t>
        </li>
        <li>
          <t>Do you verify that the explicit record length is contained within the
datagram in which it is contained?</t>
        </li>
      </ul>
    </section>
    <section anchor="contributors">
      <name>Contributors</name>
      <t>Many individuals have contributed to previous versions of DTLS up to 1.2,
and their contributions are acknowledged in earlier DTLS specifications
or in the referenced documents. The following individuals made significant
contributions to DTLS 1.3:</t>
      <ul spacing="normal">
        <li>
          <t>David Benjamin<br/>
Google<br/>
davidben@google.com</t>
        </li>
        <li>
          <t>Thomas Fossati<br/>
Arm Limited (now Nvidia)<br/>
tfossati@nvidia.com</t>
        </li>
        <li>
          <t>Tobias Gondrom<br/>
Huawei (now United Overseas Bank Limited)</t>
        </li>
        <li>
          <t>Felix Günther<br/>
ETH Zurich (now IBM Research Europe - Zurich)<br/>
mail@felixguenther.info</t>
        </li>
        <li>
          <t>Benjamin Kaduk<br/>
Akamai Technologies<br/>
kaduk@mit.edu</t>
        </li>
        <li>
          <t>Ilari Liusvaara<br/>
Independent<br/>
ilariliusvaara@welho.com</t>
        </li>
        <li>
          <t>Martin Thomson<br/>
Mozilla<br/>
mt@lowentropy.net</t>
        </li>
        <li>
          <t>Christopher A. Wood<br/>
Apple Inc.<br/>
cawood@apple.com</t>
        </li>
        <li>
          <t>Yin Xinxing<br/>
Huawei<br/>
yinxinxing@huawei.com</t>
        </li>
        <li>
          <t>Hanno Becker<br/>
Arm Limited (now Amazon Web Services (AWS))</t>
        </li>
      </ul>
      <t>The sequence number encryption concept is taken from QUIC <xref target="RFC9000"/>.
We would like to thank the authors of RFC 9000 for their work.</t>
      <t>Felix Günther and Martin Thomson contributed the analysis in <xref target="ccm-bounds"/>.</t>
      <t>We would like to thank Bernard Aboba, Antony Antony, Andy Cunningham, Jonathan Hammell, Nick Harper, John Mattsson, Sean Turner, Michael Tüxen, and Anna Weine for their valuable review comments and contributions.</t>
      <t>Finally, we would like to thank the following IESG members for their review
comments: Martin Duke, Erik Kline, Francesca Palombini, Lars Eggert,
Zaheduzzaman Sarker, John Scudder, Éric Vyncke, Robert Wilton,
Roman Danyliw, Benjamin Kaduk, Murray Kucherawy, Martin Vigoureux
and Alvaro Retana.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+y9a3/bRpY3+L4+BR7lRaSEpHWz4shJnlFku+ONHfuxlO7p
Taf1g0hQQhsE2ABomWN7Ptm+2y+2515VAChbTs/s/naXPdMtk0BdT5061/8Z
j8euzdsiO07Or7PkUdqmV3W6SM7rtGyWVd0mz9J1Vidn2XRV5+062X50/uxs
J3lZV201rYrkz1nd5FWZ7E0OXHp5WWdvjhN8hL6YVdMyXUDbszqdt+M8a+fj
tmjG9Xz67d7hN5d5M97dd9O0za6qen2cNO3MVZdNVWRt1hwn+Ixz+bI+TpZ1
dv/gmwfn9app93d3v4XX0jpLj21g7qaqX1/V1WoJM3l25l5na/hmdpw8Ldus
LrN2/AjH4FzTpuXsIi2qEsa1zhq3zI9dksCQslnTrgv5NklgfsGfeTnLyla/
aGBl6mze2L/Xi+ifbZ1P7eFptVjAu/ZrXhZ56bvJ3rbjIm/aMTRyWRXw2Lj6
6mv4BVZvkS6XeXnFz6ar9rqqYbBj+JE+eQlPP54kr7JmWtVFqt/zoj+GQfR+
quqrtMz/I21h03BxZtkyo6npA9kizYvjJHtd/1vdzhcTGL3rdvnTJDlvptfV
PCvzq7jTn9KyzJqBn+OOfy3zN0g5QFHVPGmB9H5cwTCam+y6Tp6vynx6rS8q
VcErP94kzyf6/RRePk5+yVaX+WVWWz91dkU9/Ji+Sevc5j2tVmWLNPanrF6k
5dp/P4NRP7h//5tvOitwTTOZtDaTf7tavJ0AJfWW45dJ8ryapbPV1SpejF/S
K1jcOu39HC/Gn6rqqshGsBvTSWcQpbTwb9NmgpQ7B5qeZLOVc2UF82hhFZF6
Xz053f3m6IH8ub+39638CX/tyZ+Hh4cH+ueD/T177Vv99mj/W23hwd43h/In
HMKjYziF2HXU4Tf73x5ph/f397Xpg13r5eBw1/955P/8Rv68v3/wwP60B478
A9/c37+v3+4+oHZPHv8IOzlrjmmhhHVtPcsXedskwIdO4JAANefIVGbJ43Ja
r5e4ysmvTQa7hbxhi16100SfMe/kySR5tlq/fht/+/MkeQnN1U1V0g8z+Mdx
sr+7dzTePRjvPuChpPVVBmd+67ptl8f37t3c3Ezy5mpSX6+KSTqdrF7f+8/X
y3vQ//jk8SXNYbKczXEwr178+OvZeTyjV9UlsLrklKgQmQIcrBnwjSs4B3VW
5OllkQHxt8j2GpwYnqFXGZz1GbPsBg/W//r16WkCLxpLvmXuzyfJkxyIHTqJ
f3gySf70f/4fJXRQxz+cTpL/Da6Jzqrs7453j8Z79/ur0sCyZMs6L9tJnk7r
CZyCe/j8vW/2Hmw5Nx6P4bAD70yncMbOr/MGWeAKeWfSLLNpPs+Bs7zxF46y
jo/eWk5uraXcWhNbjyQtiuqmSaZFDt3ca7Ia2k+A6xZIQdBPA8yfODjyJJhh
UuED0KvTiwUXP01u0jV8m8K/YNRZk1+VQH7wKlxcb3ACWfoma2Z1Rfx8BOuy
WGY1/Ynbs8iaBk66gzN2ldXrCU4/84PUcWPjl2kDLVe84ZuvaZyvi97FfuAf
b3IYXpL9c5W/SQtaWn3napVCc20GP9/k7TV1kL2dZnx+YK2BtqAPbDCb0nf3
krIqx3W2LNJ1epkX0Mok8dvRABPDo9joRiGLr4s1UnFrI4d7HFeJln6WXK55
S3Hqtl1dajAZATlDggxjwuSzyGezInPOfZHgxV9XsxWNlNcTSG+R1jDRKi10
SGE/uLywZRkw2ku4ka9hyeioGD8ZuWlVznO8LvMUZzumVQWCzq5wCceyNjCP
KR/c5BKOaJbBbt2EZIQrsMyAkic0sO4g4MFlRds8pxcLOtDHTgdc8zmPtlZ/
g35nzXX6Oguo/afqBqiwHtEDC+Arrl6VTMlpYtzEb4kOHla0XS9hwEWxTs5P
Xybv3smV8eED0yjsHe5ffGDwGKyA3f76yN44evDhQ5I20F2w8eXMfdLxTTrH
F+YI5wBXdQbTKqplBg1VsFhzeClYZKBQI+6AauGQwRhhfaNhTxzRHB3fAiUK
2HCYdXiWLzMHHTdw1xRpjV/gC/AN7FWTX+INflnhuamADkt46j+ypMxu/Bjy
ElkBDoE2rHKL9C0/hsuQLlBEwS1HmUQIa16nwBCBiFewynUGqwrrLnxhlxcX
L1RY3BsYSFXnV3lJuzXL5jkOm9YcZtSmybyuFgm/umevHn34QCxIG93nX458
o1FLcEqRCcMgqc1GV8FexIsciCNJiDgcLGdZKSPbe8i0oSy8XC1gnamT5nW+
hG1EXspcBtq9TutFVeLyxC80jtgTtEndQBdyO8iew5ZNa9jBhpZ1UcE1ChtQ
I+PQhvTiCA+eG16qA5jX/4A/9w6+fzp+NAl1mAeHh0egw+B0n4ZMSZcSturp
YllkyLPCswHDTV8zrdiqh5d0MgXGg0wFrguiQ+XHQLMuaKEqYaOthe1Vg2zF
/k2EtKqbbGeU/ANlCZifdpDHw3LDHVrLTZYlJ0tUFPK3ySNs+d07WhIgETxN
s6wFabXZmbi/XOfASS7T6eubtJ4xJ4M++G7gVo168/Dk0PUARxLaDh8oK+BV
GWtQM2DAOInsLdw3RJJALWdyqA8mMmeiQhQckUW9e/c/Hz1++erx6cn54+9R
rv322yMe82U+a4Y6ndDdcVrpUW1oZ85BacjLqqiu1nyVgHqZoH7ZJFvPQXbb
GvH/Jr+8oL9fPQbJ69XjR/j32U8nz57ZH/rE2U8vfn0Gvzv5y795+uL588e/
POKX4duk89Xzk79usdSw9eLl+dMXv5w822IBMG+cXZHIlYll8b7CBdvyGdbT
Qav3I/D0vUNeM9QaYG3ob5T/P3xwN3D1cVdEavxPWLQ1cs4MeCCKPkUB9LrM
27RoaHua6+qmTPD0ixgzr1DGoksflrGhocGqz0CrQFGSRS+2P8AmLysYMDSc
wxVL96QdVLh7S97tCb+ZNg0o5qJEnQG7gEnB3Q3kG9662mbjL3Z4DkmRZWFu
3K5Nadt3Bk2vQcxZL4jUgz7lSW0fFO4cZWQaME8KeFkiIqVwnN4csmU1vT6G
9c3gSeb+qLFUcCEur0F/B0JraLWo98zrM7grs0z/Ka3ZLECVKWURC7iErqqW
x2wrIwPEVmSExFj8EjUsv6PYBGLhImtFpRicBcoy1KUuxiT5yzXez6BQrBri
Sym2A3LUCu9OfQzIGV/dgqttju3Dnai9GimoVF1nC7jCkajbQJZrVpf/gKHQ
jSSd2aiAcWRoZohGFrSHv+LQWJxq5K0GOc2Gd0h4AVWzHXqtpq4iMr6BLbyG
gc2QkSlRZ7eQ9OnTR8fIfeTb5Okj/v752TPQ0FBcWC2A513RGX+Wz7M2X2R8
zOosxYsTRgk0CkxARJZknoK8ksOiE/c1xj1xJ40oxHglMAf+KYOj+ipr6/Ur
0BCAGEjUwl8aIIGETQAsCZzRfOkFJ+oLyD+rluh0SvwTKGwKVwnzWGwEz/9A
H+11Xa2urqtV69pIzoeO8nmSwzqSoIk7DCsPuy0delnoAPuA64IVYtAiUFMj
QWL7Mr8a482Vljs6ATlK1Qy3UdpqXKRZ2c/yikpBsGL+7sPTA2wQjhL082gH
hxKJIs2ktzVFU31kf8TmAuyXlj5aD5RXRa4BSknmq5LIhHQRbE5XA/p9kl+B
zNjozeAbyYtihUo2rBBayKoV3dKXIDfyfTckG6EeCLwFVmlkyoaYK4FC3vDu
ej6/yNISzZZIu18lX379JRrKZqRD0ZWewSa112totc3KhnptaGilnO3sDY4L
rhx8eOa3m5r7KmquWvIKEK/N2xXNYmxmTdvee0FndJzxGsJTmRagu/MApIN3
H74MOtAGEq/csaRFrBn2NUe9lSTGNPnbb8w+fr8wVnwBaz0HirgAPQBuYenj
b7/9/pmdxM1d/DIhdZe26xEpK8mrlJeElYgXcEzf5KCHvPtiRoKr/PqBaROo
Hq4ZVnMSuHKKqqmW12uTiXKxgJSshyRb+CWpjjPV20yl2wIlqvclHEq+F2s0
OtREAbW3RJj6WaE4MeZDiyoYdEGjwG4m3h5iJKk2AzkkS5Jd4RjQLe0VO3n/
JNRQmxVw5RRXHdgCWuszOINoizGbDuh+2fIabn0Tf+D0J1f0GLIa15+8ML5Q
+5yt7L6CGaXrcYMUiDbUBE4bHE+Hh00bgA2msZLuBJwBDlZekeTA4w1nABOG
s09HckZyGZmk4gXKRXCAEZAKmsWjG8FxQf7cV4RmFR9Tkt5hxMgqcHIFqlIV
biTtkoxXCXKS/EL3M56tG1QDHHCDcQEvl9O1X2RaT7+Q3DUZyojwucntbHI1
GWGnLlDcYSXS5C/Z5avzU35M7BSg4Nh+JasWuOl/qBaGLaCsbnLNQqUenPYZ
L8urLC3GeJEGFghzcG2fvTp/uTMwFBoBKBio9H5zJBYRvNNhTLB2lyzkwp0F
ckILrGzDmWnEHhHyzznobXhpNLDVwET3JmL1IeZPsh9pcPk0R/MdXKK4j6JN
w88qmCTJ0zkZeMhaJNoUuUhILprRnc8sF77KlyQR3sD9YBf2TV3BcLpdIL1h
O2nbZoslC+kVyWdvstA2pfYW5Fogp3EzrR8e7RAozW9Y2NRjDMxggXbAdEYX
cKf3hvtS0Wt/kqgFzVu+8KIFap2+HjdttuxI1N4sljzXqx96R7MYbpqJeKgu
AZ3oYrGZV8UAOgAP4QHYVzWMM+vCvkFyrOuqlpP8qDO4clqsZp7n2wSxjWCO
WUlscV6nJO35a5Aoo8kWl0BUbCVironvG+OE0U5BnjGCY7Wrd4JhBQ8m5Fvg
wdk9RFZZ2EKydEJHBRrySUkoyTxxSVpAa3p4itzkqqBJaJ9oCyYT2Qz05Hme
FbOG7Tq93pBFrZbMRWW+xKOIymgTdMYw4MNJMnDL6Lby0JtVQ4ZrsmuCxHUJ
t+kbz1Sx3Ww+RwIFCgM5ASY5ruZjvFByILXtR9XZDtJ3On0NDV7BNGHhQAtk
HSZfpqBPRtNL+WABUy/HIM22Yg4HFpVNX8fWHZJU1VyLX/QlYvUHQJtkfHn3
blY1PWOL++KLJHkJQ4QL61nVNCINU/u4H2jkwTExRZNmlCCbq3UXClTu6HUg
jAbNJSwhRK9AtzM42iXLjDxyFhqAAHCRRyKqEA/L66Z1y+uUrSptj/yBnf3n
f/6nejmT5JT10I9/WN/wL47p8wkv8oPdHmnNe0/94Fy/gc7n37+Dbntb9vH3
ep9tPI07QY+/ndPmPH67RDHpd/epY/Yt2s5Bu7jM746TLwa2lL2M32/R1ryK
f3r8NkW62QLx8IWKB2IsIF0wYI+khgQjMzUQrqXsLShCbeNI+EDdrU/kKKeF
aqSIt6ha0JeB3yInUnJMvBmvzygc2usSvXhswjArjAsHJ5csvLgEWs66nXmf
Au7KiDV3N03tsHJHji4fXYTuCojVI2hVbo9G+g5XeuRyG3fUKHqyB1crWCtR
LNVfiVrlApgU8uOGrvyBQ4/Mwzhu3jrUVJpku5LlAqbe63VHuK+OrVFZE9Y5
2gwS/hyKqGs2jYT9NyoE92eVvqnUEFtmJKs60GpQ4GRDXlVGBEH3ab+Vjs/1
MnPNAu2SWYl2BbHeiGhDhpi2yYo5Kd92uyI5gSpMA4IpOGJuNa7mJbBztqIW
WUoGo8WqaHNkrr2hoEjyBNe5qjPh1IlsALTSxMspZMAMXh7pnNSGxErk86/4
ysahuaclcdVRkqWgGPTuU7EB8XqkZpLwggZLGbCcRK4pme88qaa+RRceabz2
QYObvib3Uksm8QwJQgmoDQfAW/q2dfadMQUWTJHSGxFBc7q/p/AkkSY/ADuF
/ToY9Iq+Jgqer8gXdq3hELhNZIRWq4GncbJM4Jl2KsTJWj6JZAyS2u2GHpBO
RN6BuQNFkiCUbLOpogJJa7VEqt3/+/7heI8MTzAp+HWJYQwoS2C0UfIa9Gr6
bQfm9uOaZCd07Y3QSepiIa2at8iGMKSF6bmAgfAB3bu/u8t9IEt8+jKWllTE
x7OAsh36wL07raPMkbRNnYg2SLSES+D6BLVI1/FpYW2mQe6cFrxwIpNzQ6jY
svEzb+jsoPcGRzHP21BcJB+xTt+JrLNctKsx0D/susg8V6t8lsJGw+o9vmWY
IpE27FtLbbzoGkbrOm6y/9YVWXnVXhNXWaFhK9CCcAMrpEZ1FyKF8cKTFto7
IUQkJqbytanuWFDV+1K8HWsMnkgeZaItiQynVq1irYJxo5oVh1vQCWTLMXNF
+Nd1mcNZIbXT5YHZNiUr4NOXTTZNTn669/js5Qj1K70w2Dp/mbeLdAk8spxV
NzBJOzOBOsnxRYH9rK3gYi3CjSWtkdtAr3IdvkHnMTDu0XVr3ZDYnmNICvKX
vJmmQLmziRhQ4zkn84zsJ0hdulRqzxCJdrbyJqC8cYGlD64GEOGRU6C5GveN
7s9qOgWtW0w2KMLjupAe13TMR3ga6HrI36SXhQ7LetQhMLdPp7gCSOxrt6hm
+ZwCXPLabCf+mmYJ+2rNFj1THcOork5gkJAExYfQLZhjDAQSsIk3g4/i1tCk
B14wB3L4xoStEPLzab4Elo+Rq4mPTqhIPiCiWy2zel6scIk7vn7sGATVdr3M
RCNkHT5QpEr2iYlrKrY8iBwRxMBck2mdwiY5FKDzhsR3xTYO4oa12GXEiUb9
wWhxg0J+Rk2bIEq3mhha5nhmAuccuQ02Dl30Xw6ua29bSJNEgYevpmb2pYgV
ulj4AGE7sroNq/FGGjwKjNVI0RZGCjr+8BL95tQbrNQ+UHyLVFpU7OaInfXY
fOiv35+EqwDvv0mLFR1A4qy8xCAggTiGkgf5QGCptRcykHS9hzzQkb8pYPMf
8AscsItUXYJAqJcOvIHWDWzs52z96xJjDicgF+OtAQs+hoUfU5uxrsxL090R
GTr7HC+ZZRfI++jGPHzA2yuDPjrEf3bbmCR+SYVesDENBcBWGzaqtdcDhiwy
lVYrYKAYZwcT3P/74YPxHnAyonNsCpg/DGbviAdDEqywMWh7l60htx7La/LW
USw03EtjvvPs2LiYLJRdq4uebcdAzavSOybsIRGZfLdu4/u9t8MQRznK7GkT
+w0FEVxmsB+T5NeSJCCM+0CTJ96JbSoKqBNfk+6THrPQPk7nx8RD6PEedRsc
HjVJiI/jnanUpxXKLu058itkWg/tFzUQawJEkV2l0/UFz+VC2vaPr2CFYRf5
ZH6f7EY/AK0pcVwwcfRe5H3zX1fLFO96lSt+i/Zxwk//zo9/iM/+Qzc8VW1y
ylO+rcWPLA2N+UHyH1ldNb/xixfV/GLJBt1oVE+BFdQfHZqMbIVcJZtdXM/q
35Sgf+8ticRIwHO8F78NLIYn2YddOwmRYmgfwctTruAnTKFoGxnc7mN3zLcQ
80ZiA5eZcJnk3f79w1Gyf/+AeRNKlHpe1IZMQj6SsYZuhBaM7XySTUYUKoLS
zFVWUqwWiBjzliI5++r7CNq8oShN4F0ottClD0PSsdz/0Of8yXJVY/gpXX1P
W5sGcPWqlruOFC59TBiweMVHQajYZA+a0LuxNrek6h9w8jj+xXHcxND1YUL3
0NXBCw3NBKShjclXwuqS7eCRHfYQBLLL3DiknLSRsCDy909zeo108S55aXf2
PfExHXBwB/fJ3Q9gAhR4WX/wjGg32YO5HySHyf3kKOHUlK/Hnf/Qt+934T97
70/fn71/9v5x8vj9bc/GoSXw7yR5lmGGybH8vg1qZYpeT/pwW/cSWRO85fnf
yWlC0SpRa9unTx/tsFtW0omgfY09ymY79O/kjN4869zF3MHw0HGQ9NIzHkWn
hwdoGuMLknt4TA8/RvrgZ6yzX6iz21dIWpK+3gfrIv3u6Lr0W1BWIvTSYyO/
Ckn+RCSJbORJ/hb+/SPc7UpH7XUNp+k6v7qO5A8yrEtciwbTR/RNt6aKM7u7
JK0DlYPGT2EgbLK7zoQ1kSAxz1kyEbVN7mJMn1IXnxq63uINi945kOuBugci
CdkR+s23Dw4kHJY4jfTOnK2V+B1Q5ptrUq7syHQUmoav7N7v+y6xJ4LoUXOA
r2kVQHGscx/JQyowCM/tPfIT/XOVAuNv8TYgt3p3ihTpGLcMdN1EgTkJ9QOz
BhmHjD0swJLDraM+icxmQTJyu7IGBDfO3v4FUEuyvX8fHTqnSgWnRITbu2/3
dndUUGUjeOfQkcs04+AVd6avn+nruw92gigTWg4MqDbuFEuzSDkUvMOS+HhA
4h0BY+In9o7wd1KPulHOz0/+miyA//ckXorSU42TzzxrBsFWRTFxz3RGz2xG
h90FEeYUrcRjO06YPgFCPZ0lfP1gRz2wKvBLzAk+GZ44umBwT8L1xmb/3JGl
gTxYBu+FZLm8d0qMiCYUYMjOFicWxjmmhcmVY72Oc9Bp+Dm6gDrczO5Om0jA
EG0yItf01JdQXMlxTx29JSvLZGR6UrLH0TCiGXUfQm2E2SaO6emM02YKVdpl
tUhAZxNgfOjh7RPJPDJZXUV0jUYaedN7JJ66vi5i50/WVjZ9pkYqpDU3mJBk
7mvn3r0DNn4hq4/GSB88FxpbIluE6ROdO1yk1E/61g1dgsNX49A99F6F84Sk
c7oVTVLg/6CkEH67S/8h+eGP9p3YbSw3tP23/8i3REkoDKD/aAL3Kn6vGpV/
7l6H6d3b0PfwGDf03f12w8g3t/nYrid9m4WOXi9BozoftaXys/c2jbwrudwy
8v4M77Jjw+sTrQY9x1aR7nMiLEWj61gGhqcyPET8nKlofMvw+t/iZ5uSr9Ji
Z/Ob4c4lmwj+XrxHsEnDm7lhO4I12TDXfr8bRtxby01z94uGFKZeLpmMrc98
VQwtzsBwXIfLRl2osBtyyJ7Ey5KuBhWQ5nzevQtQWrhk+3HLGaBTUARrDSmh
m19thCx6qDAr9iaKTl0tRMDBa4eS5ZpWbz+LuhPeD3clqNsFJg96vj9BbxlZ
NlGOG7F/kjRtkwYpbAYEOb2EXOfKkVhxL/m1GNQezbYJ75/gqnmhWQW9q5LU
b5JKNaRQFeoCtWWN7oML1fnAq00SWTg0usvjMToZ40Z5jAIKexKoV/K8P1et
BnGUWFF4ZyfaDUoK8cu7o1X7aThkUgmi6z9Mxmnc4LqiH5klXRgHhu0lGJBa
241NxlE/QwfzkZwNHwNbc8zITAUZ8alZ1+xwm1NQs8gt5guVkJM+JeryBI4u
R9747O0y5VS32/0JFoSHofu0uhjnVoJIQ96nmTAv5rbe0hCkaJF19fgW4yea
8Y4OeQwPu98OGiw/RL2ybY1zt/f2WZ0wUZMoWfbs5PRn7xY992dYVFt+J7DH
dISybfTjLWsMlrbYUFkmNdegLTZh73Jdghy9Y0MQzwXaJiWRgBxz3KecNHfy
+OSRU9F+gnZAREBo0SWtwUmJXDtsSCpb7WBEOc4nQi6oy1KA88mjHdd1woQR
1JyzwVH5w469zohBhygwucpSnKPU0ugLOvzRIQaZVWJKiGuzwyNS/y680yRc
tp6Xq6p5vrBgZFVc8Zl+mKzKIn/t1eOQvIXNqoTOnvFHWaSZB57Qxmf9fNko
jQjrhaYo9Aa7LgQEBGhiBo29Jeuq8wPggy7eFDUa9HR0mSgHNqL9BRS3nlZH
7aPps2OqsTAZGCd5xHGSFca+u9DzQVtt08XIjXNr52CDGcgFxhRNYsS980YT
dasgwahdG2ZkR88Zu4rcIQwUYTbKrq+ZmpjAxU60T5cwelmSg31Qry93d/d2
k1347OCyHx3Id3vJHnx2KMarkbyn7C1vt6MBSlgPumvVzQ6CwNOTX04ofhej
sjQ2vOH0gnDJYB0eShwVnL10jAJBPsvY4kwxVN0LEdln0EDPAgVbTdo5h0d0
tjVtJFgfo/O/0jsmeIAyvUAo2N7f2xn5YJHt/X34J5rPp6+39492mDfIwpqZ
Pc7XTTueW1OWN/WrIenMwuRC1lTIxlE3HJUssZlmRknpMt5gdUxB5COzIvTa
VEzp8b3NM5A4rtDqkDYdQekh/QrXTeeskamMlgB3j4jLOw5RRmMh5KvkBU7w
Jm+yUTKwgnX2D37F8gevUzgHKRDNzM0yn5owGjBjamDZOC9hAfOZuIQ4EM9O
Ot1Gmp4XcypagBkSs2QcYBQP7HT6OkjPP4hyB7tmDrnMp+QDn3QiplmX6Hy+
jn9/n7xYoZijZgCxWEcaA5kGtl+cnu8kg793tIPe7/Bm8v33yf4u/A3awvgH
Aiu6ynibz5bZlHE7ku9gujub39+z90/wyCTbRuu3vLRvL2EXPn/hk14+8D0G
eWJ8L3/KiA/tfVBv6vYyg4snfFEikBJ8InrxfjTqQHHgGxl9KHo93dL9kR8+
yE36xsEouW3uH9vN3hf3+jT2t+5rB3vJdzSs7zA+gsf0vjO1T+oseb8t9zhx
n41DzIomC9/CQIBalg+Y086Gvt6HX9jEvt40sf4DUaPDof69ed328Bv/5yPL
4e8/7Lfg696XX3cffo/2CsqFD4byaU2+uTV74WPMpjcOmVI22zCGzuOxrfKj
j28/YpalX3zk8e4Xn/D4I+NMAV+6w3v7Q6zpDu8fbOBOd2jisMug7vDukecu
n/AWHUk7Lz8kjzFi8q70ZDEYLKeLEWlAA+hB5YhKgIYlUBo6RkZ6lG2y776I
48OiXKnSYotQOMMcr2Ltv+p5wECstJSJMBWzKrORU0VCzREd/YltOpFXZpJ0
3eENgptafC6immQIwkGAVIRdgDHQGjuHvI++6HTlJIaEDEe4gLuddyUEi3Uw
r9751zCAhzMMmygMj5og4InXGflOFmhTwXAVAQmQQGtOhU/SfCEpLvA4QmVa
agTPU1LBVZXCMByJ4SNN8AsMtUKREnv60yrHFEdQqJz7MaP0nChaE8MGYX1J
CJQUx5FPgWWvMgUGPNeYdh9/TFE0vBq/JNscNvNL8kPyfEdCMq9WZV+REPge
seN0HNgi31GjFG7s0BA3va4wlrOtXI3LUCbdZYwD1uRt3DzKNWBDUjZP4XQg
MIhTcERW8zs4baQ+oa5CP4poUlsyCRDftlkdHIcetYJSxoFDYm41WR/9uJof
rLhaGp9PI6dWnj4+f0I9wgDZ5mSDVD+ojA9xG1ZT3OCqbkYUqK323bWmGOMk
SC+qqysFUIGG/aCbdQMP0twbTNpkOwXOb4c8uChhw+lRq65ZdOdVbVtmUe1e
51AcRIc4bkwarLwa1ZjZiQ0HuEiWq+4zFGCVY5tR65O3kA4pRhIlnydw+gif
SDNAJVW9FEknAqARtIAhW68kwV2u0GzkMBJW6JNiHgLzJCVIUZSDoj2QdaDi
5DWGZnBBsrpk5p+dnr+UmI/Db492P3zYEWAoOQ6wRNw3Z1E7ze6Zcb4OTt+n
b8iyoVkhsIDBcL5syHiKYMpk4pXAFNsxOcIUYtu0FBuLGWgeo0TV3gTRBzg6
3ceoqgd7zfAyIQJJnV9dtxwIPADiRnombVk3zw12nVKsLXXIZ8aSv9mbc7tH
XsxMljIStrtpCLLJ6SU0yKgAoVWaKBuxD5REXWo4XAOWOyDhG9BXN/WF1nhm
I95uJ68w7A/SNojw9LQLIDQJAjEY1yhhk5gH98IEkhhWC5k+XuyCOaIP3na7
19HjH8SY7jGe/JmOk5XixAC1+jty86QJuspksgTlFS+Z2LLL4C5nUz1xA+ad
TQXbXlEGz6rMFZ5kcZkDyyS0VL3FyNyC3XV6cQGMBxtU+dllVmu0ask5cELz
PFxveST+iDAyIzKBrBgYLlgvfKvJHM2mITMQXdfBw2YzCWY60ql2sQSR/eCE
UjgFKA/kjUZD5jVefZgTR21qBqHNnEcwcZLIwcZpA4qhPJ0rOCDt9cJnDFDk
ak241BgXToMhpilPdGgZ2XuAp0fzJEse+7b8+pEeCqdzKriLFoEqN55IX8ia
XbcT4YGdJe6RDzo6aUPRHLxp+/1M4d/AKhiLdVpg4C1dixgOvCxWzNt6YCA8
aIwmxMflnsV+1n5TvamYSdlFc8QcgZU5YwN02etUzW/Biq1Kpm1O8NLIM26V
M24IOhHGjVCmyQnJXPhrBN6hF4L5VoIeZhU5C8KtUZeI62zOhn3R00bIoMgh
4I0lulJZMuQFR4mP+lCTqF0q5Uc3lp0gaaveu9DGmF7C1RqwOFh14WYBVjmw
szL74EKfzCi++ZCOzdI/2hDeRY85CcSUZ9m1wPgNS5Su6tJEvPY6gmj2rjPn
Dx6xIoOHJjeP/zFgVRqdjmwgbV47I2NawX9/8SpspheH6CyPnnoIYa9PHp8F
uDXYNv7sg+Ev185OFT48fnz6o/qz2ZyNERxRULkZq8wZ+hyb/V5f327KC6Da
UeLNWr/tTiZ7939nlIVbRnt6ncL/7e/eNmR0NZB8EnsaDjeNUmWFS0S4cZon
pewfc66TPY2bl0fphhghlas8slCZVUfoqDmLX0y2FVl1n4HW3737H6c/ncD/
EY7q4cG3IPN110vb2rBgB79H3xyGS4hUyW8pA1iJBd97WsQMbhBr8vz3yU8/
P3oyfkyO8/Gz9DIrcPAgm42SraZEzFT4f3jygoMcpEdtBuFfKouOlYgE9D/w
UcF7ls8xtym3PqsB7EkLzrcLIGm/sYVTyMVAumW5SKbr8T1NOT92l4FgYH7S
UEilKBlJxrNwBZCXUS3EWAsTMkTPN8fgQCKcLTjQIhxOH4hCPiEXUSIRsJ3d
qhzD/4xvOOZGInBT1YEGLqVJaPJEh9WUnbWk9gj8O4VYiM6g6O/er2JAcp1z
IWEzvDVpK+kketyxTErkBGM3EXpyah8SEukF3m2U3Oo2cre6jSjMBbkx+8eg
TerS+1hhZUGA3jZdwU0NfjjVHKFEsqe8ULUTgWUv8OpM4YbP2yA22fnVCYmP
br4Qnifm44KckOrShSD4eBu0KaO4EWJHWenQggRRlHqD9kaKuIdQCxfAVS/2
9h9cnJ4+v3hwcfbTyf79o5F2qbsRd5lol6jxyfZrtxR5wyual0DEBMHB3mSe
PS0KojKIw19wH8MbBaV7z6ppnxjpy7HYipEnw3dsCMkb7ocyB8IZxjWGUfkN
uK0RSUFgrE8LOuqEAPrUJdqIqg2fG0gwGmHibKn6fi7pGYaXkPYOKaMTdBH5
n3M9IhBQzCQwpvzwsVQqUruqKcAS3BfgH5BvM47jspxQA3eIXLpBnorhRgQY
YwHIheNAgS4wxkjQe2Jw0ygjnmVDF9ibKFFCmQKpdGqUCsdTrrE2zHXy/PzX
ZPsl/PcOYg3mqNc3rroU+60F7UQ59YkhxVh1HVTjCW8Gm0oYA0MRYiJYDNig
50NrqAsOzGUaI7OFS/YqFiMrDMNAmTabrliTElCJKBCRJtExthqABK0OP8eR
aU4lwVjRo8o3KRURUChqjy/BUS8B04uiGqnhSmGXwqHZq90cKXt1ma6LSq0T
kut9mV3lpeYOq404WByzezTLtPRAego63I3ypCwh0U5kYYg8AtOG49IhMOZa
9IkI1JMgCNOa42mCQ/LWlioMeJy4v+Ad/Oujl6yF+RSnTqgWIshU1WsyHl9T
0Yu6WtYERK2lKVxoOJqTpZLDlAZniUkoyOC9WdAYfPLoVM3PWP4JQ6JEgU88
J+3gEDUKRGSJWwxHTjbyoAsurqGnV+Rdb5vsaz8aTqJpQUlyUggHJKEplwox
WFstYcQoX4QDCBZRTRHDej2SeBXtyUA0BMKyMx+27AYxe5op+5DtQrDA2Uhx
shFBbwUU36gbaU3AYCjrIYyGWJdREKT5dyfZ3wtbcGj8CnkRbCnBDVUFxzMy
XKvrrHa2YNQltmPbm4LlQsOR9UDnWAkvVzcj14FM6tpDxUB7jWwh9JoFKHIu
XxAMb0vm+QhyUgKS8GYL8bMaWE4CwIh7Uyrq27GJNkNKmgrEwKqYETOAoZd6
ieIbWB2HeEz+Gq1KveWYaK2TgwcfPjiWFBrSdPl61DAeROTG88BXB/TSsK1N
GHs3zIfgHJHvP+Wf330RsnwyB7DSWIyo/S+bELCZgZoRoizjVtDkXxEYqMgG
AbOZOJPVHgWgtWp4QdsNZXvTe9Qah8JibqoHph17yBHzsDGyL0cxNzETxhtV
YNYoAh+FNwH7ZyxOHbmPcfUj/pKyT9GLhM9hvSe8+EnQ7Nh5Rt1XiQxxeobF
26bFa86UZZWZUOO7mZzGatijROnzl01VXyZPT5+/hHe3fOWiqkp+zK+21OJF
xE80ggX42MmFL705wtcEsnPwJeGdh4cMKBys8AZgMkEO0X2aEJmYGDrLgLWY
rsYXJCY6imQxLAw5c+KwUB4qOwzJQcZS2ioTdrgO1BvQlgS2VrZwKMXOKVir
OI34KCKnWKSzsBXkfASAwuMyjFfK1fD1JIgUn2iIM515uxaD9z00tvdSkU+D
gQeThOU1T/M6udAVL7+DiKnASN2u8cj/ob7NjKndizQj+9vtD52eiA55ev7S
dJxVW6E4ydZig0Fj9KUApcyEmpH3WIBCR5P32HCTGADJJcMTM3nppkagPJR9
NGaYjKFEqI20sJBaFqpVSVby/t/3xO41ABATSupSScE8UoMjgoVVJsg8wW53
aZHYFCUbMjRhFhWgU68lRhdDV2grlWsK81tAzq4zxgqPDwIwQDHH63dhR3Yw
NooTPDYnrDTSG+l3s/XAxYNOSIUnhsaqOfSFjMZ4xMNN3gnh77hLnAdvWMzk
7RfLvcO5NXzqhe7fHNJQ4Y8jznlYLUivuv/NEf0Aqr1gFI4cZs4wwybkZhYv
agHo7mM3B5zQW6RpdW+o7hMSEEgM2+L4fJOnPNmK/06hv/mq4ZRj8s9G1w/D
4Kl1DuhMq0WxpLrjbbSuT3VE3KymbaY3zRwn8O+P0C8eFAppQBmRWfRQm40T
zAVkoPG1PjLsTZx8eNvgNvDMHuzvMRSWo42r9Fl03D/Y35UfaTNZk+4w1b9w
iT9hVHI2BrOmI5bOU4Fj/gm8j5PLrw3xVTR0uPFbn8K4/ejJDrphoMltwjJ8
c7iTcBmJ6xzzVDBtoOjAYcqTRzssLdxSg9JXUvRwcaEAQRy6FrRZ2gXMRcA2
JB4Cef7OhutUbQsJqGilIm9KY1oii5ReupQVO7Vz5weo9U+UgwTykNtk2BD7
MObFwE4SYjxnBwzdqyGjj/tvBB4RKxIyjL+Bz79BAH/HNqtknt0gdiIevTpf
xgpPx3+oS47L6QzOlewWyB1AaVvkcEFgPYN0mc+i4BoCPcYBIcVQA3YqOqin
fEP4DL+GCUDk8GleT4F9UVBOI9rMBn7JbggWo6xQQ70qMhaEn24yLDHPGNxT
foDdAXglBuC5FWJRXHXXLGIggd4UhkkZuinLtgbgy9ZlZPfZW84cGrA6RVLG
U7wml1nKDuJYsRM7R+BtSBRZ2xylLlErFqw5Al1jyZGwDETcpPIGlLWr+Zw2
D0FaUC/3GZusQ+gk+25pXcQUcUUCU8eGUpF6lfLXaw4FTaetd6DTwff41zgq
WexLomsaMCt9c46E2R8fYF7NojsCp4ivNJGXYpF6aW4F555hhhzBXLD6aL1S
SmKnAGcfUo+sYM6nmwZRFHFNTIm+5KdSzVsWr3RyAus6Zlxa17fIepvxUAiR
2h4EsNX7TCburBs9g1ibuhH+YvAQQ0FVAT1wrikInVvNEuYTQusQWiTU1urL
Qh6qF06Kk6NapTE33t2G1Ju1wzmNzTJF52lqUbiJjMJ540hJkslwgG0HSNeQ
LSkSSIHMfPYXRd8SYhjcOhSC6zHXzQ/ImhyaONiKTJ12OpLsPA2Box4E4NSE
q0/YVAyx9CKnYdwOrVQ1D9LPaoUr5kFxfrbNYeZjSgopY6dXfxQLRoeW09WE
Rq6x9mTJ4bpBNpc0xr0+5DH0MsQ0CnJB8X0MA+/YWsfFiXOSs7T+sSHXhSnF
oSNtIH4netZL+yRX0R2vkYre1iXdulu7tWDNlPHAl2hBgR4pAIiMaiINhjmF
XL/XOAXF8sgGssJuqXJSg49FJA53SpXOdQ/V+uW2f5Kb0B8AHx48s/I7MLMF
hZgwX4xPMvmnYrbUKWenNNrJMqT61dlbEvsmO0lwwuxqXOZYc0VHx4jtWgtA
K584pFRgUisOBPYR0apDcwk5w0IgFlwTH9+O+rSzAf8v6M4a+S4EzeNweHVh
ODK+vUURpltJNrvK4se8E50XRWO3yKtM4SLDYYh1UKeo1ZCBLma3nPNuE2KP
Swx+cqvI5sOjw4giJZqg9Tlc0syXDU7Ov8DnN/OaauqKvFE9PAIZ7zeAVvsy
UVt8KwggVI7LK0atcYlREpVxNFK+JADMBo18Hd/9rVeFynVdHo7zDQfrPOY5
Xwc3lOebR+hbuRXCkPjicGUpF7jsPA7tyCUi7YfIwiuCP54pZHnaGyRcM3nB
DDzAu5DC6V58iMICWUr5gkpC0Y4+5XgGn3v/KyfyezGFtJkmL/IgNmUOVyZ7
Ufht3V5Wl5x+zYJHS6dOcTefn5yOkqydTnZYlDeTd6ctb6UcgI0XM7PUCNTL
IbhZHrpr1XS0XJe6Tovq6krucpCvr8oKGPY0AEXtxkeLyViTOoLQt5KzwOPY
aPt5Dhyl4Ccan+SuRac4/4RGTd8AY1dpvCDBSrlmhz1KUjfCDeStCOUU0Ou0
2ieDAMDmaJEyf5/lvugj+kAiSyp5MzvWpBAshc6gutyAuWO6EJUvCCtxuUfV
mU1RI5ywBgSs9hXVLSNfe5Y2a7z7sSyDrBfVxQtXDJ7sVMemLes5e9Bt5ih/
BCvLiF2fUxsY7la9NVr8K2WoF94OPq3Na1SwycBGWpRMQKPFxKVG5uoSmhZw
6pzCduDeJ2vmU7+2nI8VOeBCc5ivUNzkqJsSqKcuUJiAQVYj/Gt88uv5T8y4
jnYRglONWeJJTOcsnpNRjNfP4suQSoXCAqxKdF6iHYgj1q+4RoSvXkjI5fCw
k1KHJkeIiahj3IyMmNpxlzdE8giFyLG+6+8mF+t6bDBapBikm4krQRTTlBxK
yZI3yA3VQ2qU1VHw07OcFK13X6RwUMdFvvjg7Ga4P7kfB/Il6vIr+C25bLwU
HKUUTWHgl2FWUZwUQrH5FGvYZNog+Se1bA/h+tAogzhcDR4Adf6fK7LyS/nf
PvZTYHDUMH4MOglrc5RdEx+NI4kTy9hVpkhPNKCN6XBW6jqlGEe+qlRjrrOU
46p9DRrCVvDL21PLZUA4DOw3jCHzwmUKkuO6Icc+tDadLsYUbdIEcA1MVtQW
eRv2D6xYhwAqaciE98c4hcGac/gGi6dBgUstfsB7FyW6ceDXOUkiaJaQZ4Jq
0obbglYZztELWlaBiRmOY1d+NA5PCFREUW/yOLIE5kpUHujjZCtAA/RVHU+H
rORB+B16L4Ky81Q1hERjJHuaj4YtBlogm0g4jwQZl64yVzLF7c+scu8l5zMQ
S/R2Oieo5t6LNCebRVp2YwNJ7iOPICeD5A1GfDGvJScHgaIoKoMeSWFc0URH
iaVIWYCa8l2d0qYEKdLq+2xAsgSFxtjaAvNwnTn4LF7KkRWp07fUa6Abk6ne
NaVuvUNCLoJNcoS6IBdL8nJwn4upOrQtUq4JvRsgwW1iMoPn3ol3A/++EMM3
uZI3coOESg9GvENFV6ddCEKapclSpWw5xLO6Wi4zXxlZFoXuVOgt02gUx/VM
hfq6czzRcna6qFyQpZF+q0uVIJivlM7uUdSAxX8d5dzwWUhlOxWR7OTxj8qn
0EML1/iLH4GkKADgSZfj/Qk5nn2zf/+Iv0E2QN9ykP7+7sXLF8/+unewe3/k
F8DdflEN0BUVivn7wVEMTYbKs7HaeAJWrSplzbXexLlh1DTb/lSYnfdstThU
IMuSiZxkAiEWWCPXvxX8tt951oTMBnfD5L5uUXiZCEPv9njxgL6i4HAFt9sc
7mxXHIdYuM8cqUhUGBkmV0vLoEmXgXSrLCwMrhdXOJKNDSV7u6QaQ52EPtNZ
m9cE4E3VcqksOQvM4RpRHDbqzefm99kY8x0rs7JixLY12DCAuEMR9mqVot6n
l6JMawDskvNz2/jOHZIdLh44MxcAIyDXEErcM40KLdfhIHQhw8vSssbJGOvc
CbxCEVVB7HmXG4tAhUKwL7EURJ17udIFRoxQgxX5y6frUA+i7mIMQooyO0+a
FKAhscFuf9yulMsxSs9WuqQvAXJWavdOEsYbyw2KPHjLXYbvDV2IcjlEV4C4
Tbm24UvyNDB3BkrDQEtOLKU9U/a0WpqSKvmtaMDiPR+PWXjiGN3VYin+QQOm
JKYuDeHD7BvWc8ZZJrMUU2rwjIB6veai9lKKkMmm6VRz81hVVmL+HdWe+eBh
DWFCvSLRA+FftLw4JkYBcbFvUrA4pH68FXxWBxlWfB5FZk9qLg6bp4J1JkVy
paxYBwuqT8C9iW3Xay7p9mpI55LCCRJ3OwsKUYfj4nJmJ5QihRhXEUic2bDg
YApdKlCBNWJl0IHc+gvHMXJ6rkfq3qIl98CSW9Oqep1nW2jLyDh2J3BwUY3d
TrFvJ8W+G9L6se+wXo2mxC8oFPlcvPIsggHTRDX/UXVGoIyCv+Hzp3GSvz56
OWbCtdiQkaJqnp8O/IYvcRljjBCz/rNmYOjhoGMxqDNwN+wkF7Vb89WUaLfi
wkJATrCekfU1qBV02M2WM6uMJU9RND6qHj2oOd1bRyKfqqkh4h7yZmPlhcR0
b0kdJ6n0eZHPLmDRq60YpycovOwr4ka4gWoqOJzsdbP+RsZMUX/ApGg75xOP
Y9SbJg5jwxC3mJc5cy5FJaitSc15oSbTS7YshWeXmAYQ4FZeYB/FBbo3F5iu
saWGy6ComsK00iyEgDlJqXGUXCQPD403Ws2wphW1WY6pTWeG7CnL6Fp+Fa/y
yzXHhIw7K4a5whLe2hCmaLYMgoDDXCStLzdSnon8rqiuQDfCO8FLRsh3JePf
kw4h0qLgM67m4zOxFJ6yJ3eRpVxkBxh5RXzcIp4lv8IfS0652WAdlUJ9GYlt
oakUXfs3ldkduUpwEKuVSLVqZvYngUUP71eBR6fVgRV9Q5DU1apGVSYqsI3J
08jhQ5CZMOQgSNJnJYzlcq58jWH1ZNnSS0LalCCcqS/qTQCzQaA/slX25eCr
GIlZ0ijJ6FAJimZSLRXPle+X7iyV92hNdDYVYFIF5tsgAYm5FjsJ+FswFbtZ
GR6d5T0EucC1wgujlkrMLUVElleNRqkkbxCjZiGJSDpzwu0hjSWn+r1Sel4E
an4FXw5MmKDIAnlWDIveYq6s2DD9ThVkRcT37Lw2EuZlXYRViePS1SMOjdEw
M4p0p0iE5BROPN/2WVCkOC4hzZELpG/waW7UP9HIPcpxGBJJgduN3mrHd2mn
SDHuycvrCu6iXKLl9+/v70v84tOfH/N33+x/S+VyKLuDjikztmBlQ46iM1ew
dtqKEHDJceQuQ7rLRvdLyusCbKg4r7eAAzK7yQrD7+kLDeJw7Nr7GOd8Y8NR
RIauYiKriGWyXXjB+Ntnf7K/w03LInmsIs44D5bKWV6AtMsCVSqAeDL+AZLm
yB3Nv6Z3CXKFonEyrS4Q3zUUH5hL1Xd2ZmtIViTmTAWwRo/2PZmHiNvCJzUg
wQ/ACkRQsGLAOnmWFhv9Uo+xFPAhH0d/JKYTm7xXrjneuslMAQ19WaROa/QR
+zXCviadws2xaUNh864pVBGno/eElDB1bNlkgdkX5B3SFzaSFG0RZZavw50z
7DJeZ4qjjrbfE5PzcErB+9Yz3Z6xsIzBnC541of/EToM3XgDh3cSoLQL2+OY
IqSnkQDQ+3AsE8nKlC5VW4Y/U7STrMMIlTREwKCKDwNTJ1tIztnUqzbHGCyO
pLApGX1MyC6HkX83KSfChmKuJEiNwlWyslcdCcj5smVm/sAdJUitxmpukvij
P44ZMCElHkgsLRbHFfBBqIcMD754AgEs8qjG+kiETcF6ZH6F2eXzakr7K7sg
k9HXHlIdUN4aWyUGdZRqLhF4NU/7NmhQ+bC8LW8xRugnvMUPRn0xVXUf+cHd
ik/6HXfYO0i3vqSfr5UhftI4Nrz02yuJ4TT++XtcprazfVHZncf6JTG+Pjs4
DZO2s+RvcmX9bQvelC3UMj0DKnB8mUUXT1d9+4uKP+ofGihqOwoPYMcmqtS2
zrq1edzwVUvYCVJFSOFwRBn52CnUa7dTsjclDFQt9PcGZgvHXurwym+kis00
x56Sz8PU9J2JQdGRxCEJrQMiR7QU7FJCUKCML243JON4Yw++ygqpQVGEKml3
bwzsbLMAouVLOMZkoBwxGu+Hm2AbT1xuL6xOIrgwpGbQiNGmcy03ja8Zos/p
iPAhMyf2eyUUnDKjfNraEofjdXHRusDK9NblPJJagiHmhq+TtSFyFdUVCina
CfitSW3Mo+XMdh1uMZaN2LmqmiarSR2DxaCxl37BZ8dyUtPSrZGHXJvXd6gt
hvcNt8sNLgEHoK9LeAAjorZkYy5wrFv+Fm4qlvZYAIRpWM2fIEo6lg4F25Ax
3yxF3yODuv52y1o1YnrMghJKwxvD5mN2yEYArKgjBXHRobyioqqwEwlIlTOK
76kgqjZtcY9d5WgQ8QKgeXT51S/JcpJSkqd/CHvLFpcZSuEu2jrR7sQ02EQh
OyRwBjFS+NsUbQqE3BodWOmSMkKrhc8EasiM8gKBBC0kmdvnex/lh+l1tqD1
0M2zAdDeFaiUgibsrfwqx1JXHgrBS99Wl1zACbBW8WxZgVTYeNRbEmzxz4Vk
XuCg/N6xqhPsYyclksYubyEwHF6MHgA1gPPyWU2ihEtwkoKyVU0mOmwT1BSj
bm/Ypmq5RnDj5JK3qxa4tgoPVBBpTYcr52Q1jutKlbo8LrUSI5nrBIRsz6MR
kui4geRTxVfUwcJ5dKJT4Iiltf2d3oGQK5icHQRjROGnHLWvYH6tUFqj0BTY
GNqqAr0dRP4rBE9oEsGvIo9OAITC9MO0Imgx09bf9WznkdxbPGmUUZNSFoQj
zAyGN6jXcoY1CrkzpqfEwSPoTzzranY1riwep7oS/iyEz84gnxwocjcBb5V4
OVH0AfWL4XyFAEFoagPqfyd+Emp9DtabODY5SeDiWCybmHfTZSt4ZbZYFIOH
Z8iDHyJGBnsnpllNkd6UYvqG/bXYuhrwdeIaMc/2N09sJlqiPT3jCEUUQyKc
To5jtIwdDyAiE7NH2HYneESly8o3eV2VtN7MBsRO54MOKIhPKz6NEj4c9Kx7
evpYM1gPD+8DiZlHSGO3PPzwZc6YD+y/VavfG0JZCQYqkb/kJEW9xyC1Nq6L
mEUUht1ikZ3dEqH6ZUs0SiTsmGObvQ8qHoyTaGIZxazasDGkBTcq+2I2HiZO
VfWII/yIMKQAkY+F6WQhcgmE5OXZz+JCQvrXXpQTh9cUwaKSThj5o00mgpYw
24vpi1mFFoXaHb86PzeLsdQ1hP/andyXX9h+yVYbCgHozZviEJis1FXrDb1C
QMzynXgkFFwA2ruqGENP7LxXKGFTrQfDJggKpHPck7j3lR9P3IlulGy6BlyF
+AKULZKrjbKt0EzgebusJEdWIKQKnfuhJoi5S9yGvMyeccQICuxwsWQShB+p
gMIZhBIXplIJTCUeUSDwcPRdb/Wrug/cTiaH09DbxKBLZrEapl8KeUMvbYiT
H+ZWeUMYyZOWMiDHi7NYA45EBi6L7BMZGJ+X4nI+m1krmcpGyiI1HWuUFEm1
QGUVxvKWASQVyLyLZ6/vbfSrSVpbcJ94Kyemb6biqgu8FFRYAeRwgj3uHg4u
nb7RIXnYdUiGnkG3yTNIM1iVCoxxIYfGXIOlnVYnURcigPRldWYCmIwW4pd2
qss60at94kO0F2kj+XphzxtU6R295XSimqZADPUm1ZXmo9EtaCsxkJymV83n
IkFt+aGST9ObHUjc+XbvEMWdVUn+jtZgLsoISAAY4TwvvOURRV+MmGD78xIJ
qiU0MpEtZeFYiAxH/JSwyy0cG5mxIEh1okyei/b8hLyfYdkb2wP/sA8tsUgI
j+rpfK2LKLCD6nRQzU0ss9F6I7WvfaTtqpVe8fHQEcppBaobUsQkhRC62yNV
zAYSRqwE5sYMVJGgli1TwsU1ksr23s7IfuCVlh/2gx9A2jEfNqi7oN5tHwY/
A2O/qOYXWOJlfYEz2L4f/SpguxfeLrr9IHhA7sCLiKi2vwVB3H/ufZX8kt0k
X92LxhS/sbcbvTL41tQ79rb3wrkHP2hc7vbewYYHWLze3gunOZdyJdv7u8G3
CLXMIVvb++GShfaC7f374U/wz/s7UkLYyAYLgj10w7WJo4eSRXN1gcFBD2UB
Am0Lfw7WAqsX7x+Kie5hd+EY5zg3T3D3zb0jm0ST/fNh8CbS+1ij08TO2O9W
iRUoZ95gAPBnvRwM/uMvs7842dYl2gkWkbYYHcDh6Tj2vwUM+GH/pfDkBC8F
wTIDL/WODb/5uJy9mD/GLzF2YvC9/oE6ThQ0P5uZ7boZeHmAzrHbwOEtF8ft
7waTDN/9SId8bo47L7FrauBVPVJhZ/DRwkADb/QZFb0LTOCMvz2nLwfe9Ac1
6u3nbP0rfTvwyiDfOk5k/fxF+nTTSDsvykiHX/wASvxsraXFoytFaotHFRLw
QjP3f2S5NXhzgwLTQjtOfWpNuy4Gr0IVtoLW8fCPXOcwxwGUF+oz4Jom3cre
OV7yIgh7XF0qzi3iDyofErJKSr5aaNUy6CdoGEJ1YL7ninCEu2ooInjhpgTT
6sFepfw12oWCySXfg0pGDhyv+oeeAbM4jEILPb1pxt6wYhxoMCigDEdq//Li
nEsThcu7ubhQoN2zSeJOxYXYK5UGk/HJga0lleBbg5MieyQ8xKIqVgoKpjkZ
hGbaiDmt+ByRNEXYCbjaCkd8znE9DOdg6Zk88wjse9ItNUiDlszL48SflP1R
l5ZJumbPBiw7YY7kJR9ZqmNWZ/5CFSm9zizGsip3MGGH5clVPRe0lPAl79ne
d/AN+jsa0JqLtM4xO1bDcJZV0477WD7ekuJPeyCW5p3K9eHEQq/NyNtog9rp
ZJPs7gLbxy23qFiz4rJhfPI07Eixdrc8uCl4VtElk20rWoBYEhynuoNWddje
CxH+aVoSiKVxKxqXlYfVG4PdnDih+v7YI6cIxec0A5QvJp/eQEZJb2idk6/2
o+C8WS240F7Yq0hRSKhd2esi4jlmb7DU/1tbJYOPZhMPNjycEZdAS6ssmgny
JTTVKaYMRusl2xbXLbWoGD3oHpZou8lnLaWmz7IxXBk7cRi6qoQDcf5mg0LU
hmyaBnnWQvcuiica+fMwX9Woii6q8O0gUCiKkLFIIb0cqUqUOful0d3JUCBK
l6aNs2tY5kB3aKl9i5Dzw+H0mth54martBgzCq/dk/e6gc7UpdlXRx0bFBvC
EdlLeI01ZHHEqD2HJgfRnOV2JfV5KIRZIxnT3oDY69X4+lT6e/g6N8wlMilI
RxF2VZEVvUOzRf7MteJZKKqWKQZTvsICgIvfDvZ/F3UJ33kgtXbOMPbzN/gJ
fwB94TSKquX8JFYSQLkHxWFY3+p0r3EVUrke5IV3CWh0o/37B8mHh8k93p03
yO+1BR5kUtP/eBlPptALGv8OCwbt/7DpQTZ84UP7f38w3vshVuXoI4OwBoLl
kOysC64M8t0+trJ3NL6tuwVGadHYFhlIZ7Pmuz3r214yLSQIh/rugbSuD36I
9SqSY+PlPHZ0X1tqq3zdKFSF+INZ17tJgwJC8qRLkuB6JiZssEICFm24QrKD
CnbGxhcupJUEtskJTA7x6ImhXhu1cj0Ztv6xxV+sbIh7h0Cb0Ih3rllnfnCj
EOd9Sx/A2MACzit0hvjY0AgbjgI3CbvDyMJmYF+B63vAkgutdGYrKap0zaC1
XpJXJ0lPr5AIyMSQcTnyWNtbWgqaee62bCl1W5stlwRmQwzjjSKoOtEoOwGQ
Yue48c53gpXe4QGEU3jwYRRYXHEoAVVYhbogjJR86L3BgsrdUuB/8PBuWHx7
n/ImkmT37Tybz+kX+nOWbJNftJX9otJQ2uoOd8diBT0+1VAjJLfK1wwM8naY
Z+CpOJMMDSp0rPvDWR/eCzIDwrzCa5akNri+irBCV7IhX0fBJ8hPZjOESfHf
7HFnIGQOOVEkDIZ59Agc3SLlu6Okg4PcY3Y4tT8Hh1wLXHBEPadC6t5T+LCd
0hToTDyA5P6jMKctNwcxh2ARfTVD8pAuMspooPOA2TQkjM/Ye7398uxnKioV
9IToW0r7vqk7ZeioBMUwvyD/MfF2wrSoKJLUcXjRGnZf3kZUTn33Q/LcnUPy
olsEV//ECzXkbIrD57XkTD+WUPUl7mDCbqVHQxd9IGmrf0WhEoNCssrWY/f0
bRlcH/E0ueiq23CGHrKHjZ/xOcnjFz9//1ct4iH5zZsvxA1twzuByW7TM++O
L+vkA8lggQExlsFsWcMnQtRcdWikUeqsG3i8zzSGOKwjBFVirszZRoZQ7hML
98XvMuByidCo8Ty/Uuj9dd9j9+7dpppaH0bka9diUdc9t4pukSJKDVd9Mmjn
oVRi4ORhStZlfnUVAgKSU3wzDLgHhtIpSAi/r97byWYNEXyH9FIGxXI9JIQR
m7DgC63UQQlOgQUHZ2+pAVGBg1XD9cEI1u5lz3PEsYNh7tugPqaxGoTwOMt5
eqFGKnkNPm3uF/J3cVVcxZHEfA++CvlvrzBJ/JDl3ShcdSnxwA20F5lCbRcJ
vsbXrKej0Nflu5XGB9uC3gn5F61MwQkrsLhmGOvRsYHCzX8dpvqTP8WJt4+3
xoRafbUxOadnPN3mg0mVDBXRWJ/ZGSpRlhOQlSfrmCm4tvu8qHO2Fn72J4gG
EVStC+wXKZxbA/EjIxktR2cpvt8dsgd/r/cEre6QKUkA7xUxwuq4KcIjloYw
mwenuXdOPMLp2al3avoZsDyFcQ+3DIUKN2vwuqKBUJlZK5rRf7tje/FBExoK
lIPOK3UcgJ9crlBV5qRHwa3MKSycYz3gi3rgKLqKXvZlOuhOzcsxZywiH1KJ
KrDccNBo4CDA/Ni84eqAGnGcxF50o6htXz1lhsl/Bnqw07PxW2h3nS0qy5q6
uwuBSJX8/5IQQOYUuwSsxuMm86JSi4YECeBCGKdoey2MKYpPaaR8KQUgKH8c
ukQ4047x2m1qdHVoSdVOWR3Je+tUSMXsd4k+69MVe2gJ1qNb/svKu1I4HxmP
OBovMvBrYWR0qcwYcKSgZde6Mn0xy31UzNLpMYdlwNl1MEEX4h+mslKkyBvO
2MB6yq1uLMDnqAe+BCuw5wPUOfKkrqpFFLe+5ls+QHmgtuYFgtESN11ZHSBc
HqwTFejT5CeiFDpc15tqY1Uq4lXWvHKi4yjsRxwaVGnQ2W1tdUBJoIp9whtE
wQCJJOWQRA+noVHn06xvgrP3jmlQnb6CK08TighFxxAXSKfVa2soWWKSKMg8
2aAUx4mcNwTNDEvd6VR8FcZRouKZzsI3yXUuAYZNkDbB6qnvk+7rqmnWI8Ml
Y3w00OrfsJS3MMw6uEmyIHJSbM7xAJ3lHwiwYXIWBxHjwWWCMdwqWjBGfN9D
2RmtyTnBylUE16OxQ8qb9HYYeP8AxSWKnPehQEjIIMmFEI6+JMXgGFBCJl7M
AY5D/fiSKbgdUgOQY4EbxWgkcBlEAEgI7pVykQUmy6qfcLy1LdKUapypt0DH
w6q3j9NnL66MRKI2ccgo3RHSDTmK6CXBitSrT1ukdzijX+pMYxVJUN22zwim
ixII6WEp/sP7Txujt2VQw2DHDYaVPSGu0bhuBchQo0iuYDGWXnrxErHJGNwK
Yv3wnwkFP/oM8oEbIHLUYVQv5q1kUkCLwm1NOjX5xOIFjQ+w4o3vYTFH4HBj
GQssSpB7b+KAApb7/PzFJfmZDQMMpYg2b9GbodNy7j0LBe819/W9kAP80dMX
m+S9e0+JoV+P5dP/w3/waTI603+/1T/4m9DwED3XeaEfq3nb04EiPRoKvRkN
hNRE3436ITAjC22hrveGp/MZTXTG3g2HgUcxnTbYec2iZdIe0OdPgz3HFNlX
2SKtX3P9ny4N+VxW+IYbJHuPKBxLyUgIIKnGIMBcpWwSK5Fotvd2jpOe41bO
SS6xtBYKTIV9OuROXqUQ6INSiJLQrP9lI8WnpF3EjNLj01uySAOWF6ho8SXa
gYH3Y5WfAqsGmImL8Lu8//tHs582aIuAfrO3KflJu85+GHhRQNu1j+WQHqVo
LovxpSTqcHaHIGcJPw8QhQOAPvS3fHImuv9ITvonJYFv+vjj7DYkhn/S571w
XyDhTY9oRz982mj+ZbPa8PnOmJZ8+nznU2Y10LemFQyN5l82rT+wV9G0+qOl
z103687zCvHLPumFdwPM/cMn7XTcTP86+OrDZ+503NpXnzGaqAG+Ob76cGcS
ead3zeZXO9T+20mQAICC9Fe/0x5253OHTzj1oVl9YjPhRvh5RY/ckTb7k/39
v5+5hJ/f4P75/XNIbmDXOiyzP9VoOD9saKcD5UFFo0TyMMeBCCQsxT/BJzri
9zZdr6fMTRTxYweFEgob+WyGFS3312isvWAX4QVmBX7iJ1psaKR5jW9f6M1+
gTCQzR1Hgg3QSL6yJ4w078oQ78wOk6G1uDP70YbCqdyNLj+bLW84Ip/Ay6LP
ECf7pBcHPxETG+Q+n8B8wgUcPLJ3HMm/aD7Dn9s41Wcyqs9lU3fkUnCGb2NS
ryz0gLTwl2c/d3kV6iib2NXdpXETxkMMHzxbPq/kv5T1fMKnywQ/i5OGI9nu
7fQOPROwwbuM71/CBf8A57sb+9zA+T5TkkwifnPXczssz92t//Dz//PB8PP/
bD5I8UV1297GDNFU8b/jc4hoYGzwX8DsPvtz9x35rWv7+f3zz9qGkfxrWhFy
6X7ueGL+FSOJ78soAWTMaXkfI5qevU0eRNKxnLxRN11uJJFFvQQ8LVmeaq6N
W1I1Vko16PZ17OMHvAufsSfQwI6ZZI7bk2h3tuxJKBBZ09ltd54vMjZIzrol
AN590fKP407t7w9ciO2M0KGfMxgyPE0QamMBR/4Qpq5bdkUb9NbJ4RHkHh8O
E1aL6wFi6sjiPj9E+JUfo4GPX2bvk5evHr88efX0lz8NkF3Q0A/eho2v9R59
v+kfH3n09rG+737x0fb0qx8pfoOjQthM+69q/G/v7/3LpnS3NT17/Msj3Kjk
/Xfj3ucuPXWf/Hjv0ZxufV2CHoZ3ZdMn6p32bPB1jMoI/AJawjp8XX4dfF1+
u733TSP9xMFvfv0sCwM/uPzIp74ONPeZvX/6xg2+fneyiRyD8MpfTp6eM9H2
aXYj0XIjP3R7P6c1y94uKYpp8+Df94dyl7m/j754v2Hq/1Wvfx0N+n1nHh9b
Oj1+Es/ynr5KZyHlYdmp05+HDuz283R9mfExg0d24jEWmAf6ESLYfPzgO+0p
7D2ee/c7FESo22EWPngsPk16ip/aRCnxUzE5frdhK0CMe/rL07OfHj+69f3N
/Q+tzb33fxtcsmEiGj6VkYR7pjlLEW103nvliQb3LBIoB+WTCPf5FsErEqwU
3DmWh64pIH+FoOYNpgXij82xF1dGeh2OlMUw0K0uPiezUoifSTjUyGBSLXnH
b67hZ8I/9Ji/DB4ehUBJEqePOtUbae695wniO2KMtONAUnJ5L5LVkmXrcC22
qdaMupTDn+RdDsHZkXCSVhozaYAm5WcbfT04V4+/gD9yH9nMDc1C8pY7DVyn
QeZIkAjggEgaziJ79y6dvh4vmivMGpt7EAIBGaDkNgnSwng2ihawSJ2qdt2Y
38byhhBroECyXUvRrcDHL2U6g6jWxtEb9CSqD8MLwqilVCOye0O7zqrrdaar
fm7RiUSsGpOYvRUEvuh5KX2GQVldQUAuteONG5Z3S551NtrQa33TTRCkAErZ
7B8rxTiss3FaLxrJ5euPRvaQ/sHZSw2V8BatZlXTSAYXRNL3eoHd6axRHS2i
h2ONnZVKDhS3Ic+Rt0mlPKHP7RTxACiqQtNUBNJ9jHGCOExdoc3LSE9Ud1rG
VRlFk0goNzYkITQfWefeIg+tJjYXL2jya7Q68dJYMJj0vWHiU8xaLSh8uqOT
8ig56p0JYUFxZrCsylQJvFOiibHnm9TbB8JAHe48otSQFx/cRhadgGjZ6YhM
KAsSuyiJ4UTx8xLvxuiWERCgpfJ5+cHzg3A/j3X1bz16txFMfI4+6ejdThIB
jXZIQrJ0OMoIKx7Wkm0mmWNELcuWoVKgldmKTYgRyAalnnAoqUSoCiCv8KK1
ltjA1edDOeNYbEr+NBRlrvMpMdywN182QUYNb+QNF3gqqgbT/w43UIJkfjTV
gi4UKuQxv+2SPQayZIrPLagsDh3zzw7x/dsINtlw9ZWMyloFFYywGd1o3Mg+
xXQEkEnyUlgakT++vw1UxPGf8ktwF0omJC1Lh+wFG98GsEMR+lQRva01Ya7P
B3X0xEq0/FYn9S/mqRQoF0RyK4wlteOjhJW8tgMvGCN5rzmOVrGieisSl1Zk
wFF5NiJ+Ql/i9AcuXqjiFVJnWfVOVLeyJvFNxbRpb3KRFhQ1+fnZMwMYwUcJ
SHP3m28RpJQD3mVQJuIHYlaYG6vlvMIUFZbpqg7ufkSxAgUSKmuMgAMbNQlT
NjSu3qrXCiglV7Nawt9UwW9O5JMJ7hZWYnBa/yQEAaUIbSqZGJQ64IBkehMF
PkYtYqHP+S3H32EWFu/qE9YGobXkqtGgc0yXYhkXj3tvSBYMD89pBDoCj6eX
1ZtMsrKIuIipm0hKG9QZkA+05hDr3uhO/gpnJkvbiHt2ByT7g6eex2MIpMFb
tL1hilp/MClWqMRsn2nGqaQ+f6AONzQ2IxN3z2smGZXX88Uim2HaP0JqU3z9
dOWTRTsmaD0TX4hdvE7+TMIdK2CKNu6LndAjIBljew2XgpRo9k5OF99civE+
y5ZFtaZkqwBZ3RLQpF3J/qS7kX6fJM9hmTAZDOVAWUl+FhMpEJaDmVdNtwsM
F68gRrsgWHaqikzEwjG8KLi4BafgYRXtKQf7S+4htowQ3JLA0l3qqsIqhdPX
lBqC4HjcHewiDO81LOKvhKzby24jWvQrMFYkJOzgXsV1qWo883nJUDsUpHCp
iH6ddI2R67YvahOe/lSLRRbRksIU93Z3d5NFI+XUV1h5w6eDpS3nU8TEMULt
FCF8qwDq6mhXQJQbyn2FxXybL1YLAgeyStzAE4FNJkf73z5gjol/gSA+SQLn
pV8HgRymM0d5SEDBiLuOtItZujXlseDd5ecEtPGEcrN4G0GR+goRgLgd3HFr
fQPtwdlYEdIgjraobsbL6gax2hJOeBtfV0s8nddJM81KoPOKIIcVz51u36eo
BZYZnfHzazoR20+r8x1gB+1NVb9usDXkIzyWdTgNrIOAmTeoVf3Pp+NHkzxr
5+NVm47botk7GOdVO5Z14SQYHFhFKItdIiF+jnOxlDMYhC7qBBfmVZYWZJ8J
qryG49KV9gPrFaNwicjNArUyPnt1/lKKHNz/5ugQIQBSuzbV6VWhPHbIlCcA
DQ/tqprCMa9EvFTYnllGsChaqKLMxqBAJwVws3KKZXxJuQoh0pJ9ah0BTHSO
fsM5x4eIlyVbl3B66ZuMU6OsYRYLjLEZwjcL0oMndHse0N9IC9Yk3doPPj+I
0qPoMZOHPdSoyYaUfMiSw47zXODV+fmox1mCk783uW8Y/bBN6NjXJFaXDisX
OOfhBiWHi+6tVU1VcUJ2wvdsGqbdh9oaVZfqJlrgPGDdGU3FXWaxhjdCFiT4
SfkiCzJVrWyF3AtcyT6cLYq/VN141mWVopamBtQN/EeKBtDuc9oZSVSzIisz
lJeE2Tmirb3doJeBlejviFRuZTgWx4/KxipjDkEvY9mtD7TZr0PFYm1L0gdW
iWZJMwORaYqcwAV3IMyre7ApKYfTn/n0wC5LCQ7PGpwyRizKDgP4X78+PY2w
tQx9haE6ed/Y680Fb6D1rYDaqIRCe60lgnksW1YnZ2TiJLm83W3XOcEzpHBi
pplILc+wZLAGSpxhJre44Tu1+kpUDfKiHedl2LKUdqLMRUr45n8/dLoyaRFn
W+KiNc0qs13zNoeM5XtEAsI1njjDM6Fh58BpSAahy8NeAwmFsJc44TUscQy/
gJjj4urIZINF4bir+KX8u2oOnMFUtg4xAYlDScWiMAFVLqpgQTDR8TLDIIyE
MpuyqzVizKiKyPcNjDNM0lZlVzUJuqfIPBPlWsaG2TPLrtJoucASg0x1hplm
/8HnHQ73SjQzX/wkG6oH3RX4pBAjgUFdIPuOyyIgn/7m2324vh6GkNguAA9S
bv7gm2/xKTyA/M3R7tHRB0MyYy1RaywzWnkIsr2qiy0PM8TIBYbR48twqR3B
0Clgqr+WOZUefyU10ZNnWKu8AiV3+9dXz5odAx+OVMlwPlZTiVOng2xo6o42
TDme6lghYEcEYzAUCvNo5RUjXP6XGF00kD/aCZkZz/x7Gj6DAgzXSBZ9lkjM
6kjidK4qTdMdhrFt2K7ejSAiW7SFKZEJshOpRMaogUAl5+5PeE5BaRmpS7NC
b0Erk3DOpqpJyjLgtQIBiUlyRmXTMy7oxqpGkSuuKMociiENJwBLHgdvxI6x
HuDQZYYHicTVrg2nGzr0JFaNfL0ZrgqU9gO+uHRkP2vK1xtH4IXNg2WEaESC
IiEO0x3PlG0o0ESkm3nD1xx0Li5baEvakSzU/D0jDY5Kt0W2bUUMEWMO8mHn
6YmBvJHHk5UEpT8U0RW3lkpU2QKR+ExnR0fdozbP/JgD+0zYmzQnhZzcY8St
ZLib8lkbNq5MkmcgxjLuXOo2jmTz7vTH0l05p0MZJG9fGIsh/wiGkkvEYB71
RohdGt9tAYIUod+PD/T325xqfsvYDFwnAAmhMhoqSKwR7a/nDFSg8ccMrEbo
BJ9wppXD5+WbqsCD1ec3KC1QNT+r5QbUtIE38c1MfHVs/gC2muZ1gMPIB8fZ
wam0bCjBbZEZTq9FLD7EFEXmTPYIxeYLDzevZQVMJkYcV7QyY/XbesSZ3QwD
c9ueePkK+pS7WQxuVHVQ7rHOTnuHA9LSUnkfrV20QN6x0DKjcBHLhL08xe/Z
AzZj89oUC6VRtYiInXQYkIEezbNshgXSvV/J4+kU1RWIxKqSRXEIgowfwOwx
eRj+T4bKBd3l/EP0+kd57qedYtpbXxIskFyiBdYk+74FMp4TXk0k1hFklwC6
aIk1YMdEklIje6BUyQWVukWfDAJBAc/kaN6IYZqZWWWK/vycnxY/eSvxiEPP
hj4DPj0zdKusd7Vb0PA1wZxcGmUlWu+U9KENF9fgWvSBDokNCTpQDGP9DIHp
kpdA1PlbvPMY3fUbhdRVGAA1ooke/9PPj56MQfWCfsbcAupZLmWcOwL1zd9i
C1tkNkq22CwWIgOjd4MePvvp5NkztPhvzejhLQXnB5F0hQcC034E6QjHBmrA
DfJQk8rQ0m7FDUIoMTGTlFR3Ky+IvhBU/qHXnDReBjklY5/B+XidZUtmSqQL
FDJQEvFhpXE7BT6FqjTnbWZDY92L4oq2CAQJTybrLWplQ3l2C3+X/TghHCyV
zyK8K/ol4j/s3YjMGlRedcRuEcU6WrtqOl3VvhYqnwOyKQc1Az2y5SDMnQDX
3hBhEuZsWufFWhRNLNBGAxSx3ZD9uAwH/eaPvcB3zOdy3iTuL8R2pdrDVs63
CYtLtINYeTsD3hsZjFTDJW0vZcc8l4lDICJi1XbyL9NZzMHi6oQFKDWFCwoK
8vnjc0cmCZDjSLZFDwvWUqeuUZfs7KSEaNEOokyN4Eh+eg83mdFQHeLTj4aU
gA9Rm0lIuE1+hebArK5RC6vqsA7itKgaxro7KdfmtopQddl3da9b/WGZggBA
82VUOKIiLuxoLUjrQhEKnAfDwVKSvBLHrrUSD2EBHz3Gqq8u6b4RsYKnBjK2
+q2Awgx4nExM5N5KqR5qNGzFQlN9BZcMy7ud+Jo2Ys59LAUx0d3N4HSNC+CI
Wfgay31Bi0HwYVbxFu3uZJrCqCo27IEMwTw8tKRep0uYmwlMKB1egyx2D0N0
kn+uQNbJWh91hvU+1D0qYo+IgaSqNHnBZJxihQw0q5VR2UsR3bCOcc6FDrVq
uaHU0AgMkK+xkye2yDq7rCqsCEnMmDrFCaRmOZQVSbXwTgddmXbm+12q1+sQ
REft13b3AlPNszcECM/o2KUVJ41KLeF0pDJ8b8FoonkbiB2l9hzmuBKMppZs
Rugvo/rO0Kk4iYIpgp7a1hVn6ljZ1HBk5trVvbkm7XaBiFZct7lGJVj1Z4Pt
dFoAluSJgVKxl+uk84hEUPmrnetaEYgwo5nyk1zblmDhBpzdJ1adlgRT1/P4
RmVtutECSmsUbiPOgmg9EK0MgYLpeKya8LpG/Vsq5HZPoAsRNRnjT4OHwtUT
CZlcZoqoB7rWfLwEnnAPDjlK9gbYR7xFNrBDUBiYV2NA0eXawgxApkefQEAy
ja8A1ZqVlYt++YNZhRWRhIUFPZlpwF93OK7YSWhha0JDUvMaxanASSNr3+iF
LgfdlLQy9LALGpzrUDfFXWDojVT6DecBrxW+yKiWltXxoxVeIbJsJlVNWhp0
3jBMFoYv1ehMAKEXpUxsQbA4TdIaaexG97pjmD8Un06fPmqMlMhSen/cruBp
qbOdLi6B9QJJUO0Z4N8MhAX30k8xC9oc2a21adR8lwv3sZbSLjvDqDDDS0yp
qnxkxemInrqZYrEqJQwoAPVyKi3Cnpi2EBgGMA0BV3o/qmUtx5GMJcw2fVmo
yO4ub+8G9WF9/Te+NfcJDlHsCBI/bs9y2jjyItnMwOhD/izfxz6c1iCQ2hl2
OQfFaUg6KrVX7AuboSevUEcSVb7iIkNkyOVTh0eE3Db5FKvOJzdZIAGLS1Sp
ka/8RisBODgGCJ2KPo1kS0a5t8XMjfwZW495BUa2TlsgQrdTpKjPxDmzZAXH
+RF3fZnfcs7v3IZHELEgxm/YDrCRv9/d+UiG8L9/Nzw+7ff2t7fxIOx0vvwc
SARprjP0u70tH93hO7w9AIvwR0a+9zkjD+0jf6Dv/Z3bURQ2gwbo+b1T7z3U
rD8y9oPP3HGVW/5I34c7/rDt9Z8NDhty7d8+glXx0VU++IyZ/t9xrv5fdjJu
efajW3b4/92D4bz40fuE11C4Ub19H1iR7v4EA+7O/3O2TgZ9/7MWj475fge4
BESaMYW4SsqgSptkG1BEpuRpCLmqMBXP4DVMGkRDBMsbHMUq8igIX/j0uy8C
YGnnTlCmyZckfvgYUFXPgrh+qk5uFnT4W9rD2CoUwiOTpsKDky0ZlEl6ULXC
v6hFgPUB1ra8j9OFIb4aADyipqgOwDxn65oXHs1WrwoFVVISz5GV1KKgRR5b
q3MReW6ZrosqnXEGBgurHHc1XxXzvCgaFvPqqrDatqSKdGuCamUqjZVHUzKO
/00qprxsyYmA3vLdKSXHrgLybaEmc4Pw+BT5gU2lnBDI4X2rmqp8ULrKPOOg
3XlHW5tIuqX4kGw3rXabJgjB5MxjlEsCAzlEI+M9iu+U25f7gnpS6RC10Pyq
RGsENz0L15E67aZnaKSVN0RY2V/d6KkPuQ4IL9zeYzq2Xwm986Zt7+5oqTrW
pValVaUPkjjPNUWRD297XWfZ4KO65aOkTBeo7UaGnhBrm1tCyu3h5k4Gxrnn
x4maifXntd8VIcYTijzRkTJasjZIeA1DqQEzmMOCATObgqbYq3HCm4Fxb6/z
JUG9z3XapjuaK7Oi1ANfv2Bo7Pt/bOx/+42p/PcL03t7U7AYktAqL3RvYw+M
DRqwNwR4zi98Duo5JU/LpSHNsG+TDz0Fk3EcBi96UNmWc8A2+7+5tWDFtIQU
BwUuazakBtkWskTEWCgGRTRULTpvtelsTANbdxBvnTC/T966MIpTt/Fvv18E
w+zs5MWuVEdHjiYj5fb6y+J3cdO6qdmYW9gUKrLTnzi8eoh7tv/3o8MxHD2F
Gv+ERcB5e5L7tEn/kmz/8sMu1jD8tRFHKQW3kkUl5o5chZ2DBhI0yHDO/Ufu
MTWZkEW6hO2u8R7V2y0NIhs6li+ptcOgE5pNFDtleGAOV4av1LLqeM7DsWlM
V+AzZ9u3kxJGuVSE1K6oyTmZZLDYNY2YY+o824quD6lVe1NjvTXvK+lk8JHn
0OEtR2EH8HDgs9FQZbG3x1634Mp0WnXKDto0LTAopJVo5CiazHuwD+KbHNoR
xCqU6LSMh0Hli7UqmiSGGnqjYFyv4w/j4X+GkahnIeqagcTxcbvqEEjvn/P5
JCtRVzzv3b6f1XcwP2/xuQWxOZjppy3Nxs8nGZiGdZLPV+H5c/eRD0J+/pG+
9+++aiG2+n9f331E9//ueSd3x4be3Lc3z0XLGT/fJ3J8dXAlwt+DQf6h2X6i
EfGjwKV/ZK0O/FodbESXx09/rT7XzPJJNr2PlTP4o5Pe/PoZpnKQClpQStpk
Muk/vD0cDe9hpv/Q0txuO+suTQ819V9ED4cu2QB0ip9BeviDqxqMRk08f2wh
b7dl/ZfS2KFfyPt3PFjwas+MxsLVrXY0Dsih5576pEY2opF9Ton03Rfqb2T5
MHCsmjLFaKugGiyrnM02ZmdRlCalfckucRKJ4mPSQJb3/lVTtzzmwIR65vAA
N1QNFgNK0O/IcUupr7BMQXk4rPUyGzFUxLSaoREOB7t/JDoaOcEbDYgn6NiM
4hlmM05CihPxwkKKXnaniH5UCpqW8xycItBYIFBY/BaVg97aTIJEGF3ToPBo
I2B8lqjjY2PEfsaKFMVHtYqWQ2bDqwojlILK4AeY7iWebn0r12J/nS1y8RYF
oTKhZMgBYgUrkmEvYmqhXtzmXpJuL2FpdFDK+gIu9xZNClPxeU3IDJEjzFe4
YtZZrlrfbj+UDokCC0rS8nAZS1g7MdpGKZB+lywZjLU2toaSzQ+7DwmR5rmg
TD1GmVBNcQ6kIZGFGELIYUTB4fKbm3xsc1nnk/SQcPuixfBrMEnO0ARBNIw2
gmAbptOK674JLFWJHKPgdlYFIcPFWQS6rHYgwoCLZZHmFCjresRvxh0zUHht
cQ8NphkXcfC6KNqkbgIUZK42nLwL8Syh5V84xpK7uZA4hu92J5P9v+8djfd+
eEjPf8ABP6S2XPzosTsGKtYii96E3mgxRlydwVqzYfawM0RMyXbGyenW9s6B
hLH5fTB4FLbIYQbnaoHZuxRrkZeYVNWwlZD8BwMp3sZHwg3pT6Vf1rLh9PUB
+D0OcspKNzjQSfICZ8FZS7MsnRXV9DWRBMadg35/EoYEbU4iMsZH0SxD47Ml
XVsRUw39abW4MI61ve5WB/fl/x6RlbVrYKVeKW5oiiF0UT445lVjuioFtwkk
nQTg+sDSbtlbSS3GQCQMfH49Rg+JpWDvdI9TGI0cA9gMFV6UUJ44yolS33xO
msdSi7G5thsM9j7R884JOgT2aW/IfcHR6rievCaUw0NZuZ3rIEQ3cgMpu6Nw
l3pvy70RvkeVsUsrntw6K9LaJXZmPHRRYTQWbQtGfBZZqtucM/gtHewYeFBz
f3yic4A7BqTypJ8/5o25RDEevICkAIol43Q/AlsZvFe7HDHZXlZ4a3B6eLO6
/Ae58CrOIp9lRbpmJFAET+Gd8Om8GKus1bPPOfyLjNDNEPPqnCM8LXKMMn+Q
0hC8YrlOzDir07ntDFmvetlagVBvf5Vcu8bB9Y4wNnTrY4nSMBg9MqfinrKk
FiX7eaGMVmqaStFxDm6dcQpHUJ1Ya6w2y7QkDmiZWBope1ssqYVFE5fAH0J7
FO5PRMElmp2ba/YP4sq0iAYbplxL7XQUlKmA6Qx33F/W+1w5tY2mBG0JChA9
5CKgFKQ7XdJ9PlowUUmWJN4qG7FWgBWGtOqfKiFrihlcJ3pwaY9AHlO+qJ5U
akQFI4pu98zvMnoVRPA0LzCimiun+ttewQw/ejf0pZo9t+39eTuGYKtdDo42
Mb/hXhK+3cdeogHgCqi8sx34UXcsnz8Y2URkus7p2Njw4Pq4aLgTjnzQPGpk
Pc5xWd6yh2tMSTMoaMLZrleyvHaqAsgy20iLYwhADXupSKVQcSrXAUPJdq8b
A97Uo3ur8A/0Pk9BhunSHwkdzP6AP9VZgIXEzUoReJRVkZIRAId99DAzP23O
9867SEcmW69teoxjLE7KmyqZ5vV0tZAkdSqu/BfNBwvcS3pPB2KT51iMjsRS
GopymrHgQ5UlEn6jsEIyFj+OomD/hWWeTX1ohGyml3TCQcdweYrtkRqWCIGG
sb/Vx767xCbL1NN0EEEQxZIyYzkyvaMEw+uqBsOx3HrqG6b44WsU3yjEBXUo
BHLODDGG+AFa+RFoJxVEHrxY9+4dRrPt4RizI1igY1sDLdRY+zIcfd4hzJZR
oQko03EQk6QBph3QZsnDoqAaHBL3qmmSSLno5YQ20voyhxGiB/1P+RtrK0Z9
Uxwn0yVQiHShD5kq2RtTRbSdhDNat0V/ElwuAmzGfZNlECgGFJJwZd/mizRK
deDxUijTdSbqCyGjAD9oMBKHIlfwGziDUc5oB8pInkTGME6vrghZhXH/WVnB
/ro/Kp48pyLEDaI58KQRGwSIcg1iBJGeDz8gXtGXDcVS2cvEkxAJFaEe2usF
RlpuqwvzaIJKPDkxEdfl293d/Q8f0JZI2DiEwFURuBnIWnQuiNXs3TvwmuAQ
yKjBB6lkoVIPTJtiHgRVjzWTQGx3MVLOU8sDInFJge1kq9oovUK7ihuMJCMn
CQ4dgMpAttXL2pNUmPHCnYV4xoy28lNHD2nEeGdC24Zy7nzZgO6NSNOh31eA
w1nd+LIXF9EPaUF7SSB2o1ygMqYYEho/OF5+J5xLnftawJ0lo8vMroBZuAZw
hyMYMU1vcHMnDL5P4SjNAGSjYXYAw6A98lAg7JQXy5rpCDKuEJI1lwRFuuxW
rEsi0O/l5p3XRPfBScOkqFY9qqvqivdpI7xSOBvcsWFwEEbWQi8/RkK4GG2R
UxJlOVU96DnP7HJD4KuWIDkqSgSvaVwc7BeSU186wLUNbRuxqSaM5MBQErxN
IlZVzR196asKiZzbbXNR8cXBmh3jaOiR34TRSbgcGA5UrsPrVnKdWF+d54iK
LPZmLziSvE97EWX90CiMXgJ8Qsc8fNUISojks12nAirVLFcMsxZz1oeo11Dy
PsJ+FTnwNExQ3DCfefqGdCJNkNR15kQnMw7dDsfyl+u8EHluU+iT1YkTwIl7
Cv+gBeME3cwC+TQZirLoafuE3XXwN1KPSjOIFR/+ThmUinix0nfoctjifyoe
Rjbb8kMZ5uts+RM8G9+HBxHxFhGUOD1qla0JG49pjad11QgwqVkniKGYfhTy
Qd0kvMnKdWSVdgHL9ttQ1dF7EmpsLNICmWhPWbsxB4bZB9QpMNI0PPWQoJYz
XxUBCrlj0YoN6bKKYqdI5OQEuWhitRYNRF+I1tq/9BB7JxVdPVSBLV3cJyii
0dgw2deJomz46fO0acmOHMkjSUxVtAaBbSF1Pb+FmCZoVZoIYyOESiGo3Sjs
1ll6OhNAKIL7EL6ByBRdNsO9tuRwCpGOzV6B8WKS/BgQo2LLmenAcZxk3zum
UWSN7jh7RCxML6we4Jp0nvV4bKqC+cR02yi/k6x7lAUt8EdOL1CTGQbgrkF2
mySPtZH+GXGyIJtJmBEPXtmC3apwh/nyhK7vtWfZEKU/Fxra+/VuQkeiHkWy
ezmWJ2+yOosVlkoQwhcKTgvC26pdwXL3Ump9UREBOg/0+SJLBTuAc8it+kCs
3Zu2KB7UHsPHckzd1fGAswGieae0iht0QPQCvQ3XqXtXgaYIrU9fxzhNjYIs
5KX8oAYarhk0DLHpp8hIlZGoPlhLiMiLC64M1VthDLPUm5UH/TXsItQwUpc2
GxcZr290JdLcJLKSCJ2xeJzm82+6/0mIizAkTBt2pEIxyKja9S14l9PUpxKg
WyB0TzAs2jHXv0T61ZtEfD4hJo50jMj+o67CEtwCXp5zdF9zGr0MWoVylCTL
hJEv9D7ujs87G0GihTMiTRiMl9patbsJY5fASDLeMAbuD32GelxZiiNnxTRA
zmAXPdo6OuZtMUKWgZNQK+1EmBFuiNY2xfeanX0L7rbsKi0uDJJki+FkmK89
ytBWlrzScjIkSsTgSIqC3rOFaaII2cRelGR16xrdqIIfnEZE76wrUvcJVRXe
OA8CR2IdyOupQfU/PpJhpLCoymzUIdWL+YkHEu2Er1RLnqX5oHzEBClXAWOS
o0QqUFz6RttFfGqXsnZM+JIcmfCGJCg2I3cR9lMcAki9fG5I2ovMHjfXVWGk
2D+p5ouRpKRGs5ImbNyzOyz30PUBPLpTwIVm7THrLQ/Bg+ITpNa4psChOp3l
lT2Nz90goEXaOHuecfN9g8EW0I3LhjVG+afb9Ly/R/4mJwmIVp0SKcoZQt+u
7QFMF0GxbFUSlRPINJsU1Jvaddx0ySBEfRDxBpbpCYEOJXsHLnKiKjUGlmrp
UgPhku3Ap4ZtbgIGlfJpzLDFeOtL0qmXFakQG8zLVRchXPEve6kgiGI3x0wV
lKk4PAhz27RWQ4eOptWqFN5GMMnIBlDhSFjjANHmRACcLK7E01XnthLUx75C
A5dwnHtndi9Lv2NnrAq/lHJHVj4uBYDHbdDpj7+WlQf39qiHNgqzznQsayed
G8ozN4TxrihQjODAOwITn3+r66RHl830wz4zHIAzT5XdgpoQiugxlHDjg7n8
GlJITFHg3Q0XbOSqHS5eJs7eeTrFaCVaAHYIYr8lB8jguLffvQu/Kak4I/XG
sXBY8oRsFewBJRZIDM2tcH3hzBB0oBI6sU2Ulr0Lpz8RcqhnszCiobUlUHfW
yRAF6b3GloyOqaBBEWmhmSTcDKuiSlC+xeChj4SbOJw8DmyTYSIXk73uOjpN
aBmALRcyVsyfXRWhEEPTpscC6U4DwCw7lJuga0IV461VqW6gCxmD3N2jAUS9
MB3WhGUqgTMgp+K+ESf06yQRlX1sWRY+PLkr90I7DxOIWK3VAIpxCwwb100L
DOwZHi6JxsEnIVZLuerVI/YmaLL0PRIrfb70JuZECEkbs7+qAnV/k8vKyAWK
cRTbvH0GjdWwbIp3MMVU+KEyGpQFm+2QHXutug4arED7DJPF2+uq8aGxwhQs
E0xqb3ZPasL1R7zBT7y7SAG6Xpo4TA3tMObayV9R6hFELYzu4HoPKHNUcwkd
DiJRV5myt07SuqiIpqhSAcqAeCgkg8CcTFq6/L+6u7b1to0kfY+nwHovhkpI
WqIkW7bjiRlZiTWxE6+lJDuTncggCYkYk4ACEFLowwPsO83dvNjWsbsaAOVD
dnf2W80hkYA+oru6uqr+v9Z6/3DhNWxykYPMl6YbZQDMboDuNSQKtWxJsOZy
lkAbA7HPNUrZRSWHOAwev8F5vYg8mRZ7P3VotcIYnZj2GDf4TdpC8tY5qn4G
yuYA3pmlLWDLj28Xp9HoErWcWdggnQmt2TGaC7qPfcwMKKQSeqthh0J0dx4A
7n43pk5iK28PPvxH0lV3Zj7f+PN2UyHvbNpYKP6Pj+jdbSTi+FhAy/8FTMo/
6RN0IDQ6Cv0vfAIo4vYFTGnv87hpit9YPt59D5/T//w3/DS8SvwhUK5NQLBw
7jpG5HAl7Tr9FH7cxGmn7Zf6hJ9G1z8CbbT3T/3STYiOPzM6MTr+6oVwnJ+Y
PHVndDCYZCvmPyC9c3x0MoC/9pkiBQ8OxPdLwipieSW7El6DJ4k/tl9RjBLe
tlHPIAuKJNXo0hbZ4ywaIxdFwl251B//yCk1qiDjx8IHTnH0gpLjKF8hn5Bw
GsK5XF5knKkqBV2L6AdVX9+YTIKZUrydjLKrE9Hs6Je9g8GOqOHd9Rh7vHGq
kcr1oa49D6V31wRUUIrr3N4xxKzLUdIuqMv3laMRyMFakZNJ1EPN5cM4FBpm
h3fxfJFcKH8jqdkY31I6r7BlcIX5VYWYaGaQWDVq3dMbfs92k6AzHFHPVRdi
7ZcGoPq/C3d391pcMrU6LlEZyapl5TLqKmfHrJjW2FfHmxs4kyS/Dd9gRaFB
Vbhe0lc0ZFZKdeCi7MR/zeQXCPNgtEHMGbB4EatVxHVe2LidlZZTZkEX0FSL
1Xy+Eyxrpe5puR3gUoqf0F2e4V4AfcBdLP1EXXw6Lwqe8zTnTBquYZ5b2Bza
9/BOtdHZME8xqUVRMsyKaqFwZbHv9BvXREOjS6YfnzUhPn7sjUDHQbwz+ynJ
RMVufsEfyZ3/lpcmZ9nMJr6ifKD3dvYodZZEPWKAR0Q+YZdEG7lpYyVp0lDp
eZCEmKOdIxJhGzJFGFhQCp/VgIKm2ezMRfT0trf69JfqMinT3g781hvt728J
JMjW/ANW+4APk+Iygd0RPGZA0QHhibrRSEE3oc02Bqn51g9yCaGGuUeN4Qpg
CWtDmNKxcW2zHIM1xFy/DVe3mVgyR/CUwqxRa2FdmpFc70FUoU+mweZlEyeG
90H07OKUcvr0Wq3uKlqDj3BLKNnxru1i0riZSP04rUbOJTE8+zW9C+9Yjarc
VHTLfV1tRpaepUKHunTl4c6U9oZwcE9KOImPHBbT5N3UW+hAzrYZz0tmWfXJ
1EnuWX2p7eZzLkiyThCCg7rrvptE6l4TjqWgYDlKrUyhZBzioqAnstjR+YqF
h6bj7tSiPRviRDYlWzH4pg44mQRc82TOsplE34gw6JIFPv9e5Eh2miLEGAfV
4U9fJcgn1ehwt83VowO60rpda0hv2JQVgO1qNX8ChzF4M52Y43FR1Au1Ob/f
G9dh0ovUHbcBecFAHF2rOIjUpthBAzVbLZPV3OoWcpr77evi+y7rEr1QeEpg
IbEbSN5GjPDLLiVb2waYZQ3r6wCPzjOUQiqnOuZcZJW+iTIG3T9y6KqgAkUG
ES3Djl0nHljcBF3pqSY+4UgSNdc0k+LRsjYSwYKgtF/cDbSJFjidHso3ROLW
blD2jfmyeK1ZcaNfw8Ub1bmwLmKSEg67RF+1hChFHguuRE+t70muODwQZ1fo
60J9ykCHESEmvFQuj5vzbWucZUUKKodgT9Y2TJSiPzYnZTKTeE7WT5IswXz2
TS6FvJApprQ6QzupINGkmzRd2hteIhG52m5IFYeePNl03gzqePbZlpfEt1ZF
cYa+DeqdVa17nFpFFuT+aMs5x7sEKUfxsvhz+9+mrVsxHLUpGJPokGTL+U0h
Q43aaAXReUiHSVDhzN9KQDEvV58kbtD9H2p/ejF986++rkE2G4iBE07Fr1JS
frvNnpotnG4fOvUMcMPxE0oLdXuXNs8FhZ7edHD0I6fhq1e7CRu1tAEOlRll
wd3DqKL/TJYxSy3WC4b8cP9DGcY+zhzz38MSho5uzKeyFQzhhk52De5zScry
KfakT2P8avRiZ/t/mbTb9+P9H7j759NJu39P27+Xdfv3tO1+PpF1u9l2AENv
/Nj1quujPXb/zHXJ/+mGHtzEzxUTqOz3Dq1pujTvPJSfP35gX/V9371G3b+z
r4FVVA+PLpMoHh8hdREeg2gehQOUNQlLgiLhcQbV6jIrlenfOPp4HTmo8Mqe
uImJNcd6ySTSGnj8XLz04XxTtrcgVA4uZGXGFEk+cJdziDqqkwoqEMyH+oCJ
/cPxMXMsmOJexCfdzJTHaCmXkTbxqVMJOYLRKqjtIt0x9lKcurZDPNQTscSi
JsDIG/aeR+4BpSXk4eGVs6ZIj8syWwreIg/ZQE/JJYtP1443PFk4i69H+LDy
k2RCKaVcGaT8YhBhmqMLl4zF5VU2Jf3Uq4elZkdn2+AlW7KlFqU9aOcAm1G4
I+nTkYtNxwSJiLlvtmgzObbsfbh0ZgUxjHC0PGWvC1ujz03K/lW9yBXVVMSP
ixPO32Y5dDhlOx1yrvrYV5+2amegbUQ6EToAKEdXjPuIuOMrteazUoqR4VVK
GY2FTTlC1RCWaz4lGiHq06mGOTb6Y66iviuR64pHNzKI9KIoKEdbxeFSkpGO
RyUdVBRZRVMIK3TOcTG5RIYZPBn0i1UOj7u7LJHvS2jxQQeMmpPDufIohtmG
jJInE83UHEi4ylJDqOD416kqD8/DXwd+2tWyHdHIXCwiLB3aI120ubtKm4uI
09H+aPTuHQXNnvrmaGQuIaUxvv6hwn2EgbME4z5eBRgGZ8fmeJ012dNWQXwx
bmBiD4CbPWxA6LVDusfSuiw4uv9PkYaBlxQnlpusxTlE5TWN7Gp9KUREuCmy
RUXAXsPQzIZpJ8wI3lKm5NOigRzyuBUjKHF2nGdPFgdLNULisJCocwNCFOw6
5nIXUDFe4GsOoebk2i0R4XMDTBjDzuhFm+4T6yKYiQTd37gGMFglXbDESDmi
CzYSjGK6YkavheA3zcIigg/v1hK7OgcIcYZvlNSCPNDAKU9AZzElkzR2YUJM
oUBfysNqgiUdESVMVSNWh24+dATZVq1mL0ixyjI6sY8BBc+UDhvsMiy+pcQ2
il029SikFle9NMGXEtwQR4dPHuLF7GDvHp0fFMmsq9JD3T1TeYIrCNdnCEd1
n4RIVLyl2ibjA4HfdIOAJufXZd/NIAZtFQjVtwh4mUzKdqFINRAiyyQnP2hk
XqV957ZC8BU6VhHtKVkmZMXGDkWaHJERAwNG8SdVPxZmeHiP4lMHK4oDHogG
gZNBY6HRZprHm9s2uw2HwfuS83ezLxm2dCpuTE4U7bwIETmEC7FaeKnHOgJ8
9LScZoy/v6gpH3jsQKkIbijKV2x2Z6ay044TzWFdReCxABJlq4NmaMjUiawi
WktGFZvAfGcRk1qZhkcVAletzbj5gKzqtHjZnzkzhTUZAbEMeGWvMZjohg5v
jELVOAFcoDIFdHiT3YmINp3fFk8fxRILIstRZLnClnWAYRKSBZMgXVGQB3QF
0vABqtcsQsVW2XTeBnwEBORIdNuHj4QwTGyX/GxteCSZPm6GBfEjzRHwmwtP
EzqmJIZYZ30YHYE2w657SQu8orwWiUYpw2KmlKVoDgWVhfYuJdNGlDxiUAaI
rnBYxaKMRIahg5gC6WhEokWJTghjLt0xY2ix6DOiE43yFeRodUrYC2wTlyYo
vGrKJ68fhIdFUZFxD722DkYqrBlJ/N0YLy6TjOywW/xxi1yT2KD4RURTUVfC
Wildzih0cIq0Y6VPWS6kHgrkqtbLJVqCOPdziK72gYbZa4oadAmMPDWTktgo
+FSP7RwmH44SuFjIclJYA2v90UWdwAG2StMqtBImEvRANDEwk45ClGHilHFH
ksOKbIg+tH1qw8tpCUZplqa7lwYj60tck3mLOEYX2SvuUWP79ruSNAS8FGJW
j2gHuxTfjOm8yX6NYlImyuEdW32jCd0evDg95asessAwLW6fHplc2ZxoHFew
f/9BjAHHqqgesJqqaZr0RuUFc+5AVBGIkoGD5WGnBqZT/jhGCzCoF44EVyPe
OTWMcs2EbHe6En2gt+TJwmb4mlIRVD66oWWW1EUJGtgFo75opYj53qtwyxRl
KJ4AQby36v+kTRuW3j9UIfJZ1DJDAcDXT+fTpoJwI1vMKjVlL6Gs5Oe+MhuA
o7uDffDEJ9lJA9y4Wxm+C+6S/jc67gI2TPwXfz4IgCxyoPqxu6kv1o228Niv
MJKkXpCLvApOmkUClzvaRCBmCb6k+qR/h3PLKMQLB2rolFkTcOYBRlplV8k0
uKOJBoWWn0B+IA5oFtEt8xJfuhYZ6W9h5vVR0w3gc2P1I5fNqMJ/YLJl6T+T
fmGSneOcYUJN+F3fa7yemZd57BReBEs/dVwmBvwGA4rO4RSqS4+yxUFK5Har
yb57gwKD2NpkiKLUwjNPE5RzPbj9ezPZ1jAKlhPIVVtdmFwpbVTF01H5xONz
5qrQng15jk7D8XUjaVQ7a0QY+dtQ5DUAvsuRP1FeQs+1pJJJSq9wib8XU6Rz
XjVSTaNAiGsPnc7DFIqO+/GwoTpmqNBfpV1LEiORqNwcNClY/dM0T8qsqASL
yWmnld7RzTDPTe5aREaTuShwotbA+EStCfQYAncsfGjBclnnomtFJs0zKENI
D0J+fUdQDdoHtFGXK+YX5qGIplD56DZSKRmxQcreRiIYA2rB8ZyXiABlV6VG
J5DQER17UUzROOIUaGJSLUFc9Vbm1hPkgo+CXPAUfMHAmpu8wZqfybHUs4aG
26+iEDnvOqcAPH+9gTeLgk1/dcakSBzYU1mWSrd8/NnB9wu+d8Ehxainaeoy
ZyPmLk8RaKdQfLjJZ1doZySWAkL1r1uqq7fI+JkOFoAy4bC1stGoo4UoDG0u
r4gHot1L2xFnhy+mIH3ZXEh6oy/EG0JxkoU4cLGqvuY3TCZVqixDYU9ifyMd
xiewO6dzHC/V6exCsAYpsolnhwDj1BF3i+yDBFpcVl4lb89bZOYNtAPDBbux
Q0FqOIRbevv7Y69zicuAaKQU3H3uYuMS3dc8OSVaMqF50RRZmgXts9gNQHTG
7O/JIJMpE0SRqcOkA9Wc8pRgjkWTWxainTeuhCJ/jPeA5UPkP7Egt3l9yCI3
GQmoe1bl8RA+XElKakTWRoNRZ3XJHQ7WsExXUgNl0wGuVQGmonwuOHx6ZM6K
qU1laLconbR5+yLIro5DiXJifVR1gig6od8djBAhwEyhpbcmH62kgVISQU6L
AhuVuvj7Irl0ZF6mT+FUEDT/G5w+kfQuhGiDsevCb4LGczG4VU7Tn5ICJnoE
sYFlaKhaYf5UbQ+PHvmO34G881/OsWfxqbBIEzaFJmguK1ep56HRM3VItXyP
Z9n4aPxYsuGxRKjqS2yZkNXez0NXEJtJzvPpZOKZmHGtL9IlHa1SD23E6xT6
ya4yRmiGiVk9oSNX0aZZgmn3ASikynB8PfydXmZ/rslV+ln8DOMi4f7/Gx03
mu8PjoHUKnNDN59idaOocjEqe0MevfX85NumdbJMxZDi62kkzZ3DLkrK6RxU
9RUoJ6/Z1Jm3X3QGX67qWFUUzVTb6vT30MklXOlnoT8StnYx05vVigGbnBQX
3uWS45mEuIbmPn540jx2SBlTccZbTgH5YxA2QdaOkaTXVSyA2Jkqp33rYiYx
rldOVKmophbjnqbnpU3ow85YWQyydJA9SNacu9PJdhm7SZwV1zmsulkad90s
UTa7GwZ5xeliIbfmvrtN7w2V5AsTaK6FhVDyCFO5wFv05g0LuDmu1IHsRTKK
O81a5rNRrNWwH9KpXEKZFZ/oAINb7vtqukc14bc8Hn83bnmJ6Y8EP1qglqeA
gCD3CRuuR3f0XnELx3/Ib5zCC7fg3n0BMtPQfBiocT+M4dL0RO+YNFzSV0ux
Wzi1g++/xRjPRb2kQ/7Wn28NpfNMPs2JSaNWN5nwZHc0uLPr3AD2hcrZQEvn
3CXqOR35sHM6uIf7I9/JjbGIHIoIupCbpTH+pboV6wSxCvxhg+7+OHhjc2k4
XTsOYBt+j8bc/4tbHcztxACqIMAq7t0jTokI1lzzyQ7iLpIb8UCt0UUfMjqS
UlQVXO01A6vc3TXygRcdC/cTFO5mVuETFhLxSu96gl2KTuRgtXG+pqMlOCDU
JCumb1EnFW7HO524QHivU34gBoF12AK8S4oPW5W5HBKBNfj8RAyl40uqUpfY
a2+YLZfzOSe2n8Y5vTfcZ/c0zt69nb27Q4xvBA19+go3vsa+cCTMCR09dZly
7h6UB6R8/EiLSqS66isBd2nO+t5V6jkveFsR56LUI6uDtInKMe/hofUUD62N
IBuVJVSlB9Zo338UsY5MWNP1mfB2ibD3r2NY+84dUdAfmmSs+GDvwKnzwvjV
KrhI84vV3P9ZIEPKYvczrofnmg1pyG//VaPng4eb8ERapQimm2p8z9RIDP/r
FK4DP3PBs+L87BJjdvKLoFfHsI3L93ZNelbntMDO5rPy5yu4kaFe/tfWlDg9
Qb7Fzx2TwbvVNLkd78SjeDfei/fjO/Fd+tvng8Z/6K9vt+E/O28P3568ffr2
KD56e9O7jSBoxL4/TS/SfHZfnqMVDeR1n0fAdd2O5WvjtuLf40P436BRWw+0
py1l85b6rEmOsfYnVLKhUUkD3V3HTlKhp9yLRgsHeI+GFYnwQ2rhiF6mFID8
jmuMU2XdPENSk7T11syLtLul89KuoXu14Oq7s8db7UHzr5377F2Q2utBxAHs
nhrCxejhyw38H2lUetSevTg6OXrx49FjBAJ6iCCpXmf0JmIC3QO2SMqDkXnA
lVLAyrpd9655Ew9DuTacsbO+t2cew1LDrUeccWd4gertt5pBSqqOVu4E1eie
8gEYvQPzQueJDQd2P/Y/t/ly8tntoPNhCTrIg592KXNH7+10TCdcas70lumH
s2Pn11ShA+/t7G74MmezIrcV7W2oiD9Xb2e//ek3dMlO8blE//ZG2xvqr8uF
Lzva2fAWhnDWlXnRjhsvJ3K5WdByMO/Z4WN/+ULQG9nhKkQadKN5b7RvH1mc
a6DzbRLqwUsxKN5ndIrINzd+MHxsPj9u5NGeHojNtTJZS34LtTc0SoK4MTjv
B6YkaYMuYI+cah3N6oELu+q8SlcPPq2w6fz7CzP7Y9zTKdqyhzZ+faQ0tDLm
vn9moq4etAvZVW4KGThER6GWSOGSR/ns+/Mj/CMqc53l2jLkficOoqNwx4bF
ZtupG24uawZpy76nQd7Y9xuF2N7TUVR3sm0s9oiDjhJtIU5lm3SMHSX9Rg1a
c3QMHUU6RfX9boRlZ08bBaWn3QXfwRVitraql9v2IhdkUzbUaS4hGt0LKFIs
f94d/dWUOZArF924foZH+AA202Fg1uO7FO8gUFtgV3ULow3avNpsHsZvYhB3
/dH+bvzuQXz7Ng3lCo1NWgN3Ei/w8I+WUir16UfOCN+/O/rjphc54suQAMSt
H+mEv6r46ZCb5BmNvvpiJLwANzW3vCylb8t0NS9m1Rc7noBAC7ktauIwvzho
ZT4NhA7rUsRs3jnzn5BUtQtf+CzJEybf7FLS/p+RNHS19RG46Yhzc+fJYl1x
aNdTZzg4PHwW/yD5uqfT5WCC6aOqdxwt9ObNl2KnoZv1mzfjo6/4+Tu1gWo0
njdFEHOLMvtFaH44Gx+dnO2MDs6gMROGQvziaJ1Q0weZ2b21w8UpubojjkGh
AHLvcX2/0UKSEou9TmLd1LKgNiN1k+o0oT2k1Xuk7/sS/mUw/m789M8nxycP
H39/PNzZhv9u3729O9jf2x7s3tm7NxrcPbsLs6SjSthwMUnkAxC5pzbFpjim
lpGntiOWW1ZyJvD8yrxovH1k0D5oq57i/+dsb9PvOBSziqucnEDVejnBKCoc
soQTqLeh9xlsl1l2lZEY6N1m7mHEexQ5zTa/9Qv8/XJRY7BASWbnSsLzYDHC
tR0OQmIuJR7alADmp9Y6FmkPCDaAZnUc8P0owhRRjOlFV4Izb4UekVVygaOE
a2Vl3F4sE/sxLS34fjD0vLO2CeUVdiayzTXlvqaFq8l79KieykGT2X3KJJyU
anoLyv3aUU4DO9XfOlXwFTNFS2IO4swVFLnQ9JJ5EzZ+JouLMr+JMdBXr9Wy
FZrDGky1zESujJlRrDSVVx09hVcvTN4h2YkKbaeQLcZ82A5K96DmDR3sqtUm
LmcaJYrn495CVY7hU3pLkThGwDU3LlRAfAgUpc681UoVE36/CINyxBOU5VfF
QrK9cygaYV8SnwuCF0mlmQHWEleELCsrBo9EtleMpgksshXvTy9YJSGR3/2V
8FVFsqDEVsTsTtu66sgzpGuOVrclgdrje5LkHm5ODvuaVwXmj29Mh9qo7awI
O1C9jIrz++ymdl1qGJ/JhYsbijrZ73h56ixzkXlPQ7jCd132d1slSZ0dTxus
Eyf+bjQhO28xe6h5VWKd15mAVZTKy7fnaH5dU1FPzql+/HK0ABUR5nXn5ZYs
dW3EYdFC7GVjTiIhufUsYxiVTe14NoXgPJMTmw/pxmH3jj9r46993LywW5ax
BCsG5xacTU40p37TcQB4WkYUIcPJXjUGnRy8yA+yInafKyZBghZh2VxWaT0r
WBkmIEst4I7e8xfPtzBEHAPblTboPpMm9GAaP4t/3fplFN+G2cyZ4OVr4gNe
YRDDyrRnUhwPKI40Xa2EQH/0y+DOtoYi0M7TEWn4lvLPU0LXeol409fqivry
ePB4mJWr88H0vLwYJGkyG/DJ6jajHs0umpEDEmQYv8Zf4GIY7XL/T3WVeMko
OYwUJerpk7CUE3zOaURxrcy+FVHAKz7BzJEY1SOEQ/qhCIPH+a048KM0c+Zw
ezKbUB/NlayxY6cfBavLqU2yrrzvx62onU9fUfnGNQQrBb9mx0K5ovWxij+P
ecn0ruBff91qLBw8Ay4KqIiSvIr8Y5ngZwT5/Ab7d/uBkNb5yXINhe7HHSvl
hoUyxHwDL1cvSXK9zF+SIkOKKTFtkiuQQDMYoS+I80V2QXEivJyuCIYjSIci
n1kAGRSRg7uUSBddEQllSiG5A0daShENInMiXrUiny41EqljAdNsyiLeG+7z
bP7guKs1Dgvxme4Dz7wYpUWMut7LX3n8lIKWGNWZRxCDgyKOp6ovMeeGHE15
/PLqpdYw3Meebto6PngxsrDNxlYa7t+4meKuzRR9+mbipSSbSbZQ163h7EB2
FsVGveOVCgstfOfs5Ml4tH8n9AqTek5hDO06VYVQJIAE1FMjXSqyP79WD+/s
bTngXHjQ6GWrrUNBk02MDV80uu55PuukAzOEiGTskZpFQUWGe1XXyaY0ABpV
5kthD+/skaquiCnHURiexRK9JS146fbOd41iavDrt8fsEr970RLpVdLPhTrR
E01ea79iZUgl3NInrbek6O+KFxsR8U1XycoDAY3MUOXKrUcMeqwXidvDtH/v
8uYdV3pwiVOt0h0k03SeZIvGGumbyCJH/8m5AiPEpqcJR1HD9qAkbjZLq73V
d1RCO6qZcwo/BKbxoS0j+U8phgHvlriUDdpIojEzoqDKkbUhYooFzDygpA68
i1s3XAnQ4m10laXXPAMb958m1JHo7ajRvWF8ouBEArhs3scuz6Wza4DYiQyR
BSzbisIfTLA8L4u1TwnGccx4WkGxCw3aV0l/Hrl1JIJekzuS7YRTzysLo8ZT
MVTdXeCQVo4+keGQMMmeiI/TU5U0kyLpGmkCpEHkRhbdI1JTQ438Orbyl3UE
D/TPo3AADv3sx4BBq54XQD6NGEg0pxXZv0JKxPh5tjqHL1hR7i/9KBrik1A4
bqUxoDRPJmNOLGwA8JjwEnQ7YhwI45cUguQw7b3xJQq/7Lf4UPkbFBjXV1yc
blRkwUPDe3RZrFgSSnvUH+ZQ6UuWO4y1JAqEx0W8LmrN27FYKxGeC7F2kfwU
Q+xgKsIxLAhjihKH67VPUfSlcDQ4IhQK/2qmCRFycUnopchgticIypCRFyRn
snMQHri3ZrbrJmNaR4S4I5XAPdUzeaopfar+hjbdIKlh780bzYvWyJ8IM//l
TRPXRhr5jJo+l56LD4WGFSfL5kZUMRTi+nENWdRFUIl8CgrZF2CgIBAnNW4z
oaIVNlf5Rks7xyyOESBNEfd0Pce/KyhcchCJUQiPVkUbZ2jOFwx9OrMDYm+Z
P31dZnINEebjmjhtiB5JhKFgPmIP53R5C5mB173+pZBLr8psUq+KEvbsMzQe
I6z5KpvVyULyWU31Hb5Tb0xyB2ooPscIX8l2jcAwV5peZQITmx8zdwgF5rOx
GHXEEvvroQQMzrxtuWHvDLq+xNhgo8ZHYUdMlD+c9Z/FjxMoGH+V5n9LYId9
MSn/CHP4TVHAxVh+meEbkzR/dEF/HU6LJRY8nRdL2Jxfg5CGPsu7Y1AtnooZ
ogeDjb+DslmyJY9X5/z2o5z+7KoqJhlU9Q3cU0CayLtP6uQ6zbiWH3Kq8Xuc
eTjl4q+S/JW2s4U1fJ0uQBh+84+/o7G4lBqOTp/EfwFJhLmLsJbjr57FL0As
YjB7fFSjnI0H8ob2cAmazKNzrO2iJstzOURACLahcxR/m8zqVzrgVwkUiU/T
6TwvFsUFnJzy5BW+9Qi6OExnNZY/hoMwg17X1VWSlIm8duwTFshfkPIChL+8
9gik4LzQmXqGR2pOc18V+rWeFa+zxUIrXK4ewapIESxyuR7mcG5CucN5Ccdy
QUrkeBj/VBQzHQCGdEAvpkP5wzS5hqeP8Ix23/rP0Oa/Z/lvsNaCryO/rOkR
Pn00p79ruSeotGDe5lfuo7RWyHiZvIaj8qd0QpEDGR5MvfFPJ1tbCsDdiJQi
oOAl7W7OrEqH0b/9cHwohEb3tre3Uen/SZlDGP9EN2FYQWr8BxngokyhhGoV
sIkRf4RmzmB50a00/BKhrLDWY46e964wYpLp7s5XaZkjb/Z4UkySfjzOVwX6
tOgf+OtsHR/WOTLbzpNlP/4TaH10i3ySLJdwVPbj77LpK/itvETN+U/FPIde
rlYVwnVgbuHN07rM8dkzWPFJuohP//H339KcDaTjPE/gK6DrwI8fb+UJWxVI
1+VsmSsXGusFC85SJijt683T7WXW8dHJN3BGMULDt8gNRdrQfZ3oxzVmYDgq
s1fxtwvoZD/+uqRcr9Mkfp4siuUky7N+/BSzDR8hL9OqH/0lQXD469ewRfP4
JClfuXk5mdYzSln1j/+E3R//uM6nWP2LYoKB7j9lixVehF8UWPAxHA6L7Lrf
EAAwi3VZwuH5LZx9oLBdw8Clrz9mF6BhpfVvdByMF1dJiSTRoHYmw+i/AHMN
o5NJ6AEA

-->

</rfc>
