<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.3.8) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-wirtgen-bgp-tls-05" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="bgp-tls">BGP over TLS/TCP</title>
    <seriesInfo name="Internet-Draft" value="draft-wirtgen-bgp-tls-05"/>
    <author initials="T." surname="Wirtgen" fullname="Thomas Wirtgen">
      <organization>Unaffiliated</organization>
      <address>
        <email>thomas.wirtgen@gmail.com</email>
      </address>
    </author>
    <author initials="O." surname="Bonaventure" fullname="Olivier Bonaventure">
      <organization>UCLouvain &amp; WELRI</organization>
      <address>
        <email>olivier.bonaventure@uclouvain.be</email>
      </address>
    </author>
    <author initials="A." surname="MahendraBabu" fullname="AravindBabu MahendraBabu">
      <organization>Cisco Systems</organization>
      <address>
        <email>aramahen@cisco.com</email>
      </address>
    </author>
    <author initials="C. R." surname="Gaddam" fullname="Chennakesava Reddy Gaddam">
      <organization>Cisco Systems</organization>
      <address>
        <email>chgaddam@cisco.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Routing</area>
    <workgroup>IDR</workgroup>
    <keyword>tcp</keyword>
    <keyword>tls</keyword>
    <keyword>bgp</keyword>
    <keyword>tcp-ao</keyword>
    <abstract>
      <?line 60?>

<t>This document specifies the use of TLS over TCP to support BGP. The
Border Gateway Protocol (BGP) relies on TCP to establish sessions
between routers. While the TCP Authentication Option (TCP-AO) provides
transport-layer integrity protection against spoofing and reset attacks,
it does not provide confidentiality, cryptographic peer identity, or
scalable key management. This document specifies a method for
establishing a secure BGP session by running BGP over a TLS 1.3
session. The underlying TCP transport <bcp14>MUST</bcp14> be protected using TCP-AO.
An "Implicit TLS" model on TCP port 179 is specified as the preferred
mechanism.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-wirtgen-bgp-tls/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        IDR Working Group mailing list (<eref target="mailto:idr@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/idr/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/idr/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/IPNetworkingLab/draft-bgp-tls"/>.</t>
    </note>
  </front>
  <middle>
    <?line 73?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>The Border Gateway Protocol (BGP) <xref target="RFC4271"/> relies on TCP to
establish BGP sessions between routers. A recent draft
<xref target="I-D.retana-idr-bgp-quic"/> has proposed replacing TCP with the QUIC
protocol <xref target="RFC9000"/>. QUIC provides several advantages over TCP,
including security, support for multiple streams, and datagram
transport.</t>
      <t>From a security viewpoint, an important benefit of QUIC compared to TCP
is that QUIC, by design, prevents the injection attacks that are
possible when TCP is used by BGP <xref target="RFC4272"/>. Several techniques exist
to counter such attacks <xref target="RFC5082"/> and <xref target="RFC5925"/>.</t>
      <t>TCP-AO <xref target="RFC5925"/> authenticates the packets exchanged over a BGP
session and enhances transport-layer integrity by protecting TCP
segments against spoofing and reset attacks. However, TCP-AO does not
provide encryption, cryptographic identity, or scalable key management.
TCP-AO <bcp14>SHOULD</bcp14> be used to protect BGP transport traffic.</t>
      <t>TLS <xref target="RFC8446"/> introduces authenticated peer identities,
confidentiality of routing messages, and cryptographic agility aligned
with modern compliance requirements. The widespread deployment of TLS
creates an interest in using Mutual TLS (mTLS) to secure BGP sessions.
TLS complements TCP-AO: TCP-AO authenticates the entire TCP segment,
covering both the TCP header and payload, to provide integrity and
peer authentication at the transport layer. mTLS additionally encrypts
and authenticates the application data (the TCP payload), and
authenticates both BGP endpoints.</t>
      <t>This document describes how to establish a secure BGP session using
mTLS. The underlying TCP transport <bcp14>MUST</bcp14> be protected using TCP-AO
<xref target="RFC5925"/> with pre-shared key authentication or deriving TCP-AO
keys from the TLS handshake as described in <xref target="I-D.piraux-tcp-ao-tls"/>.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>This document uses network byte order (that is, big-endian). Fields are
placed starting from the high-order bits of each byte.</t>
    </section>
    <section anchor="summary-of-operation">
      <name>Summary of Operation</name>
      <t>A BGP over TLS/TCP-AO session is established in two phases:</t>
      <ol spacing="normal" type="1"><li>
          <t>A TCP connection is established on port 179. The integrity of the
TCP segments is protected by using TCP-AO.</t>
        </li>
        <li>
          <t>A TLS session is established over this TCP connection.</t>
        </li>
      </ol>
      <t>With mandatory TCP-AO as the underlying transport protection, TCP port
179 continues to provide authenticated transport establishment. This
avoids the need for a new port while preserving the existing BGP
operational model.</t>
      <t>The key benefits of this approach are as follows:</t>
      <ul spacing="normal">
        <li>
          <t>The existing BGP TCP port 179 transport is reused.</t>
        </li>
        <li>
          <t>TCP-AO protects the integrity of the TCP segment.</t>
        </li>
        <li>
          <t>Firewall, ACL, and operational deployment changes are avoided.</t>
        </li>
      </ul>
      <t>During the establishment of the TLS session, the router that initiates
the connection <bcp14>MUST</bcp14> use the "botls" token in the Application-Layer
Protocol Negotiation (ALPN) extension <xref target="RFC7301"/>. Other ALPN tokens
<bcp14>MUST NOT</bcp14> be included in the TLS handshake.</t>
      <t>Once the TLS handshake is complete, the BGP session is initiated as
defined in <xref target="RFC4271"/>, and the protocol operates in the same manner as
a classic BGP-over-TCP session, except that the session is encrypted
and authenticated by the TLS layer.</t>
    </section>
    <section anchor="transport">
      <name>Transport</name>
      <section anchor="overview">
        <name>Overview</name>
        <t>This document specifies the use of TCP port 179 rather than a dedicated
port. The use of a dedicated port is purely an operational and
deployment choice.</t>
      </section>
      <section anchor="tls-authentication-for-bgp">
        <name>TLS Authentication for BGP</name>
        <t><xref target="I-D.hbq-bgp-tls-auth"/> discusses authentication considerations for
running BGP over TLS protocols and defines a PKI framework to provide
for authenticating BGP peering sessions.</t>
      </section>
      <section anchor="initiating-the-tls-procedure">
        <name>Initiating the TLS Procedure</name>
        <t>This document specifies the Implicit TLS model for BGP session
establishment. Both peers <bcp14>MUST</bcp14> be pre-configured to enable TLS
on port 179. After the TCP-AO connection is established, the
active peer (TLS client) <bcp14>MUST</bcp14> transmit a TLS ClientHello as its
first application-layer bytes; the passive peer (TLS server)
<bcp14>MUST</bcp14> expect a TLS ClientHello before sending any data. BGP
exchanges <bcp14>MUST NOT</bcp14> commence until the TLS handshake has
completed successfully. No plaintext BGP bytes appear on the
wire; use of TLS is assumed entirely by configuration.</t>
        <figure anchor="fig-implicit-tls">
          <name>Implicit TLS Establishment on Port 179</name>
          <artwork><![CDATA[
Peer A (active = TLS client)         Peer B (passive = TLS server, :179)
  |--- TCP SYN + AO(MAC) (port 179) ------>|
  |<-- TCP SYN-ACK + AO(MAC) --------------|
  |--- TCP ACK + AO(MAC) ----------------->|
  |                                        |  <- TCP up (TCP-AO), no BGP yet
  |--- TLS ClientHello ------------------->|  <- TLS 1.3 begins
  |<-- ServerHello, {EncryptedExtensions}, |
  |    {CertificateRequest}, {Certificate},|
  |    {CertificateVerify}, {Finished} ----|  <- server's whole flight;
  |                                        |     server is already "done"
  |--- {Certificate}, {CertificateVerify}, |
  |    {Finished} ------------------------>|  <- client authenticates and
  |                                        |     sends the LAST Finished
  |                                        |  <- Encrypted, mutually-
  |                                        |     authenticated channel up
  |--- BGP OPEN (inside TLS) ------------->|  <- BGP exchanges start here
  |<-- BGP OPEN (inside TLS) --------------|
  |--- BGP KEEPALIVE --------------------->|
  |<-- BGP KEEPALIVE ----------------------|
  |                                        |  <- ESTABLISHED
]]></artwork>
        </figure>
        <t>This model is simple, requires no protocol changes to BGP, and incurs
no negotiation overhead. In this model, both endpoints <bcp14>MUST</bcp14> be
explicitly configured for TLS.</t>
        <t>Implementations <bcp14>MUST</bcp14> support TLS 1.3 <xref target="RFC8446"/> with mutual TLS
authentication. The connection <bcp14>MUST NOT</bcp14> proceed for any lower TLS
version.</t>
      </section>
      <section anchor="connection-establishment-failures">
        <name>Connection Establishment Failures</name>
        <t>An active BGP peer <bcp14>MUST</bcp14> connect over a TLS-protected TCP-AO
connection and never over plaintext TCP. Any failure within the TLS
layer is abstracted from the BGP Finite State Machine (FSM), which
observes only a generic connection failure event. TLS error alerts
are defined in Section 6.2 of <xref target="RFC8446"/>. The active BGP peer should
continue attempting the TLS establishment. After the configured number
of failed attempts, it may proceed based on the local policy decisions
described in <xref target="operational-considerations">Operational Considerations</xref>,
using TCP-AO authentication only.</t>
        <figure anchor="fig-tls-abstraction">
          <name>Abstraction of TLS Failures from the BGP FSM</name>
          <artwork><![CDATA[
TCP connected (TCP-AO authenticated)
  -> TLS layer
       -> TLS succeeded? -> BGP socket ready -> send OPEN
       -> TLS failed?    -> TcpConnectionFails
                            -> Local Policy decision
]]></artwork>
        </figure>
        <section anchor="tls-clienthello-received-by-a-non-tls-peer">
          <name>TLS ClientHello received by a non-TLS peer</name>
          <t>A non-TLS peer reads the TLS ClientHello (0x16 0x03 0x01 ...)
as a BGP message header. As per Section 6.1 of <xref target="RFC4271"/>, the
16-octet Marker <bcp14>MUST</bcp14> be all 0xFF; because the record begins with 0x16,
the check fails immediately. As per Section 4.5 of <xref target="RFC4271"/>, the
BGP connection is closed immediately after the NOTIFICATION message
is sent.</t>
          <figure anchor="fig-clienthello-malformed">
            <name>ClientHello Interpreted as a Malformed BGP Header</name>
            <artwork><![CDATA[
Peer A (active = TLS client)          Peer B (plain BGP, non-TLS)
  |-- TCP handshake ------------------->|  <- TCP up
  |-- TLS ClientHello ----------------->|
  |   Content Type: 16                  |  Marker byte 0x16 != 0xFF
  |   Version:      03 01               |  -> Connection Not Synchronized
  |<- BGP NOTIFICATION -----------------|
  |<- TCP FIN --------------------------|
]]></artwork>
          </figure>
          <t>After receiving TcpConnectionFails (Event 18), Peer A <bcp14>SHOULD</bcp14> terminate
the connection and <bcp14>MAY</bcp14> initiate a new connection attempt based on local
policy.</t>
        </section>
        <section anchor="tls-handshake-timeout">
          <name>TLS Handshake Timeout</name>
          <t>If a non-TLS peer accepts the TCP connection but neither sends a BGP
NOTIFICATION message nor resets the connection after receiving a TLS
ClientHello, the TLS-capable peer that initiated the TLS handshake may
eventually experience a TLS connection timeout and transition, via
TcpConnectionFails (Event 18) or ConnectRetryTimer expiry, back to the
Idle state.</t>
        </section>
      </section>
      <section anchor="alpn-for-bgp-over-tls">
        <name>ALPN for BGP over TLS</name>
        <t>Application-Layer Protocol Negotiation <xref target="RFC7301"/> allows a TLS client
to declare the application protocol it intends to use within the TLS
session. For BGP over TLS, the ALPN identifier is the octet sequence
0x62 0x6F 0x74 0x6C 0x73 ("botls"), defined by this document and
registered as specified in <xref target="iana-considerations"/>.</t>
        <t>An active BGP peer initiating the TLS exchange <bcp14>MUST</bcp14> include the following
extension in its ClientHello:</t>
        <figure anchor="fig-alpn-clienthello">
          <name>ALPN Extension in ClientHello</name>
          <artwork><![CDATA[
TLS ClientHello extensions:
  application_layer_protocol_negotiation (0x0010):
    ProtocolNameList:
      list length: 00 06
      name length: 05
      "botls":     62 6F 74 6C 73
]]></artwork>
        </figure>
        <t>The passive BGP peer <bcp14>MUST</bcp14> indicate the selected protocol in the
EncryptedExtensions message:</t>
        <figure anchor="fig-alpn-encrypted">
          <name>ALPN Extension in EncryptedExtensions</name>
          <artwork><![CDATA[
application_layer_protocol_negotiation (0x0010):
  ProtocolNameList:
    list length: 00 06
    name length: 05
    "botls":     62 6F 74 6C 73
]]></artwork>
        </figure>
        <t>If the responding BGP peer does not recognize "botls", it <bcp14>MUST</bcp14> send a
fatal TLS alert:</t>
        <figure anchor="fig-tls-alert">
          <name>Fatal Alert on Unrecognized ALPN Identifier</name>
          <artwork><![CDATA[
TLS Alert (fatal):
  Level       : 02   (fatal)
  Description : 78   (no_application_protocol = 120)
]]></artwork>
        </figure>
        <t>ALPN provides an early, explicit signal that the remote endpoint is not
a BGP-over-TLS endpoint, which is preferable to completing the
handshake and failing later on a malformed OPEN message.</t>
      </section>
    </section>
    <section anchor="connection-and-session-management">
      <name>Connection and Session Management</name>
      <t>Since BGP operates as a peer-to-peer protocol rather than a strict
client/server protocol, either peer <bcp14>MAY</bcp14> initiate the TCP connection.
The peer that sends the TLS ClientHello is designated the active peer
and acts as the TLS client; the peer that receives it is the passive
peer and acts as the TLS server. Therefore, each BGP speaker
implementing TLS <bcp14>MUST</bcp14> be capable of operating in both roles.</t>
      <section anchor="connection-collision-detection">
        <name>Connection Collision Detection</name>
        <t>When both peers simultaneously initiate a TCP connection, two TCP
connections may form. Section 6.8 of <xref target="RFC4271"/> resolves this as
follows:</t>
        <ul spacing="normal">
          <li>
            <t>The peer with the higher BGP Identifier (Router-ID) retains its
outgoing connection.</t>
          </li>
          <li>
            <t>The peer with the lower BGP Identifier drops its outgoing connection
and uses the incoming connection.</t>
          </li>
        </ul>
        <t>If a connection collision is detected in the OpenSent or OpenConfirm
state, the procedures defined in Section 6.8 of <xref target="RFC4271"/> apply. The
BGP speaker detecting the collision <bcp14>SHALL</bcp14> send a NOTIFICATION message
with the Cease Error Code, terminate the corresponding TCP connection,
and transition the FSM to the Idle state.</t>
        <t>Since the BGP Identifier is not known until the BGP OPEN message is
received, both competing TCP/TLS sessions may complete full TLS
establishment prior to collision resolution. Once the BGP Identifier
comparison is performed, the speaker determined to have the
lower-precedence connection, as defined by <xref target="RFC4271"/>, <bcp14>MUST</bcp14> terminate
the corresponding TCP/TLS connection.</t>
        <t>As a result, the use of TLS does not modify the collision resolution
algorithm itself but may increase the connection establishment cost and
delay associated with collision handling, since one fully established
TCP/TLS session may subsequently be discarded.</t>
        <figure anchor="fig-collision">
          <name>Teardown Sequence on the Losing Connection</name>
          <artwork><![CDATA[
Peer A (lower Router-ID - loses)         Peer B (higher Router-ID - wins)
  |                                         |
  | <- both TCP+TLS connections up <-       |
  | <- both BGP OPENs exchanged    <-       |
  |                                         |
  |  ** Collision: Peer A drops its         |
  |     outgoing connection **              |
  |                                         |
  |--- BGP NOTIFICATION (Cease) ----------->|  (over outgoing conn, encrypted)
  |--- TLS close_notify ------------------->|
  |--- TCP FIN ---------------------------->|
  |                                         |
  |<===== Established on Peer B's conn ====>|
]]></artwork>
        </figure>
      </section>
      <section anchor="tls-session-continuity-and-certificate-expiry-handling">
        <name>TLS Session Continuity and Certificate Expiry Handling</name>
        <t>If a new TCP/TLS connection is established, full TLS certificate
validation procedures <bcp14>MUST</bcp14> be performed during the new TLS handshake.</t>
        <t>Certificate validity and peer authentication are performed during TLS
session establishment. Expiration or revocation of a certificate after
successful establishment of an active TCP/TLS-protected BGP session
<bcp14>SHOULD NOT</bcp14>, by itself, trigger termination of the existing session.</t>
        <t>Implementations are not required to perform periodic TLS
re-authentication or certificate revalidation for active BGP sessions.
Existing TLS sessions <bcp14>MAY</bcp14> continue operating until normal BGP or
transport-layer termination occurs.</t>
      </section>
    </section>
    <section anchor="operational-considerations">
      <name>Operational Considerations</name>
      <t>An implementation <bcp14>MAY</bcp14> support locally configurable transport security
policy modes for BGP over TCP-AO and TLS deployments.</t>
      <t>The following operational modes are <bcp14>RECOMMENDED</bcp14>:</t>
      <dl>
        <dt>tls-required:</dt>
        <dd>
          <t>TLS is mandatory. Session establishment <bcp14>MUST</bcp14> fail if TLS negotiation
or peer validation fails.</t>
        </dd>
        <dt>tls-preferred:</dt>
        <dd>
          <t>TLS establishment <bcp14>SHOULD</bcp14> be attempted. If TLS negotiation or
validation fails, the implementation <bcp14>MAY</bcp14> continue operation using
TCP-AO-protected BGP transport based on local policy.</t>
        </dd>
        <dt>ao-only:</dt>
        <dd>
          <t>The BGP session operates using TCP-AO-protected transport without TLS
establishment.</t>
        </dd>
      </dl>
      <t>These modes allow operators to deploy BGP over TLS incrementally while
preserving interoperability with existing TCP-AO-protected deployments.</t>
      <t>Implementations supporting the "tls-preferred" mode <bcp14>SHOULD</bcp14> provide
configurable timeout behavior for TLS establishment prior to fallback
to TCP-AO-protected BGP transport.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>This document improves the security of BGP sessions, as the information
exchanged over the session is protected using TLS. This document
mandates the use of TCP-AO, which protects the TLS stack against
payload injection attacks.</t>
      <t>It is <bcp14>RECOMMENDED</bcp14> that an opportunistic TCP-AO approach be used, as
described in <xref target="I-D.piraux-tcp-ao-tls"/>. A router attempts to connect
using TCP-AO with a default key; once the TLS handshake completes, it
derives a new TCP-AO key from the TLS key.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <section anchor="registration-of-the-botls-alpn-identification-string">
        <name>Registration of the BOTLS ALPN Identification String</name>
        <t>This document requests registration of a new entry in the "TLS
Application-Layer Protocol Negotiation (ALPN) Protocol IDs" registry.
The "botls" string identifies BGP over TLS:</t>
        <figure anchor="fig-botls-alpn">
          <name>BOTLS ALPN Registration</name>
          <artwork><![CDATA[
Protocol                : BOTLS (BGP over TLS)
Identification Sequence : 0x62 0x6F 0x74 0x6C 0x73 ("botls")
Reference               : This document
]]></artwork>
        </figure>
        <ul empty="true">
          <li>
            <t><strong>Editor's Note:</strong> Earlier revisions of this draft requested
allocation of a dedicated TCP port (TBD1) for "botls" from the
"Service Name and Transport Protocol Port Number Registry". That
request has been WITHDRAWN in favor of reusing TCP port 179 with the
Implicit TLS model described in this document. Accordingly, no new
transport port is requested.</t>
          </li>
        </ul>
      </section>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>The authors thank Dmitry Safonov for the TCP-AO implementation in Linux.</t>
    </section>
    <section numbered="false" anchor="contributors">
      <name>Contributors</name>
      <t>Serge Krier
   Cisco Systems
   De Kleetlaan 6a
   1831 Diegem
   Belgium
   Email: sekrier@cisco.com</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC4271">
          <front>
            <title>A Border Gateway Protocol 4 (BGP-4)</title>
            <author fullname="Y. Rekhter" initials="Y." role="editor" surname="Rekhter"/>
            <author fullname="T. Li" initials="T." role="editor" surname="Li"/>
            <author fullname="S. Hares" initials="S." role="editor" surname="Hares"/>
            <date month="January" year="2006"/>
            <abstract>
              <t>This document discusses the Border Gateway Protocol (BGP), which is an inter-Autonomous System routing protocol.</t>
              <t>The primary function of a BGP speaking system is to exchange network reachability information with other BGP systems. This network reachability information includes information on the list of Autonomous Systems (ASes) that reachability information traverses. This information is sufficient for constructing a graph of AS connectivity for this reachability from which routing loops may be pruned, and, at the AS level, some policy decisions may be enforced.</t>
              <t>BGP-4 provides a set of mechanisms for supporting Classless Inter-Domain Routing (CIDR). These mechanisms include support for advertising a set of destinations as an IP prefix, and eliminating the concept of network "class" within BGP. BGP-4 also introduces mechanisms that allow aggregation of routes, including aggregation of AS paths.</t>
              <t>This document obsoletes RFC 1771. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4271"/>
          <seriesInfo name="DOI" value="10.17487/RFC4271"/>
        </reference>
        <reference anchor="RFC5925">
          <front>
            <title>The TCP Authentication Option</title>
            <author fullname="J. Touch" initials="J." surname="Touch"/>
            <author fullname="A. Mankin" initials="A." surname="Mankin"/>
            <author fullname="R. Bonica" initials="R." surname="Bonica"/>
            <date month="June" year="2010"/>
            <abstract>
              <t>This document specifies the TCP Authentication Option (TCP-AO), which obsoletes the TCP MD5 Signature option of RFC 2385 (TCP MD5). TCP-AO specifies the use of stronger Message Authentication Codes (MACs), protects against replays even for long-lived TCP connections, and provides more details on the association of security with TCP connections than TCP MD5. TCP-AO is compatible with either a static Master Key Tuple (MKT) configuration or an external, out-of-band MKT management mechanism; in either case, TCP-AO also protects connections when using the same MKT across repeated instances of a connection, using traffic keys derived from the MKT, and coordinates MKT changes between endpoints. The result is intended to support current infrastructure uses of TCP MD5, such as to protect long-lived connections (as used, e.g., in BGP and LDP), and to support a larger set of MACs with minimal other system and operational changes. TCP-AO uses a different option identifier than TCP MD5, even though TCP-AO and TCP MD5 are never permitted to be used simultaneously. TCP-AO supports IPv6, and is fully compatible with the proposed requirements for the replacement of TCP MD5. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5925"/>
          <seriesInfo name="DOI" value="10.17487/RFC5925"/>
        </reference>
        <reference anchor="RFC7301">
          <front>
            <title>Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension</title>
            <author fullname="S. Friedl" initials="S." surname="Friedl"/>
            <author fullname="A. Popov" initials="A." surname="Popov"/>
            <author fullname="A. Langley" initials="A." surname="Langley"/>
            <author fullname="E. Stephan" initials="E." surname="Stephan"/>
            <date month="July" year="2014"/>
            <abstract>
              <t>This document describes a Transport Layer Security (TLS) extension for application-layer protocol negotiation within the TLS handshake. For instances in which multiple application protocols are supported on the same TCP or UDP port, this extension allows the application layer to negotiate which protocol will be used within the TLS connection.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7301"/>
          <seriesInfo name="DOI" value="10.17487/RFC7301"/>
        </reference>
        <reference anchor="RFC8446">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="I-D.piraux-tcp-ao-tls">
          <front>
            <title>Opportunistic TCP-AO with TLS</title>
            <author fullname="Maxime Piraux" initials="M." surname="Piraux">
              <organization>UCLouvain</organization>
            </author>
            <author fullname="Olivier Bonaventure" initials="O." surname="Bonaventure">
              <organization>UCLouvain &amp; WELRI</organization>
            </author>
            <author fullname="Thomas Wirtgen" initials="T." surname="Wirtgen">
              <organization>UCLouvain</organization>
            </author>
            <date day="7" month="July" year="2025"/>
            <abstract>
              <t>   This document specifies an opportunistic mode for TCP-AO.  In this
   mode, the TCP connection starts with a well-known authentication key
   which is later replaced by a secure key derived from the TLS
   handshake.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-piraux-tcp-ao-tls-03"/>
        </reference>
        <reference anchor="I-D.hbq-bgp-tls-auth">
          <front>
            <title>TLS Authentication for BGP</title>
            <author fullname="Jeff Haas" initials="J." surname="Haas">
              <organization>HPE</organization>
            </author>
            <author fullname="Bob Beck" initials="B." surname="Beck">
              <organization>OpenSSL</organization>
            </author>
            <author fullname="Yingzhen Qu" initials="Y." surname="Qu">
              <organization>Futurewei Technologies</organization>
            </author>
            <date day="1" month="March" year="2026"/>
            <abstract>
              <t>   The Border Gateway Protocol, Version 4 (BGP-4) (RFC 4271) uses TCP
   (RFC 9293) as its transport layer protocol.  There are proposals to
   run BGP over TLS-based transport protocols, including QUIC.  This
   document discusses authentication considerations for running BGP over
   TLS protocols and defines a PKI framework to provide for
   authenticating BGP peering sessions.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-hbq-bgp-tls-auth-00"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="I-D.retana-idr-bgp-quic">
          <front>
            <title>BGP over QUIC</title>
            <author fullname="Alvaro Retana" initials="A." surname="Retana">
              <organization>Futurewei Technologies</organization>
            </author>
            <author fullname="Yingzhen Qu" initials="Y." surname="Qu">
              <organization>Futurewei Technologies</organization>
            </author>
            <author fullname="Jeffrey Haas" initials="J." surname="Haas">
              <organization>Juniper Networks</organization>
            </author>
            <author fullname="Shuanglong Chen" initials="S." surname="Chen">
              <organization>Huawei Technologies</organization>
            </author>
            <author fullname="Jeff Tantsura" initials="J." surname="Tantsura">
              <organization>Nvidia</organization>
            </author>
            <date day="24" month="June" year="2026"/>
            <abstract>
              <t>   This document specifies the procedures for BGP to use QUIC as a
   transport protocol with a mechanism to carry Network Layer protocols
   (AFI/SAFI) over multiple QUIC streams to achieve high resiliency.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-retana-idr-bgp-quic-09"/>
        </reference>
        <reference anchor="RFC4272">
          <front>
            <title>BGP Security Vulnerabilities Analysis</title>
            <author fullname="S. Murphy" initials="S." surname="Murphy"/>
            <date month="January" year="2006"/>
            <abstract>
              <t>Border Gateway Protocol 4 (BGP-4), along with a host of other infrastructure protocols designed before the Internet environment became perilous, was originally designed with little consideration for protection of the information it carries. There are no mechanisms internal to BGP that protect against attacks that modify, delete, forge, or replay data, any of which has the potential to disrupt overall network routing behavior.</t>
              <t>This document discusses some of the security issues with BGP routing data dissemination. This document does not discuss security issues with forwarding of packets. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4272"/>
          <seriesInfo name="DOI" value="10.17487/RFC4272"/>
        </reference>
        <reference anchor="RFC5082">
          <front>
            <title>The Generalized TTL Security Mechanism (GTSM)</title>
            <author fullname="V. Gill" initials="V." surname="Gill"/>
            <author fullname="J. Heasley" initials="J." surname="Heasley"/>
            <author fullname="D. Meyer" initials="D." surname="Meyer"/>
            <author fullname="P. Savola" initials="P." role="editor" surname="Savola"/>
            <author fullname="C. Pignataro" initials="C." surname="Pignataro"/>
            <date month="October" year="2007"/>
            <abstract>
              <t>The use of a packet's Time to Live (TTL) (IPv4) or Hop Limit (IPv6) to verify whether the packet was originated by an adjacent node on a connected link has been used in many recent protocols. This document generalizes this technique. This document obsoletes Experimental RFC 3682. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5082"/>
          <seriesInfo name="DOI" value="10.17487/RFC5082"/>
        </reference>
        <reference anchor="RFC9000">
          <front>
            <title>QUIC: A UDP-Based Multiplexed and Secure Transport</title>
            <author fullname="J. Iyengar" initials="J." role="editor" surname="Iyengar"/>
            <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9000"/>
          <seriesInfo name="DOI" value="10.17487/RFC9000"/>
        </reference>
      </references>
    </references>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA6Vc63LbRpb+30/RI1ftSBmSlmzHdpTYCa1LrIosaSVlXKmp
qVQTaJIYgwAHDUrmeJxn2WfZJ9vvnNMNNEA6sWf1QyIB9O1cvnOFhsOhqrM6
t4d659WPV7q8s5W+Pb95eHt0taPMZFLZu0M9mS2Hde5UWiaFWeDZtDLTenif
VfXMFkN/e7j/tUpMbWdltT7Urk6VcqvJInMuK4t6vcS4s5PbU60faJO7Eitm
RWqXFr+Kemegd2ya1WWVmZy+nI1f4U9Z4dP17emOSjHzoUrKwtnCrdyhrquV
VdjcY2UqazDbdbmqs2K2o+7L6t2sKldLXDw7vt5R7+wa19JDpYe6Tpb8B8fB
H2zdXxyaUqk7W6ywitad4VrL7nfeYmKsoH+ku3R9YbKczpFWP2S2no7KakaX
TZXMcXle10t3+PAhPUWXsjs7Co89pAsPJ1V57+xDjH9I42ZZPV9NaNmrC1vf
y2rnZvJQ6O3pvKOUWdXzsqLzYJTWwpTbebkwTr8VrvANLGSK7F+mBgcO9c+F
mU6zPAMlU75tZf81Dxx5dv4wo6ujpFx0p7/Ms7sM0vGqLAzoVK8qu22No/Ny
dWeyQv+Xfntyfn0WL1TKFKNJO8UPqySXAaOJ7S44rswdJOSVmaz0GzOHnFSG
vmxZ9ShzSalv1q62CxevaCqzoKE/JPTE5qGOcK8w76wzd0Zf2zRd6x9NmprF
lyySzGc8JlpEFWW1wLg7lqbr06NHBwff+I/PD5498R+fPHp24D9+/c2jr/3H
Z4/3w9XnT548pY9nw+PRMqvM6v1QZJUEIdyYT/7Z6CBJxqFSWTGNN0BPVbY2
hRlC1vjhf66ypN3Fo7CL/efh4zf7+/uYaTgcajNxdWWSWqnbeeY0YGC1APu0
W9okm2bWQYSsXjmryymhh4eRoytdl9qtlsuyqjXgZQQZteoVVBG3f4QY3pu1
vqrKukzKXO/iiT1d2ZwmLIsw3rraTPLMzbWzDCVOTaAc1hYaaljbyo3023mW
W94EDRqDBtheljDj9OWS/+zi1nB8uaeXVXmXpdYpnKlwtLdhbtbYUVYAvKqs
XtMjtU14mJlBNh2dtSynpPymSLFJZ2tt6tok79xAZTVogk0XZR1m10CqaUbI
BjzDlAOdVOtlXc4qs5xniV5aWpDv082yUi4xOQ5qNdAKwFKYmSUiE82209zo
hYXqphqsVg2VeIsgVQLlIpoHqunJWleroqD7DdIb5tbB6LHyTzGH9AqQXOVr
epSZEOik3/x8c6snNtDHpmC6fwqkHalxAexaLPMsAUkw9Y5elKnNAzd5joNn
32gcKJwj1UbEZ1nZqa0qQNPCJnPonVuMRPwWWZrmVqkH+qyoqzJdMWdIGHHC
3xWmDx+8kn38uCFYLcliMjm9IVxjDE2I9IzC6sOHT2gT1pjjLKDNsnSWhGSZ
myQQ8R7Yzuf875/PjtQy7JN3SKr28eOIbzXiiR2BRSbXJr0zRQ1xcI1eQeSK
JF+lNDmzmoUoaBrkQS9WeZ0tIU3QXGsWbsByCyNqIIGLVvRB4tOqXASRIeEH
RN8vSygDjdHZgh7DBkCYwk7BV+g4bxQ4t4TpTUlJsSeVER9NzTcHJG44RDYr
BsRZQnthc1b8I2iWqI8MwkQKZHMZacA91JeJhilXREpMRjwK7HxExLrx5IEg
zovsnyuQx77PXK2wnaRcQZcrUCSZN+vwaAI4MIqIId8Bu5gNwsQiHF/UpsUR
D3FLTGRrWogkdIadeTXC7oIK8dy2wP2ERn0SYyYtzIiIYILZgun0x5gz0q/L
eyLAwOteA0AqAJAtGHGwoz72xLCjPwU7gSA3ry9/Pj8mpWdOgLh+18yRFhrw
Cc5FQpQEpDAZyXiBjJlXWoKsiKJpBwOhmgPVw0yStEqcOkCdc6QCIsfd85hZ
xo9j0KwAfrCqEfBUBQspPB7wAgSEllZ8Oic4d096Buk00Awoa7lmhBUbphJc
J76TDpAwAS7wwQPem1W9guzRUXcX+L3Hlm4DdN2IqcGbkIU9uw4D2zZljL5V
Ysi8QBBhwGpad1J6FKHbc2ycpA8EWZp1Xpp04PnDAtCKGp5QTGzTtYzQO5qr
ZSLL6EjTiQA7cMfxlMnzdRAmp2ixzT2bJWG+TEoYo3fDHv3G9phvqjuSD0PU
gmvHgONGfQ8D/EmqbIKH5+V91xvYauSYO4r2//+yZCqGARYnSMnQzRnuSFF6
hIQeYR04t+0MeMrpKUErkwIEBSKkmOKdJYsXDpaSTIlJ2fDvGJce6KOyIPhk
40TkPwYKF8waJzaQNkTxjdM7dCyKnvh4F5f8+foEiHx9ckyfb16Pz8+bD8o/
ITrefmpHHl2+eXNycSyDcVV3LqmdN+NfdkQldy6vbs8uL8bnO3SiusNFkI14
NxGZrEDLmu2+6lDh1dHV//7PwRNQ40/eYQbx5Qu5zMQJ0FxWKwsIpXwFedcK
AmgNoStAINeJWWY1YswBUdpBcgroSmVBza/+RpT5+6H+bpIsD5689BfowJ2L
gWadi0yzzSsbg4WIWy5tWaahZud6j9Ld/Y5/6XwPdI8ufvd9nhVWDw+ef/9S
9VUKMA5DIeEljFANp51dqF22wxmINslmQ6gkUHNvpE8zm0Oy2D7DnQGroIEV
Y3Ij3fNsNh/KLJMMGAcEtQaWl2ZnEb5ZLRamYkC/XMJqi/821v2UAyFiUGXs
uVF2ERBsWS/hYllEPuqAHDPSaRiNwnsUvSG4EjxOQYMWEbERbFxFIOtodIsG
sM5d11Y94gWhx5/YIJ+D5b67Kwx9ywYJcmvqElQI0O/DphaiWnhqA5BB4zkr
8pwxL2hPzk6E9F2z2s7SbK8NJJS5K7NUVi6s5eABUFrYe6HVPUdSS3I2KoYz
NknkV/nAQZWBgbB/7N2PWhTyLqIT+oIU0MuqJFEgCMCBp2Wel/fEv6+YI/HM
3RChPQWmqSw5HyMeJcTzBAo+ZZevsfHkQaewqPdAhoEeH517BImOERl/8euc
7JdIxcser6qGFjFNm/VasWBA8sGDuLYM1mTwFN2JxJWRh6Jmur4Da5i7HbD1
nS0EQq0et3Z1eE62WTUBzoWdlTQth7bj86uLPRCztgWLJpsvSiOQo3yJmSpN
j8jkTgXIE0SmQMIrWN9S4eiX5DptmjAwRbya2sqJYyuMm+HQHuZhsYKpayIy
4YOEfv5QwhTrwmacWVhSnIJ8F8iuTnKDJRJabUgKNxROe8rDLbfLWqjOwyNN
FQcG3mHfg2FdDwcUB4gg6zbIH7480Jd3pA72/vMyILEc4zxzkQTYJkhaKosq
Dr7ER5FR0U0d5H4J/yYn/60jruRJdUS2zBLG2Qd8hl76gxSc9NYHrv1kEcxq
mrlk5VzXP6ehlG2FBsjCjvMMGykEWjHwT/wT4TblJ65+OoORAA/Z1rSApRh0
orX8hOSjSkgbvGc605mIUlBAWhBaAEtEGcjf5UecivCZCE+NsITqQeQrcklp
Gy7yEO2QA5PZyge7tuCAiYKEjokZT0XnbQCpT5omVhllEsrPSRi0y3FCnmEX
e7I0A+ACm5ckzRHfe22BnwSkAFk1zSrEJJHv7WNMMrvuWx+w4pidNQjXbbUn
GGDfLymS21xhYkEoUqAilfhzzX79iCUpRL+eRgQkwAIQMCFrVmf5FryA2VYB
MFKKyxEOuukKscVIX0AwckMg/l6iSj6A9j5dyVCAoK6y38Y5RrIuzoHtqQ+Z
co6pA6uMt72//fabuqLTj/WuJ/gLHRM7/PBDr/RuINkL3ZJroA/B4T2l9b8p
IUUKfvPLhf6LHl/uvhkf7WGUl4I9PeSfl/+mh79rHx6Oj36KBgw7P/+OZ/69
B5uZ9Wf+4MHvZNrVskmBDnRRMqHXtm5W7knAxrq0skwmKUPIyCwrXDjmDROK
xw70h5MAtyfBJjngfbPzD0cWLuSU0e7aUu6mxu346sfB1of/CoCYrunZU1gY
UqWPvFPZmTDrzw5eTAkFnebwS+tvv5Bc+JF5WMJyyg6s9U5aFnYn0Kq70e0b
bLff3em2H09YkcheeE1g/x8coPA+3vkYGhp28OWC0/BxoBec8sjXwy/fTtfc
EngUgOLVMtCTRPHy6uRC72ZscDRnVLaRiLMFDfxwJMKhXZDCz5ipVTZ6+KeT
k6vx+dlfT7Yzp1Xjz3h4+B9o5snN7fjV+dnN65NjhqoPh/oB8GuYedNFdlpz
hfZFJ7OuT7p+aKGvPALtfPRGUQwepdppMrhpPgFGacLW5Qq0rBkRxCeDT7iq
nMJjReRlkrmnlNMIFlm8e15hIHmcJocTDCfMhGw3b0HZxxuUnlHqLCTFvHvB
40IOO4BMnEiUvF6TeVNdb0Wcqb57TcZpSd5CCHVgyRCBiOOicCInZuIB51nC
0C5xT02WY+9OUX3D25DgrsgqftWoqDJsQ0mfEIp2RjQuKHsrA1rjh0fhRmCL
U1mSj9w65srnkF1TkaNThSictkSajoj+BjS1+g0CL8oD7J7evAHmI7RL5qqc
MLo5SaEYPUPIVsGjjrYXFues/YhZYauKiJcD6BzV23Xk0t/4YU9Hj8g2RxwT
lvQp5ublKk9ViGQppW0Xy45/1/PKWscqEqRitZggIMKKtF8KNGQeN4BzhKBh
3fB9YpxkA2iGvEwgPssSokkViiSTkmInE/W3y8jbPuo4wX/ffRC54sOuh7w3
UHHSYCNLCIp7jyRKEWDJ3S3J4JS8jeHLNipRHjf8NXahLEKG7+kKu7QlFSe0
GCxcIyPAYNgbKeT6PlxJlq3gk6Q7tR2vmjnOmYJXXQp2wItjCy+hdHCPX+Po
knfigmr1pPjmDaHYAx/QxG4JleIgTRy0GQBZMeQABHJF+aT4OxPCNSIVT7K7
//7gqd5/v/+Yfh3o0Wi0p4yTOk4oNfj0OqQPcRima8X8oBHzEMiSg3rwdFiC
mzXUrnoXgAHxAyUk99+fnn6LL4kJ4T7OUVap96EE2WhTA8kRzG3yjvkERx+O
dUqRNHnKva08GX29dSt0im7skeRckowm06ZRKmDk2enZ0ZjyiOH0VM1zkj75
bA+6daEJ0MSceI5411nKFk1Q8Ds+JjusYdAfuaaNSwxJrgmxb7lfBzzeZnU9
fzj1yYLwpxfMID/HX8UmHMrzJCIHm3NADSJzcVHW+mZdJPOqLLJ/iZ/lnZUO
bbc7DP64p2dbHoiejBVMKD8nagwXJqdeDwpNRc1iUp118u0Q8DfN07S71yzi
pGsCsaJdjGAbsKB3T8ge6IPnsCVeHnxaG0MXWQGx6me4yNC9Gf/SZIN8pjF+
QkC7xWjGZyX4PGox4HUjNLfZwparGv7DtIcAsDSU/3FNCjBaZ7KqsXTGuRjx
jqVou032MWkl5Van+wfqkYltvYooPgiAM0zMktMEvLNOIjDdEh/DXim2tyup
tyEwrzKOqCU4j/ZQCwEke0ZJgkzyxHeZUb/LNipT+bvXtq7WRMmKlsqqNbw4
k3COhgDkLOXOAVP7tBInD0PqJKR9IDT99KTemp6MspGEhuW9C4diulHBHmYk
5ypRr5jYuKlZzVleDmtKTgP0XKOmgeW0t03hCJ9AasvTTHwouiyI7SgEBa3V
/vunj4AFT0/x69kT+nREnx7rXZ+ehegHz4ezhp0qFyK1CnjuqFjM6tb2uHDm
M6OOka7HwCW+LV5ltpnzCmGPGBaftuW7klSnwmebAcaClIePJPPQex49MG2G
cDtZRPtf2ev4NXDg1zgUgAHd3z/Y3ztkXyEw/cIs7DmOf+g9CDhwtc5tMavn
h3p/X+8/9Teo96698bW/6kkswAs+gAvgATjw7HEH/Ey+LGIEbNwLYvFJTIHo
nBIVtQmxrv+eFZJ59VnjXNyyVvgkBbUlqREgwxP3PyDfduJ9gnTbCPdFZGvS
4J8m2pZTEvHOpt5vcctSkoINCZveN3JqZmQBw6bYFZe4jpxRo6am9m0THEtE
Mjmm73qXH2DCnAMOc29xcdhH+OPv4uYxu+vS2Heonz2nm0X5a0z/hnsv9MGj
/b1NB5UX9GQ45X3JHjDlz0VzlFSg46yBDraWdKlp1DKFtqbK11SA8BE6NT5R
b1KoRFR2gXCwCZIJfqhXx0SFDFJxf9vHalKRpK44NiTc18QZVA8LKuooAHXJ
X6Q7uSEbRcZKt74BJ0W8sIaugthK3/hSyZumA0ipm4zsD2NpqMuwD0FMH9bl
kJnfkLlb6ICnnyW1EjV96BNq4VkQSiyxaGDsIGya7pHobWNF29xWH8oy51vO
GhsbZdil7kMVQ9OOlu35VHmzgo8xHBud0PjFsOG7aLbMJCfkgLfi3PlASuAc
mC0teFSpLCQ82MHCoBAiBFcBvrwPLvEAVJETK1WZW7eRoTgC5nPgBVXwlWKl
3lLf3KQtYbiM2gBNAXfBwamIvLAuiQdcWqcWtPaa4xCapGcUhT7Pe/EG4UGZ
33G9hRPyql/hZYo1zY/UKWDFPrcapXevuVw6PDum/t+amt+4wKE1rs9Kokan
nr5tZknq9CZOq3LJU22biMxdkUo/hFSRoV4ba7GXGXlfSUN4Fjef4/GOyOXS
Fjecj6v48xGlK6qFYldqEGqdUrpy23MoGxQmTFv7zulWmPzSwUFodyUtKQK3
2yO7hmRHFk63PuHUzlGZ0gaDI+8nrSK474mM6rqfPABxu/cgdceDFCAJ0f1Z
xwsju/GuoBadtnTUZHGDQ545FQJ/n24kJLShc/JhVH8XuQ2lJk0lJvYPu3X7
ZZXh0IyogXAsySvJJF5u36+SltfMCfehqoKuwtmYM0RGKRbOzR1PpVhAh0s6
R8qOfax/xsV+ZSegl2JgL8LqMeZhN0Qgn5KAGg9B/wf97vzGXi/KNJuuewLU
0kGZfFZWkJYFqZDNpxxFEXnBz4qFpxcedYmclK72xWo4Q1StKxOJf1gE2yXJ
jpHpGgCxiDJlIYxbxzVT1WM0b8StJuK8U5YZSEqlbFNJ00actxB0aGBGDzUl
RNxm9c8DVPwkPGu39yWZfV/7QVzPoop9/6XLH0fFONze9nSQ/bjJWOv+01+2
E/3VV63BOAzBewuOvaf1VtylSbbN/SU7CVWXDi7tMg51qjSUBdrlAK6zkUHb
xtHWYtmMg5m/QqJJmj9ZxRkOPyfR8qUFVjnYdy/op60bSC5DhOrPjjev6YmX
vTxOowLeD72FI5kSGN74kDSkrc9LTiy3HoAkSPn4wXc7koy67/jVUVUSHj4F
+ZxFIUULyRN7vwU9NnoVAobqpJ1R3Zk8S5sgPZi0pmkiQKNO29YpXq7XXhRv
kqcMu9/ar1xtmTkK/vt1Az5106Fb2bsyZOLZqEdLc15HtW0Jm21epgnSPcWi
Ck/cUNJ2evI7EAKcgOAqm83IwfRA7nfR6a4LKYzN0hgdXAIsruBJG74Qgv5m
wPGECVHZ4WZrcnxQEKFlHBfE2sxD23ZzErbUMazkqDdVm9ZRFbvNL7zlEi1U
G69WdY6dUHWRg5BP11k4K5J1yMDrh/ogpwmjyqJESE3PYHiZxScSuVLpehks
X3OBrLFRbBqqnG9obNIqut/yKAyJGnTh7VJIGdhzqA5Di0rT9Tlq1LQrWqwx
FLrpTKxzlCggB9gHSTHXKK03khWbl6bCkt3J25c3fJ7VUvV2Yx3imN5YQvyG
LTzoy0DTd689UXuq0bKlm+XVTZbXlEMqjvEher2ETegZV9aiBdrJyamgvCjp
ge5BAXMU/ornHjHWz1xWnFEU9nfb2tjL4aPn3G2e5QgA285Y7mXnSSby/gl7
NY02b+y0K2F9FfeCHbByp8NdeY8usDN00XVl32eFJxYeJzm3vtCuP+H4TnEo
SvkqeXvrd7gmHdzh7bC+mnb77yAt2JwPqJo3ygB0Mb4MQuDcvKVKjXjdV6p6
7Zsbr2nICx7R0ko0baMTEwcL6ZROzzAjG71LFd62Uv5Vlc031IhbnAmINN6/
tUbySTRaFcT1pAGV0PbsX5sabLzs8OlXPuh9Q+keDgVtiVPYPHfryyxw1Dc6
NfDzqQP7WyjX1n7dEBBxdVzxyyrcouldAJqNGrg7L6zgAvP+bHwx3uA7fI9r
TnZXHWP26pKTeXHKzBuim7piz6MrMJV0f1GLd3cy2RoeqdYhut4hzf7MmoNv
iW7unR27nbDGWlJKoePa8cba4oDroIBPUTYT9X4O/Yl34zF7qn/24M0d6j8u
Mahr0np+vL9WV+JjT5LHco43uJIRJ2JGkd/4Er78Cf+zBfimF1CKQ/j2J6bK
My5u3UlPRNPEz++9Bk4hEHvJABq7Um3nctP7vHv76vhgj1EoEDoIFybYoXbB
DCektLfY4AbHG1JzR9MFt3mEI6x3SO1NjSn8fvid2wm9sPv27Pb18fX47QXJ
y9TcYWV6gdA2KtM2ZYcUCKbZ0iPcUdROjQfKmVDdHhNSupcbpO4xSfTiRvPG
gqcWa9A4oRRHblN51QRck+4Vm77YARA7G8oT8o8d+J3Y4p0+XmQk/jdmWhbl
HdMy6i7uWWbs9RxW+X3I7kKqEa5jsu2rQZ7Ag5nVP1WZNJds/H+DY9zMra1z
A5x7aujSwfPHB/o4szPL/yHhlc1n2Yo/nsj/QnD2Hc0X/ysE/PwfZeDAlmdE
AAA=

-->

</rfc>
