<?xmlversion='1.0' encoding='utf-8'?> <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> <!-- generated by https://github.com/cabo/kramdown-rfc version 1.6.10 (Ruby 3.0.2) -->version="1.0" encoding="UTF-8"?> <!DOCTYPE rfcSYSTEM "rfc2629-xhtml.ent">[ <!ENTITY nbsp " "> <!ENTITY zwsp "​"> <!ENTITY nbhy "‑"> <!ENTITY wj "⁠"> ]> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-quic-applicability-18" number="9308" submissionType="IETF" category="info" consensus="true" tocInclude="true" sortRefs="true" symRefs="true" xml:lang="en" updates="" obsoletes="" version="3"><!-- xml2rfc v2v3 conversion 3.5.0 --><front> <title abbrev="QUIC Applicability">Applicability of the QUIC Transport Protocol</title> <seriesInfoname="Internet-Draft" value="draft-ietf-quic-applicability-18"/>name="RFC" value="9308"/> <author initials="M."surname="Kuehlewind"surname="Kühlewind" fullname="MirjaKuehlewind">Kühlewind"> <organization>Ericsson</organization> <address> <email>mirja.kuehlewind@ericsson.com</email> </address> </author> <author initials="B." surname="Trammell" fullname="Brian Trammell"><organization>Google</organization><organization>Google Switzerland GmbH</organization> <address> <postal> <street>Gustav-Gull-Platz 1</street><city>8004 Zurich</city><city>Zurich</city> <code>8004</code> <country>Switzerland</country> </postal> <email>ietf@trammell.ch</email> </address> </author> <date year="2022"month="July" day="15"/> <keyword>Internet-Draft</keyword>month="September"/> <area>tsv</area> <workgroup>quic</workgroup> <keyword>QUIC</keyword> <keyword>application protocol mapping</keyword> <keyword>deployment</keyword> <abstract> <t>This document discusses the applicability of the QUIC transport protocol, focusing on caveats impacting application protocol development and deployment over QUIC. Its intended audience is designers of application protocol mappings toQUIC,QUIC and implementors of these application protocols.</t> </abstract> </front> <middle> <section anchor="introduction"> <name>Introduction</name> <t>QUIC <xreftarget="QUIC"/>target="RFC9000"/> is a new transport protocol providing a number of advanced features. While initially designed for the HTTP use case, it provides capabilities that can be used with a much wider variety of applications. QUIC is encapsulated in UDP. QUIC version 1 integrates TLS 1.3 <xreftarget="TLS13"/>target="RFC8446"/> to encrypt all payload data and most control information. The version of HTTP that uses QUIC is known as HTTP/3 <xreftarget="QUIC-HTTP"/>.</t>target="RFC9114"/>.</t> <t>This document provides guidance for application developersthatwho want to use the QUIC protocol without implementing it on their own. This includes general guidance for applications operating over HTTP/3 or directly over QUIC.</t> <t>In the followingsectionssections, we discuss specific caveats to QUIC'sapplicability,applicability and issues that application developers must consider when using QUIC as a transport for theirapplication.</t>applications.</t> </section> <section anchor="fallback"> <name>The Necessity of Fallback</name> <t>QUIC uses UDP as a substrate. This enables userspace implementation and permits traversal of network middleboxes (including NAT) without requiring updates to existing network infrastructure.</t> <t>Measurement studies have shown betweenthree3% <xref target="Trammell16"/> andfive5% <xref target="Swett16"/>percentof networks block all UDP traffic, though there is little evidence of other forms of systematic disadvantage to UDP traffic compared to TCP <xref target="Edeline16"/>. This blocking implies that all applications running on top of QUIC must either be prepared to accept connectivity failure on suchnetworks,networks or be engineered to fall back to some other transport protocol. In the case of HTTP, this fallback is TLS over TCP.</t> <t>The IETFTAPSTransport Services (TAPS) specifications <xref target="I-D.ietf-taps-arch"/> describe a system with a common API for multiple protocols. This is particularly relevant for QUIC as it addresses the implications of fallback among multiple protocols.</t> <t>Specifically, fallback to insecure protocols or to weaker versions of secure protocols needs to be avoided. In general, an application that implements fallback needs to consider the security consequences. A fallback to TCP and TLS exposes control information to modification and manipulation in the network. Additionally, downgrades toolderTLS versions older than 1.3, which is used in QUIC version 1, might result in significantly weaker cryptographic protection. For example, the results of protocol negotiation <xref target="RFC7301"/> only have confidentiality protection if TLS 1.3 is used.</t> <t>These applications must operate, perhaps with impaired functionality, in the absence of features provided by QUIC not present in the fallback protocol. For fallback to TLS over TCP, the most obvious difference is that TCP does not provide streammultiplexingmultiplexing, and therefore stream multiplexing would need to be implemented in the application layer if needed. Further, TCP implementations and network paths often do not support the TCP Fast Open (TFO) option <xref target="RFC7413"/>, which enables sending of payload data together with the first control packet of a new connection as also provided by 0-RTT session resumption in QUIC. Note that there is some evidence of middleboxes blocking SYN data even if TFO was successfully negotiated (see <xref target="PaaschNanog"/>). And even if Fast Open successfully operatesend-to-end,end to end, it is limited to a single packet of TLS handshake and application data, unlike QUIC 0-RTT.</t> <t>Moreover, while encryption (in this case TLS) is inseparably integrated with QUIC, TLS negotiation over TCP can be blocked. If TLS over TCP cannot be supported, the connection should be aborted, and the application then ought to present a suitable prompt to the user that secure communication is unavailable.</t> <t>In summary, any fallback mechanism is likely to impose a degradation of performance and can degrade security; however, fallback must not silently violate the application's expectation of confidentiality or integrity of its payload data.</t> </section> <section anchor="zero-rtt"><name>Zero RTT</name><name>0-RTT</name> <t>QUIC provides for 0-RTT connection establishment. Though the same facility exists in TLS 1.3 with TCP, 0-RTT presents opportunities and challenges for applications using QUIC.</t> <t>A transport protocol that provides 0-RTT connection establishment is qualitatively different from one that does not provide 0-RTT from the point of view of the application using it. Relative trade-offs between the cost of closing and reopening a connection and trying to keep it open are different; see <xref target="resumption-v-keepalive"/>.</t> <t>An application needs to deliberately choose to use 0-RTT, as 0-RTT carries a risk of replay attack. Application protocols that use 0-RTT require a profile that describes the types of information that can be safely sent. For HTTP, this profile is described in <xreftarget="HTTP-REPLAY"/>.</t>target="RFC8470"/>.</t> <section anchor="replay-attacks"> <name>Replay Attacks</name> <t>Retransmission or(malicious)malicious replay of data contained in 0-RTT packets could cause the server side to receive multiple copies of the same data.</t> <t>Application data sent by the client in 0-RTT packets could be processed more than once if it is replayed. Applications need to be aware of what is safe to send in 0-RTT. Application protocols that seek to enable the use of 0-RTT need a careful analysis and a description of what can be sent in 0-RTT; seeSection 5.6 of<xreftarget="QUIC-TLS"/>.</t>target="RFC9001" sectionFormat="of" section="5.6"/>.</t> <t>In some cases, it might be sufficient to limit application data sent in 0-RTT to data thatwhich only causesdoes not cause actions with lasting effects at aserver that are known to be free of lasting effect.server. Initiating data retrieval or establishing configuration are examples of actions that could be safe. Idempotent operations--- those for which repetition has the same net effect as a single operation--- might be safe. However, it is also possible to combine individually idempotent operations into a non-idempotent sequence of operations.</t> <t>Once a server accepts 0-RTTdatadata, there is no means of selectively discarding data that is received. However, protocols can define ways to reject individual actions that might be unsafe if replayed.</t> <t>Some TLS implementations and deployments might be able to provide partial or even complete replay protection, which could be used to manage replay risk.</t> </section> <section anchor="resumption-v-keepalive"> <name>SessionresumptionResumption versusKeep-alive</name>Keep-Alive</name> <t>Because QUIC is encapsulated in UDP, applications using QUIC must deal with short network idle timeouts. Deployed stateful middleboxes will generally establish state for UDP flows on the first packetsent,sent and keep state for much shorter idle periods than for TCP. <xref target="RFC5382"/> suggests a TCP idle period of at least 124 minutes, though there is no evidence of widespread implementation of this guideline in the literature.ShortHowever, short network timeout forUDP, however,UDP is well-documented. According to a 2010 study (<xref target="Hatonen10"/>), UDP applications can assume that any NAT binding or other state entry can expire after just thirty seconds of inactivity. <xref section="3.5" sectionFormat="of" target="RFC8085"/> further discusses keep-alive intervals for UDP: it requires that there is a minimum value of 15 seconds, but recommends larger values, oromittingthat keep-alive is omitted entirely.</t> <t>By using a connection ID, QUIC is designed to be robust to NATaddressrebinding after a timeout. However, this only helps if one endpoint maintains availability at the address its peeruses,uses and the peer is the one to send after the timeout occurs.</t> <t>Some QUIC connections might not be robust to NAT rebinding because the routing infrastructure (in particular, load balancers) uses the address/portfour-tuple4-tuple to direct traffic. Furthermore, middleboxes with functions other than address translation could still affect the path. In particular, some firewalls do not admit server traffic for which the firewall has no recent state for a corresponding packet sent from the client.</t> <t>QUIC applications can adjust idle periods to manage the risk of timeout. Idle periods and the network idle timeout are distinct from the connection idle timeout, which is defined as the minimum of either endpoint's idle timeout parameter; see <xref section="10.1" sectionFormat="of"target="QUIC"/>).target="RFC9000"/>. There are three options:</t> <ul spacing="normal"> <li>Ignore theissue,issue if the application-layer protocol consists only of interactions with no or very short idleperiods,periods or if the protocol's resistance to NAT rebinding is sufficient.</li> <li>Ensure there are no long idle periods.</li> <li>Resume the session after a long idle period, using 0-RTT resumption when appropriate.</li> </ul> <t>The first strategy is the easiest, but it only applies to certain applications.</t> <t>Either the server or the client in a QUIC application can send PING frames askeep-alives,keep-alives to prevent the connection and any on-path state from timing out. Recommendations for the use of keep-alives areapplication-specific,application specific, mainly depending on the latency requirements and message frequency of the application. In this case, the application mapping must specify whether the client or server is responsible for keeping the application alive. While <xref target="Hatonen10"/> suggests that 30 seconds might be a suitable value for the public Internet when a NAT is on path, larger values are preferable if the deployment can consistently survive NAT rebinding or is known to be in a controlled environment(e.g.(e.g., datacentres)centers) in order to lower network and computational load.</t> <t>Sending PING frames more frequently than every 30 seconds over long idle periods may result in excessive unproductive traffic in somesituations,situations and unacceptable power usage for power-constrained (mobile) devices. Additionally, timeouts shorter than 30 seconds can make it harder to handle transient network interruptions, such asVMVirtual Machine (VM) migration or coverage loss during mobility. See <xref target="RFC8085"/>, especially Section3.5.</t><xref target="RFC8085" sectionFormat="bare" section="3.5"/>.</t> <t>Alternatively, the client (but not the server) can use session resumption instead of sendingkeepalivekeep-alive traffic. In this case, a client that wants to send data to a server over a connection that has been idle longer than the server's idle timeout (available from the idle_timeout transport parameter) can simply reconnect. When possible, this reconnection can use 0-RTT session resumption, reducing the latency involved with restarting the connection. Of course, this approach is only valid in cases in which it is safe to use 0-RTT and when the client is the restarting peer.</t> <t>Thetradeoffstrade-offs between resumption and keep-alives need to be evaluated on a per-application basis. In general, applications should use keep-alives only in circumstances where continued communication is highly likely; <xreftarget="QUIC-HTTP"/>,target="RFC9114"/>, for instance, recommends using keep-alives only when a request is outstanding.</t> </section> </section> <section anchor="use-of-streams"> <name>Use of Streams</name> <t>QUIC's stream multiplexing feature allows applications to run multiple streams over a singleconnection,connection without head-of-line blocking between streams. Stream data is carried withinframes,frames where one QUIC packet on the wire can carry one or multiple stream frames.</t> <t>Streams can be unidirectional or bidirectional, and a stream may be initiated either by client or server. Only the initiator of a unidirectional stream can send data on it.</t> <t>Streams and connections can each carry a maximum of 2<sup>62</sup>-1 bytes in eachdirection,direction due to encoding limitations on stream offsets and connection flow control limits. In the presently unlikely event that this limit is reached by an application, a new connection would need to be established.</t> <t>Streams can be independently opened and closed, gracefully or abruptly. An application can gracefully close the egress direction of a stream by instructing QUIC to send a FIN bit in a STREAM frame. It cannot gracefully close the ingress direction without a peer-generated FIN, much like in TCP. However, an endpoint can abruptly close the egress direction or request that its peer abruptly close the ingress direction; these actions are fully independent of each other.</t> <t>QUIC does not provide an interface for exceptional handling of any stream. If a stream that is critical for an application is closed, the application can generate error messages on the application layer to inform the other end and/or the higher layer, which can eventually terminate the QUIC connection.</t> <t>Mapping of application data to streams isapplication-specificapplication specific and described for HTTP/3 in <xreftarget="QUIC-HTTP"/>.target="RFC9114"/>. There are a few general principles to apply when designing an application's use of streams:</t> <ul spacing="normal"> <li>A single stream provides ordering. If the application requires certain data to be received in order, that data should be sent on the same stream. There is no guarantee of transmission, reception, or delivery order across streams.</li> <li>Multiple streams provide concurrency. Data that can be processed independently, and therefore would suffer fromhead of linehead-of-line blocking if forced to be received in order, should be transmitted over separate streams.</li> <li>Streams can provide messageorientation,orientation and allow messages to becancelled.canceled. If one message is mapped to a single stream, resetting the stream to expire an unacknowledged message can be used to emulate partial reliability for that message.</li> </ul> <t>If a QUIC receiver has opened the maximum allowed concurrent streams, and the sender indicates that more streams are needed, it does not automatically lead to an increase of the maximum number of streams by the receiver. Therefore, an application should consider the maximum number of allowed, currently open, and currently used streams when determining how to map data to streams.</t> <t>QUIC assigns a numericalidentifier to each stream,identifier, called the streamID.ID, to each stream. While the relationship between these identifiers and stream types is clearly defined in version 1 of QUIC, future versions might change this relationship for various reasons. QUIC implementations should expose the properties of each stream (which endpoint initiated the stream, whether the stream is unidirectional or bidirectional, the stream ID used for the stream); applications should query for these properties rather than attempting to infer them from the stream ID.</t> <t>The method of allocating stream identifiers to streams opened by the application might vary between transport implementations. Therefore, an application should not assume a particular stream ID will be assigned to a stream that has not yet been allocated. For example, HTTP/3 uses stream IDs to refer to streams that have already beenopened,opened but makes no assumptions about future stream IDs or the way in which they are assigned (see <xref section="6" sectionFormat="of"target="QUIC-HTTP"/>).</t>target="RFC9114"/>).</t> <section anchor="stream-versus-flow-multiplexing"> <name>Stream versus Flow Multiplexing</name> <t>Streams are meaningful only to the application; since stream information is carried inside QUIC's encryption boundary, a given packet exposes no information about which stream(s) are carried within the packet. Therefore, stream multiplexing is not intended to be used for differentiating streams in terms of network treatment. Application traffic requiring different network treatment should therefore be carried over differentfive-tuples (i.e.5-tuples (i.e., multiple QUIC connections). Given QUIC's ability to send application data in the first RTT of a connection (if a previous connection to the same host has been successfully established to provide the necessary credentials), the cost of establishing another connection is extremely low.</t> </section> <section anchor="prioritization"> <name>Prioritization</name> <t>Stream prioritization is not exposed to either the network or the receiver. Prioritization is managed by the sender, and the QUIC transport should provide an interface for applications to prioritize streams <xreftarget="QUIC"/>.target="RFC9000"/>. Applications can implement their own prioritization scheme on top of QUIC: an application protocol that runs on top of QUIC can define explicit messages for signaling priority, such as those defined in <xreftarget="I-D.draft-ietf-httpbis-priority"/>target="RFC9218"/> forHTTP; itHTTP. An application protocol can define rules that allow an endpoint to determine priority based oncontext;context oritcan provide ahigher levelhigher-level interface and leave the determination to the application on top.</t> <t>Priority handling of retransmissions can be implemented by the sender in the transport layer. <xreftarget="QUIC"/>target="RFC9000"/> recommends retransmitting lost data before new data, unless indicated differently by the application. When a QUIC endpoint uses fully reliable streams for transmission, prioritization of retransmissions will be beneficial in most cases, filling in gaps and freeing up the flow control window. For partially reliable or unreliable streams, priority scheduling of retransmissions over data of higher-priority streams might not be desirable. For such streams, QUIC could either provide an explicit interface to controlprioritization,prioritization or derive the prioritization decision from the reliability level of the stream.</t> </section> <section anchor="ordered-and-reliable-delivery"> <name>Ordered and Reliable Delivery</name> <t>QUIC streams enable ordered and reliable delivery. Though it is possible for an implementation to provide options that use streams for partial reliability or out-of-order delivery, most implementations will assume that data is reliably delivered in order.</t> <t>Under this assumption, an endpoint that receives stream data might not make forward progress until data that is contiguous with the start of a stream is available. In particular, a receiver might withhold flow control credit until contiguous data is delivered to the application; see <xref section="2.2" sectionFormat="of"target="QUIC"/>.target="RFC9000"/>. To support this receive logic, an endpoint will send stream data until it is acknowledged, ensuring that data at the start of the stream is sent and acknowledged first.</t> <t>An endpoint that uses a different sending behavior and does not negotiate that change with its peer might encounter performance issues or deadlocks.</t> </section> <section anchor="flow-control-deadlocks"> <name>Flow Control Deadlocks</name> <t>QUIC flow control<xref(<xref section="4" sectionFormat="of"target="QUIC"/>target="RFC9000"/>) provides a means of managing access to the limited buffers that endpoints have for incoming data. This mechanism limits the amount of data that can be in buffers in endpoints or in transit on the network. However, there are several ways in which limits can produce conditions that can cause a connection to either perform suboptimally ordeadlock.</t>become deadlocked.</t> <t>Deadlocks in flow control are possible for any protocol that uses QUIC, though whether they become a problem depends on how implementations consume data and provide flow control credit. Understanding what causes deadlocking might help implementations avoid deadlocks.</t> <t>The size and rate oftransportupdates to flow control creditupdatescan affect performance. Applications that use QUIC often have a data consumer that reads data from transport buffers. Some implementations might have independenttransport-layer and application-layerreceivebuffers.buffers at the transport layer and application layer. Consuming data does not always imply it is immediately processed. However, a commonflow controlimplementation technique is to extend flow control credit to thesender,sender by emitting MAX_DATA and/or MAX_STREAM_DATAframes,frames as data is consumed. Delivery of these frames is affected by the latency of the back channel from the receiver to the data sender. If credit is not extended in a timely manner, the sending application can be blocked, effectively throttling the sender.</t> <t>Large application messages can produce deadlocking if the recipient does not read data from the transport incrementally. If the message is larger than the flow control credit available and the recipient does not release additional flow control credit until the entire message is received and delivered, a deadlock can occur. This is possible even where stream flow control limits are not reached because connection flow control limits can be consumed by other streams.</t> <t>A length-prefixed message format makes it easier for a data consumer to leave data unread in the transport buffer and thereby withhold flow control credit. If flow control limits prevent the remainder of a message from being sent, a deadlock will result. A length prefix might also enable the detection of this sort of deadlock. Where application protocols have messages that might be processed as a single unit, reserving flow control credit for the entire message atomically makes this style of deadlock less likely.</t> <t>A data consumer can eagerly read all data as it becomesavailable,available in order to make the receiver extend flow control credit and reduce the chances of a deadlock. However, such a data consumer might need other means for holding a peer accountable for the additional state it keeps for partially processed messages.</t> <t>Deadlocking can also occur if data on different streams is interdependent. Suppose that data on one stream arrives before the data on a second stream on which it depends. A deadlock can occur if the first stream is left unread, preventing the receiver from extending flow control credit for the second stream. To reduce the likelihood of deadlock for interdependent data, the sender should ensure that dependent data is not sent until the data it depends on has been accounted for in both stream- andconnection- levelconnection-level flow control credit.</t> <t>Some deadlocking scenarios might be resolved bycancellingcanceling affected streams with STOP_SENDING or RESET_STREAM.CancellingCanceling some streams results in the connection being terminated in some protocols.</t> </section> <section anchor="stream-limit-commitments"> <name>Stream Limit Commitments</name> <t>QUIC endpoints are responsible for communicating the cumulative limit of streams they would allow to be opened by their peer. Initial limits are advertised using the initial_max_streams_bidi and initial_max_streams_uni transport parameters. As streams are opened andclosedclosed, they are consumed, and the cumulative total is incremented. Limits can be increased using the MAX_STREAMSframeframe, but there is no mechanism to reduce limits. Once stream limits are reached, no more streams can be opened, which prevents applications using QUIC from making further progress. At thisstagestage, connections can be terminated via idle timeout or explicit close; see <xreftarget="sec-termination"/>).</t>target="sec-termination"/>.</t> <t>An application that uses QUIC andcommunicatedcommunicates a cumulative stream limit might require the connection to be closed before the limit isreached. For example,reached, e.g., to stop the server in order to perform scheduled maintenance. Immediate connection close causes abrupt closure of actively used streams. Depending on how an application uses QUIC streams, this could be undesirable or detrimental to behavior or performance.</t> <t>A more graceful closure technique is to stop sending increases to stream limits and allow the connection to naturally terminate once remaining streams are consumed. However, the period of time it takes to do so is dependent on thepeerpeer, and an unpredictable closing period might not fit application or operational needs. Applications using QUIC can be conservative with open stream limits in order to reduce the commitment and indeterminism. However, being overly conservative with stream limits affects stream concurrency. Balancing these aspects can be specific to applications and their deployments.</t> <t>Instead of relying on stream limits to avoid abrupt closure, anapplication-layerapplication layer's graceful close mechanism can be used to communicate the intention to explicitly close the connection at some future point. HTTP/3 provides such a mechanism using the GOAWAY frame. In HTTP/3, when the GOAWAY frame is received by a client, it stops opening new streams even if the cumulative stream limit would allow. Instead, the client would create a new connection on which to open further streams. Once all streams are closed on the old connection, it can be terminated safely by a connection close or after expiration of the idletime outtimeout (seealso<xref target="sec-termination"/>).</t> </section> </section> <section anchor="packetization-and-latency"> <name>Packetization and Latency</name> <t>QUIC exposes an interface that provides multiple streams to the application; however, the application usually cannot control how data transmitted over those streams is mapped into frames or how those frames are bundled into packets.</t> <t>By default, many implementations will try tomaximallypackQUIC packets DATASTREAM frames from one or more streams into each QUIC packet, in order to minimize bandwidth consumption and computational costs (see <xref section="13" sectionFormat="of"target="QUIC"/>).target="RFC9000"/>). If there is not enough data available to fill a packet, an implementation might wait for a shorttime,time to optimize bandwidth efficiency instead of latency. This delay can either bepre-configuredpreconfigured or dynamically adjusted based on the observed sending pattern of the application.</t> <t>If the application requires low latency, with only small chunks of data to send, it may be valuable to indicate to QUIC that all data should be sent out immediately. Alternatively, if the application expects to use a specific sending pattern, it can also provide a suggested delay to QUIC for how long to wait beforebundlebundling frames into a packet.</t> <t>Similarly, an applicationhasusually has no controlaboutover the length of a QUIC packet on the wire. QUIC provides the ability to add a PADDING frame to arbitrarily increase the size of packets. Padding is used by QUIC to ensure that the path is capable of transferring datagrams of at least a certainsize,size during the handshake (see Sections <xreftarget="QUIC"target="RFC9000" section="8.1" sectionFormat="bare"/> and <xreftarget="QUIC"target="RFC9000" section="14.1" sectionFormat="bare"/> of <xreftarget="QUIC"/>)target="RFC9000"/>) and for path validation after connection migration (see <xref section="8.2" sectionFormat="of"target="QUIC"/>)target="RFC9000"/>) as well as for Datagram Packetization Layer PMTU Discovery(DPLMTUD)(DPLPMTUD) (see <xref section="14.3" sectionFormat="of"target="QUIC"/>).</t>target="RFC9000"/>).</t> <t>Padding can also be used by an application to reduce leakage of information about the data that is sent. A QUIC implementation can expose an interface that allows an application layer to specify how to apply padding.</t> </section> <section anchor="error-handling"> <name>Error Handling</name> <t>QUIC recommends that endpoints signal any detected errors to the peer. Errors can occur at the transportlevellayer and the applicationlevel.layer. Transport errors, such as a protocol violation, affect the entire connection. Applications that use QUIC can define their own error detection and signaling (see, for example, <xref section="8" sectionFormat="of"target="QUIC-HTTP"/>).target="RFC9114"/>). Application errors can affect an entire connection or a single stream.</t> <t>QUIC defines an error code space that is used for error handling at the transport layer. QUIC encourages endpoints to use the most specific code, although any applicable code is permitted, including generic ones.</t> <t>Applications using QUIC define an error code space that is independent of QUIC or other applications (see, for example, <xref section="8.1" sectionFormat="of"target="QUIC-HTTP"/>).target="RFC9114"/>). The values in an application error code space can be reused across connection-level and stream-level errors.</t> <t>Connection errors lead to connection termination. They are signaled using a CONNECTION_CLOSE frame, which contains an error code and a reason field that can be zero length. Different types of CONNECTION_CLOSEframeframes are used to signal transport and application errors.</t> <t>Stream errors lead to stream termination. These are signaled using STOP_SENDING or RESET_STREAM frames, which contain only an error code.</t> </section> <section anchor="acknowledgment-efficiency"> <name>Acknowledgment Efficiency</name> <t>QUIC version 1 without extensions uses an acknowledgment strategy adopted from TCP (see <xref section="13.2" sectionFormat="of"target="QUIC"/>).target="RFC9000"/>). That is, it recommends that every other packet is acknowledged. However, generating and processing QUIC acknowledgments consumes resources at a sender and receiver. Acknowledgments also incur forwarding costs and contribute to link utilization, which can impact performance over some types of network. Applications might be able to improve overall performance by using alternative strategies that reduce the rate of acknowledgments. <xref target="I-D.ietf-quic-ack-frequency"/> describes an extension to signal the desired delay of acknowledgments and discusses use cases as well as implications for congestion control and recovery.</t> </section> <section anchor="ports"> <name>Port Selection and Application Endpoint Discovery</name> <t>In general, port numbers serve two purposes: "first, they provide a demultiplexing identifier to differentiate transport sessions between the same pair of endpoints, and second, they may also identify the application protocol and associated service to which processes connect"<xref target="RFC6335"/>.(<xref target="RFC6335" sectionFormat="of" section="3"/>). The assumption that an application can be identified in the network based on the port number is less true today due to encapsulation and mechanisms for dynamic port assignments, asalsonoted in <xref target="RFC6335"/>.</t> <t>As QUIC is a general-purpose transport protocol, there are no requirements that servers use a particular UDP port for QUIC. Forapplicationsan application with a fallback to TCP thatdodoes not already have an alternate mapping to UDP, it is usuallythe registrationappropriate to register (if necessary) and useofthe UDP port number corresponding to the TCP port already registered for theapplication is appropriate.application. For example, the default port for HTTP/3 <xreftarget="QUIC-HTTP"/>target="RFC9114"/> is UDP port 443, analogous to HTTP/1.1 or HTTP/2 over TLS over TCP.</t> <t>Given the prevalence of the assumption in network management practice that a port number maps unambiguously to an application, the use of ports that cannot easily be mapped to a registered service name might lead to blocking or other changes to the forwarding behavior by network elements such as firewalls that use the port number for application identification.</t> <t>Applications could define an alternate endpoint discovery mechanism to allow the usage of ports other than the default. For example, HTTP/3 (Sections <xreftarget="QUIC-HTTP"target="RFC9114" section="3.2" sectionFormat="bare"/> and <xreftarget="QUIC-HTTP"target="RFC9114" section="3.3" sectionFormat="bare"/> of <xreftarget="QUIC-HTTP"/>)target="RFC9114"/>) specifies the use of HTTP Alternative Services <xref target="RFC7838"/> for an HTTP origin to advertise the availability of an equivalent HTTP/3 endpoint on a certain UDP port by usingthe"h3" as the Application-Layer Protocol Negotiation (ALPN) <xref target="RFC7301"/> token.</t> <t>ALPN permits the client and server to negotiate which of several protocols will be used on a given connection. Therefore, multiple applications might be supported on a single UDP port based on the ALPN token offered. Applications using QUIC are required to register an ALPN token for use in the TLS handshake.</t> <t>As QUIC version 1 deferred defining a complete version negotiation mechanism, HTTP/3 requires QUIC version 1 and defines the ALPN token ("h3") to only apply to that version. Sofarfar, no single approach has been selected for managing the use of different QUIC versions, neither in HTTP/3 nor in general. Application protocols that use QUIC need to consider how the protocol will manage different QUIC versions. Decisions for those protocols might be informed by choices made by other protocols, like HTTP/3.</t> <section anchor="source-port-selection"> <name>Source Port Selection</name> <t>Some UDP protocols are vulnerable to reflection attacks, where an attacker is able to direct traffic to a third party as a denial of service. For example, these source ports are associated with applications known to be vulnerable to reflection attacks, often due to server misconfiguration:</t> <ul spacing="normal"> <li>port 53 - DNS <xref target="RFC1034"/></li> <li>port 123 - NTP <xref target="RFC5905"/></li> <li>port 1900 - SSDP <xref target="SSDP"/></li> <li>port 5353 - mDNS <xref target="RFC6762"/></li> <li>port 11211 -memcached</li>memcache</li> </ul> <t>Services might block source ports associated with protocols known to be vulnerable to reflectionattacks,attacks to avoid the overhead of processing large numbers of packets. However, this practice has negative effects onclients:clients -- not only does it require establishment of a newconnection,connection but in someinstances,instances might cause the client to avoid using QUIC for that service for a period oftime, downgradingtime and downgrade to a non-UDP protocol (see <xref target="fallback"/>).</t> <t>As a result, client implementations are encouraged to avoid using source ports associated with protocols known to be vulnerable to reflection attacks. Note that following the general guidance for client implementations given in <xref target="RFC6335"/>, to use ephemeral ports in the range 49152-65535, has the effect of avoiding these ports. Note that other source ports might be reflection vectors as well.</t> </section> </section> <section anchor="connection-migration"> <name>Connection Migration</name> <t>QUIC supports connection migration by the client. If the client's IP address changes, a QUIC endpoint can still associate packets with an existing transport connection using the Destination Connection ID field (seealso<xref target="connid"/>) in the QUIC header. This supports cases where the address information changes, such as NAT rebinding, the intentional change of the local interface, the expiration of a temporary IPv6 address <xref target="RFC8981"/>, or the indication from the serverindicatingof a preferred address<xref(<xref section="9.6" sectionFormat="of"target="QUIC"/>.</t>target="RFC9000"/>).</t> <t>Use of a non-zero-length connection ID for the server is strongly recommended if any clients arebehind a NATor couldbe.be behind a NAT. A non-zero-length connection ID is also strongly recommended when active migration is supported. If a connection is intentionally migrated to a new path, a new connection ID is used to minimize linkability by network observers. The other QUIC endpoint uses the connection ID to link different addresses to the same connection and entity if a non-zero-length connection ID is provided.</t> <t>The base specification of QUIC version 1 only supports the use of a single network path at a time, which enables failover use cases. Path validation is required so that endpoints validate paths before use to avoid address spoofing attacks. Path validation takes at least oneRTTRTT, and congestion control will also be reset after path migration. Therefore, migration usually has a performance impact.</t> <t>QUIC probing packets, which can be sent on multiple paths at once, are used to perform address validation as well as measure path characteristics. Probing packets cannot carry application data but likely contain padding frames. Endpoints can use information about their receipt as input to congestion control for that path. Applications could use information learned from probing to inform a decision to switch paths.</t> <t>Only the client can actively migrate in version 1 of QUIC. However, servers can indicate during the handshake that they prefer to transfer the connection to a different address after the handshake. For instance, this could be used to move from an address that is shared by multiple servers to an address that is unique to the server instance. The server can provide an IPv4 and an IPv6 address in a transport parameter during the TLShandshakehandshake, and the client can select between the two if both are provided. Seealso<xref section="9.6" sectionFormat="of"target="QUIC"/>.</t>target="RFC9000"/>.</t> </section> <section anchor="sec-termination"> <name>Connection Termination</name> <t>QUIC connections are terminated in one of three ways: implicit idle timeout, explicit immediate close, or explicit stateless reset.</t> <t>QUIC does not provide any mechanism for graceful connection termination; applications using QUIC can define their own graceful termination process (see, for example, <xref section="5.2" sectionFormat="of"target="QUIC-HTTP"/>).</t>target="RFC9114"/>).</t> <t>QUIC idle timeout is enabled via transport parameters.ClientThe client and server announce a timeoutperiodperiod, and the effective value for the connection is the minimum of the two values. After the timeout period elapses, the connection is silently closed. An application therefore should be able to configure its own maximum value, as well as have access to the computed minimum value for this connection. An application may adjust the maximum idle timeout for new connections based on the number of open or expectedconnections,connections since shorter timeout values mayfree-upfree up resources more quickly.</t> <t>Application data exchanged on streams or in datagrams defers the QUIC idle timeout. Applications that provide their own keep-alive mechanisms will therefore keep a QUIC connection alive. Applications that do not provide their own keep-alive can use transport-layer mechanisms (see <xref section="10.1.2" sectionFormat="of"target="QUIC"/>,target="RFC9000"/> and <xref target="resumption-v-keepalive"/>). However, QUIC implementation interfaces for controlling such transport behavior can vary, affecting the robustness of such approaches.</t> <t>An immediate close is signaled by a CONNECTION_CLOSE frame (see <xref target="error-handling"/>). Immediate close causes all streams to become immediately closed, which may affect applications; see <xref target="stream-limit-commitments"/>.</t> <t>A stateless reset is an option of last resort for an endpoint that does not have access to connection state. Receiving a stateless reset is an indication of an unrecoverable error distinct from connection errors in that there is no application-layer information provided.</t> </section> <section anchor="connid"> <name>Information Exposure and the Connection ID</name> <t>QUIC exposes some information to the network in the unencrypted part of theheader,header either before the encryption context is established or because the information is intended to be used by the network. For more information on manageability ofQUICQUIC, seealso<xreftarget="I-D.ietf-quic-manageability"/>.target="RFC9312"/>. QUIC has a long header that exposes some additional information (the version and the source connection ID), while the short header exposes only the destination connection ID. In QUIC version 1, the long header is used during connection establishment, while the short header is used for data transmission in an established connection.</t> <t>The connection ID can be zero length.Zero lengthZero-length connection IDs can be chosen on each endpointindividually,individually and on any packet except the first packets sent by clients during connection establishment.</t> <t>An endpoint that selects a zero-length connection ID will receive packets with a zero-length destination connection ID. The endpoint needs to use other information, such as the source and destination IP address and port number to identify which connection is referred to. This could mean that the endpoint is unable to match datagrams to connections successfully if these values change, making the connection effectively unable to survive NAT rebinding or migrate to a new path.</t> <section anchor="server-generated-connection-id"> <name>Server-Generated Connection ID</name> <t>QUIC supports a server-generated connectionID,ID that is transmitted to the client during connection establishment (see <xref section="7.2" sectionFormat="of"target="QUIC"/>).target="RFC9000"/>). Servers behind load balancers may need to change the connection ID during the handshake, encoding the identity of the server or information about its load balancing pool, in order to support stateless load balancing.</t> <t>Server deployments with load balancers and other routing infrastructure need to ensure that this infrastructure consistently routes packets to the server instance that has the connection state, even if addresses, ports,and/oror connection IDs change. This might require coordination between servers and infrastructure. One method of achieving this involves encoding routing information into the connection ID. For an example of this technique, see <xreftarget="QUIC-LB"/>.</t>target="I-D.ietf-quic-load-balancers"/>.</t> </section> <section anchor="mitigating-timing-linkability-with-connection-id-migration"> <name>Mitigating Timing Linkability with Connection ID Migration</name> <t>If QUIC endpoints do not issue fresh connection IDs, then clients cannot reduce the linkability of address migration by using them. Choosing values that are unlinkable to an outside observer ensures that activity on different paths cannot be trivially correlated using the connection ID.</t> <t>While sufficiently robust connection ID generation schemes will mitigate linkability issues, they do not provide full protection. Analysis of the lifetimes ofsix-tuples6-tuples (source and destination addresses as well as the migratedCID)Connection ID) may expose these links anyway.</t> <t>In the case where connection migration in a server pool is rare, it is trivial for an observer to associate two connection IDs. Conversely,in the opposite limitwhere every server handles multiple simultaneous migrations, even an exposed server mapping may be insufficient information.</t> <t>The most efficient mitigations for these attacks are through network design and/or operationalpractice,practices, by using aload balancingload-balancing architecture that loads more flows onto a single server-side address, by coordinating the timing of migrations in an attempt to increase the number of simultaneous migrations at a given time, orthroughby using other means.</t> </section> <section anchor="using-server-retry-for-redirection"> <name>Using Server Retry for Redirection</name> <t>QUIC provides a Retry packet that can be sent by a server in response to the client Initial packet. The server may choose a new connection ID in thatpacketpacket, and the client will retry by sending another client Initial packet with the server-selected connection ID. This mechanism can be used to redirect a connection to a different server, e.g., due to performance reasons or when servers in a server pool are upgradedgradually,gradually and therefore may support different versions of QUIC.</t> <t>In this case, it is assumed that all servers belonging to a certain pool are served in cooperation with load balancers that forward the traffic based on the connection ID. A server can choose the connection ID in the Retry packet such that the load balancer will redirect the next Initial packet to a different server in that pool.AlternativelyAlternatively, the load balancer can directly offer a Retry offload as further described in <xreftarget="QUIC-RETRY"/>.</t> <t><xreftarget="I-D.ietf-quic-retry-offload"/>.</t> <t>The approach described in <xref section="4" sectionFormat="of" target="RFC5077"/>describes an example approachfor constructing TLS resumption tickets provides an example that can be also appliedforto validationtokens, however,tokens. However, the use of more modern cryptographic algorithms is highly recommended.</t> </section> </section> <section anchor="quality-of-service-qos-and-dscp"> <name>Quality of Service (QoS) andDSCP</name>Diffserv Code Point (DSCP)</name> <t>QUIC, as defined in <xreftarget="QUIC"/>,target="RFC9000"/>, has a single congestion controller and recovery handler. This design assumes that all packets of a QUIC connection, or at least with the same 5-tuple {dest addr, source addr, protocol, dest port, source port}, that have the sameDiffServDiffserv Code Point (DSCP) <xref target="RFC2475"/> will receive similar network treatment since feedback about loss or delay of each packet is used as input to the congestion controller. Therefore, packets belonging to the same connection should use a single DSCP.Section 5.1 of<xreftarget="RFC7657"/>target="RFC7657" sectionFormat="of" section="5.1"/> provides a discussion ofDiffServDiffserv interactions with datagram transport protocols <xref target="RFC7657"/> (in thisrespectrespect, the interactions with QUIC resemble those ofSCTP).</t>Stream Control Transmission Protocol (SCTP)).</t> <t>When multiplexing multiple flows over a single QUIC connection, the selected DSCP value should be the one associated with the highest priority requested for all multiplexed flows.</t> <t>If differential network treatment is desired, e.g., by the use of different DSCPs, multiple QUIC connections to the same server may be used.However, in generalIn general, it is recommended to minimize the number of QUIC connections to the sameserver,server to avoid increased overhead and, more importantly, competing congestion control.</t> <t>As in other uses ofDiffServ,Diffserv, when a packet enters a network segment that does not support the DSCP value, this could result in the connection not receiving the network treatment it expects. The DSCP value in this packet could also be remarked as the packet travels along the network path, changing the requested treatment.</t> </section> <section anchor="use-of-versions-and-cryptographic-handshake"> <name>Use of Versions and Cryptographic Handshake</name> <t>Versioning in QUIC may change the protocol's behavior completely, except for the meaning of a few header fields that have been declared to be invariant <xreftarget="QUIC-INVARIANTS"/>.target="RFC8999"/>. A version of QUIC with a higher version number will not necessarily provide a betterservice,service but might simply provide a different feature set. As such, an application needs to be able to select which versions of QUIC it wants to use.</t> <t>A new version could use an encryption scheme other than TLS 1.3 or higher. <xreftarget="QUIC"/>target="RFC9000"/> specifies requirements for the cryptographic handshake as currently realized by TLS 1.3 and described in a separate specification <xreftarget="QUIC-TLS"/>.target="RFC9001"/>. This split is performed to enablelight-weightlightweight versioning with different cryptographic handshakes.</t> <t>TheQUIC Versions Registry"QUIC Versions" registry established in <xreftarget="QUIC"/>target="RFC9000"/> allows for provisional registrations for experimentation. Registration, also of experimental versions, is important to avoid collision. Experimental versions should not be used long-term or registered as permanent to minimize the risk of fingerprinting based on the version number.</t> </section> <section anchor="enabling-deployment-of-new-versions"> <name>Enabling Deployment of New Versions</name> <t>QUIC version 1 does not specify a version negotiation mechanism in the base specification, but <xreftarget="I-D.draft-ietf-quic-version-negotiation"/>target="I-D.ietf-quic-version-negotiation"/> proposes an extension that provides compatible version negotiation.</t> <t>This approach uses a three-stage deployment mechanism, enabling progressive rollout and experimentation with multiple versions across a large server deployment. In this approach, all servers in the deployment must accept connections using a new version (stage 1) before any server advertises it (stage 2), and authentication of the new version (stage 3) only proceeds after advertising of that version is completely deployed.</t> <t>See <xref section="5" sectionFormat="of"target="I-D.draft-ietf-quic-version-negotiation"/>target="I-D.ietf-quic-version-negotiation"/> for details.</t> </section> <section anchor="unreliable-datagram-service-over-quic"> <name>Unreliable Datagram Service over QUIC</name> <t><xref target="RFC9221"/> specifies a QUIC extension to enable sending and receiving unreliable datagrams over QUIC. Unlike operating directly over UDP, applications that use the QUIC datagram service do not need to implement their own congestion control, per <xref target="RFC8085"/>, as QUIC datagrams are congestion controlled.</t> <t>QUIC datagrams are notflow-controlled,flow controlled, and as such data chunks may be dropped if the receiver is overloaded. While the reliable transmission service of QUIC provides a stream-based interface to send and receive data in order over multiple QUIC streams, the datagram service has an unordered message-based interface. If needed, anapplication layerapplication-layer framing can be used on top to allow separate flows of unreliable datagrams to be multiplexed on one QUIC connection.</t> </section> <section anchor="iana-considerations"> <name>IANA Considerations</name> <t>This document has no actions for IANA; however, note that <xref target="ports"/> recommends that an applicationbindingsthat has already registered a TCP port but wants to specify QUICfor applications using TCPas a transport should register a UDPportsport analogous to their existing TCPregistrations.</t>registration.</t> </section> <section anchor="security-considerations"> <name>Security Considerations</name> <t>See the security considerations in <xreftarget="QUIC"/>target="RFC9000"/> and <xreftarget="QUIC-TLS"/>;target="RFC9001"/>; the security considerations for the underlying transport protocol are relevant for applications usingQUIC, as well.QUIC. Considerations on linkability, replay attacks, and randomness discussed in <xreftarget="QUIC-TLS"/>target="RFC9001"/> should be taken into account when deploying and using QUIC.</t> <t>Further, migration to a new address exposes a linkage between client addresses to the server and may expose this linkage also to the path if the connection ID cannot be changed or flows can otherwise be correlated. When migration is supported, this needs to be considered with respective to user privacy.</t> <t>Application developers should note that any fallback they use when QUIC cannot be used due to network blocking of UDP should guarantee the same security properties asQUIC; ifQUIC. If this is not possible, the connection should fail to allow the application to explicitly handle fallback to a less-secure alternative. See <xref target="fallback"/>.</t> <t>Further, <xreftarget="QUIC-HTTP"/>target="RFC9114"/> provides security considerations specific to HTTP. However, discussions such as on cross-protocol attacks, traffic analysis and padding, or migration might be relevant for other applications using QUIC as well.</t> </section><section anchor="contributors"> <name>Contributors</name> <t>The following people have contributed significant text to and/or feedback on this document:</t> <ul spacing="normal"> <li>Gorry Fairhurst</li> <li>Ian Swett</li> <li>Igor Lubashev</li> <li>Lucas Pardue</li> <li>Mike Bishop</li> <li>Mark Nottingham</li> <li>Martin Duke</li> <li>Martin Thomson</li> <li>Sean Turner</li> <li>Tommy Pauly</li> </ul> </section> <section anchor="acknowledgments"> <name>Acknowledgments</name> <t>Special thanks to last-call reviewers Chris Lonvick and Ines Robles.</t> <t>This work was partially supported by the European Commission under Horizon 2020 grant agreement no. 688421 Measurement and Architecture for a Middleboxed Internet (MAMI), and by the Swiss State Secretariat for Education, Research, and Innovation under contract no. 15.0268. This support does not imply endorsement.</t> </section></middle> <back> <displayreference target="RFC9000" to="QUIC"/> <displayreference target="RFC9001" to="QUIC-TLS"/> <displayreference target="RFC8999" to="QUIC-INVARIANTS"/> <displayreference target="RFC9114" to="QUIC-HTTP"/> <displayreference target="RFC8446" to="TLS13"/> <displayreference target="I-D.ietf-taps-arch" to="TAPS-ARCH"/> <displayreference target="RFC8470" to="HTTP-REPLAY"/> <displayreference target="I-D.ietf-quic-ack-frequency" to="QUIC-ACK-FREQUENCY"/> <displayreference target="I-D.ietf-quic-load-balancers" to="QUIC-LB"/> <displayreference target="I-D.ietf-quic-retry-offload" to="QUIC-RETRY"/> <displayreference target="I-D.ietf-quic-version-negotiation" to="QUIC-VERSION-NEGOTIATION"/> <displayreference target="RFC9312" to="QUIC-MANAGEABILITY"/> <references> <name>References</name> <references> <name>Normative References</name><reference anchor="QUIC"> <front> <title>QUIC: A UDP-Based Multiplexed and Secure Transport</title> <author fullname="J. Iyengar" initials="J." role="editor" surname="Iyengar"> <organization/> </author> <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"> <organization/> </author> <date month="May" year="2021"/> <abstract> <t>This document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm.</t> </abstract> </front> <seriesInfo name="RFC" value="9000"/> <seriesInfo name="DOI" value="10.17487/RFC9000"/> </reference> <reference anchor="QUIC-TLS"> <front> <title>Using TLS to Secure QUIC</title> <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"> <organization/> </author> <author fullname="S. Turner" initials="S." role="editor" surname="Turner"> <organization/> </author> <date month="May" year="2021"/> <abstract> <t>This document describes how Transport Layer Security (TLS) is used to secure QUIC.</t> </abstract> </front> <seriesInfo name="RFC" value="9001"/> <seriesInfo name="DOI" value="10.17487/RFC9001"/> </reference> <reference anchor="QUIC-INVARIANTS"> <front> <title>Version-Independent Properties of QUIC</title> <author fullname="M. Thomson" initials="M." surname="Thomson"> <organization/> </author> <date month="May" year="2021"/> <abstract> <t>This document defines the properties of the QUIC transport protocol that are common to all versions of the protocol.</t> </abstract> </front> <seriesInfo name="RFC" value="8999"/> <seriesInfo name="DOI" value="10.17487/RFC8999"/> </reference><xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.9000.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.9001.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8999.xml"/> </references> <references> <name>Informative References</name> <reference anchor="Trammell16" target="https://ripe72.ripe.net/wp-content/uploads/presentations/86-atlas-udpdiff.pdf"> <front> <title>Internet Path Transparency Measurements using RIPEAtlas (RIPE72 MAT presentation)</title>Atlas</title> <author initials="B."surname="Trammell">surname="Trammell" fullname="Brian Trammell"> <organization/> </author> <author initials="M."surname="Kuehlewind">surname="Kühlewind" fullname="Mirja Kühlewind"> <organization/> </author> <date year="2016" month="May" day="25"/> </front> <refcontent>RIPE 72 MAT Presentation</refcontent> </reference> <reference anchor="Edeline16" target="https://arxiv.org/abs/1612.07816"> <front> <title>Using UDP for Internet TransportEvolution (arXiv preprint 1612.07816)</title>Evolution</title> <author initials="K."surname="Edeline">surname="Edeline" fullname="Korian Edeline"> <organization/> </author> <author initials="M."surname="Kuehlewind">surname="Kühlewind" fullname="Mirja Kühlewind"> <organization/> </author> <author initials="B."surname="Trammell">surname="Trammell" fullname="Brian Trammell"> <organization/> </author> <author initials="E."surname="Aben">surname="Aben" fullname="Emile Aben"> <organization/> </author> <author initials="B."surname="Donnet">surname="Donnet" fullname="Benoit Donnet"> <organization/> </author> <date year="2016" month="December" day="22"/> </front> <seriesInfo name="DOI" value="10.48550/arXiv.1612.07816"/> </reference> <reference anchor="Swett16" target="https://www.ietf.org/proceedings/96/slides/slides-96-quic-3.pdf"> <front> <title>QUIC Deployment Experienceat Google (IETF96 QUIC BoF presentation)</title>@Google</title> <author initials="I."surname="Swett">surname="Swett" fullname="Ian Swett"> <organization/> </author> <date year="2016" month="July" day="20"/> </front> <refcontent>IETF96 QUIC BoF Presentation</refcontent> </reference> <reference anchor="PaaschNanog" target="https://www.nanog.org/sites/default/files/Paasch_Network_Support.pdf"> <front> <title>NetworkSupportsupport for TCP FastOpen (NANOG 67 presentation)</title>Open</title> <author initials="C."surname="Paasch">surname="Paasch" fullname="Christoph Paasch"> <organization/> </author> <date year="2016" month="June" day="13"/> </front> <refcontent>NANOG 67 Presentation</refcontent> </reference> <referenceanchor="Hatonen10">anchor="Hatonen10" target="https://conferences.sigcomm.org/imc/2010/papers/p260.pdf"> <front> <title>Anexperimental studyExperimental Study ofhome gateway characteristics (Proc. ACM IMC 2010)</title>Home Gateway Characteristics</title> <author initials="S."surname="Hatonen">surname="Hätönen" > <organization/> </author> <author initials="A." surname="Nyrhinen"> <organization/> </author> <author initials="L." surname="Eggert"> <organization/> </author> <author initials="S." surname="Strowes"> <organization/> </author> <author initials="P." surname="Sarolahti"> <organization/> </author> <author initials="M." surname="Kojo"> <organization/> </author> <date year="2010"month="October"/> </front> </reference> <reference anchor="RFC5077"> <front> <title>Transport Layer Security (TLS) Session Resumption without Server-Side State</title> <author fullname="J. Salowey" initials="J." surname="Salowey"> <organization/> </author> <author fullname="H. Zhou" initials="H." surname="Zhou"> <organization/> </author> <author fullname="P. Eronen" initials="P." surname="Eronen"> <organization/> </author> <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"> <organization/> </author> <date month="January" year="2008"/> <abstract> <t>This document describes a mechanism that enables the Transport Layer Security (TLS) server to resume sessions and avoid keeping per-client session state. The TLS server encapsulates the session state into a ticket and forwards it to the client. The client can subsequently resume a session using the obtained ticket. This document obsoletes RFC 4507. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="5077"/> <seriesInfo name="DOI" value="10.17487/RFC5077"/> </reference> <reference anchor="QUIC-HTTP"> <front> <title>HTTP/3</title> <author fullname="Mike Bishop"> <organization>Akamai</organization> </author> <date day="2" month="February" year="2021"/> <abstract> <t>The QUIC transport protocol has several features that are desirable in a transport for HTTP, such as stream multiplexing, per-stream flow control, and low-latency connection establishment. This document describes a mapping of HTTP semantics over QUIC. This document also identifies HTTP/2 features that are subsumed by QUIC and describes how HTTP/2 extensions can be ported to HTTP/3. </t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-quic-http-34"/> </reference> <reference anchor="RFC8085"> <front> <title>UDP Usage Guidelines</title> <author fullname="L. Eggert" initials="L." surname="Eggert"> <organization/> </author> <author fullname="G. Fairhurst" initials="G." surname="Fairhurst"> <organization/> </author> <author fullname="G. Shepherd" initials="G." surname="Shepherd"> <organization/> </author> <date month="March" year="2017"/> <abstract> <t>The User Datagram Protocol (UDP) provides a minimal message-passing transport that has no inherent congestion control mechanisms. This document provides guidelines on the use of UDP for the designers of applications, tunnels, and other protocols that use UDP. Congestion control guidelines are a primary focus, but the document also provides guidance on other topics, including message sizes, reliability, checksums, middlebox traversal, the use of Explicit Congestion Notification (ECN), Differentiated Services Code Points (DSCPs), and ports.</t> <t>Because congestion control is critical to the stable operation of the Internet, applications and other protocols that choose to use UDP as an Internet transport must employ mechanisms to prevent congestion collapse and to establish some degree of fairness with concurrent traffic. They may also need to implement additional mechanisms, depending on how they use UDP.</t> <t>Some guidance is also applicable to the design of other protocols (e.g., protocols layered directly on IP or via IP-based tunnels), especially when these protocols do not themselves provide congestion control.</t> <t>This document obsoletes RFC 5405 and adds guidelines for multicast UDP usage.</t> </abstract>month="November"/> </front><seriesInfo name="BCP" value="145"/> <seriesInfo name="RFC" value="8085"/> <seriesInfo name="DOI" value="10.17487/RFC8085"/><refcontent>Proc. ACM IMC 2010</refcontent> </reference> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5077.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.9114.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8085.xml"/> <reference anchor="SSDP" target="https://openconnectivity.org/upnp-specs/UPnP-arch-DeviceArchitecture-v2.0-20200417.pdf"> <front> <title>UPnP Device Architecture 2.0</title> <author initials="A."surname="Donoho"> <organization/>surname="Donoho" fullname="Andrew Donoho"> <organization>IBM</organization> </author> <author initials="B."surname="Roe"> <organization/>surname="Roe" fullname="Bryan Roe"> <organization>Intel</organization> </author> <author initials="M."surname="Bodlaender"> <organization/>surname="Bodlaender" fullname="Maarten Bodlaender"> <organization>Phillips</organization> </author> <author initials="J."surname="Gildred"> <organization/>surname="Gildred" fullname="John Gildred"> <organization>Pioneer</organization> </author> <author initials="A."surname="Messer"> <organization/>surname="Messer" fullname="Alan Messer"> <organization>Samsung</organization> </author> <author initials="Y."surname="Kim"> <organization/>surname="Kim" fullname="YoonSoo Kim"> <organization>Samsung</organization> </author> <author initials="B."surname="Fairman"> <organization/>surname="Fairman" fullname="Bruce Fairman"> <organization>Sony</organization> </author> <author initials="J."surname="Tourzan"> <organization/>surname="Tourzan" fullname="Jonathan Tourzan"> <organization>Sony</organization> </author> <date year="2020" month="April" day="17"/> </front> </reference> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml"/> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-taps-arch.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7301.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7413.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8470.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5382.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.9218.xml"/> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-quic-ack-frequency.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6335.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7838.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.1034.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5905.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6762.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8981.xml"/> <referenceanchor="TLS13">anchor="RFC9312" target="https://www.rfc-editor.org/info/rfc9312"> <front><title>The Transport Layer Security (TLS) Protocol Version 1.3</title> <author fullname="E. Rescorla" initials="E." surname="Rescorla"> <organization/> </author> <date month="August" year="2018"/> <abstract> <t>This document specifies version 1.3<title>Manageability of the QUIC TransportLayer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t> <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t> </abstract> </front> <seriesInfo name="RFC" value="8446"/> <seriesInfo name="DOI" value="10.17487/RFC8446"/> </reference> <reference anchor="I-D.ietf-taps-arch"> <front> <title>An Architecture for Transport Services</title>Protocol</title> <authorfullname="Tommy Pauly"> <organization>Apple Inc.</organization>fullname="Mirja Kühlewind"> <organization>Ericsson</organization> </author> <author fullname="Brian Trammell"> <organization>Google Switzerland GmbH</organization> </author><author fullname="Anna Brunstrom"> <organization>Karlstad University</organization> </author> <author fullname="Godred Fairhurst"> <organization>University of Aberdeen</organization> </author> <author fullname="Colin Perkins"> <organization>University of Glasgow</organization> </author><dateday="27" month="June"month="September" year="2022"/><abstract> <t> This document describes an architecture for exposing transport protocol features to applications for network communication, a Transport Services system. The Transport Services Application Programming Interface (API) is based on an asynchronous, event-driven interaction pattern. This API uses messages for representing data transfer to applications, and describes how implementations can use multiple IP addresses, multiple protocols, and multiple paths, and provide multiple application streams. This document further defines common terminology and concepts to be used in definitions of a Transport Service API and a Transport Services implementation. </t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-taps-arch-13"/> </reference> <reference anchor="RFC7301"> <front> <title>Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension</title> <author fullname="S. Friedl" initials="S." surname="Friedl"> <organization/> </author> <author fullname="A. Popov" initials="A." surname="Popov"> <organization/> </author> <author fullname="A. Langley" initials="A." surname="Langley"> <organization/> </author> <author fullname="E. Stephan" initials="E." surname="Stephan"> <organization/> </author> <date month="July" year="2014"/> <abstract> <t>This document describes a Transport Layer Security (TLS) extension for application-layer protocol negotiation within the TLS handshake. For instances in which multiple application protocols are supported on the same TCP or UDP port, this extension allows the application layer to negotiate which protocol will be used within the TLS connection.</t> </abstract> </front> <seriesInfo name="RFC" value="7301"/> <seriesInfo name="DOI" value="10.17487/RFC7301"/> </reference> <reference anchor="RFC7413"> <front> <title>TCP Fast Open</title> <author fullname="Y. Cheng" initials="Y." surname="Cheng"> <organization/> </author> <author fullname="J. Chu" initials="J." surname="Chu"> <organization/> </author> <author fullname="S. Radhakrishnan" initials="S." surname="Radhakrishnan"> <organization/> </author> <author fullname="A. Jain" initials="A." surname="Jain"> <organization/> </author> <date month="December" year="2014"/> <abstract> <t>This document describes an experimental TCP mechanism called TCP Fast Open (TFO). TFO allows data to be carried in the SYN and SYN-ACK packets and consumed by the receiving end during the initial connection handshake, and saves up to one full round-trip time (RTT) compared to the standard TCP, which requires a three-way handshake (3WHS) to complete before data can be exchanged. However, TFO deviates from the standard TCP semantics, since the data in the SYN could be replayed to an application in some rare circumstances. Applications should not use TFO unless they can tolerate this issue, as detailed in the Applicability section.</t> </abstract></front> <seriesInfo name="RFC"value="7413"/>value="9312"/> <seriesInfo name="DOI"value="10.17487/RFC7413"/>value="10.17487/RFC9312"/> </reference><reference anchor="HTTP-REPLAY"> <front> <title>Using Early Data in HTTP</title> <author fullname="M. Thomson" initials="M." surname="Thomson"> <organization/> </author> <author fullname="M. Nottingham" initials="M." surname="Nottingham"> <organization/> </author> <author fullname="W. Tarreau" initials="W." surname="Tarreau"> <organization/> </author> <date month="September" year="2018"/> <abstract> <t>Using TLS early data creates an exposure to the possibility of a replay attack. This document defines mechanisms that allow clients to communicate with servers about HTTP requests that are sent in early data. Techniques are described that use these mechanisms<xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-quic-load-balancers.xml"/> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-quic-retry-offload.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2475.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7657.xml"/> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-quic-version-negotiation.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.9221.xml"/> </references> </references> <section anchor="acknowledgments" numbered="false"> <name>Acknowledgments</name> <t>Special thanks tomitigate the risk of replay.</t> </abstract> </front> <seriesInfo name="RFC" value="8470"/> <seriesInfo name="DOI" value="10.17487/RFC8470"/> </reference> <reference anchor="RFC5382"> <front> <title>NAT Behavioral Requirements for TCP</title> <author fullname="S. Guha" initials="S." role="editor" surname="Guha"> <organization/> </author> <author fullname="K. Biswas" initials="K." surname="Biswas"> <organization/> </author> <author fullname="B. Ford" initials="B." surname="Ford"> <organization/> </author> <author fullname="S. Sivakumar" initials="S." surname="Sivakumar"> <organization/> </author> <author fullname="P. Srisuresh" initials="P." surname="Srisuresh"> <organization/> </author> <date month="October" year="2008"/> <abstract>Last Call reviewers <contact fullname="Chris Lonvick"/> and <contact fullname="Ines Robles"/>.</t> <t>Thisdocument defines a set of requirements for NATs that handle TCP that would allow many applications, such as peer-to-peer applications and online games toworkconsistently. Developing NATs that meet this set of requirements will greatly increase the likelihood that these applications will function properly. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t> </abstract> </front> <seriesInfo name="BCP" value="142"/> <seriesInfo name="RFC" value="5382"/> <seriesInfo name="DOI" value="10.17487/RFC5382"/> </reference> <reference anchor="I-D.draft-ietf-httpbis-priority"> <front> <title>Extensible Prioritization Scheme for HTTP</title> <author fullname="Kazuho Oku"> <organization>Fastly</organization> </author> <author fullname="Lucas Pardue"> <organization>Cloudflare</organization> </author> <date day="17" month="January" year="2022"/> <abstract> <t>This document describes a scheme that allows an HTTP client to communicate its preferences for how the upstream server prioritizes responses to its requests, and also allows a server to hint to a downstream intermediary how its responses should be prioritized when they are forwarded. This document defines the Priority header field for communicating the initial priority in an HTTP version-independent manner, as well as HTTP/2 and HTTP/3 frames for reprioritizing responses. These share a common format structure that is designed to provide future extensibility. </t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-httpbis-priority-12"/> </reference> <reference anchor="I-D.ietf-quic-ack-frequency"> <front> <title>QUIC Acknowledgement Frequency</title> <author fullname="Jana Iyengar"> <organization>Fastly</organization> </author> <author fullname="Ian Swett"> <organization>Google</organization> </author> <date day="11" month="July" year="2022"/> <abstract> <t> This document describes a QUIC extension for an endpoint to control its peer's delaying of acknowledgements. Note to Readers Discussion of this draft takes place on the QUIC working group mailing list (quic@ietf.org), which is archived at https://mailarchive.ietf.org/arch/search/?email_list=quic. Source code and issues list for this draft can be found at https://github.com/quicwg/ack-frequency. Working Group information can be found at https://github.com/quicwg. </t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-quic-ack-frequency-02"/> </reference> <reference anchor="RFC6335"> <front> <title>Internet Assigned Numbers Authority (IANA) Procedures for the Management of the Service Name and Transport Protocol Port Number Registry</title> <author fullname="M. Cotton" initials="M." surname="Cotton"> <organization/> </author> <author fullname="L. Eggert" initials="L." surname="Eggert"> <organization/> </author> <author fullname="J. Touch" initials="J." surname="Touch"> <organization/> </author> <author fullname="M. Westerlund" initials="M." surname="Westerlund"> <organization/> </author> <author fullname="S. Cheshire" initials="S." surname="Cheshire"> <organization/> </author> <date month="August" year="2011"/> <abstract> <t>This document defines the procedures that the Internet Assigned Numbers Authority (IANA) uses when handling assignment and other requests related to the Service Name and Transport Protocol Port Number registry. It also discusses the rationale and principles behind these procedures and how they facilitate the long-term sustainability of the registry.</t> <t>This document updates IANA's procedureswas partially supported byobsoletingtheprevious UDP and TCP port assignment procedures defined in Sections 8 and 9.1 of the IANA Allocation Guidelines, and it updates the IANA service nameEuropean Commission under Horizon 2020 grant agreement no. 688421 Measurement andport assignment proceduresArchitecture forUDP-Lite, the Datagram Congestion Control Protocol (DCCP), and the Stream Control Transmission Protocol (SCTP). It also updates the DNS SRV specification to clarify whataservice name is and how it is registered. This memo documents anMiddleboxed InternetBest Current Practice.</t> </abstract> </front> <seriesInfo name="BCP" value="165"/> <seriesInfo name="RFC" value="6335"/> <seriesInfo name="DOI" value="10.17487/RFC6335"/> </reference> <reference anchor="RFC7838"> <front> <title>HTTP Alternative Services</title> <author fullname="M. Nottingham" initials="M." surname="Nottingham"> <organization/> </author> <author fullname="P. McManus" initials="P." surname="McManus"> <organization/> </author> <author fullname="J. Reschke" initials="J." surname="Reschke"> <organization/> </author> <date month="April" year="2016"/> <abstract> <t>This document specifies "Alternative Services" for HTTP, which allow an origin's resources to be authoritatively available at a separate network location, possibly accessed with a different protocol configuration.</t> </abstract> </front> <seriesInfo name="RFC" value="7838"/> <seriesInfo name="DOI" value="10.17487/RFC7838"/> </reference> <reference anchor="RFC1034"> <front> <title>Domain names - concepts(MAMI) andfacilities</title> <author fullname="P.V. Mockapetris" initials="P.V." surname="Mockapetris"> <organization/> </author> <date month="November" year="1987"/> <abstract> <t>This RFC is the revised basic definition of The Domain Name System. It obsoletes RFC-882. This memo describesby thedomain style names and their usedSwiss State Secretariat forhost address look up and electronic mail forwarding. It discusses the clients and servers in the domain name system and the protocol used between them.</t> </abstract> </front> <seriesInfo name="STD" value="13"/> <seriesInfo name="RFC" value="1034"/> <seriesInfo name="DOI" value="10.17487/RFC1034"/> </reference> <reference anchor="RFC5905"> <front> <title>Network Time Protocol Version 4: ProtocolEducation, Research, andAlgorithms Specification</title> <author fullname="D. Mills" initials="D." surname="Mills"> <organization/> </author> <author fullname="J. Martin" initials="J." role="editor" surname="Martin"> <organization/> </author> <author fullname="J. Burbank" initials="J." surname="Burbank"> <organization/> </author> <author fullname="W. Kasch" initials="W." surname="Kasch"> <organization/> </author> <date month="June" year="2010"/> <abstract> <t>The Network Time Protocol (NTP) is widely used to synchronize computer clocks in the Internet.Innovation under contract no. 15.0268. Thisdocument describes NTP version 4 (NTPv4), which is backwards compatible with NTP version 3 (NTPv3), described in RFC 1305, as well as previous versions of the protocol. NTPv4 includes a modified protocol header to accommodate the Internet Protocol version 6 address family. NTPv4 includes fundamental improvements in the mitigation and discipline algorithms that extend the potential accuracy to the tens of microseconds with modern workstations and fast LANs. It includes a dynamic server discovery scheme, so that in many cases, specific server configuration is not required. It corrects certain errors in the NTPv3 design and implementation and includes an optional extension mechanism. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="5905"/> <seriesInfo name="DOI" value="10.17487/RFC5905"/> </reference> <reference anchor="RFC6762"> <front> <title>Multicast DNS</title> <author fullname="S. Cheshire" initials="S." surname="Cheshire"> <organization/> </author> <author fullname="M. Krochmal" initials="M." surname="Krochmal"> <organization/> </author> <date month="February" year="2013"/> <abstract> <t>As networked devices become smaller, more portable, and more ubiquitous, the ability to operate with less configured infrastructure is increasingly important. In particular, the ability to look up DNS resource record data types (including, butsupport does notlimited to, host names) in the absence of a conventional managed DNS server is useful.</t> <t>Multicast DNS (mDNS) provides the ability to perform DNS-like operations on the local link in the absence of any conventional Unicast DNS server. In addition, Multicast DNS designates a portion of the DNS namespace to be free for local use, without the need to pay any annual fee, and without the need to set up delegations or otherwise configure a conventional DNS server to answer for those names.</t>imply endorsement.</t> </section> <section anchor="contributors" numbered="false"> <name>Contributors</name> <t>Theprimary benefits of Multicast DNS names are that (i) they require little or no administration or configuration to set them up, (ii) they work when no infrastructure is present, and (iii) they work during infrastructure failures.</t> </abstract> </front> <seriesInfo name="RFC" value="6762"/> <seriesInfo name="DOI" value="10.17487/RFC6762"/> </reference> <reference anchor="RFC8981"> <front> <title>Temporary Address Extensions for Stateless Address Autoconfiguration in IPv6</title> <author fullname="F. Gont" initials="F." surname="Gont"> <organization/> </author> <author fullname="S. Krishnan" initials="S." surname="Krishnan"> <organization/> </author> <author fullname="T. Narten" initials="T." surname="Narten"> <organization/> </author> <author fullname="R. Draves" initials="R." surname="Draves"> <organization/> </author> <date month="February" year="2021"/> <abstract> <t>This document describes an extension to IPv6 Stateless Address Autoconfiguration that causes hostsfollowing people have contributed significant text togenerate temporary addresses with randomized interface identifiers for each prefix advertised with autoconfiguration enabled. Changing addresses over time limits the window of time during which eavesdroppers and other information collectors may trivially perform address-based network-activity correlation when the same address is employed for multiple transactions by the same host. Additionally, it reduces the window of exposure of a host as being accessible via an address that becomes revealed as a result of active communication. This document obsoletes RFC 4941.</t> </abstract> </front> <seriesInfo name="RFC" value="8981"/> <seriesInfo name="DOI" value="10.17487/RFC8981"/> </reference> <reference anchor="I-D.ietf-quic-manageability"> <front> <title>Manageability of the QUIC Transport Protocol</title> <author fullname="Mirja Kuehlewind"> <organization>Ericsson</organization> </author> <author fullname="Brian Trammell"> <organization>Google Switzerland GmbH</organization> </author> <date day="11" month="July" year="2022"/> <abstract> <t> This document discusses manageability of the QUIC transport protocol, focusing on the implications of QUIC's design and wire image on network operations involving QUIC traffic. Its intended audience is network operators and equipment vendors who relyor feedback onthe use of transport-aware network functions. </t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-quic-manageability-17"/> </reference> <reference anchor="QUIC-LB"> <front> <title>QUIC-LB: Generating Routable QUIC Connection IDs</title> <authorthis document:</t> <contact fullname="Gorry Fairhurst"/> <contact fullname="Ian Swett"/> <contact fullname="Igor Lubashev"/> <contact fullname="Lucas Pardue"/> <contact fullname="Mike Bishop"/> <contact fullname="Mark Nottingham"/> <contact fullname="MartinDuke"> <organization>Google</organization> </author> <author fullname="Nick Banks"> <organization>Microsoft</organization> </author> <author fullname="Christian Huitema"> <organization>Private Octopus Inc.</organization> </author> <date day="11" month="July" year="2022"/> <abstract> <t> QUIC address migration allows clients to change their IP address while maintaining connection state. To reduce the ability of an observer to link two IP addresses, clients and servers use new connection IDs when they communicate via different client addresses. This poses a problem for traditional "layer-4" load balancers that route packets via the IP address and port 4-tuple. This specification provides a standardized means of securely encoding routing information in the server's connection IDs so that a properly configured load balancer can route packets with migrated addresses correctly. As it proposes a structured connection ID format, it also provides a means of connection IDs self-encoding their length to aid some hardware offloads. </t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-quic-load-balancers-14"/> </reference> <reference anchor="QUIC-RETRY"> <front> <title>QUIC Retry Offload</title> <authorDuke"/> <contact fullname="MartinDuke"> <organization>Google</organization> </author> <author fullname="Nick Banks"> <organization>Microsoft</organization> </author> <date day="28" month="March" year="2022"/> <abstract> <t> QUIC uses Retry packets to reduce load on stressed servers, by forcing the client to prove ownership of its address before the server commits state. QUIC also has an anti-tampering mechanism to prevent the unauthorized injection of Retry packets into a connection. However, a server operator may want to offload production of Retry packets to an anti-Denial-of-Service agent or hardware accelerator. "Retry Offload" is a mechanism for coordination between a server and an external generator of Retry packets that can succeed despite the anti-tampering mechanism. </t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-duke-quic-retry-offload-00"/> </reference> <reference anchor="RFC2475"> <front> <title>An Architecture for Differentiated Services</title> <author fullname="S. Blake" initials="S." surname="Blake"> <organization/> </author> <author fullname="D. Black" initials="D." surname="Black"> <organization/> </author> <author fullname="M. Carlson" initials="M." surname="Carlson"> <organization/> </author> <author fullname="E. Davies" initials="E." surname="Davies"> <organization/> </author> <author fullname="Z. Wang" initials="Z." surname="Wang"> <organization/> </author> <author fullname="W. Weiss" initials="W." surname="Weiss"> <organization/> </author> <date month="December" year="1998"/> <abstract> <t>This document defines an architecture for implementing scalable service differentiation in the Internet. This memo provides information for the Internet community.</t> </abstract> </front> <seriesInfo name="RFC" value="2475"/> <seriesInfo name="DOI" value="10.17487/RFC2475"/> </reference> <reference anchor="RFC7657"> <front> <title>Differentiated Services (Diffserv) and Real-Time Communication</title> <author fullname="D. Black" initials="D." role="editor" surname="Black"> <organization/> </author> <author fullname="P. Jones" initials="P." surname="Jones"> <organization/> </author> <date month="November" year="2015"/> <abstract> <t>This memo describes the interaction between Differentiated Services (Diffserv) network quality-of-service (QoS) functionality and real- time network communication, including communication based on the Real-time Transport Protocol (RTP). Diffserv is based on network nodes applying different forwarding treatments to packets whose IP headers are marked with different Diffserv Codepoints (DSCPs). WebRTC applications, as well as some conferencing applications, have begun using the Session Description Protocol (SDP) bundle negotiation mechanism to send multiple traffic streams with different QoS requirements using the same network 5-tuple. The results of using multiple DSCPs to obtain different QoS treatments within a single network 5-tuple have transport protocol interactions, particularly with congestion control functionality (e.g., reordering). In addition, DSCP markings may be changed or removed between the traffic source and destination. This memo covers the implications of these Diffserv aspects for real-time network communication, including WebRTC.</t> </abstract> </front> <seriesInfo name="RFC" value="7657"/> <seriesInfo name="DOI" value="10.17487/RFC7657"/> </reference> <reference anchor="I-D.draft-ietf-quic-version-negotiation"> <front> <title>Compatible Version Negotiation for QUIC</title> <author fullname="David Schinazi"> <organization>Google LLC</organization> </author> <author fullname="Eric Rescorla"> <organization>Mozilla</organization> </author> <date day="11" month="July" year="2022"/> <abstract> <t> QUIC does not provide a complete version negotiation mechanism but instead only provides a way for the server to indicate that the version the client chose is unacceptable. This document describes a version negotiation mechanism that allows a client and server to select a mutually supported version. Optionally, if the client's chosen version and the negotiated version share a compatible first flight format, the negotiation can take place without incurring an extra round trip. </t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-quic-version-negotiation-09"/> </reference> <reference anchor="RFC9221"> <front> <title>An Unreliable Datagram Extension to QUIC</title> <author fullname="T. Pauly" initials="T." surname="Pauly"> <organization/> </author> <author fullname="E. Kinnear" initials="E." surname="Kinnear"> <organization/> </author> <author fullname="D. Schinazi" initials="D." surname="Schinazi"> <organization/> </author> <date month="March" year="2022"/> <abstract> <t>This document defines an extension to the QUIC transport protocol to add support for sending and receiving unreliable datagrams over a QUIC connection.</t> </abstract> </front> <seriesInfo name="RFC" value="9221"/> <seriesInfo name="DOI" value="10.17487/RFC9221"/> </reference> </references> </references>Thomson"/> <contact fullname="Sean Turner"/> <contact fullname="Tommy Pauly"/> </section> </back><!-- ##markdown-source: H4sIAAAAAAAAA5V963IbSXbm/3yK8vSPoRwARFJ3tb02W5ceriU1LbJtjzc2 OoqoBFEjoAquCylOhyL2HfYN90n2fOeSlwLY7XGEp0WgUJl58tyv8/ncDfWw 8a+Ls91uUy/L63pTD/dFuyqGtS/+9efzN8VVVzb9ru2G4qJrh3bZblx5fd35 29fyffZLV7XLptzSC6uuXA3z2g+r+X+N9XJepo/NT166qhz8a7ek/71pu/vX Rd2sWufqXfe6GLqxH06Pj18dn7ov/v6u7arXxXkz+K7xw/wt3uxcP5RN9Uu5 aRta7d73ble/Lv4XbXBW9LTbzq96+tf9Fv/4386V47Buu9euKOb0/wUt178u Pi6Kfxn9euPv6qbij2XzH+vuL+X0q7a7eV286+pl37cNf+K3Zb15XWzx9OJL ePqfvT60WLbbfMEfFoDndus3m2S5H7q6bPIveLEf2/Zm49OlAM9/HvTBxXLN 3/V0WD/Q4wS18nb+47jZzC825fDX4oS/XxLEXxcvj4+fFv850tbkV8t2bAYA /vKuHv7quw2Bk+BPt9Bty6G+9YCV7enk+Wv+kWKL3UVxUQ5rxZCy883yvvjo y37s/NY3Q1+Mfd3cFJ/PL94VZ8Om7Isj/PvFafHx7KrYdb6np2ittnnEb493 hP+b638fAN3eA/uXOZTdDQCzHoZd//rx467e+RenC/xnQbt/fLebL1s6SjM8 Hnebtqz6x+mm+scvn89L7Hs+VruqXq0Wu2rFb2bkLU6PT57Pj5/NT5/Rh+8q v6kbP4HUzwyBn99eFATXCLdIVO9u282I1YqjsvuP+hZg2XV1MxQnz09OF8cv Xp48/29A518WtoH/LnD+dgC/WxRn17558Ndv24bOdhDyZfe1vl0QUj8ur/vH 8WRTYJ6czk9P6cPLOz8ME1Ayt3nr6aLugV3Fu687IjRCOl+Ug9JKcXT+7ur9 q+fy8A/t+78Vy84XsvbBU9zd3S1AgXyQXdcuva/oevvHr54/7jd15Xv9z/zV c+F6Tw5izIv56TF9eFGW/XL9qWzam+ygn/xALO9LcTnuGEWAOVdvLor3ZT8U P+08ocqns08//Vg8f/G3Hu/NQld98HwNtsMH7OuBDlT5VTluhserekN/yY9/ 0R3+ojs8eEi6zCf04Z/KgTh0c3KcHfGsKTxfH26y3BALGysWO+t264sbes1d eV8s12VXLolk6n4gjlockQRaEhK++Vicf3yDdY4f5esez0+Ofx8Klwvb1uHv zxbFp/tuXT/4wAeitpsb3w0Pvv9y6No7EkoHv7+g78uu3ZTroX6YXNu/tPTh 5/dvnh2/eIGTAKfnf7q6uiA0nb9dRNmK+5NHXx6/fIZHLy/fXuR86KK5IOK5 rYlazrrlmu52ORCfLogQMxCeHs+Pn85PXvw+FM+Y4tt1+yBD+Nw+zI1+aKtN 6ZvKd4cf+Z+L4sd6U3X+AW5Fq3/0ff/Qz/9MAKy3D+7sfVmTlHvgdmnpq3bs /qrfT6mkJQpcgtUtSUqSaGViGXfNbt7v/LJ/DFDPS4LxXOCdgnt+S/CeA8rH T09eMN04N5/PC2KLA3Dduat13RekRo3M5Kq6X450zJ4VsvJBLW0IAmWnWtrM reglLH5IuCzLW1+SRK63O1oFH+q7WPTYb4rK3/pNu+OlSR+gv43duvbWd7zW ojjHiyA3K18RjlTChLFt39c3je967O3gAlv6FCzTDS2/bMbL0K42rDK08lM6 Vu8PvqBfCLy2dVWRauS+g0zt2mpc4jHnGBi//vp3+O8/EkG8Oj4+/vYNeyuL xt8dgBP+cVtXDJKiGbfXdMx25crqtqRTVcWK4EY31y+Kf18TD6SD10Ndbjb3 dtqKGTRuArRJOo8naPd+VtSDvpv4wLLcybXVfJUksJak8l17PF4VpIGtafXt uFzTv4kmituSRJvccQIG2gQfsO4dgbzc9SOpefT7uoGKoV/SPfUA2Qnf0U1H T/TF1YfL4mTxhEDzT/TPkyeAzcunT58TbIYWL+vud3TlGwJHeQ9VCAyh5MvZ tiR2oCcRxyqCfkjabXFFZ7bVaKN8fJzNjUBY3WnxpWnvmoKUP3z/GFsIjOzb t8UU4Q1ixc1YV7gBhm6KCoqjwDIG5F1JPyN0okVdoIdwuwBtOw4RxXDRdDP0 Inq4pru+45PUQOnlZuSlPeFwuXEPbYFwlJYv+VVMFnoyeqqqO6J0Qo5ILs6d 81r0ls2mvcOPer+U99x5o/ACzKNe1ctAqkohf+xzsp85ppi+Hw2THgDOdpR7 6xmh7takNwg7YADRfZQuUoOicJ2dcwH6wiV/8kvitcpz3hOWXJfLL8Wv3630 n9+U8Pjeoezi7UU/MlMbvMLXN+U1KRF4qiN7ASzDLkU2j4PR1rf10GNrQC3S DWjJRjUiofrr9iu95UiuCwf6dHb1KFx050kmdvh43FWM+0Dwr1Ah6DN7E+Fx R+pUNzJbpoMmdgtrI6DTNW2h6NdA32v6nfe4R7K1CIWjYUQUBMtpRRYTfa6K K31IB1niZXH7fXG9aQluoDIAiY64ogufFdj4zRrw77wjQNE1k9AuPAgB6Eev aPElbmnLDLK/7wcPMlwCf5hXDeWNB84kb3Zkf8Iuq/A5NMhffw1WCpGe3Arv iYmCLiNwJ+wxxXjXjU2jsmRod9gD3zgjma95d8TNYLzYguVy6XeMgUFUFiuy YgnKjt7Sg9kZZGagHfq9b25od17fAPQqGNXojx6aoYAhoK0zMieZJDQGzmu8 CIClAxqSgheBDTJlEjSY9fgCBkNxdXZxGShQaZxYZVCzBuK1LNPpYolDLLua NlvqNSj7BrS3dLCzi3Mmpy2pzTXhdyK7lM/0xGQ7ujvi3h2xis5vPC6Qf6XE 6YhFlRWpP0H28/UE/rOKxypp0ZtDqzl3aScicTWLvyBokqLjl9D/wuO4Afri zpdfIH+ErQuy8ZMuPkk3VDF/AhBuW8LSii9A+SZkesaUGKMCrfcubCS8KLAp nJTXA7bgU6Jm0ADB7iw7ANAZdIcbJVOiBZgOCCk8um2rcK0i0cqm3kF04oOa EccpJtIyVVXjC4FZRcRPIrRiNlK0G+wRSwb40NkaSNYZcdiaMJpEM4t0em0u jWfEvW7W4E8ktQd8D+2BN9ZAYAjgHQvilpbc0ev4dkRWkM5KF+S/lgDjjOEk b+IrCuKu8TctqSesDBECk5R/8eT4hLC2bWgNZmgEpRUYC7QYQDmuUdSroCjU zKcrIZJcGVPRIjKQ9kL/XRN9CBlAwaxBv6uxWQocIbQMzKTnGkszxcpEflVc 3wvMmnYww1Z/F68+UjzBw2UYkdC2AIg1l/b6tm5H0jDq1cp3pqkySgKHqpZ2 QAs63QV708ptoKevrBgS0jB3Jrw6/MRdO24qxmehCxfQXXAh0d4Z0pvynnZa r/gnIJ/3Y4cVZrypXC72LPFNcu3KYY07J/WbNs+w6tVRgEWik6Dd8UqKBU9P nnz7pkjqTBIThFmAAoNStY8Q0DOn5Stl+NddogWS8P7iWbSxVu2Mx7es55Wb vs0u9Xj++eqKFuuZEoC2253RnlgUnwgFRXVkMOOGmN+nIjAV/kFoXf75k2yZ 9B7B3/c/kUbYOxIv0FlWIzR1owrazlHP8jvxvXz79oioniBsrwggzF+i+A49 ppoP7Zz+wzo+C2zSWVTqFdCxwIcDjAgxHXGJql8ThTMuZRob7X5WjM2m/qK6 K4MLKgkhGxCabw36gGjp7CtklKKVWd7RAo8KVmB7iF+62/uo+4t14cTYAo0k LCLQi1kjDFfm5quMnvA9MI0QW5HNV0JjydWTpgQigFC41ieUcCbSAMhJCs8A I9DoHOpiPQAtgTqEHwAmfgptUchVJRbE7NjY28Bvm/KW9Ar8VpRtwq9t2d1j +fvIObZ+SbdQ91u5sS+eoARJuIXwoPUrwKtSuKwc3TZLEfYv0jEAIXkkSqjv C1IOPV9RXAa8kamS7gyc3RH/gZk2BQQp9vCBLQdbco8zE8OXa1TNG3pxSqes n/+n79oC9PXrd3+lf867YTB1PNhSUCyECJPr8j3AXfdrMBqoJqaEFn25Bcdd SkiHdWcgV5ANzBWYy8pL9Q5hFgE1xkbMXIbamuBCWp1swmVSJFojdJCzQ6Y5 X3s4xW+fAJjwXyMAx9EL2OfK8UmxIowiCSgsJrB8+RgH3rW1aOq3tb9TB0S6 V91qTWD67Df8fmy38vN2teoT4wDY2fOblpu2V9HhiIyJm4iHIWWVII7uHp8T Hn7xfseGKXg36dBx+98TvnmS5pFxzm/neJwOe+vZhj7LFa6gV0Hbv2a2tYE7 tQWmi6ks0JyBXytcy67jW3Nd3X/BEUiXJzFVlMNAeL0oLNKX+2MEpOGFan6B nugROI2dwFyVZtFlh/udZ70l09QSr0hfrrDjnjETik/U552+V/1N/FYWsSTo 8NT887uLD2d/FgfHi2MGz3ff0b3xYc74ML1znz3j27YWoURLHG0JnkvoCo/s 6LRDFi6Qe2XdyDqK88zeoXMSz3PLEhAQ5bUDz4Q2C0h3ZDkDW4J6vmx3tTcn l1CakvLZRCjw6SE+Ga3INBNt6MDyYnm1EFUe/pqOgU6HYmVnpUJKzgTmfpZS YdRZivIOeEdbu2OFvedrgPkMPSGsvfgtRCBMZWVMNAxj4Hin7BuruRLI5kmq EgmUm/u+Fl5R6n3ujB/epRiRHp8porgUOnLPFs/xtHr95sSl+NIhCKBDQET2 LKlFAcfLRpjHDFHaK0vvPZmcr+hYGsHbxFo+a9N86bR19eWULMTk+sWGJmCK 80vAu4LrgCTLphRfhCf6Xg6wnGqWx/QRL9wRatZkEW6AlYHH4WsWEDdjp6YM 3bMaBOJw1Y0IIRli4A5pjcqTnBvYISG+Kzw5h+uhF/+WaIaEJH5g+4eMhT7i KIKWsl/17YiSE95VzBPoYkX3J5OMgn2iFLZEbYwXMPm210RSBOGqJv4+sku1 PrhNYs4tIU1DjC95wExDdo+Eh+nif2KRbVchbgjjcqLemo7ZkHHoS7NyN+ym EMnRE4ZCNXb6g1JJiKmZSCicLuK/KAgrnOmuvO+F+v8CiMUjuuyOAsTGhimt XkUiJeMdyAuRO7EGJo75Pr6mVNCaKcNeBkYjx7ot3EEbP3hjb9HyM+s1YA3b sLCdiUJvwg8gGYSdXu4r87B0yc76FxJMc5ZMpJE8ILKc+8ELyzQn8QF39qx4 QFsQFavypXh3HemdpDQEz14FINRb345Dv9CAMb2U6GhgnpPaEXf1ZmNuC9LU ArHJ00wXHLvftHe9uozVFFL1HkxC1FyW3+Fnjn35vDPYedgTwp1tpR4Djeku 1Dx79uTlKRnp/XhDmtIAAmMzECEO+RnT91BsPGyTk9OndIpmHMDXUueh4nRq NSGc0JOCVlZu4m1lEVSLo52dgmankgoFaoJftLjMYKtg5QPyDQX1t4Yve7OZ mx+fxcxy2TIRiV2E8KwEet3Rr7+GuDCZXzPxGae3DWIqe0Ie1dmgyX86uyqu a7VYO/EFOoG4RyoL/4hUalY/VoD7X4AodMhugC5B3LNSraO02F0Bn63qY08W zxx9q2FUuo6V2ORJEO5LRG5o5h0x6d6w5DVxOqfqD26QbqjejtuCnhn5Kk6e 2SZmxTV7qmHKeGxqgxhjJ4+yM9S1JJNYJCRLwjLoiD8RCf5wrwSRaZTnb2eB okJ0SoRP114zMFoGo7oWabsGUAFYaVeccDhGEnEf+c2uB5eCKk37FrV5S5oR tKPeqRkm0clS/BG6EmwXogBaYmRpbIYhf1SLoGEFvWWnhJPtsK6oONcuyebq jS/yKePJjQmKjTo5bDzktY+KWkcvBYPPIwFsWUfv7KxgY+u63MAO7EgzHEMs Vg72WMMnYzcfxh3U3VaDQOaFD74dKGazCfshQ8ocZb15t8Ef7IJYSVVPpTBn 0h3gmxdZzCAshzW7X9Nts+ZDnMrfEWPr1VHkygqajukosr0o/I278W9Y/Dei wHJIxPgh/Nwd7W3XCkwTRhgNKlFXF2qH7lN2xZSZs8UgbPh21AYJ6HgeeWEf sOcQz1fbCSrWMt1RpBJmq/p0dNuq7K4KVXuMfGkTGt8wjCfDPV3QweWyJbHa iVoaGcrJ8eLEIiXsZbpiJo0NShxJXHT9a+fmxflN03ZyeA7uzUBoE5fBXNyG wT5mtznkBZNniyQcZkumZTB+0SW27NC/F3mUgZ0DL4xF+s4/QsvBS4Hw9L49 GoJZENTnBW38XYPAmQognI0W3CAkka6DBz975ec++AKN60yfnyl3M5syKBkI Y9KuCCZdu+vg0tMwjkhliTfe3BtLIXFJ1tYg/JajvgQnBqg49ImmwbryGLtz 72qlxGDPKZSiGVYWU9RmzGZL6eL804+EeYQUPUI5kYNDXLPL65ZNjxwt2QQi MUfXDJI2kmMEJgsFQo8IgQxXlRpKT5Z8oGZWshhfRoo9FuCaMc8mfYe0SPMA q+inJZHFqWJM9EsOmdCFgTZXnWjdIfskCxefJ17J2Z7jT3M/RH2TvdzjQgOs Fbp0IIG6Y5UbnEasBhwV52OVYvJyPjKJc0nSyPSLoFaJK+LJcdAFouYcvY8i rg2qu5H0wWVM3OQwegmScCwVmfvOcvnNcKdLXvmO36h0HFV2xhSlXXEREgXd QsLnpNZ2MX9CpDgjnnrhN8SrfHNbd23DLz3yi5uF2Ctg2QS4R3ieVDDPkT3S YekfxjLZOUf2wCjaIOnSkHQQr4oRKRJDctnVI1bFIsozS0mgyc7iQMmBWW9h OISgl//KqQS3MHp2mrgj3jQWRrUa7X09jILgrCvAx8t2nDiI+SSjICQBif9G Ki/In3n40bYlNcQ/Qj5ELdHDNKxn3L8PGjqfKDkLbmgLdz0xjXVpIIQXf+PF U8moqtB0zHW7cac75tg2yZF/+wgUUwuZNroEiLDrDRnCRTVymgJvFboogR6Y G/TPGRn/oBK2jBMlFb6iDfBRHZ2zlHiOwOmgBkXm9YhPA/6wH4KhnRMOlpVY wHLzwU6LGkxO2KUtFvJv+qC4afwo2t+MFZmWyr+CenENpylzfWCN3ULc+B97 l0n2o+Dnj3IdD/xiDyQuZJPJcvgets+9g8bN20AyF61t/ghVcsPXxs2jW3Mf cjN6G2Gv8SLjnHVz225uLaerg0XZDfZQfP2i+An+ftJodXHHIq0UVYTFFDGT mm1hdmDhH6qqpK65ZIugaGZPcF6boOotUmzbgMKtIpM92JkDOxG0ZtKaLEnc hHBNjWyo4znQ+TzlxNckc/tJPkCqAGqYCBtPF+Az141b1h2ZkKJ/9DgQh3yQ tzX6ai/4U6yJhdMPJZ7zfZ5cNmNDFRiOl81Sg0vUi731lb0zp+sZfOASqDSh xznc8rOI2UuOAfei4JLOdCgmrAFu5NLAfZABAc6hsYlu4V7fp9Si7rWIL7OQ 37Qmap23qzlb7CEOajeo7yFBKDsUemTKhXtf0JJQSRj7TOELy0siRhq0FCq8 gyXNsop+DMXEuzSvRc8sr4LkkLVDZmNTiyEk4gUJPukHM/X5GuRISlxbdiXh lrOkovs9tYBop9mIW1wfhzcAsejJkvpq2o94sBkWQJsh2a0IwmhIshMBdCiH Jju+/KqGgCtO/6Efd//j+ek/PMZ/5ye0vUFok38SFp8Rc/fiB1+2zFTZyWzZ O7Qf2Rqozw/TTbC/KQTb+Zd9yHDSYBsBQGLGcFvdBmbMfEwc2szQaFcSg89T cmaaDpusyRkMLiVzc4aJNzK/XNJQWHeUnSBmBcsJpyDRhsgvSb2l18A5YfQ1 hOPmHoF2N9WZk0f516K537DbIEBULljBdg1OITY7THjJgBYBRA+9P/9EqKZa +uXV53dnHwVJkblskeyDi9LL2OqOqxrVlcw458LRwPpokZkk7HLgHtFRuPOC 1wRYpPaiY5NXIfCbR+wC5xGPs/lM8h+7ZKvx199b1rSFI6Cy8fmSu2JrFpjK rgazz0NA1BzHZSN25KrU5FdobTulKlaCNGsE9orcCSn/yQWZw3zZEX0u6Ufs OciDlPhakWWqzINiDdQFKVbgOmKABC/sfjINZ7UhnCjOJDPZgZWPSQzgQwgL 6Kh4Pri8RZVtBolADMg/bSxcP3EzISlDjZhJgrupPcp/OeJxwPJS371FLSGe NHeYA5hpYnTiLChJlNyZNC1QHbasOegDPYtWEbnlxOMnQedJooEah7o79jec mZDRKwthdjYYIO6QBDIFdfBvmuWsB3fwuml0JFgdM423czQtJIewp0hvkWNL ikB6YFKFmra4GUmBIxTkbaeRWpbigovsu4Drmg0RsXPKZQfV2sQgDvpxImMD ltO9LseOyxYXxdsQ51EOFwKqLuN1wXWpyWCS+AWPCPJzoZWuVZ3OBTQZgfT8 kl6n/th9YEUQ6YEH1rE4nMx5PYPPDpayZDuT2ektKuMG4/WgAighkYpkE0vo RTAkmXqhBdjv657N9UlOk6yOKyCpFbRao/k2ON8bttdguNK7b3x0H6RFD3h+ yxGfEKjq6DKtklgscETJ5LeI6K7M7aLQ69iMUOnDTjuV1XxaVhf1igeVuInr uefqIw7OLSVPnFeLGX7CQyVBD2FMF/hkOQ4tZ18zy9jgwgEmcM0l/VKILd1P rCuxV2tc3w6i2L9iF/GEUSpepDmybu/FduRZoQdWsSznjZ8x6G0TyjaE5+E6 14Qj7IjdTTla8OX2YDK91Mqg0JmuTXKWVrUwYZYvhimAkN6Nosn5W/PSOAGA eLf7db1LE2l6n7xWFCTDM04eYenhOX9aHbdEp0nti7pdyQQYWQkPCbvi80Eq GLuaWUtKtgC0Q/FNOyI6UvZJ0c0kDKvXIsnH5kMlY2jQ/I4EDu5IZE2ImQQ1 N4HMLPOF6WGRhjvVo91Ej86AKxds7iv5+NH3By0w0jSIb65ENvbZ9onXxFAE sSEYhRLHIxErO9xGGzzerBiWZHivNWRJSLmU1AY7UHKpibxUGlaqSHbr5L7o Su4jegQzf3Inv09FjslXAotlEjFJAMgxYfgE+xhAyxUbCY0Mxb0fHPsw9JgI euZp2ircOWgUVtDUgJWQi0GAs185QbvcIFx7L+4RAYw4sOGQ4qAMH2Cnet41 R2QFy5M1VOVBHW1wHdAH96JR2NmO8ojFc6Mb1UIeabRfXqsR/veQJB8TSzcx pjrPGRX0IULtbFNrHmdyF99DniwjjidJYDVK5cRSrZndWQ1UkvxKB24qye8s bmokNqjZqnUA0B/SdwqEJL9FljzqH/FWJ0axRNPwqoVLEOmQbV8LBoQqSJGn gfZC7p7k9QSuj0W81vCEoDp9NUgOZppYZR7RWM8UXur2fmokHfWS63g61iCS ZEgCmcQqUUS1IMEaLPppVPURinABYCtE09husLWmGnDduJgiAacUW22JlXlU rzg10EtSfuoVbKNGuEYSJVGZUFeWhZ1YpWmqi0QD8RgYBQlhTaPtH1macj8g uJ+lU5WNWAlpbBBJuQMiHxDs7Z3g/wXJA1gyfxWWpOgOTTz52HBCsFD0mxhH sitTxhzkvrvYe4mEQQMzFD0l6i2Tel/law+ablO3U9h0VHPE8EDS3Nk0UhsY LJaWasnpsfslCQM/KQx7DSXwYAUwc9BubPppKVmSP0UgRCpm0P161gbBskq2 PHUH99HTLnlsFsKtufgF1VtJGxrUb1/X/dx+jAQPzSz9Hk7VZP1uJOJwVghH 3C6x5iWtVlQmH3YCr6c4RLmjyNfhe47e8Fvj3QQDFFWayT3hakmZufUaKDIj NNJFBksBHKHmha2e2uRdltkaPTZJQUqGWVaaE1GK7eNFQIvUbxpeLur/BoTK lH8tbAdOJa5oIAtgw3kfql5XkQMRZe3LefXIq34fgA3J6YTyxThI7DhWcjLT cIKZB4AB4Q5b9ZqkKmLY0F4bLXGWPNEVPcEcviluUNWEu0HmplSUSo4EoYQz 9xwaqhCfYLmvdky6Wfp0bKZbn7mAN6Ceanzo7oR1s9typcgzjz9Vn3GW+gIn AIcdZUdMH8H0Uf7Oaquwpsg2XCC6iJdSmSclPxlo1fTu6lvTfDMGWfllzXp4 UBETy06x3zKg1XsENvsT7GD1I342kL1VA1/tD7t8TTBuk58EKJtPgLQxrWoQ d2hIPxVv1DQhLhEnmphRhOT2FOcOWavwQI8D/PLih7AtzAS3prYD65hpfpu6 6Z2e4d5ekDgICEY/N2L/wbsUVMBZzp2YvYp0CTonvz2iCfRIcNS7sqtwZPEk jiQwN0WW78pxl5sRkjpUgnEkKfPG1iHzC1g3zUQqo7EuO8Cb1i2hYOblhsim W+JNuGRdi19EeBzUJzMt9nRxGtNuSJVrkwq5mMVLzOsGuRAp9PheWLVJISeQ YRxyqVtjRj/sJYgbL1Hz3gKYcmOu184a2XtEX5IyjvwiJcE8Ud4sRnvtyVSo GY2r6L8NdW5iTaiRK3WZ5kuWS0BcYgSdF2mdk3YVYNouK7iueqFMVvnf6FW9 te/QAYC+mOsdzsOPrAApu+F4P0/j7US3YxlTsVkBYgWNFT+nN25VdtfsbOsD qLRQf8XlUiSpLJGeyR/6VCj8klAKq6jlFucPFR6p548Izpaom2SVVkQlB//N gxnrhtOESXPc9vgAacrIBw9WmOzC3HbVuGRXpKQnqNYhQbeR69JyHdn4ttwa eiyAV21LDbTYFdC1xWuqJxElzk/JeeH9REELHTwswdglzgmYpst2q0U+9JJt IR5S1ungQ5ryO/iuRi11YfQ3RnuABxAomc9Z2NXKQHhLdj5OnGBMRlKq20uR R1V6hsTwS/RQellSgETMsSwJnId4kfaP4PAN51umRYGTMpogKRjxpTxXrPlQ QgQIdMagy6qX2KyIyLARxbxFwWmu03PpkcvbLAIXVTdNEJzUmOqnxvfCEm94 T6HuJJRClxtBWORMqOisSf+raqkjC57xNNxVaPeDFJB7ApYIsan/a5QKbLiL YT0buM0AVHOHVERvaubHs//45e3Z1ZmTWA7/LYE9/jhEs8soLxTe1SIoELGx kDyOBC651qgRWxaH8m0u6ATzaEhhSXQZlWe6YyzpZNscM9HzBHNQXQQcjkSm CoFwi1cKq3DG0qdh0ViOO9PSGylOGdZEqcMmeN9lYec+IActT7gzb3/KalIK 0sw0OlC94xh7QAEgaJHg59qnXjd4uaVzG0K6GiZKQgeaDmfpPO4QdcVcHjNs 97fBrTHgTi9D9laufKdag8RUOUU+3UsItEjoTbWIGVebCSQ4Psvp5UmDDmOP XDgjWRKW77AfnNe0VwabBNw10fy3Y/p2zYarwELxSESn+1mB8tlhPUdCYf01 iaWIg0udggQEznXthJ9PeU4r5qVTdYZvVx1eU9YT41u0m9/S1XDx7tCp0vzW Do1LWWtljTGmkRJSXXvphcQVNM5uQ3QwSRhE0amev5DzKwfkarKkxhAmc0gT 4HQq9IBl6W4CEUEHnyfEJsVbzFJjdCytznKxtDItfUOVs0TCulvO9jmA4+aG z7HSlQMpKRI7kttjtbQf7jc+3XLBBrTkeDAm5JcqiSpEZ2xulhziUwHL+CAy uo+ENkvTQR1nN2bsTNnxQWJl84r5B3vT1pKdhTt1CYSDOBC3zGTDaoAgw0Sw XBQ+AAk4xjzQSb7DkrXT0vSTYZ2xAMmMpm0hfyuzyVLp5Ow6E12IiyghzoE/ TPLggZYXlKjZMYzP1nAQtQvHPS/71Gxjj0xgD3C6wvRSh4gJCM6V0/RSe5Qs 5ZDSpwoUY3xAgMCYjFOHLHc1JzZ+NSg9w6fAdGeCIdwrE5tc7u8hquzPWUS+ uGrTa2dUrNetxHbCLlfapyBCSZtamHQDQ9NgmdUKlHZie9rEJRtIkZ+zbI3g KbQuVaIugiXqcofW3g7m7JhPUqrm6nU4ID2spCgVjP2SmEtXt0mKOFG6JHZe 31vcXOqmVIMIMVWUJF5e/XTxy+W7T2+RRE2b+/zu8t2VqiwE1jfx95LtrL+1 jj619RKw7TvhlSE5pQqJ0mm7pxip+cAZYG9IJasH6bnkMr+aSKxpbn2SXGkJ qyNH6Nla5lfGJBLHhoCkP4iTVGIgWSSv7iThVGucM3lZVreINoKvcjamiwl9 m1+25ddfdKFfEO6UNpEHvqT9Hkr7JXCchTQQXm4vRy1Gw0z+Rh97cu6hRYNa kihB64FS+SET4Bb215PwK6KOeikKJ4fwhlim6aJdOgQys2S/n5L4WAIz1S9m XLmcZirAzRyAb6lNyhAmqadJIS1zBhIEzBa02NH8QQTAwQQTp25MciSRphLR 8bYu8yosjoKqQ5Hh/b0TJw2xmHni35YY46R/RW6CWq2C4iYuMb2gFEpCrlaF OSEiS3qR20/48zRfMu+15ThI2+6UQXaq+QcLXBy4UMxKDgeKcXhuBlO6AUnf s74BnNTHn43SdqE0FT9N0uAS5lils5ZoRBohj4AKjl5J1g/F3E3wCouPYAiN lxkk6kpqu8y+hcbBOGapkmGrUzuOoWNmjNEC912cYHDIQ9q/mAa50pMMPO5f IRpkGkRNSTarU7XqMSschFwdRMFqUQJJMp89iWY2axKaqBycKchFKXRvS9E9 rImLvjZ6UFeThhEo2LUWBOVG+q9MHAQJ2SVqP0qIGYvZSce9XzRlRGGWVvCk Glhg7coZQxZPv01gwmKDk8o39wfWm1wPi7LgNM7S437gCljl0jDIkNEYGWDI b9SMxHBqZah1l3Ys4OYcVnYCl/e9Ine+H7yL/Tg5pUwzO9S7YVjqJME2MtdJ zlnCSAqROKjBMu+asqw0TzfrbjZoZa2kW7AsXViWR3BlqvYbtxCkgvvxp7N/ P/tzSEdu9LezULlRpE9k9iuSuDUXnrPRQHWSOCONTe9ibEQbmU0kWcYoE8G9 sNvIConkAdDy4PezxduQUtIK1qr4cIFriQiDTZLRrTBfpbx2k+poM4vCks2V iBbtBSTHn/BSzi3nGlJOPUwaG/gojhCZcZzowmr/AyLou+KCUz8seAjM/SDu IFOetM1kFmLPW1RN6zkOBSvcOuVYeZcpyUHWFHVTU8HyxUk9TQvlqLdLjBXN 2UTDFKvdY+vqTgPkVpSKBJERtWz6rLYTksYC2vIfVaLN/eHQFbotcJ7gV3U9 4wVpCUnvEsdc7L+FRO5UbcE7UGcNx+w1Qfyuroa1MvdQh+TyOkWkcvTTxKWT J1mhtbikTNNCuIPDgGxNRMcTgMSBON00c5aJz1JjVqUaSaXWUAOvUMzr2Pue b99rdfRSqhQsHVhwSV1MlUc/FTbhrXku7Le5dfjBDRPPvG9K8xRIzTz4QJlS 0DVrJFUQvzuk63XcwW4aYecE2inOhYRuiGXd40ylEbK3etwvGfxj86WP0RJp CSVNlaRwh2vCFKgW87cW1kVoKXwwFZyoM3Evk9jMixv3y+C1b15v9W9lkD9u AobAUtKelFztyxXBvtKLsI2ulFq4ipVOyfeumqIQjKE0k00Z0sXcJWEBt/Pd SzyEvWqU3cSAumSlsfopDq7WspvdfhXWInQ1Fz7DAInJWGUFnfji7O3bULSL 3ZfddU08o6u5CEQzkwcLhHDTTyF7Yn2VFfeznLROrFzBFEx2Jwlyw1oKynai UGoYZeW7zkIJJIslxy20rClDwQDWnmntqxRlhNaYOU33xcvFCbPhk6dZHwVJ yWCnD22FyyRFERZJkMiIWHw7YRcv0wjxIzjM0L0G/8V73+oRXC4RPrCecfHx 6ufibd1zLe99cfT24gN98vbRHkd6ush4knMG5ICPppXslWelBqEvv3BC/8rt 5zQG55IF7KVh3tmhhGXrjsPNLhs3kWBWo9gcLqyxan3ND5eik52ch2XnOy7S +ZOmIanATPKGeJHofZBULo47iusWtex4BVsNppQv5LV94gfT6HqSq8RunUN9 RvmbhYujlmSBmDNWxpintOiUZIrYWUXdtmn9z2/E/JL8sZgrJ8VL0T3NeeyW x8ZKyUwLrDRjOMHRvVzcLD/UR9DolpHDM91x0SblpCHXRqq+eK9857LLZYvW pruAE8YMeH/8REgzk2vYTxlTJxMKm9mRHm9cWTUHitrQ/wHjDmjVmSs32scK KGHzDrgCtmIhLmMBuKds7PvPFVH0CtIs+ryBYmZu6aXYOd2Bc05K5CSGqy2m coMmXJk7dGWRT8VLQ+RZG0MgBJhTWIS8kx2ptdJ5Br2WMyV+zIjv6uiUDwQb CAhvkvaogiFWnpLa21H55f2JG0zwMjixSvfmp0+f3r25Ov/p0y9vPvx0+U4k S+wVJ22fJggkVb1SOkHqleesZElpgIcKPWpV4i2IjZrDPXQEPbwm708tOKfM IyLftKVyAIZ6QyeAsFT+CRB6fwAKU0+uSz25SRV1AhBtMpMChVnkWcj4kfFl QUtUeoy1K1Z0yj77XtFZKLXMX2L9blxZkSIKWoWmjd5xe/pxJvGQ386YzwpS wqelqYfgvaohCJMnyUpJZ0ct0bQO6Rp5iSNGsr2GkDy7uYlB0LNOe2ZyiEBi TFYONQGXNpCs4ZIoNHVNOmL24lgSp359PYraSVzqSzEOpCFZwmKs9pQZSFni kxTZkWXvAiJaYk/OVvZ6LdLLSCmTN/D4nPhWdx2atEWN1q4sTNpInDqWljIB 3MKloyhkmubyyzy04klmUggxGtowsiuxrDU11FdOVN79dSRCHnrd2SCjPlWP sikUK2amaO4sCoZptnKRrB8R5sOyBpVeSoNNFYKpKHtnOW9Rrfr1O1A2EsnS PhJM7VLy1osrtqBLKnZjx5b56+IPHCCbiWs/qPt04rx4I6tXS2s1Us1CW37k 7Z1RnuAw4YArvEy6SeBAgme6OMwiQVlZbC/hOSgf3N2/7Pt2KRVhHFCW5Ftz 40tEM8iBP2jXyOdPnjzTSuEkH1Tz1ptDCSXh5CH8b3UJmVWZwJnn0SAOPXTc 0aCic8XeBtqz0y41eLxEj1bzlV/npOSIEW0WpgSQbR6aN8cDOcRurI9hadc/ 12s+NOssybnjnnVJ9yo2XMRt36u1mJR9ofFkGIAkswjeT4smdDpXMmvCgcNq L3EpCNWSLcn4agLB+9D0amilp6lZglCfOmIDzA6sMiZUsIiNM8ZC0rBPLfjM e/BpjQB2JQJRtyMLcNZsCKPnFfhpI7VJ1IM5BnuCIoQOjfDCa8L2nj59MuOu zu0NsndpY/yTk8WJs5+f6lSBfBSP1BlJLjkazFj/0iHDbaBKGAbFZTI8m27H He+CLZNBaosk/pEQ8VoyiqUibdoOA+BTcDPjCToLe4/KHib0tc9qohPgGsli nK+m45uyEQrAgzopWbnBNZgIsxCJub4PnaW8Ds0JVkts6hjMjwnJTst+nFF9 8APlZT7sjYlKcsTdkItcBb6cxSzZaGREkV5cAXhJI8sEjRYHayOPEoOflBTm hk+i6Wx6tBkM6vwY45in1F9EQoZvorfhNy+fvNQ6n1J87aiMv6kb8ZpoAFqQ LG1eyq0tCrARRsXBujQEiHA2h7k0AvYHgY8X/mH95A+pmJuz/8DZFO3iUzKH 4+jsw8WnR0U2sWdov3i+LPrKxqJJPEIc9CJyLBwZU7+1Q/kqZB/HLCcrbR17 a94k9ZNpX6q0hDa4s8uDOlAYBSLvUiszQiMVKXwKPhKa3oBq8okCqcXmJNTN TLwSX4iQGi4leRGuFYigogwcJTiTEiESFesKRbedV2y39rnaFNseS+ejBHSf GQYEf+nk1ZJdKBY1LinZ5hEw4RFHSqz9pFbFEv3qGxbuEvPOOogvhWNoCBYS XqRFufYNCUnyCTnEBKZ0dyRvG/Uy1xZwonX4L5WtmZZ7aLiDzGWS5kAudCJY ayg3mba42Vgb1wc2s3BvtTrIele2fTqGLGCXuLs04Wbdgqrp1aTPWZZknEg2 kyY8cjRNhGELY6J5aqYPY2hYEMh2O24a7dYotdlBVZV5EdYoq7RPuGuxsx/k DX9FPKDtdMWqxr04m4gJ1zLOUMXFvsBFoZHsW/iolmqbZiiKSEozaW/I7Azu 0Bl0aNSobZY7qcnps6kCr537eyHfZ0+KefH206VypZPjJ0+/fbMvT07x7aer C2tg/ur4WfLtq+Nj+hpTiGGD0n/id8+e8Iu38c3PXzw/TX57cnpyggf8dsnZ GGhJKUzdcIOzznJATYAUbzeBkPv9Ww4hZ46tEHysmUti23JyszMrJPWi5y2z g1LC7QL8jQgor0F2Qkbh42S1QMdg1sB5z7XNsPSTATc2bisLmXJj28ZxVNo6 3fU2ay52u7aGjXa+NAnIGq2YFsODeiapFHESXujnjnEMKSWZyyEMBZXMnp5V pZ4DitaVcFqt0fnoNKymm0wv2v23Lvp3yVkGjomhFKeyAk7WZCkb/frAtkV2 1jZoT4yXmXk6/Q5l0Sx/GUVVSHVckvX01cmz0//3f/7v82dEDjMbteF0wgYu GgDQTfV6+GRMmqWJpzQQ8pWT897Sf+H6Ugue/VCJh/CjxUesuFIEen84hpKN oglp//LnH/vi/CJ0LVcVd7ZXzsu9OActfpSLDAFj4W5wX+is1mjnJduJ+tVb uB20SDo50/lbJ17HNOKPF9QV1Ei9Bt4WiBulExyRjWdnn4fye+ten4RewuFM I8+a9s5cSChBrFoq8NSOQZOQpOxbEgDyxAWSGxhw0pEN6M4vbp+HHQiOvXz1 8gQ4FtJ1mYdrvFX0GWk8DD9P/Kl5AV8tnkcnIOpJRW0QWubpYRqLzGYKJNnB shynCLWkpNxH1yHM+JWD917ZmiQZ+HXN/mDAiJ2hEvlFjOq314R0xd0dXEna dErn4Iif8RJ1gl2aL+I0lVtvBqn3tc7HY+35Tjs572W68F7iPBTNVnBwMJq1 EM01i8d30opGyXS/pH2aV0SLmNMyqk3J/NekN0ZyJOicOBBtof79W6zjpE2t h4OCnk+9DcGPpJESZwEYcSTKpoWVXDqZUqYgicTIZ01i9C/b+8GvSAbARR7B lXwn1fv7dhI1dPqg1xmYGpcfZaaZpoopzhPfaFcSqVKOP13LSWZgiFAjPcXa 6B5wakrFtkZtuf+ZJh5hLy4gYdaBKKKmeX3WEnZMS27ZGb2IE/uu41CFPvVa J53z4qxfhgPEAfe3TYMklp5qAEmAnLhztzL1Wq6OmBVUFpL7dPQlg0y248K0 MU1Mks6o0+YvUEV0rqKFQjREHHrEvgvxQGuvfDCoXWux4o6nTdXNbhw0gjW5 ltglTqZgHHBsTBdB07DGIiUG79A70kFP1+YFUJJJKMEDCzjzZKlNNo6Ng6+W tKv8pDjUhizRDc0VueQgvCbKVFZFnqZDaENX9mRbtyhLtTiQQVu6PdZRxDEq 0TBmqyM2RZ6kChufI1J1DKI4jCRmGax5xjexvZjvpqdS19rkByNnC1sdd5Ba sgXhlPph2suQ/kki8Kml5mbiEJFUdyDvP4Vk5g+Iqf3x6sSeNv8+O7IQTiBe ypUk0sZfOWZxGbWJh8RppltdJT1cfv1umnKo9J4m1fNYkKzAgzPmoDpgVghK cl9r/KUesmT7WdK7I6adIz9yluXhc90UO/OZgf1G+9fU0QcSiyngB4PI3z80 2PNwUkR4W9rnRi0sCbC7B3IinsUoZtKhTEIFafVBbQ1CpDLhYIFI8WbqR3Ng b6NMj7M3qRlk2BMKcSdzIvIWUpDuyfwYQyzJAiAutTfcSFfxm3LXy1CvySud TZPVDFo0Up5O1bXx1MkYXhu1p0mF3AWCbiC0j+QdzVKJIBEM7rtgaoekX6LA IZtoJUdHw7bEezjZFUfBKh3DFdthZneF9+RDpPvcdRh7XHKmsWC0OMKS38ys qZxMdLARD5Z6gZ2gjc983MX4sySjIqL6RUospyLNfxUNvorZ6dYHIua5sVex j2ZFOl/oUJeApGeZEkQy4ysJoXGvonivPGCunPZos8En+8toaCpbzU1WMyk8 bSCQ7CJPJHCYaZSmEkjo8+HhtI8S0XcgKy3mofVagiazTdjwh32VlCdbdASb vpX+f0KNmlsvU78aYC6cbGydqQ9V8oOaKXtkYWb5Hpxg/kD6yZFM4OWMjrll QUmm8eSNVtyT5L2zT2Ip7RxCmquz3tei4TGhaBpXcpPW2cZyfZC6P4+1H70E S6eMnQN7YQA85x73A2O9hvH2GgYFEQDyd5H8EzzjNTD/GBkaYmoeXtasUTVo 0QtYswGYH2lGXDaga7mXtFQ3Qf0J9XL7NR+pXpfYNiSIz5Nv3iHpkQcxKBPP vAUknNU7MEnzV5daMqC4zSLm6kkYG21N6cXba+Ojxbkwi/ndodwsaWWpzeJY XiWNDRECjKPqXN4g82DTSfXNhG407y3TPv0tuqmybz4Jc4nfJ+o2k0ST7Hlg mzhO2IzhJGk5pkTZM8gl9drpHo6wTdOPQytm8WNl9uqjmZOx9/wAJ93rWrZM a9p4lXiCsnfwRKrcnp2pJyZu3ax71RxTXEzdrw9uJ02TTMs0ZGCMpPwll5uK SzHDczNdbb0sT+4/4x/501aA5ZaIonBZDrcdThoNx+m6Mw7TNfexXSoaqUsQ Oplp2jsbPG2enN+BzKHGVaJaA0sedkhoowdpSmMmpngBXfqrh6+XLYewcJh6 zg4KjhAlmJf2igwYp+34w+ujD1My2pKgOtnUIZUn5PslOp+53ehBrfEQowpN DgIvSy6mR490VdBoh8t1olFknLfPG6DW1sVGFRtRUGZOy3gnmmPaOCau9+C4 MbNhZd6yOsVs4i9U5PmPYQJG7nOdOJBt/FMyMSO7ullWzGSKpijkWhvwELpN Uxtf5JmNutHefI8Ya+bCAE8WtDbkJDQBn9LgIXN8Fma5SKF6pZ43a/EW5gTu ezSgdSdzRNnB0yJrqW5cKO60FnVRqOY/WUgczGeVlEIu+YxSxlxxPOqM02Iy 49TiuGk3BnYDTJ5bJiPq+F2EbkanmS0fZiwVoT/2BKh8qlmoTAyuTcnpkwS6 x5JOmHE3viGlJwlwWGxs2fJwYQ1N2PgjvXskhOaHQUl91pl8ua79rdwyn5zH dvVxYE8yHzYK3yaYRBkbeq86lRisYbJyqJOG1wf64z+x4frhh3/MhSzubx7u T1wJ3xUfSXzeiFf/SuY/fkh8znzxuSKTRHPOV7nT2SbASoc/GEL9VJKwYGwC zxdXn8u6f8TV23CFeXwoRGe2C/dm3Ur1tDIqyc2Ci7KRVwkvgqI6Dtzq25zn ipj2k6XMas47tIjrUx2SPDKDHpLqSaTG8SBxF4NFE7XAyZjIOMiUEZyHBuec wFKcW+tzrEk0W7mcPA4g7RM1AXRifoF5JwPXYSmXm/seE8akUm9TrzyMRjFe 6q+hRfcDoipGBxLrXRwPGtd4Q0oU87s4oqCXawSB3N+V91yILfBBKCAMW9uP /dVNnOgH3sUSr4STWzonKPidWhd2k3zBIdIHH0iOdNyDDhQrlX5a04gGOzXD liuVeVeSmK5vlTmMabltjX+WjUfSYdh1rwxHmtty4bFlPdgoUps6FjEh5d82 zwAFKz48oHdfJ9NXkVYqgQab7svFLGYqyGQe616XdgqwJIFZpJ5yKivKjngV 8CbU4eEBm8qpo+mHdEyLiF6mKUUTfn9kmWox21zZVQIzK1KRqQ/iGU9KB6Mz JoW5S37PESCJjUsciEEkAEn6PgmT+5mPrILtsx9kIAX9K0y4iJER6xMqj6kS mzbuNL21jC5m63Hjra5MdQzrR6P1m6kLGjixBO86UPaOMJpoc1akOXErq06L DV7fh6Lc0Gj+0OLSMSgK03lI89pTdrNmppO+Bp2CjAd0Z3GBrH1sx54YjIoN M+rScJSOPCl4JrhvQuL0Hv0zI98hIYSWx3/UxMinIwGWqtgk0Ykwi8WiI24y OVh4ivRH1vIhdqgEzQ72W0hEsTRM25fTkmiMzmwDsR1UlTQDRDohD+s4hzZ1 QLrJPZylwQrFlH0dUplZhqywQFywBbK9GOZYKhkb81/3cCW/TxfxXDyLBAGk VaYF1AeWYqc8r8NTw7npn2zU0V/8LBKNtSFQHFcmefqsw3x+d/X5z6zGVOMX L2oMo/1c38BazKTlL/LEjl+82K9XEbUpJDyqIzAO+EMkJ5lNSgxTdNCE9tl9 IZO9Kx3iEwKenIbZz/LGCxrFZia6bSvUzLNbpiVk3q0xqm1zg57ma+msoHNG kywEDvj8K6G9KkSapVYc/Wt7Kfn7by/fXAj7ktakYTpBaK0/U1dKnPc5CXBu pDDKWT2Nir4utBEQwdJLYVWgFNPSQ015ljPWdjHsbX29HScXPBOto/gVmgbL jlkwlfmPWHHBT4CwZ2ka0reZUxNAO8Pza1HnB/CQtK+QkwkD+AjQsZTn06cv nhFasMfbPAK9VNTvz0lRR/+KrBiuxxAji0cqy0C48t7Z/KVYwzZqA8cQTVaS 3Qd4GsMPoe+M5xxIxkjH2ob7xBEx1tmCVxwP1iTv589e5O2vtfJK/aYBZOwg 16GOkiNlfoIDhTB9/vajWtlqx5OkB/UmxhfK9Wuxdu+30k+z1Rm3b64uHrGu 7Jt8+k3Qu1j7mAyt3UM3EW0q0wASDSAl8+7WPIN2L7uPDXBMPQCq2dgDHZGp ZA5sD3vz0r2yl1YXSWHX5gAWKfmgGawTeahO1L1kauy5T7LhOUc9ddCkKJFo ESqdkwhIzLjWdvJpVlPaDCVXtfZixfsLcjMSyYGJ3ehCBmuJujTxByO7jLQ2 HmWIyJ4f1Lc3IQTJ3UQUmqUARzUSvIQ7lOd1mDMRWMVj4RTQvb/RuTFpfCE2 4vcJKoBpBIdZnBU/EarSENjCD6krPlwqWkVqcxDR6RJ0M1rQDS+1AZJl9GzL 7otwCBCJiduO+BhyxKUhSLKkZIuxfyI23DTEjCOdkpHR/2ZaD0TDm0zU/Mmc TM7pU+K1kYsXhTS4qozW/9gnITEtYsClilvXWWRax3GJKMAcUXVbc5JkX0Ru zSUGlV9uyi7EFuoGs/AIW0iU/x0L/vNP/3b2+fzs09XlP3I+4qtXqEA8Cw52 xVbN5rSBN6G2QlCadR0ZWCAFb/UmKdeEN2fwneUjzxzPPmPnj8xxTx5Nxlrp tG0kNhRnUi+114uFXcQ6gTM4QyULRHy6U9UUZBoG3BMNcLgNRoGdKCYZcVAt RHZsKtIQKqGgxJygsKlTqKCuV6cgxOKmrHYxZBdk2JLktPRxsiN6T2+IdXAs yNbKx82qEm+jRNPEv3C/9Etc7Ktj1CCpltETAAftwqA1GYO1XyYjnS5mfudl TF/EXhFV4XoeOIK15mdYBwr5LIWR+bSvRG2ydiXIVGdc6MWaTgsqe+2rgdSK EG5e2Kut2Qf3AV655LFNUjbDje+VX8YcwyXi01y0g9Bi+J0LuKOCTT1TrHiA f3ACkAx5DpWDpbS2ICtaVgj5pcxQ6v4LEBGJjL7D3F/m1VlyRE5Z0osFF4MH 3wZHMd7yibDWILzXciAyaO30Uv52PZSxZ+zFZZgkJQn747fYRNB3zpN3ihJk ndVcUryedVYDh6PnQbMHNsZYZOWs0Pt0cAqnTs2lgWl0mydlXYLFnOOofU+h ekIP5KnfTTXFIMHroAqEO5dOHa6U8hDTAuKaOr892eMss2lrK5W0H7gtvJEI xe+GTPablyjlQkdyxJNHFmfmwdya1GRljlxaok+ePtKxwCO8vkMSsBcht/fq J48cx1s5TQtxNkkttJerhElL2mQKg8klPZnMks/iN8/ww78BW1bSUKesuecx 5Gucr2Wdm4IxxqopCySt0nh1enqSMVwrUUibJmhneXXfuNiZAsdMxnklva5s nQVth4vR1PHAcxvN1MZ1cBV4uZetY4U6kpFnx7CSHHUmW+Aq5NC4mEO0r8HN wFoI0JDTxy+5NqXs8wXYXXmghwOPhHb7j0rz02Tmz8a6JpdaoSwt36VdnOrA FZH3DvN5w7QJ6UteC9jgLYCS/O8hvB7gm0XSDRamYSSmk6bHCGPMxpf1OgE+ xJl1TKU2VeUbycdfJj10/f5FsLmONrE2eEybzMvaMZuJ6w9sdPTBrlpILLJu YElJLjcaJk2e2+QGWa1e3tVh5BN9JrWCWkkenRgqmhpz9umMR7+ghFNQULln 1S5H5o8y4LYwIxEUh199XwQPShMqkX79VTp1fHPTdl/pmTXG3Ged9vaTRrmF Qaj2tUriPu8oIDgfyoTiT/Q0LASJu4xsLk5PCuYjFqk+sMweyNUMTm0LitG3 b99nP3WTn5q6hn7LnTS13TfRtY/3xt9CqeBau8O5syEtczE5A243CTthCMUO HV2silH4Ff1Pu+VkOGvpoipUcpzUBC+/eA1wal99mw4Otm0tfuLuCMjvxUGY 1jlIYSBJD4sO2kjeUnZ840Oo1qrY94pcRHJyO5E0doU+JPIKKQzSx6Ud4eqA AzbGBkMOZ6eEhNx71szvUP3PrZgtZqhzKA9XFWm2fEg0ufYBBcxloZ4W6RwP qkZH9fq2XO7ll6JvF4REqi9aBwuS3rHdCKKJo4TnmpBVjeCssQ3144dWLqHl xIpJSF9/MxIvIf6U+OUCIiejv1VEfC9AlWk4HMjUiTh7ycn6etT3RM6FZyYN DZPeyuLETDuqIOpFaDDnHeGGgwdbMu/TstIU9fJOJLED8wPEnfapxm+SZlbR /RZ7bUAgQq2bR+INlcIaKCg1jMtEp+Uus5hKo1FUGyERqf5Qb7m0A0JesCmd rdquF2sp1qzufAvJxQZ87IAlPQZZJYdZgTgCR9o5/Gh+U2l/nrB9Lv3+sUVt z/uy7tZj1w/0yTkJqMs7Msnx7xt6wYeRhN3a39LfH8Yl7fSi7AgF6c+PUHx+ IHOt3eGvkpDxU8sjvNblVj6hP4q34xcf/7pat9ueLNC/p4uGmTx2DQnlvy+u SJjc07tHsm332qeBkeMuubVVCWUD9XNlP8zRLbfAfGl/B9p6syYrqvjQNiS+ vzBXOUeLhs8YW9eb2cBkcwdbLIyRib0t1Cv4bgSNlI1M1RCVhBl98ae2q/9K f50enx67G9BYQYLZy9jkpl0Uz1++fHp6UnyUYqvQtP0sjetKc+GPdUWEcd2S DHfn0CWIpoujj2cfz1Vf181cEuPqi0ueg0OSriN1GD18+C3vqtEssc++94ge 82/phU17q/VovHFGGLRCwyZPni2OT5+/NJNf/XTBLhTHCwl3QkIvrq3/D6hB sf0/wAAA --></rfc>