<?xml version="1.0" encoding="UTF-8"?>
  <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
  <!-- generated by https://github.com/cabo/kramdown-rfc2629 version 1.2.2 -->

<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
]>

<?rfc toc="yes"?>
<?rfc sortrefs="yes"?>
<?rfc symrefs="yes"?>
<?rfc docmapping="yes"?>

<rfc ipr="trust200902" docName="draft-ietf-quic-transport-04" category="std">

  <feedback xmlns='http://purl.org/net/xml2rfc/ext' template="mailto:quic@ietf.org?subject={docname},%20%22{section}%22&amp;body=%3c{ref}%3e:"/><front>
    <title abbrev="QUIC Transport Protocol">QUIC: A UDP-Based Multiplexed and Secure Transport</title>

    <author initials="J." surname="Iyengar" fullname="Jana Iyengar" role="editor">
      <organization>Google</organization>
      <address>
        <email>jri@google.com</email>
      </address>
    </author>
    <author initials="M." surname="Thomson" fullname="Martin Thomson" role="editor">
      <organization>Mozilla</organization>
      <address>
        <email>martin.thomson@gmail.com</email>
      </address>
    </author>

    <date year="2017" month="6" day="13"/>

    <area>Transport</area>
    <workgroup>QUIC</workgroup>
    

    <abstract>


<t>This document defines the core of the QUIC transport protocol.  This document
describes connection establishment, packet format, multiplexing and reliability.
Accompanying documents describe the cryptographic handshake and loss detection.</t>



    </abstract>


    <note title="Note to Readers">


<t>Discussion of this draft takes place on the QUIC working group mailing list
(quic@ietf.org), which is archived at
<eref target="https://mailarchive.ietf.org/arch/search/?email_list=quic">https://mailarchive.ietf.org/arch/search/?email_list=quic</eref>.</t>

<t>Working Group information can be found at <eref target="https://github.com/quicwg">https://github.com/quicwg</eref>; source
code and issues list for this draft can be found at
<eref target="https://github.com/quicwg/base-drafts/labels/transport">https://github.com/quicwg/base-drafts/labels/transport</eref>.</t>


    </note>


  </front>

  <middle>


<section anchor="introduction" title="Introduction">

<t>QUIC is a multiplexed and secure transport protocol that runs on top of UDP.
QUIC aims to provide a flexible set of features that allow it to be a
general-purpose transport for multiple applications.</t>

<t>QUIC implements techniques learned from experience with TCP, SCTP and other
transport protocols.  Using UDP as the substrate, QUIC seeks to be compatible
with legacy clients and middleboxes.  QUIC authenticates all of its headers and
encrypts most of the data it exchanges, including its signaling.  This allows
the protocol to evolve without incurring a dependency on upgrades to
middleboxes.
This document describes the core QUIC protocol, including the conceptual design,
wire format, and mechanisms of the QUIC protocol for connection establishment,
stream multiplexing, stream and connection-level flow control, and data
reliability.</t>

<t>Accompanying documents describe QUIC’s loss detection and congestion control
<xref target="QUIC-RECOVERY"/>, and the use of TLS 1.3 for key negotiation <xref target="QUIC-TLS"/>.</t>

</section>
<section anchor="conventions-and-definitions" title="Conventions and Definitions">

<t>The words “MUST”, “MUST NOT”, “SHOULD”, and “MAY” are used in this document.
It’s not shouting; when they are capitalized, they have the special meaning
defined in <xref target="RFC2119"/>.</t>

<t>Definitions of terms that are used in this document:</t>

<t><list style="hanging">
  <t hangText='Client:'>
  The endpoint initiating a QUIC connection.</t>
  <t hangText='Server:'>
  The endpoint accepting incoming QUIC connections.</t>
  <t hangText='Endpoint:'>
  The client or server end of a connection.</t>
  <t hangText='Stream:'>
  A logical, bi-directional channel of ordered bytes within a QUIC connection.</t>
  <t hangText='Connection:'>
  A conversation between two QUIC endpoints with a single encryption context
that multiplexes streams within it.</t>
  <t hangText='Connection ID:'>
  The identifier for a QUIC connection.</t>
  <t hangText='QUIC packet:'>
  A well-formed UDP payload that can be parsed by a QUIC receiver.  QUIC packet
size in this document refers to the UDP payload size.</t>
</list></t>

<section anchor="notational-conventions" title="Notational Conventions">

<t>Packet and frame diagrams use the format described in <xref target="RFC2360"/> Section 3.1,
with the following additional conventions:</t>

<t><list style="hanging">
  <t hangText='[x]'>
  Indicates that x is optional</t>
  <t hangText='{x}'>
  Indicates that x is encrypted</t>
  <t hangText='x (A)'>
  Indicates that x is A bits long</t>
  <t hangText='x (A/B/C) …'>
  Indicates that x is one of A, B, or C bits long</t>
  <t hangText='x (*) …'>
  Indicates that x is variable-length</t>
</list></t>

</section>
</section>
<section anchor="a-quic-overview" title="A QUIC Overview">

<t>This section briefly describes QUIC’s key mechanisms and benefits.  Key
strengths of QUIC include:</t>

<t><list style="symbols">
  <t>Low-latency connection establishment</t>
  <t>Multiplexing without head-of-line blocking</t>
  <t>Authenticated and encrypted header and payload</t>
  <t>Rich signaling for congestion control and loss recovery</t>
  <t>Stream and connection flow control</t>
  <t>Connection migration and resilience to NAT rebinding</t>
  <t>Version negotiation</t>
</list></t>

<section anchor="low-latency-connection-establishment" title="Low-Latency Connection Establishment">

<t>QUIC relies on a combined cryptographic and transport handshake for
setting up a secure transport connection.  QUIC connections are
expected to commonly use 0-RTT handshakes, meaning that for most QUIC
connections, data can be sent immediately following the client
handshake packet, without waiting for a reply from the server.  QUIC
provides a dedicated stream (Stream ID 0) to be used for performing
the cryptographic handshake and QUIC options negotiation.  The format
of the QUIC options and parameters used during negotiation are
described in this document, but the handshake protocol that runs on
Stream ID 0 is described in the accompanying cryptographic handshake
draft <xref target="QUIC-TLS"/>.</t>

</section>
<section anchor="stream-multiplexing" title="Stream Multiplexing">

<t>When application messages are transported over TCP, independent application
messages can suffer from head-of-line blocking.  When an application multiplexes
many streams atop TCP’s single-bytestream abstraction, a loss of a TCP segment
results in blocking of all subsequent segments until a retransmission arrives,
irrespective of the application streams that are encapsulated in subsequent
segments.  QUIC ensures that lost packets carrying data for an individual stream
only impact that specific stream.  Data received on other streams can continue
to be reassembled and delivered to the application.</t>

</section>
<section anchor="rich-signaling-for-congestion-control-and-loss-recovery" title="Rich Signaling for Congestion Control and Loss Recovery">

<t>QUIC’s packet framing and acknowledgments carry rich information that help both
congestion control and loss recovery in fundamental ways.  Each QUIC packet
carries a new packet number, including those carrying retransmitted data.  This
obviates the need for a separate mechanism to distinguish acknowledgments for
retransmissions from those for original transmissions, avoiding TCP’s
retransmission ambiguity problem.  QUIC acknowledgments also explicitly encode
the delay between the receipt of a packet and its acknowledgment being sent, and
together with the monotonically-increasing packet numbers, this allows for
precise network roundtrip-time (RTT) calculation.  QUIC’s ACK frames support up
to 256 ACK blocks, so QUIC is more resilient to reordering than TCP with SACK
support, as well as able to keep more bytes on the wire when there is reordering
or loss.</t>

</section>
<section anchor="stream-and-connection-flow-control" title="Stream and Connection Flow Control">

<t>QUIC implements stream- and connection-level flow control.  At a high level, a
QUIC receiver advertises the maximum amount of data that it is willing to
receive on each stream.  As data is sent, received, and delivered on a
particular stream, the receiver sends MAX_STREAM_DATA frames that increase the
advertised limit for that stream, allowing the peer to send more data on that
stream.</t>

<t>In addition to this stream-level flow control, QUIC implements connection-level
flow control to limit the aggregate buffer that a QUIC receiver is willing to
allocate to all streams on a connection.  Connection-level flow control works in
the same way as stream-level flow control, but the bytes delivered and the
limits are aggregated across all streams.</t>

</section>
<section anchor="authenticated-and-encrypted-header-and-payload" title="Authenticated and Encrypted Header and Payload">

<t>TCP headers appear in plaintext on the wire and are not authenticated, causing a
plethora of injection and header manipulation issues for TCP, such as
receive-window manipulation and sequence-number overwriting.  While some of
these are mechanisms used by middleboxes to improve TCP performance, others are
active attacks.  Even “performance-enhancing” middleboxes that routinely
interpose on the transport state machine end up limiting the evolvability of the
transport protocol, as has been observed in the design of MPTCP <xref target="RFC6824"/> and
in its subsequent deployability issues.</t>

<t>Generally, QUIC packets are always authenticated and the payload is typically
fully encrypted.  The parts of the packet header which are not encrypted are
still authenticated by the receiver, so as to thwart any packet injection or
manipulation by third parties.  Some early handshake packets, such as the
Version Negotiation packet, are not encrypted, but information sent in these
unencrypted handshake packets is later verified as part of cryptographic
processing.</t>

<t>PUBLIC_RESET packets that reset a connection are currently not authenticated.</t>

</section>
<section anchor="connection-migration-and-resilience-to-nat-rebinding" title="Connection Migration and Resilience to NAT Rebinding">

<t>QUIC connections are identified by a 64-bit Connection ID, randomly generated by
the client.  QUIC’s consistent connection ID allows connections to survive
changes to the client’s IP and port, such as those caused by NAT rebindings or
by the client changing network connectivity to a new address.  QUIC provides
automatic cryptographic verification of a rebound client, since the client
continues to use the same session key for encrypting and decrypting packets.
The consistent connection ID can be used to allow migration of the connection to
a new server IP address as well, since the Connection ID remains consistent
across changes in the client’s and the server’s network addresses.</t>

</section>
<section anchor="benefit-version-negotiation" title="Version Negotiation">

<t>QUIC version negotiation allows for multiple versions of the protocol to be
deployed and used concurrently. Version negotiation is described in
<xref target="version-negotiation"/>.</t>

</section>
</section>
<section anchor="versions" title="Versions">

<t>QUIC versions are identified using a 32-bit value.</t>

<t>The version 0x00000000 is reserved to represent an invalid version.  This
version of the specification is identified by the number 0x00000001.</t>

<t>Version 0x00000001 of QUIC uses TLS as a cryptographic handshake protocol, as
described in <xref target="QUIC-TLS"/>.</t>

<t>Versions with the most significant 16 bits of the version number cleared are
reserved for use in future IETF consensus documents.</t>

<t>Versions that follow the pattern 0x?a?a?a?a are reserved for use in forcing
version negotiation to be exercised.  That is, any version number where the low
four bits of all octets is 1010 (in binary).  A client or server MAY advertise
support for any of these reserved versions.</t>

<t>Reserved version numbers will probably never represent a real protocol; a client
MAY use one of these version numbers with the expectation that the server will
initiate version negotiation; a server MAY advertise support for one of these
versions and can expect that clients ignore the value.</t>

<t>[[RFC editor: please remove the remainder of this section before
publication.]]</t>

<t>The version number for the final version of this specification (0x00000001), is
reserved for the version of the protocol that is published as an RFC.</t>

<t>Version numbers used to identify IETF drafts are created by adding the draft
number to 0xff000000.  For example, draft-ietf-quic-transport-13 would be
identified as 0xff00000D.</t>

<t>Implementors are encouraged to register version numbers of QUIC that they
are using for private experimentation on the
<eref target="https://github.com/quicwg/base-drafts/wiki/QUIC-Versions">github wiki</eref>.</t>

</section>
<section anchor="packet-types-and-formats" title="Packet Types and Formats">

<t>We first describe QUIC’s packet types and their formats, since some are
referenced in subsequent mechanisms.</t>

<t>All numeric values are encoded in network byte order (that is, big-endian) and
all field sizes are in bits.  When discussing individual bits of fields, the
least significant bit is referred to as bit 0.  Hexadecimal notation is used for
describing the value of fields.</t>

<t>Any QUIC packet has either a long or a short header, as indicated by the Header
Form bit. Long headers are expected to be used early in the connection before
version negotiation and establishment of 1-RTT keys, and for public resets.
Short headers are minimal version-specific headers, which can be used after
version negotiation and 1-RTT keys are established.</t>

<section anchor="long-header" title="Long Header">

<figure title="Long Header Format" anchor="fig-long-header"><artwork><![CDATA[
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+
|1|   Type (7)  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                       Connection ID (64)                      +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Packet Number (32)                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                         Version (32)                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          Payload (*)                        ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork></figure>

<t>Long headers are used for packets that are sent prior to the completion of
version negotiation and establishment of 1-RTT keys. Once both conditions are
met, a sender SHOULD switch to sending short-form headers. While inefficient,
long headers MAY be used for packets encrypted with 1-RTT keys. The long form
allows for special packets, such as the Version Negotiation and the Public Reset
packets to be represented in this uniform fixed-length packet format. A long
header contains the following fields:</t>

<t><list style="hanging">
  <t hangText='Header Form:'>
  The most significant bit (0x80) of the first octet is set to 1 for long
headers and 0 for short headers.</t>
  <t hangText='Long Packet Type:'>
  The remaining seven bits of first octet of a long packet is the packet type.
This field can indicate one of 128 packet types.  The types specified for this
version are listed in <xref target="long-packet-types"/>.</t>
  <t hangText='Connection ID:'>
  Octets 1 through 8 contain the connection ID. <xref target="connection-id"/> describes the
use of this field in more detail.</t>
  <t hangText='Packet Number:'>
  Octets 9 to 12 contain the packet number.  <xref target="packet-numbers"/> describes the
use of packet numbers.</t>
  <t hangText='Version:'>
  Octets 13 to 16 contain the selected protocol version.  This field indicates
which version of QUIC is in use and determines how the rest of the protocol
fields are interpreted.</t>
  <t hangText='Payload:'>
  Octets from 17 onwards (the rest of QUIC packet) are the payload of the
packet.</t>
</list></t>

<t>The following packet types are defined:</t>

<texttable title="Long Header Packet Types" anchor="long-packet-types">
      <ttcol align='left'>Type</ttcol>
      <ttcol align='left'>Name</ttcol>
      <ttcol align='left'>Section</ttcol>
      <c>01</c>
      <c>Version Negotiation</c>
      <c><xref target="packet-version"/></c>
      <c>02</c>
      <c>Client Initial</c>
      <c><xref target="packet-client-initial"/></c>
      <c>03</c>
      <c>Server Stateless Retry</c>
      <c><xref target="packet-server-stateless"/></c>
      <c>04</c>
      <c>Server Cleartext</c>
      <c><xref target="packet-server-cleartext"/></c>
      <c>05</c>
      <c>Client Cleartext</c>
      <c><xref target="packet-client-cleartext"/></c>
      <c>06</c>
      <c>0-RTT Protected</c>
      <c><xref target="packet-protected"/></c>
      <c>07</c>
      <c>1-RTT Protected (key phase 0)</c>
      <c><xref target="packet-protected"/></c>
      <c>08</c>
      <c>1-RTT Protected (key phase 1)</c>
      <c><xref target="packet-protected"/></c>
      <c>09</c>
      <c>Public Reset</c>
      <c><xref target="packet-public-reset"/></c>
</texttable>

<t>The header form, packet type, connection ID, packet number and version fields of
a long header packet are version-independent. The types of packets defined in
<xref target="long-packet-types"/> are version-specific.  See <xref target="version-specific"/> for
details on how packets from different versions of QUIC are interpreted.</t>

<t>(TODO: Should the list of packet types be version-independent?)</t>

<t>The interpretation of the fields and the payload are specific to a version and
packet type.  Type-specific semantics for this version are described in the
following sections.</t>

</section>
<section anchor="short-header" title="Short Header">

<figure title="Short Header Format" anchor="fig-short-header"><artwork><![CDATA[
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+
|0|C|K| Type (5)|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                     [Connection ID (64)]                      +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      Packet Number (8/16/32)                ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                     Protected Payload (*)                   ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork></figure>

<t>The short header can be used after the version and 1-RTT keys are negotiated.
This header form has the following fields:</t>

<t><list style="hanging">
  <t hangText='Header Form:'>
  The most significant bit (0x80) of the first octet of a packet is the header
form.  This bit is set to 0 for the short header.</t>
  <t hangText='Connection ID Flag:'>
  The second bit (0x40) of the first octet indicates whether the Connection ID
field is present.  If set to 1, then the Connection ID field is present; if
set to 0, the Connection ID field is omitted.</t>
  <t hangText='Key Phase Bit:'>
  The third bit (0x20) of the first octet indicates the key phase, which allows
a recipient of a packet to identify the packet protection keys that are used
to protect the packet.  See <xref target="QUIC-TLS"/> for details.</t>
  <t hangText='Short Packet Type:'>
  The remaining 5 bits of the first octet include one of 32 packet types.
<xref target="short-packet-types"/> lists the types that are defined for short packets.</t>
  <t hangText='Connection ID:'>
  If the Connection ID Flag is set, a connection ID occupies octets 1 through 8
of the packet.  See <xref target="connection-id"/> for more details.</t>
  <t hangText='Packet Number:'>
  The length of the packet number field depends on the packet type.  This field
can be 1, 2 or 4 octets long depending on the short packet type.</t>
  <t hangText='Protected Payload:'>
  Packets with a short header always include a 1-RTT protected payload.</t>
</list></t>

<t>The packet type in a short header currently determines only the size of the
packet number field.  Additional types can be used to signal the presence of
other fields.</t>

<texttable title="Short Header Packet Types" anchor="short-packet-types">
      <ttcol align='left'>Type</ttcol>
      <ttcol align='left'>Packet Number Size</ttcol>
      <c>01</c>
      <c>1 octet</c>
      <c>02</c>
      <c>2 octets</c>
      <c>03</c>
      <c>4 octets</c>
</texttable>

<t>The header form, connection ID flag and connection ID of a short header packet
are version-independent.  The remaining fields are specific to the selected QUIC
version.  See <xref target="version-specific"/> for details on how packets from different
versions of QUIC are interpreted.</t>

</section>
<section anchor="packet-version" title="Version Negotiation Packet">

<t>A Version Negotiation packet has long headers with a type value of 0x01 and is
sent only by servers.  The Version Negotiation packet is a response to a client
packet that contains a version that is not supported by the server.</t>

<t>The packet number, connection ID and version fields echo corresponding values
from the triggering client packet.  This allows clients some assurance that the
server received the packet and that the Version Negotiation packet was not
carried in a packet with a spoofed source address.</t>

<t>The payload of the Version Negotiation packet is a list of 32-bit versions which
the server supports, as shown below.</t>

<figure title="Version Negotiation Packet" anchor="version-negotiation-format"><artwork><![CDATA[
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Supported Version 1 (32)                 ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                   [Supported Version 2 (32)]                ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                               ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                   [Supported Version N (32)]                ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork></figure>

<t>See <xref target="version-negotiation"/> for a description of the version negotiation
process.</t>

</section>
<section anchor="cleartext-packet" title="Cleartext Packets">

<t>Cleartext packets are sent during the handshake prior to key negotiation.</t>

<t>All cleartext packets contain the current QUIC version in the version field.</t>

<t>The payload of cleartext packets also includes an integrity check, which is
described in <xref target="QUIC-TLS"/>.</t>

<section anchor="packet-client-initial" title="Client Initial Packet">

<t>The Client Initial packet uses long headers with a type value of 0x02.
It carries the first cryptographic handshake message sent by the client.</t>

<t>The client populates the connection ID field with randomly selected values,
unless it has received a packet from the server.  If the client has received a
packet from the server, the connection ID field uses the value provided by the
server.</t>

<t>The packet number used for Client Initial packets is initialized with a random
value each time the new contents are created for the packet.  Retransmissions of
the packet contents increment the packet number by one, see
(<xref target="packet-numbers"/>).</t>

<t>The payload of a Client Initial packet consists of a STREAM frame (or frames)
for stream 0 containing a cryptographic handshake message, plus any PADDING
frames necessary to ensure that the packet is at least the minimum PMTU size
(see <xref target="packetization"/>).  The stream in this packet always starts at an offset
of 0 (see <xref target="stateless-retry"/>) and the complete cyptographic handshake message
MUST fit in a single packet (see <xref target="handshake"/>).</t>

<t>The client uses the Client Initial Packet type for any packet that contains an
initial cryptographic handshake message.  This includes all cases where a new
packet containing the initial cryptographic message needs to be created, this
includes the packets sent after receiving a Version Negotiation
(<xref target="packet-version"/>) or Server Stateless Retry packet
(<xref target="packet-server-stateless"/>).</t>

</section>
<section anchor="packet-server-stateless" title="Server Stateless Retry Packet">

<t>A Server Stateless Retry packet uses long headers with a type value of 0x03.
It carries cryptographic handshake messages and acknowledgments.  It is used
by a server that wishes to perform a stateless retry (see
<xref target="stateless-retry"/>).</t>

<t>The packet number and connection ID fields echo the corresponding fields from
the triggering client packet.  This allows a client to verify that the server
received its packet.</t>

<t>After receiving a Server Stateless Retry packet, the client uses a new Client
Initial packet containing the next cryptographic handshake message.  The client
retains the state of its cryptographic handshake, but discards all transport
state.  In effect, the next cryptographic handshake message is sent on a new
connection.  The new Client Initial packet is sent in a packet with a newly
randomized packet number and starting at a stream offset of 0.</t>

<t>Continuing the cryptographic handshake is necessary to ensure that an attacker
cannot force a downgrade of any cryptographic parameters.  In addition to
continuing the cryptographic handshake, the client MUST remember the results of
any version negotiation that occurred (see <xref target="version-negotiation"/>).  The client
MAY also retain any observed RTT or congestion state that it has accumulated for
the flow, but other transport state MUST be discarded.</t>

<t>The payload of the Server Stateless Retry packet contains STREAM frames and
could contain PADDING and ACK frames.  A server can only send a single Server
Stateless Retry packet in response to each Client Initial packet that is
receives.</t>

</section>
<section anchor="packet-server-cleartext" title="Server Cleartext Packet">

<t>A Server Cleartext packet uses long headers with a type value of 0x04.  It is
used to carry acknowledgments and cryptographic handshake messages from the
server.</t>

<t>The connection ID field in a Server Cleartext packet contains a connection ID
that is chosen by the server (see <xref target="connection-id"/>).</t>

<t>The first Server Cleartext packet contains a randomized packet number.  This
value is increased for each subsequent packet sent by the server as described in
<xref target="packet-numbers"/>.</t>

<t>The payload of this packet contains STREAM frames and could contain PADDING and
ACK frames.</t>

</section>
<section anchor="packet-client-cleartext" title="Client Cleartext Packet">

<t>A Client Cleartext packet uses long headers with a type value of 0x05, and is
sent when the client has received a Server Cleartext packet from the server.</t>

<t>The connection ID field in a Client Cleartext packet contains a server-selected
connection ID, see <xref target="connection-id"/>.</t>

<t>The Client Cleartext packet includes a packet number that is one higher than the
last Client Initial, 0-RTT Protected or Client Cleartext packet that was sent.
The packet number is incremented for each subsequent packet, see
<xref target="packet-numbers"/>.</t>

<t>The payload of this packet contains STREAM frames and could contain PADDING and
ACK frames.</t>

</section>
</section>
<section anchor="packet-protected" title="Protected Packets">

<t>Packets that are protected with 0-RTT keys are sent with long headers.  Packets
that are protected with 1-RTT keys MAY be sent with long headers.  The different
packet types explicitly indicate the encryption level and therefore the keys
that are used to remove packet protection.</t>

<t>Packets protected with 0-RTT keys use a type value of 0x06.  The connection ID
field for a 0-RTT packet is selected by the client.</t>

<t>The client can send 0-RTT packets after having received a packet from the server
if that packet does not complete the handshake.  Even if the client receives a
different connection ID from the server, it MUST NOT update the connection ID it
uses for 0-RTT packets.  This enables consistent routing for all 0-RTT packets.</t>

<t>Packets protected with 1-RTT keys that use long headers use a type value of 0x07
for key phase 0 and 0x08 for key phase 1; see <xref target="QUIC-TLS"/> for more details on
the use of key phases.  The connection ID field for these packet types MUST
contain the value selected by the server, see <xref target="connection-id"/>.</t>

<t>The version field for protected packets is the current QUIC version.</t>

<t>The packet number field contains a packet number, which increases with each
packet sent, see <xref target="packet-numbers"/> for details.</t>

<t>The payload is protected using authenticated encryption.  <xref target="QUIC-TLS"/> describes
packet protection in detail.  After decryption, the plaintext consists of a
sequence of frames, as described in <xref target="frames"/>.</t>

</section>
<section anchor="packet-public-reset" title="Public Reset Packet">

<t>A Public Reset packet is only sent by servers and is used to abruptly terminate
communications. Public Reset is provided as an option of last resort for a
server that does not have access to the state of a connection.  This is intended
for use by a server that has lost state (for example, through a crash or
outage). A server that wishes to communicate a fatal connection error MUST use a
CONNECTION_CLOSE frame if it has sufficient state to do so.</t>

<t>A Public Reset packet uses long headers with a type value of 0x09.</t>

<t>The connection ID and packet number of fields together contain octets 1 through
12 from the packet that triggered the reset.  For a client that sends a
connection ID on every packet, the Connection ID field is simply an echo of the
client’s Connection ID, and the Packet Number field includes an echo of the
client’s packet number.  Depending on the client’s packet number length it might
also include 0, 2, or 3 additional octets from the protected payload of the
client packet.</t>

<t>The version field contains the current QUIC version.</t>

<t>A Public Reset packet sent by a server indicates that it does not have the
state necessary to continue with a connection.  In this case, the server will
include the fields that prove that it originally participated in the connection
(see <xref target="public-reset-proof"/> for details).</t>

<t>Upon receipt of a Public Reset packet that contains a valid proof, a client MUST
tear down state associated with the connection.  The client MUST then cease
sending packets on the connection and SHOULD discard any subsequent packets that
arrive. A Public Reset that does not contain a valid proof MUST be ignored.</t>

<section anchor="public-reset-proof" title="Public Reset Proof">

<t>TODO: Details to be added.</t>

</section>
</section>
<section anchor="connection-id" title="Connection ID">

<t>QUIC connections are identified by their 64-bit Connection ID.  All long headers
contain a Connection ID.  Short headers indicate the presence of a Connection ID
using the CONNECTION_ID flag.  When present, the Connection ID is in the same
location in all packet headers, making it straightforward for middleboxes, such
as load balancers, to locate and use it.</t>

<t>The client MUST choose a random connection ID and use it in Client Initial
packets (<xref target="packet-client-initial"/>) and 0-RTT packets (<xref target="packet-protected"/>).
If the client has received any packet from the server, it uses the connection ID
it received from the server for all packets other than 0-RTT packets.</t>

<t>When the server receives a Client Initial packet and decides to proceed with the
handshake, it chooses a new value for the connection ID and sends that in a
Server Cleartext packet.  The server MAY choose to use the value that the client
initially selects.</t>

<t>Once the client receives the connection ID that the server has chosen, it uses
this for all subsequent packets that it sends, except for any 0-RTT packets,
which all have the same connection ID.</t>

</section>
<section anchor="packet-numbers" title="Packet Numbers">

<t>The packet number is a 64-bit unsigned number and is used as part of a
cryptographic nonce for packet encryption.  Each endpoint maintains a separate
packet number for sending and receiving.  The packet number for sending MUST
increase by at least one after sending any packet, unless otherwise specified
(see <xref target="initial-packet-number"/>).</t>

<t>A QUIC endpoint MUST NOT reuse a packet number within the same connection (that
is, under the same cryptographic keys).  If the packet number for sending
reaches 2^64 - 1, the sender MUST close the connection by sending a
CONNECTION_CLOSE frame with the error code QUIC_SEQUENCE_NUMBER_LIMIT_REACHED
(connection termination is described in <xref target="termination"/>.)</t>

<t>To reduce the number of bits required to represent the packet number over the
wire, only the least significant bits of the packet number are transmitted over
the wire, up to 32 bits.  The actual packet number for each packet is
reconstructed at the receiver based on the largest packet number received on a
successfully authenticated packet.</t>

<t>A packet number is decoded by finding the packet number value that is closest to
the next expected packet.  The next expected packet is the highest received
packet number plus one.  For example, if the highest successfully authenticated
packet had a packet number of 0xaa82f30e, then a packet containing a 16-bit
value of 0x1f94 will be decoded as 0xaa831f94.</t>

<t>The sender MUST use a packet number size able to represent more than twice as
large a range than the difference between the largest acknowledged packet and
packet number being sent.  A peer receiving the packet will then correctly
decode the packet number, unless the packet is delayed in transit such that it
arrives after many higher-numbered packets have been received.  An endpoint MAY
use a larger packet number size to safeguard against such reordering.</t>

<t>As a result, the size of the packet number encoding is at least one more than
the base 2 logarithm of the number of contiguous unacknowledged packet numbers,
including the new packet.</t>

<t>For example, if an endpoint has received an acknowledgment for packet 0x6afa2f,
sending a packet with a number of 0x6b4264 requires a 16-bit or larger packet
number encoding; whereas a 32-bit packet number is needed to send a packet with
a number of 0x6bc107.</t>

<t>Version Negotiation (<xref target="packet-version"/>), Server Stateless Retry
(<xref target="packet-server-stateless"/>), and Public Reset (<xref target="packet-public-reset"/>)
packets have special rules for populating the packet number field.</t>

<section anchor="initial-packet-number" title="Initial Packet Number">

<t>The initial value for packet number MUST be selected from an uniform random
distribution between 0 and 2^31-1.  That is, the lower 31 bits of the packet
number are randomized.  <xref target="RFC4086"/> provides guidance on the generation of
random values.</t>

<t>The first set of packets sent by an endpoint MUST include the low 32-bits of the
packet number.  Once any packet has been acknowledged, subsequent packets can
use a shorter packet number encoding.</t>

<t>A client that receives a Version Negotiation (<xref target="packet-version"/>) or Server
Stateless Retry packet (<xref target="packet-server-stateless"/>) MUST generate a new initial
packet number.  This ensures that the first transmission attempt for a Client
Initial packet (<xref target="packet-client-initial"/>) always contains a randomized packet
number, but packets that contain retransmissions increment the packet number.</t>

<t>A client MUST NOT generate a new initial packet number if it discards the server
packet.  This might happen if the information the client retransmits its Client
Initial packet.</t>

</section>
</section>
<section anchor="version-specific" title="Handling Packets from Different Versions">

<t>Between different versions the following things are guaranteed to remain
constant:</t>

<t><list style="symbols">
  <t>the location of the header form flag,</t>
  <t>the location of the Connection ID flag in short headers,</t>
  <t>the location and size of the Connection ID field in both header forms,</t>
  <t>the location and size of the Version field in long headers, and</t>
  <t>the location and size of the Packet Number field in long headers.</t>
</list></t>

<t>Implementations MUST assume that an unsupported version uses an unknown packet
format. All other fields MUST be ignored when processing a packet that contains
an unsupported version.</t>

</section>
</section>
<section anchor="frames" title="Frames and Frame Types">

<t>The payload of cleartext packets and the plaintext after decryption of protected
payloads consists of a sequence of frames, as shown in <xref target="packet-frames"/>.</t>

<figure title="Contents of Protected Payload" anchor="packet-frames"><artwork><![CDATA[
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          Frame 1 (*)                        ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          Frame 2 (*)                        ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                               ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          Frame N (*)                        ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork></figure>

<t>Protected payloads MUST contain at least one frame, and MAY contain multiple
frames and multiple frame types.</t>

<t>Frames MUST fit within a single QUIC packet and MUST NOT span a QUIC packet
boundary. Each frame begins with a Frame Type byte, indicating its type,
followed by additional type-dependent fields:</t>

<figure title="Generic Frame Layout" anchor="frame-layout"><artwork><![CDATA[
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Type (8)    |           Type-Dependent Fields (*)         ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork></figure>

<t>Frame types are listed in <xref target="frame-types"/>. Note that the Frame Type byte in
STREAM and ACK frames is used to carry other frame-specific flags.  For all
other frames, the Frame Type byte simply identifies the frame.  These frames are
explained in more detail as they are referenced later in the document.</t>

<texttable title="Frame Types" anchor="frame-types">
      <ttcol align='left'>Type Value</ttcol>
      <ttcol align='left'>Frame Type Name</ttcol>
      <ttcol align='left'>Definition</ttcol>
      <c>0x00</c>
      <c>PADDING</c>
      <c><xref target="frame-padding"/></c>
      <c>0x01</c>
      <c>RST_STREAM</c>
      <c><xref target="frame-rst-stream"/></c>
      <c>0x02</c>
      <c>CONNECTION_CLOSE</c>
      <c><xref target="frame-connection-close"/></c>
      <c>0x03</c>
      <c>GOAWAY</c>
      <c><xref target="frame-goaway"/></c>
      <c>0x04</c>
      <c>MAX_DATA</c>
      <c><xref target="frame-max-data"/></c>
      <c>0x05</c>
      <c>MAX_STREAM_DATA</c>
      <c><xref target="frame-max-stream-data"/></c>
      <c>0x06</c>
      <c>MAX_STREAM_ID</c>
      <c><xref target="frame-max-stream-id"/></c>
      <c>0x07</c>
      <c>PING</c>
      <c><xref target="frame-ping"/></c>
      <c>0x08</c>
      <c>BLOCKED</c>
      <c><xref target="frame-blocked"/></c>
      <c>0x09</c>
      <c>STREAM_BLOCKED</c>
      <c><xref target="frame-stream-blocked"/></c>
      <c>0x0a</c>
      <c>STREAM_ID_NEEDED</c>
      <c><xref target="frame-stream-id-needed"/></c>
      <c>0x0b</c>
      <c>NEW_CONNECTION_ID</c>
      <c><xref target="frame-new-connection-id"/></c>
      <c>0xa0 - 0xbf</c>
      <c>ACK</c>
      <c><xref target="frame-ack"/></c>
      <c>0xc0 - 0xff</c>
      <c>STREAM</c>
      <c><xref target="frame-stream"/></c>
</texttable>

</section>
<section anchor="life-of-a-connection" title="Life of a Connection">

<t>A QUIC connection is a single conversation between two QUIC endpoints.  QUIC’s
connection establishment intertwines version negotiation with the cryptographic
and transport handshakes to reduce connection establishment latency, as
described in <xref target="handshake"/>.  Once established, a connection may migrate to a
different IP or port at either endpoint, due to NAT rebinding or mobility, as
described in <xref target="migration"/>.  Finally a connection may be terminated by either
endpoint, as described in <xref target="termination"/>.</t>

<section anchor="version-negotiation" title="Version Negotiation">

<t>QUIC’s connection establishment begins with version negotiation, since all
communication between the endpoints, including packet and frame formats, relies
on the two endpoints agreeing on a version.</t>

<t>A QUIC connection begins with a client sending a handshake packet. The details
of the handshake mechanisms are described in <xref target="handshake"/>, but all of the
initial packets sent from the client to the server MUST use the long header
format and MUST specify the version of the protocol being used.</t>

<t>When the server receives a packet from a client with the long header format, it
compares the client’s version to the versions it supports.</t>

<t>If the version selected by the client is not acceptable to the server, the
server discards the incoming packet and responds with a Version Negotiation
packet (<xref target="packet-version"/>).  This includes a list of versions that the server
will accept.</t>

<t>A server sends a Version Negotiation packet for every packet that it receives
with an unacceptable version.  This allows a server to process packets with
unsupported versions without retaining state.  Though either the initial client
packet or the version negotiation packet that is sent in response could be lost,
the client will send new packets until it successfully receives a response.</t>

<t>If the packet contains a version that is acceptable to the server, the server
proceeds with the handshake (<xref target="handshake"/>).  This commits the server to the
version that the client selected.</t>

<t>When the client receives a Version Negotiation packet from the server, it should
select an acceptable protocol version.  If the server lists an acceptable
version, the client selects that version and reattempts to create a connection
using that version.  Though the contents of a packet might not change in
response to version negotiation, a client MUST increase the packet number it
uses on every packet it sends.  Packets MUST continue to use long headers and
MUST include the new negotiated protocol version.</t>

<t>The client MUST use the long header format and include its selected version on
all packets until it has 1-RTT keys and it has received a packet from the server
which is not a Version Negotiation packet.</t>

<t>A client MUST NOT change the version it uses unless it is in response to a
Version Negotiation packet from the server.  Once a client receives a packet
from the server which is not a Version Negotiation packet, it MUST ignore other
Version Negotiation packets on the same connection.  Similarly, a client MUST
ignore a Version Negotiation packet if it has already received and acted on a
Version Negotiation packet.</t>

<t>A client MUST ignore a Version Negotiation packet that lists the client’s chosen
version.</t>

<t>Version negotiation uses unprotected data. The result of the negotiation MUST be
revalidated as part of the cryptographic handshake (see <xref target="version-validation"/>).</t>

<section anchor="using-reserved-versions" title="Using Reserved Versions">

<t>For a server to use a new version in the future, clients must correctly handle
unsupported versions. To help ensure this, a server SHOULD include a reserved
version (see <xref target="versions"/>) while generating a Version Negotiation packet.</t>

<t>The design of version negotiation permits a server to avoid maintaining state
for packets that it rejects in this fashion.  However, when the server generates
a Version Negotiation packet, it cannot randomly generate a reserved version
number. This is because the server is required to include the same value in its
transport parameters (see <xref target="version-validation"/>).  To avoid the selected
version number changing during connection establishment, the reserved version
SHOULD be generated as a function of values that will be available to the server
when later generating its handshake packets.</t>

<t>A pseudorandom function that takes client address information (IP and port) and
the client selected version as input would ensure that there is sufficient
variability in the values that a server uses.</t>

<t>A client MAY send a packet using a reserved version number.  This can be used to
solicit a list of supported versions from a server.</t>

</section>
</section>
<section anchor="handshake" title="Cryptographic and Transport Handshake">

<t>QUIC relies on a combined cryptographic and transport handshake to minimize
connection establishment latency.  QUIC allocates stream 0 for the cryptographic
handshake.  Version 0x00000001 of QUIC uses TLS 1.3 as described in
<xref target="QUIC-TLS"/>; a different QUIC version number could indicate that a different
cryptographic handshake protocol is in use.</t>

<t>QUIC provides this stream with reliable, ordered delivery of data.  In return,
the cryptographic handshake provides QUIC with:</t>

<t><list style="symbols">
  <t>authenticated key exchange, where  <list style="symbols">
      <t>a server is always authenticated,</t>
      <t>a client is optionally authenticated,</t>
      <t>every connection produces distinct and unrelated keys,</t>
      <t>keying material is usable for packet protection for both 0-RTT and 1-RTT
packets, and</t>
      <t>1-RTT keys have forward secrecy</t>
    </list></t>
  <t>authenticated values for the transport parameters of the peer (see
<xref target="transport-parameters"/>)</t>
  <t>authenticated confirmation of version negotiation (see <xref target="version-validation"/>)</t>
  <t>authenticated negotiation of an application protocol (TLS uses ALPN
<xref target="RFC7301"/> for this purpose)</t>
  <t>for the server, the ability to carry data that provides assurance that the
client can receive packets that are addressed with the transport address that
is claimed by the client (see <xref target="address-validation"/>)</t>
</list></t>

<t>The initial cryptographic handshake message MUST be sent in a single packet.
Any second attempt that is triggered by address validation MUST also be sent
within a single packet.  This avoids having to reassemble a message from
multiple packets.  Reassembling messages requires that a server maintain state
prior to establishing a connection, exposing the server to a denial of service
risk.</t>

<t>The first client packet of the cryptographic handshake protocol MUST fit within
a 1232 octet QUIC packet payload.  This includes overheads that reduce the space
available to the cryptographic handshake protocol.</t>

<t>Details of how TLS is integrated with QUIC is provided in more detail in
<xref target="QUIC-TLS"/>.</t>

</section>
<section anchor="transport-parameters" title="Transport Parameters">

<t>During connection establishment, both endpoints make authenticated declarations
of their transport parameters.  These declarations are made unilaterally by each
endpoint.  Endpoints are required to comply with the restrictions implied by
these parameters; the description of each parameter includes rules for its
handling.</t>

<t>The format of the transport parameters is the TransportParameters struct from
<xref target="figure-transport-parameters"/>.  This is described using the presentation
language from Section 3 of <xref target="I-D.ietf-tls-tls13"/>.</t>

<figure title="Definition of TransportParameters" anchor="figure-transport-parameters"><artwork><![CDATA[
   uint32 QuicVersion;

   enum {
      initial_max_stream_data(0),
      initial_max_data(1),
      initial_max_stream_id(2),
      idle_timeout(3),
      truncate_connection_id(4),
      max_packet_size(5),
      (65535)
   } TransportParameterId;

   struct {
      TransportParameterId parameter;
      opaque value<0..2^16-1>;
   } TransportParameter;

   struct {
      select (Handshake.msg_type) {
         case client_hello:
            QuicVersion negotiated_version;
            QuicVersion initial_version;

         case encrypted_extensions:
            QuicVersion supported_versions<2..2^8-4>;
      };
      TransportParameter parameters<30..2^16-1>;
   } TransportParameters;
]]></artwork></figure>

<t>The <spanx style="verb">extension_data</spanx> field of the quic_transport_parameters extension defined in
<xref target="QUIC-TLS"/> contains a TransportParameters value.  TLS encoding rules are
therefore used to encode the transport parameters.</t>

<t>QUIC encodes transport parameters into a sequence of octets, which are then
included in the cryptographic handshake.  Once the handshake completes, the
transport parameters declared by the peer are available.  Each endpoint
validates the value provided by its peer.  In particular, version negotiation
MUST be validated (see <xref target="version-validation"/>) before the connection
establishment is considered properly complete.</t>

<t>Definitions for each of the defined transport parameters are included in
<xref target="transport-parameter-definitions"/>.</t>

<section anchor="transport-parameter-definitions" title="Transport Parameter Definitions">

<t>An endpoint MUST include the following parameters in its encoded
TransportParameters:</t>

<t><list style="hanging">
  <t hangText='initial_max_stream_data (0x0000):'>
  The initial stream maximum data parameter contains the initial value for the
maximum data that can be sent on any newly created stream.  This parameter is
encoded as an unsigned 32-bit integer in units of octets.  This is equivalent
to an implicit MAX_STREAM_DATA frame (<xref target="frame-max-stream-data"/>) being sent on
all streams immediately after opening.</t>
  <t hangText='initial_max_data (0x0001):'>
  The initial maximum data parameter contains the initial value for the maximum
amount of data that can be sent on the connection.  This parameter is encoded
as an unsigned 32-bit integer in units of 1024 octets.  That is, the value
here is multiplied by 1024 to determine the actual maximum value.  This is
equivalent to sending a MAX_DATA (<xref target="frame-max-data"/>) for the connection
immediately after completing the handshake.</t>
  <t hangText='initial_max_stream_id (0x0002):'>
  The initial maximum stream ID parameter contains the initial maximum stream
number the peer may initiate, encoded as an unsigned 32-bit integer.  This is
equivalent to sending a MAX_STREAM_ID (<xref target="frame-max-stream-id"/>) immediately
after completing the handshake.</t>
  <t hangText='idle_timeout (0x0003):'>
  The idle timeout is a value in seconds that is encoded as an unsigned 16-bit
integer.  The maximum value is 600 seconds (10 minutes).</t>
</list></t>

<t>An endpoint MAY use the following transport parameters:</t>

<t><list style="hanging">
  <t hangText='truncate_connection_id (0x0004):'>
  The truncated connection identifier parameter indicates that packets sent to
the peer can omit the connection ID.  This can be used by an endpoint where
the 5-tuple is sufficient to identify a connection.  This parameter is zero
length.  Omitting the parameter indicates that the endpoint relies on the
connection ID being present in every packet.</t>
  <t hangText='max_packet_size (0x0005):'>
  The maximum packet size parameter places a limit on the size of packets that
the endpoint is willing to receive, encoded as an unsigned 16-bit integer.
This indicates that packets larger than this limit will be dropped.  The
default for this parameter is the maximum permitted UDP payload of 65527.
Values below 1252 are invalid.  This limit only applies to protected packets
(<xref target="packet-protected"/>).</t>
</list></t>

</section>
<section anchor="zerortt-parameters" title="Values of Transport Parameters for 0-RTT">

<t>Transport parameters from the server MUST be remembered by the client for use
with 0-RTT data.  If the TLS NewSessionTicket message includes the
quic_transport_parameters extension, then those values are used for the server
values when establishing a new connection using that ticket.  Otherwise, the
transport parameters that the server advertises during connection establishment
are used.</t>

<t>A server can remember the transport parameters that it advertised, or store an
integrity-protected copy of the values in the ticket and recover the information
when accepting 0-RTT data.  A server uses the transport parameters in
determining whether to accept 0-RTT data.</t>

<t>A server MAY accept 0-RTT and subsequently provide different values for
transport parameters for use in the new connection.  If 0-RTT data is accepted
by the server, the server MUST NOT reduce any limits or alter any values that
might be violated by the client with its 0-RTT data.  In particular, a server
that accepts 0-RTT data MUST NOT set values for initial_max_data or
initial_max_stream_data that are smaller than the remembered value of those
parameters.  Similarly, a server MUST NOT reduce the value of
initial_max_stream_id.</t>

<t>A server MUST reject 0-RTT data or even abort a handshake if the implied values
for transport parameters cannot be supported.</t>

</section>
<section anchor="new-transport-parameters" title="New Transport Parameters">

<t>New transport parameters can be used to negotiate new protocol behavior.  An
endpoint MUST ignore transport parameters that it does not support.  Absence of
a transport parameter therefore disables any optional protocol feature that is
negotiated using the parameter.</t>

<t>New transport parameters can be registered according to the rules in
<xref target="iana-transport-parameters"/>.</t>

</section>
<section anchor="version-validation" title="Version Negotiation Validation">

<t>The transport parameters include three fields that encode version information.
These retroactively authenticate the version negotiation (see
<xref target="version-negotiation"/>) that is performed prior to the cryptographic handshake.</t>

<t>The cryptographic handshake provides integrity protection for the negotiated
version as part of the transport parameters (see <xref target="transport-parameters"/>).  As
a result, modification of version negotiation packets by an attacker can be
detected.</t>

<t>The client includes two fields in the transport parameters:</t>

<t><list style="symbols">
  <t>The negotiated_version is the version that was finally selected for use.  This
MUST be identical to the value that is on the packet that carries the
ClientHello.  A server that receives a negotiated_version that does not match
the version of QUIC that is in use MUST terminate the connection with a
QUIC_VERSION_NEGOTIATION_MISMATCH error code.</t>
  <t>The initial_version is the version that the client initially attempted to use.
If the server did not send a version negotiation packet <xref target="packet-version"/>,
this will be identical to the negotiated_version.</t>
</list></t>

<t>A server that processes all packets in a stateful fashion can remember how
version negotiation was performed and validate the initial_version value.</t>

<t>A server that does not maintain state for every packet it receives (i.e., a
stateless server) uses a different process. If the initial and negotiated
versions are the same, a stateless server can accept the value.</t>

<t>If the initial version is different from the negotiated_version, a stateless
server MUST check that it would have sent a version negotiation packet if it had
received a packet with the indicated initial_version.  If a server would have
accepted the version included in the initial_version and the value differs from
the value of negotiated_version, the server MUST terminate the connection with a
QUIC_VERSION_NEGOTIATION_MISMATCH error.</t>

<t>The server includes a list of versions that it would send in any version
negotiation packet (<xref target="packet-version"/>) in supported_versions.  This value is
set even if it did not send a version negotiation packet.</t>

<t>The client can validate that the negotiated_version is included in the
supported_versions list and - if version negotiation was performed - that it
would have selected the negotiated version.  A client MUST terminate the
connection with a QUIC_VERSION_NEGOTIATION_MISMATCH error code if the
negotiated_version value is not included in the supported_versions list.  A
client MUST terminate with a QUIC_VERSION_NEGOTIATION_MISMATCH error code if
version negotiation occurred but it would have selected a different version
based on the value of the supported_versions list.</t>

</section>
</section>
<section anchor="stateless-retry" title="Stateless Retries">

<t>A server can process an initial cryptographic handshake messages from a client
without committing any state. This allows a server to perform address validation
(<xref target="address-validation"/>, or to defer connection establishment costs.</t>

<t>A server that generates a response to an initial packet without retaining
connection state MUST use the Server Stateless Retry packet
(<xref target="packet-server-stateless"/>).  This packet causes a client to reset its
transport state and to continue the connection attempt with new connection state
while maintaining the state of the cryptographic handshake.</t>

<t>A server MUST NOT send multiple Server Stateless Retry packets in response to a
client handshake packet.  Thus, any cryptographic handshake message that is sent
MUST fit within a single packet.</t>

<t>In TLS, the Server Stateless Retry packet type is used to carry the
HelloRetryRequest message.</t>

</section>
<section anchor="address-validation" title="Proof of Source Address Ownership">

<t>Transport protocols commonly spend a round trip checking that a client owns the
transport address (IP and port) that it claims.  Verifying that a client can
receive packets sent to its claimed transport address protects against spoofing
of this information by malicious clients.</t>

<t>This technique is used primarily to avoid QUIC from being used for traffic
amplification attack.  In such an attack, a packet is sent to a server with
spoofed source address information that identifies a victim.  If a server
generates more or larger packets in response to that packet, the attacker can
use the server to send more data toward the victim than it would be able to send
on its own.</t>

<t>Several methods are used in QUIC to mitigate this attack.  Firstly, the initial
handshake packet is padded to at least 1280 octets.  This allows a server to
send a similar amount of data without risking causing an amplification attack
toward an unproven remote address.</t>

<t>A server eventually confirms that a client has received its messages when the
cryptographic handshake successfully completes.  This might be insufficient,
either because the server wishes to avoid the computational cost of completing
the handshake, or it might be that the size of the packets that are sent during
the handshake is too large.  This is especially important for 0-RTT, where the
server might wish to provide application data traffic - such as a response to a
request - in response to the data carried in the early data from the client.</t>

<t>To send additional data prior to completing the cryptographic handshake, the
server then needs to validate that the client owns the address that it claims.</t>

<t>Source address validation is therefore performed during the establishment of a
connection.  TLS provides the tools that support the feature, but basic
validation is performed by the core transport protocol.</t>

<section anchor="client-address-validation-procedure" title="Client Address Validation Procedure">

<t>QUIC uses token-based address validation.  Any time the server wishes to
validate a client address, it provides the client with a token.  As long as the
token cannot be easily guessed (see <xref target="token-integrity"/>), if the client is able
to return that token, it proves to the server that it received the token.</t>

<t>During the processing of the cryptographic handshake messages from a client, TLS
will request that QUIC make a decision about whether to proceed based on the
information it has.  TLS will provide QUIC with any token that was provided by
the client.  For an initial packet, QUIC can decide to abort the connection,
allow it to proceed, or request address validation.</t>

<t>If QUIC decides to request address validation, it provides the cryptographic
handshake with a token.  The contents of this token are consumed by the server
that generates the token, so there is no need for a single well-defined format.
A token could include information about the claimed client address (IP and
port), a timestamp, and any other supplementary information the server will need
to validate the token in the future.</t>

<t>The cryptographic handshake is responsible for enacting validation by sending
the address validation token to the client.  A legitimate client will include a
copy of the token when it attempts to continue the handshake.  The cryptographic
handshake extracts the token then asks QUIC a second time whether the token is
acceptable.  In response, QUIC can either abort the connection or permit it to
proceed.</t>

<t>A connection MAY be accepted without address validation - or with only limited
validation - but a server SHOULD limit the data it sends toward an unvalidated
address.  Successful completion of the cryptographic handshake implicitly
provides proof that the client has received packets from the server.</t>

</section>
<section anchor="address-validation-on-session-resumption" title="Address Validation on Session Resumption">

<t>A server MAY provide clients with an address validation token during one
connection that can be used on a subsequent connection.  Address validation is
especially important with 0-RTT because a server potentially sends a significant
amount of data to a client in response to 0-RTT data.</t>

<t>A different type of token is needed when resuming.  Unlike the token that is
created during a handshake, there might be some time between when the token is
created and when the token is subsequently used.  Thus, a resumption token
SHOULD include an expiration time.  It is also unlikely that the client port
number is the same on two different connections; validating the port is
therefore unlikely to be successful.</t>

<t>This token can be provided to the cryptographic handshake immediately after
establishing a connection.  QUIC might also generate an updated token if
significant time passes or the client address changes for any reason (see
<xref target="migration"/>).  The cryptographic handshake is responsible for providing the
client with the token.  In TLS the token is included in the ticket that is used
for resumption and 0-RTT, which is carried in a NewSessionTicket message.</t>

</section>
<section anchor="token-integrity" title="Address Validation Token Integrity">

<t>An address validation token MUST be difficult to guess.  Including a large
enough random value in the token would be sufficient, but this depends on the
server remembering the value it sends to clients.</t>

<t>A token-based scheme allows the server to offload any state associated with
validation to the client.  For this design to work, the token MUST be covered by
integrity protection against modification or falsification by clients.  Without
integrity protection, malicious clients could generate or guess values for
tokens that would be accepted by the server.  Only the server requires access to
the integrity protection key for tokens.</t>

<t>In TLS the address validation token is often bundled with the information that
TLS requires, such as the resumption secret.  In this case, adding integrity
protection can be delegated to the cryptographic handshake protocol, avoiding
redundant protection.  If integrity protection is delegated to the cryptographic
handshake, an integrity failure will result in immediate cryptographic handshake
failure.  If integrity protection is performed by QUIC, QUIC MUST abort the
connection if the integrity check fails with a QUIC_ADDRESS_VALIDATION_FAILURE
error code.</t>

</section>
</section>
<section anchor="migration" title="Connection Migration">

<t>QUIC connections are identified by their 64-bit Connection ID.  QUIC’s
consistent connection ID allows connections to survive changes to the client’s
IP and/or port, such as those caused by client or server migrating to a new
network.  Connection migration allows a client to retain any shared state with a
connection when they move networks.  This includes state that can be hard to
recover such as outstanding requests, which might otherwise be lost with no easy
way to retry them.</t>

<section anchor="migration-linkability" title="Privacy Implications of Connection Migration">

<t>Using a stable connection ID on multiple network paths allows a
passive observer to correlate activity between those paths.  A client
that moves between networks might not wish to have their activity
correlated by any entity other than a server. The NEW_CONNECTION_ID
message can be sent by a server to provide an unlinkable connection ID
for use in case the client wishes to explicitly break linkability
between two points of network attachment.</t>

<t>A client which wishes to break linkability upon changing networks MUST
use the NEW_CONNECTION_ID as well as incrementing the packet sequence
number by an externally unpredictable value computed as described in
<xref target="packet-number-gap"/>. Packet number gaps are cumulative.  A client
might skip connection IDs, but it MUST ensure that it applies the
associated packet number gaps in addition to the packet number gap
associated with the connection ID that it does use.</t>

<t>A client might need to send packets on multiple networks without receiving any
response from the server.  To ensure that the client is not linkable across each
of these changes, a new connection ID and packet number gap are needed for each
network.  To support this, a server sends multiple NEW_CONNECTION_ID messages.
Each NEW_CONNECTION_ID is marked with a sequence number.  Connection IDs MUST be
used in the order in which they are numbered.</t>

<t>A server that receives a packet that is marked with a new connection ID recovers
the packet number by adding the cumulative packet number gap to its expected
packet number.  A server SHOULD discard packets that contain a smaller gap than
it advertised.</t>

<t>For instance, a server might provide a packet number gap of 7 associated with a
new connection ID.  If the server received packet 10 using the previous
connection ID, it should expect packets on the new connection ID to start at 18.
A packet with the new connection ID and a packet number of 17 is discarded as
being in error.</t>

<section anchor="packet-number-gap" title="Packet Number Gap">

<t>In order to avoid linkage, the packet number gap MUST be externally
indistinguishable from random. The packet number gap for a connection
ID with sequence number is computed by encoding the sequence number
as a 32-bit integer in big-endian format, and then computing:</t>

<figure><artwork><![CDATA[
Gap = HKDF-Expand-Label(packet_number_secret,
                        "QUIC packet sequence gap", sequence, 4)
]]></artwork></figure>

<t>The output of HKDF-Expand-Label is interpreted as a big-endian
number. “packet_number_secret” is derived from the TLS key exchange,
as described in <xref target="QUIC-TLS"/> Section 5.6.</t>

</section>
</section>
<section anchor="address-validation-for-migrated-connections" title="Address Validation for Migrated Connections">

<t>TODO: see issue #161</t>

</section>
</section>
<section anchor="termination" title="Connection Termination">

<t>Connections should remain open until they become idle for a pre-negotiated
period of time.  A QUIC connection, once established, can be terminated in one
of three ways:</t>

<t><list style="numbers">
  <t>Explicit Shutdown: An endpoint sends a CONNECTION_CLOSE frame to
initiate a connection termination.  An endpoint may send a GOAWAY frame to
the peer prior to a CONNECTION_CLOSE to indicate that the connection will
soon be terminated.  A GOAWAY frame signals to the peer that any active
streams will continue to be processed, but the sender of the GOAWAY will not
initiate any additional streams and will not accept any new incoming streams.
On termination of the active streams, a CONNECTION_CLOSE may be sent.  If an
endpoint sends a CONNECTION_CLOSE frame while unterminated streams are active
(no FIN bit or RST_STREAM frames have been sent or received for one or more
streams), then the peer must assume that the streams were incomplete and were
abnormally terminated.</t>
  <t>Implicit Shutdown: The default idle timeout is a required parameter in
connection negotiation.  The maximum is 10 minutes.  If there is no network
activity for the duration of the idle timeout, the connection is closed.  By
default a CONNECTION_CLOSE frame will be sent.  A silent close option can be
enabled when it is expensive to send an explicit close, such as mobile
networks that must wake up the radio.</t>
  <t>Abrupt Shutdown: An endpoint may send a Public Reset packet at any time
during the connection to abruptly terminate an active connection.  A Public
Reset packet SHOULD only be used as a final recourse.  Commonly, a public
reset is expected to be sent when a packet on an established connection is
received by an endpoint that is unable decrypt the packet.  For instance, if
a server reboots mid-connection and loses any cryptographic state associated
with open connections, and then receives a packet on an open connection, it
should send a Public Reset packet in return.  (TODO: articulate rules around
when a public reset should be sent.)</t>
</list></t>

<t>TODO: Connections that are terminated are added to a TIME_WAIT list at the
server, so as to absorb any straggler packets in the network.  Discuss TIME_WAIT
list.</t>

</section>
</section>
<section anchor="frame-types-and-formats" title="Frame Types and Formats">

<t>As described in <xref target="frames"/>, Regular packets contain one or more frames.
We now describe the various QUIC frame types that can be present in a Regular
packet. The use of these frames and various frame header bits are described in
subsequent sections.</t>

<section anchor="frame-stream" title="STREAM Frame">

<t>STREAM frames implicitly create a stream and carry stream data. The type byte
for a STREAM frame contains embedded flags, and is formatted as <spanx style="verb">11FSSOOD</spanx>.
These bits are parsed as follows:</t>

<t><list style="symbols">
  <t>The first two bits must be set to 11, indicating that this is a STREAM frame.</t>
  <t><spanx style="verb">F</spanx> is the FIN bit, which is used for stream termination.</t>
  <t>The <spanx style="verb">SS</spanx> bits encode the length of the Stream ID header field.
The values 00, 01, 02, and 03 indicate lengths of 8, 16, 24, and 32 bits
long respectively.</t>
  <t>The <spanx style="verb">OO</spanx> bits encode the length of the Offset header field.
The values 00, 01, 02, and 03 indicate lengths of 0, 16, 32, and
64 bits long respectively.</t>
  <t>The <spanx style="verb">D</spanx> bit indicates whether a Data Length field is present in the STREAM
header.  When set to 0, this field indicates that the Stream Data field
extends to the end of the packet.  When set to 1, this field indicates that
Data Length field contains the length (in bytes) of the Stream Data field.
The option to omit the length should only be used when the packet is a
“full-sized” packet, to avoid the risk of corruption via padding.</t>
</list></t>

<t>A STREAM frame is shown below.</t>

<figure title="STREAM Frame Format" anchor="stream-format"><artwork><![CDATA[
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Stream ID (8/16/24/32)                   ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      Offset (0/16/32/64)                    ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|       [Data Length (16)]      |        Stream Data (*)      ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork></figure>

<t>The STREAM frame contains the following fields:</t>

<t><list style="hanging">
  <t hangText='Stream ID:'>
  The stream ID of the stream (see <xref target="stream-id"/>).</t>
  <t hangText='Offset:'>
  A variable-sized unsigned number specifying the byte offset in the stream for
the data in this STREAM frame.  When the offset length is 0, the offset is 0.
The first byte in the stream has an offset of 0.  The largest offset delivered
on a stream - the sum of the re-constructed offset and data length - MUST be
less than 2^64.</t>
  <t hangText='Stream Data:'>
  The bytes from the designated stream to be delivered.</t>
  <t hangText='Data Length:'>
  An optional 16-bit unsigned number specifying the length of the Stream Data
field in this STREAM frame.  This field is present when the <spanx style="verb">D</spanx> bit is set to
1.</t>
</list></t>

<t>A STREAM frame MUST have either non-zero data length or the FIN bit set.  When
the FIN flag is sent on an empty STREAM frame, the offset in the STREAM frame
MUST be one greater than the last data byte sent on this stream.</t>

<t>Stream multiplexing is achieved by interleaving STREAM frames from multiple
streams into one or more QUIC packets.  A single QUIC packet can include
multiple STREAM frames from one or more streams.</t>

<t>Implementation note: One of the benefits of QUIC is avoidance of head-of-line
blocking across multiple streams.  When a packet loss occurs, only streams with
data in that packet are blocked waiting for a retransmission to be received,
while other streams can continue making progress.  Note that when data from
multiple streams is bundled into a single QUIC packet, loss of that packet
blocks all those streams from making progress.  An implementation is therefore
advised to bundle as few streams as necessary in outgoing packets without losing
transmission efficiency to underfilled packets.</t>

</section>
<section anchor="frame-ack" title="ACK Frame">

<t>Receivers send ACK frames to inform senders which packets they have received and
processed, as well as which packets are considered missing.  The ACK frame
contains between 1 and 256 ACK blocks.  ACK blocks are ranges of acknowledged
packets.</t>

<t>To limit ACK blocks to those that have not yet been received by the sender, the
receiver SHOULD track which ACK frames have been acknowledged by its peer.  Once
an ACK frame has been acknowledged, the packets it acknowledges SHOULD not be
acknowledged again.</t>

<t>A receiver that is only sending ACK frames will not receive acknowledgments for
its packets.  Sending an occasional MAX_DATA or MAX_STREAM_DATA frame as data is
received will ensure that acknowledgements are generated by a peer.  Otherwise,
an endpoint MAY send a PING frame once per RTT to solicit an acknowledgment.</t>

<t>To limit receiver state or the size of ACK frames, a receiver MAY limit the
number of ACK blocks it sends.  A receiver can do this even without receiving
acknowledgment of its ACK frames, with the knowledge this could cause the sender
to unnecessarily retransmit some data.  When this is necessary, the receiver
SHOULD acknowledge newly received packets and stop acknowledging packets
received in the past.</t>

<t>Unlike TCP SACKs, QUIC ACK blocks are cumulative and therefore irrevocable.
Once a packet has been acknowledged, even if it does not appear in a future ACK
frame, it is assumed to be acknowledged.</t>

<t>QUIC ACK frames contain a timestamp section with up to 255 timestamps.
Timestamps enable better congestion control, but are not required for correct
loss recovery, and old timestamps are less valuable, so it is not guaranteed
every timestamp will be received by the sender.  A receiver SHOULD send a
timestamp exactly once for each received packet containing retransmittable
frames. A receiver MAY send timestamps for non-retransmittable packets.
A receiver MUST not send timestamps in unprotected packets.</t>

<t>A sender MAY intentionally skip packet numbers to introduce entropy into the
connection, to avoid opportunistic acknowledgement attacks.  The sender SHOULD
close the connection if an unsent packet number is acknowledged.  The format of
the ACK frame is efficient at expressing blocks of missing packets; skipping
packet numbers between 1 and 255 effectively provides up to 8 bits of efficient
entropy on demand, which should be adequate protection against most
opportunistic acknowledgement attacks.</t>

<t>The type byte for a ACK frame contains embedded flags, and is formatted as
<spanx style="verb">101NLLMM</spanx>.  These bits are parsed as follows:</t>

<t><list style="symbols">
  <t>The first three bits must be set to 101 indicating that this is an ACK frame.</t>
  <t>The <spanx style="verb">N</spanx> bit indicates whether the frame has more than 1 range of acknowledged
packets (i.e., whether the ACK Block Section contains a Num Blocks field).</t>
  <t>The two <spanx style="verb">LL</spanx> bits encode the length of the Largest Acknowledged field.
The values 00, 01, 02, and 03 indicate lengths of 8, 16, 32, and 48
bits respectively.</t>
  <t>The two <spanx style="verb">MM</spanx> bits encode the length of the ACK Block Length fields.
The values 00, 01, 02, and 03 indicate lengths of 8, 16, 32, and 48
bits respectively.</t>
</list></t>

<t>An ACK frame is shown below.</t>

<figure title="ACK Frame Format" anchor="ack-format"><artwork><![CDATA[
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|[Num Blocks(8)]|   NumTS (8)   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                Largest Acknowledged (8/16/32/48)            ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        ACK Delay (16)         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                     ACK Block Section (*)                   ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                     Timestamp Section (*)                   ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork></figure>

<t>The fields in the ACK frame are as follows:</t>

<t><list style="hanging">
  <t hangText='Num Blocks (opt):'>
  An optional 8-bit unsigned value specifying the number of additional ACK
blocks (besides the required First ACK Block) in this ACK frame.  Only present
if the ‘N’ flag bit is 1.</t>
  <t hangText='Num Timestamps:'>
  An unsigned 8-bit number specifying the total number of &lt;packet number,
timestamp&gt; pairs in the Timestamp Section.</t>
  <t hangText='Largest Acknowledged:'>
  A variable-sized unsigned value representing the largest packet number the
peer is acknowledging in this packet (typically the largest that the peer has
seen thus far.)</t>
  <t hangText='ACK Delay:'>
  The time from when the largest acknowledged packet, as indicated in the
Largest Acknowledged field, was received by this peer to when this ACK was
sent.</t>
  <t hangText='ACK Block Section:'>
  Contains one or more blocks of packet numbers which have been successfully
received, see <xref target="ack-block-section"/>.</t>
  <t hangText='Timestamp Section:'>
  Contains zero or more timestamps reporting transit delay of received packets.
See <xref target="timestamp-section"/>.</t>
</list></t>

<section anchor="ack-block-section" title="ACK Block Section">

<t>The ACK Block Section contains between one and 256 blocks of packet numbers
which have been successfully received. If the Num Blocks field is absent, only
the First ACK Block length is present in this section. Otherwise, the Num Blocks
field indicates how many additional blocks follow the First ACK Block Length
field.</t>

<figure title="ACK Block Section" anchor="ack-block-format"><artwork><![CDATA[
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|              First ACK Block Length (8/16/32/48)            ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  [Gap 1 (8)]  |       [ACK Block 1 Length (8/16/32/48)]     ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  [Gap 2 (8)]  |       [ACK Block 2 Length (8/16/32/48)]     ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                             ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  [Gap N (8)]  |       [ACK Block N Length (8/16/32/48)]     ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork></figure>

<t>The fields in the ACK Block Section are:</t>

<t><list style="hanging">
  <t hangText='First ACK Block Length:'>
  An unsigned packet number delta that indicates the number of contiguous
additional packets being acknowledged starting at the Largest Acknowledged.</t>
  <t hangText='Gap To Next Block (opt, repeated):'>
  An unsigned number specifying the number of contiguous missing packets from
the end of the previous ACK block to the start of the next.  Repeated “Num
Blocks” times.</t>
  <t hangText='ACK Block Length (opt, repeated):'>
  An unsigned packet number delta that indicates the number of contiguous
packets being acknowledged starting after the end of the previous gap.
Repeated “Num Blocks” times.</t>
</list></t>

</section>
<section anchor="timestamp-section" title="Timestamp Section">

<t>The Timestamp Section contains between zero and 255 measurements of packet
receive times relative to the beginning of the connection.</t>

<figure title="Timestamp Section" anchor="timestamp-format"><artwork><![CDATA[
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+
| [Delta LA (8)]|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    [First Timestamp (32)]                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|[Delta LA 1(8)]| [Time Since Previous 1 (16)]  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|[Delta LA 2(8)]| [Time Since Previous 2 (16)]  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
                       ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|[Delta LA N(8)]| [Time Since Previous N (16)]  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork></figure>

<t>The fields in the Timestamp Section are:</t>

<t><list style="hanging">
  <t hangText='Delta Largest Acknowledged (opt):'>
  An optional 8-bit unsigned packet number delta specifying the delta between
the largest acknowledged and the first packet whose timestamp is being
reported.  In other words, this first packet number may be computed as
(Largest Acknowledged - Delta Largest Acknowledged.)</t>
  <t hangText='First Timestamp (opt):'>
  An optional 32-bit unsigned value specifying the time delta in microseconds,
from the beginning of the connection to the arrival of the packet indicated by
Delta Largest Acknowledged.</t>
  <t hangText='Delta Largest Acked 1..N (opt, repeated):'>
  This field has the same semantics and format as “Delta Largest Acknowledged”.
Repeated “Num Timestamps - 1” times.</t>
  <t hangText='Time Since Previous Timestamp 1..N(opt, repeated):'>
  An optional 16-bit unsigned value specifying time delta from the previous
reported timestamp.  It is encoded in the same format as the ACK Delay.
Repeated “Num Timestamps - 1” times.</t>
</list></t>

<t>The timestamp section lists packet receipt timestamps ordered by timestamp.</t>

<section anchor="time-format" title="Time Format">

<t>DISCUSS_AND_REPLACE: Perhaps make this format simpler.</t>

<t>The time format used in the ACK frame above is a 16-bit unsigned float with 11
explicit bits of mantissa and 5 bits of explicit exponent, specifying time in
microseconds.  The bit format is loosely modeled after IEEE 754.  For example, 1
microsecond is represented as 0x1, which has an exponent of zero, presented in
the 5 high order bits, and mantissa of 1, presented in the 11 low order bits.
When the explicit exponent is greater than zero, an implicit high-order 12th bit
of 1 is assumed in the mantissa.  For example, a floating value of 0x800 has an
explicit exponent of 1, as well as an explicit mantissa of 0, but then has an
effective mantissa of 4096 (12th bit is assumed to be 1).  Additionally, the
actual exponent is one-less than the explicit exponent, and the value represents
4096 microseconds.  Any values larger than the representable range are clamped
to 0xFFFF.</t>

</section>
</section>
<section anchor="ack-frames-and-packet-protection" title="ACK Frames and Packet Protection">

<t>ACK frames that acknowledge protected packets MUST be carried in a packet that
has an equivalent or greater level of packet protection.</t>

<t>Packets that are protected with 1-RTT keys MUST be acknowledged in packets that
are also protected with 1-RTT keys.</t>

<t>A packet that is not protected and claims to acknowledge a packet number that
was sent with packet protection is not valid.  An unprotected packet that
carries acknowledgments for protected packets MUST be discarded in its entirety.</t>

<t>Packets that a client sends with 0-RTT packet protection MUST be acknowledged by
the server in packets protected by 1-RTT keys.  This can mean that the client is
unable to use these acknowledgments if the server cryptographic handshake
messages are delayed or lost.  Note that the same limitation applies to other
data sent by the server protected by the 1-RTT keys.</t>

<t>Unprotected packets, such as those that carry the initial cryptographic
handshake messages, MAY be acknowledged in unprotected packets.  Unprotected
packets are vulnerable to falsification or modification.  Unprotected packets
can be acknowledged along with protected packets in a protected packet.</t>

<t>An endpoint SHOULD acknowledge packets containing cryptographic handshake
messages in the next unprotected packet that it sends, unless it is able to
acknowledge those packets in later packets protected by 1-RTT keys.  At the
completion of the cryptographic handshake, both peers send unprotected packets
containing cryptographic handshake messages followed by packets protected by
1-RTT keys. An endpoint SHOULD acknowledge the unprotected packets that complete
the cryptographic handshake in a protected packet, because its peer is
guaranteed to have access to 1-RTT packet protection keys.</t>

<t>For instance, a server acknowledges a TLS ClientHello in the packet that carries
the TLS ServerHello; similarly, a client can acknowledge a TLS HelloRetryRequest
in the packet containing a second TLS ClientHello.  The complete set of server
handshake messages (TLS ServerHello through to Finished) might be acknowledged
by a client in protected packets, because it is certain that the server is able
to decipher the packet.</t>

</section>
</section>
<section anchor="frame-max-data" title="MAX_DATA Frame">

<t>The MAX_DATA frame (type=0x04) is used in flow control to inform the peer of
the maximum amount of data that can be sent on the connection as a whole.</t>

<t>The frame is as follows:</t>

<figure><artwork><![CDATA[
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                        Maximum Data (64)                      +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork></figure>

<t>The fields in the MAX_DATA frame are as follows:</t>

<t><list style="hanging">
  <t hangText='Maximum Data:'>
  A 64-bit unsigned integer indicating the maximum amount of data that can be
sent on the entire connection, in units of 1024 octets.  That is, the updated
connection-level data limit is determined by multiplying the encoded value by
1024.</t>
</list></t>

<t>All data sent in STREAM frames counts toward this limit, with the exception of
data on stream 0.  The sum of the largest received offsets on all streams -
including closed streams, but excluding stream 0 - MUST NOT exceed the value
advertised by a receiver.  An endpoint MUST terminate a connection with a
QUIC_FLOW_CONTROL_RECEIVED_TOO_MUCH_DATA error if it receives more data than the
maximum data value that it has sent, unless this is a result of a change in the
initial limits (see <xref target="zerortt-parameters"/>).</t>

</section>
<section anchor="frame-max-stream-data" title="MAX_STREAM_DATA Frame">

<t>The MAX_STREAM_DATA frame (type=0x05) is used in flow control to inform a peer
of the maximum amount of data that can be sent on a stream.</t>

<t>The frame is as follows:</t>

<figure><artwork><![CDATA[
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Stream ID (32)                         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                    Maximum Stream Data (64)                   +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork></figure>

<t>The fields in the MAX_STREAM_DATA frame are as follows:</t>

<t><list style="hanging">
  <t hangText='Stream ID:'>
  The stream ID of the stream that is affected.</t>
  <t hangText='Maximum Stream Data:'>
  A 64-bit unsigned integer indicating the maximum amount of data that can be
sent on the identified stream, in units of octets.</t>
</list></t>

<t>When counting data toward this limit, an endpoint accounts for the largest
received offset of data that is sent or received on the stream.  Loss or
reordering can mean that the largest received offset on a stream can be greater
than the total size of data received on that stream.  Receiving STREAM frames
might not increase the largest received offset.</t>

<t>The data sent on a stream MUST NOT exceed the largest maximum stream data value
advertised by the receiver.  An endpoint MUST terminate a connection with a
QUIC_FLOW_CONTROL_RECEIVED_TOO_MUCH_DATA error if it receives more data than the
largest maximum stream data that it has sent for the affected stream, unless
this is a result of a change in the initial limits (see <xref target="zerortt-parameters"/>).</t>

</section>
<section anchor="frame-max-stream-id" title="MAX_STREAM_ID Frame">

<t>The MAX_STREAM_ID frame (type=0x06) informs the peer of the maximum stream ID
that they are permitted to open.</t>

<t>The frame is as follows:</t>

<figure><artwork><![CDATA[
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Maximum Stream ID (32)                     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork></figure>

<t>The fields in the MAX_STREAM_ID frame are as follows:</t>

<t><list style="hanging">
  <t hangText='Maximum Stream ID:'>
  ID of the maximum peer-initiated stream ID for the connection.</t>
</list></t>

<t>Loss or reordering can mean that a MAX_STREAM_ID frame can be received which
states a lower stream limit than the client has previously received.
MAX_STREAM_ID frames which do not increase the maximum stream ID MUST be
ignored.</t>

<t>A peer MUST NOT initiate a stream with a higher stream ID than the greatest
maximum stream ID it has received.  An endpoint MUST terminate a connection with
a QUIC_TOO_MANY_OPEN_STREAMS error if a peer initiates a stream with a higher
stream ID than it has sent, unless this is a result of a change in the initial
limits (see <xref target="zerortt-parameters"/>).</t>

</section>
<section anchor="frame-blocked" title="BLOCKED Frame">

<t>A sender sends a BLOCKED frame (type=0x08) when it wishes to send data, but is
unable to due to connection-level flow control (see <xref target="blocking"/>). BLOCKED
frames can be used as input to tuning of flow control algorithms (see
<xref target="fc-credit"/>).</t>

<t>The BLOCKED frame does not contain a payload.</t>

</section>
<section anchor="frame-stream-blocked" title="STREAM_BLOCKED Frame">

<t>A sender sends a STREAM_BLOCKED frame (type=0x09) when it wishes to send data,
but is unable to due to stream-level flow control.  This frame is analogous to
BLOCKED (<xref target="frame-blocked"/>).</t>

<t>The STREAM_BLOCKED frame is as follows:</t>

<figure><artwork><![CDATA[
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Stream ID (32)                         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork></figure>

<t>The STREAM_BLOCKED frame contains a single field:</t>

<t><list style="hanging">
  <t hangText='Stream ID:'>
  A 32-bit unsigned number indicating the stream which is flow control blocked.</t>
</list></t>

<t>An endpoint MAY send a STREAM_BLOCKED frame for a stream that exceeds the
maximum stream ID set by its peer (see <xref target="frame-max-stream-id"/>).  This does not
open the stream, but informs the peer that a new stream was needed, but the
stream limit prevented the creation of the stream.</t>

</section>
<section anchor="frame-stream-id-needed" title="STREAM_ID_NEEDED Frame">

<t>A sender sends a STREAM_ID_NEEDED frame (type=0x0a) when it wishes to open a
stream, but is unable to due to the maximum stream ID limit.</t>

<t>The STREAM_ID_NEEDED frame does not contain a payload.</t>

</section>
<section anchor="frame-rst-stream" title="RST_STREAM Frame">

<t>An endpoint may use a RST_STREAM frame (type=0x01) to abruptly terminate a
stream.</t>

<t>After sending a RST_STREAM, an endpoint ceases transmission of STREAM frames on
the identified stream.  A receiver of RST_STREAM can discard any data that it
already received on that stream.  An endpoint sends a RST_STREAM in response to
a RST_STREAM unless the stream is already closed.</t>

<t>The RST_STREAM frame is as follows:</t>

<figure><artwork><![CDATA[
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Stream ID (32)                         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Error Code (32)                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                       Final Offset (64)                       +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork></figure>

<t>The fields are:</t>

<t><list style="hanging">
  <t hangText='Error code:'>
  A 32-bit error code which indicates why the stream is being closed.</t>
  <t hangText='Stream ID:'>
  The 32-bit Stream ID of the stream being terminated.</t>
  <t hangText='Final offset:'>
  A 64-bit unsigned integer indicating the absolute byte offset of the end of
data written on this stream by the RST_STREAM sender.</t>
</list></t>

</section>
<section anchor="frame-padding" title="PADDING Frame">

<t>The PADDING frame (type=0x00) has no semantic value.  PADDING frames can be used
to increase the size of a packet.  Padding can be used to increase an initial
client packet to the minimum required size, or to provide protection against
traffic analysis for protected packets.</t>

<t>A PADDING frame has no content.  That is, a PADDING frame consists of the single
octet that identifies the frame as a PADDING frame.</t>

</section>
<section anchor="frame-ping" title="PING frame">

<t>Endpoints can use PING frames (type=0x07) to verify that their peers are still
alive or to check reachability to the peer. The PING frame contains no
additional fields. The receiver of a PING frame simply needs to acknowledge the
packet containing this frame. The PING frame SHOULD be used to keep a connection
alive when a stream is open. The default is to send a PING frame after 15
seconds of quiescence. A PING frame has no additional fields.</t>

</section>
<section anchor="frame-new-connection-id" title="NEW_CONNECTION_ID Frame">

<t>A server sends a NEW_CONNECTION_ID to provide the client with alternative
connection IDs that can be used to break linkability when migrating connections
(see <xref target="migration-linkability"/>).</t>

<t>The NEW_CONNECTION_ID is as follows:</t>

<figure><artwork><![CDATA[
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|       Sequence (16)           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                        Connection ID (64)                     +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork></figure>

<t>The fields are:</t>

<t><list style="hanging">
  <t hangText='Sequence:'>
  A 16-bit sequence number.  This value starts at 0 and increases by 1 for each
connection ID that is provided by the server.  The sequence value can wrap;
the value 65535 is followed by 0.  When wrapping the sequence field, the
server MUST ensure that a value with the same sequence has been received and
acknowledged by the client.  The connection ID that is assigned during the
handshake is assumed to have a sequence of 65535.</t>
  <t hangText='Connection ID:'>
  A 64-bit connection ID.</t>
</list></t>

</section>
<section anchor="frame-connection-close" title="CONNECTION_CLOSE frame">

<t>An endpoint sends a CONNECTION_CLOSE frame (type=0x02) to notify its peer that
the connection is being closed.  If there are open streams that haven’t been
explicitly closed, they are implicitly closed when the connection is closed.
(Ideally, a GOAWAY frame would be sent with enough time that all streams are
torn down.)  The frame is as follows:</t>

<figure><artwork><![CDATA[
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Error Code (32)                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Reason Phrase Length (16)   |      [Reason Phrase (*)]    ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork></figure>

<t>The fields of a CONNECTION_CLOSE frame are as follows:</t>

<t><list style="hanging">
  <t hangText='Error Code:'>
  A 32-bit error code which indicates the reason for closing this connection.</t>
  <t hangText='Reason Phrase Length:'>
  A 16-bit unsigned number specifying the length of the reason phrase.  Note
that a CONNECTION_CLOSE frame cannot be split between packets, so in practice
any limits on packet size will also limit the space available for a reason
phrase.</t>
  <t hangText='Reason Phrase:'>
  A human-readable explanation for why the connection was closed.  This can be
zero length if the sender chooses to not give details beyond the Error Code.
This SHOULD be a UTF-8 encoded string <xref target="RFC3629"/>.</t>
</list></t>

</section>
<section anchor="frame-goaway" title="GOAWAY Frame">

<t>An endpoint uses a GOAWAY frame (type=0x03) to initiate a graceful shutdown of a
connection.  The endpoints will continue to use any active streams, but the
sender of the GOAWAY will not initiate or accept any additional streams beyond
those indicated.  The GOAWAY frame is as follows:</t>

<figure><artwork><![CDATA[
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                  Largest Client Stream ID (32)                |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                  Largest Server Stream ID (32)                |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork></figure>

<t>The fields of a GOAWAY frame are:</t>

<t><list style="hanging">
  <t hangText='Largest Client Stream ID:'>
  The highest-numbered, client-initiated stream on which the endpoint sending
the GOAWAY frame either sent data, or received and delivered data.  All
higher-numbered, client-initiated streams (that is, odd-numbered streams) are
implicitly reset by sending or receiving the GOAWAY frame.</t>
  <t hangText='Largest Server Stream ID:'>
  The highest-numbered, server-initiated stream on which the endpoint sending
the GOAWAY frame either sent data, or received and delivered data.  All
higher-numbered, server-initiated streams (that is, even-numbered streams) are
implicitly reset by sending or receiving the GOAWAY frame.</t>
</list></t>

<t>A GOAWAY frame indicates that any application layer actions on streams with
higher numbers than those indicated can be safely retried because no data was
exchanged.  An endpoint MUST set the value of the Largest Client or Server
Stream ID to be at least as high as the highest-numbered stream on which it
either sent data or received and delivered data to the application protocol that
uses QUIC.</t>

<t>An endpoint MAY choose a larger stream identifier if it wishes to allow for a
number of streams to be created.  This is especially valuable for peer-initiated
streams where packets creating new streams could be in transit; using a larger
stream number allows those streams to complete.</t>

<t>In addition to initiating a graceful shutdown of a connection, GOAWAY MAY be
sent immediately prior to sending a CONNECTION_CLOSE frame that is sent as a
result of detecting a fatal error.  Higher-numbered streams than those indicated
in the GOAWAY frame can then be retried.</t>

</section>
</section>
<section anchor="packetization" title="Packetization and Reliability">

<t>The Path Maximum Transmission Unit (PMTU) is the maximum size of the entire IP
header, UDP header, and UDP payload. The UDP payload includes the QUIC public
header, protected payload, and any authentication fields.</t>

<t>All QUIC packets SHOULD be sized to fit within the estimated PMTU to avoid IP
fragmentation or packet drops. To optimize bandwidth efficiency, endpoints
SHOULD use Packetization Layer PMTU Discovery (<xref target="RFC4821"/>) and MAY use PMTU
Discovery (<xref target="RFC1191"/>, <xref target="RFC1981"/>) for detecting the PMTU, setting the PMTU
appropriately, and storing the result of previous PMTU determinations.</t>

<t>In the absence of these mechanisms, QUIC endpoints SHOULD NOT send IP packets
larger than 1280 octets. Assuming the minimum IP header size, this results in
a QUIC packet size of 1232 octets for IPv6 and 1252 octets for IPv4.</t>

<t>QUIC endpoints that implement any kind of PMTU discovery SHOULD maintain an
estimate for each combination of local and remote IP addresses (as each pairing
could have a different maximum MTU in the path).</t>

<t>QUIC depends on the network path supporting a MTU of at least 1280 octets. This
is the IPv6 minimum and therefore also supported by most modern IPv4 networks.
An endpoint MUST NOT reduce their MTU below this number, even if it receives
signals that indicate a smaller limit might exist.</t>

<t>Clients MUST ensure that the first packet in a connection, and any
retransmissions of those octets, has a QUIC packet size of least 1232 octets for
an IPv6 packet and 1252 octets for an IPv4 packet.  In the absence of extensions
to the IP header, padding to exactly these values will result in an IP packet
that is 1280 octets.</t>

<t>The initial client packet SHOULD be padded to exactly these values unless the
client has a reasonable assurance that the PMTU is larger.  Sending a packet of
this size ensures that the network path supports an MTU of this size and helps
reduce the amplitude of amplification attacks caused by server responses toward
an unverified client address.</t>

<t>Servers MUST ignore an initial plaintext packet from a client if its total size
is less than 1232 octets for IPv6 or 1252 octets for IPv4.</t>

<t>If a QUIC endpoint determines that the PMTU between any pair of local and remote
IP addresses has fallen below 1280 octets, it MUST immediately cease sending
QUIC packets on the affected path.  This could result in termination of the
connection if an alternative path cannot be found.</t>

<t>A sender bundles one or more frames in a Regular QUIC packet (see <xref target="frames"/>).</t>

<t>A sender SHOULD minimize per-packet bandwidth and computational costs by
bundling as many frames as possible within a QUIC packet.  A sender MAY wait for
a short period of time to bundle multiple frames before sending a packet that is
not maximally packed, to avoid sending out large numbers of small packets.  An
implementation may use heuristics about expected application sending behavior to
determine whether and for how long to wait.  This waiting period is an
implementation decision, and an implementation should be careful to delay
conservatively, since any delay is likely to increase application-visible
latency.</t>

<t>Regular QUIC packets are “containers” of frames; a packet is never retransmitted
whole.  How an endpoint handles the loss of the frame depends on the type of the
frame.  Some frames are simply retransmitted, some have their contents moved to
new frames, and others are never retransmitted.</t>

<t>When a packet is detected as lost, the sender re-sends any frames as necessary:</t>

<t><list style="symbols">
  <t>All application data sent in STREAM frames MUST be retransmitted, unless the
endpoint has sent a RST_STREAM for that stream.  When an endpoint sends a
RST_STREAM frame, data outstanding on that stream SHOULD NOT be retransmitted,
since subsequent data on this stream is expected to not be delivered by the
receiver.</t>
  <t>ACK and PADDING frames MUST NOT be retransmitted.  ACK frames are cumulative,
so new frames containing updated information will be sent as described in
<xref target="frame-ack"/>.</t>
  <t>All other frames MUST be retransmitted.</t>
</list></t>

<t>Upon detecting losses, a sender MUST take appropriate congestion control action.
The details of loss detection and congestion control are described in
<xref target="QUIC-RECOVERY"/>.</t>

<t>A packet MUST NOT be acknowledged until packet protection has been successfully
removed and all frames contained in the packet have been processed.  For STREAM
frames, this means the data has been queued (but not necessarily delivered to
the application).  This also means that any stream state transitions triggered
by STREAM or RST_STREAM frames have occurred. Once the packet has been fully
processed, a receiver acknowledges receipt by sending one or more ACK frames
containing the packet number of the received packet.</t>

<t>To avoid creating an indefinite feedback loop, an endpoint MUST NOT generate an
ACK frame in response to a packet containing only ACK or PADDING frames.</t>

<t>Strategies and implications of the frequency of generating acknowledgments are
discussed in more detail in <xref target="QUIC-RECOVERY"/>.</t>

<section anchor="special-considerations-for-pmtu-discovery" title="Special Considerations for PMTU Discovery">

<t>Traditional ICMP-based path MTU discovery in IPv4 <xref target="RFC1191"/> is potentially
vulnerable to off-path attacks that successfully guess the IP/port 4-tuple and
reduce the MTU to a bandwidth-inefficient value. TCP connections mitigate this
risk by using the (at minimum) 8 bytes of transport header echoed in the ICMP
message to validate the TCP sequence number as valid for the current
connection. However, as QUIC operates over UDP, in IPv4 the echoed information
could consist only of the IP and UDP headers, which usually has insufficient
entropy to mitigate off-path attacks.</t>

<t>As a result, endpoints that implement PMTUD in IPv4 SHOULD take steps to
mitigate this risk. For instance, an application could:</t>

<t><list style="symbols">
  <t>Set the IPv4 Don’t Fragment (DF) bit on a small proportion of packets, so that
most invalid ICMP messages arrive when there are no DF packets outstanding, and
can therefore be identified as spurious.</t>
  <t>Store additional information from the IP or UDP headers from DF packets (for
example, the IP ID or UDP checksum) to further authenticate incoming Datagram
Too Big messages.</t>
  <t>Any reduction in PMTU due to a report contained in an ICMP packet is
provisional until QUIC’s loss detection algorithm determines that the packet is
actually lost.</t>
</list></t>

</section>
</section>
<section anchor="streams" title="Streams: QUIC’s Data Structuring Abstraction">

<t>Streams in QUIC provide a lightweight, ordered, and bidirectional byte-stream
abstraction modeled closely on HTTP/2 streams <xref target="RFC7540"/>.</t>

<t>Streams can be created either by the client or the server, can concurrently send
data interleaved with other streams, and can be cancelled.</t>

<t>Data that is received on a stream is delivered in order within that stream, but
there is no particular delivery order across streams.  Transmit ordering among
streams is left to the implementation.</t>

<t>The creation and destruction of streams are expected to have minimal bandwidth
and computational cost.  A single STREAM frame may create, carry data for, and
terminate a stream, or a stream may last the entire duration of a connection.</t>

<t>Streams are individually flow controlled, allowing an endpoint to limit memory
commitment and to apply back pressure.  The creation of streams is also flow
controlled, with each peer declaring the maximum stream ID it is willing to
accept at a given time.</t>

<t>An alternative view of QUIC streams is as an elastic “message” abstraction,
similar to the way ephemeral streams are used in SST
<xref target="SST"/>, which may be a more appealing description
for some applications.</t>

<section anchor="stream-id" title="Stream Identifiers">

<t>Streams are identified by an unsigned 32-bit integer, referred to as the Stream
ID.  To avoid Stream ID collision, clients initiate streams using odd-numbered
Stream IDs; streams initiated by the server use even-numbered Stream IDs.</t>

<t>Stream ID 0 (0x0) is reserved for the cryptographic handshake.  Stream 0 MUST
NOT be used for application data, and is the first client-initiated stream.</t>

<t>A QUIC endpoint cannot reuse a Stream ID.  Streams MUST be created in sequential
order.  Open streams can be used in any order.  Streams that are used out of
order result in lower-numbered streams in the same direction being counted as
open.</t>

<t>Stream IDs are usually encoded as a 32-bit integer, though the STREAM frame
(<xref target="frame-stream"/>) permits a shorter encoding when the leading bits of the
stream ID are zero.</t>

</section>
<section anchor="life-of-a-stream" title="Life of a Stream">

<t>The semantics of QUIC streams is based on HTTP/2 streams, and the lifecycle of a
QUIC stream therefore closely follows that of an HTTP/2 stream <xref target="RFC7540"/>,
with some differences to accommodate the possibility of out-of-order delivery
due to the use of multiple streams in QUIC.  The lifecycle of a QUIC stream is
shown in the following figure and described below.</t>

<figure title="Lifecycle of a stream" anchor="stream-lifecycle"><artwork><![CDATA[
                            +--------+
                            |        |
                            |  idle  |
                            |        |
                            +--------+
                                 |
                        send/recv STREAM/RST
                             recv MSD/SB
                                 |
                                 v
                 recv FIN/  +--------+    send FIN/
                 recv RST   |        |    send RST
                  ,---------|  open  |-----------.
                 /          |        |            \
                v           +--------+             v
         +----------+                          +----------+
         |   half   |                          |   half   |
         |  closed  |                          |  closed  |
         | (remote) |                          |  (local) |
         +----------+                          +----------+
             |                                        |
             |   send FIN/  +--------+    recv FIN/   |
              \  send RST   |        |    recv RST   /
               `----------->| closed |<-------------'
                            |        |
                            +--------+

   send:   endpoint sends this frame
   recv:   endpoint receives this frame

   STREAM: a STREAM frame
   FIN:    FIN flag in a STREAM frame
   RST:    RST_STREAM frame
   MSD:    MAX_STREAM_DATA frame
   SB:     STREAM_BLOCKED frame
]]></artwork></figure>

<t>Note that this diagram shows stream state transitions and the frames and flags
that affect those transitions only.  It is possible for a single frame to cause
two transitions: receiving a RST_STREAM frame, or a STREAM frame with the FIN
flag cause the stream state to move from “idle” to “open” and then immediately
to one of the “half-closed” states.</t>

<t>The recipient of a frame that changes stream state will have a delayed view of
the state of a stream while the frame is in transit.  Endpoints do not
coordinate the creation of streams; they are created unilaterally by either
endpoint.  Endpoints can use acknowledgments to understand the peer’s subjective
view of stream state at any given time.</t>

<t>In the absence of more specific guidance elsewhere in this document,
implementations SHOULD treat the receipt of a frame that is not expressly
permitted in the description of a state as a connection error (see
<xref target="error-handling"/>).</t>

<section anchor="idle" title="idle">

<t>All streams start in the “idle” state.</t>

<t>The following transitions are valid from this state:</t>

<t>Sending or receiving a STREAM or RST_STREAM frame causes the identified stream
to become “open”.  The stream identifier for a new stream is selected as
described in <xref target="stream-id"/>.  A RST_STREAM frame, or a STREAM frame with the FIN
flag set also causes a stream to become “half-closed”.</t>

<t>An endpoint might receive MAX_STREAM_DATA or STREAM_BLOCKED frames on
peer-initiated streams that are “idle” if there is loss or reordering of
packets.  Receiving these frames also causes the stream to become “open”.</t>

<t>An endpoint MUST NOT send a STREAM or RST_STREAM frame for a stream ID that is
higher than the peers advertised maximum stream ID (see
<xref target="frame-max-stream-id"/>).</t>

</section>
<section anchor="open" title="open">

<t>A stream in the “open” state may be used by both peers to send frames of any
type.  In this state, endpoints can send MAX_STREAM_DATA and MUST observe the
value advertised by its receiving peer (see <xref target="flow-control"/>).</t>

<t>Opening a stream causes all lower-numbered streams in the same direction to
become open.  Thus, opening an odd-numbered stream causes all “idle”,
odd-numbered streams with a lower identifier to become open and the same applies
to even numbered streams.  Endpoints open streams in increasing numeric order,
but loss or reordering can cause packets that open streams to arrive out of
order.</t>

<t>From the “open” state, either endpoint can send a frame with the FIN flag set,
which causes the stream to transition into one of the “half-closed” states.
This flag can be set on the frame that opens the stream, which causes the stream
to immediately become “half-closed”.  Once an endpoint has completed sending all
stream data and a STREAM frame with a FIN flag, the stream state becomes
“half-closed (local)”.  When an endpoint receives all stream data a FIN flag the
stream state becomes “half-closed (remote)”.  An endpoint MUST NOT consider the
stream state to have changed until all data has been sent, received or
discarded.</t>

<t>A RST_STREAM frame on an “open” stream causes the stream to become
“half-closed”.  A stream that becomes “open” as a result of sending or receiving
RST_STREAM immediately becomes “half-closed”.  Sending a RST_STREAM frame causes
the stream to become “half-closed (local)”; receiving RST_STREAM causes the
stream to become “half-closed (remote)”.</t>

<t>Any frame type that mentions a stream ID can be sent in this state.</t>

</section>
<section anchor="half-closed-local" title="half-closed (local)">

<t>A stream that is in the “half-closed (local)” state MUST NOT be used for sending
on new STREAM frames.  Retransmission of data that has already been sent on
STREAM frames is permitted.  An endpoint MAY also send MAX_STREAM_DATA and
RST_STREAM in this state.</t>

<t>An endpoint that closes a stream MUST NOT send data beyond the final offset that
it has chosen, see <xref target="state-closed"/> for details.</t>

<t>A stream transitions from this state to “closed” when a STREAM frame that
contains a FIN flag is received and all prior data has arrived, or when a
RST_STREAM frame is received.</t>

<t>An endpoint can receive any frame that mentions a stream ID in this state.
Providing flow-control credit using MAX_STREAM_DATA frames is necessary to
continue receiving flow-controlled frames.  In this state, a receiver MAY ignore
MAX_STREAM_DATA frames for this stream, which might arrive for a short period
after a frame bearing the FIN flag is sent.</t>

</section>
<section anchor="state-hc-remote" title="half-closed (remote)">

<t>A stream is “half-closed (remote)” when the stream is no longer being used by
the peer to send any data.  An endpoint will have either received all data that
a peer has sent or will have received a RST_STREAM frame and discarded any
received data.</t>

<t>Once all data has been either received or discarded, a sender is no longer
obligated to update the maximum received data for the connection.</t>

<t>An endpoint that receives a RST_STREAM frame (and which has not sent a FIN or a
RST_STREAM) MUST immediately respond with a RST_STREAM frame, and MUST NOT send
any more data on the stream.</t>

<t>Due to reordering, an endpoint could continue receiving frames for the stream
even after the stream is closed for sending.  Frames received after a peer
closes a stream SHOULD be discarded.  An endpoint MAY choose to limit the period
over which it ignores frames and treat frames that arrive after this time as
being in error.</t>

<t>An endpoint will know the final offset of the data it receives on a stream when
it reaches the “half-closed (remote)” state, see <xref target="final-offset"/> for details.</t>

<t>A stream in this state can be used by the endpoint to send any frame that
mentions a stream ID.  In this state, the endpoint MUST observe advertised
stream and connection data limits (see <xref target="flow-control"/>).</t>

<t>A stream transitions from this state to “closed” by completing transmission of
all data.  This includes sending all data carried in STREAM frames up including
the terminal STREAM frame that contains a FIN flag.</t>

<t>A stream becomes “closed” when the endpoint sends and receives acknowledgment of
a RST_STREAM frame.</t>

</section>
<section anchor="state-closed" title="closed">

<t>The “closed” state is the terminal state for a stream.</t>

<t>Once a stream reaches this state, no frames can be sent that mention the stream.
Reordering might cause frames to be received after closing, see
<xref target="state-hc-remote"/>.</t>

</section>
</section>
<section anchor="stream-concurrency" title="Stream Concurrency">

<t>An endpoint limits the number of concurrently active incoming streams by
adjusting the maximum stream ID.  An initial value is set in the transport
parameters (see <xref target="transport-parameter-definitions"/>) and is subsequently
increased by MAX_STREAM_ID frames (see <xref target="frame-max-stream-id"/>).</t>

<t>The maximum stream ID is specific to each endpoint and applies only to the peer
that receives the setting. That is, clients specify the maximum stream ID the
server can initiate, and servers specify the maximum stream ID the client can
initiate.  Each endpoint may respond on streams initiated by the other peer,
regardless of whether it is permitted to initiated new streams.</t>

<t>Endpoints MUST NOT exceed the limit set by their peer.  An endpoint that
receives a STREAM frame with an ID greater than the limit it has sent MUST treat
this as a stream error of type QUIC_TOO_MANY_OPEN_STREAMS (<xref target="error-handling"/>),
unless this is a result of a change in the initial offsets (see
<xref target="zerortt-parameters"/>).</t>

<t>A receiver MUST NOT renege on an advertisement; that is, once a receiver
advertises a stream ID via a MAX_STREAM_ID frame, it MUST NOT subsequently
advertise a smaller maximum ID.  A sender may receive MAX_STREAM_ID frames out
of order; a sender MUST therefore ignore any MAX_STREAM_ID that does not
increase the maximum.</t>

</section>
<section anchor="sending-and-receiving-data" title="Sending and Receiving Data">

<t>Once a stream is created, endpoints may use the stream to send and receive data.
Each endpoint may send a series of STREAM frames encapsulating data on a stream
until the stream is terminated in that direction.  Streams are an ordered
byte-stream abstraction, and they have no other structure within them.  STREAM
frame boundaries are not expected to be preserved in retransmissions from the
sender or during delivery to the application at the receiver.</t>

<t>When new data is to be sent on a stream, a sender MUST set the encapsulating
STREAM frame’s offset field to the stream offset of the first byte of this new
data.  The first byte of data that is sent on a stream has the stream offset 0.
The largest offset delivered on a stream MUST be less than 2^64. A receiver
MUST ensure that received stream data is delivered to the application as an
ordered byte-stream.  Data received out of order MUST be buffered for later
delivery, as long as it is not in violation of the receiver’s flow control
limits.</t>

<t>An endpoint MUST NOT send data on any stream without ensuring that it is within
the data limits set by its peer.  The cryptographic handshake stream, Stream 0,
is exempt from the connection-level data limits established by MAX_DATA.  Stream
0 is still subject to stream-level data limits and MAX_STREAM_DATA.</t>

<t>Flow control is described in detail in <xref target="flow-control"/>, and congestion control
is described in the companion document <xref target="QUIC-RECOVERY"/>.</t>

</section>
<section anchor="stream-prioritization" title="Stream Prioritization">

<t>Stream multiplexing has a significant effect on application performance if
resources allocated to streams are correctly prioritized.  Experience with other
multiplexed protocols, such as HTTP/2 <xref target="RFC7540"/>, shows that effective
prioritization strategies have a significant positive impact on performance.</t>

<t>QUIC does not provide frames for exchanging prioritization information.  Instead
it relies on receiving priority information from the application that uses QUIC.
Protocols that use QUIC are able to define any prioritization scheme that suits
their application semantics.  A protocol might define explicit messages for
signaling priority, such as those defined in HTTP/2; it could define rules that
allow an endpoint to determine priority based on context; or it could leave the
determination to the application.</t>

<t>A QUIC implementation SHOULD provide ways in which an application can indicate
the relative priority of streams.  When deciding which streams to dedicate
resources to, QUIC SHOULD use the information provided by the application.
Failure to account for priority of streams can result in suboptimal performance.</t>

<t>Stream priority is most relevant when deciding which stream data will be
transmitted.  Often, there will be limits on what can be transmitted as a result
of connection flow control or the current congestion controller state.</t>

<t>Giving preference to the transmission of its own management frames ensures that
the protocol functions efficiently.  That is, prioritizing frames other than
STREAM frames ensures that loss recovery, congestion control, and flow control
operate effectively.</t>

<t>Stream 0 MUST be prioritized over other streams prior to the completion of the
cryptographic handshake.  This includes the retransmission of the second flight
of client handshake messages, that is, the TLS Finished and any client
authentication messages.</t>

<t>STREAM frames that are determined to be lost SHOULD be retransmitted before
sending new data, unless application priorities indicate otherwise.
Retransmitting lost STREAM frames can fill in gaps, which allows the peer to
consume already received data and free up flow control window.</t>

</section>
</section>
<section anchor="flow-control" title="Flow Control">

<t>It is necessary to limit the amount of data that a sender may have outstanding
at any time, so as to prevent a fast sender from overwhelming a slow receiver,
or to prevent a malicious sender from consuming significant resources at a
receiver.  This section describes QUIC’s flow-control mechanisms.</t>

<t>QUIC employs a credit-based flow-control scheme similar to HTTP/2’s flow control
<xref target="RFC7540"/>.  A receiver advertises the number of octets it is prepared to
receive on a given stream and for the entire connection.  This leads to two
levels of flow control in QUIC: (i) Connection flow control, which prevents
senders from exceeding a receiver’s buffer capacity for the connection, and (ii)
Stream flow control, which prevents a single stream from consuming the entire
receive buffer for a connection.</t>

<t>A receiver sends MAX_DATA or MAX_STREAM_DATA frames to the sender to advertise
additional credit by sending the absolute byte offset in the connection or
stream which it is willing to receive.</t>

<t>A receiver MAY advertise a larger offset at any point by sending MAX_DATA or
MAX_STREAM_DATA frames.  A receiver MUST NOT renege on an advertisement; that
is, once a receiver advertises an offset, it MUST NOT subsequently advertise a
smaller offset.  A sender could receive MAX_DATA or MAX_STREAM_DATA frames out
of order; a sender MUST therefore ignore any flow control offset that does not
move the window forward.</t>

<t>A receiver MUST close the connection with a
QUIC_FLOW_CONTROL_RECEIVED_TOO_MUCH_DATA error (<xref target="error-handling"/>) if the
peer violates the advertised connection or stream data limits.</t>

<t>A sender MUST send BLOCKED frames to indicate it has data to write but is
blocked by lack of connection or stream flow control credit.  BLOCKED frames are
expected to be sent infrequently in common cases, but they are considered useful
for debugging and monitoring purposes.</t>

<t>A receiver advertises credit for a stream by sending a MAX_STREAM_DATA frame
with the Stream ID set appropriately. A receiver could use the current offset of
data consumed to determine the flow control offset to be advertised.  A receiver
MAY send MAX_STREAM_DATA frames in multiple packets in order to make sure that
the sender receives an update before running out of flow control credit, even if
one of the packets is lost.</t>

<t>Connection flow control is a limit to the total bytes of stream data sent in
STREAM frames on all streams.  A receiver advertises credit for a connection by
sending a MAX_DATA frame.  A receiver maintains a cumulative sum of bytes
received on all streams, which are used to check for flow control violations. A
receiver might use a sum of bytes consumed on all contributing streams to
determine the maximum data limit to be advertised.</t>

<section anchor="edge-cases-and-other-considerations" title="Edge Cases and Other Considerations">

<t>There are some edge cases which must be considered when dealing with stream and
connection level flow control.  Given enough time, both endpoints must agree on
flow control state.  If one end believes it can send more than the other end is
willing to receive, the connection will be torn down when too much data arrives.</t>

<t>Conversely if a sender believes it is blocked, while endpoint B expects more
data can be received, then the connection can be in a deadlock, with the sender
waiting for a MAX_DATA or MAX_STREAM_DATA frame which will never come.</t>

<t>On receipt of a RST_STREAM frame, an endpoint will tear down state for the
matching stream and ignore further data arriving on that stream.  This could
result in the endpoints getting out of sync, since the RST_STREAM frame may have
arrived out of order and there may be further bytes in flight.  The data sender
would have counted the data against its connection level flow control budget,
but a receiver that has not received these bytes would not know to include them
as well.  The receiver must learn the number of bytes that were sent on the
stream to make the same adjustment in its connection flow controller.</t>

<t>To avoid this de-synchronization, a RST_STREAM sender MUST include the final
byte offset sent on the stream in the RST_STREAM frame.  On receiving a
RST_STREAM frame, a receiver definitively knows how many bytes were sent on that
stream before the RST_STREAM frame, and the receiver MUST use the final offset
to account for all bytes sent on the stream in its connection level flow
controller.</t>

<section anchor="response-to-a-rststream" title="Response to a RST_STREAM">

<t>Since streams are bidirectional, a sender of a RST_STREAM needs to know how many
bytes the peer has sent on the stream.  If an endpoint receives a RST_STREAM
frame and has sent neither a FIN nor a RST_STREAM, it MUST send a RST_STREAM in
response, bearing the offset of the last byte sent on this stream as the final
offset.</t>

</section>
<section anchor="fc-credit" title="Data Limit Increments">

<t>This document leaves when and how many bytes to advertise in a MAX_DATA or
MAX_STREAM_DATA to implementations, but offers a few considerations.  These
frames contribute to connection overhead.  Therefore frequently sending frames
with small changes is undesirable.  At the same time, infrequent updates require
larger increments to limits if blocking is to be avoided.  Thus, larger updates
require a receiver to commit to larger resource commitments.  Thus there is a
tradeoff between resource commitment and overhead when determining how large a
limit is advertised.</t>

<t>A receiver MAY use an autotuning mechanism to tune the frequency and amount that
it increases data limits based on a roundtrip time estimate and the rate at
which the receiving application consumes data, similar to common TCP
implementations.</t>

</section>
</section>
<section anchor="stream-limit-increment" title="Stream Limit Increment">

<t>As with flow control, this document leaves when and how many streams to make
available to a peer via MAX_STREAM_ID to implementations, but offers a few
considerations.  MAX_STREAM_ID frames constitute minimal overhead, while
withholding MAX_STREAM_ID frames can prevent the peer from using the available
parallelism.</t>

<t>Implementations will likely want to increase the maximum stream ID as
peer-initiated streams close.  A receiver MAY also advance the maximum stream ID
based on current activity, system conditions, and other environmental factors.</t>

<section anchor="blocking" title="Blocking on Flow Control">

<t>If a sender does not receive a MAX_DATA or MAX_STREAM_DATA frame when it has run
out of flow control credit, the sender will be blocked and MUST send a BLOCKED
or STREAM_BLOCKED frame.  These frames are expected to be useful for debugging
at the receiver; they do not require any other action.  A receiver SHOULD NOT
wait for a BLOCKED or STREAM_BLOCKED frame before sending MAX_DATA or
MAX_STREAM_DATA, since doing so will mean that a sender is unable to send for an
entire round trip.</t>

<t>For smooth operation of the congestion controller, it is generally considered
best to not let the sender go into quiescence if avoidable.  To avoid blocking a
sender, and to reasonably account for the possibiity of loss, a receiver should
send a MAX_DATA or MAX_STREAM_DATA frame at least two roundtrips before it
expects the sender to get blocked.</t>

<t>A sender sends a single BLOCKED or STREAM_BLOCKED frame only once when it
reaches a data limit.  A sender MUST NOT send multiple BLOCKED or STREAM_BLOCKED
frames for the same data limit, unless the original frame is determined to be
lost.  Another BLOCKED or STREAM_BLOCKED frame can be sent after the data limit
is increased.</t>

</section>
</section>
<section anchor="final-offset" title="Stream Final Offset">

<t>The final offset is the count of the number of octets that are transmitted on a
stream.  For a stream that is reset, the final offset is carried explicitly in
the RST_STREAM frame.  Otherwise, the final offset is the offset of the end of
the data carried in STREAM frame marked with a FIN flag.</t>

<t>An endpoint will know the final offset for a stream when the stream enters the
“half-closed (remote)” state.  However, if there is reordering or loss, an
endpoint might learn the final offset prior to entering this state if it is
carried on a STREAM frame.</t>

<t>An endpoint MUST NOT send data on a stream at or beyond the final offset.</t>

<t>Once a final offset for a stream is known, it cannot change.  If a RST_STREAM or
STREAM frame causes the final offset to change for a stream, an endpoint SHOULD
respond with a QUIC_STREAM_DATA_AFTER_TERMINATION error (see
<xref target="error-handling"/>).  A receiver SHOULD treat receipt of data at or beyond the
final offset as a QUIC_STREAM_DATA_AFTER_TERMINATION error, even after a stream
is closed.  Generating these errors is not mandatory, but only because
requiring that an endpoint generate these errors also means that the endpoint
needs to maintain the final offset state for closed streams, which could mean a
significant state commitment.</t>

</section>
</section>
<section anchor="error-handling" title="Error Handling">

<t>An endpoint that detects an error SHOULD signal the existence of that error to
its peer.  Errors can affect an entire connection (see <xref target="connection-errors"/>),
or a single stream (see <xref target="stream-errors"/>).</t>

<t>The most appropriate error code (<xref target="error-codes"/>) SHOULD be included in the
frame that signals the error.  Where this specification identifies error
conditions, it also identifies the error code that is used.</t>

<t>Public Reset is not suitable for any error that can be signaled with a
CONNECTION_CLOSE or RST_STREAM frame.  Public Reset MUST NOT be sent by an
endpoint that has the state necessary to send a frame on the connection.</t>

<section anchor="connection-errors" title="Connection Errors">

<t>Errors that result in the connection being unusable, such as an obvious
violation of protocol semantics or corruption of state that affects an entire
connection, MUST be signaled using a CONNECTION_CLOSE frame
(<xref target="frame-connection-close"/>). An endpoint MAY close the connection in this
manner, even if the error only affects a single stream.</t>

<t>A CONNECTION_CLOSE frame could be sent in a packet that is lost.  An endpoint
SHOULD be prepared to retransmit a packet containing a CONNECTION_CLOSE frame if
it receives more packets on a terminated connection.  Limiting the number of
retransmissions and the time over which this final packet is sent limits the
effort expended on terminated connections.</t>

<t>An endpoint that chooses not to retransmit packets containing CONNECTION_CLOSE
risks a peer missing the first such packet.  The only mechanism available to an
endpoint that continues to receive data for a terminated connection is to send a
Public Reset packet.</t>

</section>
<section anchor="stream-errors" title="Stream Errors">

<t>If the error affects a single stream, but otherwise leaves the connection in a
recoverable state, the endpoint can send a RST_STREAM frame
(<xref target="frame-rst-stream"/>) with an appropriate error code to terminate just the
affected stream.</t>

<t>Stream 0 is critical to the functioning of the entire connection.  If stream 0
is closed with either a RST_STREAM or STREAM frame bearing the FIN flag, an
endpoint MUST generate a connection error of type QUIC_CLOSED_CRITICAL_STREAM.</t>

<t>Some application protocols make other streams critical to that protocol.  An
application protocol does not need to inform the transport that a stream is
critical; it can instead generate appropriate errors in response to being
notified that the critical stream is closed.</t>

<t>An endpoint MAY send a RST_STREAM frame in the same packet as a CONNECTION_CLOSE
frame.</t>

</section>
<section anchor="error-codes" title="Error Codes">

<t>Error codes are 32 bits long, with the first two bits indicating the source of
the error code:</t>

<t><list style="hanging">
  <t hangText='0x00000000-0x3FFFFFFF:'>
  Application-specific error codes.  Defined by each application-layer protocol.</t>
  <t hangText='0x40000000-0x7FFFFFFF:'>
  Reserved for host-local error codes.  These codes MUST NOT be sent to a peer,
but MAY be used in API return codes and logs.</t>
  <t hangText='0x80000000-0xBFFFFFFF:'>
  QUIC transport error codes, including packet protection errors.  Applicable to
all uses of QUIC.</t>
  <t hangText='0xC0000000-0xFFFFFFFF:'>
  Cryptographic error codes.  Defined by the cryptographic handshake protocol
in use.</t>
</list></t>

<t>This section lists the defined QUIC transport error codes that may be used in a
CONNECTION_CLOSE or RST_STREAM frame. Error codes share a common code space.
Some error codes apply only to either streams or the entire connection and have
no defined semantics in the other context.</t>

<t><list style="hanging">
  <t hangText='QUIC_INTERNAL_ERROR (0x80000001):'>
  Connection has reached an invalid state.</t>
  <t hangText='QUIC_STREAM_DATA_AFTER_TERMINATION (0x80000002):'>
  There were data frames after the a fin or reset.</t>
  <t hangText='QUIC_INVALID_PACKET_HEADER (0x80000003):'>
  Control frame is malformed.</t>
  <t hangText='QUIC_INVALID_FRAME_DATA (0x80000004):'>
  Frame data is malformed.</t>
  <t hangText='QUIC_MULTIPLE_TERMINATION_OFFSETS (0x80000005):'>
  Multiple final offset values were received on the same stream</t>
  <t hangText='QUIC_STREAM_CANCELLED (0x80000006):'>
  The stream was cancelled</t>
  <t hangText='QUIC_CLOSED_CRITICAL_STREAM (0x80000007):'>
  A stream that is critical to the protocol was closed.</t>
  <t hangText='QUIC_MISSING_PAYLOAD (0x80000030):'>
  The packet contained no payload.</t>
  <t hangText='QUIC_INVALID_STREAM_DATA (0x8000002E):'>
  STREAM frame data is malformed.</t>
  <t hangText='QUIC_UNENCRYPTED_STREAM_DATA (0x8000003D):'>
  Received STREAM frame data is not encrypted.</t>
  <t hangText='QUIC_MAYBE_CORRUPTED_MEMORY (0x80000059):'>
  Received a frame which is likely the result of memory corruption.</t>
  <t hangText='QUIC_INVALID_RST_STREAM_DATA (0x80000006):'>
  RST_STREAM frame data is malformed.</t>
  <t hangText='QUIC_INVALID_CONNECTION_CLOSE_DATA (0x80000007):'>
  CONNECTION_CLOSE frame data is malformed.</t>
  <t hangText='QUIC_INVALID_GOAWAY_DATA (0x80000008):'>
  GOAWAY frame data is malformed.</t>
  <t hangText='QUIC_INVALID_WINDOW_UPDATE_DATA (0x80000039):'>
  WINDOW_UPDATE frame data is malformed.</t>
  <t hangText='QUIC_INVALID_BLOCKED_DATA (0x8000003A):'>
  BLOCKED frame data is malformed.</t>
  <t hangText='QUIC_INVALID_PATH_CLOSE_DATA (0x8000004E):'>
  PATH_CLOSE frame data is malformed.</t>
  <t hangText='QUIC_INVALID_ACK_DATA (0x80000009):'>
  ACK frame data is malformed.</t>
  <t hangText='QUIC_INVALID_VERSION_NEGOTIATION_PACKET (0x8000000A):'>
  Version negotiation packet is malformed.</t>
  <t hangText='QUIC_INVALID_PUBLIC_RST_PACKET (0x8000000b):'>
  Public RST packet is malformed.</t>
  <t hangText='QUIC_DECRYPTION_FAILURE (0x8000000c):'>
  There was an error decrypting.</t>
  <t hangText='QUIC_ENCRYPTION_FAILURE (0x8000000d):'>
  There was an error encrypting.</t>
  <t hangText='QUIC_PACKET_TOO_LARGE (0x8000000e):'>
  The packet exceeded kMaxPacketSize.</t>
  <t hangText='QUIC_PEER_GOING_AWAY (0x80000010):'>
  The peer is going away. May be a client or server.</t>
  <t hangText='QUIC_INVALID_STREAM_ID (0x80000011):'>
  A stream ID was invalid.</t>
  <t hangText='QUIC_INVALID_PRIORITY (0x80000031):'>
  A priority was invalid.</t>
  <t hangText='QUIC_TOO_MANY_OPEN_STREAMS (0x80000012):'>
  Too many streams already open.</t>
  <t hangText='QUIC_TOO_MANY_AVAILABLE_STREAMS (0x8000004c):'>
  The peer created too many available streams.</t>
  <t hangText='QUIC_PUBLIC_RESET (0x80000013):'>
  Received public reset for this connection.</t>
  <t hangText='QUIC_INVALID_VERSION (0x80000014):'>
  Invalid protocol version.</t>
  <t hangText='QUIC_INVALID_HEADER_ID (0x80000016):'>
  The Header ID for a stream was too far from the previous.</t>
  <t hangText='QUIC_INVALID_NEGOTIATED_VALUE (0x80000017):'>
  Negotiable parameter received during handshake had invalid value.</t>
  <t hangText='QUIC_DECOMPRESSION_FAILURE (0x80000018):'>
  There was an error decompressing data.</t>
  <t hangText='QUIC_NETWORK_IDLE_TIMEOUT (0x80000019):'>
  The connection timed out due to no network activity.</t>
  <t hangText='QUIC_HANDSHAKE_TIMEOUT (0x80000043):'>
  The connection timed out waiting for the handshake to complete.</t>
  <t hangText='QUIC_ERROR_MIGRATING_ADDRESS (0x8000001a):'>
  There was an error encountered migrating addresses.</t>
  <t hangText='QUIC_ERROR_MIGRATING_PORT (0x80000056):'>
  There was an error encountered migrating port only.</t>
  <t hangText='QUIC_EMPTY_STREAM_FRAME_NO_FIN (0x80000032):'>
  We received a STREAM_FRAME with no data and no fin flag set.</t>
  <t hangText='QUIC_FLOW_CONTROL_RECEIVED_TOO_MUCH_DATA (0x8000003b):'>
  The peer received too much data, violating flow control.</t>
  <t hangText='QUIC_FLOW_CONTROL_SENT_TOO_MUCH_DATA (0x8000003f):'>
  The peer sent too much data, violating flow control.</t>
  <t hangText='QUIC_FLOW_CONTROL_INVALID_WINDOW (0x80000040):'>
  The peer received an invalid flow control window.</t>
  <t hangText='QUIC_CONNECTION_IP_POOLED (0x8000003e):'>
  The connection has been IP pooled into an existing connection.</t>
  <t hangText='QUIC_TOO_MANY_OUTSTANDING_SENT_PACKETS (0x80000044):'>
  The connection has too many outstanding sent packets.</t>
  <t hangText='QUIC_TOO_MANY_OUTSTANDING_RECEIVED_PACKETS (0x80000045):'>
  The connection has too many outstanding received packets.</t>
  <t hangText='QUIC_CONNECTION_CANCELLED (0x80000046):'>
  The QUIC connection has been cancelled.</t>
  <t hangText='QUIC_BAD_PACKET_LOSS_RATE (0x80000047):'>
  Disabled QUIC because of high packet loss rate.</t>
  <t hangText='QUIC_PUBLIC_RESETS_POST_HANDSHAKE (0x80000049):'>
  Disabled QUIC because of too many PUBLIC_RESETs post handshake.</t>
  <t hangText='QUIC_TIMEOUTS_WITH_OPEN_STREAMS (0x8000004a):'>
  Disabled QUIC because of too many timeouts with streams open.</t>
  <t hangText='QUIC_TOO_MANY_RTOS (0x80000055):'>
  QUIC timed out after too many RTOs.</t>
  <t hangText='QUIC_ENCRYPTION_LEVEL_INCORRECT (0x8000002c):'>
  A packet was received with the wrong encryption level (i.e. it should
have been encrypted but was not.)</t>
  <t hangText='QUIC_VERSION_NEGOTIATION_MISMATCH (0x80000037):'>
  This connection involved a version negotiation which appears to have been
tampered with.</t>
  <t hangText='QUIC_IP_ADDRESS_CHANGED (0x80000050):'>
  IP address changed causing connection close.</t>
  <t hangText='QUIC_ADDRESS_VALIDATION_FAILURE (0x80000051):'>
  Client address validation failed.</t>
  <t hangText='QUIC_TOO_MANY_FRAME_GAPS (0x8000005d):'>
  Stream frames arrived too discontiguously so that stream sequencer buffer
maintains too many gaps.</t>
  <t hangText='QUIC_TOO_MANY_SESSIONS_ON_SERVER (0x80000060):'>
  Connection closed because server hit max number of sessions allowed.</t>
</list></t>

</section>
</section>
<section anchor="security-and-privacy-considerations" title="Security and Privacy Considerations">

<section anchor="spoofed-ack-attack" title="Spoofed ACK Attack">

<t>An attacker receives an STK from the server and then releases the IP address on
which it received the STK.  The attacker may, in the future, spoof this same
address (which now presumably addresses a different endpoint), and initiate a
0-RTT connection with a server on the victim’s behalf.  The attacker then spoofs
ACK frames to the server which cause the server to potentially drown the victim
in data.</t>

<t>There are two possible mitigations to this attack.  The simplest one is that a
server can unilaterally create a gap in packet-number space.  In the non-attack
scenario, the client will send an ACK frame with the larger value for largest
acknowledged.  In the attack scenario, the attacker could acknowledge a packet
in the gap.  If the server sees an acknowledgment for a packet that was never
sent, the connection can be aborted.</t>

<t>The second mitigation is that the server can require that acknowledgments for
sent packets match the encryption level of the sent packet.  This mitigation is
useful if the connection has an ephemeral forward-secure key that is generated
and used for every new connection.  If a packet sent is protected with a
forward-secure key, then any acknowledgments that are received for them MUST
also be forward-secure protected.  Since the attacker will not have the forward
secure key, the attacker will not be able to generate forward-secure protected
packets with ACK frames.</t>

</section>
<section anchor="slowloris-attacks" title="Slowloris Attacks">

<t>The attacks commonly known as Slowloris <xref target="SLOWLORIS"/> try to keep many
connections to the target endpoint open and hold them open as long as possible.
These attacks can be executed against a QUIC endpoint by generating the minimum
amount of activity necessary to avoid being closed for inactivity.  This might
involve sending small amounts of data, gradually opening flow control windows in
order to control the sender rate, or manufacturing ACK frames that simulate a
high loss rate.</t>

<t>QUIC deployments SHOULD provide mitigations for the Slowloris attacks, such as
increasing the maximum number of clients the server will allow, limiting the
number of connections a single IP address is allowed to make, imposing
restrictions on the minimum transfer speed a connection is allowed to have, and
restricting the length of time an endpoint is allowed to stay connected.</t>

</section>
<section anchor="stream-fragmentation-and-reassembly-attacks" title="Stream Fragmentation and Reassembly Attacks">

<t>An adversarial endpoint might intentionally fragment the data on stream buffers
in order to cause disproportionate memory commitment.  An adversarial endpoint
could open a stream and send some STREAM frames containing arbitrary fragments
of the stream content.</t>

<t>The attack is mitigated if flow control windows correspond to available
memory.  However, some receivers will over-commit memory and advertise flow
control offsets in the aggregate that exceed actual available memory.  The
over-commitment strategy can lead to better performance when endpoints are well
behaved, but renders endpoints vulnerable to the stream fragmentation attack.</t>

<t>QUIC deployments SHOULD provide mitigations against the stream fragmentation
attack.  Mitigations could consist of avoiding over-committing memory, delaying
reassembly of STREAM frames, implementing heuristics based on the age and
duration of reassembly holes, or some combination.</t>

</section>
<section anchor="stream-commitment-attack" title="Stream Commitment Attack">

<t>An adversarial endpoint can open lots of streams, exhausting state on an
endpoint.  The adversarial endpoint could repeat the process on a large number
of connections, in a manner similar to SYN flooding attacks in TCP.</t>

<t>Normally, clients will open streams sequentially, as explained in <xref target="stream-id"/>.
However, when several streams are initiated at short intervals, transmission
error may cause STREAM DATA frames opening streams to be received out of
sequence.  A receiver is obligated to open intervening streams if a
higher-numbered stream ID is received.  Thus, on a new connection, opening
stream 2000001 opens 1 million streams, as required by the specification.</t>

<t>The number of active streams is limited by the concurrent stream limit transport
parameter, as explained in <xref target="stream-concurrency"/>.  If chosen judisciously, this
limit mitigates the effect of the stream commitment attack.  However, setting
the limit too low could affect performance when applications expect to open
large number of streams.</t>

</section>
</section>
<section anchor="iana-considerations" title="IANA Considerations">

<section anchor="iana-transport-parameters" title="QUIC Transport Parameter Registry">

<t>IANA [SHALL add/has added] a registry for “QUIC Transport Parameters” under a
“QUIC Protocol” heading.</t>

<t>The “QUIC Transport Parameters” registry governs a 16-bit space.  This space is
split into two spaces that are governed by different policies.  Values with the
first byte in the range 0x00 to 0xfe (in hexadecimal) are assigned via the
Specification Required policy <xref target="RFC5226"/>.  Values with the first byte 0xff are
reserved for Private Use <xref target="RFC5226"/>.</t>

<t>Registrations MUST include the following fields:</t>

<t><list style="hanging">
  <t hangText='Value:'>
  The numeric value of the assignment (registrations will be between 0x0000 and
0xfeff).</t>
  <t hangText='Parameter Name:'>
  A short mnemonic for the parameter.</t>
  <t hangText='Specification:'>
  A reference to a publicly available specification for the value.</t>
</list></t>

<t>The nominated expert(s) verify that a specification exists and is readily
accessible.  The expert(s) are encouraged to be biased towards approving
registrations unless they are abusive, frivolous, or actively harmful (not
merely aesthetically displeasing, or architecturally dubious).</t>

<t>The initial contents of this registry are shown in
<xref target="iana-tp-table"/>.</t>

<texttable title="Initial QUIC Transport Parameters Entries" anchor="iana-tp-table">
      <ttcol align='left'>Value</ttcol>
      <ttcol align='left'>Parameter Name</ttcol>
      <ttcol align='left'>Specification</ttcol>
      <c>0x0000</c>
      <c>initial_max_stream_data</c>
      <c><xref target="transport-parameter-definitions"/></c>
      <c>0x0001</c>
      <c>initial_max_data</c>
      <c><xref target="transport-parameter-definitions"/></c>
      <c>0x0002</c>
      <c>initial_max_stream_id</c>
      <c><xref target="transport-parameter-definitions"/></c>
      <c>0x0003</c>
      <c>idle_timeout</c>
      <c><xref target="transport-parameter-definitions"/></c>
      <c>0x0004</c>
      <c>truncate_connection_id</c>
      <c><xref target="transport-parameter-definitions"/></c>
      <c>0x0005</c>
      <c>max_packet_size</c>
      <c><xref target="transport-parameter-definitions"/></c>
</texttable>

</section>
</section>


  </middle>

  <back>

    <references title='Normative References'>

<reference anchor="QUIC-RECOVERY" >
  <front>
    <title>QUIC Loss Detection and Congestion Control</title>
    <author initials="J." surname="Iyengar" fullname="Jana Iyengar" role="editor">
      <organization>Google</organization>
    </author>
    <author initials="I." surname="Swett" fullname="Ian Swett" role="editor">
      <organization>Google</organization>
    </author>
    <date />
  </front>
  <seriesInfo name="Internet-Draft" value="draft-ietf-quic-recovery-latest"/>
</reference>
<reference anchor="QUIC-TLS" >
  <front>
    <title>Using Transport Layer Security (TLS) to Secure QUIC</title>
    <author initials="M." surname="Thomson" fullname="Martin Thomson" role="editor">
      <organization>Mozilla</organization>
    </author>
    <author initials="S." surname="Turner" fullname="Sean Turner" role="editor">
      <organization>sn3rd</organization>
    </author>
    <date />
  </front>
  <seriesInfo name="Internet-Draft" value="draft-ietf-quic-tls-latest"/>
</reference>




<reference  anchor="RFC2119" target='http://www.rfc-editor.org/info/rfc2119'>
<front>
<title>Key words for use in RFCs to Indicate Requirement Levels</title>
<author initials='S.' surname='Bradner' fullname='S. Bradner'><organization /></author>
<date year='1997' month='March' />
<abstract><t>In many standards track documents several words are used to signify the requirements in the specification.  These words are often capitalized. This document defines these words as they should be interpreted in IETF documents.  This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t></abstract>
</front>
<seriesInfo name='BCP' value='14'/>
<seriesInfo name='RFC' value='2119'/>
<seriesInfo name='DOI' value='10.17487/RFC2119'/>
</reference>



<reference anchor="I-D.ietf-tls-tls13">
<front>
<title>The Transport Layer Security (TLS) Protocol Version 1.3</title>

<author initials='E' surname='Rescorla' fullname='Eric Rescorla'>
    <organization />
</author>

<date month='April' day='28' year='2017' />

<abstract><t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol.  TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t></abstract>

</front>

<seriesInfo name='Internet-Draft' value='draft-ietf-tls-tls13-20' />
<format type='TXT'
        target='http://www.ietf.org/internet-drafts/draft-ietf-tls-tls13-20.txt' />
</reference>



<reference  anchor="RFC3629" target='http://www.rfc-editor.org/info/rfc3629'>
<front>
<title>UTF-8, a transformation format of ISO 10646</title>
<author initials='F.' surname='Yergeau' fullname='F. Yergeau'><organization /></author>
<date year='2003' month='November' />
<abstract><t>ISO/IEC 10646-1 defines a large character set called the Universal Character Set (UCS) which encompasses most of the world's writing systems.  The originally proposed encodings of the UCS, however, were not compatible with many current applications and protocols, and this has led to the development of UTF-8, the object of this memo.  UTF-8 has the characteristic of preserving the full US-ASCII range, providing compatibility with file systems, parsers and other software that rely on US-ASCII values but are transparent to other values.  This memo obsoletes and replaces RFC 2279.</t></abstract>
</front>
<seriesInfo name='STD' value='63'/>
<seriesInfo name='RFC' value='3629'/>
<seriesInfo name='DOI' value='10.17487/RFC3629'/>
</reference>



<reference  anchor="RFC4821" target='http://www.rfc-editor.org/info/rfc4821'>
<front>
<title>Packetization Layer Path MTU Discovery</title>
<author initials='M.' surname='Mathis' fullname='M. Mathis'><organization /></author>
<author initials='J.' surname='Heffner' fullname='J. Heffner'><organization /></author>
<date year='2007' month='March' />
<abstract><t>This document describes a robust method for Path MTU Discovery (PMTUD) that relies on TCP or some other Packetization Layer to probe an Internet path with progressively larger packets.  This method is described as an extension to RFC 1191 and RFC 1981, which specify ICMP-based Path MTU Discovery for IP versions 4 and 6, respectively.  [STANDARDS-TRACK]</t></abstract>
</front>
<seriesInfo name='RFC' value='4821'/>
<seriesInfo name='DOI' value='10.17487/RFC4821'/>
</reference>



<reference  anchor="RFC1191" target='http://www.rfc-editor.org/info/rfc1191'>
<front>
<title>Path MTU discovery</title>
<author initials='J.C.' surname='Mogul' fullname='J.C. Mogul'><organization /></author>
<author initials='S.E.' surname='Deering' fullname='S.E. Deering'><organization /></author>
<date year='1990' month='November' />
<abstract><t>This memo describes a technique for dynamically discovering the maximum transmission unit (MTU) of an arbitrary internet path.  It specifies a small change to the way routers generate one type of ICMP message.  For a path that passes through a router that has not been so changed, this technique might not discover the correct Path MTU, but it will always choose a Path MTU as accurate as, and in many cases more accurate than, the Path MTU that would be chosen by current practice.  [STANDARDS-TRACK]</t></abstract>
</front>
<seriesInfo name='RFC' value='1191'/>
<seriesInfo name='DOI' value='10.17487/RFC1191'/>
</reference>



<reference  anchor="RFC1981" target='http://www.rfc-editor.org/info/rfc1981'>
<front>
<title>Path MTU Discovery for IP version 6</title>
<author initials='J.' surname='McCann' fullname='J. McCann'><organization /></author>
<author initials='S.' surname='Deering' fullname='S. Deering'><organization /></author>
<author initials='J.' surname='Mogul' fullname='J. Mogul'><organization /></author>
<date year='1996' month='August' />
<abstract><t>This document describes Path MTU Discovery for IP version 6.  It is largely derived from RFC 1191, which describes Path MTU Discovery for IP version 4.  [STANDARDS-TRACK]</t></abstract>
</front>
<seriesInfo name='RFC' value='1981'/>
<seriesInfo name='DOI' value='10.17487/RFC1981'/>
</reference>



<reference  anchor="RFC5226" target='http://www.rfc-editor.org/info/rfc5226'>
<front>
<title>Guidelines for Writing an IANA Considerations Section in RFCs</title>
<author initials='T.' surname='Narten' fullname='T. Narten'><organization /></author>
<author initials='H.' surname='Alvestrand' fullname='H. Alvestrand'><organization /></author>
<date year='2008' month='May' />
<abstract><t>Many protocols make use of identifiers consisting of constants and other well-known values.  Even after a protocol has been defined and deployment has begun, new values may need to be assigned (e.g., for a new option type in DHCP, or a new encryption or authentication transform for IPsec).  To ensure that such quantities have consistent values and interpretations across all implementations, their assignment must be administered by a central authority.  For IETF protocols, that role is provided by the Internet Assigned Numbers Authority (IANA).</t><t>In order for IANA to manage a given namespace prudently, it needs guidelines describing the conditions under which new values can be assigned or when modifications to existing values can be made.  If IANA is expected to play a role in the management of a namespace, IANA must be given clear and concise instructions describing that role.  This document discusses issues that should be considered in formulating a policy for assigning values to a namespace and provides guidelines for authors on the specific text that must be included in documents that place demands on IANA.</t><t>This document obsoletes RFC 2434.  This document specifies an Internet Best  Current Practices for the Internet Community, and requests discussion and  suggestions for improvements.</t></abstract>
</front>
<seriesInfo name='BCP' value='26'/>
<seriesInfo name='RFC' value='5226'/>
<seriesInfo name='DOI' value='10.17487/RFC5226'/>
</reference>




    </references>

    <references title='Informative References'>

<reference anchor="EARLY-DESIGN" target="https://goo.gl/dMVtFi">
  <front>
    <title>QUIC: Multiplexed Transport Over UDP</title>
    <author initials="J." surname="Roskind">
      <organization></organization>
    </author>
    <date year="2013" month="December" day="02"/>
  </front>
</reference>
<reference anchor="SLOWLORIS" target="https://web.archive.org/web/20150315054838/http://ha.ckers.org/slowloris/">
  <front>
    <title>Welcome to Slowloris...</title>
    <author initials="R." surname="RSnake Hansen">
      <organization></organization>
    </author>
    <date year="2009" month="June"/>
  </front>
</reference>




<reference  anchor="RFC2360" target='http://www.rfc-editor.org/info/rfc2360'>
<front>
<title>Guide for Internet Standards Writers</title>
<author initials='G.' surname='Scott' fullname='G. Scott'><organization /></author>
<date year='1998' month='June' />
<abstract><t>This document is a guide for Internet standard writers.  It defines those characteristics that make standards coherent, unambiguous, and easy to interpret.  This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t></abstract>
</front>
<seriesInfo name='BCP' value='22'/>
<seriesInfo name='RFC' value='2360'/>
<seriesInfo name='DOI' value='10.17487/RFC2360'/>
</reference>



<reference  anchor="RFC6824" target='http://www.rfc-editor.org/info/rfc6824'>
<front>
<title>TCP Extensions for Multipath Operation with Multiple Addresses</title>
<author initials='A.' surname='Ford' fullname='A. Ford'><organization /></author>
<author initials='C.' surname='Raiciu' fullname='C. Raiciu'><organization /></author>
<author initials='M.' surname='Handley' fullname='M. Handley'><organization /></author>
<author initials='O.' surname='Bonaventure' fullname='O. Bonaventure'><organization /></author>
<date year='2013' month='January' />
<abstract><t>TCP/IP communication is currently restricted to a single path per connection, yet multiple paths often exist between peers.  The simultaneous use of these multiple paths for a TCP/IP session would improve resource usage within the network and, thus, improve user experience through higher throughput and improved resilience to network failure.</t><t>Multipath TCP provides the ability to simultaneously use multiple paths between peers.  This document presents a set of extensions to traditional TCP to support multipath operation.  The protocol offers the same type of service to applications as TCP (i.e., reliable bytestream), and it provides the components necessary to establish and use multiple TCP flows across potentially disjoint paths.  This  document defines an Experimental Protocol for the Internet community.</t></abstract>
</front>
<seriesInfo name='RFC' value='6824'/>
<seriesInfo name='DOI' value='10.17487/RFC6824'/>
</reference>



<reference  anchor="RFC4086" target='http://www.rfc-editor.org/info/rfc4086'>
<front>
<title>Randomness Requirements for Security</title>
<author initials='D.' surname='Eastlake 3rd' fullname='D. Eastlake 3rd'><organization /></author>
<author initials='J.' surname='Schiller' fullname='J. Schiller'><organization /></author>
<author initials='S.' surname='Crocker' fullname='S. Crocker'><organization /></author>
<date year='2005' month='June' />
<abstract><t>Security systems are built on strong cryptographic algorithms that foil pattern analysis attempts.  However, the security of these systems is dependent on generating secret quantities for passwords, cryptographic keys, and similar quantities.  The use of pseudo-random processes to generate secret quantities can result in pseudo-security. A sophisticated attacker may find it easier to reproduce the environment that produced the secret quantities and to search the resulting small set of possibilities than to locate the quantities in the whole of the potential number space.</t><t>Choosing random quantities to foil a resourceful and motivated adversary is surprisingly difficult.  This document points out many pitfalls in using poor entropy sources or traditional pseudo-random number generation techniques for generating such quantities.  It recommends the use of truly random hardware techniques and shows that the existing hardware on many systems can be used for this purpose. It provides suggestions to ameliorate the problem when a hardware solution is not available, and it gives examples of how large such quantities need to be for some applications.  This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t></abstract>
</front>
<seriesInfo name='BCP' value='106'/>
<seriesInfo name='RFC' value='4086'/>
<seriesInfo name='DOI' value='10.17487/RFC4086'/>
</reference>



<reference  anchor="RFC7301" target='http://www.rfc-editor.org/info/rfc7301'>
<front>
<title>Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension</title>
<author initials='S.' surname='Friedl' fullname='S. Friedl'><organization /></author>
<author initials='A.' surname='Popov' fullname='A. Popov'><organization /></author>
<author initials='A.' surname='Langley' fullname='A. Langley'><organization /></author>
<author initials='E.' surname='Stephan' fullname='E. Stephan'><organization /></author>
<date year='2014' month='July' />
<abstract><t>This document describes a Transport Layer Security (TLS) extension for application-layer protocol negotiation within the TLS handshake. For instances in which multiple application protocols are supported on the same TCP or UDP port, this extension allows the application layer to negotiate which protocol will be used within the TLS connection.</t></abstract>
</front>
<seriesInfo name='RFC' value='7301'/>
<seriesInfo name='DOI' value='10.17487/RFC7301'/>
</reference>



<reference  anchor="RFC7540" target='http://www.rfc-editor.org/info/rfc7540'>
<front>
<title>Hypertext Transfer Protocol Version 2 (HTTP/2)</title>
<author initials='M.' surname='Belshe' fullname='M. Belshe'><organization /></author>
<author initials='R.' surname='Peon' fullname='R. Peon'><organization /></author>
<author initials='M.' surname='Thomson' fullname='M. Thomson' role='editor'><organization /></author>
<date year='2015' month='May' />
<abstract><t>This specification describes an optimized expression of the semantics of the Hypertext Transfer Protocol (HTTP), referred to as HTTP version 2 (HTTP/2).  HTTP/2 enables a more efficient use of network resources and a reduced perception of latency by introducing header field compression and allowing multiple concurrent exchanges on the same connection.  It also introduces unsolicited push of representations from servers to clients.</t><t>This specification is an alternative to, but does not obsolete, the HTTP/1.1 message syntax.  HTTP's existing semantics remain unchanged.</t></abstract>
</front>
<seriesInfo name='RFC' value='7540'/>
<seriesInfo name='DOI' value='10.17487/RFC7540'/>
</reference>

<reference anchor="SST" >
  <front>
    <title>Structured streams</title>
    <author initials="B." surname="Ford" fullname="Bryan Ford">
      <organization></organization>
    </author>
    <date year="2007" month="October"/>
  </front>
  <seriesInfo name="ACM SIGCOMM Computer Communication Review" value="Vol. 37, pp. 361"/>
  <seriesInfo name="DOI" value="10.1145/1282427.1282421"/>
</reference>




    </references>


<section anchor="contributors" title="Contributors">

<t>The original authors of this specification were Ryan Hamilton, Jana Iyengar, Ian
Swett, and Alyssa Wilk.</t>

<t>The original design and rationale behind this protocol draw significantly from
work by Jim Roskind <xref target="EARLY-DESIGN"/>. In alphabetical order, the contributors to
the pre-IETF QUIC project at Google are: Britt Cyr, Jeremy Dorfman, Ryan
Hamilton, Jana Iyengar, Fedor Kouranov, Charles Krasic, Jo Kulik, Adam Langley,
Jim Roskind, Robbie Shade, Satyam Shekhar, Cherie Shi, Ian Swett, Raman Tenneti,
Victor Vasiliev, Antonio Vicente, Patrik Westin, Alyssa Wilk, Dale Worley, Fan
Yang, Dan Zhang, Daniel Ziegler.</t>

</section>
<section anchor="acknowledgments" title="Acknowledgments">

<t>Special thanks are due to the following for helping shape pre-IETF QUIC and its
deployment: Chris Bentzel, Misha Efimov, Roberto Peon, Alistair Riddoch,
Siddharth Vijayakrishnan, and Assar Westerlund.</t>

<t>This document has benefited immensely from various private discussions and
public ones on the quic@ietf.org and proto-quic@chromium.org mailing lists. Our
thanks to all.</t>

</section>
<section anchor="change-log" title="Change Log">

<t><list style='empty'>
  <t><spanx style="strong">RFC Editor’s Note:</spanx> Please remove this section prior to publication of a
final version of this document.</t>
</list></t>

<t>Issue and pull request numbers are listed with a leading octothorp.</t>

<section anchor="since-draft-ietf-quic-transport-02" title="Since draft-ietf-quic-transport-02">

<t><list style="symbols">
  <t>The size of the initial packet payload has a fixed minimum (#267, #472)</t>
  <t>Define when Version Negotiation packets are ignored (#284, #294, #241, #143,
#474)</t>
  <t>The 64-bit FNV-1a algorithm is used for integrity protection of unprotected
packets (#167, #480, #481, #517)</t>
  <t>Rework initial packet types to change how the connection ID is chosen (#482,
#442, #493)</t>
  <t>No timestamps are forbidden in unprotected packets (#542, #429)</t>
  <t>Cryptographic handshake is now on stream 0 (#456)</t>
  <t>Remove congestion control exemption for cryptographic handshake (#248, #476)</t>
  <t>Version 1 of QUIC uses TLS; a new version is needed to use a different
handshake protocol (#516)</t>
  <t>STREAM frames have a reduced number of offset lengths (#543, #430)</t>
  <t>Split some frames into separate connection- and stream- level frames
(#443)
  <list style="symbols">
      <t>WINDOW_UPDATE split into MAX_DATA and MAX_STREAM_DATA (#450)</t>
      <t>BLOCKED split to match WINDOW_UPDATE split (#454)</t>
      <t>Define STREAM_ID_NEEDED frame (#455)</t>
    </list></t>
  <t>A NEW_CONNECTION_ID frame supports connection migration without linkability
(#232, #491, #496)</t>
  <t>Transport parameters for 0-RTT are retained from a previous connection (#512)
  <list style="symbols">
      <t>A client in 0-RTT no longer required to reset excess streams (#425, #479)</t>
    </list></t>
  <t>Expanded security considerations (#440, #444, #445, #448)</t>
</list></t>

</section>
<section anchor="since-draft-ietf-quic-transport-01" title="Since draft-ietf-quic-transport-01">

<t><list style="symbols">
  <t>Defined short and long packet headers (#40, #148, #361)</t>
  <t>Defined a versioning scheme and stable fields (#51, #361)</t>
  <t>Define reserved version values for “greasing” negotiation (#112, #278)</t>
  <t>The initial packet number is randomized (#35, #283)</t>
  <t>Narrow the packet number encoding range requirement (#67, #286, #299, #323,
#356)</t>
  <t>Defined client address validation (#52, #118, #120, #275)</t>
  <t>Define transport parameters as a TLS extension (#49, #122)</t>
  <t>SCUP and COPT parameters are no longer valid (#116, #117)</t>
  <t>Transport parameters for 0-RTT are either remembered from before, or assume
default values (#126)</t>
  <t>The server chooses connection IDs in its final flight (#119, #349, #361)</t>
  <t>The server echoes the Connection ID and packet number fields when sending a
Version Negotiation packet (#133, #295, #244)</t>
  <t>Defined a minimum packet size for the initial handshake packet from the client
(#69, #136, #139, #164)</t>
  <t>Path MTU Discovery (#64, #106)</t>
  <t>The initial handshake packet from the client needs to fit in a single packet
(#338)</t>
  <t>Forbid acknowledgment of packets containing only ACK and PADDING (#291)</t>
  <t>Require that frames are processed when packets are acknowledged (#381, #341)</t>
  <t>Removed the STOP_WAITING frame (#66)</t>
  <t>Don’t require retransmission of old timestamps for lost ACK frames (#308)</t>
  <t>Clarified that frames are not retransmitted, but the information in them can
be (#157, #298)</t>
  <t>Error handling definitions (#335)</t>
  <t>Split error codes into four sections (#74)</t>
  <t>Forbid the use of Public Reset where CONNECTION_CLOSE is possible (#289)</t>
  <t>Define packet protection rules (#336)</t>
  <t>Require that stream be entirely delivered or reset, including acknowledgment
of all STREAM frames or the RST_STREAM, before it closes (#381)</t>
  <t>Remove stream reservation from state machine (#174, #280)</t>
  <t>Only stream 1 does not contribute to connection-level flow control (#204)</t>
  <t>Stream 1 counts towards the maximum concurrent stream limit (#201, #282)</t>
  <t>Remove connection-level flow control exclusion for some streams (except 1)
(#246)</t>
  <t>RST_STREAM affects connection-level flow control (#162, #163)</t>
  <t>Flow control accounting uses the maximum data offset on each stream, rather
than bytes received (#378)</t>
  <t>Moved length-determining fields to the start of STREAM and ACK (#168, #277)</t>
  <t>Added the ability to pad between frames (#158, #276)</t>
  <t>Remove error code and reason phrase from GOAWAY (#352, #355)</t>
  <t>GOAWAY includes a final stream number for both directions (#347)</t>
  <t>Error codes for RST_STREAM and CONNECTION_CLOSE are now at a consistent offset
(#249)</t>
  <t>Defined priority as the responsibility of the application protocol (#104,
#303)</t>
</list></t>

</section>
<section anchor="since-draft-ietf-quic-transport-00" title="Since draft-ietf-quic-transport-00">

<t><list style="symbols">
  <t>Replaced DIVERSIFICATION_NONCE flag with KEY_PHASE flag</t>
  <t>Defined versioning</t>
  <t>Reworked description of packet and frame layout</t>
  <t>Error code space is divided into regions for each component</t>
  <t>Use big endian for all numeric values</t>
</list></t>

</section>
<section anchor="since-draft-hamilton-quic-transport-protocol-01" title="Since draft-hamilton-quic-transport-protocol-01">

<t><list style="symbols">
  <t>Adopted as base for draft-ietf-quic-tls</t>
  <t>Updated authors/editors list</t>
  <t>Added IANA Considerations section</t>
  <t>Moved Contributors and Acknowledgments to appendices</t>
</list></t>

</section>
</section>


  </back>

<!-- ##markdown-source:
H4sIANHoQFkAA+y9eXvcRnY3+n99CkT+Y8hJN8WmFsvyZKFFasx3tEWkPXce
z0QDdqNJRN2NDoAmxci+n/2evU4BaFLOWPP6Sa6yWCKBQi2nzn5+Zzweh7Zs
F8XT7N6/fXfy7Gl2mH139Gb8Td4Us+zlZtGW60XxAf6er2bZaTHd1EV2Vuer
Zl3V7b2Qn5/XxdXTDN+NP8/e1FVbTatFmFXTVb6E0Wd1Pm/HZdHOx/+5Kafj
Vp8dL/K2aNowg/88zT4eHZ4d/xSm8I+Lqr55mjXtLJTr+mnW1pumPdjf/2r/
IOR1kT+NnwvXVf3+oq42a55ICE0L032XL6oVjHlTNGFdPs1+gCmNsgZeqIt5
A3+7WfJfYJLLfL0uVxd/CSHftJdV/TRk2Rj+L8vKVfM0+z972clNsbrIa/oZ
L+n/5Ks8+XFVXzzNfl9VF4uC/l0s83LxNPuPuvzXC/rp3rRa0m/qCne8mJVt
VadfermXnV1Wy6ZauS+9zOu2XCW/oG+9rP6rXCxy/7ElPbrX8qP/eoE/Hf5s
WFX1Mm/Lq+JpgN/ixo3fHj97/f3x2z89pcc9YWQvqqbJjoq2mLZltSJyeFat
LuDo8J/w1xZGv0fvJUeJP2iKuiyacjWveOAsO1m1Rb0q2vER0kWfPOpiWl0V
9Y1SB74TTwb/jOW/wyd0yykNndTAmQx842QvO70u2rbzhZN81fn5ncPrfp+9
OE23+jvYpQt3kV7kN0XN965sb7IdeGE3ayu9iTjIL7bn7aL55O3ukOmtpDpI
rp+246fwmQ3MuXuopwXseec39Ilm9aCebdlz3AtP8ceHb1/8aXx0fHry+1d9
gn+acL94Iq+BLJFF3hvaJKPFt1XzvlzN3NEc7E8ejCcHY2Bf9Km8vijgEO5d
tu26eXr/PnCIvYvF/dnL79vn5T2c3+mL13988frtSYdE/lgs4D4XRAWL6npR
1WWzt7d3y3zewnxOV/n7IvsWVlGsklntfzXef+ynxO/avK6L8728nl7Cru3B
FuO/78NaHu0/gP979PDJgyf38VF48jLfm74v6oYea3Rq92EtYTweZ/l5A0x/
2oZwdlk2yHQ3y2LVZrNiXq6KJmsvi2xaAVFXc/o7cR0TE9laRMpeliXvh1nR
TOvyHEaYVquVsCcg4vx8UTaX+MgoW+cwszbj8x9lSz1ZvGzIyepiUebn5QLu
2F44nML+rvPVDf5WPwMflO/wROubdVtd1Pn6spxmlzBGc4kbjIMtkFPOlFPu
yfJXVVu8e4X/r63evS3yGexUCEdlM900DU6Zlo0Lw2sJh/EeVrRe5FPYkFXc
EBR1OC8Sdxlyd/wXrLQNO3iL/xXvM57A7ii7hrldZjCknB8I8Tb8Tg8W39WD
1Zfu4w/uNwX9519IpLzDsf8Jh/5nWMof5fO/p8/bjYIZTuFGwubMq80Kv5PZ
dy7K9nJzjjLoPo5yffHPX4MQ3tTTIkyrGW9Z2TQbWC5+Cg/Jb0Rn3LB93Pvn
oLSM6a3m/iI/LxbNfaMfnDwew7KczYArhy+QHdbVbEOHFAJtLm5VJA5Rehpm
tX1KhFnCOuvNqqETqtZ4hMAZ9niwvFw2eEnh8asS15nNkeLOFwUM2eKz8yJv
YeiGB8oXcGWyssV3YMF5uCiAveWL8XpTr6vGzwC3SKeZgeayKKd0CM2eLmQJ
v2GyBTK8XJX/SdsL57qCVc3rapkVH9YoIVZAX9ewk9nZszej7PTZ2RtadAUE
V4f+mhu4fiyjYKFZzre22dDVbosR02hTFO8bWQZdpRZXHegzi+Iin95k00VJ
s8Nv8ZGcVx8KHJ33DtgY/B6XBfOGncHtKuH5S744+F6AueMtbLJl1bTKNYCt
5biJxYcp3EpQT0ZApdPFZoZzxhGa8mKV46VRRkL73gR8OZ5slRVX1eKK96ba
tDjIpq6JX8DdXherGXz+Bg9+swY2MMNTrIJfSo/NKZsyRkdL1W/6efITcDTr
dpMv8FWY9Ag2sC6Mh9HOFbjIsgFC80zTloF0spUpgpIMavQyYYagFPMPcfT4
5nhRXBUwHBLolDU9ngDudkiY553cE2f4m6bDJPV7qk7KR8LHj4la+tNP/Flc
6aYhSQEKUTbZe0BLfV/cZCuwG9qSWZK8DY/89BOy4S9QTb1CuoKrQgMdoewp
6d8olgpkr7Mmu/fyu9OzeyP+b/bqNf399NvX3704usczuPfy8E/3gK/SPIB/
rYRlyXr3wkkLiwSenzVIPrAXXwM7LoiR39B703xdtkCI/1XMRvzTy/yKhUuz
LqYlnPsStBx4M7CEpK98/PgPb58/O5hMvqIlufkTBRT1UrnJtqmB6vOMLh/8
BWwo+BzQ8roqV0jjJW0dETlRUiQB+NhpUYPu038tnyKh0v1awdnjXzovI186
lsftfWYBoLahqopKVYF8Zw6fTr9KBElvHQLVXABPAOI7L8czuA30EOwUXoNV
QVwCDrCoYd3nN8g68PrCDgwt55n9QwafInHUDdPOedFeF3he1xW/q8vlMWFE
5IIL3AbiQkq1xQfUnukIoiBp5FrZfMo2mUB2cmTbAqICCHRewoYgTQ/NnC85
qTQy9etisRgjZ4CFI2Ne5zeLKp/xPESCrvO6oX3RMWH7ChD+tTJdHhFm3wBR
9ugGHp8j5wXWiDTqv4LP0/36IgMFJ5czcXcthDesgOHVmdegwmezMge2CTuC
9xgHZL5mfEKo/V+Q2h883v/pJzR5aK8e7E1GLEv4NWTfRLKzWankED8NG/Tn
Hz78+S+wTSermQgU2pYPKO6rNb8CT3388OeftjwlZ1zMQviQ7RzubnnsEMiy
RdYGd5YevP/N/We7GSjn276+Ih52OMq+GeFFeNYZ4Le3vXyV18B2FwUw59VF
e0n87ZBPEm2Uq7K4FlW7kZ07B3k/X9w4USTMGBmnkyV4SuegfMxhMkAcfyhu
SFbgV4jNsIpB0gotqd9mL6prshxRIm6TN/jcS693q2RFkT6u5mOQyUV2vqim
qGDi04dOCWBVzM5B9AD6oVAhvvEW9V0T8Cr+OkIl6ujqZMBXT4fkXiLx8Cl3
ZZcl0K/JLtDiygVrU3BBXh2ewU/OwQCUpXwPNwcfddKJ7wvu3AvZOTf4cbpz
cl3hA6RqIodcnpNISO0Qko2ms0WrBDYigM5JPBrU9ryv0zr+kvW4NwqTgPri
FLce1gefX1YroCS8vPvjt2dn8WOgcIncYlolXRUVNPLMuVFHrKsJd2qQxZRL
YGCwPQUMHS92a8IixCUxsxoZFV3nZatnnsNerXEI1HNJoJKAkZUFUcgb0uRm
Ql6i9+wIHZwcZfu7osKSGMVxQWFGLoVnepcNSFvIzKXxp05KpzK74JU2fZhJ
Gnlki+yWPj7bkObpdRs8koRXJswaBCTsCY7tdmzIbAluvchUOkMWKNyjOrdl
xYEttY66BdQtg/trDyYkqkHOaAFyaZr8oiAyiyQJU8DLyXYJ3CTRuVv/arBX
kYqazXyOUhNPfZCpwObzxzvfj3I6LGGlJqxztOng+79pRNiPSakQTiHuDBgB
VEJmKKS9wAtAcBd0c4EtwOANbqZOgh4CgwaNpgLMMliRPA2HDdxuQeRL27As
2TOQg+FxBRcrlDUMiNcQ/qkav1+JTtw0QOAr+RqmQCRertxHg35U73uxaqIt
usALy1cM97auWZvH+0oXbIUnUsItQvOEvxqIIYDhCXvCg5AaOwdC4QfgQ0c4
gKgdM+RkZGbatPEQkdmWq00R+O7BL5qmWIKYYwkwAyZ4Rfqd6CFu+UxzJANO
ExnQ91PTWOTRfmsyQGShuorgBqp3CH6yqq5hCnJMtCFZTc4V5wGhRV8Wi3V2
DusKnyJ58Ezmm9Usx4FhK6/zGzyQ4xyG9joZfrEkjrUqrnWKq83yvKhTuxH9
BHZeRkYtHj+enti8oTq/KkWdKGBI4W8oF5D1tEXUBnCfZ2WDvHUD8qi3Fyha
UnJtlO/iXHDYqi4vSlTLkqfg0lxVJU2brljoEj1IOPhke4OMC85/ab6Bzgzy
RVOhNwPIoGyBBIHmq1lBHBqoJb+JqvxlwcS3bvmmrqNSimpXOjC8hnNriJui
uwEYX0HkaronyEBgqSu0SBY3YzgGpFZ8KTmgZsS8mf0MtGFrmEbZ4M636M/L
anRutXW5Hrcl6MY7IFB34RgXU7y5USYDdR4++wMr0MCSNmsS3Zs13pWDR4/p
l8RmMLglZkuJ7pG6MAWF3Et1QVaSyOgVsSxa1SkMEWTgEbp30LDA/6KiiW++
L4o1D8j2lbgmyTOh9i38tWzcNwLQAFJ9IhMkfqQKz3NUtJ6potX1YTGDGN/t
lYCNOoQDzS7LC3Q1wa9hFSGxdsBOgP/fwvYz9S/zD+VyAxNawiEQYRCbo8tc
triS63JBrKStggyCyy7wjhpnO2zE89QIxSiXG3XYFlJ2WGOQBA9Xed8oEidO
EYaYNdnLw//n3enZ2+PDl++ODs8O9dx5ZkxsZDoFWxFwlxJuu7hQkQXL6LnX
pdYFfALOEr/CZ0lTFw4mbiE4rJOV2VTMbUs7iSF/UPfQugcV/OM4IM+VmPjF
RV1cIN85ZxnOAiw1UztHgUtC1Q1HInkqQkT0Y6fOPruNYsihjgKaGEaDpikw
YST5W5aqyhXfgXi44psKtDLWZ2xpKEZq5P1usnwj+nbOsdk530Y7543aOXhb
zQ+6XhdARSBG1ou8JPdDcidJfMF/0RPlnapAl9N8Q8wKyHFRYNQoJyfr6j+c
S07MLNCKyrXwIvXVI42RbtZs4CLkjd6NMdDZDDYreYf96Kh4TIsxs0XS7q5r
0tpJMSvRMY6BrWqOZwG0jRN3ZulG3BfOyYqHDyQHCn1BTEw09Bw+M2Llgo2X
nFWmvG2BM5OEvQJedc89Pi5W8J0pTOZe+gFSlsmFB1ZJwC1mb7zscjShwGRD
wQlsAXVOvFtgahEl6MUjl7J4SkV9G3CxE9+9hP87R6FVnZPxYvo4+4Lx7Zdv
cMXsInn85ODhTz+RmCLvUuPVS1CdF9WNfpePDyjv9xxeWNyMvKohVLtATSSl
GPO8qtsH7mN7s2bpF+abBcteJlyxc5DRmW9apKLQFAenlDajZY/HBeoGip3k
63DwnkeShMvFHXUNn8lQc5dPRCIGYZsQIo1S1mRitSUFHE6R5uASLW6yrnnZ
GHXTWakV/8rZYWqH9hbCXMLrh2zi0jE2RdisnDej+13cW1Ta6wyWis7AGc4B
54ybmZhhaM5OwQzCaxTCm+++eXHy7N3b49PjMxuMabjAqJNnjeyG3oBNsUK9
qccimDs5If0ycXm87bk83kaXx5ALIbo2xQv5+OH4HCRA4gcFyQmDV0uYEMe/
+OxDdAJEZQjGb0A1xW2d+jFU1fLfR3m3qa+AdIIEhtSC4FFhuBMOfbHuE8+d
VWplPolrp0H6EsIUdzYNzsY663Y6iSu8fCirSIUHwQoHYsaXuiQw+6hCcpl2
bG0mAzHzSHmFSVBIlL87Qgt1WnhfiVpStFD1spKAawpWsdHth2xcXdhi7swK
+6dQ0B7FRrZut7hwaItYGiP/N2KR6+/eQfFN2yCef9x53hDVOf16EvqAdS9B
0PnDDyJY9VyFU9q5Kt/ij2FYRo5GvkncEEl96H5//EI8oeMr/u3YeWF+EkK/
6rv3nLofQ7XyXOSILt54jv4cZNTCaWk3MQioF3RvyIvY9dmEjx+H5inhr+/1
+x+/0Kl0ltC7qKIjZA8O6K5e5YsN+vqRHnTV+x/25Q/r/SKwyM5Y4z/RaYMe
A3i5nOlraorqKLIl6jSw1aVMg+xV1h/ssxOYz/fduUzMUb1BTR/DhGjGbHXa
eekbOkGIxK1le+jMwKYlrzPNGxY7ecx+fFmSUQfPe4pheBF0tllIJnhHyR+A
SQHZyfHZcyJydMxEz17jpyAOVrpvLGFbTPGCXfiXnP+HjnPwK1WNyk4YIl12
vRQfihqtVJblaHOgzQ5CtrOea7L48PMwjTCvNrWtngL301YE2mR/sp/toCus
XOX1zS6aTf0o4MvDP0UTTW1R8Tqp1tS4NSnhwr687fxMDXAyG8iNAGYshojx
O4420cu0MAr4GqmEWSjOheLMqyJ+uT+40AF7yJ0vKDIdmkGQ+GoxxC++Ju9L
fwcyvwN+HiHeWJQCcMH4+xLzk/wKoMpKTkev7p9/+PMPoDJKWtxTMBzIkAS+
Wkn8mVksKmmak2QRpAKmUYT15tycbn/5S8oNhCrYBC2yOXl+kkuO4yW3fCfe
2t0RUEp6LfwV6vFNpsuMJtRcspoEWwHrc0xBT0oFlLCUG75jnDDEyhAQguia
aPmK2k4PBFkXvL7/YT7n6QIFP0f5+SFHs3d0S5Lz5AEYmpsFxtWC42gwWxvt
CE1uNZ8rNlzImbWp8wvlpxco8uoeDSqvU7K7CRz/Vw/oui6vkPA46YecjSya
SVSGHziXCqj0ffmXnU9LsMJn7xNnVHa0y0JGQr1nN+uCafM5acBNCH9Ecqib
tpcMImp7a6/ApMpaoiSN6gJkHDLXnAPLgR91fNrOWMREFLjzsD+w3inTftzR
Gb+pegCa8Zw3kO20yunOywuwCWdlvtoluwp5GZzZgsPdIidXxOo0rjCTZD7K
hDD3uDJDepmcgUXAK5fKjHP2NdHSxL2NJiD8FKnsWyAxUMvKJYy3khA7Pq6h
KZVYSrK03vhR3A1gns7MIwOzKMmfmVPAOWMH8CVFDslEI0O0XM1SA4w9EgEP
Fae3l73Al80fUSsf5DWoWsj2lWpmUaEThjKoQGHA18dBcT0TCjaC4tqwY42I
m7gRGziw1FO3BJ7QEhjvMnKhsQUm5CHNlPR6LNA4rHLbvOI0eMU6TTWaaE9k
p8L/i39Ctp/1/0wGfnYw8LMH+PoEfvUge5g9yh5nX2ZPsq9+zs/CP447/xN+
nPwIQ+M9zXa+3M2yH/vP/Nz/CT8OTP7n/IE5bPlNagXsPH64O/zcLzKHz7YP
whxfsTDZeXCwZRWf9yxUMG7//uefg/ozKctlyx9Mfvnb58D37+PT7Is58HTk
dWPxQVFK/T/dc7dVhNU9MIt6fC3mAXi/Cv6G1EiQsVVtToUKJbmYv/8d9raX
vUaZh5FE5JezMmZiLMnfRO57rA2htMSsATUUWJi49SlyhXyQksJ0FXviZS3B
oAX2R36DsPDLRNXzfGCl0VVF2q6f5hkp/qxnLIOzejWLcciVNmhqq53+hvk5
avNtsL2WcLAo7S7nYQMyFBc5Lz8UM0mGShP+9yhzEIwdOXb0jJAPIU0gY1n5
NARHCpaW1zPyUDSD4vpkf1e1UtZtyN7hOBDF2ia0GfT5zKcvA1OmXfLSak+o
zqlQNgFWyjkkic7rqFbEr5JjiA5DHaGN97yifrUXJO2ZdZmphPIpkiLmxeTg
SaKRiS+XtTORnaabg7aemTqKdwFz+NVwprvGQ43pdbKg+3mPr9lGnMB4dbW5
uAShJWfU1RdOjvZgXBdaKmc//ZTmVsN8JDe4jeuEkTjSVbRYEGcJicyI/SS+
okM7SCaQxHNhOz5+lEWJ/r19CmkkONokybIf0CcfJ59sigUrUWbrpH4TW5ck
BsInWYlxppIGgGFInA779jBHmOptLsVpABeq7RpWMBrfBlFzMehRF+wTFr7t
V0AB/8mXQEDXOeZP7/hxnda5yyk+LoYgUZBMHhDPUryTqWVAB0i50PD1H1l1
+TF7hT7N7VLMEkeHZdyPT8f4R/6z9c/tv4dhsv0JfW2Is/nZGO3IQQHt+Nlk
+wf0GOdoZyfkMlj0F2XDsKU/Zt/CgkajYR7I2smlcIqxqUVB+S5tfTMwDPse
xo0+CAPRMA/9MM/QdUUxxm2zkWGm+qAO88gv6u5hZFG9YR7TY5xxiDXGfEW2
DrPWR+Im0zBf0mOTzjA76A9fX6IzBJj6Jwzz5K5hJp80zFc0jJd6A3TqhqEH
x2TuyEg/knbT47ZD+o23zlHLwesmYhGF5cjfuFHKeUcpNyN+otxGuAXoOiKA
ZExNsanNhzN2uXx7TrAYs2yyWO8QBmVIMpwacxjJK4os+r/1F/A8W8jI+Sk/
ADmffotY16yck0ehTTz0nG3U4387Z6+PXj/NwMxEfw75PUvmdAmzOh9c8b/s
8pbbkEmIRHluJ9BKKqbarBRCMoG7mgUv3NmciwZuA0oDhvOaWFXnZXU32zNE
xtvEyg3K2iE15Vdv0e7/+OzHP4hg2Hm0+2u2aH/oG7R/GR7hV23RdgzaJ/cn
j+8PWJW/jCU3PIfIem83KT+HNclGVmpO+rvi7Em89l7b77ubElf3gJtJzUdk
Q6QDOsZNDr3PZ8/4fEkxKvjjqCnCuKqVihtTbJ99c+D7hXdNgOz5Ir+wiQHj
qbD+hKfzcIt5ZfUw15eclNkLFKsKS+EBNhphkidzs8vIE7saiDB3X/s6K+dY
FSVrGt32SsXJtrDEP4AW8Ia0gG/KWPTGySeyuIO7Foe/MW1CvZRSr5pR3Gpa
rkvxHdj5+AiHs15E/ZDAf6dMEGvWKn3EvWVSNcZA6UxFmmJ9Hp3s7RbroyQe
mq6VqojU9HxwkFqeAW0tvmMdFQBlLm+QqDq6GlUeonFtSQwDlufJfOA0kR6F
ikdpxgz8sppON2sqxOkZrTDbJNXJNq9rr3JNjJmjzaA9So4V9makCVQaYSOa
Y83CEnE7yoAZijA1YTdA9wfo63+oCyB1jYeh8oSVu7CJ4yD0GC3N841oUloW
6Vmc5JHpKefC0UwTVhVH7D73uYyqNlN+aalKzoqlqgOaMBYtijk5sFEYbI4F
gkwznbwVLhwTOxhv/pRyEblGwQIpZnamku8UP3+7NemMxImQfyKjzfY70KPp
/JZNuodDv0V51L8ngxLpTgsgpfc5XoZOWRxeg3n3eKRUYauq3+EJzr/gddvE
90HlWtHvcZt+n32Sfh8+Qb/flgkk+/bxi479HsLh4PMu0Jb4WOWeEJFbnG7/
A1AGI2EE8iYTXZ/fSE6A+uBu+Q5hV2B5EKaMsJUgWQx6qygvQF2f0YbQGDoV
q3OyQYz2SeVccj217qSTc9e3BovpJdYK1jwr4i4ciA1WmdfW5cUFVyJIJoix
TgfOYOkMHAJumk2dc3YYh7uDZE5YaZFjhWxMSTbGLft3ndMWSKnNjPmP/k5Y
27qq5lgrSOgllsOnm+M9WneelNqMmldlWUUo44PLHJEjaSgaCxfuGnkWbMoe
mWG/PiPsl1HqT40QdSMnw9Gqz2dY/NCfwwHNoWem/TJzGNqG/1sLffU5F6r2
00Ci4lhQAERubWfDKLhScZCkO0o5G/s31t7FMhCK0wxq4f3RO6mazccvzBEp
4vUnBNHQx3ziPPFuKddtO+W3Eh7soJRIpsq0N1wSAWHVJ0uyTeV3CdPtM6P+
wFQwJypZw5mZbXFB+HLTy2L6PgJH3ZoICXv1RddN3ZWRHec0T67zjnBFStP8
JEF5gOgqmZZERotiW2qnFAnz2STZ2rJbKnkqKhMwhJ6+gUczsvx0U1NYqI3C
ZkUu9pKFvgkjEyP9enQxP2QC6Vth+K3R1tlttKSNN0tyylWUh+2iPMZ7B4+m
4RgS/QjhavRgeCMCf43K4ah6kVJ0C66W4gJNl1mn/gCT8m87taNc/KPzszGo
3o2i5H1D6BxhmMA8booi7PRDc7v9O5FvoUHJKZdCbq69E7ySnaqWArzdQKYl
lzHu6zXlLOk7SHCUrRebhhJZ3xweHZ28+n2Qoj44THykphIBLsWOWovTG9qM
U8co7xjTmjbL7M3Ls+/I/Ak7DbFEfr78L2GGu6I8ypQ1bq76EZtoTUulOjml
alfzOcbe8bplMqYFhsZYp3sDo5qbWnId4C+3Lj4QmNK8bMW0Y/gcmYV8xV6K
xyZ3w4h7mOMQk9Ak4WGFdyX5t4u7Tkl1z8gikT/nDXubsDoK6Ts4EpXzb8mx
P/QNZUFYam3IaHwluDo42MfigXMpqbgGmS8wlQ2IRUf4FlfcRTN/SwBQjLWd
W+J/u8rjtwzR5fW9EdAwuvXzP4PnP0h4/h0H2AxV7SO3bTVnMlD9kWjYRCfX
mL3HeH1cFIi/t1kTzRORhqGrMMhU+zazN4v44njTSH6L7D78DNNIzTycOlUJ
3XSTz4PJFHTCWaD9sEdXtx7WyEsqOjgu4eH7GPqc1N+KFeofn3LtrHoJQ2Oa
osOVlYIAuGUULrfDDFzKQMAra9nXgQZAAlhlxXwOBzL65FlpRTfXFeO9T2qL
z0TYDcsTfXfAloSXFjeBRSgJ1T7xEEumk2mJGIl7M2umW8EOTazxMpScLWsp
bxEwCIZCZbFAKNN8hV4ArA1BLjcDY5OwDUkeAmNNx48oNby1rlhci8/umFhC
UyQeUMhznj1nkBB6CkaVfd2JL1XBJaBLlpKmRYoMmgS7KX1RkQUqwkxoXFyi
tbboo0yxo5gEFRQAFbUcProUZBWML5MeCjeSCZGdht3iYFrieaFkWgyo6zjM
7UzTJJrXTxgRc0ohaTUcRMUgWoq4EVR1I5wPHaDkaCIoAJPJ/P2w5fswsncz
keI3TP7iWVL+03QEStfQ6omSmP7hREnX7voZQuShyoCgLl9Gcsm7iCKrLrDW
gIhRtTzVq4f0crr922bvHHLJu0HdclMsQF2l/jgl9E5cQeUQm0Of8MVt7Mdq
82jzysbgJliBZ+iLWHYh73r7SuaZ96oTu9r50A2Iyul2Ws+20npwtJ5aqdsJ
rpdvhATXe+tnE9yjUeLTVYCUYXtv64F1zcY7KG3btN25q6omBmyYpmk+g8S1
lxjvvdGjstyRZErHGOFDWBb+EaebLNCUSXnHqJfdFc3S3kdZc8tZyu4N6GCl
sxxvJV62Hv+vkGeSv6AOp17KmEYIXaQzRtGI/vbTZAGmOIJcdqS6pxkbTdg2
jks6kHTwrUPh1sTYSpL+5ACZLL8YadjBpTKyiliRNRUCacTbzU5ZtdQn9oLZ
e3Fntm8Ipb/27+dj1QkSzst3iT2IPIZX58Tnc4sfibDoUKD6lxux4y7zK4bm
usM5FMo5n7T8elYVHKIxaztxLyqkSZk4lFTwZnmIKW4dxtH1LpWiib16fZZt
1jM9t/Stsg3EBXGTklWqcVKsEDEqgWhgEBVBaAT1PH1v6yk6cqT9wKNMmO+W
s/0yKCS0pHRy0v2H/SdZ+ovJ18LwOikOPkCPSIm4C5LVbS83QwSURQJqqWI4
uRi4ucH7dnnSXcLS47iNFyeeX6nzjIF1c91tcyAPWq1SFhBlRSfoJ65h0QdE
9CFP1evP8FfeEeWy5NPUEc9ZS3/wAjqQ4L9ExkEJ+O6wLPU+9JgDSkRJ+Qe1
ly6golsgbCP5Wgw3KfH+BYUrohoLYtejrjoD0+DfqD88TeLtKhlJ4i4qGMnT
kceoRt66+K/oERFj47zerJG5ciIE7FBAUNbNyjoBpKPz9rI/mEukKwuLkBSG
WVmdffCOEWM8BE+OWN+NQaeYYd5B3GL3WUOBhRV8MijwQM/twtHxRg2knbkv
p9bEGvSr5s0lgq0ADwHte3cv2jAd703cBeq4kLcMB22QxHUNXyAGR3wjPHv9
6tXxs7OT16/ePXvx+vRY3L3lXO08RBXlWik1AivYk6yp9rYd4afrh18N6nKM
AOsvpRXyZgZCqBykm4UUJgeRp3s1SdxJEhwnIpTy9ehBIsg4SifKU52QAO+u
io4zaEsOXIMgcDdIY+Tpkpwcg2PpwP1Y1VeSTqP6bAxSDY7VtVqOumlMw09q
XhUc8RJU0jb4kBhm+B0QHPcDjyleuVIXThHq5DClk0sLWlJOndSfbeHMw6Sl
XMEuUZkCg5fd+0oGKpFt4gBSbCClzOT2nkiAYEpJh86aExAL3iWOuzFRkp5S
M3wEz0IxPxc3jLQ1LdeKQZtqExazcMwR1d5qnooLtG2/W1erFMFzaI96eS6E
OkNDjiKtkxhuETsPvVxytfOmqaaUYBtRPXruPu+uQgGVTVESBi27VMFb9WrX
qIMeV2uKA4i8Tj1bhDc0MOovcrpklSlTVjaQLNP8TIz+wTXpXeGEDwJxUi3D
kWg50nlmNrNEqPSKf/wiVUQ+CeerJSyHIawvlMmgCHpWGeKCuo+mdf2JUeHS
9bovBtYliF1FVi95bQrcIIm+Q1ytNDwphM4KhDkpigUqsZrkpUACy/w9N5pB
f22OvAVoGIviWKWMwIJcDhtI/AHvOM8XmNFEYLFVJsiWAgPF3SK6pAfssCLN
l504AzKEX8WZpia21dTubC0i4+Bear/sDBUywbW8LYYdg3FDdobF9FL7q2zj
CJ3XzHiwW9aaQ6FrT/xRvS1pclizNfor2GflrNC+TdPCcYLg3NZlK/uvURCW
6hrd7p8FS1WBbgXpusXXo5HaCAQkx+wg3PhTFuMRf7YcnaUl4A68ThHh4g70
59jFK8JjZM+jnVTgclo5gC1ciygf1zrCDkzFOiI3JcczCpbL7treoOKV1vqK
Vu1VA+cdUbtiyI6hJDthOpsVpvbCUbrgiurSDlYRdJ7E6bvCDkyuDD41QQij
23rgYFZr9K4xiHY3DbmqrTafW0ZI5M2wMrc9TbLKEH9R/GsaADrV2K8QR446
muSj0B25JiwpLd5WqStUM042lB3Jh2nbm+gUqAu2uNP5SmOboXMkTJ2AmDob
QiyIzyTbjSb+bsyJ2bodoUZzE6j44N8fP8zGUsihcAjMGxdV03NbnN/ETdqm
9kcsL7ITqD8dbsO70+N/++741bPjd6++e/nN8dt3L05enpy9e3t8+Ozb46Ow
47ENxSArqx44H2y4+y0YjVgMiJ6t2UYuatT3qWCihhtW1l0svf7uVGwIFdQh
bBRz4gdhhrp4rHoptPmCwMXjmOTz4DE3a5zEgwMFPEKKzafUnqx/UuRjNYMW
4z+gGrT1htRlYTQG63xOcQVRlxbYg9J6D+iYvmUAWKcbMkIZcTZ1EsTgdp8d
AGuvJB1qzvCdA7vgmCtqwEhHmG1TBYsXG7pRwrGHfmWFUuj1bqJQ6/AFSgmC
i9wFExNXnr69fdU63mU+611LsjPz/MnB/MF+IRVP9kySujR5jLwyOPN0Mv/q
IUPnYchSdo8Qy2DAB/hbUUv81RviDVSaoQjykY6X7PDFWMB1iQHnJtDxs05z
ob9zPmYERHFg/kosMX4X995VxmqamOH5UwiUUNBj9oMjBVoya/aYoDFtFzeB
l98nGGOy7jdEa4v8RswdvFNly+gnIiJFt1efMDUd4diIsGDnwCPxSFDQSj84
/ZVjzId/CrzrtB/10OZjdUs+Ly42ZHRcoKCSGUWYfrw1UkOwWYgu7IpqOsMS
jBqpuk0qjuxU6crg5c4OsG9bXgNvXepgkTzJFL3YVBtEchk6Se2iENL+iLER
Bky8e3Fytz8djbTb5sHJ9/0Pj/N5fjAfmTHXy9pwt+rx+cMDEEDCoxu7Qug5
SE4idLbsa04jIzhSSf/vMStMFJOqJA7Nu3mE7jymk/0vHdyhz5YeSgsbbUkw
uD0bjD01iQ25swWTYDckxKtAQPVmISEDybQdZsGax0w2ayfNT7xDH78YVly0
tp7fiTp5+gG1js3lTkYGUIYiCUliK7Y9AdG9EaA65jscRjj49weT8cQDoxI/
qq5h+AeTASkbnJSNUXfyZCN++8P9J49/+slgoLOLTTmjChcRiwKFzQ5byRqS
tOMk5i+pQbr95i5adfQ478RB8FgmQ51zyjhhkmRIOGPO0On9fR0N2QSgdAhz
olqxHnfSO0Ei27shnbX2qXQd0x23pa7cSuC8Mwo6LnZdmZjMaXpE2jKptUNI
29iAMrVUM2hLstytdjin596WtBFUFGHiUWKMqTOl26DnlmxqfxCm8g9vSpdr
kcvcMvBcKNNpStiOBr0iQELrdYxXpm2UnMGqGmlDuX+D2ydG4rewLdQbROOI
dKuPLOypKKUR+zpWEIbwjVzvASQQOljXjI5w3/EeozQFnbqw+DRsdSBNN6c2
p7+V6zVNMD58zT76oEbbHux416kmeZXihfXfJV+DE9qDLvoVw8q5mXzCSN8n
LmwYw7vtuEPSXUMMu/jTpAKHgcuBLKZCrPlbxoxFsOitZkl965yTir9DnqTV
dsEg4BCLuo2lvF0nKWfnxGYKrp7eO5TD8NcZ+vZ5zP+gvwoI7scvJEz4KcU5
iv1iYcm8E7YkBq8euCCDNWn0MtsSveT6QbJEheO4AOb/4HJC/sNnMvn8iJN3
zuHg889h+xT+ngt99XeB96RywoSgtYLwmRYQwT3owRdgEeGbbhhPGIPFIbxt
Q2OzIky+WXlG+zsEl/9lPR/YsSRwFkE4hJXCWH9qSb31EM30GRXBzTq3NtbC
2aj/R17f7LEvkj90XlyUK4s4Ry5EINcjDZtwjKJhlC9BfYq45w4kYRz7bhqc
zP8cPsE4UU+IQD0pE4jWka38OQsMT8m/LOnS0Y0X+Q12shXKpfZMYGrxEb6g
3yHBPo/01MPb5HEUaRObcbtAQYcWMB1X0hbTBHGfZsL50SI2aXDDakCFpNEM
gsUiuIfEHOp+UPICLDooqhU+xV60prAMSm44jDKw6IJ3CoTsjbS2MCh47pek
bbKkXUYE7PierEE4ZjctQY78MTtC0JhyGCXSQD1uQYL8BHTID/t2ZX60fFD3
FTu+Nbce8LiQmYwwiU+/PT2T5oD9EcAIGXO5SAdp8MP+QXy65wJ3I7gwL/lA
cRwZ4UEc4fevD/8IbHBwFRdVDoZLsggd4WF8GlscUm/DgRGW+YcxNibsAWR+
IDRJN4JvktgdQbr42UAywuPBEUBF7s9BRihnBrZII3zpTjM9yvQ0u0cZR3gS
n/7mxetnfzg+GhyBOnp60Mg4wlfxaVmBGyiOICtIBpIR8t4IJ0fvXh0fH+EY
vRHK2ZgdU44ezuMIr47/+C4NsscRwG4cp8kDAun5Id/PxvCf8zk8jVxo206C
0OtupIww5RHmc1vF8AjdO8EjRAacYOY4BR7Z7hfZi3LeSzCwMJkLAFHkUcQ5
/BgNhDxxIbXXVRpb0zZgv2l81lUKDk4YNe01YR4NFULFfJWkOdyWjvANW6wU
d9r6yQX3pR/qiOTqdNU95HogdECzlvmNdANjXBqXi3zyJiN3ILbva7UfhW7L
KJttrLec9VzLKDWXmxkOTc36jtHUnksSUm9CYPhZ6iQpPvzxED/eT/ZMg3e3
tAwbKkCzBtNb99urbgNHrG1QUNgmuZ5JTMRoyveFdgola4nWWaUuFiCIg7hd
kDJtgCy/qItCcunyJDWtS/Kp0inOm+hD77Y3ZNhXSewK6hdxJVbW8rMHUpqQ
Hnu8qMkU+y3LDm4B+T8thSTWybpEBwtasefCPBHiN4hKOCs+HFd1GNuaCkgQ
3RxiQuXp9vwTnxNj+2U32OPn8iwwBwPPfJ3Xmr2heY2G4lT5mREIhSIHoU8l
BT8ZrmJQECjM8V23Gq/zOTtthFpK/HxAadWyQ2hS2WxUMVS03vN/Rmduvwjf
IJOcZy6tc6bAHc+eyFQRlDij9TZIJgpau/xWy2XRQwu8ihXFqGx7IjRZWpGt
qcmV+pOMIil+M+A/4t+g+s/1qBSqlKrls0vKghbu2LoIRwrw1emVteovU+Pa
WpRsdZxT6U1Fudgj12yTg6EUg4oBN4zUtaCIl52otKNwHTnSXhpzHgIgu5Xu
zJfMWVmu7VpkHDsdAAk5FmSWZes90jJ+SGbgFq33w9/iXknNrfQ0kO3WEGB0
4LE5EGnrHQD5l22TCTPcZfKSzn7Un7lcDV0eX0eJRHCWPGFPJFLREiXji5H2
JJXGXCnGwtiZT5mo1H0TrUpfHTwox5Ik3KSVeTekIGVGnexzSzKL1WzRaUNp
zZIulyTho4e6F/xCoo6wuv1z6OddDsiKzMkKHZx6MBtAkMqLVfDJi3aLMJ7m
sX5xnE8EEQqK1cSs+xaiHIzsyKl5vqGJmRHNiHNgE2zBW3ohD8Accfxw4Aqp
j76T5fnJa4rlatLokLwQt0zO8rI7SWqYX1wuywW2KetmicvQt174WC+SL4Ca
Zzc+5QCxSFrNXvoZB/QpH6b7GsFwTS/g5M0Q6fj7AbEg5xxLGdBM3hOgTswC
sXQN95LETeCaU8o5twaPWZQ9G8Qz6BSfQd4Xgc8B/++IC1knT43acYqHl6wc
Vabc2xQPjfunjgwzcrlBbDDN5KHZLIpBGQwrr+BKL9YRIIN6nupXJXk/otlq
n0oTJOkCKap8TS2XNIC/Db8nLReJTd4HhTmaIW2qZ+RXVTmzLFTTHkKvXRXp
NP9BMkKBoOZ5c8lX4NvqurjiKr9Ud9UAcBPuvI2CIdLr4u22S1cVNJyu9WLn
BTXa9l8u0yxIz7vpCgtEATW9D9HSjdgktxNdhkfOm8cflYp423fp2atdvQXa
b5sNN5LUxs46hXDOC9fTnNJ/5pvVVGN60qNS6tk46y6/AhOprxEFOh92eDrK
KinjptNKnpMhm2IzqyRvxD7Kag+5A4TtaBduH4/fcX3RuRXmgKYUdQ18eQ16
LLc77UCZ1YynYyV14Sqvy5yNecMzdPtgJL7hLt2RPx7+qZMZpY2qu5vfydlI
MZ9DU1GVurMuBlRzsdMMfgHrYhIOh9tzZrT3rR3Bxy+iPiq1Mmxws0kNiuk5
ObinvdEGfDZIAgT5hkhvdzlttLE8miRcH2aAdVakkDiKfCW53vDbmmlP9h4M
oHvEqlzsZxz9PGmXdLlTRCCujofOO8IJ3NWpO3a22pO9tfQp7jHMC2bMRth1
vEYjbvOKkg5+QiolrIylHta9gfG1qVdiAG3/Pn+FvonDU65HmoiMFeLFB9au
RpzvFzAk+1tXutdock/y6siei1Y51+rmvcxffZaVY0cTMEf07TVopgNrmLJu
ulnBPuj0Gn0Z/o43Z4ncBI1KCv8Qz3Gpc66kGn9K+SNc0WF9KjjirAUenBBC
H3CaLeUDakVUU4DiP73pb55wACXUQa6urpdC0HCoU0DstxyfxHTE3hdgq+al
MrgtYvY2udEf0b9JaFlZvl5rk+xIszt4d+gSHb548ypo/t+XD/YnUu/I+CKb
eg36G33HWmg4Y1hZpoXokIQzq8Mk8hyAyc48RIUoqKl6gA43EQK+CDIegUoI
qunIOEk+L5c9X5Lsnjze3T2fpnkXAFtM11QktQQ6co9aG0vXEM22U5dCLHrm
0DZNPc5Fcouw+Fc+ELoB+TR3jTSFRkE8yIcO21ws8bbkNmOC8LMEAJXDiHUq
D9N9UyApSyBOJZ7qcqLIGXywsXtBHLVLjxVXQDSaVOt0Q2B2K9xplG7w03IK
ynvZvE8yR5Oq5bv0eCPnTh4DaIeTgwfSviDJZdA+D12vHlaZoBHdaNanlcI0
8GYRegrQXVOCRWk1KywCOwHgjRMsgos61vZqc0SDRehEmTvyTLIMo5R/YxwG
vniXVkj8MnrWlzjjlH/MCrhHHLhQl3hZD7I+i5X7V7jPNUL1bVYlKYYkLTCu
gdgc+mmsW4v+fYqfR92akGVu4qXHBo51KXW9GLvngl4UjgRqohP6miPuKda2
lADJM/HAYxI4KuyXkrRpfR/JjyLUN8j3pabGziEeQ8YVRnz7Pn6clxegeY6H
RYLDqIgaTKwUlgoVdlIvQIZv9FpbM8kHOMuPH//hZHy0VxbtfNwuGvy/yYOY
S5dlG9houA//timnolR9TUKxAB0o+yg5WsII3y3zD+9YaXmH7Hxnf3c08AT9
ajL4K3m5nO0cxN+DsfsOcZmrTbvzwH4MW7VCwnsXaRbfe2gP4Hh8d99hCufO
I/vNzuNHjx482sV//TRwDiczXqKchi5y6MF4rl/LU9U6/8+NmAC/29/bO/j3
yePx5J+/3vaxwU+Jh3XH9PC9ZXPxDoO7u/ZMlhG8gbC9d2D0L6qnSc6cOzPn
IXx3pce47Vk9kCt/3u6L1kr5XfEBVHWyMLZ/2awRHa/53QFuy5Pxw3/WOfz0
9dY9djfndw8+YT+br4Prbrbt/miI3GXNwGUYGE3by/zVlkrk+1fJ/ZV7Dhxo
+s6+8859x15LW0I67B8XThhiCURIeNlBBljFErMgTDFqDXdME57ooWIr+1FL
gx9rtrCoFQldn4LL4CHWwYuBzlaKpRFhMYaFm3pQ02iHAoFxttWw74NFRFTO
SF0mHU/lareSOahTbxuUPGEIF4xevxJwjw18ZDTYWkGVt+gqvE2thicNBc5F
JjqZEJLrzHYcTG1d1Isb2w5SAJQum1iOKsSmhDS4XdwMyM4kDFoU41kcPjZC
GFAMXFYZ6AiHt9Xg+IbHjo5os5nWZmGAvsHw3CI8sL0cWu671kpM1W0xi+F5
Ao+nh6OcTqBp+oVUbEQk73J2PHtVDCh5dcMAx4b7z19Vsev0AmxkJysUYCqr
1pfaOFLcOLMPdBuOP/F9clIc1RiYJmrw1MkOu1osGYGwlyImgP5bs8R2Xako
hmwyBjygR1ARAmMHZQEa45SaDwS4Yh2mK6flFCb9U/hvb7++ibNaVhtu/bf1
INKLNLT9Rl7Zz9j+yf7BQ38GrgaOJkud7tnXJ2aQYMHQiwigpQ3c2JrlOnLd
E2PafLZIIHa6WhHJxo+lD+70kwZ3B9A40GDtHZ8wjl7Hlr3By1XO5FAPth+q
XLGTo7tONn0BZmeYqcKqMVOJH8bk7U+6J5+8cTHncegqEJ6w3y0kkDv3yymb
sk0P3DbN0IyT35YCzcTOezbfNUTRbFup1KhnyVqLlHDw9cf7+zbkzmQf3aYb
kGgEa5FWTls411V4DUgGWMOwxiyrfBhXqc8l4P+W81wnNlGC3ZUkLbUV8jEl
A8LpXpZth5wZF6nn1u4UfLLzkUd7NG436JNInPBJw9AhJL+EX/xXUePcGEEN
NRPEi4iVvFsW51PTnA9cnFJJkRozXwUJKNPQP5xgxzKRE3gUT0DJQVwP9FCc
2HqRTyWdCHdUw8FSpuadYbJnNu2yobiMeX7Ifbb1VkoxuFJqMM/H4KFLwbgg
HsBzPDtDXwAtZ12w+wR3DFSQHMOz0WHoj6j1m0DBQiTH747e+NIzsOIOvsRp
fc/eVmoql00OHh2IGkSamZKAbhZyTfRrGkRSCjcKw22DiWI1ST7mzQXnSXF4
sh+/QEKr28RuD1EJ8opSN31AlU5tJtBzTgocZXAwwRoDYC0R7YVXxfVpQQWz
ZyXnumhHCNeqJXyC8WKNhhGURnzbhmyceneD/Jriex1Pn/RU0pvi0nXaUnyU
r1tB+rnFJOgiPeUz+P9tiS7pO4KbQSftk+vYk+yaNmz/KIbZ9GMzAlhsWspv
QENIOpBFooFprG+saxtvi5hJvF4FUVLwGx+05AAp50rhkpIzPvRBxVs8Taug
agoOYY2mKxnXD+o2hBpL+AeoCtYq4xEQka0pX2tsAY/hM1P4VFl/SglMtXEy
MZWO+9wMJ9J5PCfyuaLOTre8yaiipy0Yt8uFYwNne6E5V1YLTZx294ruE46Q
3qnUTFQPt0B800z9G67mrfBb0/OCIR7sNvPHghnNEpT3yFkTpmBYN3Q1Q+Ji
TbKBtmxZNJCr+bCumBAG9zfB3Au/Ws48BWI9p/CK79oitfHiedXWqdWwW1gT
L1D7V6eRcl1gZVs81/ibbaP53sjmAeM00JjwjKGQqiZImtCxbzl76VZ+YDiW
MmUc59w6L+dDL2fRaTMrG0YZp+YtEiONk5uD6WnJB6AOuzw/5+rVcffu3oy6
uMBiOyQdINuqnokqQGRFTiXyGZT5Kt/md1YxOJBD830MS8UKAuceYVfaFlal
roS6SFFZxZ8VU6SMRVK7hKYgjIUKLDDQZTrh5cxnBXYjo2Fbmx3T4aWPFvlo
JHZ1m49LMi3vCrrHXpWdkLRPU3MJPJ3MtNsyhLZEj5EmMe9JcZGW1YzQ1G6L
Hatax6q49lcSOiKxIunFZy773tSK60rPUAXesEnyW4Ee6zqnVQdM0puxTcZc
qmEi8g0LFu33kkVQhBlTwcIKCxJgtCrtNs+eB+vHCeMwUse36Fb3ErcL7TIw
9xTfFmh1eimKuKu6ICesToaTQASQV2t6uqYS5+8HTot59/3x21MsUXt1/PvX
ZyeHVK728uT05eHZs28d9t+e7nHHqT+4wa0/SgXjlIA0M1FKVelmds/AiCQO
yNlMt2Tv96skRrQzYpcMHlt/g71I0oQBTOGXPodKuRwDx9DzfLPQFMFU27us
rsPQdJHS4uWnvuDi/fXOD9tLdvd0Z+UowMfB+5Uarkgj2yn3ir0RQgQa/g+P
uasd66LOpU1/9TjUJ5OvZgN8pFGnPWUdjnRv3Cdob0TxswsTyx/MmRcpKM7F
DJj+cSWfCl6VoF69Jkk53Y7xtiiT7zZK0mzlWejnl1v4Vy3VWffEWOE0rSh+
OajamVyObpCje/6KeMIchjfFtUE0JW1ob7r67F3X/xMvv+EaCsb6HSVItv10
h6WZnOW49rd/ELyqHAr2qfmtnq2AKnEhjV4IbekTmUe/Q427k8K8hgVJ5/hC
f5K8K3iMY5zW3SxhrNsWEqoVmZROxdWipMnxyVGH3lH/LD4vqnYY2AHzKeI2
d0l5y17gXMPwXP97kxtks9b1EIsguxxA9jLvA1qFBG/VmUDbl8OpLymmWkm4
Rt1WqB3HgFa/5RYW/8S+epr8GLQqjmu4WkU4ltK4rVV32sK1l/GFGIdDOWnk
jqDAxJyd9cPZtdOqkYxqL6ssO94VvmkQKoVK6xX5ecJ1PSLVK/23dO815y3X
3eUiAWMVbM2dYZK8eemDsJolXSI6zFSz7IiYO24pzlbjogdfjkD0pe1ibrcD
Dnv2NrE3S6i7dVMGSpUMmb5bhQwbtKFM1W5n034Soq+cDFvRe4zXnqzQhTi6
+wy5J0wPcQWZESnP9OxbdB015oCMbeMwEjrPTqsN9ms9FGJ/fQ3UCOraGu7n
AKknPlQxlblGkvsOrVmU1AguhPmTa1Y0zNloFFRdczTLUY/et7RkQGUkJYo2
nF9ezm/6IyJYZDcrtdEARRszTfsfFFuwidi2a9gcvF/asc9XNIBVtswxNoyg
s1ImRAIS1fpierkq/3MTDwWs12Vel4ubWGdD5gcxqljxnYljBqMqAZFoo5HI
9h97wgh012zCUdS7yrjWqFphtTAtBUPofMxDJRq8wxFXBzQBzNtbpppaiHyK
Eh27OLW9q+MiFJJ27AzZ0CnUUahazqEkH1xFad4kZmg67IQzUXUeQaHxzVBx
vgPQFRzGKSr5GCItgGPOnMMc5sjWH1ZDtOUFawCEQiy7/BwTWtFx57TN0L39
5KGgTie044ryNTl4st/JLujLl2DtcslH2A3EG5MvG7o2yHpZcGVDdBFknyh4
RF10yMZC7CY5a88TUfnDaDllvFASe9O5RUnZKG6oiVat6tpaWpFUc1t+UQrc
iVbmKgYPR0Hq0gdqt2JXrlhhhaNuOLOSOnOxPh1jyiGJKZNY1i5NhNlh0Yse
MrXLYKeLxNGMdDwy3KuK6d6njwhGMcJTLZGz5BIlIketFHCw+ivZ2TQhXKDE
wcij71P++QowPwCNl+99T0MItfD2cf/yyTVix4rpnAU6pfk3HWSLPeomwLQZ
Udw4w0Q9cJ3g/W19uWMXuGJFeNR0kn2zoSMOkgoBx/bhSqcMzKXhsztFvLrR
TpB4FK06UcO4WUcSp35x6st/cAdRrHFHM1Zr6cfiE2bkENCEgVen84hf19BG
x4kd88x9a2EVvs6J+waVX1hCITmDHG2q3herMavg/Y0gN/oN5UgM3iNLzou3
XQah0stkA3xIJufvkieTC9dzEd34Yxc5AB6Igu5iw/Uf6hilSZvnlcDA00aj
yCYRkoC0SiyhEvLAF21qRewb6JRn3+2HDw5najn1dL8jKOsdhQnDVsQIyYPR
QfS60afpWDgXnxr/sDviHHm3i/ZpHyBvNwUvfbnwW4iQvqL8wCrESMfkzTZn
rEuqdBWViqjXNR1GArqTr6RHEXeBVLp2ZSCBBBbOKk6e+KiufYDuyE1FH3AN
kLY/P0Btw8WEXfI7u0xxJEhw874g38a8zo27ez5QGJUXo5IR6ETMONhAJy4l
SNuikV+DEj3WnE+BAgZhKnQvFYiC2OCOlImAT4V1zk6BrGi4gTRc1OLwzgKP
Wq4ZHpQiUkRByH0Ez7i+6QFdu856NPuQslhZaFrafkeohCqmSY6UWsRXrDDA
A9fH8brYDid4ru2eEHqtsoQ6D0FTugDKxHrBBCTGyuKDj9zzIKR5YPzfY5B4
69LnOvcW5+ip+ACseNo6ImD5lDfvpSAz11ow4qJ2j+NWNiFiqGjVJ4tdd8dE
qRm6YIRYRlk1fMcUkobLk+Nj0jzbfKKqFg7s9BjHpKtCNhiF4dH37J8gqKsO
EgFn5ZimoLAomdcoLfM6qDaZZaem55lCUK3u4q2aT7u4CXb1ud1gVxVINFBV
zvpd7El+DghO+F9JvEEciM2SArudDAvlsAryoPBMW8lYdIlqlfgKfc7sRth7
7vsYJErG4ZDmEgZ1R5dZpIqxHd66Qv6nzdoYm8r1aArdvN7K1QKnOmInAyX6
+sirgCcjJK/9ROgeYiBzyX3HvlstyvdFcpk4Vq5527JteUc3xGIzVcmbaslp
nYZDZ+gRduN0OGSNvd+m2TGUYGSuGZ7sOh5k6IJwrLDssZTmGDgNvNOskWBd
54ZWSP2wUiLFkwqx4YqGdkjAX1fZUL/05ms7etVMkD2UjS8kse9xTandNHMw
qMqFvzYd4I7qxl7WcthaBqqV/3w+tAcRgmMlLd1nuvnz4LuD0SmucwoGavJ0
Kve4or2xrn5Y/xozAhz24u4QI79dSvFmyNYGr79GvZD4NepZCQF1/fKSIKZO
OyQpyptxxGT9LUcRbchZWvnW9L9bGNcZzefEMhQ+ftHVnCn/eCuP0uA70h5m
S5EGR7o4rVvRHKXRUyhWhM3lu8HYBrDUVTeLM9dJjpDaxcjeloZrKIUc3VUK
l2GjZHEOs8PEnGmml/CuuktSz1A1n1Peqfnuu612Q7IZqcbxXJNcBRYHfn9d
1e9HbqW6c5QMyCr1YKKIugfTHI46m8M9iT8A1UgXmWV/ZLE9ON6o70cUpdKu
HAxOJ5jk+OGcFenFXGGqJyS6L5V+LfxPXMMp7cUe2NE1sF6EoSC/JH3RHNOJ
nd4jQ8zvAB4D+7BBqKSZDwmnPseAY+l8RubjaC8Lf9UI56HtNZZmmOs47+Dm
LexxVoCuKezqVv6oVvmIPU3cJXKG8Pgrj13B/tDBneKmbbd8zbd/JetMB5nn
5QLTzMS+JNgsLN1Slr1t0kFevH1SiT8CGbsoqYxcoOqp12mspY4OyIkCc6qJ
9/HHw6Ojt8enp+++P3xxcsThx+eHJy++e3sckhSYTh/ol8rkgb9Fhv+3t4KO
CMjYxySVvNRGlxmL/wJ6jjf1FcYLVDAlzAOGYzvtvqAMexrFbGzSzGbxwlNS
snn4BFaJFLBVcR1WoN8A44G5urnbFkRHsQ+xcRMJZHuXVIjJ3E/SEXzUWrSi
G+BNVxgAp0/FEjfNQeD3vd56SU72KmgqtK4QmBZ2IuKSVzblrQKVlYPYGFaQ
PyWiV6Ef6CZc5zeyBo5ILVX0vanLq3x6k50szd1J1vxdRDJelKv3Al0CBPOd
IDY1jIGZnnYV22roZoBm0l5Gf3xARQWPvjqPgoZw3hYkYDClEck/oiNXBFsA
Y7hkAnYuLMk7pU/q5jt0S/X0arNiIGP9QLBvSunNTYY039745tSGHkVKUQ8o
PWic0dfv4WAplCw7mVekZOJOdnctuETxqUJqmiKlznhsrMCGXHYO+tv7zB1L
8CDlghNBuTd8AhSxuJTGCpaPwTQVP9AbFbROZOoKomb7S/CKGjToo8cDEaP/
hjHFpGNZp2egFlmrJi+1Tx9AReZURwypAB+eCmAvaTMcg+CSnQ6AVdJPcHyR
rxEr4k0CSgo/ZN423Sypi+FV4emJaaZ5j4FTfzbNSBM1iHV7YDR0jGhRDfBy
pxqt+18uV+bdV2bXeyp0tKuuB0MbfmsGNmNo2XkK2UtjMwooOPTM7rX00MXa
TRUuQYSB7eOBnlVdYLgOBLWRdz6tK9BRCMSE/RON8fpRvyhGuq33NoTOS2xg
rQh37BzDJhYkSCAfWeu1JfdpVD3Oe4HK6PsPYOAsr9/rSThcAAOmSyShNSYL
Gu7E7SHYMvwH37VW+59ou9heTkofbVytoXQ2/Q0UOUJGbWcnpT+QBo+M/gc2
XEL22hK510DxsOPKEjzxNJZnTZisjIOGxuaySTGRdIAtqfXetHDnx6RsrHNg
okBVX3atERAuvX3pQTJ3PFzZZD9FkLlCsyAkYzgcaNmZLixt/zjwBrY5N0iY
PNmLna3tYg/fgYFO0JMvOe2UdprYX+D8BSyylLzHL0jAJ436fg8MBQ0HpkGL
5tIdvWB/0MC+qkkWeXHAjFKEo7vYgKhghDlkDWzAsmTsj8PufFfDDeujpXfu
EeNCCGNH3COF++AjS54NvveuK3A/Ly/G6BPPVwa8L9mpKxkbBpQOWLAr2T9l
3/7h6Pn4+MMaHhu/yM+LxY6UpvKH3rHtM0rwXfyfex4ky2YJ6743sn+Osoe7
9Ely+wOjRXhNOM7etxXmqgbqM4jRuCaDW703NMd7bALVRNLGstHAS7AMQ78t
hoNjUXSkR3uPb/GT4JGygghDRObXwAJfH71+mmHUsWwakNRfTB5PegbIWWzD
gS4W15QjBDeaXjRuzEkoDYK4TdzzHNjcUorSmcZg18Yu8xssr7JikBr2Kvb6
Xozg1nY7n4gC53qL4LdXBUsvLM9ByEegoclediyKWHZ6uWln1fXqadLYW33D
vUZN0lIOy7ANHSDtcOI2pdMtHBEFJH1F2jf50egqY8W5JQwMfJ5geD1qZ0e7
QEOYYJmqqrMXtInJZ9Ghky/MbKNvS5PPG9awC0F4IvANsrE9yvu5RYdx8883
WtpKDekloCEf5Bhb1aa7tkpa3ul3yE8tz2tSv4CaZNbsQh7Gko7sdbLn+mVe
gD44GtpM6UUjbekxW2vFAGGfRgScaLlZOXqzNdSF28EdsOqen7zKpEG5ax8m
Lddin/lGDGETcHg9sP0hdd6p/YHsWm2zAlYg2LZv1krHoadX1NIrhBKLeJcZ
nCDLz1fIcVFld/QSwsGemJnJNUFGqDXwfVgJA7XzcAT4EUekLpO6gyIBQ0TI
CJP6LsZMWiPNWU1MrT+bberk/P3URt1rQtCZFUc7vkF4DVvR9tOWMp9GQ7FN
SdgeNI5UQGqRGRERCtmZRV9L1sdWZDVba/mVGYQ8TvSRUJslGslUfbaW8ZCv
0e+2WbOzL5+VFRzWg73s8LzerLdxNMd8kkby2jaGLxluGG1HzADxrA3THvAb
nlK4MwZdtjRiJ9/B4ZJPidZJ4VaN/TEiN5bIkQ68qakw7plkxlKqpg0mudNR
wdV4D9vDGJE2LM0V7XEUEikR8Ghy0zrQHRbAoIPUHsBO4RLveFR8yzkRZtRR
z6sKUwDLmeu+RhcPj7oZyH3uuudxPA5Nr0kLMvnqdKO+scGL7rxCbYyQeVzG
aplhSigVihkWuMNKgVaQt4UBuGGKMk1P9psH4qORb+hl2VXdwisIli/ouKcA
4EpaaHZ28vL43R8PT86kyKV1sRJKP8k5v/G8qepzCW/U+cXFIs2qZTVdzc0j
0MA3oBLZ4EHKLL5I2kZTG2lu1AXWXU/t0s7NI9i6Cyyttw+q2eR4tnD5vfBH
mEh1bWNJjKemEIakNcf+ot7N6ABZcv2idXZH/ol+HDPRXSdcHZ0Hlo4p52Xb
7+4VXOC9kUPS4hOWVbw90k9b+/mFkEqymKgQ+9wIJBPOhzPs5Qex4UWrfUoD
a4N+zIjehLExog5qf8pXoGzEWhCd+6+TyfPT09evj/6qNda2WhBIwmkYbyhW
8TIKL3rd6GFisUS85EeeTJLWvSJZOXc1nSqVrP71+V81pi0y30U5LVldtsDr
ijqbv56e/pUn4gARGfJHZdupgVxpExwsWWacGwPs2N8fZfsw9/0D3qr9B1F1
5OHIvfhklE0ej7KDh/zUgwP6NqIMVeS8xgwLLlCPM3z9+q4Zvp7Pcfv+9unt
8/Qe8FMwxOOH/OlbpndEs3NwP5qJlGdHmNXxgqfKQJgEQ2zXi3aXjpRw1HD2
GIe8JNWMyGF/xKcvb/ehluRw6Ev0EGKBIR7NzFRtZL5J/nTnG5NbvgGj9ReR
IJzJSeygUX2D0Fsdsokz0yOpNMkjIl3JIMLKE1ltSSQxmx+Lu+9h6voYc8Nn
92Llgs8/x6R8zjivUYmgEr8yz6TpLrnRkptfkh15vWJ8pL3/Sd2ve3/ild55
cn/y+P7Bw/sPDoa6t3/W5vFybXf2cQoPDu4/fjjYQP6XncMPnp53Jo93/8I/
tzl6urVG4L9sF3BB3hMQbMHYTQQfawOKqjssoZDII5idNW23szWYtIhSqOWf
/ANJ+vY4gED2fCr08mHGXVsWBd+0iHkmnjhplanKOzX/rvhUtXCWP4XJEOx0
4PxFyQ9I5JlwJXKC8xjCFuDB/ZH/Of5AuQmLU+lz7j95yTBt8goydzH/KKeG
qlHoN9IfhPRfTgrk98c8GNiJsms1dctmCGpMIOTXUZrQmmSyY/PqI3QeV0es
soN/f/xwz84GactOh7hm9MNx6ouz78XesGlixnwkYT6nVQTFETS6O05qUMLj
sDBrlQODR3TmJEWUZcakTRo2Il1gvEmf19IWkR9C0m9X1WqMMHDJVoqtrc6M
xiRX0B+jbmb1dGJ+Lddgp/uvpaTjpS7/3qCLUYu+ID3SoUgtsFiMZsWt7Q1v
1RrPxHPV6NEHcrVj3s5lWYi1R+7aRcH9JFI1ls5e3w0GP4vg0l6xdw7kRnwC
lPnuHcvT3GAYYl+Kga/5cc27FdD/wgns7Dmp2uJp9npl5VfnxaqYCzKsdlUg
gZsL+jXqMONqjuH/IlAXcooRcmjP5qMflAtvpuQCn6Ji92bESkD0BraXIXKO
PDoSYP7S7Ty7zkvSmVmrx2SGfNUsy0a75hKuE5vfI6lblsR9+Qpunrkcl/l7
RqcEe5nz8l5V6gYlcrfCrNBdGDU4k4wqhQjvHdVIljv36+E9Y3wWzmLQIZlG
enM6ZPRjd2i+wirks6tSyo15QmSQFNfRdYgJw+hU5ZIFjDlcVLG/b4z4Lqjf
SEj2tJBcwyllj2zQEzsvF4uYCi4mHfZ6T+057PAewls+jbphBwE+JjRKjmcq
7GcHbyNGTYwZFjfMP3zzxeAcxC6jIH1Vq08EVZzWQhnSyIttCsGkrKZJTIjT
Hzx6TA/xOeEB2D+4ywbnJmHZ2vQ9mN+wGRcWE224bo9z+d2LpKdXjRAXLQu9
0TdFy25a7zSKTm8u3ZPfWXQViybey5Ldhkafr59XB+UdoecD3AF7j2Ro7y0f
B6Suoe6Xjc6Dy8xC8jXKySRhYLOOMFMLq1Lx8zbXvFaLxwGXlISJigUtwfji
qWIfE3BG3rBYNABpjEgNwoRjuItBFSNWDn3eJzC49fD38dBjqz9K5NHd1Jyr
Ucg7UMTqDzt59Xv5OIWX1rAhmOaPDlvtVrfqrNiTkO2iwC0IvqjUy8Zd5Ox6
eRa/b9UkIYaMHT26prvuqKggrWLBR8A0vWSQkE4VR8Wj8ROxULZtIw/IubS+
rhhJPBBbUQZVUuNp4UAtVyMI8KQojuwmMYamPRp5AVpP4I5QoOt7FSwE5NlW
a/es44mRPEq1TMmnJyUWZ8/eZKew5kbyNzscwuVSiFdV6gnKui6uqikVKwXp
oytSbss19PBACqKVr9dFXrPvjovIcAJBFCHWzDhqo45sP6Z2vXA3MGZmWOGb
uuz4NDeUAnLw6FF8ABjdmf1dghPISAUeHbVvil/A0DWm8lLFU13IRZeQzpzy
UqmZayBRKekqN+zBqRYz90F6faHZ19wAsKlkvTjsxSYHwmmx8I5BxeJqNNYy
zGbTSyA0xBc4xDGKDzn1nKV7bJ0ouokjspecp6mEzC2+xWvrv2Wcwi0Th0Zd
ufN6FLj+fVRrDTPKDVKuklbAvn2oxFPx0yUVb5bSjZDS3JKcDZHSLTcgxEzI
GqsBSeFJE5WdY6ai3KvNCrNDpl1uKjAJ0vdK58JbHjjy1Y2szQWJ23U0i0ki
CWWLtah9p8iEiIIOeZqhpCOa5gc0bSjJR+4uMDPRFXTDvqZNWSPj62xMV2d4
hIOr5zCW0/LNecIeRuykZc1SdTMRXaBYwiDq1Y3BjnwGFwXZ/mDRQ9OGT9tq
wRpVl7goz3Fjfo4/PPx1sj959eLFy5d/tdZln+4Qp5SJQZf4/mS7S9xpK9El
+2qbS5ZcJqbZLLkDTY4HRYpbT2+zLpcKOOgHwg9/g8RhyTCuR9GrzZJ/Kdby
rs0OPf9/ffHiLp/2C/FSHHoN6m/3vItrO3v4BEahGQx6tWmScI53TDJugXcQ
N593hoer9OL+j/Ta/hAJaOfJ7l/QOwk/OTvN4F/orfwcXtlBkmMH8YOD+w+f
JN7ZX9gzjCd6VCzyG/LJ2lc+yzrtg+ntNWdv8udzesBNSfq7zEG9z8DROq7n
aKCnfucUmzheOgqde0buuN1OtW53e17JJ6lTkrPzOz7JaIu4PC1UXjOVwTvn
RWNAFKYoEgpUPM9dc11GySC1deKuxLYyzL9+8+o37EMUnyW6KnEtUXvVldjU
eSXDXtW2amHKcR2/S/QCwvDVgf8ZJEtZ2972KAEmMnQd73DL877WhSzUvL0y
UqohtYTfTMlcibIkecKtwxTcAQUBwYalPlHHsygkDQIiNWBPRjLFMA0grzEb
w252bJyDxcfk0DK/sY6Y+AvUUZbHZioGTrqFWxHFjgh1JVXny0ZSDiv9qBDI
tcyaC126TIHm/EzFuveaRrWwo/yxouaS7BzUVogZQKNM+ibDbaSxxmJVEXZ8
jx7SiZCrXGfiNHs4edD5rLdRSdGNnCA6ukYuyuhTBv3R95MZcEpvj0l+/KI/
YWYWt6hDqg/j/qkXbdv+hdv2z1ZhYM5dPYsBihoqgEanEocKUg7h4kpJMJ4C
CZJQljZYcZ8J3TA5dh5edrJLZXHMILOhKbC+FESh+5+itaRzGl7z59cofsCM
/QlqSn+Jcd0f4jwmQzP5y2eYw8H2ORx87jkMKhyfZ6tfbV/mq8+9TK/UMFfq
qzYJV9qu26TMC3Qc4LnDJNxTClLBCjxXG9P4bBqv4VCY6WKDdUOZZxzWTqLg
wJkTbVQbRD9ttxqIwEnwQM6q7FXxoZU5o0Y2QtFAyCy7vckP6zJDc+16QDj8
Zc3TLMtISqKi69Pg4FrXoWMFU9zDbF2eWHbvFTW7ZDZ7j8VaIpOVlO5Yz992
GJ90AnNpTzO46ot8jcI1WVdvVdxKtqf/f/yiL42ZXvvP9sQraQXqcVoWOYYt
lgrAJgFGjaPQZzKqZpYccQ7wgva38vB7Mcf6VyqkgAv9cERn/OKQ+NBnMxl/
YGYQD2LnwYFmD3X+/CJziMuasAvgB/x0dlqij/mNUttEk5j+G9/03zi45RsH
f8s3fkkR5Cf86pYJv/pbJqwiJd7EVKT0buKwSOlfWBYpsoBBX8un2M5D7K3D
u/mHwhaEPw9aWNqRg12wWm7KsWibfinMkIwXaTdGEC+cPXFd1bPGUkjrnpkp
dU+uFB97Rw6uf5xt3xw0JXsXcHC/pNrzdmcD2aC8TyVCe2CKCveRRTPdsrFu
YYjKMxFKCj6Rptg6g/Ucrb5b1jVAEfDWZG/v1aCkcwlYl7lDM2swTtCWU45e
CsXCA/e2f/peX0y5sN04m0RxNXTJ4jngZLdI5a15af1TiSdi22/F1ZH0ImEa
/Jv2ZdX8P9yOuAGq3pEP4mes+LIYiHhi+YZ5RUiWrltvgFPltPgcbJ5Biq1p
E9nDBod+cvrsu9PTd4evjt69PX7z4vDZ8dPsTVFfIvQDQdXyjeJ1NJTlU7t5
6W88doDz0J0jtgzVDHQ3HvG5pKZ8MglWEaZBKKKipsmJjB7F2JQ+B38BMx7N
6+7Zlavg75FE3PDbMlXsLlvBrxcIfYMYTDPRpE6Oj4+zLx89lCKn4gOip4Pl
PfEDMpCcGOwcSdr/MBmZv6WRAjeaHU4Z1aFRFl8oOW/wUXZZXlxKjTsuj8MN
tm4sn09fo72dTDK05eNre8HSVXubg3NNMgl5Lr5XPU5izKNNDuAssN01ftoH
6OXTOrXu9uR8lgL3yt1d9j882d+X3Qj9efHiXHKULwr0W7BvNbYrG01jmMmD
D/e/egzSVpbQTy+Y7DKeZqmhZM5bkk7wfsPgL+OYMTu4r1aJ1vV0NoHm0aG/
w9jVNG277N6k8DlH/yg9YwGby+i8+x+ewx/vCnsea50EOOGNBV/ZUNH8tU6u
UL9/cgSy81CEDsAjKEXHxu6IMCdEtSiuioVznjnksxDedFHy49f52hOY6Pvi
Js4i0QrK2NaQZkLufoSX3DoO5Q500Ecw8yC+QPVYhA9PyQBua7rwFfRJdOA2
hgrZW6SOr52rD4cyGngk7VY4kDh2y6lE6IySe1WgN70u2pve9iqeDZdvOzTY
/qQHN1swwa0DmU0lTg6Eidtq1wcebLyBloRNkCpSbkSIv2v6iXNlAnGyDbnO
YNa5gg8kKGa+14QhlqTEmuCl3DKBSYv9w0lV5AxeRbxyX0+WSszWU9Z3/VyV
Lrqb9aXk1wdbUIU+ePwoQjen5D+UHoMYuvZTzeikfbnaLDABULY8RZgkJ32E
oExHsYwyqbxMdXOqOWP679Epc4vOjzk2bpmGA/lunbpR6lly18lbUeuHdtsl
s4zBEQKWUc8a6xSANQB+CgrOZutYEEO7m+oPFf/wE2GsQYBVuHeFJRgPnGq4
eydcqwFy5/PUhuYb/HzvOAmc+MB8hJIFNyHcsrxhEhgZCLXm9SI/iMlvhmxn
kKKyyX1uJbdvC9xSkvObE3qM6wQbMyMjjQgjpjXh49wtix7/WhvscPG9612Y
Cgp8rdcsK6TfcgdqAPGd2Vl7AkGnkPog6UEwcPA7nflishIh8sL2PYdvYa3/
bsTJTlKIKCU4gnoPsLJ4YoQUUdSUbxm5qkiG2HgDOzesNQvJrj5m2luWc5pu
v8w/jJH3ip/CnmJbAYO7xT/tf9h/uGtVwzCBOaq7kqLpEvIt3Cs5dAqm0cUy
dwXlsWYmbS6HhHN9WS20z4Fl9CS5Bb9Kr+PPd1xtcYN96p8fwz9u+9VLOQGu
WNxSRJllv8gc/uZ9MHSr1FnWIclegolfo+RACLis2bUR3culCn4KfUr4XymU
Nb0UzAI1AjGEJ/sHD33fMFJ2OUgsiOvBw8+MWVPnsjZKuyfwLS7FZ1Ei5UPm
mlJ3Bps45D7Cj6J0X8hIGrNOK7umuELrCUHuA/qkS7svPiDCEQtPVscQtpmr
17Q+0pU8qtPQkge4io5A7LBGScuIxqE00HKGuolQSGhGwmflt/otrZPEpo84
qcKZdSHi/XFFhaY0dxCuOh1XE1ws3wb4+YvXhNV49vb1i3dvj58dn3x/fPTu
7PXrdy+/e/Yt0x3jIHMyvYGcuA53YjcGJSf6qW+Vzln6nHggSlDEbRCwaExt
EkxLzWNRVZUOyhrUo7ugbrvt6SOP99UrfVYvBb0djt+veDHG/+hTGD8Xtgg2
589h+3msk/xfy+Vdwf1wof0vx2E/k6RRDpyUxw8Lm1+9pBko/uoKnE+vold/
R07uMXLoD+zVZxZaDn2dp5UKLZFXgV2WJCfwU2nzzigufL0aGAosVhT6TGRC
6MiEdJJWk+3A5bQRFjODLHtB9a81DERuUG6g2XVqbJFASaW+8BvxjQXz8XE6
ptbD0eTSyaBjXWfz1iCNE6EaIjI4IVMr1vaWeQmPi0Laz3NI4Ok4euIOrWhQ
GLauou1XIA5vm35XLhoF6U0xUmV5GT5BXmZ/k7yEu7tVWpazvqyE5zuS8vGu
iMPGG0LJnTU+EZSIGcCZO4kJgBzipf1vlYcd7nibTPz7yAE75q1mh5MGT50E
0CNHMhgr0ujMSQql+CSNRvhetpXv5YOTEy4Xa5Mx7hWo9BevDHqmDOlLC3yF
EbpubRpR9bm0YeBzmsc8q/q8r0fpBnkCQq1SjHK6G8byHHqtvCaw5BgHixNn
vHqeNfNzkDT975Vp67mfyQiDtEUhlnf46k/vXr85fiUbcBpZXy7+M5l5s2Xq
oTP1/6YloJwtfDpn++bF62d/OO7yNIHD+MmVcyq0rL7QYWpPdg04NLZ2II8p
8nHpZuCjCjOG5O1ZuYnlIAtQFBBqFCYTCGqwun58lOSPeNeYVrHRlItkxHxx
UdWw9ctG25DNp+MpNn1oeVPwlqdrtLroWMa8zm+wQ1UCN/hueCtFNNyyo53X
Oxv71e0bG3hjs97Gynf7m2oAPCYzVvmiusBsjLYKOosdgYy0idvmDE73f5Ho
wT9/R1PMRM/gvrtqUYGHIQnVMz4OexlNWuKcGg3KnBT+Mbk7QgqdEJEDoxic
onTYdYYOq65N4guJDBA1c4cpojxgSNmSvoHoDZM7GghENq5EGE9X3RIRuTIU
G6r24ZYflrQQEkGIQo+TOTigUiTYzeadcPzg5Ojdq+Pjo20coZyN+YO38IQ4
RIcr5ENcgdaeh2TlA5xhWPzSKtMr3v36nYzQ4YSnS66bNuKvdjGeud1pF2M8
rnWyuw3GOdi2H1IOkIK/+NFSS3SKCkiTJRBEcISpD7TiJJ+ePZzCOMBrbs6E
bCJdSbCQx1svIV/A67ObWyzHISR/N3rayTUkvzP1wG4vdTPlLwpmOB9rb4v/
f679ubj21jkck2b4DEvhb5vEr9iJl2FRFmZjKvTm1mjRr9SJxynUx9a0MBWQ
sZmhSkGHAHHTuWZc4GGXrO/wk0Ej5aV+P34/aWHAe1t5AM1PdPghrPhi06YQ
mvI9rjEJGfOl6xqdCKsOBqG6hhybEPga5u5vDo+OEG0qZe2ChSuOD32mw8L3
d8meWVWWYsyOKeB8yRuJOh8obuBsRvXCabYXvi0dprwV4F8jKEO2ibSTs6QT
iByE36IctEJw/MYoq5Ieen10FMSwQ6AV0p1vmnJLKhjZsOmWyDagBOW2DBb9
yztPSmvLxkiG9LtAbliRLCqgBMdVIcg6I+nxxaHt7PjgjkXy8O6jOH7jTsQO
8UuSwyD6ynlskF3Wkh2TEwokNnPJF9RnkTssUjfRGpGMtLufa97CWOpvkjWz
OruqgqtoE0QQetrL3wT+jNKbb0iJ6+UHojbXz+1ozQzqTUSybRxJvS+Kddpa
itcp7QQiTyC3XNpzJNpsyYw5cXnyKEi2KS4JyLBoptjICXGc3vQIp78rfLr9
VnLpNQVV1/V0YE+ldVVTjaM/iLsFzgnEvosFteqiljFp78Ikgqf712/zSDsX
G6e6ZhFBdP7hXqBmiQ62z/sfrNCcasevBN7k164spA0Lt6sLv2ZlQXdeBLKU
Q/R7M5ItKlUpWOjZYKHtPuNciUhqKCkx9pVM+gxZq81Gr12/wzfFEfXL0qIU
rtp1na+/ljot/unjR48ePGJ8rZhzuK9Ih/j8utfxTrAv2ksODtaGAZcAWMoH
LCNEiodkDEMaTHBVsx5qaGQolkw3tBHYt5fUntjhBzsdxBzGpFqAExPjZICl
0j7s+W5v0SsiqlXau1F6yA13VVKG6pgp6X8dw/aOTlwmVA9IqIJRjULVfB6U
dd5Jdeuqm67XFMpeMv41l8ZAYFe/YfzX4Nr48vujGFXyLVA48cYwVQY7UIWd
k1nBZRidvnDXvo0O00ex4izHUnt8+Zwf+DpoeTWCgl6v9nYFX+9/o236d7YL
3wIrgjN9c1mjluw6GWQGwfBD+szOb7lO+ZeDXPBslpS5LXelF1GLe/XJphuH
vGk9hAnKUNSZ4Ma6wNrQxqRc/2eh4ss31zScFDsQk85vadwG7Jyhj2HsBZbV
SW1+LFyoOA0Ym5hNcTz0OEnMp9Ln2FwiYFIqvDHAXhg1R2TYq7xccF9VATvH
qSJ6AU+2sxeyCZcbsN/G6FyiV5Gt5KvYqFNNZB8ty13rOis7oewTAhtQIB2t
JSE/6PSyoo5jzBuzC9S0ZwUo7gvkgjeVVHBFSmC4wLJxmnuefXf2fPzEciGB
6eAhffz4D2+fP3vw+OArxShSHpZqzBdVfp3fdNj6htqgpUzPePmDXbY9LUoJ
2uu0mG+A30mDO6Jzpy2L4CvMAOu1rCTnqHW3TDMiyUd9W/PKOBc84diYcqCH
JW9q4MoKKzyW+SXL/V/DmLXcmbP+7/AefiYdXOdwKu2vP/scBhlzcv6sEW/b
HPN8UWC7acfac3wkul4/x6FyfcpTBYoBA9ouBUq/D9IxOLrsU8SomYo2OlFw
70NqMsvB9runhE4PdctUs5m9YI1MSXHJvOLEfQTPIwC9TUkFg1+CQ+brnuwt
G8j6+K9qA7dMyW8ghs0+yw52mgN3GpsRn8PiQSmiw7LDmthoRSh8aV8QySAx
VGrOH0l4oaUk5/NCUOQxNKSVNyvpO4NYgNr/ejCphBCJzUjrIPXKdYKlM11E
l7IirWNHo5za5nINuqATdKmlRxtlG7rHfsepGziF20V0cVZTzOlGC4WkIabB
DISEWYJjUhFXTauDTH2WmhkYw5c5Ad2RMuJ6CphJQ8vnFo2mSSBwA+lfBCup
sO3sjE3yqawjzjUZTFbDSGFcIK+V62cyVSMGk2oYAvFrkMMcWOTVaGhYpkkz
1zpSN2GtDsO2OCuTuk5J4DGH1YSkekQonUtNA5duLMHkxcURKKk04I4R0G19
wH1mLfqKQ8wmwpKSqcxpnmPeK2nUsNnfpvfe25m9e6K1dMnlnHI+lmSf0c0h
3Utq4Mv/yq3V7FsgQnURfvxi7X+vQYYc9EVNqzvzodzvYFuznTcvz77b1ZaW
FumW4IErzzl5E7hh4ij77uhNpn/HSeC/NbZN3Nj9QJsj8fjcjodb/eoIPhBA
r/CgxJI2uA2t3ifz4WJZjm/O5PRYxmfFquCSbWrZYOyAsCTOhAuO+PiwLNj0
i9jOp9LS2GxWV2v0o1eEqbLELTmHmV2XM7TUrRXPKGqk2vGCogLJWb0ghkqf
xha11FYB04ZQu3745GDy00+7tGqkWXobngy9JyeTrybYlVb+9dUTeg8vcKRG
XCy+jeKmTX4SgDfBkmq+BiNtumGdoCNtG7IaTViLp3LtGnuy0hCaeo1aqnhf
FsjJy2apnTiiqi4bg4mJ5No/eWMFwR4oYnLwZN9qvQ7RUWUJ+hJ7OlHSk+AT
GaU8c8xnk0zDxKrDGrKDBwcyLm3XyZurx7T+ycGj7i8eak+OOHvmA9r2iUjz
fclAdLxDdlCyzmVeStLHKijlxS4VwOnOXTv7RTUF7oGzqYsl1vfDGoH9YTsE
jCgB36G3EL4YVRTmuOK6m5XzOTCZVUwIx/lYgW57uaurmRVr8rJVSctkeiZr
NmuFsc1pAGSpKjuTM0FBEoRZ0CbquaStVciGllGl5q6iNglwcCvaZOt7vhd6
Qh+pBBgnNrngoBlOieDm+bgF3dm3Y9GU+UC9/BZ6ZAp6n2fNEuQO4niQYc81
BsUH7g3NekTT991SoNAjbFEajxc1wqlC2vxMwpDUOZ42bsSQLoO0qbucUCh2
MKL91bZrA7Say05afLd/L6kxLc0oiH5yElm3BKORF2o3Fb7HguBChrEwBSLl
eGuDSkZPHCxvDAoiiSBHBr22FuCDH40JOsElUavDhRQWdGDX1ADPDoluYamg
M74nlXVNn3O1A+06n7Fr6jt0GwgMRi5DfBUP4rJYrLEpkVJohvBAZQtSji4O
/sPgKKTtB3damrHGLv3jOUVJy0cD9VWhgDFqyrJ44QOYLkGvCZFy2rcL2Gfr
BbIchIyQBROkVyyE585QsUAHL3HE/hnkj1W9jT2ezJWW7eJahW3TORX1xyHT
RBY2xPFCwvHwwOd4W6XHhCcy6qjEW+A0OkpUMxsu0QyE3VkFDJ6wudaIk0YK
d2JOhJqP1XLrGxfIZWqJ/sd5tVnNfFMf7gCYophrI3XX6j3hCj6BUzLPbTwV
LshykRbXoGXKa1ExIdwfgv7LxWs1rTAx4vwm0HzoVjQMoK2t5JtsXQHjwssl
KlPCqrj3ZWxUhH0fmUlhK5C6xYmUFeOyUuTCmh9ao0b50jmLh6Z7O4WdBNxJ
EmRkotAvZ66ZkRm72B8Rr7rZoGj74Eu+XecqdDo1av7kZbGpqUkPIjxUVC29
FtAkZ73px84LkLVsMQSj8thznLH/CJSc8GMQ7x72R2lMe2TKFlEGeXdeCC/R
OHHS7TAZexBN85psH8KkACMd6RP5Sc69WkaY9zJlHyjj0FOJ4Xu8I0miT1zm
+Kqkgw+ICgPaLHmye2TJGSv3JB0ENvwe1QrQoX4dj5F6wTFzs25ZYOMw5AQY
RrBHPr8Uw5ILsQxib06NaXUUFuqYJLdSe0ycVksjLUqp4ayW5Osj7ltH+hJr
E5JOhOV1VySJAhq01rkP9To8Wh5yYD1a1emXzfo3V1UgVNPI++frYiwRzuTO
Wds8asyENo0nv1tgBxTWqrNOJzozv8lqvyYprVXdSarlJfWDsojf2EmFHYlD
ZNMiSg3fyCRH16v7vXlirJyotNmcc+RZHSxpgh26K/ReSmTDd2WWoHhs8FBT
LyXEhCO4uDRTzvTK7nSko6gjotgvkKZaZZE6fD6UYE9IunwutU7c2E79BWD2
TuvynKEQM8vLB6qhaAofOoO63na0CMm1Jj6hRh7eFm4zqWyZKrAwwu+MvIHW
f+LT2+OiWYkRkURulIjVtTD0MmGSuTV9/IhMYvz2+Nnr74/f/olWZbh0fs+T
dAYshlZO7fMFLRci6eCBKoL63JDDp0dRuKaQ0rpR+1hYc1qBcWQSDnrRidaw
BpAZEJGgzQDIcoP4wBg5QsrzLTEjCQLr6Pj8rMaCLCAdXTysQtjcPFScZWQt
tHV5cUEd0c+tkzZMuHvvpKssNWzGoj/qH5uuXabPO+e788ZUwARIShFVvSfZ
aSvxaoQkFdC+GF2P7aUrlTSMpDMV3eY8JJ11VsxRcQXmXRSz8xw7hFTVOq0+
MPLRbq8oOV0fsiTLPzJjN0/qcYtvwHJSfsDpxzDmRSnwkuxbz9tovaFk4cQY
aucis0gx6q0lbUAXwKYRQA+u26bbhf8cuiVY+cK+WEz5oubI8nFkzamjCLax
zi0IefLs5Zvxed6IMpulDohSjELvMKIMqYqaS6JeFVL4vGo+H9NAaqowI/dN
YC42WjRx8uY+2kbZw3G7Qb0Ok5WcIaSutaiPjuGKWp9HSWPGhq0ugREU2ra8
oDuB3gVQzd4jPW4apbWdvFU/wy52b7xpueMzXSGajriEiullFRkCbpSi6lEy
LmJX8me4aWwnJQ05Nj0Tq4jxnq3aJAYNSgyqBITpShpStSbqhBnh7fru6M3I
DoEcjzonExPiwZGUZaZSoTi0g8ShyktqFG5302xIJ76kss1m0+tcCQu0fewe
KXLlWAs72u7ZQro7sulrh2sUK01brKnmMTmsDA9rL+tA1q0SRYZWSyrOqQRz
aPCjCtOtnovvNds5er5LeLaM38C6PCwM3VJsjvmEDgqokEupXPGR4WFnDjyz
tnTjmPW1qrKj59EyjOoLaX1B3O7iwjpPappQiVqD1VBtGhLcpy3Z3zE1wKsB
hqYNx1nV/jT5V24SO2hGGb6wvIOVD/waZYQ3SPbo0d7UbHJErziyQTD28KIg
5skFMDdguVX2TXlhm8GKxuqGXWpsyq7Eb7kR3slY36lMRX8PbqopuYGyLKW9
N8twvAC/aXrag5YND3oF4ngMSQxETeCmGODgAF7zVAcm0Bv4Icyb8xkPz5u2
zrV1h0RWftJiErKr2WyRPGzEALu4bK8L/P8jRQtnLf+8nJU1Txk7SAFXkbK7
kLuvKHA2ZeVQw+Hs27OzN/cPLK7z8eO/AKv98tHDfeLsOhWJgEoQTsPISSqn
dRAn386IXoEzELYjDdoZNQydO/WiyK8UC5jVRktxIY1NvojXcLFgpHsPEOMr
6nwSflRoypXgbVvkxHR6yqIJfJkIDBgbzAIRkqkoI9zI2zmCQqsiT6ht2kPc
ABjyJaiXFmgkZ9TcCk1S+1cci1ZFysHXhqhCeINLkUyMBtKXSHTgCatMCsM+
EnZzcGFwUvmHfgM+xpFg3tKRwNVlxuGRD3SzfB0vvr/Im9aH02ab2hxNeZpV
d+oWgx5sIGS+Jr6+eEFUjKFUUapMb2o1e20JinONLoIl/EsCF7QryJ1vMlK7
qOnypi40qdhV6rqzIWUWvx781zljlUITBTXGmAIpdAGVEgiJkp3K7HQOmmOF
pinmrK3Ie8TRce9muyrBAIMJ0cX2s2K4btzZcprdE353L3O3dxQE51Qp6xqO
olhfAnHVeZJZa2Bsp6dnYNb8C/znn45en+xN9vcmk4eP7k8Onhw8PPhyj/9L
UTgWzNJtI2elj7rB0wLZTiLov4D6BHkhnFzUWhTNWbBQf2OMjQtPEnKIEglx
+lwPJsnqlGo37AsxL2q2UTTrgQcKJ0d42KqXx5SJKRyruKGmEhCxjDjdKNbJ
fJZPzLnA9tzGhTXDJYWdRudbmuES3/YVgdl+trP/YX+XmRa97JSyYXjePStZ
3SfTIYjlSedK4ZKOc8U6ascoz5YMJzJqU3e3eH3rguuxbeY2C4c3LwKgXInC
SQV2xAixTarPRPdVQCW7zPU5HdUg5ukhdF5Wcx7MObIJmqafgODbdZjo0zx5
xBwjRScIVFI8GvkeMyFNEKWoTJfq2kvOX79MOWgwgAypa/9pV9CZCIsBfcio
vePIOJfYpBS0JnLBllbZ58BfcFaYFCsX6UU5l4JHIfTAxR/apWWAg7AV1ZPo
senBAsac3kwXPHBw7ztNUTUDyfLkI6ooWpCMmygKo0Dsk7iCBnGnktozRZZd
manCvnnO8UBouU07rubSyUIFb3BwBUiS2FdEfe/u+Cn9iFl9ujS/NaiacYtv
IRheGB7EvLzY1IVKYPEDJY3Ab/nzj2P5c3uvREvs/PGux0oMMdz92KeM9olz
u2MkVNfuw726Euq//xb40K1j0cMvT4/un37zt3zY/lz1H6FPPD95dd+vUmdL
v9jyDkw+8xto7wyvaqSDj+FJKrDJfhzHP3v9V+67pfX+gn/+3Hvnyv09XU18
JPSf6D6T/PFPxXdxIpf5Yt6dU/rHP5W8K7VBd7xrT/l3dzgounvHuzsURd31
7/4t69XVfNKfH/vvGTV1D8bRX4+C/xwpKusSgaPBHoX+1RHWP/+o2/jj78b+
z29+YcYQZJVPs6wbJYnF0UFmnjxkgI7uOXyQucRTg7CJQ8B+4Qj4X+6XTjHZ
7lOwO/RU11GMvwOmQr8bhF+lj39Dvx/EIbKWfAqMZcJCWvK9SKUHP4Zt+XyD
EjQtS3JKoIy/brY7wK0tXuz3g6tuOM+Eg/eSUONfQ9eZNSWzELZgKAnCEydy
VpyAEdrryo/w1CVN91F1xIpLbEEr44STCXQynNHcRpwKWV5F8UX2+NxDUXUP
f3YPOeM9XfDKpzFgig4539kXeA/5CpdLzu7xoJpjU2M/glLaS+U+WZVTqTs7
TWEpTRiTljJiVHErnJadhg5v77JcFC4WWzYuvxd2PIIgMFwh2IWgj7AN3A7b
kV/jL7iEUjXizaqkXiSkV4KlwC6SoNcm+Y6CLXR971j1gxEwcuWxugTG6G8a
jC7+B3fPCmpAJpsiMZnE8OwnUJFRx0VrYGxcbMoZJR4Vi6bg5GjtYz6rphuc
0agT3LfUR/x2G6Mk6/7ZSYul4gMZ5Ri/MQBTUcScTanHRUtpUshFLu0TxD76
x5hC7QIKKP21kCQ5lVYVRG4WLN8SkqUvKHCq6YHJ3a3/v86+tamNLMv2+/kV
ee0PbXcID28/KmbiyiBsujAQAtvhnnuHSKQUZFsoGaVkTLnqv89+n30yUxiP
I9rtAum8zz77sfbahbrN2e9JIVz4FqWCd2Qn5A+EuPg2sU3WopQKBGsfocrM
10gTvFtoeRYBjrGMQNxTDdEHH8QEtdyRpJET6H8nCDBXgTwlMofI4xaH7e90
Iw+AMYlaLrgpti1+mQpq4t/qZEN1pqJsZakZ0KV4bFNKVBAGETwz9LkkdRTM
bnpO4rX2JXSDOhPmu87tT/jvYl67ppwYVanQqESm5ra/SRkru6nw5BLgcAlh
JcdEzj4Lab5d4uBR+J6rcaQ8JboTE4KCIlBFwZh6FXzIBSUZfa25xYT/xqWq
LsnlQeYuJ76klNRoDcfrlPD+wf1cEx8dzxL9C1Kah6eohxPu/S+5CRZVkD1m
zha4eUvM+NL2Z13JX743PoW90JUjpgSvzKnrLnI8WczXJzKexibVzlAqEBK4
2WjyfiQZ/1hijrFQlM4CgnsO0p1uAnOEdlwP8s3TU59UjkqZBCqNPHnHDPJU
aUTIn6yexgS8V0nvSFvIZCpkeoE9j533MEpm9Mo8QqFgelNWZKSKhJHcu8cJ
x+37UvdnaxBEROWwmZ2SL2PoQgoGqy0FKCL94OCox4d87rkXIG6NcluhXlsV
4yHUwY9BzacnXdAn09cj/YJ0HzfC+aKSXrK0F7HlnnQlt6FIHEnwv92ehi8k
O04ibrlWpIlgGeI9jrGdebBaiuS4bMlYCqHEk+jvaZdMD82tM2lJB8OmLYpt
yrnclZ4YPFdj66TUraMSsdwrtIXQ/RR17fZvTnAmhJQ6/fCTdmw/8Ym71xuC
2ERaDdT7WCtyL5Evz1L6Z0FfoY6RukdJlUN9nLrmJWfGQ67M8a24aNh31IgS
RBE99U2Cz0jHSdh7Yce0w4YqRwpLQutLddXmQe9/kWyQFU9eSJk7k8XxDbF5
M60SzSrVLGjcjvBg4tgBGTIgVOEjtCRnmCFVkPYHvcmC/vWXplMhMu6F3wWn
8jYUXbLrVK4KxVlyTLkuamQfjla9C8oqvo3TE+2O84MyJhWU2w5d1KSRWz5Z
NTx6qlLm8byuPKqNHTilMDp5fp1mkTEFuESDOh0MNWOBBeCKyoPxNMQL6NvE
ELsdyYbu5MBreJw4+SGs6JfDRAYjtTAdadfyOouW6bDrgenl9N29LGIk028W
Hv/OS6suOwzd4Wm6Hq3xj/7y2uWqxyFGPOInZxXhyREyQAEa0T+Dar+RJU8I
dBsXLxr9omXEg6ZPCNca5tYMJozHzL4av9OWvRQEsKq9nAQln6bhgO5Jb3zr
wWqOB0+7tuMgrX4NQnU5JdQRxTMZepuEmZOuu6tAtIRJfOU7+JRxdrHQOdrl
AqLG40BZ1/E7z9sZKQxNHKty0jYoTdlX6RVwH2PBl7R2Twj7HN+JCmmDqlkh
Za075m+F6WikL/ORT0+dnEz3bCB4ltuIh0HuCpUna4rkmOkV1ZD2kyAJ7wvP
tCM3kWB0moYvl732nkH2pMgPxMila60TwphuSeyege9OKT6Rximgc47upPZr
ISozQ2/cUfHIGby0gX6Zj65FeVpxv0WQiZGGHa1xR6vfm0QSJ5Fhial7wIcJ
AvfedMn3tmxNWkqsz2hzqk4kqHB1M8USi/Vq+/OX30+YnVYcVkdTVE2CShPj
NNDscmcw8MBcmfdUWVneZlY7kaSpwHem7Tc763iz/ZxMY00e/2RJNfFj7MRN
4sKkWbUEhD4ycpL0WRElhd1xTxJTTpEMNhv+qXeomEjW8ceTGw8EyNyUXZjk
ntcYEsE0jBYyP7FsI+vtrJIKOnxBhU+MrkNQ9Ss+mH+lwJg9xcON7iMwZhR/
2OCckvOIQ4zY9ARTJ+RQBpxU4x3e1nz8r2Xdqgnnb08/ZlyyZ4aUAnOaGiI5
xPIxejfsd7G0zJrg4PFSKANAWbvEmOl90KQtuveddYMervnAZ6UDjlVHvzZ6
UBDHFWvQzcZWTJ7wyY6HOKSPJ8N7iGngReRnVgSR8L2tgISRvcXQoJHlsi7k
dawl4fWnTbjy1UGbQN9PMiP04umjXHlPUAOpxLBKnGcP9JkreL8oqQoOkWb8
MY4tKS4WW3HUKC88V3RnJTp6+YTHZ2Hs0I3XkmS5U1U6fB/EACrF+KKLVIrf
ugwwThLCz3EudO7eBo4Z4LOHtuwD1ZqedYQUeuHXyy5ZZVvx066qu+SKSDhy
gFlxpY4Me6dQPP2m1jLYSyzq9NuxrF9q8Xwr0a3TcbFiqjGpaP5OWlOOWECP
JosJVWL52LVc+vHyVssFVnglIfpbM5/LIEaW790UATRbq+fSVTRMck30eSTO
GFUOER3cfBPKWuNz3mmtqbOpp0XUDnvbRPFv3zxxasKVLtlRnj7JIMfz25qy
7rRIplO0Anu+UkU1lgHIFKdsvmoHl8s5S15w38GBvBOYqDqW79nsgTfQ4NUE
PS8clQwmS/pUsuwS875zmhlnGSwSDDJyHhiIkbKWUqoIzRYwdsK5kvcaqrqD
W8rHEjn3kbyYKH9YadXHt1kUs5k0qAxbyR4k/p2/1aoVEwGPjkaWMVWYGUcp
NRVYHMCQgqlszU90FDB1GvZ1Xnd0tc7Zi1oJU34aQeytCqCXhaM62Pyv3e0X
rjRNaLF+mLriPb8JTL5rPyixW86ZTyaAae+nhVApNCBIeR3f5ZIggGx5UVA8
6O73OKeY0/ZLCxPDSfpWVtOksJLO6W9pLSqpcPdgVM4uXcxTxCNP2fG4NqwU
cX3RspbrEMxGErWrUY7KUOWdiF07kIrb7QXK+S1ubhcxh+aByu7IZ7bIL6dI
imbqEfqCTACEdTpXWGlBAQGtcm++vbzto8Toja/rVaZpvUmaX2r+9Fak0YZm
EzzNm9t8RmaVIAk60wadYnyKfsJSGaYMr6uwz++4Y8ydghBxYiSBRgvG0lRp
jhZoM5S+hC9BOUGWs2o5H3EApBqp38XD5UfVHKWt0qnhOMjQH3xHM57gEzFN
JdigMGlRWPEwk2s5Ik4+gckm+FiBDHENNBo0Qjluk0njiDSJU7nM3VxvKzQ4
v1E+Sc6TdhM1YiQt1KU5Q85lItyEFGZNe3b5XmRU14siH7M3QLRmH6Ll7953
Z4n5jaDpOqbAU10s+w0jdeld00plaESwctBcnhFmOmSS0AkHPLCamdJcCECa
1BajLGRjTppWPvSYYIdpa0y15OcXd5SxWvx1OuO8xb9lpfqqpOn5cipenMCU
ho1Ulsi4YYtoqG0icvgOOl81j+1SjhS9pwlvWYfMjrD+Bt+GuLD0PNzl9xR8
YZ9UM7uR85kpGS+wDJ4KO4yON2KgNNaIhB+CdMcmXfh4XEhT8QouKmFTc+Ry
rEfHs9Ssf5DM8gDkEz1uldYWlwI8rfFJuEDTCEBiEvMd0gsl90ZETTzWNfN7
wdyLb3jz7lbOUng/mSghpEQMJ5MFRmUYpKJcCpGp+84VSnFf9CHHwMa+eqiS
goxpTm+HXJ6SwseRp3d6cQtB5uv5acbKaGx3yC0zg4tBctuU2kgyxV57vVuT
5Uwyny01mnCMZj3bNXYeXFZIUYUJTeXZkVkRcAEET8WaQ3uSPQFXOu1AEpij
lJ3exz1eNxXFyXlOdU4yECOrpr5m6MFzREors3ZSPx5foeYqs5MB6/7A0FEy
0UYrP5jqEyqdetEIxC+eH51hETbWEpRakr8cGgyTLmc2XWTDUpk8Ut0ec1ed
0zsh7hC+o6DOSdXOjaslZYvl9SV2KOGtoyW+K5FgfhgbFgaQRcOKwqsxwVsD
V/cKdHkNfRnhqgWOiDZoiR7yZq1FA1lM5kWBrtLkCt3BwCjVIzzNSCnak1/8
eJqoPiEcLpoBQOfoz29ICCXqf+4tZqa5iPnZQcCa6NWn/O+85mJLVGWUCFjr
hTZA7yoeUBBC0xvBPuFgVTvuBa1Ypl8HCQfXEAkvfRu8SOQidEqF040WRAgr
Bpgc5Fqd46Lg1ZrKnARQI1OmkU3ChanuCchJwVVheEi+Jc+5S2nkV7Wp7icJ
yUkZTucDST2kwvEmvq15cZsLv4la9mRUMVjWRQM0rCRJrQ2ufsrqzbnA2OKu
CqRv160q05KX9CZ7Vj739Y/8h/Qsy57VYiyL9cxONd5qZwOxUQX3ArQ/fKba
YUGWhs/K8rnKu4c6jahyWYLGMYkrYcsmQ2AvfBqOjLvCMQI1XvChWhHbVsub
Dym+57qfvgCcROcdpYuAmtsFD834sEWvjK45huB81q6OuuGZQ5SHc4oJp6v0
IreXdTo3LDfjFdH89PQ+2v8XOvx//uyjR4iGttrH56cT1MfHX/L+PaUQjB6+
n2zhL/v7Uh0mYlmi14/SDHAbWTzjYUNCyQ7fKQWMmjvOPmSSQhcHRydUJe58
eHJ0AYbn4PDTYJ8dwR/33vNEBF3e4QYWhDHhkcU5IYLG4VeTs5YohdFL0XBQ
wRVtgJ7J5y5vpHi4lYQdy3UWUs45SBFuPHRTTHdP1cPYf7LIfH9glxudIs1P
w7EnkC4hCsJjU6KmdXNDlgFRdEntEcl8ELQfwvlqZPILHP29XF5dqXsWvlsK
K/Ptcn6L0fV0K91BlqueoKbdBctXZP8YrNRyfBm87vmhvY9MjrlaHqpCm+uP
KSpEqRinZht5BbvOMDP028FIrnqwOumr0EWzmN+qeFwjr8DUG/IvqUsvOKkZ
QykzBZIIK+V8OZspu2TzjeKFNsrh4GC11n2tPCYr3jAOjIgaJNYE8bEaoZG/
DXK0GnoosatMnT35iHPhTvzlfUjPRlzTtC0lsCaFxAjxYEXRC8sDjnCfdFCm
ds5jPUuubIrDSRbEHJjI9h1i5+R74Mx632M8YdIjtVPCDfNx3ISm0wcNo5Bp
Hz5yrA2w+uleXgvO5ITsm5Sdi6KpQidEudtUMZWuugLNljURFbqrLtYw+0o4
7dtUKM8wy/5Iv0KwKe9I53KF4XqcguBiM9hjfoUKO3JN+AVmc5aK3+GJxQt1
if4pPP+lw5sT7sgih5Wi0lGEtp/+XvsFYVPditMJDqKCe4j+IDYqCKNT8/XA
wC7CpMpJfAL9wDA3n0V3T3LRzCf0VoIrNQ1aJE8+8zgDGmBLs5EPUSIlbMYY
2++5sow0iqB8rXx1fvqgy6ZzDamCRSWhN05maZ5XFwKsgURaFMikg8sXoRv4
nN7ki9F1POGMEmAFQSmh4gq3yTgTtuPg2I6vfS2tKykWIMKvvp+NlE0WP9gC
yKmZFgSfmoY1jA1es2d0oHyPy5mY8RIgUIFHGxDp7ZWTwqIMUlCanC4P3ht4
deFeLjiZw+mABmpm8g6RXwtKceKhcff4awaGVeqaoNBfgK/eFdOpjDtKLLyC
YOvMZw27ihulbu+KeYzGpUhzeq0WltdCKJQbQYs35ppyAM09xSLnIRZruHfX
c9Ai2AvcS0+fV63c1Bj+Frxx4MbayI9qoZUwn8Nn+LUgygmIV1Ev6GmiZa6J
PpkoqWUX0rWCF9wQVxMWVe1BRNaOVOlVrcXj+0LDF4qPCffcPemVBy4kW4GI
rWFCShkHGcIZs966IErCQOYCs02JYWW66UzqWgU9XEUTwptAtEj6d2e3+OFF
UK+1MxOkLoPfZiQR4zei7STR/QTIH5Scs5eAqdNoMZFi0ZGL444EwHntDqaY
XrzGFFA9opf8ECEPnAr84+lktMaaDyHkXFYuRwVqAdDjHNPz5k1pfiEesk0p
wylJ8mU1v0JbH5d1UtzZ+6/6DQqMWqir66i5cG66s0lgFEgWyF8Qc9DZF6q+
CSsraxPElqip32VNGdF1SQyfqNYtomxhBSJaLKICo8/4v5fouBDLvYzLqq67
Gl9repUJUqv4ApI9UmQKEwKlAWk3SLuJEKZaT6KGycfVq5ZFtrJampSHBJVn
jBeMC1hmqyrQ8T1m8JZlVN2L9UEKiSJRO3HH50EgUnWqCTb8GlxUElkXq8WS
mjDvHanxSzVyjC2WfMzs49Ssk1jQ2oebLZIFq4MgEjgStwxdtqIxJtM4Zz3E
2nVO3CZsm6Qi1+Jndr5CMUvP906bKeppXLlxr4g6lI5Z6hpbPO5+udgWvnIh
FlJl0l52FTQBWI+5YaF1wzoBVvipRbnAm6ZEgHo4RLekS3RdTc0n1W4jn5m3
2MQtOf8iSa1NjKCf8CBM4YAgp0CDDoBUPeHkv8s5yNmF23IQtbxeleJNDp2G
k0wTruBM56q+tdoMMYgqxjzBYjmGe18vCvJrskvRk+LDK/KtBN2CJgRPIHyr
mteKVn6r0gHabcQHVHD8JdVD5KWz4LslKT1K50YjnBU5MNrDQwa7s/zVTFGn
kKVgyPsl7p6wItVeRbjnim+4g9inkyU+ndBAagkPBvNmZCYekeqNH1v1n7s9
jXT6QWtvxPGuogZoFtt44EVTTX9ckZlR8VIhe3kjOENvi95ezn2nQkRBAgAk
xZDO/BZhM+hfu6nQWOUQowvmdUZfe2L6MdU2koJEIzpcItZL6gBMBbMmo7qq
ONcZlrKoRwWDWPhhkifQdGR7v3KJIPSUFHOuBYbuE82QrjsTsEmsHEOsiTrL
5TmCnKKfH1+rrIVkNCb3rTgK1p4UCzd19l8huIrPrneSSoaBhiZ+diqYbprw
OXyNgmYB5O5tSkq+JEAxc7ut7Cg4AI0pHrFpX6gCvlxekV5uiYzNAGuYCjXr
jO/Hz+bnsxZihlPsPnC0mTH16ct3QCM5YRUVtEmfp6N1fl2OkCRcjDSY2RlR
s8CxDwvjix9MPT/w3tvI1UvhiabhQvBcyWxRVA55ncMqu0wjyN1ttXXygura
RWTfijwaeFLmX4txM/v+8RlWic+6mf9YzBZcWbYID2VUcU0ZpmP37Cae1WSu
F3ZmxELiYIz2ejIwAzLQIEotfC9JNhOWUUGXpWom+z4OZWk2DiVcrshZjvk6
q1cORobrO+uJPw/FI1sCYvj5QwGSfxXZTporXSlm3/eVuqz4TQqNREeKIjmR
d9E/OB8ML+B/Hw6P+1hg9WfsRF0PH2f8OX8ae4MaaxeSOVi9vccMRxz7mtgo
uHPLh0Q3bCz/wO4i+l6taFzQdWFMFWJuSE+dMZ8BcY7xG28AWr+IVtoiabNZ
O8R76oL5AqzGZGv7ovtQrk3DM8/RHHre8+CxDZJraKYUIz0GtGHvZY86EmmZ
+Z3ZmOmzsm0MEOThY6nFWC0UMZ30yUUVHFh4wPNHES6cb7RYDWyBJjw5ZDAv
HGWiePI3uSPPNM+fUL/2WU2NQiSNr5rDI0OW2xjlxP+iFK2I9BHnmSJ4g0sb
jEUoC6sK/JmEE4sSybsSJKmy3dT82eAV71IopdyHrFEeoj4YS37OTqm4Lnqh
CoOKI/TTSj2jpilr7/B0PGKT56FVELmDrAkmlfTmySfo+SWK6pCelQjpx6VO
AEIJ803V9N/LU+1ia3xaQpBTI9h97972kS9Oop8ta1yJCFRFKMAlFbsNCZze
wHqOQHhOqOel8a9J8mqkKKzjeXVxnZ5B6GyVtUB2d93pSJfsjjhdZRKQrVzq
rqi+pA8HGPzM10qNp4dklI07vTKkX64oim0Vv5XPpFnFLzONLUotV/8zgosc
WC7rqt+zsi53OQk+KZuiV67gY+6zgxJMEvk21GI3Xa1VvVWdLuSKcfnoTN9J
ojaWfqNliGmnoZhMkFcCdfjZmDWEzuE08zGEv7GidHq8tukCWRX2uD7N1aHS
ObV6VWg2MlVOuqEzbyUdUfbRGYjurNQ507y6yi5Qu1hg5FtYsejiKOS7nUon
KxLlVHC904f+pK44pPLUqoKrPqj2RSCUHm4jTa0r8d0Rb7W4VO0ywhI6/nJN
vVzxcqBn0MpCYDyHzoaVIbVrZjBbyrsrEYk6VXSA4oSZnS9bBbQ7NODAelRZ
pDqDOvATJTBV5Lu4TlJ1mcRXrMLVpppM0kbpKO5f7A0Pzw/3+kfSLU61UQEh
ZoJwACzFE6eLkS/s01zas6ud6E2aFZqYi6h1vstWLEpdGqpAB+3qN42Jl5zO
4ebc3OS6WX+M3hesX8qElaa32TSaHBtNO0EBLx1kJJ6QT+tB1x3SMTjqANHa
9lBvkSeSDib7rbY2mVMf08pcDJzFBLol6LcCsdLDIZ52MQ7jWX8Twvr3dfmz
tv5964D/vAlvsr6rNGrp5vGr6LXdlyQRJIDFxFFfnBS5audx57Gj7djRS9fR
0JeJuIYHaI2LDKd9sQOP16GlrphDGus+omjBPXHlGPqnhyiQl/OZriRs17S6
qmlcr+K43rpxEbg3nj03nF6koeiohcinDM86LwcLZRgYhnrIapN6BtT5Xuz8
wHW+l4DuVy774oEcPV176LkkBt4XElpToPO0rMVTpdk+q6fM18ITapJ0fpyy
6c8wjG3Okoihdihxa1hEGB1JGd8nV7tRFgORiCplVuGXJRD6rYArbROLqmDp
gTKShiRI7ovDYzAvj0HwDYbDkyEWMpGjsfGc9iT2Qf5rcr5x1V8pZaY5KI8w
XmPjm9Q4g5Moes4Ps7iqzQ9GrgRm42MHgwz5U//ocP/itL/3++D84v2gvz/w
I9/SkZNr3Vx1N/kUxSvJsqSdg2H/w4BdnrGRbWqEuIQspbbVwoePR+eHp0cD
P8uLk4ODs8H5mWtrh9r6YNWlvfWr1etxETxEzUSoWPfJ+u71j/cGR0eDfdfJ
ri6peanyOhbXku93v3aulZfUSovMr/nW2xtGnegLwWtyeHZ2ePwOdufL0Unf
jXBr3UaYKs9IRIH1ue6nVd7aHO+QtqY2B9RU8uys3KSPx4PjveGX0/PBita2
9p+zTJbV72yW8uRnJHfcXPtf3g4u9k6Gw4/U/IfBh5Phl9jyzuu0ZSNKZbB6
rHZNEReloOBKWM56a65JlDbNU8uHoPUkr1wbbbEp05rt8rFYYd/8tPV3J/3P
/S/NNl9Rm/y7x7b0+fB4/+TzxcdTaKs5yC1e7OQjj21XnPLNFvvUYuqx/2lb
p/3z952ruM2nNv7+sS2CnGsuHs811pf9aRufBsMz3LjjwbuT80OWVCxAXas8
30/FnDLZZsVVhRFcUlrNgFw9749vj+A/8fC1Gr7kmYs9BZrMA+3tD+i24gAP
+odHH4cD19DIPxy5c+KNC7qbyOsj7cit725nvKodueOuHXlmMK3gqD9851sp
mhKNU3vgpn/9kH8/pZ+dlX/Y83g6gBfx3QmKRzr11tKGk40FRy6vKLqZ3+X3
L7IPWrUtFmJkvqEV0vLQid2NjVSkw+/uqCorPd+tTRwensDj4Ia2pd+3/NmO
r68g37ExyHuPEFsPs9CEPqnhlTbV/wS71n8Lr2urve1RulxaomGhHUTXQKQ3
4h2QQzo48+dzYyuV07d8UEnriBSdiXev63K5Bll9OBQdyZ7Lb3y1mt9nFSbd
tviev+dywQjwSKJQlFZYZZN8HrPzEfchZV+THvTag4yDH3x0h3iDZfsxX/ZL
ylAQTiOXaMmUGlHRvs7HpgFyneR4e08+nML6nnVevI1XD1zg6oZqSSirjjZ5
PDj/fDL8HZYHNa3DD4OTj37vXttCOYUYfWGM8pVSY6BhzAqwFedfDTui7b/v
H++fve//3tH49tbDjXv8NS5/XCCGMBE/uAkk1LBBP3o3BPGLImB/H9fJTSV/
QCoRuhg9kTfllVb2Ho9xvYp6VQ+nJ0M3mZ3dX2ue7CEqWqPNfzg9/6IyhrXm
45ML9MJEacE3/XNCxuq/weY7mimau4sUfgSxZr547ewxyV2x28tUIESwtEf1
9zSFQ9h8LW+hq8uzwfH5yu4maXdikP9vu0q1G3f61lfMyplf3RnPrOxHde3w
FM7CSWIwbBVdR9tobw9PYf+rKRm95F7loBgXX2zKwSj+P56fncN1wsNHC8iP
pxfd26u6NeHtUql5ZbXQx0O92Qlp97jzSz3aIjd69cpv2/zajuKaHApdS+or
HVOTb/tmxII6eHYxRI01NsmCeb+kGJA4KiRKi2YCFhlRvYOJFJwh7t+5M9h7
UMpMzLkuXj/chS2Qb45qVzkiA9sWFp5ncIxBwe1WBLbzR3aIIhZ3xScg1d16
wvD8xPWww7vNXh2T0+JS0NbhK3WHmng0+DTA24gGHWy1szdHqgPxct/ljl/Y
/JF3c6S9UgXSgPfPyhfFC/TVCvIq43QRJpdWi5I8eHec6vHiuQytS2cH8/pD
/3zvvbvIL+XoJSoKCohqyvL3W4dCL1lvWACYa8PYoGCAi/zmlnPBYG6mSpzq
i3WxB2fpnT/+OyypQGjIm2R1IHBrU6EhMFBpVZskCdjv1tZ3xBfFyq/2QPJP
yIlA2yvayig/Ue/6p/58sOav+fMKjpzba4E80Bg6ulqCGoUQ9sqnJ0lR3BEm
B1GyPKxWzD60A4aEFq3hnLFSdHYBczwbDD95p9XuetPdJoERvRxCPHqNtEb5
d4fcqgsNAyJxhoDEsrNitCRlHV/YU5hdPrpvJQdiIAuE/AS6QUuyv1jA8eaC
1vTPRv7p2fnvUdGU8VhlOCTTyRWe485BNQuWmu9TmLA1CetZZzf5fc+quC6R
yLCX1ThAASJgfEvbfcatIlgLlcblDWMhVSNCeKDUqV1Y2OK5FFHWOtF5WF8b
np+308t1duKH+1bCL2+QoqFAeFdz2DR/GmcdzCJ39AfzGJJ11ff4x0jsUS24
yjKMfzzHhLrYZyhnqgqfWyYnRjysfCBGiK8ErE09Yn4AjUzLjRE0HZkHZ8K6
TEwgjsg2KWzHphSyZ+TIPC0ST0ogiddaaLmRPHK2xp0FRLLmYCFKuiVfVQLU
Ce2mc1aYxJR0CuYmZi5BYkkMkXSa4Exa6Y66ytKubBs40u++aVH6IGcKpsQB
SLcBdcGHu0FzzZaWRwqQcEbwXuASNo3ArSBT8kusDj1+oeWciQQo7pFtgBsB
s1gxsJo3p1E0kNjLnB6UUYqlRAIaj42xD9nHNaEyGUQQ7Hc5ac7jWuwCqzov
/AxrNUqUIvta3JtXWAOOWA1gHCu4FMQCOuOsoiTwayvKYIxaQ0gRydPuTdJj
yapvVlNUtKoJFrHDmEkzEBbpsmhOwTpF4kXLGbVzxNmx1YJfRJJF/P3QGFTH
Vy4jz51FY1f1rvXreOpRcCjEAKT5tJrDIrFc5mRu6bOWWJJkJBKhZ/zCjx9n
YF4cnQwPz/76K1swXulrUdxyIp4DdVhmP967KChj+TJMNOEV5R9Fbk+VQERv
WruB8UUovsN0ie9MsmDzRk36y3tdImMwx4SX5U2IhEtqqafIK8HGcyH4WAGi
nJlhb0ceubdEEbLMAs4/405qhWf2MrB6x1wzXovEdZhW6PgKRtugv1tE4Puc
0BoVvmWzJeabsOPEPwsMuSOSAnyCSI1v6u/ZuECCJT7mDYI/L/HV7xD3XrbB
IGPBlY5buNwaRzcv5Of+scLzTPpEj7FC8u2QkNTbITKki3v3S1NINJmqh0lS
xKWPMNzFvJRvyyMru8+h2Am9NQVpryk6xzWK95Ne9NieTHJazK4wj2MilTUc
ciFtAqy+e+2gha+f51eRZZGpqHPQLW5Q0bA72RdKHzicSBPeAG3Dv7gKAR2s
ibQYMf7G7S7aJG5XpAVhbQEUUoRzwLuC7WBimMaHDPhK6LWuYQR+FPnu+ox8
epSJEqLByubwbPPLEjZjHsddB31euCEKJRPuNkqmLD416DuYdN8i4mNlKDZd
aE1G46l5oDyNURHWko+G4Kg1ScqUxaAkRsuJ9bnOxtwuSkB+dYVM+QqFFIZ7
vKmwbtFvbCOBqQXXIe2fELnek7BD0jDG1CwWRMYfyWkpUSCyFuQU7Z5OA+qR
xPyAVt9cuMHi574tpzOBf6Xs1ZP0SLKa92sSQ8XxqlaDKY8f3LesYE9d1iyZ
UQYT0isuzYKzTW8IV06Vm/mu26VpMqn3YtokeZcLEJY1IRYs3493jBJLw3gZ
s7Jcq/BEYVMYE6kI8HlzKSyqzdIctn/e0um6vLitdGem1cJR3UAvxffrXIpu
SB3qmQefqWnQ2aiQb91qZWXYnhGbSMpBJlI55QUl6A3R/iE21ufInn1B/FtV
MUOOvL8lJc2+wNrmc3zp7mN5C748vgSoEIiV/Lm8piydXFlw01LDwe4kHesa
/53Hcsz5vMhiyme+kIJlKAHnoOAju6VDrQZ2PCO4hqWcHIyEfEzeYZeU68uz
SNFSNcjTVAyQQkkRLpo1jyVtFFPvpF5vqxws1x2xWnVWRBZ3I1VvrbKsMj9s
skNfCpFuwBWcTkuT9jWttSj9BmpKgPYiVOODK4VgbNw1v8wOE2VlY3T8wh7U
rvLywFaPXK2av1hr5/qD2b+W6BopySvCCdWSka7iXsD+QtndeClivrvKlyji
mcyFcHpKeISl1O7UpOMWW4LVQe9qyW3VrQ7+OnlKY3KOHPaP+13OEJKj5wYF
O7U42LC4AsE0x5I+ZT7L1zqK49SYKozt/r//PHvfPzpCRejfyJgaj4vx/6cM
TGkElbYnq/qqn3CFeDiV/Bnl1H6SYRI4x6XxZDzUgnV1heKZNLSN3bVL9EGK
Ac+gOPwPtAZrWMgFO/rRuUA/d+YVt8InLXpVbivM5yN03icBMYldH1zVBHl1
55SfhcBL3KL175Miewa/ui6+50i8DILqObOE15h1AF1hlj02dZZknwz1ylDn
sB8//s/wYG9nc3OXDmtjHL56A3Q5IU68uYdekmcMfvuxLtK2QpA9l+PVJqCx
6vJUZqJ+EwL1Dv/PYQCt08zODbkOPD26B8/mSQeW7i1UEYxRpXcvo/WaTDAF
KJ7JY/h/6qwvkvZmViAZ3ygmAutnEc3sl1G+lrBF5xL0nibB82TxtV2N97KA
qhRFjzdwvnhWP0d/M5dAYuRy0ghFkWqtHYXh/xJL1IzwJSwl/fm6cI1R4jrG
J0FLsdT1yzJnrja0rGsGPH9jbcMvakzdvRcO+mVNlGAT2PdqWi1Zb8iFRxos
ivkNukWeEVElLA6uBtgW1wWh39BBB8r4lM0p/up8dF2iPb9k99l4eYkSUrO1
tHqQaMq1lRmxG0rUbNdowoNl+eMHi5fbNcqAonP4J5/qLPszSzc/sz9/Zukt
6f7zZ/jzzRr/sX+0/qz+TfIpGJUc0D91jhdgWV6wmL0g2+bPx1QRy6ypjUZT
1IZN8Jea2uweVTn+9aa2sKnxtLiQgFSyoL/W1DZ8YTFfzpAG9CKqDjSsX2xq
B76AE2MP0kVd/lH88qh+vMmeJqcNbOXFtPj3J4dyZle+L9kA2YCK+gk8eQFO
A2jrqEw/Zcgt0gRRUgxl7GjCPDKXYx6C+fKTA0vo1+E9aN3vc9CUFqhQ/QPG
lh3egyWfg45wiETyd6AosAu/P72v6zz7XE6/vmj0hFxCV2yvsxjIpyhVr8uZ
cI7F/It5fufJsslCr24CgUTgqftHeZMNq/orfvPHj0F/ePRlbX9wdvjuGB+b
QyR1vL3OL1k2sNVubmFbB4TBCzBn7XBwfsDLCmOg6i4gIN9VFbpOQA68yd7O
wYrK9u6hnX/AktzcZ/vVfAIqT49WJ6xanYNiDLLod5SRs+pbL9sDQYaFKn6f
g6Qawaer7PfltPzay/pj5MzJ0Vtz3wtuhtBDdXlZgiJ+DS9yLzvLF/dYH/W6
+HqNXexdY6EU+O+SNiOTzRjmMLrsvIDTvCh74VOJDCsgseoS6RGhP9ApZmWV
wS8wQb0HxwiW5mv2Gek0YB5uI3vZPm7V52qOY8sOYL5fchSz+9DDP6/1n/Da
Zv8siyvhMMv6qVNYnjpK5M1nX9kuEQxQ493G1ItiekvWwHV+29wjeqKgwWhY
v4FVQB/bW/j3H8W0ByYyfDEbTMobXHVYQHizquy0qGhmIODzEpTHcjyuRte9
cAb/gLUE3eRT+a/8Pv8KbV3PcqH17qN/k9almE9BBXzRJAVjHMEMrjF5Vm7g
h8RKSSG5bxgQWVJdA1JoUFVfxvzAIIi2alaYww00qdH/LYvF5EU1Zy5fuhlr
9HOk5Lsplzf0uxvQB4jFH5/uF9nJkqoq4uKi4jCdsla9xzn4R9VVCP+R/f3v
oExlgzGSA/+tzo6rRfHm73/PTilKmCExwjfNLxbnnjEZ8FjN1M+hNYbMaxxb
hYguDfIW1fWS6adul6BIEbkVqH5sAPAhwNFHCogpK9NIfFGhaLqVynPMLDPP
J4s1XBtaDafvr2+CyJO42h+m1ukzr4kxDGWXekaT8jvBqti9+ezp5u7LXvZ0
++Xmc2iJ81rYnlHc7XELdyvWNbFojrGJV9vQxOZr+nt7A/7e2N7CPCBodvu5
DHB3mzT+g+NPaxs5bNMVojevbzT7Wnzmi+KK4sQumQcmtZzFMEVmg3j2dIPH
/mqd/saOdzZeYofDgqRmYyEwza52/AzXQq3hXLpsY4uJ+Qwa3eR5bG9iF6+3
sPHjivy4NcISeClg7Jdwm8im94N1Q93hFjZfYwt7K/KFCNh/59yw6ziGnV2e
Ep3RNvePFP1SlXhVLhJs0/Yr2mlqTnd3Q1OhOC/q/OjsN3En6PGmUhSEIsbq
4cQrbFYXoUea2U442w3qJHXmSpEpODPLESZZRLYXzj1hNzkv1haOdGudGiFr
kJxpxl9NSbGoTCySGmfsS2bPgfJMMtVfhgu5DduXZWsNTL6zNo1+qKOUGe3E
OjegEHz+KgUUMATa1S5+a5u/JZfLQNEXx4PBvgH58YM7ON9+djz4nKDl9CP1
8hZvfYKrEXykYAVQJQTZ+DW/BBG5uKdpb27x2d2gv2lfohrlKu3i4WEAAscw
JReG5HluSN6ESgL2eZPn1tcYO1wAbsTKz0fHEmU+14JLr2tzHsHUN3foaNLt
GHy/zSn5u1bUSEpWR1tJV357m/6m726/eh4eJzM3gkm6sRirnIwYcwmvCeNM
Pa2TOMObs7W78dx904BM9GJzdRE+f0wXQXY4rVHzu5kZ/XrHJO2KXDFXEh97
kgCkQNht4D5uvnylErUh3eQ+oTUHw4Dn8g8Szlu4OpuvWHLl87nIvPRLaNEy
3JAEo+wYOwaekpDdfLVLMv41TmaTpfsWSia3IqOViChYBRz8xgau48bmOk1k
x63IoutE0nuFBYiK72Cu1tzQ9mtqgp6rs72Pp7Tmeyen58k3qZSoHkCGpuIK
7tIgXj7yDki6Iy6EeGLpMjDVGNvbNfJFwlqAOZNjvpRsJPS1uav7pMAKYSdI
XptaCXJZpWBiZxoqLTRNVs6Oa6qAtsS/uZe8XaRxJDsrx1B85MJeDwNe/bpj
71tbtNl0dLa3k03OTXdQ8ARqHuqM0TPpXgX+VCxJybWjUDLt0lZu0aZs0b93
SV0Apfw6+3D+EYGZXIwLP4x3fWN9t3n6f9ZT5P+dlMK4IeFhQePgSLa2XtEk
D+ghbxeZ7yKQILgDRtIJ09bfR9wvitvXG/xcOwiNIz2UKIsS23uFyqOMcEyk
0Gxtb8TXX6FqJ6cXn/uHiKm3x2OXFma/mv0t8iK2S4ERfCLqLhMm+Fp4QAB0
vE4iZm8KSnzMx3dzYO5Fx8lmhTqSunpS8ZdKi2foJoODtUOy5DWvNiclK39V
5lwCtCU78fX3Kcn0Uk/AuFRVHT/NeqZsHw5EELwJZ8YdYdZaaYNlRI+QMvva
nfeO5HIuuogDZOmX7LQxbUtWNPrgYm3duTLTxeT19KjBOqGJASZDo3IF3y7P
H22Ehww6qfnEOE1RhsJvjauayYHCmxxp8WlPXpLe/oqUrRM81PLNjUgJsYpx
ea2DPR6WcJ1240ybGTG2Rd2jHvexKkqEjWzQsDZT5feBjkGrmC5r1YNJYTQN
AzWO20W28ZxVom1WqWNiqrKk/GxqG7v0ju3Sc5qUthXeSyJKUuBpUjxDmQJn
zNSgNCyg1FwTbpcqSDCjtgUVYU9f8l35QNefVeQ1T8ksAt4i8/l84SLbZMrD
5caRv6JXlx6//ngswkQ0RTJ087H5+00YbOzw17wN4phauH45kn9mt9fznAhe
4YxJGi1qH7heW6zZyk+tXKFS88nO64uFvHTIe2r07nS2t2ngnsdgkjIdsB7Q
uNssru6oipYCBmL1HTkMr5MHzhILcy2oSEQlpSyUhk66KFRguda3WTVa33qs
OrrOQuR2mqNVtH9IMPuDwz1Gnx+fHO8NOBuJXAW/D75cnL7vn/HP3LCjMmr2
L2bKUSU9I91SAhSqUYgPxzS/x6JafmEtDgcbwHVRSeJiiEAxXnSAMZ+smqHQ
WqOA1WWJ2QbjMp9ZVYAk6FS31+NaHIjNNdEFFV29P65upVbpJR0xzM9rLui0
xnEQcfpY/bv/VpDDpyZnix37jnirPiV20bzvmC9RE+xZUbYCkrzAzP4HzRA8
h686AgA=

-->

</rfc>

