IETF Logo Mail Archive

Re: Request for NAS-Port-Type Allocation

Alan DeKok <aland@deployingradius.com> Fri, 01 August 2008 08:40 UTC

Return-Path: <owner-radiusext@ops.ietf.org>
X-Original-To: ietfarch-radext-archive-IeZ9sae2@core3.amsl.com
Delivered-To: ietfarch-radext-archive-IeZ9sae2@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D00A528C0F2 for <ietfarch-radext-archive-IeZ9sae2@core3.amsl.com>; Fri, 1 Aug 2008 01:40:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.237
X-Spam-Level:
X-Spam-Status: No, score=-1.237 tagged_above=-999 required=5 tests=[AWL=-0.742, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5R-8osaFikU8 for <ietfarch-radext-archive-IeZ9sae2@core3.amsl.com>; Fri, 1 Aug 2008 01:40:05 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id D95473A6AFA for <radext-archive-IeZ9sae2@lists.ietf.org>; Fri, 1 Aug 2008 01:39:50 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-radiusext@ops.ietf.org>) id 1KOq6z-000Gjn-Oc for radiusext-data@psg.com; Fri, 01 Aug 2008 08:35:45 +0000
Received: from [88.191.76.128] (helo=liberty.deployingradius.com) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from <aland@deployingradius.com>) id 1KOq6w-000GjH-7G for radiusext@ops.ietf.org; Fri, 01 Aug 2008 08:35:43 +0000
Received: from [130.129.21.106] (unknown [130.129.21.106]) by liberty.deployingradius.com (Postfix) with ESMTPSA id 0453512342B3; Fri, 1 Aug 2008 10:35:40 +0200 (CEST)
Message-ID: <4892CAB6.1040200@deployingradius.com>
Date: Fri, 01 Aug 2008 10:35:02 +0200
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.14 (X11/20080502)
MIME-Version: 1.0
To: Bernard Aboba <aboba@internaut.com>
CC: radiusext@ops.ietf.org
Subject: Re: Request for NAS-Port-Type Allocation
References: <Pine.LNX.4.64.0808010108130.3452@internaut.com>
In-Reply-To: <Pine.LNX.4.64.0808010108130.3452@internaut.com>
X-Enigmail-Version: 0.95.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Sender: owner-radiusext@ops.ietf.org
Precedence: bulk
List-ID: <radiusext.ops.ietf.org>

Bernard Aboba wrote:
> Are there any objections to granting the allocation as requested below?

  It looks fine to me.

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>



Envelope-to: radiusext-data@psg.com
Delivery-date: Wed, 30 Jul 2008 13:19:03 +0000
Date: Wed, 30 Jul 2008 06:17:37 -0700 (PDT)
From: Bernard Aboba <aboba@internaut.com>
To: radiusext@ops.ietf.org
Subject: Request for Minutes, Slides
Message-ID: <Pine.LNX.4.64.0807300616220.12311@internaut.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

If you took minutes at the RADEXT WG meeting at IETF 72, please send them 
to me (Bernard_Aboba@hotmail.com) and/or Dave Nelson. 

Also, if you presented and did not send slides, please do so. 

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Wed, 30 Jul 2008 11:32:23 +0000
Message-ID: <20080730133041.loire3nc0kkgo0c0@webmail.restena.lu>
Date: Wed, 30 Jul 2008 13:30:41 +0200
From: stefan.winter@restena.lu
To: radiusext@ops.ietf.org
Subject: RadSec slides
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=_43n2rxr3njeo"
Content-Transfer-Encoding: 7bit
User-Agent: Internet Messaging Program (IMP) H3 (4.1.4)

This message is in MIME format.

--=_43n2rxr3njeo
Content-Type: text/plain;
	charset=ISO-8859-1;
	DelSp="Yes";
	format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

Hi,

we had some problems shipping the slides, so they are now attached to  
this mail.

Have fun,

Stefan

--=_43n2rxr3njeo
Content-Type: application/pdf;
	name="ietf-72-radext-radsec.pdf"
Content-Disposition: attachment;
	filename="ietf-72-radext-radsec.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQKJcOkw7zDtsOfCjIgMCBvYmoKPDwvTGVuZ3RoIDMgMCBSL0ZpbHRlci9GbGF0ZURl
Y29kZT4+CnN0cmVhbQp4nIVSS2scMQy++1foHBiv5LdhMDT7KA30kGYgh9BTk7Qsuy3dS/5+P3lm
twmUZow/yxrp08tshV7Mb2IaGGJ2ijEonp7o/op+GiFdp+/GJ4bd0SgesGGGEy6vJD1nuwP9MM9X
nVoX/K8nkzlZT8k6mh5ptQMxpOeRpU17s53MrWFbiG2s+OD15SMIxAa9veB+g72nbFMSV+mzkYBE
Qw7IqovRRSBS4Wjr5XYH3v/TVERF6RE8s2u/zJ5vM0IdoIpFlViVbUb5WdNwHvjtaFafjoE2v0iD
opFc1d+nklw/OZelG9GpWxHg0g6v7XgY2bVBRvYc2pBGjm3wI6c2xJFzl0vH2tzIH7rpNa9505Xb
jrv2dbqZO/pOEr4P+59ZVKUWbn4UWQKqwqksvmOYdVxmiwXjm+iv5u+YMXsXig3nYKH0YJKaltEG
lLRGXZI770YVUriKl16u/lvMdm0IanGJdXmpMWVypWCaQUKXDqSS7vmd/pXmv2eP5dXe0h8om6TM
CmVuZHN0cmVhbQplbmRvYmoKCjMgMCBvYmoKMzg1CmVuZG9iagoKNCAwIG9iago8PC9UeXBlL1hP
YmplY3QvU3VidHlwZS9JbWFnZS9XaWR0aCAyNDAgL0hlaWdodCAxMzYgL0JpdHNQZXJDb21wb25l
bnQgOCAvQ29sb3JTcGFjZS9EZXZpY2VSR0IvRmlsdGVyL0RDVERlY29kZS9MZW5ndGggODIwMj4+
CnN0cmVhbQr/2P/gABBKRklGAAEBAAABAAEAAP/bAEMAAwICAwICAwMDAwQDAwQFCAUFBAQFCgcH
BggMCgwMCwoLCw0OEhANDhEOCwsQFhARExQVFRUMDxcYFhQYEhQVFP/bAEMBAwQEBQQFCQUFCRQN
Cw0UFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFP/CABEI
AIgA8AMBIgACEQEDEQH/xAAcAAACAwEBAQEAAAAAAAAAAAADBAIFBgABBwj/xAAZAQADAQEBAAAA
AAAAAAAAAAAAAQIDBAX/2gAMAwEAAhADEAAAAfikpeeh4/E8ecQTOyKvg0NUpM0SoRIIIwlCaH4c
o0IWxRUcrBdUKLJAQ8sggnNiCYCSkC7MjA5xWtuWMYOkxiczhUFhEKry0gVVxtJp1MrCYVblgAXi
oFyowiCNmArkVPLgbaRnZLIaXnOoQ58k3de2L23DST1pUsiTYup4Xvock/m/u1paijTvLJmXNKhK
LVTFHQIRQrUHThOkfYRTmVaYjFSiF4JCVQw+qIWp0uaPrw7i9xOvyvQ6OH1Dm9Khessnl2lqRCqM
r8k+vW+3F+cF3xdfn1IbJNaJgdhOlfzYloqCwCqT8ZDNcI0Rh73yaLd5+yqNLYis9vPlpqzSyvsW
sym14Pfz9ynTzposS1rGfIkt7jax+VUH1nE9nj5BfbY3SKyGwxs7Snoc0mEGux5fi+ryc6Q90NIC
UWQzQ3VHB6Z6oPv595cUFu8fqv3X8i/ZuL1/qibUsPRzdFsviLzjsUn9eJf4v9SoNOej+a6bNb8/
0D5a2yaGoNmy8/Pl2irY6foPyqz8m/oPzd6bilBYoLSDabidm+1Lfh9sUzvLTEpLGUZxOWXTX7bK
lc72nzbJLSyVdebNIUFzTBfRW7z+egKyrhQWjrVDIdyIBHC9ZaCnWlM7KNrmxy1xryaBqnsa5xes
pA4WvgDIowBhqp8T0NPEwqpdmtNZzS8m3K5uTdZ6RONjQCQfns105CAObcPVtJzse68nLfu05rJr
urCsB3DmDuVLS7i5z7iV63unRfzuW3jHcgiXc5VH3TtL3uTgv3Jjb7pv/8QAKxAAAQQCAgIBAwQC
AwAAAAAAAQACAwQREgUTBiEQFCIxIyQyNCBBBxUz/9oACAEBAAEFAvloLj/5hwQjTnLC0WoC9fBR
wtP8WjKcF+Pn+a/CLcrCrj9xj0mtyfUTfyhHqHgldayvyiiFhapoKZDl/Ts5lJwEzAm6Bb6nf3nK
/TXU0rqc1EbCP0Xs0NX+wW4WuUGiNMDd2x6DUvJaGhrR29ZWi611rqXUtUK5kREQbFK6QviJd0MC
6o1qCeslSRELXCEhaq+kjpISxznlxr/2dEI+tv8AIsZoA0vOMLRaLqRiXUVphFuVHEXHRkakeSnv
bs6VxQU3o/6b7DfREz1sx6MBCgOCHnPU2RRxfrxRJzNzHWwutzj1YQhXSutdRQiTwiwktgUjhEx1
lH2iij6J9oLZA/GclshYmazBw0TpFSm2suLCoIA5CsJGClq1vHbJnFl6HCko8IVLxEjFLXMaEOTJ
QEEU1n28lxKPwVj0PwfnK/C2TJy0MmwWxtcK7cWozhRSMEdXBMbd1DXVPj32jDwcLB/1dbFnhhiP
i4oR5F5RTiimsvnTwuoYc0ZLQiwJzML/AGxo7HM+7Hz+f8GvLTD90zB1iN2DFNquOl2NGv8AWTRR
NhY97Y22vKuPruPIc5ySm8YsSwVeBntO8j5Ph+Dpx/xewJ8aIRCwizKI9key1ELCCcP8Krj3ZyYT
iOFhLaT9D4yzaGWF0iPA0nuhgjrtnsxVWWfMqofc5fkrUlfwaDk4+S4z6C0QYwU9uUfXxlGPcyM1
KIRCwiPXzVP62kDZBHVAoXoq0cXKw48UtNs0FNJbUlDkrRj8RobwVoareUhoR3eU8gnsxt4Sw4Sw
MeJfHZ+o+k3x2zM2Ruro/Grj62yt+O2qjNlN43yMV7fKq8Jcu8ePaI+af9poOThRKH8eH8m2nf8A
iWz1KS9yD1cr8m6DjuLEzhRjZHa5Z1YdEjFa8nru49jg5VfL4ePgdmxY+sMfBiL1znlNTmKwzit/
yDNV5eJuVW80PGNldG6y/wCagP1LJnFRuUbtTA/44Dy5rogQ4K7fr8dDy3Oyc/YoubCySz6mlZIb
MTVeqgot1MmCowFAWqejHILNXDzAV9PldRah7XSCpY8EtWqqH9zGPtYmJjlC7ZTRh4r3L/HqXyTm
yP17k1HWJptgCa65OtOKdcIEz+xSRKVqZJgtlTbZzYm3d2hNkCGpDoQtFI3KezCKrH9ya5DWsWmE
PSik1QlytkfwHhqFnCFkgl2zXFSPRl1T5MqROYgS1duFvlH2iE2UtQnXcFuiiAoIx9QyfYRuCaAu
sPRaWISIPXanPQk97+4rGpkOwkynIyYXYs5Thhrh8bfBHxthbrtXYq5/csdhsOxjjk2QcWu/mnNI
QdhB/wBz/YaDrlbYUcxaiewSBPX4XZhb7Is3MkZYXLK2+Ho/NU/uWn7Y3fayTCjlwmS4Thu1zCPj
b052q7EJMrZbJ5ynrK/Ca722VH7k5iI+OzVbZTmot+Kn9r//xAAkEQACAQMEAgIDAAAAAAAAAAAA
ARECAxIQICExE0EEUSIyQv/aAAgBAwEBPwEbJgnZJmkTJJJK0kkmCSTIzMjKRUikg5Rl9nTFUiTk
hmFQ5QhKSlRtgxaOGMofotWsuWY0odK7SLtp3PymCYExMkT2NDFH2Wv0WnI0v6LtGD4IaIfsdLRD
XZDWxrT4t1NYvSpwTJdqzUDrdShjuPGDys8mXY7kjuemJ6OqRicC+RUjzN9mcmT0RjIqR0fRDKXB
kVUbY0RAuDvWCCoqWyNKdGhCIE9P/8QAIBEAAgICAgIDAAAAAAAAAAAAAAECERAgEiEwMQNBcf/a
AAgBAgEBPwHeiisUVitaKK2rDWLRyRzQmn4LLzJEpHZZCSj1rWixKyXvP4Rnfsuzossvb5I/eFiH
Qkl6FFJlJHGhRoUR6NHBHA40JZssvLQn5bLELZ+D/8QAPBAAAQMBBQQHBgQFBQAAAAAAAQACAxEE
EBIhMRMgQVEiMFJhcoGRBSMyQnGhFCSx4TNAYoLRNEOTosH/2gAIAQEABj8C3KDW6pWWm5+y1+y+
UrMUWWfVd91RdF4hud91Xel2ay3ua7Kp91iOfcuytCVkwLNrfRfA1Ztp9F0X+RWird3KLxC/XNHH
0sjpz4Kp1u5lNx5trn1GWTRqSqCjiiHVpyCOjfqVnIPILKT7L41kQfosxdktKORIVCo/ELqnW7Ef
K6g9eoyWfSPJe8OED5f2XRHmV8S793X1WYwlVGYXJZrkVEeIcFiN2I3UHndnvVOQ5rsD7o4RTv47
ld/VcjcCowe0FRtfO4moFPl5r63G/RZi7G/XlyXR15r67p6iizzCNCovEFSqw1OOoWei53UY3o8X
FdMl59FTZ08yiYsz2XLbW6KzRRjg8YijZ7FZ2Z/Pgp6Krzc7Ec+F2m4MXw8UaadTGa/MFXjwuoqF
NjGnHuCDGCjQi5xDWjUlYI5Da5exZxiVLLYm2GM/7loPS9P2T5J7W60WnUDh9EDDZYGjjLOyo+6N
ndZrNaLYW4dmyJuvM8v5KHxAXOFBqDXii+hLW6nkgaZKSX+1fxnx+CixSxm0O5zvL/1WGKNsbeTB
RY5pGRN5vNFs7HHJbpeUYyRhlcLB/SK1/wAoyC2DvIjOvmpYWvErWGmMcU8UGYpvNpxVOpZ4gmgT
OLOLsGn3Q/Mv/wCL90WOi2meq/0wUlBhpJp5C73MEf1lkp+gK957RbZ2dmzRf+lbSfa2yTtWiQlY
YYmRN5MbRG0WycaACEarYWFn4aDSo+I/4UbfdY5G4msMrQ4+Sqo5dpZ42yDE0SztYSPMohQuxWaP
bjExstoY1zuGhKLTqDRfiBJY9jWmM2uOgPLVUVZpLLEcGPA+0sD6a6VustkdZ8MtqFYanou87rRb
oYMVmg+N1d2LxBZgoEODq8BwvNneaMnFAT2uF9BHJIeTWqkHs6n9U8rR+lU+a3e0WWSBozZZG5n+
4ovNTXi7MrRNoyrRHs8qYh3go6071DYrRZ7SWsZgdspQ0O/6ruVkYYLU7YgDC2cYHerVJJhw43F2
HkprBsjWSds2OvIEXNinstqq1gwhs4wBwFAaYbtu6z7exdAizSGuBzWBuJp4HL73WGGzez4DZrO3
C4SVLn1+PPvUjoWmOEuJaxxrhHLci8QRq6t1Lu9Mg9ou2UmjZzo/68lUGoPEXGW0ytiYOLk1sbTH
ZGHIHV3eVTS7NGiJ3KOCqzI7ud2l8XiCO7RflbVLGOTXZeip+OeB3ALaWmV8z+1I6qyWt2ea1uru
ao116mLxBfCR5dTkVqsQ0/ko/EEN+m53Krd7v6uLxBBGT5AcNbiOOlx3C/5QaHcJpoKm/VZXBo1R
ByI6mLxjcpdktFosz1Nesh8YX//EACYQAQACAgIBBAMAAwEAAAAAAAEAESExQVFhEHGBoZGx8MHR
4fH/2gAIAQEAAT8hDiBXpSAjWwhFzMOkjuMIE8QbueF8sfI+IU6TZ4+mC1I5beDxElehmWIo1LgL
l04xP47gr8wD+Y9Nf9WZyXnr0WomgbzKh8w6hnMwzhGmBUR2g9BvGE4qnTKarja4zNQsOBcDlrvy
/U7T8tQOG+9szhkDi8EzaR+Ue+QW24dktgZN1A9niMClLUQ/1ZnauZKNy1AOVLMSIo+B/aoWLxwT
yDFFV2S+hoU7PSv/ABGnNPmX6h2gNBcM8EzB9giWGF5qWHCacEu+rwTif3GUO2eH/JUrfk0wVHmo
JdkcLY6ZZ2aIKdF3XU7E/UCDWf8ANLLO4nEzYw6XPCWHazB+XtLJnUehUXtnggntA64fpnGx4mOp
tnx9fL/qMlet0giy3/NTDXxwYKiHBAa9y3K5bRE7IZNjqFdeQI40eKWdNqlyK4N6IeFsvzDMOCNd
WOpXpxwdxuqu+oo7O0YyktuLGiorMuSEFBM4ioe/ufaAL9nagFP2T5hVmXqoEzC0Nbi2dMrnkjXU
HmLVJKb4rj4Szsp6nwjmVUc7qYKdj7w8xzwil6JlSoC3bqVLVvDojBQMcTXAovPMKtRYg1OapD6Q
fMYirXjuAqej17v9R8sBp8e3Udq32YqjSXLRT+aC34zMok1CW1LTV1TGSIWwsjVBrm94iTdUxxNM
D2Ezf+JR2PdB8l5Z3amPI40CAe/5pKKP4vMc3938wijrb94yp+LnYniKn6TeXo4Jc4zMuwDE7s38
XOCv0JmrImWyBXhKqkTSNhzCNsOLjKelUiRKgM3Broh3zJ9yyWXCh5i0vrfvKeFjaWV+RgeSUBMh
NF0EQ8SX786+5/YSDp+UNvT9iL/5LNyP0Na/glLLoyqfD5rf7gHLdRFy3JmcFS2LHU3TD67ZNem5
TCZokLJthM//AGR19GiXjTkzBLwPWfog2ZBXhOv0yxtlEKjyoX4t/ZNGDof5DAZ9/wAW0PxPDxqP
qeKk0fcsk+kn5Vf4GFyEFMAdWl/pF7laVfYTCsmNEMRtxLrI4/EGJT6YLRYWZQtqEXtGI+SX69df
FRPRnxv9y5JbKvw2glszAjt73oxKhBrWv9RmNMI9BWPeL6WPyTqgGq/nWF974/VTxkAD6lmsomVe
DL9R7i2Hg+IX7RChTFJuILFTxl+KF0EskzTWMkC7BGoqEuZSYOClTeZojTAQWJ1fE/1YlEVGdgpz
2nErUVmJQUpeNfc4guEWxxcV3RtoRa0SoxM7ElT+F3MELNZJhZjbZ8XH6itnxysm2gB/lafj0WiE
vIr/AG0fcYs34afDUuIifPAZB4iNXLUs93mUYyDcwB1pOFXhr2bnuA14Qexiy1dor9xJTC0MSCMY
pbyIg9DAJooHZuo2CANRhK+Yge6hxIpvktfi/SNBscTkPzP5cU7j4C2Lb6IHvGqJep2Qtwnmu4Ld
xvv05HX+aAWBvL/dxMS2teNwShxcLQpackNkHG1fZ51DZjWJY+nIV434Dl8Es3U3j+MQjsgDqvYY
pKZxCFB6AaY1MAYXUWUE8kOaCExydwGp2bnEITDaI8bmwgY0mLv/AN43uNQtRVKghVzU6GIycjf+
Smcs6b+QgC7uD+4qtLljDnFnD5gmho7jucPAVeZkX9Qi4a1iVMzAMHyHHiWCDZmXNxZUSYhSe8I+
gzGU/wAWZZkl7YxweRBpHit48wFSiHEylzCxRg8tw7jLcpz3LtQVl+J8OUZfqOW8Sy+5izklIYcT
FXMcxRDpjGMltr/2matruNc5udSV4z2EccYiOYYQg5jHixYm49lvcgO+HgjHLFXps4QOzlFpeWXX
pW/QyRojhPckz5l/82Y3fq5hXBVtKKfpnAzzGxo2zcSqxTDWZTzuJ8mLJFMMBOluv0wLuLW4rY46
lPULjrIftJ0owKt4nlBdFFvUU5aaPeE1YpJ1gyEGYLWNIt7l+Y/9u49cynwfMTRiJVNNYYSILNCs
5ibtFfCDUB8Sh7x8oeDCjNcfJDG6ZkxruXT6SjbUzZiB6TGJk0ywziBi3MoiVP5Pc//aAAwDAQAC
AAMAAAAQoNmzct7SBNqhDDjNESvhv7iZzHA3PHmtwuXhtrN0qpyEjp4ITwfEUZc1HkMU2Ngn5a2E
4i1K9z8H/wB3Eh4YqLDPk4maAvfxvSC0jzlMLINKPCGUo/B/AvUutg/PHfHXQwX3PPYoP//EAB4R
AQEBAQEBAQEBAQEAAAAAAAEAESExQWFREJGx/9oACAEDAQE/ENsOHsDt9gPW2IyQWDrGWhaHcj82
0v2NGk5n0Z/6jMXiXm7a8SJDxto7sicgPBdRPIDkvdtfYf5fjD2JPyT3B4iLJNu7Y55AGfyG9gWH
/BZ8wtfR/wCXVYH5HhafZSA/4jtuW8vJL+CIdcROVw8Lr8tDrSVUcuFTIIEZYbl8CPQSpikMvJp4
38Tf4A6z7by7L5AvUlhfLQB+WSPqx4sqQST+QdWGXzBZPqSxyYN3ZCYz8ojjadVj7JAPpZeSIx32
yD/GOxG/MvqMmZHXIN+YEUkOwdsZIXFkDcuF4sZs18v/xAAeEQEBAQACAwEBAQAAAAAAAAABABEh
MRBBUSBxYf/aAAgBAgEBPxCC7s+WTxNyttwcsOpmiD1MC7sk38DMlnO7d9WjcOrhJEuLCQ8PSSh3
bkuz5G4WWVPCHNhaoXS3CjVs0kssmZJ4Xq0kuMu277uIWZcgOjanBgPUB6bD1GPUkQ7PJOOPA2y5
duc9pQls/sdZCtIR0gjf2DItZZser7QsGcT9PBn+rSTZfwZ4cY4m37PMuW7PE+Qv22G7m3nJL3f/
xAAmEAEAAgICAgEEAwEBAAAAAAABABEhMUFRYXGBkaGxwdHw8eEQ/9oACAEBAAE/EKzDPcTpD1cN
TF+RMxIpb5glpHh5l4dXXMQoS9BNywbAuv1EmRvs+x/MrMB8v5Zw83Y/7KNCL4BfqCXg7J9H+Zgs
PMyfG4mcRb/2A3qBpCQq4gRklhVfP/gFclHPM2vBz4/1AaNDZKG0fKeYK6qMj6vrKC0ECmzNv4+s
BdQFYsUFbu8QOQq7gDMFwstq4OI02165lBpv7/cxS7vuFRUS8GZiNV8RbcZlB6msiWaZUX8MQqXs
FML5gGyS5xrmZQ6m745e2MrVug/a48TObh+YsKyzbVeFwyrT2m/8yuq8Cn6xwgGskwhf7EGIKcJz
crwHlfxClBvf68QFVMBsb2XCsLbQQZeCwtD33AYVq3IlvQ16J34DtQtUX4YKYHhg9RuIu2m3IPGJ
fkDz2fG4i0i10rPrM8R0WH8SnKk7NfWKhoRTkqvEXDXM9wGt7lxBnIJQ+u3XiYKAFBL6PW4iMi1l
fTcsCp1+ilk6dmVQAbU0LAOcxjSZmHdv2i1ujrqDzqW8p/yOlG0LC49Eag39HMBqAMUYUV6w6+MA
K+kKo6FEfYLAVlFr+WYE7y6P0SlJY/0dEEXCnJv1FFq4W5WMyrWrYiqX7TMpAXwTH0ZegNSb+pBT
Q3vp6hRvrDi4gVX4Wm8UZfX1Qv0Vn2DXzVxcujZ+Bg+bldQoCRS8GLJmARp78S5miWJOaXM7SiJ3
BMiQyRxZBPcNXj0sXlWR3+kJ4YTbTKJA2HXiotXsDuEqizHOMNeQB3HKwagEbXYbTLVKgEo9lp5e
jxBLD0H5Y1c6FB1G5SK0E7CvMQGTzWZR89oZ+ZgTHEPirQZpwOa+kEiNji/Jjfmjq5afjQG/Zw+K
+YmVnedvuJPQ8cxkyQ5j1ejx4g0S8trz1CFNhwwG5B4lz8ICzM5XiNQUfEClpq5iNB7VukdLY8HB
AWXkWaYYGlboSu4mtjOAr42wBgGVeoOiNxqtkBVFZtNm4wZQnagzrm/sxAuxS539sfeHMxJXsFHn
N8GH0mEDKBrKZ84mP5BwVMoFax/eoxK+BDIsIBaupWP3TXi7u8c7vkjyjoEsHTQP1xqKTWQlt/7E
WHDNbHHzGmjnuEDeGn7/AF9IIKzg/f6gVco7g8JcU87uG+KdVLhtb7jw34Cf256yL2n8wl1VC0L0
eZQAy6JWMU8nCCsOVvFXXm3qM7QABbC9exxPcThhuwW8HzFUosCG/wCk0NDbJv8AtyiZpg/FfLzR
Hjq76EM/eFuhwjJ9YEiWbA9Q1XyfMA/DQj11cYCclEIicGoG8AGyZd700zZb6LOA4l+ZbSX3D4Rv
OPDL7CHSILeXMUXoeZsnsyQanZiUInRuKBNGtLSO2rhYlQeCl4vzUIc/7K+MQK1ELfWIK+YHa4zI
1BRVbKUMY8U8qqM1XFUxWs0kQhbw+Y63lf18Q0vIv7i6Wl4P8Dyk/YWcT2vcNfdBP2rgJygavrGS
9EkAI6bF+mGtzFpS1DtCvPFA1iPhaWEG6fJ6L5Ieg5FYlQORBfYrGAJsrJitr4dxaLasjiV2qJsq
WsfeWYwmcPgj2a3TGs1d017/APAIXvqCcCFRn1KA8Mt7fmDLUDxSg3VwOSu5qHAHUVV0uCBOAs05
8UAlnU3FF4XB3TFcLXOLKU+LPqSmTwaAF8/YgqLcUtnldfkT4iM2sDnr1UAn+M/LAREd4b76tBcC
3yL/AJstZ8LzA/lYSGmspzXw4ilGoAoKWl3usyz6VGB1vI2Jbkcu5VAJ2lbq4dL6U5lW1Q7zwtRU
HjFwxKYNNfMq6W5dCtRpYzouyxTD8QoVIxb+I402c6i1iPWazFmEhJepaVoTmAd0gI+P8wNxVvBn
Bd9xuUANvuY/vuXh/JpgBYj04vljlMHhLeaMYOtwAsUHHyfEWhavwS55Ux3eT45ofiZdiwjnDVmu
ggsNhanyUPpGeVfbewEwjldobUbl4oG4pIbgFCqNBvWfPEzvOuDIHIHjh6g4a3G6gwBdpg0qVY8c
RVwkSxK6TD7IH1dnUgYgMZStxK4QkKNIIolmxqYEW1l41FBb04cYjmpFBs7FF08nmAXTG7FWGgQC
tgZl1zJ4zHkYgxOxmCWN2LCy3KbE19PUUBvumE2C4gQiowFYbqpVv8RHAfSApoRBPhK/aRYr3CVY
QisULgLQOSUmbsBCjZcvgpRvDuXmKhSbTxTyF/8AAIt0F4LYkCSxwf4nmDA7Tqo3L1hjmMmh4RGt
CtrLv/5mM2hl28yk9cqzeJhQOUrhdTOgY+rR2+wJbFvrfEowNFHOKN1rhCVUKu0L7lqr9Pd2+1Eg
ChW4Ek+SwKA4urrRqcb8JbGK1at3xqM9NP2YzdTFtCTMq7bdTs14gYOQorQ7LGikQ20GC06smCC9
Zt9BMAMbACW6WG4mpLBDAurqAuQ6q5xMA3tZYbo3+sLUxa5tyDb7QVi8tfP9qYIdAer5INoFLfPc
SxGsRE8jwzNJg6Y59O1l2OE5EBAHSJs/8LwzorC+V4hXqXNlzWnUNGNZVnLeGW0FNF31eql4a1SB
az9pj9bl11HpF3kPG46Baq+vMGjAqEgTcu6ZVXOt0wXwjkPrAKoGL3i4qyqChnUdQCaxCqwHpMXS
PEKoOFdzRh25goXBi4Z0ntljaPuUWOqn1g99lT7wfKjRwX/kZHbZ9o/RSHNFjC9xo0dL16ghtxS/
a1b5qJkdpfgFk+s06ZgW7oU0eCodwAXiAaTJ7ChxEtQeX4lhoas2/E2BDvHzbvYMQnVW5hVKdPUA
JT3EaArWGNRQNpy/ylGgs0jhO4hlh8x9KPWYDwz4li6YSI6ch1EDg1317i6oN+iW4su5s9esMktl
wHBslCEtvZMIZI1WOckULVHFGLhGDt8I+zz8y3VZ9TEght4jJUOEcw2bMLwy7ByDp8Rb6dnqXUWA
yRAUHnuZYgWwEA1zzNiNgKKP4iYC3t6MwVP8Bhh2AckfFcO9kWy/ZgzaprmPc3UtlKHc58b7j66x
cesuSWGzcRAppLg0az7I35QhQdTAKZzBrR9wrlxmbvFGajsSmy5kbwP8y2EO+/EwcaK7jxEHJqWW
Z9sfIafzGuL9ItZg6N3GdMuDmjuCeZKL+sC7/cRxQ+YGbUstGCwJrzAyqL3AFm/UUa+8IO4jOMkb
7DfGL+XsGn+kRTV0wgq7yNdcR1TtSi+At+0RsFCAWNOTCeoxGaLfUsKlLW1z/wBgW7tHcIW7dHdy
oOXiuZhU7EwUH2fS4m8/GrgZPR8dSwopnpBaBseg2T4HzAtWDOHcsILu400H0OZRgy6WPMkVfcrL
MV7T/wBJaSTepGmHOF+5jbT3mG7xOnMapVdaZyFS5Y+dxo4UDSW6O8Z2ENF+3+SOLZbVck5r5/MU
FD05lrqiQRzwmH3GCmn6SzhFhCb4P9+0xky2Lf5hvyNkIoKwcvpBSvlxHF4xTB7MQbBz+Yu7iVtj
nWyXA4nNccyxWFaSZPwpq4l2QLqI5Lb+Y8RL3mX5Ny4RrcLuDplFVTpl3kXsmWHMa9lMsQ3/AEMZ
/9kKZW5kc3RyZWFtCmVuZG9iagoKNiAwIG9iago8PC9MZW5ndGggNyAwIFIvRmlsdGVyL0ZsYXRl
RGVjb2RlPj4Kc3RyZWFtCnicpVRLa9wwEL77V+gcWGdmZMkSGMHuZl0a6CHtQg+lp7ZpCUlLc8nf
7zzkx4aSB1ljSdbOjL7vmxlBi+6h+evAbYCXPckYOhnvf7jPZ+53g06e+5+Nj8B2d42Mt/yyGc/s
slrJbHa37ldzfaah5WH/3bHpIbbk5D1+d+cjB+bV9QCpHG+aw7G5aqBNDtqQ+cdeH99xAGw7+Xrg
70t+b1zfxoiU3YcGOwba9R2j0mWgwCNDgdDm+esTx306TOZTmXrgOOaqH+Z5ioh5cKiQZJOfDG3P
9HuBQZ7Hb3fN+fu7zl38cXIoCwlZ/H1MkXSGPlU1KEAbGX7PZ1U9fGQ9vgxAhQaIZRMH3Javx0sT
R+I9AsNhfGI9vUdGolHIYWQKoivOuj4DJQaJQT2Hr0jIkOCubPyA+7LpBhjhomwY2FbHzDNPuoVJ
DND+3pXZZvFgmwNkHDGrfVc2OBAULzZqFQfYn1J9Di/lNHGe8QIHDgOhhqeCAnM0oAKLvJ5eUVC3
ojNC5oRk0D2KArgX7ryl6KqrEtWA1CvnbN7MRY40b/+inFGUunlbzij6pZsmDfYrWsJ6Tp+wMqA1
L2P9K85ZsuxZBLM5zM7/scFxXQB6AKINJxKQR9+LDBCSEMLUeVyIeEeeZilCG1UKeqkU3Ibcs1y+
8bEU24UIpSXnlBWuEdzXch5Xkj1dKDXptdBl75VsMce2eyNfzDSVz9Ku1ofaXQs8S7ml+iT9lTlG
6cOgTK1zlCmC+O6mge180Yzr1rpEMl1I28FKpmpbpmsjzqfZEXaxsOrEJqa2GVSwVk967qj3hORg
6kI6vFbvKIq9Ue8Ql4u66k2jXjfd0hp7RamADapusHbJrEwXS1AVxIOaTFKmk4ozjSWCx7ku1/Vo
9otSkr56ZflVE165f2/LrnsKZW5kc3RyZWFtCmVuZG9iagoKNyAwIG9iago2ODUKZW5kb2JqCgo5
IDAgb2JqCjw8L0xlbmd0aCAxMCAwIFIvRmlsdGVyL0ZsYXRlRGVjb2RlPj4Kc3RyZWFtCnicpVZL
bxMxEL7vr/AZKVt7/FpLq5WatIuoxKEQiQPiBBRUtSB66d9nXt5HUmirNKrj3bHH33zzzTi2deax
+WOs2VicZqAxBhofvptPb8yvxhn6PPxofLK47r6h8Q7/cRl+45bFjL5l3Z352dy8Ydf0wf3bfZNt
ar1JLZj9N3M2omOc3fTODvvb5nLfXDe27YxtY8E/3PXhLTpwbaCnR3y+wv9bk9uUHBTzvnEBgYYc
EBVPI0QcEYqNbZmePqLf/7speCqGHtGPbOUH2blGhHGgq9jRS/wU22YMPxMM8Dh+vW/O3t0Hc/Hb
0KFIpC2036cuAX/b3CkbLhRkAuG3qfLhcXbzubcXwwZ6u6PR+WETe3s+QA/BbukVdPhgy1CNbhw2
vrdb2PHSi+HL/kroJAQH8PFg3+G53jvEzueCcQmDxkxYN2XiGfApkg/I6F6xg2IPCoKwj0Po7WgL
wqeA9CWixq8wIObRoRUCR+V5TREH4IaN6wEGR69Gjh+jl2VJPLvC+wK9kAWjh3Xw4J3PRICNHYXi
uuDdHII3UFKlH2mINEca4KU0oABQLQVmSSsN3g8CDfpl8JUKsXirGSZWmCeOkPMuU4skCTGyQEJm
m+uGTeh9UMdkDMxZmKhnci9YIjtavGBxp0KacqX0j2y2I548+RITXL5IVxDLybqCGKuPiVB3ToAI
a9LEs4Ik+5DFICVzpKiZLhknIbI+y1JHC8ZJnK9VEwRsHCeqiZvwQVEBAlVUu6qmysMqfwur6mYR
MYZadTBpkDTAFq3VZfp1b5HjQcgalb1u9lQlqHyqrMiTD8NMN7asFZ3PMeGKO2biKPyl6iETKA1p
LesCZUGEEJArIeJDbZfsgwnQAq3Wl+ifLod4ov5dnGQ063/LTX53mOUq+VnEk7KXMWhCuWR4ijnO
mt1R+xT12ZoqadpTC+OewWldFAg1kdSvmhJqoPY58ST04tjJTpGNQlhlSLDlV1acw2vXn1hxzpVD
shNdTsLvtl5WKuuimSgwchD1UgK9zf5Fp0a+7Kh+cStKOdW+W5Qlv8iTnFezV3n2ka/Ip4wqBj9I
Abyu+LrSHrKyusXn5qvQp8bh5yBfl0usnHxiKrFwwlO9U/teZas2MZH4UWNAOlmrlDVWAscmP8cy
J3+Zs3TUbbjzrVvH/Hvu8lgK6UkpVKVp4xVdJQliIvba/AUu/YE6CmVuZHN0cmVhbQplbmRvYmoK
CjEwIDAgb2JqCjg5OQplbmRvYmoKCjEyIDAgb2JqCjw8L0xlbmd0aCAxMyAwIFIvRmlsdGVyL0Zs
YXRlRGVjb2RlPj4Kc3RyZWFtCnicpVRNj9MwEL3nV/i8UrPjGduxpShSv4JYicNCJQ6IE1DQagti
L/v3eWO7SVsQu7CNMvHHzJs3z55Sa81j89OQWRCGHav1Tu3DF/P+ynxvrNHn4WsjgeB3aNTe44Ub
vgg5Gem3+N2bb83+KkPrg/jVrukotGz03X021yOAMdr3vBx2d81219w21EZDrU/4IertKwDY1uns
EfMbvHema0OwnMybxjoQdZ0Dqzz07GFBhXybptk74P4dJiErSvfAKaF5UiLPGaEOQPmoi3gStR3K
75QGC+ynQ3P9+uDM5ofRpBCSksZLiIHzl7pY1WBOyAL6bTjqIRjtP/TMw8L21tGKZVhwb8fh4+6m
KKSgF4yAhUCJAXAZiI0NqALSkp2kfYJNECDwTIULFVoO3NNGWVBQy6NyYzcsQt1cn5NjsdIpQfJR
k9noxE5JoJF4nMVE1GtKEOXnEo0RmovrLoiyHRa+t6KMlpPZKM0iIo2U/kRea6K8nN04r8A1zju0
HRZO11w+jXWZSQCALUelae1II/ylOpRQG7PzSnOV3ZK9JJNOSVPK+5VmzW9T/irJynes6TNiHbt/
1R56x5dqb+3xok3qWxSCwlMlpWoW5VT0XLVUWSVX7+biss6zQBqasmbl0l1qE/ozxKr1fKJP4uGY
NkXHaT+zqScSn9Fq3EVtrxe0GqPr0+UNPlalZ1041su4PCnpWIYkTGWpsstK1vnyBwBI2ffZyuDU
4Bou1UG8Dlcao+1ie9lioUTIiODiG8roGTo4Punk/9JB4hFh0sHR4Grn0rGl5t7U8z/9U1rNXdyV
vvztSlByVmt2xNqytfSTg741vwCTf33mCmVuZHN0cmVhbQplbmRvYmoKCjEzIDAgb2JqCjYzMgpl
bmRvYmoKCjE1IDAgb2JqCjw8L0xlbmd0aCAxNiAwIFIvRmlsdGVyL0ZsYXRlRGVjb2RlPj4Kc3Ry
ZWFtCnicfVDBSgMxEL3nK+Zc2HSSTJINhBxKXbHgobrgoXhSq5RWsZf+vi8btIroDpl5s8y8NzOs
DZ3UOzF1DBht9V6qPz7R3YxelaFqx2flAqPuoKrf46EMES3fUI2tbk8vajubqKuhfzGqyEE7CtrS
+EjzAcRA2yy2jDt1Maq1Yt0Ta5/woevmEgRGS81OyFd4O4o6BGMTXSsjGFSiYKoJeuvhMQp7nb6y
W/D+T5OgitU9eFrrlLTOnxNhD1D5vv6EJdYR68c6hnXwDwc1vzoILd9o3ZbXYlL4DO0Mtp80bDof
wjEOscksxWWzLJ3JvCidZOsqdsLJRisVG1dCFlfux1U72d8q9SQm2F8qIhMJTzpm4KF0LluuWdNo
qmZw/VlmTR8ZSHNoCmVuZHN0cmVhbQplbmRvYmoKCjE2IDAgb2JqCjI5MwplbmRvYmoKCjE4IDAg
b2JqCjw8L0xlbmd0aCAxOSAwIFIvRmlsdGVyL0ZsYXRlRGVjb2RlL0xlbmd0aDEgMTE4OD4+CnN0
cmVhbQp4nOVTS2sTURT+5pmmViUS8LEoE7DYgsSkNmohiOBCCiaFBiOu6mQyeUBmEmYm0iBYg/6E
uNBVcaUQ3HRR3JWSRUG3rl3qHyhiaqzfxGlSJP/AM8yd7zuve+45dzynaWIazyFBMyy9ERUEEUAX
EM4ZTzytAF+EXS5yudYq7aXC38h75E7F1Ivb3sEcIN4iv1Gh4sXgYYi8QX65YnkbX5CNkHfIZ2p1
Q88gRihucZmy9I3Gadzz+Tsumq1b5n0v+4B8n3t8bNRdL4pnR9z6pW/3C+Hjywyh6nMR/70UIKIN
SG21xCmy+9cjschcLBJrSxhsivgNtfTzTVspsXdddJSsskQ/3KRXV37bkbcOHzMDJ6A6ymdawmwr
o6/EznMRpuXbh3sFRe31+z3hqpwu7vd/+dP35yBcfL3+Pby9fjZ9gFNTw2J2i5Gdk8WpDqvirHE8
KMaF8oPNEy7CP+eRZKCtXkI3tORXhSivzPLQS+JN/ZtHxPFduDOKO4MPo1yzo7wCY2YDLLI78wH2
c10LsEy8HGCFd+tugFXqV+kpyOwJ0ngUYIE1vQqwyH3fB1iififAMvGnACu4gK8BVqn/MW8saIuJ
RErLNW0tUzWcuttyPdNytRXbiK82TDvXsgr12ppZbtZ0Z6wYo7zpuNW6rSXjycRYy+MZWOCvsogE
nxRRDk3Y/GZQpc1BHS5afD2YsPjVsEK7gTiP2qDOZkSLlgI9a1ijpswMNeiMneQxSZenxmHuKpm/
d5LZk6xnku9wFkM5esreTJA/xc6ZXAplbmRzdHJlYW0KZW5kb2JqCgoxOSAwIG9iago1ODcKZW5k
b2JqCgoyMCAwIG9iago8PC9UeXBlL0ZvbnREZXNjcmlwdG9yL0ZvbnROYW1lL0NBQUFBQStPcGVu
U3ltYm9sCi9GbGFncyA0Ci9Gb250QkJveFstMTc5IC0zMTIgMTA4MiA5MTZdL0l0YWxpY0FuZ2xl
IDAKL0FzY2VudCA3OTkKL0Rlc2NlbnQgLTIwMAovQ2FwSGVpZ2h0IDkxNgovU3RlbVYgODAKL0Zv
bnRGaWxlMiAxOCAwIFI+PgplbmRvYmoKCjIxIDAgb2JqCjw8L0xlbmd0aCAyMzAvRmlsdGVyL0Zs
YXRlRGVjb2RlPj4Kc3RyZWFtCnicXZDBTsMwDIbveQofx2FK2wO7VJHQ2KQegInCA6SJWyKtSeSm
h749TjZA4pDIv/x/1m/LY/fceZfkhYLpMcHovCVcwkoGYcDJeVE3YJ1Jd1V+M+soJLP9tiScOz+G
thXynXtLog12TzYM+CDkG1kk5yfYfR571v0a4xVn9AkqoRRYHHnOi46vekZZqH1nue3Stmfkz/Cx
RYSm6PoWxQSLS9QGSfsJRVtVCtrzWQn09l+vuRHDaL40sbPOzurxpLhuSn2oC3d35Al5xZ9kYFYi
TlXuUOLkIM7j76liiJkq7xs0rHADCmVuZHN0cmVhbQplbmRvYmoKCjIyIDAgb2JqCjw8L1R5cGUv
Rm9udC9TdWJ0eXBlL1RydWVUeXBlL0Jhc2VGb250L0NBQUFBQStPcGVuU3ltYm9sCi9GaXJzdENo
YXIgMAovTGFzdENoYXIgMgovV2lkdGhzWzUwMCA3NjIgOTAwIF0KL0ZvbnREZXNjcmlwdG9yIDIw
IDAgUgovVG9Vbmljb2RlIDIxIDAgUgo+PgplbmRvYmoKCjIzIDAgb2JqCjw8L0xlbmd0aCAyNCAw
IFIvRmlsdGVyL0ZsYXRlRGVjb2RlL0xlbmd0aDEgMzQ4MDA+PgpzdHJlYW0KeJzsvQt8VMX1OD5n
5j727uPu3Vc2yZJkk0AILpBIICGCza08ClIUKVKihiSQhIRXAgQUkQYFREAKIgERq/wsUl+FRRGD
jxotDx9VqFpaaxXq2yqVr6W+IJv/mbm7m/Cy/X2/n9/38/n+P9/d3LtzZ86cOXNm5sw5M2dumufO
ryVOsoQwYk6dVd00ctrEywghvyMEvFMXNIcbf3C7D8PHCFG/qWuaNmvBz355CyHan/C5c9rMhXXf
9fW+RogHn697qr62uubqaYZKyOwNiKO4HiM2xG7hz4iP9Kyf1XxDdY8f2/D5BOL0z2ycWt329p1P
EtIkYfrts6pvaNov3yjj8zp8Ds+unlX71I1FNfgcJcR3W1PjvOaN5KJOQpYN5ulNc2ubPr5obyY+
TyKEtWIc4Jd/nBhU+DNlkqyoNs3ucLp0t+Hx+vyBlGBqWnqoR0ZmVjg7J7dnr7ze+X0uivTt17+g
8OIBRQMHFZcMLr1kyNBLf1Bm/vCyYcPJ/+SPfIik4X0pv5/7kbxWfOfHXXf+idXzMOYlsd3/VQps
8Uv6ryJaScYTo/P6zh2dJ8g2UkVsndd1bu38Bg7SUkxNQ4rtnV+RfGmeNI9UdW4lv8XYNvIg+TW5
l/Ba7MDr/yCWvfjLn39FVgi895N78H4PuRvvPOZhvO6+EBGw/YzHL/Abw98/nAf0HvF9A787yCKo
J9eQxm6pd5HFZCa7DkNZnX/F+8TOh0X8YjIN4VqRktVYyzmda8n99HKymOVijjX/Gbb97+d/P//7
+d/P/37+//GJPUjWkuXkE3I5WUpqSS0MgkFqVPkEY0vEdxz/mpeNHz3qB5cOHXJJ6eCS4kEDiwZc
XFjQv1/fyEV98nvn9eqZm5MdzsrM6BFKT0sNpgT8Pq/HcOsup8Ou2VRFlhgF0hdSo6nDJo2YHk0b
VhV15g7PNcJR5xUnxhZEiTeUnesJFxWU94tDReVIlPjGRP3jJu0i5uDyqBI5G+SKKOtlfJmNmceG
wiOiUi/8y728uiaaP35Sdq5xJJRML8c80fRhk7KzQ1HaC/9GYxL+XV4droka4zA+O2TFjI6ScZP4
1db53mCMJIOzy/E+flI0M/FYXn4+IlEL6Gw/i8wrYJWxy5k2bHiU+HcR53tREuBgJwaTKBkazY8g
IQaGBDZSEAX/l1HwRSEwFkk+swie7djg8/BgRM303BE1DcjRmqounp6wOJodXhVeNX6SpwiDgugx
0RevmrTLYR+WO6zWnowgu+wOjHGECEYRRNK0C5w/ABGgzhGX7KLE5kIGejnBI/g1PWqursJA7nDk
HKb4ulLaOttv755EMFsi5LNCVqlRZVhUtcgIN0TN6ihZHd7Vt33V7W0GmVIVcdbk1lRfNynKqhFg
F2G9RtRPiPYYM+4ajMKi8KqqD/MGHy5uvPnCI+rDq/CZw1bhPXc4b/Yz4mvqa6t4R4Gq3OGYpg2b
tCK7PRT14u+IqCcS/RGC/ejGD0IYW16eipStGpGLyBB2xPTLOM8Lku0iutvoGsF9c3V1OLpkynSr
c1Xfnujg2auMqPOrbGQ/NgDmFBnjnKqpms4pml7NazFienjV6lpRk9sF5dghwyOmD+cXz4jdm1yN
ua+ZNKI+d0RXgVgvDLBeZ+fNzo6mRXjGVatGcBKra5B6i2RM6KKfd/pQBJCeYVFzgvghEwSLsUSz
enh5PCoOcA3PxlOqhpeXZ1vNiqBRtdcKuX9ueBXHqPaK+iNG9j5Ma+/Xd8z4SSOGh0Tto3TYpEuP
p4aOY3jMuGQ0pCLMqoLjIYtHY36SO+Yqq5HrE7eqCdYIpcmGRdA4vMD6amroVQyPzB1ZtWrVyNzw
yFVVq6rbOpdMyQ0buat2OZ2rmkZUhcXQBox/anUoOvL28qhRVQ+XYCPz7jRy/Jio76prefOMDNdX
W9KgLDd7cCjbU56AGXeh5PhAwg6N3doaSKuMz5E6JwqdUHgklyBtOPBDUWMwH4lIy9WTsKNPFZ1S
3HAA/ATRh/hQYOW9RjT8JM6iUHaiy3DRdlU8FpFkZ/NBsrrNJFPwIbrkqknWc5hMCT1GzIIItl4V
T2lPpASu5ilLEinJ7FW52FqpY37yL3p19x69ypPrDZcWiBYQErUm2j4B6/jN4KhtcLzBfcMmsRCN
h2iI8ZA9ghJqaDQYERk5T1AQrjJyw4dzo0YkKg+b1B4aWh42PCjBINkd4hghaqZzoXk49yXgopL4
jSgMjUIKTyIoOoUEZ8HBmJjMGx6xqire17pXMS7va+rPX0+EMXKxqiEL3uPN5bX9nZBfccHcayQf
WaFsC+Ly8qjOxW9U/1zcsH6hYZPCKGpw7F4lAuER4Xre8NFw1XAhFMpD3aPbOo9VDecyDknmIKF4
J8d7+b8uNc0qNvXfHwZLcBjcfHt5/SVns3nMhGRo/KTFoRvL+xFC+UKIjF/CiEpSTbsKMvPKTJNI
wX7j3f2kbH/B/osLsz3Znl54A7TPT4dZ+2lTJqdIWGrnaykHEc378lo034vMHtJm2UZvoLdR5qVU
ZUBWS6YKmh1W64URWGzsT099bexxUlBWVDm54shxRJ3rUXIHhUuK6Pu7f/Y3yLhpqbRx8YOvId7n
EflCeSlSdp/ZRBFVC5gEwlAIJkgeJsnQUlNoylAoQ1gGQwYiQ+kJGaIybJWhSYYqGcbJYIoEjG9P
JFmRRiJ+pwzrzoRHdBXxz5z4Z278M1nERgCpT081RE1EHYpgYVsbEot0byNEeguDDjLKzNHWK4pd
Xk+Zfb0JqmpnzE5cPtmOdXHCDBp2ASLjmDrax+DsuSS93HjNU1qAf6Qg/XjZcW9pAWcS8j4Qv6S3
Tr0iZZ/exAKnP2OL5aX3xEbeE3NguREsdw+Wq9L5ZieR15sKY0ym5IYhtIWZbgYOZtMY8myhBg0a
jNagVIOIBmkaaBp8/a0Gn2rwkgZ7NVipwSKRjAkY/5aIf1rEY+ZykXlIIudXInWzBqsTeK34g5+K
nK9osEckrxTJmLmPBiENFJH6kEhamIhPE+VhxrdF0kaRBenopwE4NNh0SoPPBCWPiOKQyBkaTBDE
YE0Q4pRI3Wa+JBLHiJSeIvoVkbJF5GvRgFZqcKUGhRq4NZh2VINDGkQ1WKuBlYCxJzSw4ndqcJ8G
TSLJ1CBLgy9EEkY2isgyEUk0KMGEwxqs02CJSBunQYFIOCywrBNFW/GIKKyBoUGnBsc0eE6DrQKg
SiSViVQkQp1cUXF2ZzyrN54nRSRUnpE2t+szOZF0/sSzcZ5bXlf/j5DUgrJ07L0XF0K2J9eTPShb
2hML7I2lSaulj0+lSR/fkxgT87FvaqTMzMDhQFVYb9qYypiiOXygtKgoenA4OM4/HHCUpceHAljD
AEuS5p/+mNHTsTb2e+njmOeejm3W+LsM2mg9nYJyw/0EbKY4yAuM14iVd1A2re/4M82DtocRsh7F
XgwzKaTeHIQCBtZQ5qeUaaSc0A8JMMI2mzID6jVQUNJCSm38CVHayE1UlRfRSAQ83tLUgqIByJA5
pKwdeXG8tLJiDmpOkRWL911cyLXQJz5lMIkCzKkoB8jlVLBYxx2/oXUdF7ON0jenbNLRbZzy8UjP
aflekkKi5siARKU1PrS5fIEG32YftftA90kBzbnFoW3RJRrYDN6tPljgA+bL9RX5pvokH5N8lCgr
Pamm0xmgQYoEgqeoKLUg3Xh37PF93tLSSt6EpOx4aVnHkeNIeik+r9CRVjlB7F7i6jxh9vSlFl+j
TldvVF9WpToZFANuNTYaXxlMNgIGVYfbT9opVGDuOWRORaS8DwwqJmhB5uXmqL2LiwagsYhtnM1O
n574HVy+ZWvLzt8W/f79Vzru3xPbRg/e+TfI++zG5tvq1s754LHlsdP3xw7y+q/GmeQZKUIMUmHm
K60DneB0am7SCqzVbdhxMBBMKiTMxojXYVuumR6tlsb7yz7jCNYtbT/vj/G6FVQct6pk2tN0eEl/
S/9UZ1AxpxxUJFNRAtiLigLFSC19pqh/XklN9Y5tYxZcOUairT2mvwYdUcn7H1saCSXjOj+U/EhX
JrmIfGtWZbVKkhLetFN/Tqe6nu9NaXUHsgIFAWZnAW9rmkHyWxUfLEVaM3Qpa3mG2TejngbCKaa3
x6iUXkh2RKuj7X1ha19Y1xeW9IWmvlDVF8b1hUIRmRx5VtWOL34zkp72arye+9uNI4OPYwsWYC2x
xvGKeksXF6QmquvZmwNSyB/qGWKqP2ykjbKjEmL6dc8om2F3jYqosCf3QC7dlg7pPCGg2ket9Gz2
PORhmqPBsRDnidUMRONGsLNURCIRDJZn5+blDVJyc/IGDSwuLikRba1gY4vW9vh7D9JZwJ9SNKBY
8j9jBPe+e+eTs95+6PPm9SMP/ahowj9qDx/ccWz1suF14+qOpF2XuWPzbTNbJzjc2evnXpq/fEDZ
M8/HLv/lkYMu94CJ5mVXVWNHIOM7P2Qfy4eITnqQL8xxRquzp3OgkxKn4aQ9WiN0CKVumkWpU6JO
vNldxNdqN9JaJR94nW5YTlKWqmYmqacZah1dlwlNmZCVCZ2ZcCwT2jPBknCROI+NjvZ2UlaGM24Z
HxUFBXygHK+oMBI87f+2DR4LfhmkzwY6AnQMhTEhGO6F4Q5o1pZplOKMonm19zT2gvK6QpW2zk/M
nsH0UYvk1TJ1yeCSM+TjMkMdy0CNj0X8gFquP+pnnA6CsoOzek5C9JbLuZzT1DPQWzQg6ClinjzO
bIu9xezjHXPaX/z7yT2vz9ixI7d14u2bt64uWXAtvflu1I1sn0HuXXToqSp49kdVrzz1zBuDai1e
SlnYg/lOztvmFa5NaWaKkbYprTCl1WaQTWFvoRc1NqOV+twyqLKX+JY6zZCzgaa5lspmulxHD4eg
PQRbQ7AuBEtC0BSCqhCMC0FhCOac2V879sd5eiRtP3KRpPKOWoGcjRARHWdo34bUh1L3pr6UKgX0
Wp26/Bl+ykjQCIaDzOkOAHGDvprPneM0qrZ1fma6g6Md6rUqdRNmMBqU+Bw0mbNtMv8jfEor74Vc
I4MGkqIBJBDITkF2lTDBOlXKeueNzth7oL33CtDTp217t//2mbtd9868fmvq5IWQ13kS+sU+/bTg
6QNzYFPLxjuWcXmUhfL4qOQlDomaFTab5nDYUUvGCUKWJQUUSsHhIHZmt9lUWVYkTQKVqCsU8CsK
aCgNVkiaX5I0m+ygErFrquKWcJbxojaMAIoEGgEbsxvEkJ7qPEEUFLudqD07JEXrYwe7HfL49mQe
OUI+IpKDuFRFQcUcXsKMUprURxotlUuyS7rVBQtcUOeCiS4Y6YJiF+S5IMUFigu+/sgFB1yw3QW3
CojhLhjogp4u8LtAcsFJF3zggjddsM8Fu12wzQUbXLBMoKsR6IYLdD0FOoT/ygWI8HUXtLvgsX8D
/uBXooAjooA9IsNGQcqF6P3I7BTgFs0WrAWliMiNieLquhWXJ8raZBF3QBS0PQFkJX/UjcoJ56vV
hYisSRSfpHDaRwkCz6LuLRds/l62JQvYfiYXkixAJCVfmXMEsAWGqaUuyHEBGC4gor2OueCw4D+2
11YXrHPBEhc0u6BK1MwU7Ru+QPsiPLUyNLlgnCuONKFgVp6j9cVVv8qzFcN/pYyeoz+eq1ueJ/uF
0JyHonNBC7giUlRUUGQcQFk6YEDBnCJPsHQwfoTCgxpPe3s7v7zB0rhqtqJ/qqWhGaptqG3ouXeh
uTkoSDYgc+bg9Md1Nyjif+zoM7G3Y+88AzfHNj8PEtgei22D+2OTaQb8M3Y7NMfcKD0yOj+kpXIB
8ZNZZm+75lZauTKzye9FKetyuf0nEMbpXq5qRDGUsGIqkorTRrtp96eOUpSUwJIUqOCTO06+7a92
tL+Jyg1XNQnXbsraO9qNVxPaDQurxiiJ3yIQETIwb5And1CRB7+BXI8fpSAtrb5kxaKWlh0vvji9
f4mSfdf9tGYtZMTeX9ux7VE/UlKCs+03qHvmkBNmmHi3jPNV+Zb4mM+nZIS2kHSws/T01C0Zkm2L
ZmqczH6aVqxpji2KrzwAEtaS6iTs84X0wMqwvpL1NEkIUljIZjMNb7GtIAKpxgFuNXBN9E2htXiK
JgtddEBBfGbgwS6VpjSuPEuZ/kzao63zGzPblzrqxhSY6K/z03J3g5tOdNW5qANnrG3Zu7P3ZbNs
rs5kop4zMasua0EWuyUNltphpDRRqpPYSDqR1lFmmfYRPulagXJIQW2V5Ob0LuHTK9drcgeFz1Bl
Vfrp4vWxv7713aGiZ353+9NPP94P5t697OFHB+4/dOTrY8zWu/3mJ2Onb153/S9vWrHmrrcabkDF
9rVft/8UZ96qzg8kL/LVQYLkZ2aqd4smObcwn3slMdPQiAisVMxUZVFciz0e/yFcEYm37tCRwe3B
PUFWnDIy5UgKu8R/uf9h/5/9ErvSAFMHYh9nr7IzYhtnq7Ixt1QpNUrMTStpI2WqXNltcJeDQXuj
TmGgTuGFAV6PQXPFo+Q9/vnfP/v8+OfHY73Xrl9599q16+grsWWxVoBZsBAaYHps4+kxoMAPoC8E
Ykdjx2Lvxt4ltPOO2AS4AjU0F0mDQ2anXydCOVOdbsXWynp4SFAmyx2m2/Gc45CDeVl6yLG8pjCp
Q5SFoCAEX4TgaAjCITiUUC+s+KwQuEPw+rEQoOqxVugaZgg6Q9AYgspE8okQHEtkuzIE2OW2Iprn
QrBToPlCZEa9JSryXCkiraKeE0gxQ+MXiRLKBHrMeZ94bEyUWSjyHBVYkkVZRGL+SzvjdTBNjjfa
TUOyaOwUeZNkWdk7BeEWcUngC9nk5zfzJ3eP6QbWlXlyVzbx3GW279tn7ENBcqBsckVZUozQfM1b
LFRqNOhkv5IcEaiA8lEQ1/1hyOLVl0/KvqxfWb8dk/qWlfW96AeXXvfrX+auCJRXSU3wLI/4wUX9
fsA1qBVch0cNykOeMX/kbqXc/KBU8tjc4OKKurHcY/o89VRbbjO9tlp62AftPoj64IS4d/rgmA+S
kWjuNvm6uCRq1G3YdLQLs6jdgzIzMXqKDQdIDr+DGg4lpEQUpoTR2nHpl+pj9QodRworY1eySia5
5Sy5QGZeSeYAEOEjp7KCRFC15LLfMnxQoHIVvAQZ8vGOXz65tW3H/Jpf/HzHHY8+/Sg90DFtwa0P
08+w1muw6kNwXDCyyLyaYsRyMCUZsO+fkOGYDEcTi5H3ybBELD1myeAWi5FHu61TrpPhShk6RZbD
Ij4JfKGekpAfyVXJITt2cActRiaiBRBCORQkuaQAFPOHihOVS9CJ86It3CgpTGXu1FQlc4tX6oky
HWem0Epu1lJPoPdKlr0S1XEvc/dbqZkXs5tooSbWPkRhb3KRbRx/czK3QkuF6EL5jU9icSHeDoua
++/r/2Z/Vt63oS8tz2/Ip815+/LezGMT8+ry6MScupwFOUdypIVhWNgDFqTDqpS7Ux5OYcv9rf4H
/Ez2BXxU9gQ8dLnRajxgsFWuu10Pu5hdTVepXU6XqTrRD2n2PnaaZutjoylSnkRTaJ6Q+JLFLXKO
YhGX/FJuTk/s1iV5vHMLca/0sqYBYXH5uoWZ7ZY7Yl+++YfYl+uWVC54b1/7J82x1+puWz5j+tJ1
lT97JLrwxl3bmC3ym5ZnY52/WfRs/x7bpt3zxu/vrb+/3/V1VfObq+vnd/T75c+at22fe8t9ODds
I0S+X16K8jNAfm+OpwA3E5efEJdLoet1XQqsVxgBGYiBHUolq11bXHSh6yXXWy420DXBheaS6xif
/6hL8i62BwNSi2ymyDPokiA0BSEc5BVPDA3jyHFr+YdPBagkDR5ACg63WwvMHqETLTbiK0DmoGku
WOR7xUdf8UCFf5afVhizDLrIB5oTvnPASsdDDrpIgy81WKZt0LZpTNFSNEoSbLX4zRUmsU43QEKO
qr2ykY9GdrZ8/0exUGx5Gy09DaG2uzra4PqH9sbWxTbRso7n5aV/PNh6qPfNK1tQowCyCPvsO9hn
82AJ1zhabskKl4ZsDtvNGSF/RkaIOnIcaAeaPPqhDJiUcVsGVTLyMoozDmR8lSGroYxA7noHsIGO
CY5mByMO07HVwWySw2awvLDbW5y3IUzYejNX8m4I+wLrTcMXykgNO2wuhYR1bzFx52XlFeSxAMtL
bXGZLk6D4UsrduX7vEoLCRthqoZ5Rz+y33it22DYLxYFS/mFxm/62I4j6WnHMSB+I8QTX4arrIiv
v1VECD6v0Punjo2s0Bfvi8SboTItG55JAfY0hcf9QG/xr/ff72fpvot8l/hYAHrBIGAvheBUGiyw
fWT7ysb+oAJgvUZJ2f7sZdkbsrdly9dmzch6JIs1B2FisC5IHXpIp6rk9Dup08mVJTuCc9FHXYwT
EeEmtaUWxRuykv/NKYfEAoScSfmQCfcukSxlKa93fzpoYM+iAVJQmnLVP2Zu27cEyMNvbIy1fRr7
XUcJkC8f+fP0X9z2q1fXQc9vrgfvHGnepeMWTh4+fUT/n/zipkOfLL93+brm0dWX5PUbv/nGRw6P
HSFWQnHeeEmK4LjYbHrlTUQBB1O4UmF4NhmmwVsi3W4vNgy91efzyI6lxAzKDTSF1NEs7PbJVZ0D
51Mv4+xNLfWv9NNieiulB9xH3HS7c4+TznMC8uVPZopDH/WQfa+d3oSWeD4+pHkhhUuSSJw3FeU+
gxQNCKrJhZmSIF98GA/5f3nqwaI77tnwmxfWt24r3vH8x7Gj1A4UsqbcXv6n3U/+qW7lPOiHo391
rF7KxjrqJET+bl5ptNqH2MFtz7JTN3dSNghf1CJ2YktrdV1GDV+rzecIpSyVieFY7jQzsLo9nLU0
mgFlGbAuA5oyICsDOjPgWAa0Z0Bi2o8kBEC7cVwscH1wPLG+ZXRf3xo3RoMxnkUeOjwEwwGkAOwO
nAzQp4OnsNeosFoFl5qhLlaPq9JuZZ/ypsKWMaD8z8vmsveYpDpSQ6mRVObwh/wRP4O2zk8eC6Ti
TBpf36oQ61tzLLmLctYb4Ppnb74G6/GkJDTvHAVKl/xmz8l/Pv3cwh078jeNW3nP3atH3snuvCv2
zmexU7FXN3R8IT8bOxgbNnra688+9UoFicvRKpSjNtQz5pvpnvWEaettrsWS6ZMaqdbCdYsZNOxL
bC4k1eyCLjW7YLsMTncPd1/3o27J6ejh6Ot41CHZ2LXKIwqVlIEKvZYuovgZQKdQ5hCrT3x4cBMG
+0J2mHgMkp1dkj2AB3Kzt8GX8GP4Wezm2NMxWxsM/RZcsf/4OrZPXhr7eeyx2G9jN94DGWADDTKw
BnaswRV87w5DX5tX2CjG25mkSaqmDNb4/unNRMWZQdUkzSbdLCt+WVYwrcS+3ixksIStY5Qwk1GV
7/lpKp83UOPAXiTJclvnCbOPJmtk1qWqomlhh1O7rKYw6oRxTjjhhHYnrHNClRMKnVDghIRmEYHB
nqIiccc/klogLOginC/4VsfcdOQizhoosmw4cfCQCES4PS0PRRN6qDCgzfTVGgQ0YIYKigoehwKp
hIGbQposWCgEDl+8w/mCZbNcKPJhDa7Y/0LHgfbf0sujq99/H/4ay5KXnv6ORjr+gLLBhk2+XH6H
BGCEud/ualWJYRhUNdC2BtbqB6fN5hA7BdRBVMdytw5BppuGMyXoXJ5WeF8Q1gahJQiNQagMwpVB
KAtCQRBQbLiD0BmEL4JwNAiHgvBcEJLAFqQFZgFg6k6RVCYyDnlOAJ2LK4miKgiFYlK28mNmUwC7
g0mWd9fmuunu51n5iIDRnp76GjIQR/abkxNLAwVibWByRTvfj+Psf7ynF7xczntt7lG+cFom3jAk
8RBEIhESSeyGBAJ8qSCXLxsINYgu73N18aWFH3ywY8eO2+64St6zIm3qzGlrTy9mS9e2PLHJ2q1h
n6Ny6SG/Ni9TW51OTW7VDezJGiwnpo/UU7FH49X+s2p9R3tynLaXJbbCrS0qo/PY496UUWIi6Kk6
RhW7R7ppT9SJalzNLilbuUqpVuYoUhb2NJbFqMF4nxXqUAT7mUfY9kLyCIWPfb5T6PE7tu3Zupfe
df2yhzuC8qGO6KNPP4L1vLfTgHvJO6illZia0/G4EjWJz8lL9qjeYifDCu9ipu5muwYUxgkuLTAO
RMTcf/wkmldyl2qp9i6GtEHDh108ePxbvReFlMsLikZea+6bPWoollSDs96DOCP0hAHm3FTVrq5I
T/Wnp6duSIfr02GLHX5qn2ZfYWep6f5su4oVbiW0NdvwtHr9rW5fanpKpl11yqRnCs4PbicKkDxn
A/V65OWZJsnEx16ZddTIA9SnTuTBsTxoz4Mq1K3yoCwPMD7e27rbiUfS9nc9vJm2v5tew3tafA+R
X7ztxEainthINCe2BeBz/bROB2eBOwuoC9Q3wu+H6Z4waGHYq4Oi5+l0I9vOaGmPhh50dAikLH9W
z6zhWZLDFXJFXGNcku1HjhWOTQ72kh389uH2CXbG9czJXXpmXGFBDcWaiIPBFMtW5cYrX8bp3Z9Z
3A+yy+7bdMOSqytWHbzj/efff3bgrl0gzXx83fQJvf/08tUvj2OllZdfVnBpqPfgtbPverRh5eQt
Q8dfnB/50aSS235VcjFK6UWomlwh7Do3WWBeaZdQEhnczYW6UT1fbrrA8HArr9MDxzxw1APtHoh6
4D4PLPFAkweyPEA8cKJb0lYPrPPAlSLpfNZcqrEP9cd9OLArLUudG3VnGuM7kka45O1mfAOp6vxQ
XoHac4B8bg7/xAYf6yBvCLuVLIUqtvUmYx5Uf4XoZIa+3vT5lLDLW6zIHoP/Gp4gcYBTcSwmZgqZ
Sbk1Ee/dXHV4dz8n7sj+SFzD5X0kruTyQNLuu/bDADzlhOMAmwHG+Bf56WrvFu/TXjbCgGfd8JAb
Vru3uKnPlesqcj3ukvxaT20gmhS7tX2a8hzXO7aodIQCq6Ut0tMS201hI4XRdCH9NLGS1/UhCbUs
O4xqWXYOn4iLwqiW4eRcBZtgDAz7+4S3Y7GvYn+EXt+B/dPxp2J7Yg/Hmukz8CPY8ts72mLPxjrw
++Iza1+Cn8c1C+mvOC/biY8sM/s51hs2sNk0H9cwvJOkeom6W4hUJVEfkwIOrcVu+u2oaQQA/yrm
JG2vd7naWUEsIZZUQPNmGIsMWqM36/QVA/Zh88hQx0BhX+E8Xu5p8NByV4OLAu/icxK1E+aUlIuW
lS/bUpmyt9Hx74Ae+/ajWH1bGyzf8tCjd8UWyUs/feLJjo5D9NU7lzavIwl5jdLlLHnt/p8krwMX
lNeS904uruN7nblYT77iutdcPSIFrk6pTXkihV3jn+5/ys9UX9BHVU/QQ68xphtPGWyEDlfrtfoT
OkMbscmxxNHuOOyQ3WqLulY9pB5VZbfcIq+VD8lHZZlAEyyBdjgMsip7W4nhbFV87qXMTGMNNLBU
M1O1Oro1DdalwZI0aEqDqjQYlwaFaXA0LTnCz7vYG9cnsaXncD0ZBhCxKM13M7svQdAhfwU19u1f
34t9C+p7P9/+f+7c8H+2S5HYm19/HXsTIt98CxednvDBA4/98cjj29/n5xw7P6alKAUYudz0ch+X
dywfF0YkCj6KuuEeYjAiAy0oMtoHDB7MnVjaz3BfMZ0qTIOD8DF8jbWGyRXlGuQCLY1NugMelO/9
brT8ZMLHZxCOFZlkmwZl0nrwElVqAVOBGYn1beM1XtuLC/sAzr3Z0qDTjW30LXnpqTQCnSdjE9kJ
yYsq61RzjtutO50uh+GocoPbDXbZ6aCDHYaxglBUg6lbdxv6CpfT73I5tzl3Oz9wssVOmIHaqxPG
OCHdeZHzEidjDic4UNV08twlussgburQ3E6vqrWaUg/qcCsKRhJDd7m4ktzpdrnJtEudbnfY43Wj
jnyrF2q8MNELI72AmlSKFxQvfP2BF4544YAXtnthoxcQqC4BVOyFvATcV174KAG5pxvwgnPgk8BJ
yCRYd5iDFtC+BNCy8wH9O4iSMNvPpN7sTBK/6aQXjnnhdS+84IXdXtjqhfVeuMULzV6o8sJ4L1zm
hYFeCKN+6QXqBYT/oBv8tm7wNd3ge/578BO7wacI+GlWhiPdMmz83gzd4SEqarBB8KxJ1GCCl7tv
FIoa+L2Ac+cJZMAqrPObgsX/To6SJHQSNAmXBDovDB2XwES80O6FdV5Y4gWMLPCCISLV7gZA5Xn2
Sr93n7Tyv7izem6GC8FN/h6E50UmLMqEWekpSi1AK5NwHeJAGRqXpXyTNmK5dsR3pFecYWTq3MgU
lmNi51aIqJzH3OBioEos1WUUb3Y/5KYbnaA5+zhXOtkq+912VBcEPiIW27gjnpLc4Cjhu7rsROya
sbsfuKqyV8WAnywtjE15HC4F1KlO/eX5P/ZZnXn77ZJ+ej8bEp9JFT7DhNn9j9s2hUJCdrg8o7yt
wRB+/Wlya4bRmmYE3OD0c0ck33K/6fQ7SO2QEF+7yc5xopZYkQOlORDJgbQc0HLgu1M58FYOvJID
e3PgkRzYnAMrc6A8B0bnwBABh0AI86kAeykHnhYwq3NgYQ405MC13SC/zYHPEtieTYBZMFhknxwI
CWwvnxJwL4kirfIsoLHd4JK4uhe5OAdghgAdIwrMyjE7QRKQWORzObBTgLXknAUFjhy4u1PAHRXo
EG7LmaBXikr0FKBnga0VYDUCXVkCo7sb2CMC1aIcaBRIrPKmW0Q93Y0oq5iQ4OcXInMSYEOigIgA
wDqdzIG3E6gtKgeKJCy49JRIw5xbc8wreN7mc6p7KsGVbYIyKzUk0B7OAdrO88K6HKgSNBXmQEEO
kBywJQdW5ble6GeMu/OOuPN5Wpw7xM8zeCvPB3mm5LggwoRzvJjqByS1X64PcoXw8HHLtc44Hkks
Oz75ZuYHmSczWSZfo9BU56g30t9Pp8IrMV1zjjri/shN97rhDxLslWCzDteoT6k0K+G0SNKNdLRe
uMrId/Ekg+93VwqfMKGeRvjuflx9VNQU7u95hiYZFNqkkrtj6pQfrCmlOyoqVt+yY8fKx98Yvfa5
ex6kdy3+2RUjPBd1DOGhuIq5Y0fbDiI2ZISuotCYOZDKMFhWZElZQQCVE5AlWZFWMOpnjGJaCVEk
5kYFS0GVFAwFFRzGhMiQmYzqBlBZDqs2GfWNZTa41gbDbRCycbeTr9+2wT4bbLGBlTBGJDhsgPGv
iPjVZ8Z32uBNkWWrDTaIXFU2mCAwhm3gF0gPHjsHyIKwkq2k7vEWLWeRkozfdCFakvHnpYITYb50
AVotkGnnkuL/XlKS8WdRUnIuiWVnkfKvmHYuAB1ngwIboD1IbPHJ+jweVOcZQmcnnX+S/ZfZLjDz
nj0Uu9ZwcVxYy7hFYoo9/9qtmEszZsjACpRGhYa5aeumjZSqBMAlAWQo1tyM5tkcUmn5s1uTZ9XW
WFViyvy75LXmSkpK0SooktegBe0iN5g/Ul1O188V1a8oqs2JBoIzrHuKg04gqrO3k6pgU3CcaK7N
oMpBGQcGc6qMeVUnGqmrnZOk2yRKJMmlFBQVFVRWDO0Y+qq3FM1qvirNn0orK8QOp7WhJmoorBjI
FUcTAPWNbA9IRW/s7lhDN9z5Rmxh7FIoib0EJdtZ9PQ4urpjPqe5Hi3IXsIPvxf5ozlMIvABOYnx
WsYW7ns6jq1jksaY5vZsIV7DS+3M6/VvcUvBLZrPY7q9ozzpK5VcstJp9lZuonnO5F55x37j+L6I
MPi6PJ3EvnnFnDjzr97eE25M+XMK1ezl9gY7+9T2rY3aDKcxymEL2agk+aUJUo30gXRSUtTcXnf2
oizgC+QG7gxIG9yQp9+qb9TZHjsMVIerE1Q2UB4uT5CTSyVkcnz7qhyKxR6Mn+Za6yTxnSyIm5rc
l9sL2YVtdXs7vnzry04COR1P3VO6Zt3DbXDxrXdsXtbz8uFDht7LnGPKY98dejf2CcyEa2EO3Fy9
dmLH6Zui97Q+npJfPMF4NHZC2OSxCexj1JhSSR6MMfWgO6/V6Ux1ukelt6akcFk4F8POFGeKntHq
N3Jb3TroPnlToWIq4xTGhDuRy5Ph4XuX6cHlqWZ+aj1V5PBSj9nbU0fNfAjnw6F8iObDOhEm+TDu
aD6058OV+bA1H5bkQ0E+uPPhRD4cFgExwcaHzOT4GEps4qbtT+6acQ/muANzhfBswAksImawsniL
Ve/OhqezwO6Gv7lB9sGHPhjtgtG9YGQPGBngFoicA1fn1ObMz/lnjiRnwtWZtZnzM/+ZKS3yrfZR
1R1000Xu1W6qGbpnVJMaValE0UQ/YBwxqANCQMV0FrG2z+ILQSJUcYaXTjeP8UHneIx//pd3Xyv4
3ePL75zT/spnJ/e81tjdczzrhVfmrGm45YZ77ob+YOcO5Is7srr5j6PGG9tN64WnV5EZhLBKcKQS
t2PpAgl6SyskelgCqQCpOm4caS8agCPS4s1jk+wAFXyHgfuZlQQVir2K1o9+4/nn3xjdumZV7P2C
D2EbyCDBtg8LXo7VfHUyNpVr2MOxvGxR3jAzrIQJSWN9WCljNoblKq4qFVTdvnQhW8kocxtHeLkV
WLDwJ4yX/UQfGfoAFl9R7kvhzm5q72LvoIG095p46Wta5UMfxq6LnY6dil2HpcMvvvsK7nkZS+fv
QnoYZ3enNMSc0M4Os2OMhRhoaF+A0+GMT/PU7rDfZs3ykmbTbmMSBiVZtakrFGwXRb7WAYqDTzgM
p4iA7AhrzmIbvzGuwPSwG8URBsKZnamKXXMSt83hkGQKXkWoB8QA2ungPuaI9oQNltjW2bbamM3G
gRkjqhJW2hV6WDmh0EoFxhF4joCbZJGjhKmMmClpo3Qyn7qUZjpRR9EAkg7ffaXDBzoc0eGADtt1
2KDDMh0W6DBSh4ECKEUHhPlIAGzTYaMOC3Wo02GCgCnWIU2HkwJgnw57dK6V3apDs4Ap1aGnDn6+
sg8vf5vAskdgaeiWXxNJe0VOzDZR5Iwkclr07TM7Rdb7BZEIOFeHGgE7XJCakwDfjOS+rsMLOuwW
VbLqUyMovqxbrbD2X+rwng5vJuq2PgHcvXo9E8DJSj6WYMStCcjhAtIqvuGrbkitqi5L8KM7RiWB
cY9AZ9WpIVGh4u41FzDbdXM2rBTVhipRak9B1uCTorB9AssSUdIYHQoTnD8lkraKAhYJNljsCulw
QhTwiuCT1e6YWqYDNXQguhCIZ58LPEffqDw7/XtNiu9dELiww/i/0HHOY3Xg/Mo99rh3wRwPagNp
BQOKhFJQUVQkvImLigYPJqlc8ykyhCM4Birm8B1QrjDMEQf2LG0h7hd+5g+Ibf6EflRs52dSX5Le
kj6V2AF6hH5E2RAZBgLk83NTc+daMyzkMrGf7cM/+eHYKxtjsdbYK7t//8WDJ37PlSQ28vRTqCj9
hfXkF/cIQb0jW5x4CoFkjjVa7XY+RybdQWThDkJdJK3V8gdxpiyVhSeILnxC/i1/kMTE1uUqeMah
p27GmTlES01LpeWpDalU86f5abm/wU//LEO6Ck+p8IEKshpQ56vLVSmdwQcMZBZg89lyJqnC/cPs
FUgd1RJ8LkibAtEAdWvg9nCP2UMqLFHWKbSdL0eDo6uNLa9L0YhiguvuJxL4v/UTWSgf6sjochMB
UscWQZZYnw6aDlgiMbklKAGRUJE8TsrSX0U1keWyQUWQldvYe6/0YOwN6Pc23wPqPAF3Sr3EfsKg
vUTpbDd7oI6nRInh5MqeM+r1MfdOUwukpgV21hRae/OWN2oE/xBvtw07X/fNu9CAkSMHFA0fXhT/
lXqNGDBgxAgMnm7DyOHDMWStrON0spQ4WdDsdOB0cYvd4bfbHZokSzfbNQxqDirz6cnO3FKWVCAx
VVIdQFuw40AZgSsJaPIS1XTzaVs9oVIns6t2MuNSJtntYbcdHMyl29EARflic+jQacmYp4WQmCEE
zMCEaFktRM6QhCBB6EOPiOSwkD9EiLnDAjQqZJQlDS0RZgpIQwiyTZY82ifQWAIL4cYJgVWYkHaI
65igBWHWcVzmH6Gpm1izCk2WeFZxybKmJQvqXkqyCAv/sm54LaQWRqvGFjqEL+kuRJsTiBwJRE8n
EI1JIDqVqKclsGmTKN8UshfpzxJMS673Vn6/lfh9Kz3/3iKtBZXQfrtOjE+2jnVbFqMw8qx1HByJ
xnE0HQsOT64Q0rOoqP3sMzRCXIwMUOhFB9GrKRskXy3TT+yw1/6Snf7Yfp2drrWD3VTtowJarUZ7
aVDMJrI6diuT3kINx3CgeVOIqXs00FByPO5wj9K4G56BcddKqyX6EiqYhuoQ7mSRCP/jJ48j8Qrx
RR40RPm6DkC2orTFxm2MDX8wBm3wKI7we09NkbaeqpKXnmqU7ojvhH6DctYBD5hVqF5RCszOHA7u
pbeCOFC5c9g07TY7w5HFhgvRZqMO1sLWMr5xpinErrlRdHjfoiDTVvoAZfYq0kQoc1CmtXMvvrV2
6sGxBYTwLc9b3d5iQkwUJiRMqEZcNrZcNokMduaUa2mZC7Jc0OmCoy445ILnXLDTBZUusOJbuoXd
Lii1zn9tFQe5qkSeZJi44IQ4I5YEMF1QePZJrzNafvIZHaeb70dHuzhLFT9AzgVzkXFgQKVw1yrj
rmBlYmINFom5c2xESiwlrLAt3metzCd2f22d7Y+PvWqUjbMiN9J/lORodlBDMzFOM/HZQSHVBWOB
pklgBFKLId7/+LljInaAwfLW4Uevvnk1tnLRjh3w9IuxBirNj82RD52eD6/FqrmXO9+D/BwlpY62
exbZavYjWevD7kI3WgluNWW9jQXXq1xDpi6ZqL4WpzO0mGWnBFtUM6wmNin5fv3x0gI09bjtV2C5
s1cmzyOZl87IWJSxJYPNSFuURhs8Cz30iOsjF/2tLg4a9HQsc2xwbHMoipQi3SptlCQ0foopvcgP
xY6JDmHLJdoh4X+eHXeSFj7SA/nLPuI7+2z3hm2xI7/r2EH7fAzSyo5+cN2aJ2NtsQdh2v0HXn4o
to3GQk/e+sIH8tK9v5q2pfeCqQdOPbF28Q23Y0fLYm/QNfJWtKBCZIp5iUFTbFGqE/o4MUMuSTdV
7JHiJlMq73IYRppDT9sV9hX6TN9Wn+TzZfTYmQH3ccXBOo514DX8MSzXJu710Z7+6tgPjHYD2cVf
/qAEUpITW4l8xhNds2jQ8MsGDB7/VmwvhoYNGHzVW/KkoVcpowuLRl77w9/OHtUtzFcLQuz3dKV8
r6D9WtOV7kxzPK6TqOlXpHTsQ49ztyvel3pw+onm1HaxdI+ue5hnVzB4Jt3HBdUHjOMH+Ek6i25s
4ZPt73Ciz/DL6nXGE5XilPZeFFufdNiStp+X6FFDxarRCfYlUp1KepJ3zXqPpmq3uD1+t9vzlRs+
c4PmVj0e1a1JTkrWp6amrKeSM40rEGnRLK/mhm0qGKqpLlHb1cOqrHpQxDh9LYVykxyVj8mS7CYo
LlB7QQvU4eyxM8fslZcj1A3L5QzVNw9fFZtcwV8HEOQOWaSsI/IaX2o67sGIAvyc46OV/rQdFqAY
preo61W6Owh9AnDEBnkobrkNqumeUbIUkCjf9rdOqBNuUCObhFe/oqi5P6AlxfE3P3RXdOpf3/cX
SB25cmoNvYeVTRrZMODXP7+nHeYWjRzJNRu535x3d4z7xbyfrJrVuKXqkkkzSubdUXe6NKn1MHJN
Zz/Jr1xGskk+KYAhZnlGQf/M/s6c/N6u3hhY4+rtd7l6r8yEGZkwMnNiJvVn9syky7ioK3SZrnGu
JpfskHpn5mQ4C1z9+2g9csXZRdMmzi3mSrlbFCalbUk3eZ8yf4LR6ek9Uvw9tgR9dZ4FHtpAFpKV
hPV39XVm9iY5fqXAGWQZOTl982x9V3vS8lYTc5xnnYe6PWs9z3kYV9HDpIpIGrvY00gLyUy+6ie8
OkQDYR/cx3skWh7v4NXlN4dqYvurnqKkl3r78VeN9qTTOm+5xCk+0XYSbztVHyp1Odk+4fZl+Sj3
5TCd2J8sp7RlITRFCG+1ct/A4pJBRYGUoJrXG1Vo/iZHRQ3kDsrrXZIS9PRnskdRAv6gTzRj78nv
HJzx5/svXfzCzx6KXP3hCzM+aS848PjuSdUlsO2Gnx28e+6KBUul3K0vGdu3+5s3zwzGinpPunjq
LU987n/qKccN997goJ6h+de13AwPO5quWXVpRy//7VXjZ/flqzrcy/nH3E+bucxS1aYqtluspRRV
UW3KzbLkl2WpDV4E2gdKgbZJL0q0j1QqUZBUlcmKjTDmleNrIyq0mJIk24giZ4mXOFURMEmUUC7f
D5Gj5Asiq8xOrqeavICW2rkT9alP7VCOxpsdXrLDQ3bYbIeJ4hHTvrXDSpGaZgfFDi/j80cCbq+I
QogDIs9CAYQm4KciCTP3Qf0ZcWGGIwLoMTtss8NGO9xih2Y71IlCLrPDQDv0tIPXDpIdTgrsb9ph
nx322GG7HdbbYRmORTtMscMEO4wUZSB8ioD/0g5wzA6HRYao3fwMttphgx2a7FBjBzOB3I8ahx0a
EPsHCeDdgpp1dlgiqKmywzg7DLdDWEBbpBxLkBIVwBsEZI2gA1EXCtREQO4TqJYJgAkCT88EnlIL
yzaR3JTIb9FlFYM0tQuCLBRWqpX5A5H3aZEd89IqUWwBV6XgXK34AksE37fYcJYOXPmvnB+66UXn
RMSXjOPDew5fcuCLDqkF/OU/3INKnDQvLSgqEqMWdeUz9lni65P1MkxD+3cOmrlcc+XbKPKPO55q
63jmVXgD/iovPX1Xx4c0xOo7IvQP4iTxh/Jb8ZPET5iZ3juI5LxD8bkXc+ezRhpYzJ3PZtIlaRBO
g4qzjzp0O1FcsccPG4MgpfhTKD+tQTf7UAUPGXSzB+0bv061BS5UVuoctzrYw7x1Btp329kDfC9t
iI3epsJtMjikIRJ9GAcmHUh3o97LCBTCOGB6fAu265MI83Vg65CEuIN1TkJsPrAsKINFsSWxA7F9
scVwPYz6HJyx//j089gJtFvvjc2K7Ym9EJsC98IP4Eew8bv3YRA4QIVLMMO3sW9iLwov7Q/lPihb
PGSVOcCjMucdzGe08NOls6kN9TuvKk6AJD0YlwgnxiofjPNB2Nf1vrdz2RZ3pTf7uF2VrhbXWlcn
Ko+OccJTUHJY9naLJHGpG6ZNOKlL8YMNWGE/r23i2Cg/SCv3ib0W+zx2PPZa25t7n33nUWr7JvYH
yP+atZxe0/b7N/eyRuEJ1yC1xD7DOdB4AvgLrCSDn9cteNV6hZXUcmq+tDrWcEvc606+XLxt7g0z
+yxb5uakLXOLZcuIbefh/mBxDYM9llFTyRqFUaPYNcZNGj/tSek2CvdR4MYMmjBh7kVYRajKuN3S
IptOuZuqzM/08xcucOOgQrwCiy+vJSyD+DbjBW0DM6BpaVqpxvyXwOWwChhzAwTEHiO3NM7Q/OXL
P+p4dHdbGz14tGMNPbit4x15aUcV3dqxJ8GHXMGHCrOErbfZZIfCQLZDCzFdZDZVpTjlYWEdRRMG
UpMwnMaJt2ac1QkS/qwd7dyhtT3+Kr5cT7agKBsbM3fv6S/b2pi+l97TUYPU7KY/JnHP6404UtPg
CnPeReQSQgO+IKHB9aY7tSC1LLUxVVJZaqrPhcLNK9nDulFs3+AIO0zVVuxwrbdJvvWmeBOPXw4G
jYCD+2M77AGsCTFz81FvT80sFlaMh4WwasZi/ooeHPninTzhUNexz+NCQiUP6u6Pv61M7GmhrCrr
OIBaRpp4jRvfHo6nYYqX6yaJ9U59ewDe80Cep9hThzo270OVqGYcd0Mfd6m7wc3cBj5+rsD7ElxO
riFPkZeJ9JAGznzdO2qQ9wkvDXh7eQd5H8Dgh15lkA4BvZc+SH9C/1CXezngCQ0GqcvVVvUBVRrE
lrNW1uXaHRHbXfFDd+W9lPg5q7iDdwCDA0r4S+fkjZ/GdsXuj1l+3peenPCXWOep2F9gMKR8cFts
MR26cANsgR/CZZafd9u3sX/EXp0AZffE3/OjzuLra9JPzdF8hyeultgpozc77H4cTXyH55auHZ6b
rR2eRxwQcgxx0Ee4qwHKxgcYPMD2sz+wD5nE+PpFhs01ijCI7+8wmyPiAJcDzt7lsbZ4um3smGSJ
pcjgqNPJ69StVCr3KYeUowqaAeJlIczDXMrv6U/FJkOJDkEdVB2+/VqHgzo8qcMKHa7XYZoOPxXJ
vQXEH3XYJOInJvYmrHhFB8z4cSLvrxJ5S8TeiYX6pY9FfoRo0+FBHe7S4QaxgTFJh8E65IuNHYT7
RIe3dHhRwGzWYZUO9QJmtECXqoNNlPSiKOY23eyEUSK3lbL5YAL5bd0y5id2jRD5n8Tq21M6PKzD
3WJx7kYdputwjQ6Xi32kiwSwHZmhw98EMS8Lmh8S9KxMkG3BX6JDHx3SdXBicR06fK7DOzr8Todn
dXhEh3tEATeJRdDrxJLeULFR1UMs+J3W4TMd/iIIeiYBT9bo0KLDLB0qdRgrFvkKdMjQwa0DFvCF
KOCQKGCnDr/QzfWwVofFIse1IscQHfqJDRsXcvaUDsd1eFuHV8XS4q912KLDGrG3Y2UYk9g8SxM0
fStoekfQZNXhF6IOi0UdKgT8pTrwDFk60E4djurwnA73CaorkztBlpbUzR/sfErS97iUns9l9ftz
XFCxuyAB5136PDs5sZYkJuXue0PWzlC3jaGKiq6toYjYYLdWti60KZQ4R4zKO0q7h2ToI8EmCe6i
sB1gHwNSAXMswoSbjOUpg3/qrNjsaOye2Ipo7OZ9kAX1T0Id9JOXfrdYuvtUnbz01AZpJr9QMo3s
/FDiK//pZKWZT1JwHtlCqS19c5DZtxAHaDjRu7bYfGnGStnsId9EyeoUMwXN2d12d3GKveDAmdrM
PpLwOxFrWh0HPKWJRa3sx5wwQalRmhXG3UuaJaYaTvco8YIFvq1D+eJhBCrih3els16Yk6P25q/l
hMunTPkQfLHP3v/2UNGzL695um1ddfldLKOjhU3M+OfLr4h35Dy6cvnW7Ay6Y1tib0XsyXjoIrNT
YlQxxd6K04v6C5UXS6ZkZmYWS5K20216fe6dNYUNPjjgg5U+GO2DYh/k+eAtH7zkg+3iZZh9fJDm
A8UHf/zWB0cEnAWxR6Rhwl4faD6460sffOCDN32wzwcI+p4PXhfh3T643wfrfbDMB3N9MMUHE3ww
3AcDfJDjA78PJB98KeCtvI/5YJsPNiTgaxLwA33QMwE/7aQo9iEfbBYULRTEX+qDfj7I8oFbHLH5
wme+Am/74BUfPO2DR3zwCx+s8cFiHzT6oNIHY3wwxAcRH4RQXfdBhw+O++AdH7yagN/ig9UCfoYP
rvXBWFGCxQ+ELznlg8/OzJAkpkFksApAkjJ8wEEtWp7zwU4f3OeDRQJxkgQkmh4SyZi21gctQps2
ExXqtth8hgipnDv3gmP4fPLg/D6v3wM7OenVc+YZ2rnJs5ndVsysFTJr5++sg3Utveb3+W1NYmNu
UMdg+iJcceqa5AIVt8hiv5ffFn5iOeSUOexW10eur1wszdXHNdq10CVlrFclj3s9f9Fjk3+JX0Id
3BVcT3yuxfx/aqUvtoexe/e0N9JcCZW3nhDuCRVdry7gr2st4AZI6Ts4YjsOlHUdqpu3JwfC2YXZ
tCCrLIs+lQlP9YCCUFmIhtMK0+ieVHg4ALc6Nzo/crLrNfiVDUbaFtgO2L6ySb9SYKSyQDmgfKVI
T8iwnR1hHzE2mr5E6fasI1mUv3aFOlJCKZEUpg7SR+j0U+e3TrpM4X40wpQjZ7eBeFtl0rDzEzXx
KoQ81t3E66UkbDsw4abYt+9V/mrCuPS5V0Sfr/sc9NiJvwljL5Sw8WIzY0+ejt30wzuNtRk3Q4Ew
+BQYkjT4+Mamddn/0bu00j30nyRkE//55P73M15I/BcU/oYqdZbC/1edGv+fbyKP+oPYFWRY8p+l
ADnzM0LBKGke4f8z7Hl5ItkmvU8ieG2jD5PLML4er/H8/4nh82oMj+PP4iIkC+MzMFzC/78YHOy8
A39XwEGyBn8nygfJNsS3COE4/Or4sx3z2Pgz/t6LaTUIvwjTqkTZ80QZojz83SaRzpMKL5cf7p9H
SpP0YBxewzFfGs8DK0gd5tmGsJgHy5oo6M/CKxTPcw0vWynFcg5iufM6T3IYThOPU9eQLIQZKXDg
M/Ilm4wlD5EPaRFtoD+jB9hI/K6Xxkr/kH+u/tom2aJapr3A/rD9pOM3zitcY1zP6lP037rLjQzj
DuOAZ6PnuHet95++Bt8Jfy//iJS7U7ekF6avChX18PUY02NV5oGs+Vl3ZL2efWPOtJzPcy/PfaDn
2F7FeX/oXdP75d7H8mvyH+5zS+RQ37J+9/avEC02gr8KWLQXJQYpID9BC/AVaSrG8dQgpCfb9fFk
G/M1yMfjYYp94tl4mOEMuy8elhDm3XhYJk7ySTysEI2cjIdVMpV08JIkDZHWQVU8DMRPD8TDlOj0
z/EwIwPpJ/GwRPysRzwsk1RWGA8rxMtGxcMqOcCuiYdtZIAUjoc1MlgaHw/byTfSqnjYQYrlW+Jh
J2mS2+Jhl3Okkh8P64R4Zw9vmNbQ3HBjbU24prq5Ojy1sWnh3IZp9c3hh8IDCgsLwz+cVlcdHts4
u7F5YVNteFjj3KbGudXNDY2z+4d/OHNmWMDOC8+tnVc7d0FtDY+cUj174cPhhnnh6nDz3Oqa2lnV
c2eEG+sujClcPbsmPKt6YXhKLSKa1jCvuXYu0tMwOzy1dm5zNf5Onz+3YV5Nw1QOPa+/VUT4h2Mn
jK+dNn9m9dwzMfcLdwF0hSbWzp3Hy7q4f2GhFZtM/n9KLBlOGsg0vJrxupHUkhoSxqsan6sxNJU0
kiaykMwVUPUYG8YRFSYDsC/zb5j8EOPrBOxYhJ2NVzPCNyGmMEqsRszZJO7VogQO0V/kmonfcDe8
88RTLf7W4u8CQUkCcgrmnk0WogEdRngOyctrFlhrEHIW/s4lMzCuEWn5z9AUFiXwunNcC/F3ioDm
FE0TZTYLuiz+NIgcU0UM55P1PJ3MF/WZhzANmJrAPQ/r0a0Wgr6xZAIZL3DPxxRO/ffR3O9MPiQx
nC9uoqBqXrJeF2PpvKW6w56T+380Z/9vKfq+HMMF5PWi3Gn4fCVC1okya7+HX/NE7DwRqhWU1gku
Wlh5WVMFdh6ahakzBR9qRG/n/X92vPbNSEuCP7Pw3ixwTcVcM+N5+HichVit2kzBWA57vRi/9aJ9
eA4Ov4P0FbjmizHLRzHPMavbKK8TfOE0TxX8rxW8rhH1ahK9cqHgMB+dzRhzCc5ZBVgW//bH1Gnx
+pzJw/5xGv9zuQpEvllYesFZ/JmbjKkUrcPDN8Sp4/AunF+uwPaaQEaTkXgNQ17w8JUYy9txJN5/
LOJHYMxP8M659SMchSPwO1bETsA4lzj5YcdwfbyFz23HRHy9eGpC2hoFxFwB+18ZK/nxsdmn27hp
iEvH+aJ38TblZSzEHPOTtHDuLeg2jubHOTS3G53WOJsl4C0KOW0z4717dhw7byGrN8wSsc1CCpfH
S6vH9AUCrhHpSIzQRO+9MMfmiRKbsQ9UC+xhvBrilM2N9zoez8e21dPrBFdnJeVaON5b+RiZJsZG
Im9X7z+3lJq4hJkrRst8wYOaJA8bBe0JbiT41MWRqYIPXfyyKOl/3l5ybtld8mGBGJHz8Z4YsdWY
Nk/U4lzcV2PJM0W587q1cxfnrVY5U2ZaksOSRU2Cjw1xufXvtHBYxFSLcELyJcrl80BNXD/g/Ko+
Z97um4Se262XdvH0+/kzMy6Vmkl3GdiFZbZ4akqm8FpZfMgng8Q4uV70jBminbuPpYR866KtEWFn
ixE7X7QEp6A+WWOrzO69PTFjWWO3SxtK9MXz9a7vq3P3njNa8Ofc1k3M5nMwvlZgT8x1Vvmz47Pj
7LNaai45W5tK4OZ1bBR6Rg2x5t0FCFeLVJ2vz1+4jyTwWeO0Nt4ONWeMwAS+c1vb4phVg2YhF5q7
je1EW1WfxeXzj8vvk1QJ/n6f9J0quJyYac+kyaoR70eXdMN2Nc4YP8TnwWQgKUF9rAT1qsH4W4jP
lh4cFiN3DN4H4jcf4/ogTAkpwiuMVzH21lJxdWHl18h4zc+uXXdpnZgJ5gtNY1pcfzpzBDYJmVEd
z71A9MCGuHyZH5eTtVjjcDy+NllLTsV/Zn5OpBWcRfuZczK/fhzXOmbjfYrgsNV354t7bXyMW3W8
QoyjG+Np8+K9rT5OcV1y7ud5fiL6Ma/HfNFT5scpmBufGX4qajwvPtfU/rfUdVyS301C5s8TcqK3
oNvq5bO6SalzR3V1fLTNjM88NWIeTOgAHNN8kduSXt3lXe0Z+S4sPyztnvd1DjEznqOv6DW1GNcQ
j7sxmWOekB7N8TiLV3Pj4/y/k7PVgvKE7lEb1wvDZ/GWz33/iFseFlenilw1cSnSGNdRPhXwDYLC
ed3Su2b/BpFvYbdcNfHeNVXI1K5c84XE63vGyKsVvEq0wlwxe81LzqTheB+uFfPpT+Njk8f99/Cy
Ni51uiRgjRilVm9pOKu3NIveUi3whpN6R0JvaxDpDcn+eS4vquP8aBC1tTh+Jk8au0koy97pHR/r
Vgk34rfx/zlvWHwdtjfZeL7/Um3uqjzWeIwePZYS7PHmH/C26KaU0KKb0sI3bL2B/v51jFhwPd5m
NeFtZiPeZsxOCV05u3J24+yW2dKSGdEZ7TPYjNktc9Ob5/sDPaZNx1tdA95q6/2hrNqW+rX199Uf
qj9arxTWV9Y31T9X314vP1cXbWhvYLX1y+ekp81LuXFYWvZCvCh97Xcs8nw7i7QvZxFzn2orXfsh
7PzwuQ/puheg6b2d79F3nmORvZ3t7MvH7PbSNvbZY60s0sb+Jn462x+PpmaUclfSlJ0YiO6kkZ3L
U7M2b1EiW1rlyIY7eFKG3j93/R1y5I475cidrUpkUyuNNLa2tK5tZTtbgeP+Dwv3383Cv0oR8y++
lNLnnqWR3+C181lo33V4F92FWHcuh8jPlyuRNXitXK1EVuMvJ2FJJCJI6L8kK1y6pIVGbrmZRm5u
USKL8WpBoNvwWoHXMryW4jVuOaxbLgr+1HzEZisNlQRSiwOBQQHvwIC7KOAcENAuDij/X1vXrtMw
DEXtpEALSVwCEYUopWpQqeoKEEggoSuBUjplSUuHmEo8JHaGsMOClIXHH/QXbrYwsbLxCXwCnwA2
dOBl6fr6nHuPLd3Vrw1HX3fImtNYtZqrrMWtNmd131rxWXXZqi0zVp41StMzhrrUrxcmDEI1ddqB
35MR0dQT+xf6SH/RJ/bYCbtiI/bEXtkbe2fFEmO06FLPrEwtmU55wbQL82YbWtCEBqxAHWpQBRcq
4IANDEowCToQiLYo2iEJBwHOUekPA9ziYa7X+rjJQ5yKhnFG6Z2QLGppTskAC2muSWd3joZxThdV
+MZ9JJQSDE9vbkWmkQBpiv5hrNx+L8ZampfJIM40GgghcCeMYpUluIfn6svZa0/gpho8eIKEuNtD
1w/4f+04OU6S5DuTNRtdbHXPsN09PfiRS5PLP/rLLy35HaJcTvvJdWJXKOMcK+jLgkjRWDVe+LNP
spIqUNQPQiz2pUVDXPIleJZgWwLDV5slH75TIDAKZW5kc3RyZWFtCmVuZG9iagoKMjQgMCBvYmoK
MTkxOTMKZW5kb2JqCgoyNSAwIG9iago8PC9UeXBlL0ZvbnREZXNjcmlwdG9yL0ZvbnROYW1lL0JB
QUFBQStBbGJhbnlBTVQKL0ZsYWdzIDQKL0ZvbnRCQm94Wy0yMjIgLTMwNiAxMDcyIDEwMzddL0l0
YWxpY0FuZ2xlIDAKL0FzY2VudCA5MDUKL0Rlc2NlbnQgLTIxMQovQ2FwSGVpZ2h0IDEwMzcKL1N0
ZW1WIDgwCi9Gb250RmlsZTIgMjMgMCBSPj4KZW5kb2JqCgoyNiAwIG9iago8PC9MZW5ndGggNTE1
L0ZpbHRlci9GbGF0ZURlY29kZT4+CnN0cmVhbQp4nF2Uy46bQBBF93wFy8liBP0APJKF5LHHkhd5
KJ58AIa2B2kMCOOF/z5961YSKQtbh6b69qHpItsedoehX7If89gew5Ke+6Gbw228z21IT+HSD4mx
ade3i17Jf3ttpiSLc4+P2xKuh+E8rtdJ9jPeuy3zI33adOMpfEmy73MX5n64pE+/tsd4fbxP02e4
hmFJ86Su0y6cY87XZvrWXEMms54PXbzdL4/nOOVfwftjCqmVa0OVduzCbWraMDfDJSTrPK/T9X5f
J2Ho/rtXrjjldG4/mjmWmlia587Uka2wfwE7cgH2woUHFxwvwaWw3YEr5lTgFdmCX1iTgzfClYy/
Cpey7pYs+TuyrPvG+hV4T0aNyZnvwOqPfEP/cgOmf4UcQ/9yC6a/Q6ahfwEfQ/9CMulfCtO/knz6
e3Ggv4e/UX/siVF/yae/lXXVH5mW/iX22dLfyzj9C6xl6V++gdV/D6a/Faa/R76lfyWZ6o/3YtUf
bpb+Dv6W/k7G1R/vztLfwt+qv2SqP2qc+mPfHP2tjNPfYf+dnh84OPV/Bev5kbnwt7mBv6vIUq/n
B8/o9PzA2dG/gI/T/Zca+hd4147+hYzT38u69Pd4Lk9/D2dP/0JY/ZHj6W/xfr2efyMNpZ2D1kLv
/2nZtL3Pc2xX+UBIn6JD+yH8/YZM44RZ8vsNeOQKfAplbmRzdHJlYW0KZW5kb2JqCgoyNyAwIG9i
ago8PC9UeXBlL0ZvbnQvU3VidHlwZS9UcnVlVHlwZS9CYXNlRm9udC9CQUFBQUErQWxiYW55QU1U
Ci9GaXJzdENoYXIgMAovTGFzdENoYXIgNjgKL1dpZHRoc1s3NTAgNTU2IDI3NyA2NjYgNjEwIDYx
MCAzMzMgNTU2IDU1NiAyNzcgMzMzIDU1NiA1NTYgNTU2IDUwMCAyNzcKNTU2IDU1NiAyMjIgNTU2
IDIyMiA1NTYgNzIyIDY2NiA1MDAgNTU2IDcyMiA2NjYgMjc3IDU1NiAyNzcgNTAwCjIyMiA3MjIg
NjY2IDU1NiA1NTYgMjc3IDU1NiA1MDAgODMzIDUwMCA1NTYgNTU2IDU1NiAzMzMgMzMzIDcyMgo1
NTYgMTkwIDI3NyA4MzMgNTAwIDY2NiAzMzMgMzMzIDU1NiA1NTYgNjY2IDc3NyA3MjIgNTU2IDY2
NiA3MjIKNzc3IDk0MyA1NTYgMjc3IDc3NyBdCi9Gb250RGVzY3JpcHRvciAyNSAwIFIKL1RvVW5p
Y29kZSAyNiAwIFIKPj4KZW5kb2JqCgoyOCAwIG9iago8PC9GMSAyNyAwIFIvRjIgMjIgMCBSCj4+
CmVuZG9iagoKMjkgMCBvYmoKPDwvRm9udCAyOCAwIFIKL1hPYmplY3Q8PC9JbTQgNCAwIFI+Pgov
UHJvY1NldFsvUERGL1RleHQvSW1hZ2VDL0ltYWdlSS9JbWFnZUJdCj4+CmVuZG9iagoKMSAwIG9i
ago8PC9UeXBlL1BhZ2UvUGFyZW50IDE3IDAgUi9SZXNvdXJjZXMgMjkgMCBSL01lZGlhQm94WzAg
MCA3MjAgNTQwXS9Hcm91cDw8L1MvVHJhbnNwYXJlbmN5L0NTL0RldmljZVJHQi9JIHRydWU+Pi9D
b250ZW50cyAyIDAgUj4+CmVuZG9iagoKNSAwIG9iago8PC9UeXBlL1BhZ2UvUGFyZW50IDE3IDAg
Ui9SZXNvdXJjZXMgMjkgMCBSL01lZGlhQm94WzAgMCA3MjAgNTQwXS9Hcm91cDw8L1MvVHJhbnNw
YXJlbmN5L0NTL0RldmljZVJHQi9JIHRydWU+Pi9Db250ZW50cyA2IDAgUj4+CmVuZG9iagoKOCAw
IG9iago8PC9UeXBlL1BhZ2UvUGFyZW50IDE3IDAgUi9SZXNvdXJjZXMgMjkgMCBSL01lZGlhQm94
WzAgMCA3MjAgNTQwXS9Hcm91cDw8L1MvVHJhbnNwYXJlbmN5L0NTL0RldmljZVJHQi9JIHRydWU+
Pi9Db250ZW50cyA5IDAgUj4+CmVuZG9iagoKMTEgMCBvYmoKPDwvVHlwZS9QYWdlL1BhcmVudCAx
NyAwIFIvUmVzb3VyY2VzIDI5IDAgUi9NZWRpYUJveFswIDAgNzIwIDU0MF0vR3JvdXA8PC9TL1Ry
YW5zcGFyZW5jeS9DUy9EZXZpY2VSR0IvSSB0cnVlPj4vQ29udGVudHMgMTIgMCBSPj4KZW5kb2Jq
CgoxNCAwIG9iago8PC9UeXBlL1BhZ2UvUGFyZW50IDE3IDAgUi9SZXNvdXJjZXMgMjkgMCBSL01l
ZGlhQm94WzAgMCA3MjAgNTQwXS9Hcm91cDw8L1MvVHJhbnNwYXJlbmN5L0NTL0RldmljZVJHQi9J
IHRydWU+Pi9Db250ZW50cyAxNSAwIFI+PgplbmRvYmoKCjMwIDAgb2JqCjw8L0NvdW50IDUvRmly
c3QgMzEgMCBSL0xhc3QgMzUgMCBSCj4+CmVuZG9iagoKMzEgMCBvYmoKPDwvQ291bnQgMC9UaXRs
ZTxGRUZGMDA2NTAwNjQwMDc1MDA3MjAwNkYwMDYxMDA2RDAwMjAwMDUzMDA3NDAwNjEwMDcyMDA3
NDAwNzMwMDY1MDA2OTAwNzQwMDY1PgovRGVzdFsxIDAgUi9YWVogMCA1NDAgMF0vUGFyZW50IDMw
IDAgUi9OZXh0IDMyIDAgUj4+CmVuZG9iagoKMzIgMCBvYmoKPDwvQ291bnQgMC9UaXRsZTxGRUZG
MDA1NzAwNjkwMDZDMDA2QzAwNkIwMDZGMDA2RDAwNkQwMDY1MDA2RT4KL0Rlc3RbNSAwIFIvWFla
IDAgNTQwIDBdL1BhcmVudCAzMCAwIFIvUHJldiAzMSAwIFIvTmV4dCAzMyAwIFI+PgplbmRvYmoK
CjMzIDAgb2JqCjw8L0NvdW50IDAvVGl0bGU8RkVGRjAwNTQwMDY1MDA2OTAwNkMwMDZFMDA2NTAw
NjgwMDZEMDA2NTAwNzI+Ci9EZXN0WzggMCBSL1hZWiAwIDU0MCAwXS9QYXJlbnQgMzAgMCBSL1By
ZXYgMzIgMCBSL05leHQgMzQgMCBSPj4KZW5kb2JqCgozNCAwIG9iago8PC9Db3VudCAwL1RpdGxl
PEZFRkYwMDQyMDA2NTAwNzIwMDY1MDA2MzAwNjgwMDc0MDA2OTAwNjcwMDc0MDA2NTAwMjAwMDQ5
MDA2RTAwNzMwMDc0MDA2OTAwNzQwMDc1MDA3NDAwNjkwMDZGMDA2RTAwNjUwMDZFPgovRGVzdFsx
MSAwIFIvWFlaIDAgNTQwIDBdL1BhcmVudCAzMCAwIFIvUHJldiAzMyAwIFIvTmV4dCAzNSAwIFI+
PgplbmRvYmoKCjM1IDAgb2JqCjw8L0NvdW50IDAvVGl0bGU8RkVGRjAwNDUwMDZFMDA2NDAwNjU+
Ci9EZXN0WzE0IDAgUi9YWVogMCA1NDAgMF0vUGFyZW50IDMwIDAgUi9QcmV2IDM0IDAgUj4+CmVu
ZG9iagoKMTcgMCBvYmoKPDwvVHlwZS9QYWdlcwovUmVzb3VyY2VzIDI5IDAgUgovTWVkaWFCb3hb
IDAgMCA1OTUgODQyIF0KL0tpZHNbIDEgMCBSIDUgMCBSIDggMCBSIDExIDAgUiAxNCAwIFIgXQov
Q291bnQgNT4+CmVuZG9iagoKMzYgMCBvYmoKPDwvVHlwZS9DYXRhbG9nL1BhZ2VzIDE3IDAgUgov
T3BlbkFjdGlvblsxIDAgUiAvWFlaIG51bGwgbnVsbCAwXQovT3V0bGluZXMgMzAgMCBSCj4+CmVu
ZG9iagoKMzcgMCBvYmoKPDwvQ3JlYXRvcjxGRUZGMDA0OTAwNkQwMDcwMDA3MjAwNjUwMDczMDA3
Mz4KL1Byb2R1Y2VyPEZFRkYwMDRGMDA3MDAwNjUwMDZFMDA0RjAwNjYwMDY2MDA2OTAwNjMwMDY1
MDAyRTAwNkYwMDcyMDA2NzAwMjAwMDMyMDAyRTAwMzQ+Ci9DcmVhdGlvbkRhdGUoRDoyMDA4MDcz
MDEzMjkyMCswMicwMCcpPj4KZW5kb2JqCgp4cmVmCjAgMzgKMDAwMDAwMDAwMCA2NTUzNSBmIAow
MDAwMDMzNzM4IDAwMDAwIG4gCjAwMDAwMDAwMTkgMDAwMDAgbiAKMDAwMDAwMDQ3NSAwMDAwMCBu
IAowMDAwMDAwNDk1IDAwMDAwIG4gCjAwMDAwMzM4ODIgMDAwMDAgbiAKMDAwMDAwODg1NiAwMDAw
MCBuIAowMDAwMDA5NjEyIDAwMDAwIG4gCjAwMDAwMzQwMjYgMDAwMDAgbiAKMDAwMDAwOTYzMiAw
MDAwMCBuIAowMDAwMDEwNjAzIDAwMDAwIG4gCjAwMDAwMzQxNzAgMDAwMDAgbiAKMDAwMDAxMDYy
NCAwMDAwMCBuIAowMDAwMDExMzI5IDAwMDAwIG4gCjAwMDAwMzQzMTYgMDAwMDAgbiAKMDAwMDAx
MTM1MCAwMDAwMCBuIAowMDAwMDExNzE2IDAwMDAwIG4gCjAwMDAwMzUyODkgMDAwMDAgbiAKMDAw
MDAxMTczNyAwMDAwMCBuIAowMDAwMDEyNDEwIDAwMDAwIG4gCjAwMDAwMTI0MzEgMDAwMDAgbiAK
MDAwMDAxMjYyMiAwMDAwMCBuIAowMDAwMDEyOTIyIDAwMDAwIG4gCjAwMDAwMTMwODcgMDAwMDAg
biAKMDAwMDAzMjM2NyAwMDAwMCBuIAowMDAwMDMyMzkwIDAwMDAwIG4gCjAwMDAwMzI1ODIgMDAw
MDAgbiAKMDAwMDAzMzE2NyAwMDAwMCBuIAowMDAwMDMzNTk2IDAwMDAwIG4gCjAwMDAwMzM2Mzkg
MDAwMDAgbiAKMDAwMDAzNDQ2MiAwMDAwMCBuIAowMDAwMDM0NTE4IDAwMDAwIG4gCjAwMDAwMzQ2
ODMgMDAwMDAgbiAKMDAwMDAzNDgyOCAwMDAwMCBuIAowMDAwMDM0OTczIDAwMDAwIG4gCjAwMDAw
MzUxNzkgMDAwMDAgbiAKMDAwMDAzNTQxNSAwMDAwMCBuIAowMDAwMDM1NTE3IDAwMDAwIG4gCnRy
YWlsZXIKPDwvU2l6ZSAzOC9Sb290IDM2IDAgUgovSW5mbyAzNyAwIFIKL0lEIFsgPDQ1ODI4NkRC
NDczQUNDNjQ0RkQyRjEwMTZFOURBRjkwPgo8NDU4Mjg2REI0NzNBQ0M2NDRGRDJGMTAxNkU5REFG
OTA+IF0KL0RvY0NoZWNrc3VtIC9CNDQ5N0YzMzU3NTUzNzQzNzUyQjBFMDFBQTYyMDExMQo+Pgpz
dGFydHhyZWYKMzU3MDgKJSVFT0YK

--=_43n2rxr3njeo--


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Wed, 30 Jul 2008 11:32:16 +0000
Message-ID: <20080730133043.7nt77xfd7o8ogsoc@webmail.restena.lu>
Date: Wed, 30 Jul 2008 13:30:43 +0200
From: stefan.winter@restena.lu
To: radiusext@ops.ietf.org
Subject: RadSec slides
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=_4ee9yxyk2800"
Content-Transfer-Encoding: 7bit
User-Agent: Internet Messaging Program (IMP) H3 (4.1.4)

This message is in MIME format.

--=_4ee9yxyk2800
Content-Type: text/plain;
	charset=ISO-8859-1;
	DelSp="Yes";
	format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

Hi,

we had some problems shipping the slides, so they are now attached to  
this mail.

Have fun,

Stefan

--=_4ee9yxyk2800
Content-Type: application/pdf;
	name="ietf-72-radext-radsec.pdf"
Content-Disposition: attachment;
	filename="ietf-72-radext-radsec.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQKJcOkw7zDtsOfCjIgMCBvYmoKPDwvTGVuZ3RoIDMgMCBSL0ZpbHRlci9GbGF0ZURl
Y29kZT4+CnN0cmVhbQp4nIVSS2scMQy++1foHBiv5LdhMDT7KA30kGYgh9BTk7Qsuy3dS/5+P3lm
twmUZow/yxrp08tshV7Mb2IaGGJ2ijEonp7o/op+GiFdp+/GJ4bd0SgesGGGEy6vJD1nuwP9MM9X
nVoX/K8nkzlZT8k6mh5ptQMxpOeRpU17s53MrWFbiG2s+OD15SMIxAa9veB+g72nbFMSV+mzkYBE
Qw7IqovRRSBS4Wjr5XYH3v/TVERF6RE8s2u/zJ5vM0IdoIpFlViVbUb5WdNwHvjtaFafjoE2v0iD
opFc1d+nklw/OZelG9GpWxHg0g6v7XgY2bVBRvYc2pBGjm3wI6c2xJFzl0vH2tzIH7rpNa9505Xb
jrv2dbqZO/pOEr4P+59ZVKUWbn4UWQKqwqksvmOYdVxmiwXjm+iv5u+YMXsXig3nYKH0YJKaltEG
lLRGXZI770YVUriKl16u/lvMdm0IanGJdXmpMWVypWCaQUKXDqSS7vmd/pXmv2eP5dXe0h8om6TM
CmVuZHN0cmVhbQplbmRvYmoKCjMgMCBvYmoKMzg1CmVuZG9iagoKNCAwIG9iago8PC9UeXBlL1hP
YmplY3QvU3VidHlwZS9JbWFnZS9XaWR0aCAyNDAgL0hlaWdodCAxMzYgL0JpdHNQZXJDb21wb25l
bnQgOCAvQ29sb3JTcGFjZS9EZXZpY2VSR0IvRmlsdGVyL0RDVERlY29kZS9MZW5ndGggODIwMj4+
CnN0cmVhbQr/2P/gABBKRklGAAEBAAABAAEAAP/bAEMAAwICAwICAwMDAwQDAwQFCAUFBAQFCgcH
BggMCgwMCwoLCw0OEhANDhEOCwsQFhARExQVFRUMDxcYFhQYEhQVFP/bAEMBAwQEBQQFCQUFCRQN
Cw0UFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFP/CABEI
AIgA8AMBIgACEQEDEQH/xAAcAAACAwEBAQEAAAAAAAAAAAADBAIFBgABBwj/xAAZAQADAQEBAAAA
AAAAAAAAAAAAAQIDBAX/2gAMAwEAAhADEAAAAfikpeeh4/E8ecQTOyKvg0NUpM0SoRIIIwlCaH4c
o0IWxRUcrBdUKLJAQ8sggnNiCYCSkC7MjA5xWtuWMYOkxiczhUFhEKry0gVVxtJp1MrCYVblgAXi
oFyowiCNmArkVPLgbaRnZLIaXnOoQ58k3de2L23DST1pUsiTYup4Xvock/m/u1paijTvLJmXNKhK
LVTFHQIRQrUHThOkfYRTmVaYjFSiF4JCVQw+qIWp0uaPrw7i9xOvyvQ6OH1Dm9Khessnl2lqRCqM
r8k+vW+3F+cF3xdfn1IbJNaJgdhOlfzYloqCwCqT8ZDNcI0Rh73yaLd5+yqNLYis9vPlpqzSyvsW
sym14Pfz9ynTzposS1rGfIkt7jax+VUH1nE9nj5BfbY3SKyGwxs7Snoc0mEGux5fi+ryc6Q90NIC
UWQzQ3VHB6Z6oPv595cUFu8fqv3X8i/ZuL1/qibUsPRzdFsviLzjsUn9eJf4v9SoNOej+a6bNb8/
0D5a2yaGoNmy8/Pl2irY6foPyqz8m/oPzd6bilBYoLSDabidm+1Lfh9sUzvLTEpLGUZxOWXTX7bK
lc72nzbJLSyVdebNIUFzTBfRW7z+egKyrhQWjrVDIdyIBHC9ZaCnWlM7KNrmxy1xryaBqnsa5xes
pA4WvgDIowBhqp8T0NPEwqpdmtNZzS8m3K5uTdZ6RONjQCQfns105CAObcPVtJzse68nLfu05rJr
urCsB3DmDuVLS7i5z7iV63unRfzuW3jHcgiXc5VH3TtL3uTgv3Jjb7pv/8QAKxAAAQQCAgIBAwQC
AwAAAAAAAQACAwQREgUTBiEQFCIxIyQyNCBBBxUz/9oACAEBAAEFAvloLj/5hwQjTnLC0WoC9fBR
wtP8WjKcF+Pn+a/CLcrCrj9xj0mtyfUTfyhHqHgldayvyiiFhapoKZDl/Ts5lJwEzAm6Bb6nf3nK
/TXU0rqc1EbCP0Xs0NX+wW4WuUGiNMDd2x6DUvJaGhrR29ZWi611rqXUtUK5kREQbFK6QviJd0MC
6o1qCeslSRELXCEhaq+kjpISxznlxr/2dEI+tv8AIsZoA0vOMLRaLqRiXUVphFuVHEXHRkakeSnv
bs6VxQU3o/6b7DfREz1sx6MBCgOCHnPU2RRxfrxRJzNzHWwutzj1YQhXSutdRQiTwiwktgUjhEx1
lH2iij6J9oLZA/GclshYmazBw0TpFSm2suLCoIA5CsJGClq1vHbJnFl6HCko8IVLxEjFLXMaEOTJ
QEEU1n28lxKPwVj0PwfnK/C2TJy0MmwWxtcK7cWozhRSMEdXBMbd1DXVPj32jDwcLB/1dbFnhhiP
i4oR5F5RTiimsvnTwuoYc0ZLQiwJzML/AGxo7HM+7Hz+f8GvLTD90zB1iN2DFNquOl2NGv8AWTRR
NhY97Y22vKuPruPIc5ySm8YsSwVeBntO8j5Ph+Dpx/xewJ8aIRCwizKI9key1ELCCcP8Krj3ZyYT
iOFhLaT9D4yzaGWF0iPA0nuhgjrtnsxVWWfMqofc5fkrUlfwaDk4+S4z6C0QYwU9uUfXxlGPcyM1
KIRCwiPXzVP62kDZBHVAoXoq0cXKw48UtNs0FNJbUlDkrRj8RobwVoareUhoR3eU8gnsxt4Sw4Sw
MeJfHZ+o+k3x2zM2Ruro/Grj62yt+O2qjNlN43yMV7fKq8Jcu8ePaI+af9poOThRKH8eH8m2nf8A
iWz1KS9yD1cr8m6DjuLEzhRjZHa5Z1YdEjFa8nru49jg5VfL4ePgdmxY+sMfBiL1znlNTmKwzit/
yDNV5eJuVW80PGNldG6y/wCagP1LJnFRuUbtTA/44Dy5rogQ4K7fr8dDy3Oyc/YoubCySz6mlZIb
MTVeqgot1MmCowFAWqejHILNXDzAV9PldRah7XSCpY8EtWqqH9zGPtYmJjlC7ZTRh4r3L/HqXyTm
yP17k1HWJptgCa65OtOKdcIEz+xSRKVqZJgtlTbZzYm3d2hNkCGpDoQtFI3KezCKrH9ya5DWsWmE
PSik1QlytkfwHhqFnCFkgl2zXFSPRl1T5MqROYgS1duFvlH2iE2UtQnXcFuiiAoIx9QyfYRuCaAu
sPRaWISIPXanPQk97+4rGpkOwkynIyYXYs5Thhrh8bfBHxthbrtXYq5/csdhsOxjjk2QcWu/mnNI
QdhB/wBz/YaDrlbYUcxaiewSBPX4XZhb7Is3MkZYXLK2+Ho/NU/uWn7Y3fayTCjlwmS4Thu1zCPj
b052q7EJMrZbJ5ynrK/Ca722VH7k5iI+OzVbZTmot+Kn9r//xAAkEQACAQMEAgIDAAAAAAAAAAAA
ARECAxIQICExE0EEUSIyQv/aAAgBAwEBPwEbJgnZJmkTJJJK0kkmCSTIzMjKRUikg5Rl9nTFUiTk
hmFQ5QhKSlRtgxaOGMofotWsuWY0odK7SLtp3PymCYExMkT2NDFH2Wv0WnI0v6LtGD4IaIfsdLRD
XZDWxrT4t1NYvSpwTJdqzUDrdShjuPGDys8mXY7kjuemJ6OqRicC+RUjzN9mcmT0RjIqR0fRDKXB
kVUbY0RAuDvWCCoqWyNKdGhCIE9P/8QAIBEAAgICAgIDAAAAAAAAAAAAAAECERAgEiEwMQNBcf/a
AAgBAgEBPwHeiisUVitaKK2rDWLRyRzQmn4LLzJEpHZZCSj1rWixKyXvP4Rnfsuzossvb5I/eFiH
Qkl6FFJlJHGhRoUR6NHBHA40JZssvLQn5bLELZ+D/8QAPBAAAQMBBQQHBgQFBQAAAAAAAQACAxEE
EBIhMRMgQVEiMFJhcoGRBSMyQnGhFCSx4TNAYoLRNEOTosH/2gAIAQEABj8C3KDW6pWWm5+y1+y+
UrMUWWfVd91RdF4hud91Xel2ay3ua7Kp91iOfcuytCVkwLNrfRfA1Ztp9F0X+RWird3KLxC/XNHH
0sjpz4Kp1u5lNx5trn1GWTRqSqCjiiHVpyCOjfqVnIPILKT7L41kQfosxdktKORIVCo/ELqnW7Ef
K6g9eoyWfSPJe8OED5f2XRHmV8S793X1WYwlVGYXJZrkVEeIcFiN2I3UHndnvVOQ5rsD7o4RTv47
ld/VcjcCowe0FRtfO4moFPl5r63G/RZi7G/XlyXR15r67p6iizzCNCovEFSqw1OOoWei53UY3o8X
FdMl59FTZ08yiYsz2XLbW6KzRRjg8YijZ7FZ2Z/Pgp6Krzc7Ec+F2m4MXw8UaadTGa/MFXjwuoqF
NjGnHuCDGCjQi5xDWjUlYI5Da5exZxiVLLYm2GM/7loPS9P2T5J7W60WnUDh9EDDZYGjjLOyo+6N
ndZrNaLYW4dmyJuvM8v5KHxAXOFBqDXii+hLW6nkgaZKSX+1fxnx+CixSxm0O5zvL/1WGKNsbeTB
RY5pGRN5vNFs7HHJbpeUYyRhlcLB/SK1/wAoyC2DvIjOvmpYWvErWGmMcU8UGYpvNpxVOpZ4gmgT
OLOLsGn3Q/Mv/wCL90WOi2meq/0wUlBhpJp5C73MEf1lkp+gK957RbZ2dmzRf+lbSfa2yTtWiQlY
YYmRN5MbRG0WycaACEarYWFn4aDSo+I/4UbfdY5G4msMrQ4+Sqo5dpZ42yDE0SztYSPMohQuxWaP
bjExstoY1zuGhKLTqDRfiBJY9jWmM2uOgPLVUVZpLLEcGPA+0sD6a6VustkdZ8MtqFYanou87rRb
oYMVmg+N1d2LxBZgoEODq8BwvNneaMnFAT2uF9BHJIeTWqkHs6n9U8rR+lU+a3e0WWSBozZZG5n+
4ovNTXi7MrRNoyrRHs8qYh3go6071DYrRZ7SWsZgdspQ0O/6ruVkYYLU7YgDC2cYHerVJJhw43F2
HkprBsjWSds2OvIEXNinstqq1gwhs4wBwFAaYbtu6z7exdAizSGuBzWBuJp4HL73WGGzez4DZrO3
C4SVLn1+PPvUjoWmOEuJaxxrhHLci8QRq6t1Lu9Mg9ou2UmjZzo/68lUGoPEXGW0ytiYOLk1sbTH
ZGHIHV3eVTS7NGiJ3KOCqzI7ud2l8XiCO7RflbVLGOTXZeip+OeB3ALaWmV8z+1I6qyWt2ea1uru
ao116mLxBfCR5dTkVqsQ0/ko/EEN+m53Krd7v6uLxBBGT5AcNbiOOlx3C/5QaHcJpoKm/VZXBo1R
ByI6mLxjcpdktFosz1Nesh8YX//EACYQAQACAgIBBAMAAwEAAAAAAAEAESExQVFhEHGBoZGx8MHR
4fH/2gAIAQEAAT8hDiBXpSAjWwhFzMOkjuMIE8QbueF8sfI+IU6TZ4+mC1I5beDxElehmWIo1LgL
l04xP47gr8wD+Y9Nf9WZyXnr0WomgbzKh8w6hnMwzhGmBUR2g9BvGE4qnTKarja4zNQsOBcDlrvy
/U7T8tQOG+9szhkDi8EzaR+Ue+QW24dktgZN1A9niMClLUQ/1ZnauZKNy1AOVLMSIo+B/aoWLxwT
yDFFV2S+hoU7PSv/ABGnNPmX6h2gNBcM8EzB9giWGF5qWHCacEu+rwTif3GUO2eH/JUrfk0wVHmo
JdkcLY6ZZ2aIKdF3XU7E/UCDWf8ANLLO4nEzYw6XPCWHazB+XtLJnUehUXtnggntA64fpnGx4mOp
tnx9fL/qMlet0giy3/NTDXxwYKiHBAa9y3K5bRE7IZNjqFdeQI40eKWdNqlyK4N6IeFsvzDMOCNd
WOpXpxwdxuqu+oo7O0YyktuLGiorMuSEFBM4ioe/ufaAL9nagFP2T5hVmXqoEzC0Nbi2dMrnkjXU
HmLVJKb4rj4Szsp6nwjmVUc7qYKdj7w8xzwil6JlSoC3bqVLVvDojBQMcTXAovPMKtRYg1OapD6Q
fMYirXjuAqej17v9R8sBp8e3Udq32YqjSXLRT+aC34zMok1CW1LTV1TGSIWwsjVBrm94iTdUxxNM
D2Ezf+JR2PdB8l5Z3amPI40CAe/5pKKP4vMc3938wijrb94yp+LnYniKn6TeXo4Jc4zMuwDE7s38
XOCv0JmrImWyBXhKqkTSNhzCNsOLjKelUiRKgM3Broh3zJ9yyWXCh5i0vrfvKeFjaWV+RgeSUBMh
NF0EQ8SX786+5/YSDp+UNvT9iL/5LNyP0Na/glLLoyqfD5rf7gHLdRFy3JmcFS2LHU3TD67ZNem5
TCZokLJthM//AGR19GiXjTkzBLwPWfog2ZBXhOv0yxtlEKjyoX4t/ZNGDof5DAZ9/wAW0PxPDxqP
qeKk0fcsk+kn5Vf4GFyEFMAdWl/pF7laVfYTCsmNEMRtxLrI4/EGJT6YLRYWZQtqEXtGI+SX69df
FRPRnxv9y5JbKvw2glszAjt73oxKhBrWv9RmNMI9BWPeL6WPyTqgGq/nWF974/VTxkAD6lmsomVe
DL9R7i2Hg+IX7RChTFJuILFTxl+KF0EskzTWMkC7BGoqEuZSYOClTeZojTAQWJ1fE/1YlEVGdgpz
2nErUVmJQUpeNfc4guEWxxcV3RtoRa0SoxM7ElT+F3MELNZJhZjbZ8XH6itnxysm2gB/lafj0WiE
vIr/AG0fcYs34afDUuIifPAZB4iNXLUs93mUYyDcwB1pOFXhr2bnuA14Qexiy1dor9xJTC0MSCMY
pbyIg9DAJooHZuo2CANRhK+Yge6hxIpvktfi/SNBscTkPzP5cU7j4C2Lb6IHvGqJep2Qtwnmu4Ld
xvv05HX+aAWBvL/dxMS2teNwShxcLQpackNkHG1fZ51DZjWJY+nIV434Dl8Es3U3j+MQjsgDqvYY
pKZxCFB6AaY1MAYXUWUE8kOaCExydwGp2bnEITDaI8bmwgY0mLv/AN43uNQtRVKghVzU6GIycjf+
Smcs6b+QgC7uD+4qtLljDnFnD5gmho7jucPAVeZkX9Qi4a1iVMzAMHyHHiWCDZmXNxZUSYhSe8I+
gzGU/wAWZZkl7YxweRBpHit48wFSiHEylzCxRg8tw7jLcpz3LtQVl+J8OUZfqOW8Sy+5izklIYcT
FXMcxRDpjGMltr/2matruNc5udSV4z2EccYiOYYQg5jHixYm49lvcgO+HgjHLFXps4QOzlFpeWXX
pW/QyRojhPckz5l/82Y3fq5hXBVtKKfpnAzzGxo2zcSqxTDWZTzuJ8mLJFMMBOluv0wLuLW4rY46
lPULjrIftJ0owKt4nlBdFFvUU5aaPeE1YpJ1gyEGYLWNIt7l+Y/9u49cynwfMTRiJVNNYYSILNCs
5ibtFfCDUB8Sh7x8oeDCjNcfJDG6ZkxruXT6SjbUzZiB6TGJk0ywziBi3MoiVP5Pc//aAAwDAQAC
AAMAAAAQoNmzct7SBNqhDDjNESvhv7iZzHA3PHmtwuXhtrN0qpyEjp4ITwfEUZc1HkMU2Ngn5a2E
4i1K9z8H/wB3Eh4YqLDPk4maAvfxvSC0jzlMLINKPCGUo/B/AvUutg/PHfHXQwX3PPYoP//EAB4R
AQEBAQEBAQEBAQEAAAAAAAEAESExQWFREJGx/9oACAEDAQE/ENsOHsDt9gPW2IyQWDrGWhaHcj82
0v2NGk5n0Z/6jMXiXm7a8SJDxto7sicgPBdRPIDkvdtfYf5fjD2JPyT3B4iLJNu7Y55AGfyG9gWH
/BZ8wtfR/wCXVYH5HhafZSA/4jtuW8vJL+CIdcROVw8Lr8tDrSVUcuFTIIEZYbl8CPQSpikMvJp4
38Tf4A6z7by7L5AvUlhfLQB+WSPqx4sqQST+QdWGXzBZPqSxyYN3ZCYz8ojjadVj7JAPpZeSIx32
yD/GOxG/MvqMmZHXIN+YEUkOwdsZIXFkDcuF4sZs18v/xAAeEQEBAQACAwEBAQAAAAAAAAABABEh
MRBBUSBxYf/aAAgBAgEBPxCC7s+WTxNyttwcsOpmiD1MC7sk38DMlnO7d9WjcOrhJEuLCQ8PSSh3
bkuz5G4WWVPCHNhaoXS3CjVs0kssmZJ4Xq0kuMu277uIWZcgOjanBgPUB6bD1GPUkQ7PJOOPA2y5
duc9pQls/sdZCtIR0gjf2DItZZser7QsGcT9PBn+rSTZfwZ4cY4m37PMuW7PE+Qv22G7m3nJL3f/
xAAmEAEAAgICAgEEAwEBAAAAAAABABEhMUFRYXGBkaGxwdHw8eEQ/9oACAEBAAE/EKzDPcTpD1cN
TF+RMxIpb5glpHh5l4dXXMQoS9BNywbAuv1EmRvs+x/MrMB8v5Zw83Y/7KNCL4BfqCXg7J9H+Zgs
PMyfG4mcRb/2A3qBpCQq4gRklhVfP/gFclHPM2vBz4/1AaNDZKG0fKeYK6qMj6vrKC0ECmzNv4+s
BdQFYsUFbu8QOQq7gDMFwstq4OI02165lBpv7/cxS7vuFRUS8GZiNV8RbcZlB6msiWaZUX8MQqXs
FML5gGyS5xrmZQ6m745e2MrVug/a48TObh+YsKyzbVeFwyrT2m/8yuq8Cn6xwgGskwhf7EGIKcJz
crwHlfxClBvf68QFVMBsb2XCsLbQQZeCwtD33AYVq3IlvQ16J34DtQtUX4YKYHhg9RuIu2m3IPGJ
fkDz2fG4i0i10rPrM8R0WH8SnKk7NfWKhoRTkqvEXDXM9wGt7lxBnIJQ+u3XiYKAFBL6PW4iMi1l
fTcsCp1+ilk6dmVQAbU0LAOcxjSZmHdv2i1ujrqDzqW8p/yOlG0LC49Eag39HMBqAMUYUV6w6+MA
K+kKo6FEfYLAVlFr+WYE7y6P0SlJY/0dEEXCnJv1FFq4W5WMyrWrYiqX7TMpAXwTH0ZegNSb+pBT
Q3vp6hRvrDi4gVX4Wm8UZfX1Qv0Vn2DXzVxcujZ+Bg+bldQoCRS8GLJmARp78S5miWJOaXM7SiJ3
BMiQyRxZBPcNXj0sXlWR3+kJ4YTbTKJA2HXiotXsDuEqizHOMNeQB3HKwagEbXYbTLVKgEo9lp5e
jxBLD0H5Y1c6FB1G5SK0E7CvMQGTzWZR89oZ+ZgTHEPirQZpwOa+kEiNji/Jjfmjq5afjQG/Zw+K
+YmVnedvuJPQ8cxkyQ5j1ejx4g0S8trz1CFNhwwG5B4lz8ICzM5XiNQUfEClpq5iNB7VukdLY8HB
AWXkWaYYGlboSu4mtjOAr42wBgGVeoOiNxqtkBVFZtNm4wZQnagzrm/sxAuxS539sfeHMxJXsFHn
N8GH0mEDKBrKZ84mP5BwVMoFax/eoxK+BDIsIBaupWP3TXi7u8c7vkjyjoEsHTQP1xqKTWQlt/7E
WHDNbHHzGmjnuEDeGn7/AF9IIKzg/f6gVco7g8JcU87uG+KdVLhtb7jw34Cf256yL2n8wl1VC0L0
eZQAy6JWMU8nCCsOVvFXXm3qM7QABbC9exxPcThhuwW8HzFUosCG/wCk0NDbJv8AtyiZpg/FfLzR
Hjq76EM/eFuhwjJ9YEiWbA9Q1XyfMA/DQj11cYCclEIicGoG8AGyZd700zZb6LOA4l+ZbSX3D4Rv
OPDL7CHSILeXMUXoeZsnsyQanZiUInRuKBNGtLSO2rhYlQeCl4vzUIc/7K+MQK1ELfWIK+YHa4zI
1BRVbKUMY8U8qqM1XFUxWs0kQhbw+Y63lf18Q0vIv7i6Wl4P8Dyk/YWcT2vcNfdBP2rgJygavrGS
9EkAI6bF+mGtzFpS1DtCvPFA1iPhaWEG6fJ6L5Ieg5FYlQORBfYrGAJsrJitr4dxaLasjiV2qJsq
WsfeWYwmcPgj2a3TGs1d017/APAIXvqCcCFRn1KA8Mt7fmDLUDxSg3VwOSu5qHAHUVV0uCBOAs05
8UAlnU3FF4XB3TFcLXOLKU+LPqSmTwaAF8/YgqLcUtnldfkT4iM2sDnr1UAn+M/LAREd4b76tBcC
3yL/AJstZ8LzA/lYSGmspzXw4ilGoAoKWl3usyz6VGB1vI2Jbkcu5VAJ2lbq4dL6U5lW1Q7zwtRU
HjFwxKYNNfMq6W5dCtRpYzouyxTD8QoVIxb+I402c6i1iPWazFmEhJepaVoTmAd0gI+P8wNxVvBn
Bd9xuUANvuY/vuXh/JpgBYj04vljlMHhLeaMYOtwAsUHHyfEWhavwS55Ux3eT45ofiZdiwjnDVmu
ggsNhanyUPpGeVfbewEwjldobUbl4oG4pIbgFCqNBvWfPEzvOuDIHIHjh6g4a3G6gwBdpg0qVY8c
RVwkSxK6TD7IH1dnUgYgMZStxK4QkKNIIolmxqYEW1l41FBb04cYjmpFBs7FF08nmAXTG7FWGgQC
tgZl1zJ4zHkYgxOxmCWN2LCy3KbE19PUUBvumE2C4gQiowFYbqpVv8RHAfSApoRBPhK/aRYr3CVY
QisULgLQOSUmbsBCjZcvgpRvDuXmKhSbTxTyF/8AAIt0F4LYkCSxwf4nmDA7Tqo3L1hjmMmh4RGt
CtrLv/5mM2hl28yk9cqzeJhQOUrhdTOgY+rR2+wJbFvrfEowNFHOKN1rhCVUKu0L7lqr9Pd2+1Eg
ChW4Ek+SwKA4urrRqcb8JbGK1at3xqM9NP2YzdTFtCTMq7bdTs14gYOQorQ7LGikQ20GC06smCC9
Zt9BMAMbACW6WG4mpLBDAurqAuQ6q5xMA3tZYbo3+sLUxa5tyDb7QVi8tfP9qYIdAer5INoFLfPc
SxGsRE8jwzNJg6Y59O1l2OE5EBAHSJs/8LwzorC+V4hXqXNlzWnUNGNZVnLeGW0FNF31eql4a1SB
az9pj9bl11HpF3kPG46Baq+vMGjAqEgTcu6ZVXOt0wXwjkPrAKoGL3i4qyqChnUdQCaxCqwHpMXS
PEKoOFdzRh25goXBi4Z0ntljaPuUWOqn1g99lT7wfKjRwX/kZHbZ9o/RSHNFjC9xo0dL16ghtxS/
a1b5qJkdpfgFk+s06ZgW7oU0eCodwAXiAaTJ7ChxEtQeX4lhoas2/E2BDvHzbvYMQnVW5hVKdPUA
JT3EaArWGNRQNpy/ylGgs0jhO4hlh8x9KPWYDwz4li6YSI6ch1EDg1317i6oN+iW4su5s9esMktl
wHBslCEtvZMIZI1WOckULVHFGLhGDt8I+zz8y3VZ9TEght4jJUOEcw2bMLwy7ByDp8Rb6dnqXUWA
yRAUHnuZYgWwEA1zzNiNgKKP4iYC3t6MwVP8Bhh2AckfFcO9kWy/ZgzaprmPc3UtlKHc58b7j66x
cesuSWGzcRAppLg0az7I35QhQdTAKZzBrR9wrlxmbvFGajsSmy5kbwP8y2EO+/EwcaK7jxEHJqWW
Z9sfIafzGuL9ItZg6N3GdMuDmjuCeZKL+sC7/cRxQ+YGbUstGCwJrzAyqL3AFm/UUa+8IO4jOMkb
7DfGL+XsGn+kRTV0wgq7yNdcR1TtSi+At+0RsFCAWNOTCeoxGaLfUsKlLW1z/wBgW7tHcIW7dHdy
oOXiuZhU7EwUH2fS4m8/GrgZPR8dSwopnpBaBseg2T4HzAtWDOHcsILu400H0OZRgy6WPMkVfcrL
MV7T/wBJaSTepGmHOF+5jbT3mG7xOnMapVdaZyFS5Y+dxo4UDSW6O8Z2ENF+3+SOLZbVck5r5/MU
FD05lrqiQRzwmH3GCmn6SzhFhCb4P9+0xky2Lf5hvyNkIoKwcvpBSvlxHF4xTB7MQbBz+Yu7iVtj
nWyXA4nNccyxWFaSZPwpq4l2QLqI5Lb+Y8RL3mX5Ny4RrcLuDplFVTpl3kXsmWHMa9lMsQ3/AEMZ
/9kKZW5kc3RyZWFtCmVuZG9iagoKNiAwIG9iago8PC9MZW5ndGggNyAwIFIvRmlsdGVyL0ZsYXRl
RGVjb2RlPj4Kc3RyZWFtCnicpVRLa9wwEL77V+gcWGdmZMkSGMHuZl0a6CHtQg+lp7ZpCUlLc8nf
7zzkx4aSB1ljSdbOjL7vmxlBi+6h+evAbYCXPckYOhnvf7jPZ+53g06e+5+Nj8B2d42Mt/yyGc/s
slrJbHa37ldzfaah5WH/3bHpIbbk5D1+d+cjB+bV9QCpHG+aw7G5aqBNDtqQ+cdeH99xAGw7+Xrg
70t+b1zfxoiU3YcGOwba9R2j0mWgwCNDgdDm+esTx306TOZTmXrgOOaqH+Z5ioh5cKiQZJOfDG3P
9HuBQZ7Hb3fN+fu7zl38cXIoCwlZ/H1MkXSGPlU1KEAbGX7PZ1U9fGQ9vgxAhQaIZRMH3Javx0sT
R+I9AsNhfGI9vUdGolHIYWQKoivOuj4DJQaJQT2Hr0jIkOCubPyA+7LpBhjhomwY2FbHzDNPuoVJ
DND+3pXZZvFgmwNkHDGrfVc2OBAULzZqFQfYn1J9Di/lNHGe8QIHDgOhhqeCAnM0oAKLvJ5eUVC3
ojNC5oRk0D2KArgX7ryl6KqrEtWA1CvnbN7MRY40b/+inFGUunlbzij6pZsmDfYrWsJ6Tp+wMqA1
L2P9K85ZsuxZBLM5zM7/scFxXQB6AKINJxKQR9+LDBCSEMLUeVyIeEeeZilCG1UKeqkU3Ibcs1y+
8bEU24UIpSXnlBWuEdzXch5Xkj1dKDXptdBl75VsMce2eyNfzDSVz9Ku1ofaXQs8S7ml+iT9lTlG
6cOgTK1zlCmC+O6mge180Yzr1rpEMl1I28FKpmpbpmsjzqfZEXaxsOrEJqa2GVSwVk967qj3hORg
6kI6vFbvKIq9Ue8Ql4u66k2jXjfd0hp7RamADapusHbJrEwXS1AVxIOaTFKmk4ozjSWCx7ku1/Vo
9otSkr56ZflVE165f2/LrnsKZW5kc3RyZWFtCmVuZG9iagoKNyAwIG9iago2ODUKZW5kb2JqCgo5
IDAgb2JqCjw8L0xlbmd0aCAxMCAwIFIvRmlsdGVyL0ZsYXRlRGVjb2RlPj4Kc3RyZWFtCnicpVZL
bxMxEL7vr/AZKVt7/FpLq5WatIuoxKEQiQPiBBRUtSB66d9nXt5HUmirNKrj3bHH33zzzTi2deax
+WOs2VicZqAxBhofvptPb8yvxhn6PPxofLK47r6h8Q7/cRl+45bFjL5l3Z352dy8Ydf0wf3bfZNt
ar1JLZj9N3M2omOc3fTODvvb5nLfXDe27YxtY8E/3PXhLTpwbaCnR3y+wv9bk9uUHBTzvnEBgYYc
EBVPI0QcEYqNbZmePqLf/7speCqGHtGPbOUH2blGhHGgq9jRS/wU22YMPxMM8Dh+vW/O3t0Hc/Hb
0KFIpC2036cuAX/b3CkbLhRkAuG3qfLhcXbzubcXwwZ6u6PR+WETe3s+QA/BbukVdPhgy1CNbhw2
vrdb2PHSi+HL/kroJAQH8PFg3+G53jvEzueCcQmDxkxYN2XiGfApkg/I6F6xg2IPCoKwj0Po7WgL
wqeA9CWixq8wIObRoRUCR+V5TREH4IaN6wEGR69Gjh+jl2VJPLvC+wK9kAWjh3Xw4J3PRICNHYXi
uuDdHII3UFKlH2mINEca4KU0oABQLQVmSSsN3g8CDfpl8JUKsXirGSZWmCeOkPMuU4skCTGyQEJm
m+uGTeh9UMdkDMxZmKhnci9YIjtavGBxp0KacqX0j2y2I548+RITXL5IVxDLybqCGKuPiVB3ToAI
a9LEs4Ik+5DFICVzpKiZLhknIbI+y1JHC8ZJnK9VEwRsHCeqiZvwQVEBAlVUu6qmysMqfwur6mYR
MYZadTBpkDTAFq3VZfp1b5HjQcgalb1u9lQlqHyqrMiTD8NMN7asFZ3PMeGKO2biKPyl6iETKA1p
LesCZUGEEJArIeJDbZfsgwnQAq3Wl+ifLod4ov5dnGQ063/LTX53mOUq+VnEk7KXMWhCuWR4ijnO
mt1R+xT12ZoqadpTC+OewWldFAg1kdSvmhJqoPY58ST04tjJTpGNQlhlSLDlV1acw2vXn1hxzpVD
shNdTsLvtl5WKuuimSgwchD1UgK9zf5Fp0a+7Kh+cStKOdW+W5Qlv8iTnFezV3n2ka/Ip4wqBj9I
Abyu+LrSHrKyusXn5qvQp8bh5yBfl0usnHxiKrFwwlO9U/teZas2MZH4UWNAOlmrlDVWAscmP8cy
J3+Zs3TUbbjzrVvH/Hvu8lgK6UkpVKVp4xVdJQliIvba/AUu/YE6CmVuZHN0cmVhbQplbmRvYmoK
CjEwIDAgb2JqCjg5OQplbmRvYmoKCjEyIDAgb2JqCjw8L0xlbmd0aCAxMyAwIFIvRmlsdGVyL0Zs
YXRlRGVjb2RlPj4Kc3RyZWFtCnicpVRNj9MwEL3nV/i8UrPjGduxpShSv4JYicNCJQ6IE1DQagti
L/v3eWO7SVsQu7CNMvHHzJs3z55Sa81j89OQWRCGHav1Tu3DF/P+ynxvrNHn4WsjgeB3aNTe44Ub
vgg5Gem3+N2bb83+KkPrg/jVrukotGz03X021yOAMdr3vBx2d81219w21EZDrU/4IertKwDY1uns
EfMbvHema0OwnMybxjoQdZ0Dqzz07GFBhXybptk74P4dJiErSvfAKaF5UiLPGaEOQPmoi3gStR3K
75QGC+ynQ3P9+uDM5ofRpBCSksZLiIHzl7pY1WBOyAL6bTjqIRjtP/TMw8L21tGKZVhwb8fh4+6m
KKSgF4yAhUCJAXAZiI0NqALSkp2kfYJNECDwTIULFVoO3NNGWVBQy6NyYzcsQt1cn5NjsdIpQfJR
k9noxE5JoJF4nMVE1GtKEOXnEo0RmovrLoiyHRa+t6KMlpPZKM0iIo2U/kRea6K8nN04r8A1zju0
HRZO11w+jXWZSQCALUelae1II/ylOpRQG7PzSnOV3ZK9JJNOSVPK+5VmzW9T/irJynes6TNiHbt/
1R56x5dqb+3xok3qWxSCwlMlpWoW5VT0XLVUWSVX7+biss6zQBqasmbl0l1qE/ozxKr1fKJP4uGY
NkXHaT+zqScSn9Fq3EVtrxe0GqPr0+UNPlalZ1041su4PCnpWIYkTGWpsstK1vnyBwBI2ffZyuDU
4Bou1UG8Dlcao+1ie9lioUTIiODiG8roGTo4Punk/9JB4hFh0sHR4Grn0rGl5t7U8z/9U1rNXdyV
vvztSlByVmt2xNqytfSTg741vwCTf33mCmVuZHN0cmVhbQplbmRvYmoKCjEzIDAgb2JqCjYzMgpl
bmRvYmoKCjE1IDAgb2JqCjw8L0xlbmd0aCAxNiAwIFIvRmlsdGVyL0ZsYXRlRGVjb2RlPj4Kc3Ry
ZWFtCnicfVDBSgMxEL3nK+Zc2HSSTJINhBxKXbHgobrgoXhSq5RWsZf+vi8btIroDpl5s8y8NzOs
DZ3UOzF1DBht9V6qPz7R3YxelaFqx2flAqPuoKrf46EMES3fUI2tbk8vajubqKuhfzGqyEE7CtrS
+EjzAcRA2yy2jDt1Maq1Yt0Ta5/woevmEgRGS81OyFd4O4o6BGMTXSsjGFSiYKoJeuvhMQp7nb6y
W/D+T5OgitU9eFrrlLTOnxNhD1D5vv6EJdYR68c6hnXwDwc1vzoILd9o3ZbXYlL4DO0Mtp80bDof
wjEOscksxWWzLJ3JvCidZOsqdsLJRisVG1dCFlfux1U72d8q9SQm2F8qIhMJTzpm4KF0LluuWdNo
qmZw/VlmTR8ZSHNoCmVuZHN0cmVhbQplbmRvYmoKCjE2IDAgb2JqCjI5MwplbmRvYmoKCjE4IDAg
b2JqCjw8L0xlbmd0aCAxOSAwIFIvRmlsdGVyL0ZsYXRlRGVjb2RlL0xlbmd0aDEgMTE4OD4+CnN0
cmVhbQp4nOVTS2sTURT+5pmmViUS8LEoE7DYgsSkNmohiOBCCiaFBiOu6mQyeUBmEmYm0iBYg/6E
uNBVcaUQ3HRR3JWSRUG3rl3qHyhiaqzfxGlSJP/AM8yd7zuve+45dzynaWIazyFBMyy9ERUEEUAX
EM4ZTzytAF+EXS5yudYq7aXC38h75E7F1Ivb3sEcIN4iv1Gh4sXgYYi8QX65YnkbX5CNkHfIZ2p1
Q88gRihucZmy9I3Gadzz+Tsumq1b5n0v+4B8n3t8bNRdL4pnR9z6pW/3C+Hjywyh6nMR/70UIKIN
SG21xCmy+9cjschcLBJrSxhsivgNtfTzTVspsXdddJSsskQ/3KRXV37bkbcOHzMDJ6A6ymdawmwr
o6/EznMRpuXbh3sFRe31+z3hqpwu7vd/+dP35yBcfL3+Pby9fjZ9gFNTw2J2i5Gdk8WpDqvirHE8
KMaF8oPNEy7CP+eRZKCtXkI3tORXhSivzPLQS+JN/ZtHxPFduDOKO4MPo1yzo7wCY2YDLLI78wH2
c10LsEy8HGCFd+tugFXqV+kpyOwJ0ngUYIE1vQqwyH3fB1iififAMvGnACu4gK8BVqn/MW8saIuJ
RErLNW0tUzWcuttyPdNytRXbiK82TDvXsgr12ppZbtZ0Z6wYo7zpuNW6rSXjycRYy+MZWOCvsogE
nxRRDk3Y/GZQpc1BHS5afD2YsPjVsEK7gTiP2qDOZkSLlgI9a1ijpswMNeiMneQxSZenxmHuKpm/
d5LZk6xnku9wFkM5esreTJA/xc6ZXAplbmRzdHJlYW0KZW5kb2JqCgoxOSAwIG9iago1ODcKZW5k
b2JqCgoyMCAwIG9iago8PC9UeXBlL0ZvbnREZXNjcmlwdG9yL0ZvbnROYW1lL0NBQUFBQStPcGVu
U3ltYm9sCi9GbGFncyA0Ci9Gb250QkJveFstMTc5IC0zMTIgMTA4MiA5MTZdL0l0YWxpY0FuZ2xl
IDAKL0FzY2VudCA3OTkKL0Rlc2NlbnQgLTIwMAovQ2FwSGVpZ2h0IDkxNgovU3RlbVYgODAKL0Zv
bnRGaWxlMiAxOCAwIFI+PgplbmRvYmoKCjIxIDAgb2JqCjw8L0xlbmd0aCAyMzAvRmlsdGVyL0Zs
YXRlRGVjb2RlPj4Kc3RyZWFtCnicXZDBTsMwDIbveQofx2FK2wO7VJHQ2KQegInCA6SJWyKtSeSm
h749TjZA4pDIv/x/1m/LY/fceZfkhYLpMcHovCVcwkoGYcDJeVE3YJ1Jd1V+M+soJLP9tiScOz+G
thXynXtLog12TzYM+CDkG1kk5yfYfR571v0a4xVn9AkqoRRYHHnOi46vekZZqH1nue3Stmfkz/Cx
RYSm6PoWxQSLS9QGSfsJRVtVCtrzWQn09l+vuRHDaL40sbPOzurxpLhuSn2oC3d35Al5xZ9kYFYi
TlXuUOLkIM7j76liiJkq7xs0rHADCmVuZHN0cmVhbQplbmRvYmoKCjIyIDAgb2JqCjw8L1R5cGUv
Rm9udC9TdWJ0eXBlL1RydWVUeXBlL0Jhc2VGb250L0NBQUFBQStPcGVuU3ltYm9sCi9GaXJzdENo
YXIgMAovTGFzdENoYXIgMgovV2lkdGhzWzUwMCA3NjIgOTAwIF0KL0ZvbnREZXNjcmlwdG9yIDIw
IDAgUgovVG9Vbmljb2RlIDIxIDAgUgo+PgplbmRvYmoKCjIzIDAgb2JqCjw8L0xlbmd0aCAyNCAw
IFIvRmlsdGVyL0ZsYXRlRGVjb2RlL0xlbmd0aDEgMzQ4MDA+PgpzdHJlYW0KeJzsvQt8VMX1OD5n
5j727uPu3Vc2yZJkk0AILpBIICGCza08ClIUKVKihiSQhIRXAgQUkQYFREAKIgERq/wsUl+FRRGD
jxotDx9VqFpaaxXq2yqVr6W+IJv/mbm7m/Cy/X2/n9/38/n+P9/d3LtzZ86cOXNm5sw5M2dumufO
ryVOsoQwYk6dVd00ctrEywghvyMEvFMXNIcbf3C7D8PHCFG/qWuaNmvBz355CyHan/C5c9rMhXXf
9fW+RogHn697qr62uubqaYZKyOwNiKO4HiM2xG7hz4iP9Kyf1XxDdY8f2/D5BOL0z2ycWt329p1P
EtIkYfrts6pvaNov3yjj8zp8Ds+unlX71I1FNfgcJcR3W1PjvOaN5KJOQpYN5ulNc2ubPr5obyY+
TyKEtWIc4Jd/nBhU+DNlkqyoNs3ucLp0t+Hx+vyBlGBqWnqoR0ZmVjg7J7dnr7ze+X0uivTt17+g
8OIBRQMHFZcMLr1kyNBLf1Bm/vCyYcPJ/+SPfIik4X0pv5/7kbxWfOfHXXf+idXzMOYlsd3/VQps
8Uv6ryJaScYTo/P6zh2dJ8g2UkVsndd1bu38Bg7SUkxNQ4rtnV+RfGmeNI9UdW4lv8XYNvIg+TW5
l/Ba7MDr/yCWvfjLn39FVgi895N78H4PuRvvPOZhvO6+EBGw/YzHL/Abw98/nAf0HvF9A787yCKo
J9eQxm6pd5HFZCa7DkNZnX/F+8TOh0X8YjIN4VqRktVYyzmda8n99HKymOVijjX/Gbb97+d/P//7
+d/P/37+//GJPUjWkuXkE3I5WUpqSS0MgkFqVPkEY0vEdxz/mpeNHz3qB5cOHXJJ6eCS4kEDiwZc
XFjQv1/fyEV98nvn9eqZm5MdzsrM6BFKT0sNpgT8Pq/HcOsup8Ou2VRFlhgF0hdSo6nDJo2YHk0b
VhV15g7PNcJR5xUnxhZEiTeUnesJFxWU94tDReVIlPjGRP3jJu0i5uDyqBI5G+SKKOtlfJmNmceG
wiOiUi/8y728uiaaP35Sdq5xJJRML8c80fRhk7KzQ1HaC/9GYxL+XV4droka4zA+O2TFjI6ScZP4
1db53mCMJIOzy/E+flI0M/FYXn4+IlEL6Gw/i8wrYJWxy5k2bHiU+HcR53tREuBgJwaTKBkazY8g
IQaGBDZSEAX/l1HwRSEwFkk+swie7djg8/BgRM303BE1DcjRmqounp6wOJodXhVeNX6SpwiDgugx
0RevmrTLYR+WO6zWnowgu+wOjHGECEYRRNK0C5w/ABGgzhGX7KLE5kIGejnBI/g1PWqursJA7nDk
HKb4ulLaOttv755EMFsi5LNCVqlRZVhUtcgIN0TN6ihZHd7Vt33V7W0GmVIVcdbk1lRfNynKqhFg
F2G9RtRPiPYYM+4ajMKi8KqqD/MGHy5uvPnCI+rDq/CZw1bhPXc4b/Yz4mvqa6t4R4Gq3OGYpg2b
tCK7PRT14u+IqCcS/RGC/ejGD0IYW16eipStGpGLyBB2xPTLOM8Lku0iutvoGsF9c3V1OLpkynSr
c1Xfnujg2auMqPOrbGQ/NgDmFBnjnKqpms4pml7NazFienjV6lpRk9sF5dghwyOmD+cXz4jdm1yN
ua+ZNKI+d0RXgVgvDLBeZ+fNzo6mRXjGVatGcBKra5B6i2RM6KKfd/pQBJCeYVFzgvghEwSLsUSz
enh5PCoOcA3PxlOqhpeXZ1vNiqBRtdcKuX9ueBXHqPaK+iNG9j5Ma+/Xd8z4SSOGh0Tto3TYpEuP
p4aOY3jMuGQ0pCLMqoLjIYtHY36SO+Yqq5HrE7eqCdYIpcmGRdA4vMD6amroVQyPzB1ZtWrVyNzw
yFVVq6rbOpdMyQ0buat2OZ2rmkZUhcXQBox/anUoOvL28qhRVQ+XYCPz7jRy/Jio76prefOMDNdX
W9KgLDd7cCjbU56AGXeh5PhAwg6N3doaSKuMz5E6JwqdUHgklyBtOPBDUWMwH4lIy9WTsKNPFZ1S
3HAA/ATRh/hQYOW9RjT8JM6iUHaiy3DRdlU8FpFkZ/NBsrrNJFPwIbrkqknWc5hMCT1GzIIItl4V
T2lPpASu5ilLEinJ7FW52FqpY37yL3p19x69ypPrDZcWiBYQErUm2j4B6/jN4KhtcLzBfcMmsRCN
h2iI8ZA9ghJqaDQYERk5T1AQrjJyw4dzo0YkKg+b1B4aWh42PCjBINkd4hghaqZzoXk49yXgopL4
jSgMjUIKTyIoOoUEZ8HBmJjMGx6xqire17pXMS7va+rPX0+EMXKxqiEL3uPN5bX9nZBfccHcayQf
WaFsC+Ly8qjOxW9U/1zcsH6hYZPCKGpw7F4lAuER4Xre8NFw1XAhFMpD3aPbOo9VDecyDknmIKF4
J8d7+b8uNc0qNvXfHwZLcBjcfHt5/SVns3nMhGRo/KTFoRvL+xFC+UKIjF/CiEpSTbsKMvPKTJNI
wX7j3f2kbH/B/osLsz3Znl54A7TPT4dZ+2lTJqdIWGrnaykHEc378lo034vMHtJm2UZvoLdR5qVU
ZUBWS6YKmh1W64URWGzsT099bexxUlBWVDm54shxRJ3rUXIHhUuK6Pu7f/Y3yLhpqbRx8YOvId7n
EflCeSlSdp/ZRBFVC5gEwlAIJkgeJsnQUlNoylAoQ1gGQwYiQ+kJGaIybJWhSYYqGcbJYIoEjG9P
JFmRRiJ+pwzrzoRHdBXxz5z4Z278M1nERgCpT081RE1EHYpgYVsbEot0byNEeguDDjLKzNHWK4pd
Xk+Zfb0JqmpnzE5cPtmOdXHCDBp2ASLjmDrax+DsuSS93HjNU1qAf6Qg/XjZcW9pAWcS8j4Qv6S3
Tr0iZZ/exAKnP2OL5aX3xEbeE3NguREsdw+Wq9L5ZieR15sKY0ym5IYhtIWZbgYOZtMY8myhBg0a
jNagVIOIBmkaaBp8/a0Gn2rwkgZ7NVipwSKRjAkY/5aIf1rEY+ZykXlIIudXInWzBqsTeK34g5+K
nK9osEckrxTJmLmPBiENFJH6kEhamIhPE+VhxrdF0kaRBenopwE4NNh0SoPPBCWPiOKQyBkaTBDE
YE0Q4pRI3Wa+JBLHiJSeIvoVkbJF5GvRgFZqcKUGhRq4NZh2VINDGkQ1WKuBlYCxJzSw4ndqcJ8G
TSLJ1CBLgy9EEkY2isgyEUk0KMGEwxqs02CJSBunQYFIOCywrBNFW/GIKKyBoUGnBsc0eE6DrQKg
SiSViVQkQp1cUXF2ZzyrN54nRSRUnpE2t+szOZF0/sSzcZ5bXlf/j5DUgrJ07L0XF0K2J9eTPShb
2hML7I2lSaulj0+lSR/fkxgT87FvaqTMzMDhQFVYb9qYypiiOXygtKgoenA4OM4/HHCUpceHAljD
AEuS5p/+mNHTsTb2e+njmOeejm3W+LsM2mg9nYJyw/0EbKY4yAuM14iVd1A2re/4M82DtocRsh7F
XgwzKaTeHIQCBtZQ5qeUaaSc0A8JMMI2mzID6jVQUNJCSm38CVHayE1UlRfRSAQ83tLUgqIByJA5
pKwdeXG8tLJiDmpOkRWL911cyLXQJz5lMIkCzKkoB8jlVLBYxx2/oXUdF7ON0jenbNLRbZzy8UjP
aflekkKi5siARKU1PrS5fIEG32YftftA90kBzbnFoW3RJRrYDN6tPljgA+bL9RX5pvokH5N8lCgr
Pamm0xmgQYoEgqeoKLUg3Xh37PF93tLSSt6EpOx4aVnHkeNIeik+r9CRVjlB7F7i6jxh9vSlFl+j
TldvVF9WpToZFANuNTYaXxlMNgIGVYfbT9opVGDuOWRORaS8DwwqJmhB5uXmqL2LiwagsYhtnM1O
n574HVy+ZWvLzt8W/f79Vzru3xPbRg/e+TfI++zG5tvq1s754LHlsdP3xw7y+q/GmeQZKUIMUmHm
K60DneB0am7SCqzVbdhxMBBMKiTMxojXYVuumR6tlsb7yz7jCNYtbT/vj/G6FVQct6pk2tN0eEl/
S/9UZ1AxpxxUJFNRAtiLigLFSC19pqh/XklN9Y5tYxZcOUairT2mvwYdUcn7H1saCSXjOj+U/EhX
JrmIfGtWZbVKkhLetFN/Tqe6nu9NaXUHsgIFAWZnAW9rmkHyWxUfLEVaM3Qpa3mG2TejngbCKaa3
x6iUXkh2RKuj7X1ha19Y1xeW9IWmvlDVF8b1hUIRmRx5VtWOL34zkp72arye+9uNI4OPYwsWYC2x
xvGKeksXF6QmquvZmwNSyB/qGWKqP2ykjbKjEmL6dc8om2F3jYqosCf3QC7dlg7pPCGg2ket9Gz2
PORhmqPBsRDnidUMRONGsLNURCIRDJZn5+blDVJyc/IGDSwuLikRba1gY4vW9vh7D9JZwJ9SNKBY
8j9jBPe+e+eTs95+6PPm9SMP/ahowj9qDx/ccWz1suF14+qOpF2XuWPzbTNbJzjc2evnXpq/fEDZ
M8/HLv/lkYMu94CJ5mVXVWNHIOM7P2Qfy4eITnqQL8xxRquzp3OgkxKn4aQ9WiN0CKVumkWpU6JO
vNldxNdqN9JaJR94nW5YTlKWqmYmqacZah1dlwlNmZCVCZ2ZcCwT2jPBknCROI+NjvZ2UlaGM24Z
HxUFBXygHK+oMBI87f+2DR4LfhmkzwY6AnQMhTEhGO6F4Q5o1pZplOKMonm19zT2gvK6QpW2zk/M
nsH0UYvk1TJ1yeCSM+TjMkMdy0CNj0X8gFquP+pnnA6CsoOzek5C9JbLuZzT1DPQWzQg6ClinjzO
bIu9xezjHXPaX/z7yT2vz9ixI7d14u2bt64uWXAtvflu1I1sn0HuXXToqSp49kdVrzz1zBuDai1e
SlnYg/lOztvmFa5NaWaKkbYprTCl1WaQTWFvoRc1NqOV+twyqLKX+JY6zZCzgaa5lspmulxHD4eg
PQRbQ7AuBEtC0BSCqhCMC0FhCOac2V879sd5eiRtP3KRpPKOWoGcjRARHWdo34bUh1L3pr6UKgX0
Wp26/Bl+ykjQCIaDzOkOAHGDvprPneM0qrZ1fma6g6Md6rUqdRNmMBqU+Bw0mbNtMv8jfEor74Vc
I4MGkqIBJBDITkF2lTDBOlXKeueNzth7oL33CtDTp217t//2mbtd9868fmvq5IWQ13kS+sU+/bTg
6QNzYFPLxjuWcXmUhfL4qOQlDomaFTab5nDYUUvGCUKWJQUUSsHhIHZmt9lUWVYkTQKVqCsU8CsK
aCgNVkiaX5I0m+ygErFrquKWcJbxojaMAIoEGgEbsxvEkJ7qPEEUFLudqD07JEXrYwe7HfL49mQe
OUI+IpKDuFRFQcUcXsKMUprURxotlUuyS7rVBQtcUOeCiS4Y6YJiF+S5IMUFigu+/sgFB1yw3QW3
CojhLhjogp4u8LtAcsFJF3zggjddsM8Fu12wzQUbXLBMoKsR6IYLdD0FOoT/ygWI8HUXtLvgsX8D
/uBXooAjooA9IsNGQcqF6P3I7BTgFs0WrAWliMiNieLquhWXJ8raZBF3QBS0PQFkJX/UjcoJ56vV
hYisSRSfpHDaRwkCz6LuLRds/l62JQvYfiYXkixAJCVfmXMEsAWGqaUuyHEBGC4gor2OueCw4D+2
11YXrHPBEhc0u6BK1MwU7Ru+QPsiPLUyNLlgnCuONKFgVp6j9cVVv8qzFcN/pYyeoz+eq1ueJ/uF
0JyHonNBC7giUlRUUGQcQFk6YEDBnCJPsHQwfoTCgxpPe3s7v7zB0rhqtqJ/qqWhGaptqG3ouXeh
uTkoSDYgc+bg9Md1Nyjif+zoM7G3Y+88AzfHNj8PEtgei22D+2OTaQb8M3Y7NMfcKD0yOj+kpXIB
8ZNZZm+75lZauTKzye9FKetyuf0nEMbpXq5qRDGUsGIqkorTRrtp96eOUpSUwJIUqOCTO06+7a92
tL+Jyg1XNQnXbsraO9qNVxPaDQurxiiJ3yIQETIwb5And1CRB7+BXI8fpSAtrb5kxaKWlh0vvji9
f4mSfdf9tGYtZMTeX9ux7VE/UlKCs+03qHvmkBNmmHi3jPNV+Zb4mM+nZIS2kHSws/T01C0Zkm2L
ZmqczH6aVqxpji2KrzwAEtaS6iTs84X0wMqwvpL1NEkIUljIZjMNb7GtIAKpxgFuNXBN9E2htXiK
JgtddEBBfGbgwS6VpjSuPEuZ/kzao63zGzPblzrqxhSY6K/z03J3g5tOdNW5qANnrG3Zu7P3ZbNs
rs5kop4zMasua0EWuyUNltphpDRRqpPYSDqR1lFmmfYRPulagXJIQW2V5Ob0LuHTK9drcgeFz1Bl
Vfrp4vWxv7713aGiZ353+9NPP94P5t697OFHB+4/dOTrY8zWu/3mJ2Onb153/S9vWrHmrrcabkDF
9rVft/8UZ96qzg8kL/LVQYLkZ2aqd4smObcwn3slMdPQiAisVMxUZVFciz0e/yFcEYm37tCRwe3B
PUFWnDIy5UgKu8R/uf9h/5/9ErvSAFMHYh9nr7IzYhtnq7Ixt1QpNUrMTStpI2WqXNltcJeDQXuj
TmGgTuGFAV6PQXPFo+Q9/vnfP/v8+OfHY73Xrl9599q16+grsWWxVoBZsBAaYHps4+kxoMAPoC8E
Ykdjx2Lvxt4ltPOO2AS4AjU0F0mDQ2anXydCOVOdbsXWynp4SFAmyx2m2/Gc45CDeVl6yLG8pjCp
Q5SFoCAEX4TgaAjCITiUUC+s+KwQuEPw+rEQoOqxVugaZgg6Q9AYgspE8okQHEtkuzIE2OW2Iprn
QrBToPlCZEa9JSryXCkiraKeE0gxQ+MXiRLKBHrMeZ94bEyUWSjyHBVYkkVZRGL+SzvjdTBNjjfa
TUOyaOwUeZNkWdk7BeEWcUngC9nk5zfzJ3eP6QbWlXlyVzbx3GW279tn7ENBcqBsckVZUozQfM1b
LFRqNOhkv5IcEaiA8lEQ1/1hyOLVl0/KvqxfWb8dk/qWlfW96AeXXvfrX+auCJRXSU3wLI/4wUX9
fsA1qBVch0cNykOeMX/kbqXc/KBU8tjc4OKKurHcY/o89VRbbjO9tlp62AftPoj64IS4d/rgmA+S
kWjuNvm6uCRq1G3YdLQLs6jdgzIzMXqKDQdIDr+DGg4lpEQUpoTR2nHpl+pj9QodRworY1eySia5
5Sy5QGZeSeYAEOEjp7KCRFC15LLfMnxQoHIVvAQZ8vGOXz65tW3H/Jpf/HzHHY8+/Sg90DFtwa0P
08+w1muw6kNwXDCyyLyaYsRyMCUZsO+fkOGYDEcTi5H3ybBELD1myeAWi5FHu61TrpPhShk6RZbD
Ij4JfKGekpAfyVXJITt2cActRiaiBRBCORQkuaQAFPOHihOVS9CJ86It3CgpTGXu1FQlc4tX6oky
HWem0Epu1lJPoPdKlr0S1XEvc/dbqZkXs5tooSbWPkRhb3KRbRx/czK3QkuF6EL5jU9icSHeDoua
++/r/2Z/Vt63oS8tz2/Ip815+/LezGMT8+ry6MScupwFOUdypIVhWNgDFqTDqpS7Ux5OYcv9rf4H
/Ez2BXxU9gQ8dLnRajxgsFWuu10Pu5hdTVepXU6XqTrRD2n2PnaaZutjoylSnkRTaJ6Q+JLFLXKO
YhGX/FJuTk/s1iV5vHMLca/0sqYBYXH5uoWZ7ZY7Yl+++YfYl+uWVC54b1/7J82x1+puWz5j+tJ1
lT97JLrwxl3bmC3ym5ZnY52/WfRs/x7bpt3zxu/vrb+/3/V1VfObq+vnd/T75c+at22fe8t9ODds
I0S+X16K8jNAfm+OpwA3E5efEJdLoet1XQqsVxgBGYiBHUolq11bXHSh6yXXWy420DXBheaS6xif
/6hL8i62BwNSi2ymyDPokiA0BSEc5BVPDA3jyHFr+YdPBagkDR5ACg63WwvMHqETLTbiK0DmoGku
WOR7xUdf8UCFf5afVhizDLrIB5oTvnPASsdDDrpIgy81WKZt0LZpTNFSNEoSbLX4zRUmsU43QEKO
qr2ykY9GdrZ8/0exUGx5Gy09DaG2uzra4PqH9sbWxTbRso7n5aV/PNh6qPfNK1tQowCyCPvsO9hn
82AJ1zhabskKl4ZsDtvNGSF/RkaIOnIcaAeaPPqhDJiUcVsGVTLyMoozDmR8lSGroYxA7noHsIGO
CY5mByMO07HVwWySw2awvLDbW5y3IUzYejNX8m4I+wLrTcMXykgNO2wuhYR1bzFx52XlFeSxAMtL
bXGZLk6D4UsrduX7vEoLCRthqoZ5Rz+y33it22DYLxYFS/mFxm/62I4j6WnHMSB+I8QTX4arrIiv
v1VECD6v0Punjo2s0Bfvi8SboTItG55JAfY0hcf9QG/xr/ff72fpvot8l/hYAHrBIGAvheBUGiyw
fWT7ysb+oAJgvUZJ2f7sZdkbsrdly9dmzch6JIs1B2FisC5IHXpIp6rk9Dup08mVJTuCc9FHXYwT
EeEmtaUWxRuykv/NKYfEAoScSfmQCfcukSxlKa93fzpoYM+iAVJQmnLVP2Zu27cEyMNvbIy1fRr7
XUcJkC8f+fP0X9z2q1fXQc9vrgfvHGnepeMWTh4+fUT/n/zipkOfLL93+brm0dWX5PUbv/nGRw6P
HSFWQnHeeEmK4LjYbHrlTUQBB1O4UmF4NhmmwVsi3W4vNgy91efzyI6lxAzKDTSF1NEs7PbJVZ0D
51Mv4+xNLfWv9NNieiulB9xH3HS7c4+TznMC8uVPZopDH/WQfa+d3oSWeD4+pHkhhUuSSJw3FeU+
gxQNCKrJhZmSIF98GA/5f3nqwaI77tnwmxfWt24r3vH8x7Gj1A4UsqbcXv6n3U/+qW7lPOiHo391
rF7KxjrqJET+bl5ptNqH2MFtz7JTN3dSNghf1CJ2YktrdV1GDV+rzecIpSyVieFY7jQzsLo9nLU0
mgFlGbAuA5oyICsDOjPgWAa0Z0Bi2o8kBEC7cVwscH1wPLG+ZXRf3xo3RoMxnkUeOjwEwwGkAOwO
nAzQp4OnsNeosFoFl5qhLlaPq9JuZZ/ypsKWMaD8z8vmsveYpDpSQ6mRVObwh/wRP4O2zk8eC6Ti
TBpf36oQ61tzLLmLctYb4Ppnb74G6/GkJDTvHAVKl/xmz8l/Pv3cwh078jeNW3nP3atH3snuvCv2
zmexU7FXN3R8IT8bOxgbNnra688+9UoFicvRKpSjNtQz5pvpnvWEaettrsWS6ZMaqdbCdYsZNOxL
bC4k1eyCLjW7YLsMTncPd1/3o27J6ejh6Ot41CHZ2LXKIwqVlIEKvZYuovgZQKdQ5hCrT3x4cBMG
+0J2mHgMkp1dkj2AB3Kzt8GX8GP4Wezm2NMxWxsM/RZcsf/4OrZPXhr7eeyx2G9jN94DGWADDTKw
BnaswRV87w5DX5tX2CjG25mkSaqmDNb4/unNRMWZQdUkzSbdLCt+WVYwrcS+3ixksIStY5Qwk1GV
7/lpKp83UOPAXiTJclvnCbOPJmtk1qWqomlhh1O7rKYw6oRxTjjhhHYnrHNClRMKnVDghIRmEYHB
nqIiccc/klogLOginC/4VsfcdOQizhoosmw4cfCQCES4PS0PRRN6qDCgzfTVGgQ0YIYKigoehwKp
hIGbQposWCgEDl+8w/mCZbNcKPJhDa7Y/0LHgfbf0sujq99/H/4ay5KXnv6ORjr+gLLBhk2+XH6H
BGCEud/ualWJYRhUNdC2BtbqB6fN5hA7BdRBVMdytw5BppuGMyXoXJ5WeF8Q1gahJQiNQagMwpVB
KAtCQRBQbLiD0BmEL4JwNAiHgvBcEJLAFqQFZgFg6k6RVCYyDnlOAJ2LK4miKgiFYlK28mNmUwC7
g0mWd9fmuunu51n5iIDRnp76GjIQR/abkxNLAwVibWByRTvfj+Psf7ynF7xczntt7lG+cFom3jAk
8RBEIhESSeyGBAJ8qSCXLxsINYgu73N18aWFH3ywY8eO2+64St6zIm3qzGlrTy9mS9e2PLHJ2q1h
n6Ny6SG/Ni9TW51OTW7VDezJGiwnpo/UU7FH49X+s2p9R3tynLaXJbbCrS0qo/PY496UUWIi6Kk6
RhW7R7ppT9SJalzNLilbuUqpVuYoUhb2NJbFqMF4nxXqUAT7mUfY9kLyCIWPfb5T6PE7tu3Zupfe
df2yhzuC8qGO6KNPP4L1vLfTgHvJO6illZia0/G4EjWJz8lL9qjeYifDCu9ipu5muwYUxgkuLTAO
RMTcf/wkmldyl2qp9i6GtEHDh108ePxbvReFlMsLikZea+6bPWoollSDs96DOCP0hAHm3FTVrq5I
T/Wnp6duSIfr02GLHX5qn2ZfYWep6f5su4oVbiW0NdvwtHr9rW5fanpKpl11yqRnCs4PbicKkDxn
A/V65OWZJsnEx16ZddTIA9SnTuTBsTxoz4Mq1K3yoCwPMD7e27rbiUfS9nc9vJm2v5tew3tafA+R
X7ztxEainthINCe2BeBz/bROB2eBOwuoC9Q3wu+H6Z4waGHYq4Oi5+l0I9vOaGmPhh50dAikLH9W
z6zhWZLDFXJFXGNcku1HjhWOTQ72kh389uH2CXbG9czJXXpmXGFBDcWaiIPBFMtW5cYrX8bp3Z9Z
3A+yy+7bdMOSqytWHbzj/efff3bgrl0gzXx83fQJvf/08tUvj2OllZdfVnBpqPfgtbPverRh5eQt
Q8dfnB/50aSS235VcjFK6UWomlwh7Do3WWBeaZdQEhnczYW6UT1fbrrA8HArr9MDxzxw1APtHoh6
4D4PLPFAkweyPEA8cKJb0lYPrPPAlSLpfNZcqrEP9cd9OLArLUudG3VnGuM7kka45O1mfAOp6vxQ
XoHac4B8bg7/xAYf6yBvCLuVLIUqtvUmYx5Uf4XoZIa+3vT5lLDLW6zIHoP/Gp4gcYBTcSwmZgqZ
Sbk1Ee/dXHV4dz8n7sj+SFzD5X0kruTyQNLuu/bDADzlhOMAmwHG+Bf56WrvFu/TXjbCgGfd8JAb
Vru3uKnPlesqcj3ukvxaT20gmhS7tX2a8hzXO7aodIQCq6Ut0tMS201hI4XRdCH9NLGS1/UhCbUs
O4xqWXYOn4iLwqiW4eRcBZtgDAz7+4S3Y7GvYn+EXt+B/dPxp2J7Yg/Hmukz8CPY8ts72mLPxjrw
++Iza1+Cn8c1C+mvOC/biY8sM/s51hs2sNk0H9cwvJOkeom6W4hUJVEfkwIOrcVu+u2oaQQA/yrm
JG2vd7naWUEsIZZUQPNmGIsMWqM36/QVA/Zh88hQx0BhX+E8Xu5p8NByV4OLAu/icxK1E+aUlIuW
lS/bUpmyt9Hx74Ae+/ajWH1bGyzf8tCjd8UWyUs/feLJjo5D9NU7lzavIwl5jdLlLHnt/p8krwMX
lNeS904uruN7nblYT77iutdcPSIFrk6pTXkihV3jn+5/ys9UX9BHVU/QQ68xphtPGWyEDlfrtfoT
OkMbscmxxNHuOOyQ3WqLulY9pB5VZbfcIq+VD8lHZZlAEyyBdjgMsip7W4nhbFV87qXMTGMNNLBU
M1O1Oro1DdalwZI0aEqDqjQYlwaFaXA0LTnCz7vYG9cnsaXncD0ZBhCxKM13M7svQdAhfwU19u1f
34t9C+p7P9/+f+7c8H+2S5HYm19/HXsTIt98CxednvDBA4/98cjj29/n5xw7P6alKAUYudz0ch+X
dywfF0YkCj6KuuEeYjAiAy0oMtoHDB7MnVjaz3BfMZ0qTIOD8DF8jbWGyRXlGuQCLY1NugMelO/9
brT8ZMLHZxCOFZlkmwZl0nrwElVqAVOBGYn1beM1XtuLC/sAzr3Z0qDTjW30LXnpqTQCnSdjE9kJ
yYsq61RzjtutO50uh+GocoPbDXbZ6aCDHYaxglBUg6lbdxv6CpfT73I5tzl3Oz9wssVOmIHaqxPG
OCHdeZHzEidjDic4UNV08twlussgburQ3E6vqrWaUg/qcCsKRhJDd7m4ktzpdrnJtEudbnfY43Wj
jnyrF2q8MNELI72AmlSKFxQvfP2BF4544YAXtnthoxcQqC4BVOyFvATcV174KAG5pxvwgnPgk8BJ
yCRYd5iDFtC+BNCy8wH9O4iSMNvPpN7sTBK/6aQXjnnhdS+84IXdXtjqhfVeuMULzV6o8sJ4L1zm
hYFeCKN+6QXqBYT/oBv8tm7wNd3ge/578BO7wacI+GlWhiPdMmz83gzd4SEqarBB8KxJ1GCCl7tv
FIoa+L2Ac+cJZMAqrPObgsX/To6SJHQSNAmXBDovDB2XwES80O6FdV5Y4gWMLPCCISLV7gZA5Xn2
Sr93n7Tyv7izem6GC8FN/h6E50UmLMqEWekpSi1AK5NwHeJAGRqXpXyTNmK5dsR3pFecYWTq3MgU
lmNi51aIqJzH3OBioEos1WUUb3Y/5KYbnaA5+zhXOtkq+912VBcEPiIW27gjnpLc4Cjhu7rsROya
sbsfuKqyV8WAnywtjE15HC4F1KlO/eX5P/ZZnXn77ZJ+ej8bEp9JFT7DhNn9j9s2hUJCdrg8o7yt
wRB+/Wlya4bRmmYE3OD0c0ck33K/6fQ7SO2QEF+7yc5xopZYkQOlORDJgbQc0HLgu1M58FYOvJID
e3PgkRzYnAMrc6A8B0bnwBABh0AI86kAeykHnhYwq3NgYQ405MC13SC/zYHPEtieTYBZMFhknxwI
CWwvnxJwL4kirfIsoLHd4JK4uhe5OAdghgAdIwrMyjE7QRKQWORzObBTgLXknAUFjhy4u1PAHRXo
EG7LmaBXikr0FKBnga0VYDUCXVkCo7sb2CMC1aIcaBRIrPKmW0Q93Y0oq5iQ4OcXInMSYEOigIgA
wDqdzIG3E6gtKgeKJCy49JRIw5xbc8wreN7mc6p7KsGVbYIyKzUk0B7OAdrO88K6HKgSNBXmQEEO
kBywJQdW5ble6GeMu/OOuPN5Wpw7xM8zeCvPB3mm5LggwoRzvJjqByS1X64PcoXw8HHLtc44Hkks
Oz75ZuYHmSczWSZfo9BU56g30t9Pp8IrMV1zjjri/shN97rhDxLslWCzDteoT6k0K+G0SNKNdLRe
uMrId/Ekg+93VwqfMKGeRvjuflx9VNQU7u95hiYZFNqkkrtj6pQfrCmlOyoqVt+yY8fKx98Yvfa5
ex6kdy3+2RUjPBd1DOGhuIq5Y0fbDiI2ZISuotCYOZDKMFhWZElZQQCVE5AlWZFWMOpnjGJaCVEk
5kYFS0GVFAwFFRzGhMiQmYzqBlBZDqs2GfWNZTa41gbDbRCycbeTr9+2wT4bbLGBlTBGJDhsgPGv
iPjVZ8Z32uBNkWWrDTaIXFU2mCAwhm3gF0gPHjsHyIKwkq2k7vEWLWeRkozfdCFakvHnpYITYb50
AVotkGnnkuL/XlKS8WdRUnIuiWVnkfKvmHYuAB1ngwIboD1IbPHJ+jweVOcZQmcnnX+S/ZfZLjDz
nj0Uu9ZwcVxYy7hFYoo9/9qtmEszZsjACpRGhYa5aeumjZSqBMAlAWQo1tyM5tkcUmn5s1uTZ9XW
WFViyvy75LXmSkpK0SooktegBe0iN5g/Ul1O188V1a8oqs2JBoIzrHuKg04gqrO3k6pgU3CcaK7N
oMpBGQcGc6qMeVUnGqmrnZOk2yRKJMmlFBQVFVRWDO0Y+qq3FM1qvirNn0orK8QOp7WhJmoorBjI
FUcTAPWNbA9IRW/s7lhDN9z5Rmxh7FIoib0EJdtZ9PQ4urpjPqe5Hi3IXsIPvxf5ozlMIvABOYnx
WsYW7ns6jq1jksaY5vZsIV7DS+3M6/VvcUvBLZrPY7q9ozzpK5VcstJp9lZuonnO5F55x37j+L6I
MPi6PJ3EvnnFnDjzr97eE25M+XMK1ezl9gY7+9T2rY3aDKcxymEL2agk+aUJUo30gXRSUtTcXnf2
oizgC+QG7gxIG9yQp9+qb9TZHjsMVIerE1Q2UB4uT5CTSyVkcnz7qhyKxR6Mn+Za6yTxnSyIm5rc
l9sL2YVtdXs7vnzry04COR1P3VO6Zt3DbXDxrXdsXtbz8uFDht7LnGPKY98dejf2CcyEa2EO3Fy9
dmLH6Zui97Q+npJfPMF4NHZC2OSxCexj1JhSSR6MMfWgO6/V6Ux1ukelt6akcFk4F8POFGeKntHq
N3Jb3TroPnlToWIq4xTGhDuRy5Ph4XuX6cHlqWZ+aj1V5PBSj9nbU0fNfAjnw6F8iObDOhEm+TDu
aD6058OV+bA1H5bkQ0E+uPPhRD4cFgExwcaHzOT4GEps4qbtT+6acQ/muANzhfBswAksImawsniL
Ve/OhqezwO6Gv7lB9sGHPhjtgtG9YGQPGBngFoicA1fn1ObMz/lnjiRnwtWZtZnzM/+ZKS3yrfZR
1R1000Xu1W6qGbpnVJMaValE0UQ/YBwxqANCQMV0FrG2z+ILQSJUcYaXTjeP8UHneIx//pd3Xyv4
3ePL75zT/spnJ/e81tjdczzrhVfmrGm45YZ77ob+YOcO5Is7srr5j6PGG9tN64WnV5EZhLBKcKQS
t2PpAgl6SyskelgCqQCpOm4caS8agCPS4s1jk+wAFXyHgfuZlQQVir2K1o9+4/nn3xjdumZV7P2C
D2EbyCDBtg8LXo7VfHUyNpVr2MOxvGxR3jAzrIQJSWN9WCljNoblKq4qFVTdvnQhW8kocxtHeLkV
WLDwJ4yX/UQfGfoAFl9R7kvhzm5q72LvoIG095p46Wta5UMfxq6LnY6dil2HpcMvvvsK7nkZS+fv
QnoYZ3enNMSc0M4Os2OMhRhoaF+A0+GMT/PU7rDfZs3ykmbTbmMSBiVZtakrFGwXRb7WAYqDTzgM
p4iA7AhrzmIbvzGuwPSwG8URBsKZnamKXXMSt83hkGQKXkWoB8QA2ungPuaI9oQNltjW2bbamM3G
gRkjqhJW2hV6WDmh0EoFxhF4joCbZJGjhKmMmClpo3Qyn7qUZjpRR9EAkg7ffaXDBzoc0eGADtt1
2KDDMh0W6DBSh4ECKEUHhPlIAGzTYaMOC3Wo02GCgCnWIU2HkwJgnw57dK6V3apDs4Ap1aGnDn6+
sg8vf5vAskdgaeiWXxNJe0VOzDZR5Iwkclr07TM7Rdb7BZEIOFeHGgE7XJCakwDfjOS+rsMLOuwW
VbLqUyMovqxbrbD2X+rwng5vJuq2PgHcvXo9E8DJSj6WYMStCcjhAtIqvuGrbkitqi5L8KM7RiWB
cY9AZ9WpIVGh4u41FzDbdXM2rBTVhipRak9B1uCTorB9AssSUdIYHQoTnD8lkraKAhYJNljsCulw
QhTwiuCT1e6YWqYDNXQguhCIZ58LPEffqDw7/XtNiu9dELiww/i/0HHOY3Xg/Mo99rh3wRwPagNp
BQOKhFJQUVQkvImLigYPJqlc8ykyhCM4Birm8B1QrjDMEQf2LG0h7hd+5g+Ibf6EflRs52dSX5Le
kj6V2AF6hH5E2RAZBgLk83NTc+daMyzkMrGf7cM/+eHYKxtjsdbYK7t//8WDJ37PlSQ28vRTqCj9
hfXkF/cIQb0jW5x4CoFkjjVa7XY+RybdQWThDkJdJK3V8gdxpiyVhSeILnxC/i1/kMTE1uUqeMah
p27GmTlES01LpeWpDalU86f5abm/wU//LEO6Ck+p8IEKshpQ56vLVSmdwQcMZBZg89lyJqnC/cPs
FUgd1RJ8LkibAtEAdWvg9nCP2UMqLFHWKbSdL0eDo6uNLa9L0YhiguvuJxL4v/UTWSgf6sjochMB
UscWQZZYnw6aDlgiMbklKAGRUJE8TsrSX0U1keWyQUWQldvYe6/0YOwN6Pc23wPqPAF3Sr3EfsKg
vUTpbDd7oI6nRInh5MqeM+r1MfdOUwukpgV21hRae/OWN2oE/xBvtw07X/fNu9CAkSMHFA0fXhT/
lXqNGDBgxAgMnm7DyOHDMWStrON0spQ4WdDsdOB0cYvd4bfbHZokSzfbNQxqDirz6cnO3FKWVCAx
VVIdQFuw40AZgSsJaPIS1XTzaVs9oVIns6t2MuNSJtntYbcdHMyl29EARflic+jQacmYp4WQmCEE
zMCEaFktRM6QhCBB6EOPiOSwkD9EiLnDAjQqZJQlDS0RZgpIQwiyTZY82ifQWAIL4cYJgVWYkHaI
65igBWHWcVzmH6Gpm1izCk2WeFZxybKmJQvqXkqyCAv/sm54LaQWRqvGFjqEL+kuRJsTiBwJRE8n
EI1JIDqVqKclsGmTKN8UshfpzxJMS673Vn6/lfh9Kz3/3iKtBZXQfrtOjE+2jnVbFqMw8qx1HByJ
xnE0HQsOT64Q0rOoqP3sMzRCXIwMUOhFB9GrKRskXy3TT+yw1/6Snf7Yfp2drrWD3VTtowJarUZ7
aVDMJrI6diuT3kINx3CgeVOIqXs00FByPO5wj9K4G56BcddKqyX6EiqYhuoQ7mSRCP/jJ48j8Qrx
RR40RPm6DkC2orTFxm2MDX8wBm3wKI7we09NkbaeqpKXnmqU7ojvhH6DctYBD5hVqF5RCszOHA7u
pbeCOFC5c9g07TY7w5HFhgvRZqMO1sLWMr5xpinErrlRdHjfoiDTVvoAZfYq0kQoc1CmtXMvvrV2
6sGxBYTwLc9b3d5iQkwUJiRMqEZcNrZcNokMduaUa2mZC7Jc0OmCoy445ILnXLDTBZUusOJbuoXd
Lii1zn9tFQe5qkSeZJi44IQ4I5YEMF1QePZJrzNafvIZHaeb70dHuzhLFT9AzgVzkXFgQKVw1yrj
rmBlYmINFom5c2xESiwlrLAt3metzCd2f22d7Y+PvWqUjbMiN9J/lORodlBDMzFOM/HZQSHVBWOB
pklgBFKLId7/+LljInaAwfLW4Uevvnk1tnLRjh3w9IuxBirNj82RD52eD6/FqrmXO9+D/BwlpY62
exbZavYjWevD7kI3WgluNWW9jQXXq1xDpi6ZqL4WpzO0mGWnBFtUM6wmNin5fv3x0gI09bjtV2C5
s1cmzyOZl87IWJSxJYPNSFuURhs8Cz30iOsjF/2tLg4a9HQsc2xwbHMoipQi3SptlCQ0foopvcgP
xY6JDmHLJdoh4X+eHXeSFj7SA/nLPuI7+2z3hm2xI7/r2EH7fAzSyo5+cN2aJ2NtsQdh2v0HXn4o
to3GQk/e+sIH8tK9v5q2pfeCqQdOPbF28Q23Y0fLYm/QNfJWtKBCZIp5iUFTbFGqE/o4MUMuSTdV
7JHiJlMq73IYRppDT9sV9hX6TN9Wn+TzZfTYmQH3ccXBOo514DX8MSzXJu710Z7+6tgPjHYD2cVf
/qAEUpITW4l8xhNds2jQ8MsGDB7/VmwvhoYNGHzVW/KkoVcpowuLRl77w9/OHtUtzFcLQuz3dKV8
r6D9WtOV7kxzPK6TqOlXpHTsQ49ztyvel3pw+onm1HaxdI+ue5hnVzB4Jt3HBdUHjOMH+Ek6i25s
4ZPt73Ciz/DL6nXGE5XilPZeFFufdNiStp+X6FFDxarRCfYlUp1KepJ3zXqPpmq3uD1+t9vzlRs+
c4PmVj0e1a1JTkrWp6amrKeSM40rEGnRLK/mhm0qGKqpLlHb1cOqrHpQxDh9LYVykxyVj8mS7CYo
LlB7QQvU4eyxM8fslZcj1A3L5QzVNw9fFZtcwV8HEOQOWaSsI/IaX2o67sGIAvyc46OV/rQdFqAY
preo61W6Owh9AnDEBnkobrkNqumeUbIUkCjf9rdOqBNuUCObhFe/oqi5P6AlxfE3P3RXdOpf3/cX
SB25cmoNvYeVTRrZMODXP7+nHeYWjRzJNRu535x3d4z7xbyfrJrVuKXqkkkzSubdUXe6NKn1MHJN
Zz/Jr1xGskk+KYAhZnlGQf/M/s6c/N6u3hhY4+rtd7l6r8yEGZkwMnNiJvVn9syky7ioK3SZrnGu
JpfskHpn5mQ4C1z9+2g9csXZRdMmzi3mSrlbFCalbUk3eZ8yf4LR6ek9Uvw9tgR9dZ4FHtpAFpKV
hPV39XVm9iY5fqXAGWQZOTl982x9V3vS8lYTc5xnnYe6PWs9z3kYV9HDpIpIGrvY00gLyUy+6ie8
OkQDYR/cx3skWh7v4NXlN4dqYvurnqKkl3r78VeN9qTTOm+5xCk+0XYSbztVHyp1Odk+4fZl+Sj3
5TCd2J8sp7RlITRFCG+1ct/A4pJBRYGUoJrXG1Vo/iZHRQ3kDsrrXZIS9PRnskdRAv6gTzRj78nv
HJzx5/svXfzCzx6KXP3hCzM+aS848PjuSdUlsO2Gnx28e+6KBUul3K0vGdu3+5s3zwzGinpPunjq
LU987n/qKccN997goJ6h+de13AwPO5quWXVpRy//7VXjZ/flqzrcy/nH3E+bucxS1aYqtluspRRV
UW3KzbLkl2WpDV4E2gdKgbZJL0q0j1QqUZBUlcmKjTDmleNrIyq0mJIk24giZ4mXOFURMEmUUC7f
D5Gj5Asiq8xOrqeavICW2rkT9alP7VCOxpsdXrLDQ3bYbIeJ4hHTvrXDSpGaZgfFDi/j80cCbq+I
QogDIs9CAYQm4KciCTP3Qf0ZcWGGIwLoMTtss8NGO9xih2Y71IlCLrPDQDv0tIPXDpIdTgrsb9ph
nx322GG7HdbbYRmORTtMscMEO4wUZSB8ioD/0g5wzA6HRYao3fwMttphgx2a7FBjBzOB3I8ahx0a
EPsHCeDdgpp1dlgiqKmywzg7DLdDWEBbpBxLkBIVwBsEZI2gA1EXCtREQO4TqJYJgAkCT88EnlIL
yzaR3JTIb9FlFYM0tQuCLBRWqpX5A5H3aZEd89IqUWwBV6XgXK34AksE37fYcJYOXPmvnB+66UXn
RMSXjOPDew5fcuCLDqkF/OU/3INKnDQvLSgqEqMWdeUz9lni65P1MkxD+3cOmrlcc+XbKPKPO55q
63jmVXgD/iovPX1Xx4c0xOo7IvQP4iTxh/Jb8ZPET5iZ3juI5LxD8bkXc+ezRhpYzJ3PZtIlaRBO
g4qzjzp0O1FcsccPG4MgpfhTKD+tQTf7UAUPGXSzB+0bv061BS5UVuoctzrYw7x1Btp329kDfC9t
iI3epsJtMjikIRJ9GAcmHUh3o97LCBTCOGB6fAu265MI83Vg65CEuIN1TkJsPrAsKINFsSWxA7F9
scVwPYz6HJyx//j089gJtFvvjc2K7Ym9EJsC98IP4Eew8bv3YRA4QIVLMMO3sW9iLwov7Q/lPihb
PGSVOcCjMucdzGe08NOls6kN9TuvKk6AJD0YlwgnxiofjPNB2Nf1vrdz2RZ3pTf7uF2VrhbXWlcn
Ko+OccJTUHJY9naLJHGpG6ZNOKlL8YMNWGE/r23i2Cg/SCv3ib0W+zx2PPZa25t7n33nUWr7JvYH
yP+atZxe0/b7N/eyRuEJ1yC1xD7DOdB4AvgLrCSDn9cteNV6hZXUcmq+tDrWcEvc606+XLxt7g0z
+yxb5uakLXOLZcuIbefh/mBxDYM9llFTyRqFUaPYNcZNGj/tSek2CvdR4MYMmjBh7kVYRajKuN3S
IptOuZuqzM/08xcucOOgQrwCiy+vJSyD+DbjBW0DM6BpaVqpxvyXwOWwChhzAwTEHiO3NM7Q/OXL
P+p4dHdbGz14tGMNPbit4x15aUcV3dqxJ8GHXMGHCrOErbfZZIfCQLZDCzFdZDZVpTjlYWEdRRMG
UpMwnMaJt2ac1QkS/qwd7dyhtT3+Kr5cT7agKBsbM3fv6S/b2pi+l97TUYPU7KY/JnHP6404UtPg
CnPeReQSQgO+IKHB9aY7tSC1LLUxVVJZaqrPhcLNK9nDulFs3+AIO0zVVuxwrbdJvvWmeBOPXw4G
jYCD+2M77AGsCTFz81FvT80sFlaMh4WwasZi/ooeHPninTzhUNexz+NCQiUP6u6Pv61M7GmhrCrr
OIBaRpp4jRvfHo6nYYqX6yaJ9U59ewDe80Cep9hThzo270OVqGYcd0Mfd6m7wc3cBj5+rsD7ElxO
riFPkZeJ9JAGznzdO2qQ9wkvDXh7eQd5H8Dgh15lkA4BvZc+SH9C/1CXezngCQ0GqcvVVvUBVRrE
lrNW1uXaHRHbXfFDd+W9lPg5q7iDdwCDA0r4S+fkjZ/GdsXuj1l+3peenPCXWOep2F9gMKR8cFts
MR26cANsgR/CZZafd9u3sX/EXp0AZffE3/OjzuLra9JPzdF8hyeultgpozc77H4cTXyH55auHZ6b
rR2eRxwQcgxx0Ee4qwHKxgcYPMD2sz+wD5nE+PpFhs01ijCI7+8wmyPiAJcDzt7lsbZ4um3smGSJ
pcjgqNPJ69StVCr3KYeUowqaAeJlIczDXMrv6U/FJkOJDkEdVB2+/VqHgzo8qcMKHa7XYZoOPxXJ
vQXEH3XYJOInJvYmrHhFB8z4cSLvrxJ5S8TeiYX6pY9FfoRo0+FBHe7S4QaxgTFJh8E65IuNHYT7
RIe3dHhRwGzWYZUO9QJmtECXqoNNlPSiKOY23eyEUSK3lbL5YAL5bd0y5id2jRD5n8Tq21M6PKzD
3WJx7kYdputwjQ6Xi32kiwSwHZmhw98EMS8Lmh8S9KxMkG3BX6JDHx3SdXBicR06fK7DOzr8Todn
dXhEh3tEATeJRdDrxJLeULFR1UMs+J3W4TMd/iIIeiYBT9bo0KLDLB0qdRgrFvkKdMjQwa0DFvCF
KOCQKGCnDr/QzfWwVofFIse1IscQHfqJDRsXcvaUDsd1eFuHV8XS4q912KLDGrG3Y2UYk9g8SxM0
fStoekfQZNXhF6IOi0UdKgT8pTrwDFk60E4djurwnA73CaorkztBlpbUzR/sfErS97iUns9l9ftz
XFCxuyAB5136PDs5sZYkJuXue0PWzlC3jaGKiq6toYjYYLdWti60KZQ4R4zKO0q7h2ToI8EmCe6i
sB1gHwNSAXMswoSbjOUpg3/qrNjsaOye2Ipo7OZ9kAX1T0Id9JOXfrdYuvtUnbz01AZpJr9QMo3s
/FDiK//pZKWZT1JwHtlCqS19c5DZtxAHaDjRu7bYfGnGStnsId9EyeoUMwXN2d12d3GKveDAmdrM
PpLwOxFrWh0HPKWJRa3sx5wwQalRmhXG3UuaJaYaTvco8YIFvq1D+eJhBCrih3els16Yk6P25q/l
hMunTPkQfLHP3v/2UNGzL695um1ddfldLKOjhU3M+OfLr4h35Dy6cvnW7Ay6Y1tib0XsyXjoIrNT
YlQxxd6K04v6C5UXS6ZkZmYWS5K20216fe6dNYUNPjjgg5U+GO2DYh/k+eAtH7zkg+3iZZh9fJDm
A8UHf/zWB0cEnAWxR6Rhwl4faD6460sffOCDN32wzwcI+p4PXhfh3T643wfrfbDMB3N9MMUHE3ww
3AcDfJDjA78PJB98KeCtvI/5YJsPNiTgaxLwA33QMwE/7aQo9iEfbBYULRTEX+qDfj7I8oFbHLH5
wme+Am/74BUfPO2DR3zwCx+s8cFiHzT6oNIHY3wwxAcRH4RQXfdBhw+O++AdH7yagN/ig9UCfoYP
rvXBWFGCxQ+ELznlg8/OzJAkpkFksApAkjJ8wEEtWp7zwU4f3OeDRQJxkgQkmh4SyZi21gctQps2
ExXqtth8hgipnDv3gmP4fPLg/D6v3wM7OenVc+YZ2rnJs5ndVsysFTJr5++sg3Utveb3+W1NYmNu
UMdg+iJcceqa5AIVt8hiv5ffFn5iOeSUOexW10eur1wszdXHNdq10CVlrFclj3s9f9Fjk3+JX0Id
3BVcT3yuxfx/aqUvtoexe/e0N9JcCZW3nhDuCRVdry7gr2st4AZI6Ts4YjsOlHUdqpu3JwfC2YXZ
tCCrLIs+lQlP9YCCUFmIhtMK0+ieVHg4ALc6Nzo/crLrNfiVDUbaFtgO2L6ySb9SYKSyQDmgfKVI
T8iwnR1hHzE2mr5E6fasI1mUv3aFOlJCKZEUpg7SR+j0U+e3TrpM4X40wpQjZ7eBeFtl0rDzEzXx
KoQ81t3E66UkbDsw4abYt+9V/mrCuPS5V0Sfr/sc9NiJvwljL5Sw8WIzY0+ejt30wzuNtRk3Q4Ew
+BQYkjT4+Mamddn/0bu00j30nyRkE//55P73M15I/BcU/oYqdZbC/1edGv+fbyKP+oPYFWRY8p+l
ADnzM0LBKGke4f8z7Hl5ItkmvU8ieG2jD5PLML4er/H8/4nh82oMj+PP4iIkC+MzMFzC/78YHOy8
A39XwEGyBn8nygfJNsS3COE4/Or4sx3z2Pgz/t6LaTUIvwjTqkTZ80QZojz83SaRzpMKL5cf7p9H
SpP0YBxewzFfGs8DK0gd5tmGsJgHy5oo6M/CKxTPcw0vWynFcg5iufM6T3IYThOPU9eQLIQZKXDg
M/Ilm4wlD5EPaRFtoD+jB9hI/K6Xxkr/kH+u/tom2aJapr3A/rD9pOM3zitcY1zP6lP037rLjQzj
DuOAZ6PnuHet95++Bt8Jfy//iJS7U7ekF6avChX18PUY02NV5oGs+Vl3ZL2efWPOtJzPcy/PfaDn
2F7FeX/oXdP75d7H8mvyH+5zS+RQ37J+9/avEC02gr8KWLQXJQYpID9BC/AVaSrG8dQgpCfb9fFk
G/M1yMfjYYp94tl4mOEMuy8elhDm3XhYJk7ySTysEI2cjIdVMpV08JIkDZHWQVU8DMRPD8TDlOj0
z/EwIwPpJ/GwRPysRzwsk1RWGA8rxMtGxcMqOcCuiYdtZIAUjoc1MlgaHw/byTfSqnjYQYrlW+Jh
J2mS2+Jhl3Okkh8P64R4Zw9vmNbQ3HBjbU24prq5Ojy1sWnh3IZp9c3hh8IDCgsLwz+cVlcdHts4
u7F5YVNteFjj3KbGudXNDY2z+4d/OHNmWMDOC8+tnVc7d0FtDY+cUj174cPhhnnh6nDz3Oqa2lnV
c2eEG+sujClcPbsmPKt6YXhKLSKa1jCvuXYu0tMwOzy1dm5zNf5Onz+3YV5Nw1QOPa+/VUT4h2Mn
jK+dNn9m9dwzMfcLdwF0hSbWzp3Hy7q4f2GhFZtM/n9KLBlOGsg0vJrxupHUkhoSxqsan6sxNJU0
kiaykMwVUPUYG8YRFSYDsC/zb5j8EOPrBOxYhJ2NVzPCNyGmMEqsRszZJO7VogQO0V/kmonfcDe8
88RTLf7W4u8CQUkCcgrmnk0WogEdRngOyctrFlhrEHIW/s4lMzCuEWn5z9AUFiXwunNcC/F3ioDm
FE0TZTYLuiz+NIgcU0UM55P1PJ3MF/WZhzANmJrAPQ/r0a0Wgr6xZAIZL3DPxxRO/ffR3O9MPiQx
nC9uoqBqXrJeF2PpvKW6w56T+380Z/9vKfq+HMMF5PWi3Gn4fCVC1okya7+HX/NE7DwRqhWU1gku
Wlh5WVMFdh6ahakzBR9qRG/n/X92vPbNSEuCP7Pw3ixwTcVcM+N5+HichVit2kzBWA57vRi/9aJ9
eA4Ov4P0FbjmizHLRzHPMavbKK8TfOE0TxX8rxW8rhH1ahK9cqHgMB+dzRhzCc5ZBVgW//bH1Gnx
+pzJw/5xGv9zuQpEvllYesFZ/JmbjKkUrcPDN8Sp4/AunF+uwPaaQEaTkXgNQ17w8JUYy9txJN5/
LOJHYMxP8M659SMchSPwO1bETsA4lzj5YcdwfbyFz23HRHy9eGpC2hoFxFwB+18ZK/nxsdmn27hp
iEvH+aJ38TblZSzEHPOTtHDuLeg2jubHOTS3G53WOJsl4C0KOW0z4717dhw7byGrN8wSsc1CCpfH
S6vH9AUCrhHpSIzQRO+9MMfmiRKbsQ9UC+xhvBrilM2N9zoez8e21dPrBFdnJeVaON5b+RiZJsZG
Im9X7z+3lJq4hJkrRst8wYOaJA8bBe0JbiT41MWRqYIPXfyyKOl/3l5ybtld8mGBGJHz8Z4YsdWY
Nk/U4lzcV2PJM0W587q1cxfnrVY5U2ZaksOSRU2Cjw1xufXvtHBYxFSLcELyJcrl80BNXD/g/Ko+
Z97um4Se262XdvH0+/kzMy6Vmkl3GdiFZbZ4akqm8FpZfMgng8Q4uV70jBminbuPpYR866KtEWFn
ixE7X7QEp6A+WWOrzO69PTFjWWO3SxtK9MXz9a7vq3P3njNa8Ofc1k3M5nMwvlZgT8x1Vvmz47Pj
7LNaai45W5tK4OZ1bBR6Rg2x5t0FCFeLVJ2vz1+4jyTwWeO0Nt4ONWeMwAS+c1vb4phVg2YhF5q7
je1EW1WfxeXzj8vvk1QJ/n6f9J0quJyYac+kyaoR70eXdMN2Nc4YP8TnwWQgKUF9rAT1qsH4W4jP
lh4cFiN3DN4H4jcf4/ogTAkpwiuMVzH21lJxdWHl18h4zc+uXXdpnZgJ5gtNY1pcfzpzBDYJmVEd
z71A9MCGuHyZH5eTtVjjcDy+NllLTsV/Zn5OpBWcRfuZczK/fhzXOmbjfYrgsNV354t7bXyMW3W8
QoyjG+Np8+K9rT5OcV1y7ud5fiL6Ma/HfNFT5scpmBufGX4qajwvPtfU/rfUdVyS301C5s8TcqK3
oNvq5bO6SalzR3V1fLTNjM88NWIeTOgAHNN8kduSXt3lXe0Z+S4sPyztnvd1DjEznqOv6DW1GNcQ
j7sxmWOekB7N8TiLV3Pj4/y/k7PVgvKE7lEb1wvDZ/GWz33/iFseFlenilw1cSnSGNdRPhXwDYLC
ed3Su2b/BpFvYbdcNfHeNVXI1K5c84XE63vGyKsVvEq0wlwxe81LzqTheB+uFfPpT+Njk8f99/Cy
Ni51uiRgjRilVm9pOKu3NIveUi3whpN6R0JvaxDpDcn+eS4vquP8aBC1tTh+Jk8au0koy97pHR/r
Vgk34rfx/zlvWHwdtjfZeL7/Um3uqjzWeIwePZYS7PHmH/C26KaU0KKb0sI3bL2B/v51jFhwPd5m
NeFtZiPeZsxOCV05u3J24+yW2dKSGdEZ7TPYjNktc9Ob5/sDPaZNx1tdA95q6/2hrNqW+rX199Uf
qj9arxTWV9Y31T9X314vP1cXbWhvYLX1y+ekp81LuXFYWvZCvCh97Xcs8nw7i7QvZxFzn2orXfsh
7PzwuQ/puheg6b2d79F3nmORvZ3t7MvH7PbSNvbZY60s0sb+Jn462x+PpmaUclfSlJ0YiO6kkZ3L
U7M2b1EiW1rlyIY7eFKG3j93/R1y5I475cidrUpkUyuNNLa2tK5tZTtbgeP+Dwv3383Cv0oR8y++
lNLnnqWR3+C181lo33V4F92FWHcuh8jPlyuRNXitXK1EVuMvJ2FJJCJI6L8kK1y6pIVGbrmZRm5u
USKL8WpBoNvwWoHXMryW4jVuOaxbLgr+1HzEZisNlQRSiwOBQQHvwIC7KOAcENAuDij/X1vXrtMw
DEXtpEALSVwCEYUopWpQqeoKEEggoSuBUjplSUuHmEo8JHaGsMOClIXHH/QXbrYwsbLxCXwCnwA2
dOBl6fr6nHuPLd3Vrw1HX3fImtNYtZqrrMWtNmd131rxWXXZqi0zVp41StMzhrrUrxcmDEI1ddqB
35MR0dQT+xf6SH/RJ/bYCbtiI/bEXtkbe2fFEmO06FLPrEwtmU55wbQL82YbWtCEBqxAHWpQBRcq
4IANDEowCToQiLYo2iEJBwHOUekPA9ziYa7X+rjJQ5yKhnFG6Z2QLGppTskAC2muSWd3joZxThdV
+MZ9JJQSDE9vbkWmkQBpiv5hrNx+L8ZampfJIM40GgghcCeMYpUluIfn6svZa0/gpho8eIKEuNtD
1w/4f+04OU6S5DuTNRtdbHXPsN09PfiRS5PLP/rLLy35HaJcTvvJdWJXKOMcK+jLgkjRWDVe+LNP
spIqUNQPQiz2pUVDXPIleJZgWwLDV5slH75TIDAKZW5kc3RyZWFtCmVuZG9iagoKMjQgMCBvYmoK
MTkxOTMKZW5kb2JqCgoyNSAwIG9iago8PC9UeXBlL0ZvbnREZXNjcmlwdG9yL0ZvbnROYW1lL0JB
QUFBQStBbGJhbnlBTVQKL0ZsYWdzIDQKL0ZvbnRCQm94Wy0yMjIgLTMwNiAxMDcyIDEwMzddL0l0
YWxpY0FuZ2xlIDAKL0FzY2VudCA5MDUKL0Rlc2NlbnQgLTIxMQovQ2FwSGVpZ2h0IDEwMzcKL1N0
ZW1WIDgwCi9Gb250RmlsZTIgMjMgMCBSPj4KZW5kb2JqCgoyNiAwIG9iago8PC9MZW5ndGggNTE1
L0ZpbHRlci9GbGF0ZURlY29kZT4+CnN0cmVhbQp4nF2Uy46bQBBF93wFy8liBP0APJKF5LHHkhd5
KJ58AIa2B2kMCOOF/z5961YSKQtbh6b69qHpItsedoehX7If89gew5Ke+6Gbw228z21IT+HSD4mx
ade3i17Jf3ttpiSLc4+P2xKuh+E8rtdJ9jPeuy3zI33adOMpfEmy73MX5n64pE+/tsd4fbxP02e4
hmFJ86Su0y6cY87XZvrWXEMms54PXbzdL4/nOOVfwftjCqmVa0OVduzCbWraMDfDJSTrPK/T9X5f
J2Ho/rtXrjjldG4/mjmWmlia587Uka2wfwE7cgH2woUHFxwvwaWw3YEr5lTgFdmCX1iTgzfClYy/
Cpey7pYs+TuyrPvG+hV4T0aNyZnvwOqPfEP/cgOmf4UcQ/9yC6a/Q6ahfwEfQ/9CMulfCtO/knz6
e3Ggv4e/UX/siVF/yae/lXXVH5mW/iX22dLfyzj9C6xl6V++gdV/D6a/Faa/R76lfyWZ6o/3YtUf
bpb+Dv6W/k7G1R/vztLfwt+qv2SqP2qc+mPfHP2tjNPfYf+dnh84OPV/Bev5kbnwt7mBv6vIUq/n
B8/o9PzA2dG/gI/T/Zca+hd4147+hYzT38u69Pd4Lk9/D2dP/0JY/ZHj6W/xfr2efyMNpZ2D1kLv
/2nZtL3Pc2xX+UBIn6JD+yH8/YZM44RZ8vsNeOQKfAplbmRzdHJlYW0KZW5kb2JqCgoyNyAwIG9i
ago8PC9UeXBlL0ZvbnQvU3VidHlwZS9UcnVlVHlwZS9CYXNlRm9udC9CQUFBQUErQWxiYW55QU1U
Ci9GaXJzdENoYXIgMAovTGFzdENoYXIgNjgKL1dpZHRoc1s3NTAgNTU2IDI3NyA2NjYgNjEwIDYx
MCAzMzMgNTU2IDU1NiAyNzcgMzMzIDU1NiA1NTYgNTU2IDUwMCAyNzcKNTU2IDU1NiAyMjIgNTU2
IDIyMiA1NTYgNzIyIDY2NiA1MDAgNTU2IDcyMiA2NjYgMjc3IDU1NiAyNzcgNTAwCjIyMiA3MjIg
NjY2IDU1NiA1NTYgMjc3IDU1NiA1MDAgODMzIDUwMCA1NTYgNTU2IDU1NiAzMzMgMzMzIDcyMgo1
NTYgMTkwIDI3NyA4MzMgNTAwIDY2NiAzMzMgMzMzIDU1NiA1NTYgNjY2IDc3NyA3MjIgNTU2IDY2
NiA3MjIKNzc3IDk0MyA1NTYgMjc3IDc3NyBdCi9Gb250RGVzY3JpcHRvciAyNSAwIFIKL1RvVW5p
Y29kZSAyNiAwIFIKPj4KZW5kb2JqCgoyOCAwIG9iago8PC9GMSAyNyAwIFIvRjIgMjIgMCBSCj4+
CmVuZG9iagoKMjkgMCBvYmoKPDwvRm9udCAyOCAwIFIKL1hPYmplY3Q8PC9JbTQgNCAwIFI+Pgov
UHJvY1NldFsvUERGL1RleHQvSW1hZ2VDL0ltYWdlSS9JbWFnZUJdCj4+CmVuZG9iagoKMSAwIG9i
ago8PC9UeXBlL1BhZ2UvUGFyZW50IDE3IDAgUi9SZXNvdXJjZXMgMjkgMCBSL01lZGlhQm94WzAg
MCA3MjAgNTQwXS9Hcm91cDw8L1MvVHJhbnNwYXJlbmN5L0NTL0RldmljZVJHQi9JIHRydWU+Pi9D
b250ZW50cyAyIDAgUj4+CmVuZG9iagoKNSAwIG9iago8PC9UeXBlL1BhZ2UvUGFyZW50IDE3IDAg
Ui9SZXNvdXJjZXMgMjkgMCBSL01lZGlhQm94WzAgMCA3MjAgNTQwXS9Hcm91cDw8L1MvVHJhbnNw
YXJlbmN5L0NTL0RldmljZVJHQi9JIHRydWU+Pi9Db250ZW50cyA2IDAgUj4+CmVuZG9iagoKOCAw
IG9iago8PC9UeXBlL1BhZ2UvUGFyZW50IDE3IDAgUi9SZXNvdXJjZXMgMjkgMCBSL01lZGlhQm94
WzAgMCA3MjAgNTQwXS9Hcm91cDw8L1MvVHJhbnNwYXJlbmN5L0NTL0RldmljZVJHQi9JIHRydWU+
Pi9Db250ZW50cyA5IDAgUj4+CmVuZG9iagoKMTEgMCBvYmoKPDwvVHlwZS9QYWdlL1BhcmVudCAx
NyAwIFIvUmVzb3VyY2VzIDI5IDAgUi9NZWRpYUJveFswIDAgNzIwIDU0MF0vR3JvdXA8PC9TL1Ry
YW5zcGFyZW5jeS9DUy9EZXZpY2VSR0IvSSB0cnVlPj4vQ29udGVudHMgMTIgMCBSPj4KZW5kb2Jq
CgoxNCAwIG9iago8PC9UeXBlL1BhZ2UvUGFyZW50IDE3IDAgUi9SZXNvdXJjZXMgMjkgMCBSL01l
ZGlhQm94WzAgMCA3MjAgNTQwXS9Hcm91cDw8L1MvVHJhbnNwYXJlbmN5L0NTL0RldmljZVJHQi9J
IHRydWU+Pi9Db250ZW50cyAxNSAwIFI+PgplbmRvYmoKCjMwIDAgb2JqCjw8L0NvdW50IDUvRmly
c3QgMzEgMCBSL0xhc3QgMzUgMCBSCj4+CmVuZG9iagoKMzEgMCBvYmoKPDwvQ291bnQgMC9UaXRs
ZTxGRUZGMDA2NTAwNjQwMDc1MDA3MjAwNkYwMDYxMDA2RDAwMjAwMDUzMDA3NDAwNjEwMDcyMDA3
NDAwNzMwMDY1MDA2OTAwNzQwMDY1PgovRGVzdFsxIDAgUi9YWVogMCA1NDAgMF0vUGFyZW50IDMw
IDAgUi9OZXh0IDMyIDAgUj4+CmVuZG9iagoKMzIgMCBvYmoKPDwvQ291bnQgMC9UaXRsZTxGRUZG
MDA1NzAwNjkwMDZDMDA2QzAwNkIwMDZGMDA2RDAwNkQwMDY1MDA2RT4KL0Rlc3RbNSAwIFIvWFla
IDAgNTQwIDBdL1BhcmVudCAzMCAwIFIvUHJldiAzMSAwIFIvTmV4dCAzMyAwIFI+PgplbmRvYmoK
CjMzIDAgb2JqCjw8L0NvdW50IDAvVGl0bGU8RkVGRjAwNTQwMDY1MDA2OTAwNkMwMDZFMDA2NTAw
NjgwMDZEMDA2NTAwNzI+Ci9EZXN0WzggMCBSL1hZWiAwIDU0MCAwXS9QYXJlbnQgMzAgMCBSL1By
ZXYgMzIgMCBSL05leHQgMzQgMCBSPj4KZW5kb2JqCgozNCAwIG9iago8PC9Db3VudCAwL1RpdGxl
PEZFRkYwMDQyMDA2NTAwNzIwMDY1MDA2MzAwNjgwMDc0MDA2OTAwNjcwMDc0MDA2NTAwMjAwMDQ5
MDA2RTAwNzMwMDc0MDA2OTAwNzQwMDc1MDA3NDAwNjkwMDZGMDA2RTAwNjUwMDZFPgovRGVzdFsx
MSAwIFIvWFlaIDAgNTQwIDBdL1BhcmVudCAzMCAwIFIvUHJldiAzMyAwIFIvTmV4dCAzNSAwIFI+
PgplbmRvYmoKCjM1IDAgb2JqCjw8L0NvdW50IDAvVGl0bGU8RkVGRjAwNDUwMDZFMDA2NDAwNjU+
Ci9EZXN0WzE0IDAgUi9YWVogMCA1NDAgMF0vUGFyZW50IDMwIDAgUi9QcmV2IDM0IDAgUj4+CmVu
ZG9iagoKMTcgMCBvYmoKPDwvVHlwZS9QYWdlcwovUmVzb3VyY2VzIDI5IDAgUgovTWVkaWFCb3hb
IDAgMCA1OTUgODQyIF0KL0tpZHNbIDEgMCBSIDUgMCBSIDggMCBSIDExIDAgUiAxNCAwIFIgXQov
Q291bnQgNT4+CmVuZG9iagoKMzYgMCBvYmoKPDwvVHlwZS9DYXRhbG9nL1BhZ2VzIDE3IDAgUgov
T3BlbkFjdGlvblsxIDAgUiAvWFlaIG51bGwgbnVsbCAwXQovT3V0bGluZXMgMzAgMCBSCj4+CmVu
ZG9iagoKMzcgMCBvYmoKPDwvQ3JlYXRvcjxGRUZGMDA0OTAwNkQwMDcwMDA3MjAwNjUwMDczMDA3
Mz4KL1Byb2R1Y2VyPEZFRkYwMDRGMDA3MDAwNjUwMDZFMDA0RjAwNjYwMDY2MDA2OTAwNjMwMDY1
MDAyRTAwNkYwMDcyMDA2NzAwMjAwMDMyMDAyRTAwMzQ+Ci9DcmVhdGlvbkRhdGUoRDoyMDA4MDcz
MDEzMjkyMCswMicwMCcpPj4KZW5kb2JqCgp4cmVmCjAgMzgKMDAwMDAwMDAwMCA2NTUzNSBmIAow
MDAwMDMzNzM4IDAwMDAwIG4gCjAwMDAwMDAwMTkgMDAwMDAgbiAKMDAwMDAwMDQ3NSAwMDAwMCBu
IAowMDAwMDAwNDk1IDAwMDAwIG4gCjAwMDAwMzM4ODIgMDAwMDAgbiAKMDAwMDAwODg1NiAwMDAw
MCBuIAowMDAwMDA5NjEyIDAwMDAwIG4gCjAwMDAwMzQwMjYgMDAwMDAgbiAKMDAwMDAwOTYzMiAw
MDAwMCBuIAowMDAwMDEwNjAzIDAwMDAwIG4gCjAwMDAwMzQxNzAgMDAwMDAgbiAKMDAwMDAxMDYy
NCAwMDAwMCBuIAowMDAwMDExMzI5IDAwMDAwIG4gCjAwMDAwMzQzMTYgMDAwMDAgbiAKMDAwMDAx
MTM1MCAwMDAwMCBuIAowMDAwMDExNzE2IDAwMDAwIG4gCjAwMDAwMzUyODkgMDAwMDAgbiAKMDAw
MDAxMTczNyAwMDAwMCBuIAowMDAwMDEyNDEwIDAwMDAwIG4gCjAwMDAwMTI0MzEgMDAwMDAgbiAK
MDAwMDAxMjYyMiAwMDAwMCBuIAowMDAwMDEyOTIyIDAwMDAwIG4gCjAwMDAwMTMwODcgMDAwMDAg
biAKMDAwMDAzMjM2NyAwMDAwMCBuIAowMDAwMDMyMzkwIDAwMDAwIG4gCjAwMDAwMzI1ODIgMDAw
MDAgbiAKMDAwMDAzMzE2NyAwMDAwMCBuIAowMDAwMDMzNTk2IDAwMDAwIG4gCjAwMDAwMzM2Mzkg
MDAwMDAgbiAKMDAwMDAzNDQ2MiAwMDAwMCBuIAowMDAwMDM0NTE4IDAwMDAwIG4gCjAwMDAwMzQ2
ODMgMDAwMDAgbiAKMDAwMDAzNDgyOCAwMDAwMCBuIAowMDAwMDM0OTczIDAwMDAwIG4gCjAwMDAw
MzUxNzkgMDAwMDAgbiAKMDAwMDAzNTQxNSAwMDAwMCBuIAowMDAwMDM1NTE3IDAwMDAwIG4gCnRy
YWlsZXIKPDwvU2l6ZSAzOC9Sb290IDM2IDAgUgovSW5mbyAzNyAwIFIKL0lEIFsgPDQ1ODI4NkRC
NDczQUNDNjQ0RkQyRjEwMTZFOURBRjkwPgo8NDU4Mjg2REI0NzNBQ0M2NDRGRDJGMTAxNkU5REFG
OTA+IF0KL0RvY0NoZWNrc3VtIC9CNDQ5N0YzMzU3NTUzNzQzNzUyQjBFMDFBQTYyMDExMQo+Pgpz
dGFydHhyZWYKMzU3MDgKJSVFT0YK

--=_4ee9yxyk2800--


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Mon, 28 Jul 2008 15:47:37 +0000
From: "David B. Nelson" <dnelson@elbrysnetworks.com>
To: <radiusext@ops.ietf.org>
Cc: "'Bernard Aboba'" <aboba@internaut.com>
Subject: RE: IETF 72: Request for Slides
Date: Mon, 28 Jul 2008 11:46:42 -0400
Organization: Elbrys Networks, Inc.
Message-ID: <1F16E99510C441E8920124D8713C1392@xpsuperdvd2>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Thread-Index: AcjwyKFHLmwRXFyMRlyMS1nE1RgYLwAACvaw

> If you have slides to present at IETF 72, please send them to me
> (Bernard_Aboba@hotmail.com> ASAP, so we can get them loaded on the 
> server.

Please copy the slides to Dave Nelson, (dnelson@elbrysnetworks.com) as well.
Thanks!

Regards,

Dave



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Mon, 28 Jul 2008 15:40:56 +0000
Date: Mon, 28 Jul 2008 08:40:04 -0700 (PDT)
From: Bernard Aboba <aboba@internaut.com>
To: radiusext@ops.ietf.org
Subject: IETF 72: Request for Slides
Message-ID: <Pine.LNX.4.64.0807280838510.20244@internaut.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

If you have slides to present at IETF 72, please send them to me 
(Bernard_Aboba@hotmail.com> ASAP, so we can get them loaded on the server. 

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Mon, 28 Jul 2008 15:37:15 +0000
Date: Mon, 28 Jul 2008 08:36:18 -0700 (PDT)
From: Bernard Aboba <aboba@internaut.com>
To: radiusext@ops.ietf.org
Subject: REMINDER: RADEXT WG Last call on "Extended RADIUS Attributes"
Message-ID: <Pine.LNX.4.64.0807280832530.20188@internaut.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

This is a reminder of the RADEXT WG Last Call on "Extended 
RADIUS Attributes", prior to requesting that the IESG publish it as a Proposed Standard. 
 
The document is available here:
http://www.ietf.org/internet-drafts/draft-ietf-radext-extended-attributes-04.txt
 
WG Last Call was originally to have completed on July 24, 2008.   
However, due to lack of response to the RADEXT WG last call, 
we will be extending the WG last call to August 10, 2008.  Please 
review the document and post your comments to the RADEXT WG mailing list 
(radiusext@ops.ietf.org) in the format described on the RADEXT WG Issues 
list (http://www.drizzle.com/~aboba/RADEXT/).   
 
If you have read the document and approve of its publication, but have no
comments, please also post this to the list. 

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Mon, 28 Jul 2008 15:33:47 +0000
Date: Mon, 28 Jul 2008 08:32:49 -0700 (PDT)
From: Bernard Aboba <aboba@internaut.com>
To: radiusext@ops.ietf.org
Subject: REMINDER: RADEXT WG Last Call on "Crypto-Agility Requirements for RADIUS"
Message-ID: <Pine.LNX.4.64.0807280832180.20188@internaut.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

This is a reminder of the ongoing RADEXT WG Last Call on "Crypto-Agility 
Requirements for RADIUS" prior to requesting that the IESG publish it as 
an Informational RFC. 
 
The document is available here:
http://www.ietf.org/internet-drafts/draft-ietf-radext-crypto-agility-requirements-00.txt
 
WG Last Call will last until August 10, 2008.   Please review the document 
and post your comments to the RADEXT WG mailing list 
(radiusext@ops.ietf.org) in the format described on the RADEXT WG Issues 
list (http://www.drizzle.com/~aboba/RADEXT/).   
 
If you have read the document and approve of its publication, but have no
comments, please also post this to the list. 

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Mon, 28 Jul 2008 15:33:07 +0000
Date: Mon, 28 Jul 2008 08:31:35 -0700 (PDT)
From: Bernard Aboba <aboba@internaut.com>
To: radiusext@ops.ietf.org
Subject: Take Three: RADEXT WG Agenda at IETF 72
Message-ID: <Pine.LNX.4.64.0807280828350.20144@internaut.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

9:00 - 9:10  Preliminaries
 Blue Sheets
 Note Takers
 Jabber Scribe
 Agenda bashing
 Document Status

Completed WG Last Call (20 minutes)

Extended RADIUS Attributes, Glen Zorn, 10 minutes
http://www.ietf.org/internet-drafts/draft-ietf-radext-extended-attributes-04.txt

RADIUS Design Guidelines, Alan DeKok, 10 minutes
http://www.ietf.org/internet-drafts/draft-ietf-radext-design-04.txt

Transport Documents (40 minutes)

TCP Transport, Alan DeKok, 10 minutes
http://www.ietf.org/internet-drafts/draft-dekok-radext-tcp-transport-00.txt

Status Server, Alan DeKok, 10 minutes
http://www.ietf.org/internet-drafts/draft-ietf-radext-status-server-00.txt

RADIUS over DTLS, Alan DeKok, 10 minutes
http://www.ietf.org/internet-drafts/draft-dekok-radext-dtls-01.txt

RADSEC, Stefan Winter, 10 minutes
http://www.ietf.org/internet-drafts/draft-ietf-radext-radsec-00.txt

RADIUS Cryptoagility (20 minutes)

RADIUS Cryptoagility requirements, David Nelson, 10 minutes
http://www.ietf.org/internet-drafts/draft-ietf-radext-crypto-agility-requirements-00.txt

RADIUS Confidentiality, Glen Zorn, 10 minutes
http://www.ietf.org/internet-drafts/draft-zorn-radius-encattr-11.txt

Additional Documents (30 minutes)

RADIUS Attributes for IEEE 802 Networks, Bernard Aboba, 10 minutes
http://www.ietf.org/internet-drafts/draft-aboba-radext-wlan-08.txt

Problem Statement and Requirements for Diameter/Radius Prefix 
Authorization Application, B. Sarikaya, 10 minutes
http://www.ietf.org/internet-drafts/draft-sarikaya-dimeradext-prefix-auth-ps-00.txt

IPv6 Attributes for DHCP Networks, B. Lourdelet, 10 minutes
http://www.ietf.org/internet-drafts/draft-lourdelet-radext-ipv6-dhcp-00.txt

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Mon, 21 Jul 2008 02:49:55 +0000
Date: Sun, 20 Jul 2008 19:48:39 -0700 (PDT)
From: Bernard Aboba <aboba@internaut.com>
To: radiusext@ops.ietf.org
Subject: Take Two: RADEXT WG Agenda at IETF 72
Message-ID: <Pine.LNX.4.64.0807201947380.12034@internaut.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

9:00 - 9:10  Preliminaries
 Blue Sheets
 Note Takers
 Jabber Scribe
 Agenda bashing
 Document Status

Completed WG Last Call (20 minutes)

Extended RADIUS Attributes, Glen Zorn, 10 minutes
http://www.ietf.org/internet-drafts/draft-ietf-radext-extended-attributes-04.txt

RADIUS Design Guidelines, Alan DeKok, 10 minutes
http://www.ietf.org/internet-drafts/draft-ietf-radext-design-04.txt

Transport Documents (40 minutes)

TCP Transport, Alan DeKok, 10 minutes
http://www.ietf.org/internet-drafts/draft-dekok-radext-tcp-transport-00.txt

Status Server, Alan DeKok, 10 minutes
http://www.ietf.org/internet-drafts/draft-ietf-radext-status-server-00.txt

RADIUS over DTLS, Alan DeKok, 10 minutes
http://www.ietf.org/internet-drafts/draft-dekok-radext-dtls-01.txt

RADSEC, Stefan Winter, 10 minutes
http://www.ietf.org/internet-drafts/draft-ietf-radext-radsec-00.txt

RADIUS Cryptoagility (20 minutes)

RADIUS Cryptoagility requirements, David Nelson, 10 minutes
http://www.ietf.org/internet-drafts/draft-ietf-radext-crypto-agility-requirements-00.txt

RADIUS Confidentiality, Glen Zorn, 10 minutes
http://www.ietf.org/internet-drafts/draft-zorn-radius-encattr-11.txt

Additional Documents (20 minutes)

RADIUS Attributes for IEEE 802 Networks, Bernard Aboba, 10 minutes
http://www.ietf.org/internet-drafts/draft-aboba-radext-wlan-08.txt

IPv6 Attributes for DHCP Networks, B. Lourdelet, 10 minutes
http://www.ietf.org/internet-drafts/draft-lourdelet-radext-ipv6-dhcp-00.txt

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Sun, 20 Jul 2008 19:36:35 +0000
Date: Sun, 20 Jul 2008 12:35:44 -0700 (PDT)
From: Bernard Aboba <aboba@internaut.com>
To: radiusext@ops.ietf.org
Subject: REMINDER: RADEXT WG Last Call on "Crypto-Agility Requirements for RADIUS"
Message-ID: <Pine.LNX.4.64.0807201234310.9235@internaut.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

This is a reminder of the ongoing RADEXT WG Last Call on "Crypto-Agility 
Requirements for RADIUS" prior to requesting that the IESG publish it as 
an Informational RFC. 
 
The document is available here:
http://www.ietf.org/internet-drafts/draft-ietf-radext-crypto-agility-requirements-00.txt
 
WG Last Call will last until August 10, 2008.   Please review the document 
and post your comments to the RADEXT WG mailing list 
(radiusext@ops.ietf.org) in the format described on the RADEXT WG Issues 
list (http://www.drizzle.com/~aboba/RADEXT/).   
 
If you have read the document and approve of its publication, but have no
comments, please also post this to the list. 



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Sun, 20 Jul 2008 19:35:25 +0000
Date: Sun, 20 Jul 2008 12:34:28 -0700 (PDT)
From: Bernard Aboba <aboba@internaut.com>
To: radiusext@ops.ietf.org
Subject: REMINDER: RADEXT WG Last call on "Extended RADIUS Attributes" 
Message-ID: <Pine.LNX.4.64.0807201233330.9235@internaut.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

This is a reminder of the ongoing RADEXT WG Last Call on "Extended RADIUS 
Attributes" prior to requesting that the IESG publish it as a Proposed 
Standard. 
 
The document is available here:
http://www.ietf.org/internet-drafts/draft-ietf-radext-extended-attributes-04.txt
 
WG Last Call will last until July 24, 2008.   Please review the document 
and post your comments to the RADEXT WG mailing list 
(radiusext@ops.ietf.org) in the format described on the RADEXT WG Issues 
list (http://www.drizzle.com/~aboba/RADEXT/).   
 
If you have read the document and approve of its publication, but have no
comments, please also post this to the list. 



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Sun, 20 Jul 2008 19:33:41 +0000
Date: Sun, 20 Jul 2008 12:32:11 -0700 (PDT)
From: Bernard Aboba <aboba@internaut.com>
To: radiusext@ops.ietf.org
Subject: Issue 271:  IETF Last Call Comments on RADIUS GEOPRIV Document
Message-ID: <Pine.LNX.4.64.0807201229520.9158@internaut.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

In order to make forward progress on resolving the RADIUS GEOPRIV IETF 
Last Call comments, I am reposting Glen's original review to the RADEXT WG 
list. 

Suggested text changes to resolve these comments are welcome.  

=======================================================================
Issue 271: Review
Submitter name: Glen Zorn
Submitter email address: gzorn@arubanetworks.com
Date first submitted: April 27, 2008
Reference: http://www.ietf.org/mail-archive/web/ietf/current/msg51649.html
Document: LOCATION-09
Comment type:  Technical
Priority: S
Section:  Various
Rationale/Explanation of issue:

In the description of the Operator-Name Attribute (section 3.1), the
discussion of the encoding of a name in the "REALM" namespace is
incomplete, at best. First, there is no discussion of the steps (if
any) to be taken if the toASCII conversion fails in the case of a realm
name containing non-ASCII characters. In any case, however, it is not
possible to encapsulate a maximum-length FQDN in a RADIUS attribute
because the maximum length of a RADIUS Attribute data payload is 253
octets, while the maximum length of an ASCII FQDN is 255 octets.
Furthermore, due to the addition of the ACE prefix(es) as a result of
the toASCII conversion process, the actual length of a converted realm
name may be considerably less than 253 octets. The conventional way to
deal with type of problem in RADIUS would be to split the offending
string up into multiple attributes; however, the formatting of the
Operator-Name attribute into distinct sub-fields would seem to preclude
the use of that technique. I suggest that (in order of preference)
a) the Operator-Name Attribute be split into separate
Operator-Namespace and Operator-Name Attributes with instructions
included on handling too-long FQDNs
b) the attribute be redefined in terms of the new Extended
RADIUS Attributes
(http://www.ietf.org/internet-drafts/draft-ietf-radext-extended-attribut
es-03.txt)
or at the least
c) text be added noting the actual restrictions on realm name
length

Section 3.3, paragraph 2 doesn't make a lot of sense to me: suggest
rewriting it in less florid if more precise language. For example,
something like this: "In order to enable the on-demand mid-session
location delivery method, the RADIUS server MUST return an instance of
the Requested-Location-Info Attribute with the 'FUTURE_REQUESTS' flag
set and instances of the Basic-Location-Policy-Rules and
Extended-Location-Policy-Rules Attributes in the Access-Accept message
for the session. Upon receipt of a CoA-Request message containing a
Service-Type Attribute with value "Authorize Only" for the same session,
the NAS MUST include location information and echo the previously
received Basic-Location-Policy-Rules and Extended-Location-Policy-Rules
Attributes in the subsequent Access-Request message."

Section 4.2 says:

Length:

>= 21

String:

This field is at least two octets in length, and the format
is shown below. The data type of this field is string.

Suggestion: change "at least two" to "at least 19". Later in the same
section, it says:

Method (variable):

Describes the way that the location information was
determined. The values are registered with the 'method' Tokens
registry by RFC 4119. The data type of this
field is a string.

Does "registered with the 'method' tokens" mean "along with the token
values in the same registry" or something else? I _think_ that what the
authors are trying to say is "This field MUST contain the value of
exactly one IANA-registered 'method' token [RFC4119]." If so, maybe
they should.

Section 4.2.1 says "The location format is based on the encoding format
defined in Section 3.1 of [RFC4776] whereby the first 3 octets (i.e.,
the code for this DHCP option, the length of the DHCP option, and the
'what' element are not included) are not put into the Location field of
the above-described RADIUS Location-Data Attribute." I don't really
understand: does this mean that 'the location format is identical to
that defined in RFC 4776 with the exception that the first three octets
are omitted'? In any case, RFC 4776 say in the last paragraph of
section 1:

The DHCPv4 long-options mechanism described in RFC 3396 [8] MUST be
used if the civic address option exceeds the maximum DHCPv4 option
size of 255 octets.

My comments on are similar to those on the Operator-Name Attribute
above; this case is a little more complicated, due to the use of the
Index field to associate this attribute with the corresponding
Location-Information attribute (there seems to be an implicit assumption
that these always come in pairs).

Section 4.3 says: "Implementations SHOULD treat this attribute as
undistinguished octets." In context, this statement doesn't make sense
in at least two ways. First, I have no idea how any implementation can
treat an entire attribute as undistinguished octets, since at least the
Type and Length fields have to be distinguished. Maybe the authors mean
that the String field of the attribute should be treated in this way,
but that doesn't seem reasonable, either, because that field is itself
formatted into two distinct fields.

Section 4.4 says "The Basic-Location-Policy-Rules Attribute MAY be sent
in an Access-Request, Access-Accept, an Access-Challenge, an
Access-Reject, a Change-of-Authorization and in an Accounting-Request
message." but RFC 2865 says (section 2, paragraph 7) "If any condition
is not met, the RADIUS server sends an "Access-Reject" response
indicating that this user request is invalid. If desired, the server
MAY include a text message in the Access-Reject which MAY be displayed
by the client to the user. No other Attributes (except Proxy-State) are
permitted in an Access-Reject." This being the case, it seems like
there should be an "Updates: 2865" in the first page header of the
draft.

The Location-Capable (section 4.6) attribute can take only a "True"
value (presumably the lack of client ability would be signified by the
absence of the Location-Capable Attribute in the Access-Request). This
puzzles me a bit: isn't it possible that a NAS might be capable of
discovering (& therefore, communicating) one or a few type of location
data and not others? For example, it seems rather likely that a dial-up
NAS might be capable of conveying its own civic location but not the
geospatial location of the remote node. I guess what I'm asking is if
there isn't a need for a little greater granularity here.

The discussion of the Requested-Location-Info Attribute in section 4.7
is remarkably soft and fluffy, attributing such things as "wants" and
"desires" to servers and clients. To the best of my knowledge, software
does not (yet) display needs, let alone desires. This would just be a
little annoying except that the warm fuzziness spills over into the
actual specification of what are presumably requirements. For example:

If the RADIUS server wants to dynamically decide on a per-request
basis to ask for location information from the RADIUS client then the
following cases need to be differentiated. If the RADIUS client and
the RADIUS server have agreed out-of-band to mandate the transfer of
location information for every network access authentication request
then the processing listed below is not applicable.

o If the RADIUS server requires location information for computing
the authorization decision and the RADIUS client does not provide
it with the Access-Request message then the Requested-Location-
Info Attribute is attached to the Access-Challenge with a hint
about what is required. Two cases can be differentiated:

1. If the RADIUS client sends the requested information then the
RADIUS server can process the location-based attributes.

2. If the RADIUS server does not receive the requested
information in response to the Access-Challenge (including the
Requested-Location-Info Attribute) then the RADIUS server may
respond with an Access-Reject message with an Error-Cause
Attribute (including the "Location-Info-Required" value).

In the case of #1, "the RADIUS server can process the location-based
attributes". This seems fairly obvious, but just because it _can_
doesn't mean that it _will_; it might not (presumably based upon its
"desires" ;-). Must the server process the location information? If
so, the document should say so. Similarly in case #2, "the RADIUS
server may respond with an Access-Reject message with an Error-Cause
Attribute (including the "Location-Info-Required" value)." If it "may"
then it may also not; just guessing (since there are supposedly only two
cases and the information is stated to be required in order to process
the authorization request) it seems to me that the authors really mean
"MUST" in both cases but that is not clear at all.

o If the RADIUS server would like location information in the
Accounting-Request message but does not require it for computing
an authorization decision then the Access-Accept message MUST
include a Required-Info Attribute. This is typically the case
when location information is used only for billing. The RADIUS
client SHOULD attach location information, if available, to the
Accounting-Request (unless authorization policies dictate
something different).

Once again the server exhibits desire, but this paragraph begs another
question: if the data referred to by the Requested-Location-Info
Attribute is actually required and the Required-Info Attribute signifies
data that is optional, why are they named the way they are?

Change "8.3. New Registry: Location Capable Attribute" to "8.3. New
Registry: Location-Capable Attribute".

Many references are out of date or incorrect.
Given that Bernard is a co-author, it may be a bit excessive to mention
him (thrice!) in the Acknowledgements section _and_ in the Contributors
section as well ;-).

In section A.1, paragraph 1 change "This section discusses the privacy
implication for making location information available to other
entities." to "This section discusses the privacy implications of making
location information available to other entities."

Last but not least, this draft fairly universally violates several of
the guidelines given in
http://www.ietf.org/internet-drafts/draft-ietf-radext-design-02.txt, in
particular those regarding the use of tags to associate different
attributes (called "Index" in this document) and the creation of
"complex" attributes. I realize that the RADIUS design guidelines
document is just an Internet-Draft, but it is a radext WG document & has
been under construction for some period of time. More important than
the standardization status of the document is the question of whether
the guidelines make sense; if so, then it may not be such a good idea to
so completely ignore them; if not, then maybe radext should rethink this
work item (especially since a co-chair of that WG is also a co-author of
the document under review).

[BA] Can you provide specific instances in which this
document violates "Design Guidelines" (applying the tests in
Appendix A?.

OK. As you noted above, the Design Guidelines say

If the RADIUS Server simply passes the contents of an attribute to
some non-RADIUS portion of the network, then the data is opaque, and
SHOULD be defined to be of type String. A concrete way of judging
this requirement is whether or not the attribute definition in the
RADIUS document contains delineated fields for sub-parts of the data.
If those fields need to be delineated in RADIUS, then the data is not
opaque, and it SHOULD be separated into individual RADIUS attributes.

But section 4.7 of the draft under review says

o If the RADIUS server requires location information for computing
the authorization decision and the RADIUS client does not provide
it with the Access-Request message then the Requested-Location-
Info Attribute is attached to the Access-Challenge with a hint
about what is required. Two cases can be differentiated:

1. If the RADIUS client sends the requested information then the
RADIUS server can process the location-based attributes.

2. If the RADIUS server does not receive the requested
information in response to the Access-Challenge (including the
Requested-Location-Info Attribute) then the RADIUS server may
respond with an Access-Reject message with an Error-Cause
Attribute (including the "Location-Info-Required" value).

The RADIUS server "requires location information for computing the
authorization decision". How can it make a decision based upon data
that it cannot understand? It doesn't have to because "[i]f the RADIUS
client sends the requested information then the RADIUS server can
process the location-based attributes". Of course, "process" can mean
many things and if these attributes are opaque then "process" might mean
just writing the data to a file or forwarding it over some unspecified
interface to another entity. So maybe the RADIUS server is making the
decision based just upon the fact that it received a
Location-Information/Location-Data pair in the new Access-Request (along
with the echoed Attributes). The problem is that the RADIUS server
didn't request just any old location data; it requested a very specific
set of data (in the example later in section 4.7 it is the civic
location of the user). AFAICT, the only way that the RADIUS server can
tell if it has actually received the information it requested is to
examine the Code and Entity sub-fields of the returned
Location-Information Attribute and check that there is an associated
instance of the Location-Data Attribute by matching the Index fields of
the Attributes. Remember that this check for the requested information
takes place before the RADIUS server processes the data; this suggests
to me that these fields "need to be delineated in RADIUS" and therefore
"the data is not opaque, and it SHOULD be separated into individual
RADIUS attributes". Further, section A.2.2 of the Design Guidelines
asks the (how I wish it was a musical ;-) question:

Does the attribute define a complex data type for purposes other than
authentication or security? If so, this data type SHOULD be replaced
with simpler types, as discussed above in Section A.2.1.

Neither the Location-Information nor the Location-Data Attributes seem
to be used for authentication (authorization != authentication) or
security. Section A.1.3 of the same document says (WRT Attributes
encapsulating complex data types):

Does the attribute encapsulate an existing data structure defined
outside of the RADIUS specifications? Can the attribute be treated
as opaque data by RADIUS servers (including proxies?) If both
questions can be answered affirmatively, a complex structure MAY be
used in a RADIUS specification.

The specification of the attribute SHOULD define the encapsulating
attribute to be of type String. The specification SHOULD refer to an
external document defining the structure. The specification SHOULD
NOT define or describe the structure[...]

However, section 4.2 of draft-ietf-geopriv-radius-lo describes the
structure of the Location-Information Attribute in detail; the question
of opacity was dealt with above.

WRT the Index fields of the Location-Information and Location-Data
Attributes, the fact that they are both mandatory and large avoids many
of the drawbacks mentioned WRT tags in the Design Guidelines document,
nevertheless that document does state 'new attributes SHOULD use the
grouping method described in
http://www.ietf.org/internet-drafts/draft-ietf-radext-extended-attributes-03.txt'.

Additional discussion is available here:
http://www.ietf.org/mail-archive/web/ietf/current/msg51657.html
http://www.ietf.org/mail-archive/web/ietf/current/msg51686.html
http://www.ietf.org/mail-archive/web/ietf/current/msg51691.html

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Mon, 14 Jul 2008 15:18:55 +0000
Date: Mon, 14 Jul 2008 08:17:54 -0700 (PDT)
From: Bernard Aboba <aboba@internaut.com>
To: radiusext@ops.ietf.org
Subject: PROTO WRITEUP: RADIUS Authorization for NAS Management
Message-ID: <Pine.LNX.4.64.0807140817180.1581@internaut.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Title:  RADIUS Authorization for NAS Management
I-D:
http://www.ietf.org/internet-drafts/draft-ietf-radext-management-authorization-05.txt
 
Status: Proposed Standard
 
Response to template:
 
1) Have the chairs personally reviewed this version of the ID and do
   they believe this ID is sufficiently baked to forward to the IESG
   for publication?
 
Yes.
 
2) Has the document had adequate review from both key WG members and
   key non-WG members? Do you have any concerns about the depth or
   breadth of the reviews that have been performed?
 
Yes. The ID has had 2 working group last calls.
 
3) Do you have concerns that the document needs more review from a
   particular (broader) perspective (e.g., security, operational
   complexity, someone familiar with AAA, etc.)?
 
No concerns.  The document has been reviewed both by the ISMS WG
as well as by RADEXT WG. 
 
4) Do you have any specific concerns/issues with this document that
   you believe the ADs and/or IESG should be aware of? For example,
   perhaps you are uncomfortable with certain parts of the document,
   or whether there really is a need for it, etc., but at the same
   time these issues have been discussed in the WG and the WG has
   indicated it wishes to advance the document anyway.
 
No.
 
5) How solid is the WG consensus behind this document?  Does it
   represent the strong concurrence of a few individuals, with others
   being silent, or does the WG as a whole understand and agree with
   it?
 
There is solid consensus behind this document.  7 people other 
than the author have commented on various aspects of the 
document. The issues raised, available for inspection at
http://www.drizzle.com/~aboba/RADEXT/, were resolved in the -04
version of the document.
 
6) Has anyone threatened an appeal or otherwise indicated extreme
   discontent?  If so, please summarize what are they upset about.
 
No.
 
7) Have the chairs verified that the document adheres to _all_ of the
   ID nits?  (see http://www.ietf.org/ID-nits.html).
 
Yes. An output of the run on this revision of the ID by the online nits
checker:
 
idnits 2.08.10 
 
tmp/draft-ietf-radext-management-authorization-05.txt:
 
  Checking boilerplate required by RFC 3978 and 3979, updated by RFC 4748:
----------------------------------------------------------------------------
     No issues found here.
  Checking nits according to http://www.ietf.org/ietf/1id-guidelines.txt:
----------------------------------------------------------------------------
     No issues found here.
  Checking nits according to http://www.ietf.org/ID-Checklist.html:
----------------------------------------------------------------------------
     No issues found here.
  Miscellaneous warnings:
----------------------------------------------------------------------------
     No issues found here.
  Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
     (See RFCs 3967 and 4897 for information about using normative 
references
     to lower-maturity documents in RFCs)
 
     No issues found here.
     No nits found.
--------------------------------------------------------------------------------
 
8) Does the document a) split references into normative/informative,
   and b) are there normative references to IDs, where the IDs are not
   also ready for advancement or are otherwise in an unclear state?
   (Note: the RFC editor will not publish an RFC with normative
   references to IDs, it will delay publication until all such IDs are
   also ready for publication as RFCs.)
 
The document splits references into normative and informative ones.
There are no normative references to IDs.
 
9) For Standards Track and BCP documents, the IESG approval
   announcement includes a writeup section with the following
   sections:
 
   - Technical Summary
 
   This document specifies RADIUS attributes for authorization and
   service provisioning of Network Access Server (NAS) management.
   Both local and remote management are supported, with granular access 
   rights and management privileges.  Specific provisions are made for 
   remote management via framed management protocols, and for 
   specification of a protected transport protocol.  
 
    - Working Group Summary
 
    There have been 2 WGLCs on the document.  Much of the discussion on
    the document has centered around the model for provisioning of 
    protected transports, as well as the different remote administration
    mechanisms (secure and insecure) to be supported.  There has also
    been discussion of the relationship between Framed Management 
    (introduced in this draft) and the pseudo-TTY management model 
    supported in RFC 2865.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Mon, 14 Jul 2008 14:46:59 +0000
From: Internet-Drafts@ietf.org
To: i-d-announce@ietf.org
Cc: radiusext@ops.ietf.org
Subject: I-D Action:draft-ietf-radext-management-authorization-05.txt 
Content-Type: Multipart/Mixed; Boundary="NextPart"
Mime-Version: 1.0
Message-Id: <20080714144501.EC7943A6887@core3.amsl.com>
Date: Mon, 14 Jul 2008 07:45:01 -0700 (PDT)

--NextPart

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the RADIUS EXTensions Working Group of the IETF.


	Title           : Remote Authentication Dial-In User Service (RADIUS) Authorization for Network Access Server (NAS) Management
	Author(s)       : D. Nelson, G. Weber
	Filename        : draft-ietf-radext-management-authorization-05.txt
	Pages           : 24
	Date            : 2008-07-14

This document specifies Remote Authentication Dial-In User Service
(RADIUS) attributes for authorizing management access to a Network
Access Server (NAS).  Both local and remote management are supported,
with granular access rights and management privileges.  Specific
provisions are made for remote management via framed management
protocols, and for management access over a secure transport
protocol.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-radext-management-authorization-05.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.

--NextPart
Content-Type: Message/External-body;
	name="draft-ietf-radext-management-authorization-05.txt";
	site="ftp.ietf.org";
	access-type="anon-ftp";
	directory="internet-drafts"

Content-Type: text/plain
Content-ID:     <2008-07-14073713.I-D@ietf.org>

--NextPart--

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Sun, 13 Jul 2008 21:37:44 +0000
Date: Sun, 13 Jul 2008 14:36:09 -0700 (PDT)
From: Bernard Aboba <aboba@internaut.com>
To: radiusext@ops.ietf.org
Subject: Comment on draft-ietf-radext-design-04.txt, Appendix A
Message-ID: <Pine.LNX.4.64.0807131128470.27225@internaut.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

There are a few cases where the text in Appendix A is not backed by 
discussion in the rest of the document, and vice versa.  

A.4

      * Extending the RADIUS packet length limitation past 4096 octets.
        A multi-packet sequence of Access-Request / Access-Challenge
        SHOULD be used instead.  If that is not possible, then a method
        other than RADIUS SHOULD be used to transport the data.

[BA] Generally, the Design Guidelines in Appendix A are supported by text 
elsewhere in the document.  This one has no corresponding discussion, and 
it seems to me that there are enough issues so  that adding a section for 
such a discussion could be beneficial.  For example:

* Discussion of the length restriction.  As far as I can tell, the length 
restriction is mentioned only in RFC 2865 Section 3.  However, there 
is no normative language or even discussion on how receivers behave 
on encountering larger packets.  Based on this, one thing we can say is 
that a sender cannot by default assume that a receiver will be able to 
handle a RADIUS packet longer than 4096 octets.  So my suggestion 
would be to rephrase the first sentence to state that attribute designers 
SHOULD NOT assume that receivers can handle packets larger than 4096 
octets.  In the discussion section, you can then talk about potential 
alternatives for designers. 

* Support for Access-Challenge.  In looking back at the WG discussion on 
attribute length, the most frequently discussed cases where large 
attributes (and hence large packets) might be required are filter rules 
(e.g. NAS-Filter-Rule).  Unfortunately, Section 3 of RFC 4849 does not 
permit this attribute to be placed in an Access-Challenge.  There are 
quite a few other attributes that also do not permit this usage (although 
most are not large enough to be an issue).   Even if this were to be 
fixed, using a multi-packet sequence would imply that RADIUS attributes in 
a subsequent packet would be concatenated to those in a new packet, as 
opposed to replacing them.  So it seems to me that the attribute would 
need to be specially designed for fragmentation across multi-packet 
sequences.  I don't think we can see that even the Extended Attributes are 
designed for such a use. 

Also, as we discussed in the RADIUS location work, not all NASes are going 
to be "Challenge capable" for a access mechanism.  Does this imply wider 
use of the Challenge-Capable Attribute than what is implied in the RADIUS 
location draft? 

Given all of this, it is not clear to me that the suggestion in the rest 
of the paragraph will be workable in all situations.  

My suggestion is to change A.4 to the following:

A.4. Changes to the RADIUS Protocol

   Does the attribute specification change the RADIUS operational model?
   If so, then another mmethod of achieving the design objectives SHOULD 
   be used.  Potential problems include: 

      * Defining new commands in RADIUS using attributes.  
        The addition of new commands to RADIUS should be handled 
        via allocation of a new command Code, not by use of an attribute.  
        This includes new commands created by overloading attributes such 
        as the Service-Type attribute to define new values that modify
        the functionality of Access-Request packets.
      * Using RADIUS as a transport protocol for data unrelated to
        authentication, authorization or accounting.  Using RADIUS
        to transport authentication methods such as EAP is explicitly
        permited, even if those methods require the transport of 
        relatively large amounts of data.  Transport of opaque
        data relating to AAA is also permitted, as discussed in
        Section 2.1.3.  However, if the specification does not
        relate to AAA, then RADIUS SHOULD NOT be used.  
      * Assuming support for packet lengths greater than 4096 octets.
        Attribute designers cannot assume that RADIUS implementations 
        can successfully handle packets larger than 4096 octets.  
        If a specification could lead to a RADIUS packet larger than
        4096 octets, then alternatives described in Section 3.3 
        SHOULD be considered. 
      * Stateless operation.  The RADIUS protocol is stateless, and 
        documents which require stateful protocol behavior without use of  
        the State Attribute need to be redesigned. 
      * Provisioning of service in an Access-Reject.  This is not 
        permitted.  If limited access needs to be provided, then an
        Access-Accept with appropriate authorizations can be used instead.
      * Lack of user authentication or authorization restrictions.  
        In an authorization check, where there is no demonstration of a 
        live user, confidential data cannot be returned.  Where there 
        is a link to a previous user authentication, the State attribute 
        needs to be present. 
      * Lack of per-packet integrity and authentication. 
        It is expected that documents will support per-packet
        integrity and authentication. 
      * Modification of RADIUS packet sequences.  In RADIUS,
        each request is encapsulated in its own packet, and
        elicits a single response, sent to the requester.  Since
        changes to this paradigm are likely to require major modifications
        to RADIUS client and server implementations, they SHOULD be
        avoided if possible. 

For further details, see Section 3.3. 

Also, change Section 3.3 to the following:

3.3.  RADIUS Operational Model

   The RADIUS operational model includes several assumptions:

      * The RADIUS protocol is stateless; 
      * Provisioning of services is not possible within an Access-Reject; 
      * Distinction between authorization checks and user authentication; 
      * Authentication and integrity protection of RADIUS packets; 
      * RADIUS is a Client/Server protocol;
      * Packet length restriction. 

   While RADIUS server implementations may keep state, the RADIUS
   protocol is stateless, although information may be passed from one
   protocol transaction to another via the State Attribute.  As a
   result, documents which require stateful protocol behavior without
   use of the State Attribute are inherently incompatible with RADIUS as
   defined in [RFC2865], and need to be redesigned.  See [RFC5080]
   Section 2.1.1 for a more in-depth discussion of the use of the State
   Attribute.

   As noted in [RFC5080] Section 2.6, the intent of an Access-Reject is
   to deny access to the requested service.  As a result, RADIUS does
   not allow the provisioning of services within an Access-Reject.
   Documents which include provisioning of services within an Access-
   Reject are inherently incompatible with RADIUS, and need to be
   redesigned.

   As noted in [RFC5080] Section 2.1.1, a RADIUS Access-Request may not
   contain user authentication attributes or a State Attribute linking
   the Access-Request to an earlier user authentication.  Such an
   Access-Request, known as an authorization check, provides no
   assurance that it corresponds to a live user.  RADIUS specifications
   defining attributes containing confidential information (such as
   Tunnel-Password) should be careful to prohibit such attributes from
   being returned in response to an authorization check.  Also,
   [RFC5080] Section 2.1.1 notes that authentication mechanisms need to
   tie a sequence of Access-Request/Access-Challenge packets together
   into one authentication session.  A similar need exists when 
   dynamic authorization is used in as noted in [RFC5176] Section 3.3. 
   The State Attribute is RECOMMENDED for this purpose.  

   While [RFC2865] did not require authentication and integrity
   protection of RADIUS Access-Request packets, subsequent
   authentication mechanism specifications such as RADIUS/EAP [RFC3579]
   and Digest Authentication [RFC5090] have mandated authentication and
   integrity protection for certain RADIUS packets.  [RFC5080] Section
   2.1.1 makes this behavior RECOMMENDED for all Access-Request packets,
   including Access-Request packets performing authorization checks.  It
   is expected that specifications for new RADIUS authentication
   mechanisms will continue this practice.

   The RADIUS protocol as defined in [RFC2865] is a request-response
   protocol spoken between RADIUS clients and servers.  A single RADIUS
   Access-Request packet will solicit in response at most a single
   Access-Accept, Access-Reject or Access-Challenge packet, sent to the
   IP address and port of the RADIUS Client that originated the Access-
   Request.  Similarly, a single Change-of-Authorization (CoA)-Request
   packet [RFC5176] will solicit in response at most a single CoA-ACK or
   CoA-NAK packet, sent to the IP address and port of the Dynamic
   Authorization Client (DAC) that originated the CoA-Request.  A single
   Disconnect-Request packet will solicit in response at most a single
   Disconnect-ACK or Disconnect-NAK packet, sent to the IP address and
   port of the Dynamic Authorization Client (DAC) that originated the
   CoA-Request.  Changes to this model are likely to require major
   revisions to existing implementations and so this is NOT RECOMMENDED.

   The Length field in the RADIUS packet header is defined in [RFC2865]
   Section 3.  It is noted there that the maximum length of a RADIUS
   packet is 4096 octets.  As a result, attribute designers SHOULD NOT
   assume that a RADIUS implementation can successfully process 
   RADIUS packets larger than 4096 octets.  If a situation is envisaged
   where it may be necessary to carry authentication, authorization or
   accounting data in a packet larger than 4096 octets, then one of 
   the following approaches is RECOMMENDED: 

     1. Utilization of a sequence of packets.  In the case of RADIUS
        accounting, this would include a sequence of Accounting-Request
        packets.  This is non-trivial since RADIUS accounting clients 
        would need to be modified to split the attribute stream across 
        multiple Accounting-Requests, and billing servers would need to be 
        modified to re-assemble and interpret the attribute stream. 
        For RADIUS authentication, a sequence of Access-Request/
        Access-Challenge packets would be used; for this to be feasible,
        attribute designers need to enable inclusion of
        attributes that can consume considerable space within 
        Access-Challenge packets.  To maintain compatibility with 
        existing NASes,  either the use of Access-Challenge 
        packets needs to be permissible (as with RADIUS/EAP, defined in 
        [RFC3579]), or support for receipt of an Access-Challenge needs to 
        be indicated by the NAS (as in RADIUS Location [RADIUSLOC]). Also, 
        the specification needs to clearly describe how attribute 
        splitting is signalled and how attributes included within
        the sequence are to be interpretted, without requiring
        stateful operation.  Unfortunately, previous specifications
        have not always exhibited the required foresight.  For example, 
        even though very large filter rules are conceivable, the NAS-Filter-Rule
        Attribute defined in [RFC4849] is not permitted in an 
        Access-Challenge packet, nor is a mechanism specified to
        allow a set of NAS-Filter-Rule attributes to be split across
        an Access-Request/Access-Challenge sequence. 

     2. Utilization of names rather than values.  Where an attribute
        relates to a policy that could conceivably be pre-provisioned
        on the NAS, then the name of the pre-provisioned policy can be 
        transmitted in an attribute, rather than the policy itself, 
        which could be quite large.  An example of this is the Filter-Id 
        Attribute defined in [RFC2865] Section 5.11, which enables a set 
        of pre-provisioned filter rules to be referenced by name. 

     3. Utilization of Packetization Layer Path MTU Discovery
        techniques, as specified in [RFC4821].  As a last resort, where
        the above techniques cannot be made to work, it may be possible
        to apply the techniques described in [RFC4821] to discovery of
        of the maximum supported RADIUS packet size on the path between
        a RADIUS client and a home server.  While such an approach 
        can avoid the complexity of utilization of a sequence of 
        packets, dynamic discovery is likely to be time consuming
        and cannot be guaranteed to work with existing RADIUS 
        implementations.  As a result, this technique is not 
        generally applicable. 

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Sat, 12 Jul 2008 03:17:56 +0000
Date: Fri, 11 Jul 2008 20:16:14 -0700 (PDT)
From: Bernard Aboba <aboba@internaut.com>
To: "David B. Nelson" <dnelson@elbrysnetworks.com>
cc: radiusext@ops.ietf.org, 'Bernard Aboba' <bernard_aboba@hotmail.com>
Subject: RE: Question on draft-ietf-radext-management-authorization-04.txt
Message-ID: <Pine.LNX.4.64.0807112013580.16064@internaut.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

> OK, I don't know what typical NAS implementations use for NAS-Port and/or
> NAS-Port-Id for remote connections, e.g. when the NAS-Port-Type is Virtual.
> 
> I could imagine that they might use a number of things.  Remote IP address
> and Remote TCP Port are one possibility.  The file descriptor value for use
> with the open socket might be another.  By definition, the values are
> transient, or if the value is not transient, the status of the particular
> virtual port instance they describe certainly would be.  I suppose that what
> would be important is that the NAS *has* some unique and meaningful values
> for those attributes, valid for the duration of the remote management
> session.

Right.  The issue isn't so much how they fill in the values, but that they 
need to include *some* kind of port and session identification if dynamic 
authorization is to work well.  This might not be obvious to readers.


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Fri, 11 Jul 2008 20:08:12 +0000
From: "David B. Nelson" <dnelson@elbrysnetworks.com>
To: <radiusext@ops.ietf.org>
Cc: "'Bernard Aboba'" <bernard_aboba@hotmail.com>
Subject: RE: Question on draft-ietf-radext-management-authorization-04.txt
Date: Fri, 11 Jul 2008 16:06:53 -0400
Organization: Elbrys Networks, Inc.
Message-ID: <22AA312D3F1E49A480194DE1B7F910C8@xpsuperdvd2>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Thread-Index: AcjjXiqH5jfTd/GPQK+GcWoGUGg+tQAMh87g

> Typically, the way that this kind of problem is solved is via 
> addition of session identification attributes, such as the
> Acct-Session-Id, NAS-Port or NAS-Port-Id.  Is a NAS-Port/
> NAS-Port-Id Attribute likely to be available in the case of 
> a management session (local or remote)?

OK, I don't know what typical NAS implementations use for NAS-Port and/or
NAS-Port-Id for remote connections, e.g. when the NAS-Port-Type is Virtual.

I could imagine that they might use a number of things.  Remote IP address
and Remote TCP Port are one possibility.  The file descriptor value for use
with the open socket might be another.  By definition, the values are
transient, or if the value is not transient, the status of the particular
virtual port instance they describe certainly would be.  I suppose that what
would be important is that the NAS *has* some unique and meaningful values
for those attributes, valid for the duration of the remote management
session.

> If an Acct-Session-Id exists, this is probably the
> cleanest way to solve the problem.

Yes.



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Fri, 11 Jul 2008 19:49:30 +0000
From: "David B. Nelson" <dnelson@elbrysnetworks.com>
Cc: <radiusext@ops.ietf.org>
Subject: RE: Question on draft-ietf-radext-management-authorization-04.txt
Date: Fri, 11 Jul 2008 15:48:16 -0400
Organization: Elbrys Networks, Inc.
Message-ID: <D472E56937E944008468EF97E5FE2893@xpsuperdvd2>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Thread-Index: AcjjjMr07xnyqXAOQOyMsTBQ/R+IOwAAMyqw

> So I think we're talking about trying to dis-ambiguate a situation
> where there is a valid User-Name attribute, but perhaps multiple
> sessions associated with that.  It might be worth quoting some
> text from RFC 5176 regarding the recommended NAS and session 
> identification attributes, since it might not necessarily be 
> obvious that an Access-Request for a management session should
> necessarily have a NAS-Port/NAS-Port-Id + Acct-Session-Id 
> associated with it.

I can remove the Framed-Management-Protocol and
Management-Transport-Protection Attributes from usage as "session
identifiers" for Dynamic Authorization and quote chapter and verse from RFC
5176 as to what SHOULD be used as "session identifiers".

I think that will cover the "80% problem" without introducing too many
opportunities for odd behaviors and wild-card usages.

The only reason that I could see for a NAS to not include the appropriate
session identifier attributes in an Access-Request message would be if the
NAS implementation didn't assign identifiers until it processed the
Access-Accept message, i.e. didn't want to assign IDs to sessions that may
never materialize, or the NAS implementation didn't support RADIUS
accounting, and thus had no notion of session identifiers.

Do we need to add some wiggle room to cover those corner cases?



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Fri, 11 Jul 2008 19:29:43 +0000
Date: Fri, 11 Jul 2008 12:27:54 -0700 (PDT)
From: Bernard Aboba <aboba@internaut.com>
To: "David B. Nelson" <dnelson@elbrysnetworks.com>
cc: radiusext@ops.ietf.org, 'Bernard Aboba' <bernard_aboba@hotmail.com>
Subject: RE: Question on draft-ietf-radext-management-authorization-04.txt
Message-ID: <Pine.LNX.4.64.0807111224280.3167@internaut.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

> I think RFC 5176 already says that.  But then it goes on to provide for
> additional forms of session identifying attributes, for the cases when the
> "SHOULD" doesn't apply.
>
> One of the use cases that motivate some of this behavior is the "privacy
> NAI", i.e. anonymous (external) authentication, in which the RADIUS entities
> don't have the actual user identity.  I think that makes sense for certain
> forms of network access.  I can't imagine a valid use for anonymous
> authentication for the purpose of NAS management, however.  :-)

Right.  So I think we're talking about trying to dis-ambiguate a situation 
where there is a valid User-Name attribute, but perhaps multiple sessions 
associated with that.  It might be worth quoting some text from RFC 5176 
regarding the recommended NAS and session identification attributes, since 
it might not necessarily be obvious that an Access-Request for a 
management session should necessarily have a NAS-Port/NAS-Port-Id + 
Acct-Session-Id associated with it. 

> As an "overlay" to the "SHOULD" in RFC 5176?

Quoting from RFC 5176 would be sufficient. 

> > Assuming we do this, then the remaining use of
> > Framed-Management-Protocol and Management-Transport-Protection in 
> > a CoA-Request would be as a wildcard.  As you say, this kind of
> > use will probably not be mainstream - which raises the question
> > of whether putting it in is worth the interoperability issues it
> > might end up raising.
> 
> Right.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Fri, 11 Jul 2008 16:20:39 +0000
From: "David B. Nelson" <dnelson@elbrysnetworks.com>
To: <radiusext@ops.ietf.org>
Cc: "'Bernard Aboba'" <bernard_aboba@hotmail.com>
Subject: RE: Question on draft-ietf-radext-management-authorization-04.txt
Date: Fri, 11 Jul 2008 12:18:33 -0400
Organization: Elbrys Networks, Inc.
Message-ID: <75F159F3CDB946CA91F48C99323A0FF1@xpsuperdvd2>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Thread-Index: AcjjXiqH5jfTd/GPQK+GcWoGUGg+tQAEga4g

> Another way to solve the problem is to specify that one or more
> of the above session identification attributes SHOULD be present
> in a management Access-Request.

I think RFC 5176 already says that.  But then it goes on to provide for
additional forms of session identifying attributes, for the cases when the
"SHOULD" doesn't apply.

> That way those attributes are likely to be available for session
> identification in the event that dynamic authorization is needed.

Indeed.  We *could* say that if your implementation doesn't follow the
"SHOULD" in RFC 5176 regarding the inclusion of session IDs, and the Dynamic
Authorization Client doesn't have the appropriate session ID attribute(s)
available, you're simply out of luck.

One of the use cases that motivate some of this behavior is the "privacy
NAI", i.e. anonymous (external) authentication, in which the RADIUS entities
don't have the actual user identity.  I think that makes sense for certain
forms of network access.  I can't imagine a valid use for anonymous
authentication for the purpose of NAS management, however.  :-)

> I think it might be worthwhile to add a section on dynamic 
> authorization, clarifying what session identification attributes 
> SHOULD be included in an Access-Request.

As an "overlay" to the "SHOULD" in RFC 5176?

> Assuming we do this, then the remaining use of
> Framed-Management-Protocol and Management-Transport-Protection in 
> a CoA-Request would be as a wildcard.  As you say, this kind of
> use will probably not be mainstream - which raises the question
> of whether putting it in is worth the interoperability issues it
> might end up raising.

Right.



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Fri, 11 Jul 2008 14:20:57 +0000
Message-ID: <48776BFD.1030409@deployingradius.com>
Date: Fri, 11 Jul 2008 16:19:41 +0200
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.14 (X11/20080502)
MIME-Version: 1.0
To: Bernard Aboba <aboba@internaut.com>
CC: "David B. Nelson" <d.b.nelson@comcast.net>, radiusext@ops.ietf.org
Subject: Re: REMINDER: RADEXT WG Last Call on Design Guidelines Document
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

Bernard Aboba wrote:
> Ugh.  I wonder how the RADSEC proxy would function when receiving packets 
> from an implementation like that.

  If both IP's are listed as clients, then all the packets get processed.

> RFC 5080 does suggest that NAS-Identifier be used to avoid 
> multi-homing confusion, at least within the RADIUS packet itself.  
> Using different source addresses does seem "novel" - and quite 
> likely to confuse.  One can imagine quite bizarre scenarios for an interop 
> torture test - like having a NAS sending RADIUS/EAP packets within the 
> same session from different IP addresses.  The RFC 5080 algorithm in 
> Section 2.1.2 references "source IP", so it would be confused by this, 
> wouldn't it? 

  Yes.  Luckily so far, devices do this only for accounting packets.

  Anyone crazy enough to do this for EAP will quickly discover that it
Just Doesn't Work.  They'll then fix their implementation.

  For accounting packets, it's harder to claim that this behavior
violates the spec.

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Fri, 11 Jul 2008 14:02:40 +0000
Date: Fri, 11 Jul 2008 07:01:44 -0700 (PDT)
From: Bernard Aboba <aboba@internaut.com>
To: "David B. Nelson" <d.b.nelson@comcast.net>
cc: radiusext@ops.ietf.org, 'Alan DeKok' <aland@deployingradius.com>
Subject: RE: REMINDER: RADEXT WG Last Call on Design Guidelines Document
Message-ID: <Pine.LNX.4.64.0807110653300.501@internaut.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

> >   e.g. I just ran into devices with multiple interfaces that send
> > Accounting-Requests from IP (1) for Start/Stop, and from IP (2) for
> > Interim-Updates.
> > 
> >   Since this isn't forbidden by the specs, they have no interest in
> > fixing it.  It's everyone *else* that has to butcher their systems in
> > order to deal with such nonsense.

Ugh.  I wonder how the RADSEC proxy would function when receiving packets 
from an implementation like that.

RFC 5080 does suggest that NAS-Identifier be used to avoid 
multi-homing confusion, at least within the RADIUS packet itself.  
Using different source addresses does seem "novel" - and quite 
likely to confuse.  One can imagine quite bizarre scenarios for an interop 
torture test - like having a NAS sending RADIUS/EAP packets within the 
same session from different IP addresses.  The RFC 5080 algorithm in 
Section 2.1.2 references "source IP", so it would be confused by this, 
wouldn't it? 

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Fri, 11 Jul 2008 13:54:19 +0000
Date: Fri, 11 Jul 2008 06:52:54 -0700 (PDT)
From: Bernard Aboba <aboba@internaut.com>
To: "David B. Nelson" <d.b.nelson@comcast.net>
cc: radiusext@ops.ietf.org, 'Bernard Aboba' <bernard_aboba@hotmail.com>
Subject: RE: Question on draft-ietf-radext-management-authorization-04.txt
Message-ID: <Pine.LNX.4.64.0807110635470.501@internaut.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

> For example suppose there are three sessions with a User-Name of "dave", one
> with a Service-Type of "NAS-Prompt", and two with a Service-Type of
> "Framed-Management".  Of the latter two, one has a
> Framed-Management-Protocol of "Web-based" and the other has a
> Framed-Management-Protocol of "SNMP".  If you want to affect the web
> session, you need to "address" the session either by an available session ID
> attribute, which is preferable in my opinion, or by the value of
> Framed-Management-Protocol, if the session ID information is not available.

Typically, the way that this kind of problem is solved is via addition of 
session identification attributes, such as the Acct-Session-Id, NAS-Port 
or NAS-Port-Id.  Is a NAS-Port/NAS-Port-Id Attribute likely to be 
available in the case of a management session (local or remote)?  This is 
not clear to me. If an Acct-Session-Id exists, this is probably the 
cleanest way to solve the problem.  

> >    In this case, if it is desired to identify a single session,
> >    session identification MAY be performed by using one or more of the
> >    Framed-IP-Address, Framed-IPv6-Prefix/Framed-Interface-Id, Called-
> >    Station-Id, Calling-Station-Id, NAS-Port, and NAS-Port-Id attributes.
> 
> It is in the sprit of this last paragraph that I proposed that some of the
> management provisioning attributes, specifically Framed-Management-Protocol
> and Management-Transport-Protection *could* be used to further identify one
> session from another.  Unfortunately, that usage also allows any of these
> "provisioning" attributes to be use alone (or in combination with others) to
> form all sorts of interesting (maybe not useful) wild-card matches.

Another way to solve the problem is to specify that one or more of the 
above session identification attributes SHOULD be present in a management 
Access-Request.  That way those attributes are likely to be available for 
session identification in the event that dynamic authorization is needed. 

> We can eliminate Framed-Management-Protocol and
> Management-Transport-Protection from such usage in this document.  We can't
> go back and clarify the "murkiness" that exists in RFC 5176 about using this
> sort of wild-card matching when selecting one or more sessions for action.

I think it might be worthwhile to add a section on dynamic authorization, 
clarifying what session identification attributes SHOULD be included in an 
Access-Request.  Assuming we do this, then the remaining use of 
Framed-Management-Protocol and Management-Transport-Protection in a 
CoA-Request would be as a wildcard.  As you say, this kind of use will 
probably not be mainstream - which raises the question of whether putting 
it in is worth the interoperability issues it might end up raising. 

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Fri, 11 Jul 2008 12:37:09 +0000
From: "David B. Nelson" <d.b.nelson@comcast.net>
To: <radiusext@ops.ietf.org>
Cc: "'Alan DeKok'" <aland@deployingradius.com>
Subject: RE: REMINDER: RADEXT WG Last Call on Design Guidelines Document
Date: Fri, 11 Jul 2008 08:36:37 -0400
Message-ID: <01e201c8e352$c33df4a0$6401a8c0@NEWTON603>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Thread-Index: AcjjOT07EPspkJfYT/+SqsH4378cdAAGNk2Q

>   Leaving it open ended might not be catastrophic.  The rest of RADIUS
> is open ended.

It might not be catastrophic.  OTOH, just because there are so many "issues"
that arise because RADIUS is so open-ended, the engineer in me wants to
"fix" some of that, at least in any new features we introduce.

>   e.g. I just ran into devices with multiple interfaces that send
> Accounting-Requests from IP (1) for Start/Stop, and from IP (2) for
> Interim-Updates.
> 
>   Since this isn't forbidden by the specs, they have no interest in
> fixing it.  It's everyone *else* that has to butcher their systems in
> order to deal with such nonsense.

Yeah, well that's the kind of thing that motivates me to craft tighter
specifications for new features we're adding to RADIUS.  We can't fix the
past, but we don't need to add fuel to the fire, either.


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Fri, 11 Jul 2008 12:29:47 +0000
From: "David B. Nelson" <d.b.nelson@comcast.net>
To: <radiusext@ops.ietf.org>
Cc: "'Bernard Aboba'" <bernard_aboba@hotmail.com>
Subject: RE: Question on draft-ietf-radext-management-authorization-04.txt
Date: Fri, 11 Jul 2008 08:28:34 -0400
Message-ID: <01d801c8e351$a301a7f0$6401a8c0@NEWTON603>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Thread-Index: AcjjIXlij6BNrX8KS+6Zf5IZglX3NwAK3Kag

> [BA] Using the Framed-Management-Protocol and
> Management-Transport-Protection attributes for session identification
> would seem to imply the need to change the Management-Policy-Id and
> Management-Privilege-Level attributes based on values of those
> attributes, affecting multiple sessions.  The text does not talk about
> when this might be used, so wanted to make sure we understand what the
> potential uses are.

I did send the proposed table of attributes text in an e-mail to the list,
soliciting WG feedback, *before* I submitted -04.  However...   We're
getting that feedback now.

> Some possibilities that come to mind:
> 
> 1. Change the Management-Policy-Id of all sessions with
> Framed-Management-Protocol equal to a particular value.
> 
> A potential example might involve configuration of a new Management policy
> for web-based management; a CoA-Request might be used to cause this to be
> activated for all web-based management sessions currently active on a
> particular NAS.

I suppose.

The whole issue of using RADIUS attributes, other than the User-Name or one
of the session ID attributes, to identify one or more sessions seems pretty
murky to me.  I can see some scenarios where adding some "provisioning"
attributes into a request as further specification makes sense, however.
For example suppose there are three sessions with a User-Name of "dave", one
with a Service-Type of "NAS-Prompt", and two with a Service-Type of
"Framed-Management".  Of the latter two, one has a
Framed-Management-Protocol of "Web-based" and the other has a
Framed-Management-Protocol of "SNMP".  If you want to affect the web
session, you need to "address" the session either by an available session ID
attribute, which is preferable in my opinion, or by the value of
Framed-Management-Protocol, if the session ID information is not available.

> 2. Change the Mangement-Privilege-Level of all sessions with
> Management-Transport-Protection equal to a particular value.
> 
> A potential example might involve discovery of a vulnerability in a
> particular Management transport (e.g. the GNU TLS vulnerability discovered
> recently).  To avoid the potential for compromise, dynamic authorization
> might be used to lower the privileges of all sessions using that
> protection mechanism, at least until a patch becomes available.
> 
> Do people think that these examples make sense?

I think they make sense.  Whether they are within the bounds of "the 80%
problem" is another matter.

> Typically, dynamic authorization has been used to affect particular
> sessions, but the changes in [RFC5176] now make it possible to affect
> several sessions at once, using identification attributes, so discussions
> like this are likely to become more common.

Yes.  I've already indicated, above, that I think this extra flexibility can
be "murky" in its potential applications.

> Here is what RFC 5176 Section 3 says about NAS and session
> identificaiton attributes:
> 
>    In Disconnect-Request and CoA-Request packets, certain attributes are
>    used to uniquely identify the NAS as well as user session(s) on the
>    NAS.  The combination of NAS and session identification attributes
>    included in a CoA-Request or Disconnect-Request packet MUST match at
>    least one session in order for a Request to be successful; otherwise
>    a Disconnect-NAK or CoA-NAK MUST be sent.  If all NAS identification
>    attributes match, and more than one session matches all of the
>    session identification attributes, then a CoA-Request or Disconnect-
>    Request MUST apply to all matching sessions.
> 
>    . . .
> 
>    To address security concerns described in Section 6.1, either the
>    User-Name or Chargeable-User-Identity attribute SHOULD be present in
>    Disconnect-Request and CoA-Request packets.
> 
>    . . .
> 
>    A NAS implementing this specification SHOULD send an Acct-Session-Id
>    or Acct-Multi-Session-Id Attribute within an Access-Request.  Where
>    an Acct-Session-Id or Acct-Multi-Session-Id Attribute is not included
>    within an Access-Request, the Dynamic Authorization Client will not
>    know the Acct-Session-Id or Acct-Multi-Session-Id of the session it
>    is attempting to target, unless it also has access to the accounting
>    data for that session.
> 
>    Where an Acct-Session-Id or Acct-Multi-Session-Id Attribute is not
>    present in a CoA-Request or Disconnect-Request, it is possible that
>    the User-Name or Chargeable-User-Identity attributes will not be
>    sufficient to uniquely identify a single session (e.g., if the same
>    user has multiple sessions on the NAS, or if the privacy NAI is
>    used).  In this case, if it is desired to identify a single session,
>    session identification MAY be performed by using one or more of the
>    Framed-IP-Address, Framed-IPv6-Prefix/Framed-Interface-Id, Called-
>    Station-Id, Calling-Station-Id, NAS-Port, and NAS-Port-Id attributes.

It is in the sprit of this last paragraph that I proposed that some of the
management provisioning attributes, specifically Framed-Management-Protocol
and Management-Transport-Protection *could* be used to further identify one
session from another.  Unfortunately, that usage also allows any of these
"provisioning" attributes to be use alone (or in combination with others) to
form all sorts of interesting (maybe not useful) wild-card matches.

We can eliminate Framed-Management-Protocol and
Management-Transport-Protection from such usage in this document.  We can't
go back and clarify the "murkiness" that exists in RFC 5176 about using this
sort of wild-card matching when selecting one or more sessions for action.



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Fri, 11 Jul 2008 09:30:34 +0000
Message-ID: <487727BD.4030105@deployingradius.com>
Date: Fri, 11 Jul 2008 11:28:29 +0200
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.14 (X11/20080502)
MIME-Version: 1.0
To: "David B. Nelson" <dnelson@elbrysnetworks.com>
CC: radiusext@ops.ietf.org
Subject: Re: REMINDER: RADEXT WG Last Call on Design Guidelines Document
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

David B. Nelson wrote:
> OK, so that's not a viable simplification.  I'm still fishing for a
> definition of "security functionality", as used in this context, that's less
> open-ended than the plain meaning as found in the dictionary.

  Leaving it open ended might not be catastrophic.  The rest of RADIUS
is open ended.

  e.g. I just ran into devices with multiple interfaces that send
Accounting-Requests from IP (1) for Start/Stop, and from IP (2) for
Interim-Updates.

  Since this isn't forbidden by the specs, they have no interest in
fixing it.  It's everyone *else* that has to butcher their systems in
order to deal with such nonsense.

>>   If SDOs need functionality that is useful to *everyone*, they can
>> request standard space allocation.  If SDOs are defining their own
>> specifications, they do not need standard space allocation.
> 
> How, exactly, do we define "everyone"?

  "The wider Internet community".

>> I'm not sure many SDOs would agree to cede change control over
>> their allocations to IANA.  I'm not sure that IANA wants that work,
>> either.
> 
> Isn't IANA funded to allocate code points to anyone who presents a valid
> request, even individuals?

  Yes.. but change control?  I don't think any SDO forum would be
willing to go through IANA for SDO specific attribute allocation.

> To some extent, I think this is a matter of nomenclature.  If we say that
> the RADIUS code space is divided between "standard" space and "Vendor
> Specific" space, we effectively lump SDO uses, would could be very broadly
> adopted, with proprietary vendor uses, which could have minimal, if any,
> deployment.

  Yes.  That's the reality, unfortunately.

>  That's why I've been touting the term SDO Specific Attribute.
> True, it uses the Vendor Specific Attribute format (and top-level ID), but
> it allows for a distinction between proprietary vendor uses and standardized
> uses.  The distinction between "IETF standard" space and "other SDO
> standard" space then becomes merely a matter of which registry is used, and
> not a matter of "standard" vs. "non-standard".

  The document already refers to SSA's.  I think that's good enough.

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Fri, 11 Jul 2008 06:39:32 +0000
Date: Thu, 10 Jul 2008 23:38:09 -0700 (PDT)
From: Bernard Aboba <aboba@internaut.com>
To: radiusext@ops.ietf.org
Subject: Question on draft-ietf-radext-management-authorization-04.txt
Message-ID: <Pine.LNX.4.64.0807102313240.30663@internaut.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

8. Table of Attributes

   Change-of-Authorization Messages
   Request  ACK   NAK   #     Attribute
   --------------------------------------------------------------------
   0-1     0     0   TBA-2   Framed-Management-Protocol (Note 1)
   0-1     0     0   TBA-3   Management-Transport-Protection (Note 1)
   0-1     0     0   TBA-4   Management-Policy-Id (Note 2)
   0-1     0     0   TBA-5   Management-Privilege-Level (Note 2)


  Disconnect Messages
  Request  ACK   NAK   #     Attribute
  ----------------------------------------------------------------------
  0-1      0     0   TBA-2   Framed-Management-Protocol (Note 1)
  0-1      0     0   TBA-3   Management-Transport-Protection (Note 1)
  0        0     0   TBA-4   Management-Policy-Id
  0        0     0   TBA-5   Management-Privilege-Level
 
    (Note 1) Where NAS or session identification attributes are included
    in Disconnect-Request or CoA-Request packets, they are used for
    identification purposes only.  These attributes MUST NOT be used for
    purposes other than identification (e.g., within CoA-Request packets
    to request authorization changes).

[BA] Using the Framed-Management-Protocol and 
Management-Transport-Protection attributes for session identification 
would seem to imply the need to change the Management-Policy-Id and 
Management-Privilege-Level attributes based on values of those 
attributes, affecting multiple sessions.  The text does not talk about 
when this might be used, so wanted to make sure we understand what the 
potential uses are. 

Some possibilities that come to mind: 

1. Change the Management-Policy-Id of all sessions with 
Framed-Management-Protocol equal to a particular value. 

A potential example might involve configuration of a new Management policy 
for web-based management; a CoA-Request might be used to cause this to be 
activated for all web-based management sessions currently active on a 
particular NAS. 

2. Change the Mangement-Privilege-Level of all sessions with 
Management-Transport-Protection equal to a particular value. 

A potential example might involve discovery of a vulnerability in a 
particular Management transport (e.g. the GNU TLS vulnerability discovered 
recently).  To avoid the potential for compromise, dynamic authorization 
might be used to lower the privileges of all sessions using that 
protection mechanism, at least until a patch becomes available. 

Do people think that these examples make sense? 

Typically, dynamic authorization has been used to affect particular 
sessions, but the changes in [RFC5176] now make it possible to affect 
several sessions at once, using identification attributes, so discussions 
like this are likely to become more common. 

Here is what RFC 5176 Section 3 says about NAS and session 
identificaiton attributes:

   In Disconnect-Request and CoA-Request packets, certain attributes are
   used to uniquely identify the NAS as well as user session(s) on the
   NAS.  The combination of NAS and session identification attributes
   included in a CoA-Request or Disconnect-Request packet MUST match at
   least one session in order for a Request to be successful; otherwise
   a Disconnect-NAK or CoA-NAK MUST be sent.  If all NAS identification
   attributes match, and more than one session matches all of the
   session identification attributes, then a CoA-Request or Disconnect-
   Request MUST apply to all matching sessions.

   . . .

   To address security concerns described in Section 6.1, either the
   User-Name or Chargeable-User-Identity attribute SHOULD be present in
   Disconnect-Request and CoA-Request packets.

   . . .

   A NAS implementing this specification SHOULD send an Acct-Session-Id
   or Acct-Multi-Session-Id Attribute within an Access-Request.  Where
   an Acct-Session-Id or Acct-Multi-Session-Id Attribute is not included
   within an Access-Request, the Dynamic Authorization Client will not
   know the Acct-Session-Id or Acct-Multi-Session-Id of the session it
   is attempting to target, unless it also has access to the accounting
   data for that session.

   Where an Acct-Session-Id or Acct-Multi-Session-Id Attribute is not
   present in a CoA-Request or Disconnect-Request, it is possible that
   the User-Name or Chargeable-User-Identity attributes will not be
   sufficient to uniquely identify a single session (e.g., if the same
   user has multiple sessions on the NAS, or if the privacy NAI is
   used).  In this case, if it is desired to identify a single session,
   session identification MAY be performed by using one or more of the
   Framed-IP-Address, Framed-IPv6-Prefix/Framed-Interface-Id, Called-
   Station-Id, Calling-Station-Id, NAS-Port, and NAS-Port-Id attributes.






--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Fri, 11 Jul 2008 05:28:21 +0000
Date: Thu, 10 Jul 2008 22:26:30 -0700 (PDT)
From: Bernard Aboba <aboba@internaut.com>
To: radiusext@ops.ietf.org
Subject: Conclusion of RADEXT WG last call on "RADIUS Design Guidelines"
Message-ID: <Pine.LNX.4.64.0807102226080.30058@internaut.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

The RADEXT WG last call on "RADIUS Design Guidelines" has 
completed.  Comments were received, corresponding to Issues 260-269 in 
the Issues Tracker.  Of the issues, 5 were technical, and 5 were 
editorial.

To view the discussion relating to these issues, click on the following 
link:
http://ops.ietf.org/lists/radiusext/2008/threads.html

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Fri, 11 Jul 2008 03:17:26 +0000
From: Internet-Drafts@ietf.org
To: i-d-announce@ietf.org
Cc: radiusext@ops.ietf.org
Subject: I-D Action:draft-ietf-radext-management-authorization-04.txt 
Content-Type: Multipart/Mixed; Boundary="NextPart"
Mime-Version: 1.0
Message-Id: <20080711031501.BE6543A6ACF@core3.amsl.com>
Date: Thu, 10 Jul 2008 20:15:01 -0700 (PDT)

--NextPart

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the RADIUS EXTensions Working Group of the IETF.


	Title           : Remote Authentication Dial-In User Service (RADIUS) Authorization for Network Access Server (NAS) Management
	Author(s)       : D. Nelson, G. Weber
	Filename        : draft-ietf-radext-management-authorization-04.txt
	Pages           : 23
	Date            : 2008-07-10

This document specifies Remote Authentication Dial-In User Service
(RADIUS) attributes for authorizing management access to a Network
Access Server (NAS).  Both local and remote management are supported,
with granular access rights and management privileges.  Specific
provisions are made for remote management via framed management
protocols, and for management access over a secure transport
protocol.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-radext-management-authorization-04.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.

--NextPart
Content-Type: Message/External-body;
	name="draft-ietf-radext-management-authorization-04.txt";
	site="ftp.ietf.org";
	access-type="anon-ftp";
	directory="internet-drafts"

Content-Type: text/plain
Content-ID:     <2008-07-10200317.I-D@ietf.org>

--NextPart--

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Thu, 10 Jul 2008 19:46:42 +0000
Date: Thu, 10 Jul 2008 12:45:44 -0700 (PDT)
From: Bernard Aboba <aboba@internaut.com>
To: radiusext@ops.ietf.org
Subject: RADEXT WG Last Call on "Crypto-Agility Requirements for RADIUS"
Message-ID: <Pine.LNX.4.64.0807101243040.16814@internaut.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

This is an announcement of RADEXT WG Last Call on "Crypto-Agility 
Requirements for RADIUS" prior to requesting that the IESG publish it as 
an Informational RFC. 
 
The document is available here:
http://www.ietf.org/internet-drafts/draft-ietf-radext-crypto-agility-requirements-00.txt
 
WG Last Call will last until August 10, 2008.   Please review the document 
and post your comments to the RADEXT WG mailing list 
(radiusext@ops.ietf.org) in the format described on the RADEXT WG Issues 
list (http://www.drizzle.com/~aboba/RADEXT/).   
 
If you have read the document and approve of its publication, but have no
comments, please also post this to the list. 



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Thu, 10 Jul 2008 19:25:18 +0000
Date: Thu, 10 Jul 2008 12:24:27 -0700 (PDT)
From: Bernard Aboba <aboba@internaut.com>
To: radiusext@ops.ietf.org
Subject: RADEXT WG Last Call on Extended RADIUS Attributes
Message-ID: <Pine.LNX.4.64.0807101221560.16659@internaut.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

This is an announcement of RADEXT WG Last Call on "Extended RADIUS 
Attributes" prior to requesting that the IESG publish it as a Proposed 
Standard. 
 
The document is available here:
http://www.ietf.org/internet-drafts/draft-ietf-radext-extended-attributes-04.txt
 
WG Last Call will last until July 24, 2008.   Please review the document 
and post your comments to the RADEXT WG mailing list 
(radiusext@ops.ietf.org) in the format described on the RADEXT WG Issues 
list (http://www.drizzle.com/~aboba/RADEXT/).   
 
If you have read the document and approve of its publication, but have no
comments, please also post this to the list. 



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Thu, 10 Jul 2008 19:21:16 +0000
Date: Thu, 10 Jul 2008 12:19:20 -0700 (PDT)
From: Bernard Aboba <aboba@internaut.com>
To: radiusext@ops.ietf.org
Subject: Take one: RADEXT WG Agenda at IETF 72
Message-ID: <Pine.LNX.4.64.0807101201300.16497@internaut.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

9:00 - 9:10  Preliminaries
 Blue Sheets
 Note Takers
 Jabber Scribe
 Agenda bashing
 Document Status

Completed WG Last Call (30 minutes)

NAS Management Authorization, David Nelson, 10 minutes
http://www.ietf.org/internet-drafts/draft-ietf-radext-management-authorization-04.txt

Extended RADIUS Attributes, Glen Zorn, 10 minutes
http://www.ietf.org/internet-drafts/draft-ietf-radext-extended-attributes-04.txt

RADIUS Design Guidelines, Alan DeKok, 10 minutes
http://www.ietf.org/internet-drafts/draft-ietf-radext-design-05.txt

Transport Documents (40 minutes)

TCP Transport, Alan DeKok, 10 minutes
http://www.ietf.org/internet-drafts/draft-dekok-radext-tcp-transport-00.txt

Status Server, Alan DeKok, 10 minutes
http://www.ietf.org/internet-drafts/draft-ietf-radext-status-server-00.txt

RADIUS over DTLS, Alan DeKok, 10 minutes
http://www.ietf.org/internet-drafts/draft-dekok-radext-dtls-01.txt

RADSEC, Stefan Winter, 10 minutes
http://www.ietf.org/internet-drafts/draft-ietf-radext-radsec-00.txt

RADIUS Cryptoagility (30 minutes)

RADIUS Cryptoagility requirements, David Nelson, 10 minutes
http://www.ietf.org/internet-drafts/draft-ietf-radext-crypto-agility-requirements-00.txt

RADIUS Cryptoagility, Glen Zorn, 10 minutes
http://www.ietf.org/internet-drafts/draft-zorn-radius-keywrap-13.txt

RADIUS Confidentiality, Glen Zorn, 10 minutes
http://www.ietf.org/internet-drafts/draft-zorn-radius-encattr-10.txt

Additional Documents (20 minutes)

RADIUS Attributes for IEEE 802 Networks, Bernard Aboba, 10 minutes
http://www.ietf.org/internet-drafts/draft-aboba-radext-wlan-08.txt

IPv6 Attributes for DHCP Networks, B. Lourdelet, 10 minutes
http://www.ietf.org/internet-drafts/draft-lourdelet-radext-ipv6-dhcp-00.txt

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Thu, 10 Jul 2008 12:46:46 +0000
From: "David B. Nelson" <d.b.nelson@comcast.net>
To: <radiusext@ops.ietf.org>
Subject: RE: Additional comments on draft-ietf-radext-management-authorization-03.txt
Date: Thu, 10 Jul 2008 08:45:38 -0400
Message-ID: <015201c8e28a$db2b2060$041716ac@NEWTON603>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
thread-index: AcjWDNpFBM9lW8yqTripxrKpZlc0EgKUz0eAAGXOpmAAJHlq4A==

More follow up:

I could also envision permitting Framed-Management-Protocol and
Management-Transport-Protection as session identification attributes is a
CoA-Request, similar to their usage in a Disconnect-Request message.

> Add the following text to Section 12 (as currently numbered):
> 
> Change-of-Authorization Messages
> 
>    Request   ACK   NAK    #     Attribute
> 
>       0       0     0   TBA-2   Framed-Management-Protocol
>       0       0     0   TBA-3   Management-Transport-Protection
>       0-1     0     0   TBA-4   Management-Policy-Id (Note 2)
>       0-1     0     0   TBA-5   Management-Privilege-Level (Note 2)

    Request   ACK   NAK    #     Attribute
 
       0-1     0     0   TBA-2   Framed-Management-Protocol (Note 1)
       0-1     0     0   TBA-3   Management-Transport-Protection (Note 1)
       0-1     0     0   TBA-4   Management-Policy-Id (Note 2)
       0-1     0     0   TBA-5   Management-Privilege-Level (Note 2)

I don't think it makes any sense to allow re-provisioning of the session
transport parameters, as that would almost certainly require a disconnect
and re-establishment of the session.

> Disconnect Messages
> 
>    Request   ACK   NAK   #   Attribute
> 
>       0-1     0     0   TBA-2   Framed-Management-Protocol (Note 1)
>       0-1     0     0   TBA-3   Management-Transport-Protection (Note 1)
>       0       0     0   TBA-4   Management-Policy-Id
>       0       0     0   TBA-5   Management-Privilege-Level
> 
> 
> 
> (Note 1) Where NAS or session identification attributes are included
>    in Disconnect-Request or CoA-Request packets, they are used for
>    identification purposes only.  These attributes MUST NOT be used for
>    purposes other than identification (e.g., within CoA-Request packets
>    to request authorization changes).
> 
> (Note 2) When included within a CoA-Request, these attributes
>    represent an authorization change request.  When one of these
>    attributes is omitted from a CoA-Request, the NAS assumes that the
>    attribute value is to remain unchanged.  Attributes included in a
>    CoA-Request replace all existing values of the same attribute(s).

Similar logic applies to the Disconnect-Request case.  Those attributes
which might aid in distinguishing one of a user's concurrent sessions from
among others may be useful.  The primary indicator here is likely to be the
Service-Type, but that is already permitted by RFC 5176.  We only need to
discuss the newly introduced attributes, in this document.

I'm planning to crate a -04 version of the draft today, to submit prior to
the upcoming "blackout" period on ID submissions.  Now would be a good time
to submit comments on this issue (or any other open issue against -03).  :-)



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Wed, 09 Jul 2008 21:37:08 +0000
Date: Wed, 9 Jul 2008 14:35:42 -0700 (PDT)
From: Bernard Aboba <aboba@internaut.com>
To: radiusext@ops.ietf.org
Subject: REMINDER:  Call for Agenda Items for IETF 72
Message-ID: <Pine.LNX.4.64.0807091430540.30872@internaut.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Currently the RADEXT WG is scheduled to meet at IETF 72 in Dublin, Ireland 
on Wednesday morning from 9 AM - 11:30 AM on July 30, 2008 in the Conservatory Room. 

This is a call for agenda items for that meeting. If you have an item 
you'd like to put on the agenda, please contact myself 
(Bernard_Aboba@hotmail.com) or Dave. 


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Wed, 09 Jul 2008 19:54:11 +0000
From: "David B. Nelson" <d.b.nelson@comcast.net>
To: <radiusext@ops.ietf.org>
Subject: RE: Additional comments on draft-ietf-radext-management-authorization-03.txt
Date: Wed, 9 Jul 2008 15:52:55 -0400
Message-ID: <00c801c8e1fd$61fd60f0$041716ac@NEWTON603>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
thread-index: AcjWDNpFBM9lW8yqTripxrKpZlc0EgKUz0eAAGXOpmA=

Following up on an open issue:

> > Section 12
> >
> > Within the document, the CoA-Request is mentioned, but the table
> > does not describe which attributes can be included in CoA or
> > Disconnect Request, ACK or NAK packets.  Is it accurate to assume
> > that none of the attributes defined in this document can be
> > contained in a CoA or Disconnect packet?
> 
> Good question.  I need to think about this for a bit.

I've taken the time to re-read RFC 5176.  It's not entirely clear to me if
and how Dynamic Authorization ought to apply to NAS management.  There's a
clear and straightforward application for Disconnect-Request, to terminate a
management session for administrative reasons.

I'm a little less clear that there is an application for
Change-of-Authorization for management sessions.  One could well imagine
possible, hypothetical use cases, of course.  The question remains whether
there is an actual user requirement to be met.  OTOH, I see no reason to
explicitly prohibit the usage of Dynamic Authorization with NAS Management
Authorization, especially if such usage is entirely optional.

RCF 5176 Section 2.3 (page 9, second to last paragraph) requests that future
documents defining RADIUS attributes specify the nature of their usage in
CoA or Disconnect messages, and whether each attribute can be used as a
session identifier, for session provisioning, or for both.

I will take a stab at that, and hereby solicit WG feedback on the proposal.

Add the following text to Section 12 (as currently numbered):

Change-of-Authorization Messages

   Request   ACK   NAK    #     Attribute

      0       0     0   TBA-2   Framed-Management-Protocol
      0       0     0   TBA-3   Management-Transport-Protection
      0-1     0     0   TBA-4   Management-Policy-Id (Note 2)
      0-1     0     0   TBA-5   Management-Privilege-Level (Note 2)


Disconnect Messages

   Request   ACK   NAK   #   Attribute

      0-1     0     0   TBA-2   Framed-Management-Protocol (Note 1)
      0-1     0     0   TBA-3   Management-Transport-Protection (Note 1)
      0       0     0   TBA-4   Management-Policy-Id
      0       0     0   TBA-5   Management-Privilege-Level



(Note 1) Where NAS or session identification attributes are included
   in Disconnect-Request or CoA-Request packets, they are used for
   identification purposes only.  These attributes MUST NOT be used for
   purposes other than identification (e.g., within CoA-Request packets
   to request authorization changes).

(Note 2) When included within a CoA-Request, these attributes
   represent an authorization change request.  When one of these
   attributes is omitted from a CoA-Request, the NAS assumes that the
   attribute value is to remain unchanged.  Attributes included in a
   CoA-Request replace all existing values of the same attribute(s).


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Wed, 09 Jul 2008 00:14:54 +0000
From: IESG Secretary <iesg-secretary@ietf.org>
To: IETF Announcement list <ietf-announce@ietf.org>
Cc: Bernard_Aboba@hotmail.com, d.b.nelson@comcast.net, radiusext@ops.ietf.org
Subject: WG Action: RECHARTER: RADIUS Extensions Working Group (radext) 
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0
Message-Id: <20080709001312.CDD293A6B37@core3.amsl.com>
Date: Tue,  8 Jul 2008 17:13:12 -0700 (PDT)

The charter of the RADIUS Extensions Working Group (radext) working group
in the Operations and Management Area of the IETF has been updated.  For 
additional information, please contact the Area Directors or the working 
group Chairs.

RADIUS Extensions Working Group (radext)
----------------------------------------
Last Modified: 2008-05-29

Chair(s):
* Bernard Aboba <Bernard_Aboba@hotmail.com>
* David Nelson <d.b.nelson@comcast.net>

Operations and Management Area Director(s):
* Dan Romascanu <dromasca@avaya.com>
* Ronald Bonica <rbonica@juniper.net>

Operations and Management Area Advisor:
* Dan Romascanu <dromasca@avaya.com>

Technical Advisor(s):
* Paul Congdon <paul.congdon@hp.com>

Mailing Lists:
General Discussion: radiusext@ops.ietf.org
To Subscribe: radiusext-request@ops.ietf.org
In Body: In Body: subscribe
Archive: https://ops.ietf.org/lists/radiusext

Description of Working Group:

The RADIUS Extensions Working Group will focus on extensions to the
RADIUS protocol required to define extensions to the standard
attribute space as well as to address cryptographic algorithm
agility and use over new transports. In addition, RADEXT will
work on RADIUS Design Guidelines and define new attributes for
particular applications of authentication, authorization and
accounting such as NAS management and local area network (LAN) usage.

In order to enable interoperation of heterogeneous RADIUS/Diameter
deployments, all RADEXT WG work items MUST contain a Diameter
compatibility section, outlining how interoperability with
Diameter will be maintained.

Furthermore, to ensure backward compatibility with existing RADIUS
implementations, as well as compatibility between RADIUS and Diameter,
the following restrictions are imposed on extensions considered by the
RADEXT WG:

- All documents produced MUST specify means of interoperation with
legacy RADIUS and, if possible, be backward
compatible with existing RADIUS RFCs, including RFCs 2865-2869,
3162, 3575, 3579, 3580, 4668-4673,4675, 5080, 5090 and 5176.
Transport profiles should, if possible, be compatible with RFC 3539.

- All RADIUS work MUST be compatible with equivalent facilities in
Diameter. Where possible, new attributes should be defined so that
the same attribute can be used in both RADIUS and Diameter without
translation. In other cases a translation considerations
section should be included in the specification.


Work Items

The immediate goals of the RADEXT working group are to address the
following issues:

- RADIUS design guidelines. This document will provide guidelines for
design of RADIUS attributes. It will specifically consider how
complex data types may be introduced in a robust manner, maintaining
backwards compatibility with existing RADIUS RFCs, across all the
classes of attributes: Standard, Vendor-Specific and SDO-Specific.
In addition, it will review RADIUS data types and associated
backwards compatibility issues.

- RADIUS Management authorization. This document will define the
use of RADIUS for NAS management over IP.

-RADIUS attribute space extension. The standard RADIUS attribute
space is currently being depleted. This document will provide
additional standard attribute space, while maintaining backward
compatibility with existing attributes.

-RADIUS Cryptographic Algorithm Agility. RADIUS has traditionally
relied on MD5 for both per-packet integrity and authentication as well
as attribute confidentiality. Given the increasingly successful
attacks being mounted against MD5, the ability to support
alternative algorithms is required. This work item will
include documentation of RADIUS crypto-agility requirements,
as well as development of one or more Experimental RFCs providing
support for negotiation of alternative cryptographic algorithms
to protect RADIUS.

- IEEE 802 attributes. New attributes have been proposed to
support IEEE 802 standards for wired and wireless LANs. This
work item will support authentication, authorization and
accounting attributes needed by IEEE 802 groups including
IEEE 802.1, IEEE 802.11 and IEEE 802.16.

- New RADIUS transports. A reliable transport profile for
RADIUS will be developed, as well as specifications for
Secure transports, including TCP/TLS (RADSEC) and UDP/DTLS.

- Documentation of Status-Server usage. A document
describing usage of the Status-Server facility will be
developed.

Goals and Milestones:

Jun 2008 RADIUS Design Guidelines submitted as a Best Current Practice
RFC
Jun 2008 RADIUS Management Authorization I-D submitted as a Proposed
Standard RFC
Sep 2008 RADIUS Crypto-agility Requirements submitted as an
Informational RFC
Sep 2008 Extended Attributes I-D submitted as a Proposed Standard RFC
Dec 2008 IEEE 802 Attributes I-D submitted as a Proposed Standard RFC
Jan 2009 Reliable Transport Profile for RADIUS I-D submitted as a
Proposed Standard RFC
Mar 2009 Status-Server I-D submitted as a Proposed Standard RFC
Mar 2009 RADSEC (RADIUS over TCP/TLS) draft submitted as an Experimental
RFC
June 2009 RADIUS over DTLS I-D submitted as an Experimental RFC
June 2009 RADIUS Cryptographic Algorithm Agility I-D submitted as an
Experimental RFC

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Tue, 08 Jul 2008 18:12:14 +0000
From: "David B. Nelson" <dnelson@elbrysnetworks.com>
To: <radiusext@ops.ietf.org>
Cc: "'Alan DeKok'" <aland@deployingradius.com>
Subject: RE: REMINDER: RADEXT WG Last Call on Design Guidelines Document
Date: Tue, 8 Jul 2008 14:11:05 -0400
Organization: Elbrys Networks, Inc.
Message-ID: <A55B370B1CBA4B85A66CD99B56068DC2@xpsuperdvd2>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Thread-Index: Acjg/Xvknd8pR5PZQRGDH2+MWm/VMgAIekeg

Alan DeKok writes...

> > (3) Undefined term.
> ...
> > Add a definition of what constitutes "security functionality". 
> > Given that I'm having difficulty in suggesting specific text to 
> > accomplish this, I'm thinking it's not all that obvious.  Do we
> > need to reference "security functionality" at all, or is an 
> > exception for "authentication credentials" sufficient?
> 
>   The Message-Authenticator attribute provides authentication of 
> RADIUS packets that is independent of any user authentication 
> credentials.

OK, so that's not a viable simplification.  I'm still fishing for a
definition of "security functionality", as used in this context, that's less
open-ended than the plain meaning as found in the dictionary.

>   SDOs don't have a problem referencing RADIUS specifications from other
> SDOs.  That's not the issue.  The issue is whether or not everyone
> *else* finds the specifications useful.

>   If SDOs need functionality that is useful to *everyone*, they can
> request standard space allocation.  If SDOs are defining their own
> specifications, they do not need standard space allocation.

How, exactly, do we define "everyone"?

> I'm not sure many SDOs would agree to cede change control over
> their allocations to IANA.  I'm not sure that IANA wants that work,
> either.

Isn't IANA funded to allocate code points to anyone who presents a valid
request, even individuals?

To some extent, I think this is a matter of nomenclature.  If we say that
the RADIUS code space is divided between "standard" space and "Vendor
Specific" space, we effectively lump SDO uses, would could be very broadly
adopted, with proprietary vendor uses, which could have minimal, if any,
deployment.  That's why I've been touting the term SDO Specific Attribute.
True, it uses the Vendor Specific Attribute format (and top-level ID), but
it allows for a distinction between proprietary vendor uses and standardized
uses.  The distinction between "IETF standard" space and "other SDO
standard" space then becomes merely a matter of which registry is used, and
not a matter of "standard" vs. "non-standard".

I'm an engineer but I recognize that sometimes marketing considerations are
important.  :-)

>   How about adding 2.1.6:
> 
>   The extended RADIUS attribute document [EXTEN] defines a number of
>   extensions to RADIUS.  The standard attribute space is extended by
>   permitting standard allocations from within a specific subset of the
>   VSA space; the format of extended attributes is defined; and
>   extended data types are defined within that format.
> 
>   New specifications seeking to extend the standard RADIUS data model
>   SHOULD examine [EXTEN] to see if their needs fit within the extended
>   RADIUS data model.

Yes, I think that would be helpful.

>   We could add the following sentence after the existing bullet points
> that discuss "SDOs or groups of SDOs".
> 
>   Any new RADIUS attributes or values intended for interoperable use
>   across a broad spectrum of the Internet Community SHOULD follow the
>   normal IETF process, and SHOULD result in allocations from the RADIUS
>   standard space.

I think that would also helpful, although the interpretation of "broad"
remains subjective.  I'm not sure ewe can do much better, though.

>   As noted in my response, there are many uses of attributes *outside*
> of SDOs and groups of SDOs.  The text here can be clarified a bit, but I
>  think it's relatively good.
> 
>   How about this text:
> 
>   When attributes are used primarily within a group of SDOs, and are
>   not applicable to the wider Internet community, we expect that one SDO
>   will be responsible for allocation from their own private space.

I guess this OK.   See my discussion, above.



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Tue, 08 Jul 2008 17:23:40 +0000
From: "David B. Nelson" <dnelson@elbrysnetworks.com>
To: <radiusext@ops.ietf.org>
Cc: "'Bernard Aboba'" <bernard_aboba@hotmail.com>
Subject: RE: Additional comments on draft-ietf-radext-management-authorization-03.txt
Date: Tue, 8 Jul 2008 13:22:22 -0400
Organization: Elbrys Networks, Inc.
Message-ID: <EA1BE2E7564C4ADF8889E0D31F689739@xpsuperdvd2>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Thread-Index: Acjgdi5xjTxGUhOtQj235JAgVzoOrgAqGQhg

Bernard Aboba writes...

> > > "MAY use these hint attributes" -> "may use these attributes
> > > as a hint"=20
> > OK, but why "MAY" --> "may"?
>=A0
> Hints are inherently optional.

Well, quoting RFC 2119:

   MAY   This word, or the adjective "OPTIONAL", mean that an
   item is truly optional.

Since MAY means "truly optional", which I can't distinguish from =
"inherently
optional", I'm proposing to leave the text as is.  :-)



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Tue, 08 Jul 2008 13:22:52 +0000
Message-ID: <487369B7.2080109@deployingradius.com>
Date: Tue, 08 Jul 2008 15:20:55 +0200
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.14 (X11/20080502)
MIME-Version: 1.0
To: "David B. Nelson" <dnelson@elbrysnetworks.com>
CC: radiusext@ops.ietf.org
Subject: Re: REMINDER: RADEXT WG Last Call on Design Guidelines Document
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

David B. Nelson wrote:
> My review comments on the -04 version as are follows:
> 
> (1) Short-lived reference.
...
> The RADEXT WG mailing list is a relatively short-lived entity.  We hope the
> WG completes its charter and closes one of these days.  :-)  This text
> provides no guidance to the reader as to how to determine what constitutes
> an "equivalent" IETF mailing list.

  The introduction references the AAA doctors list.  A similar reference
should be added here.

> Requested change:
> 
> * Reviews of specifications are posted to the RADEXT WG mailing list or
> another IETF mailing list suggested by the Operations & Management Area
> Directors of the IETF;

  I think that referencing the AAA doctors list would be useful, too.

> (2) Misplaced modifier.
...
> Requested change:

  OK.

> (3) Undefined term.
...
> Add a definition of what constitutes "security functionality".  Given that
> I'm having difficulty in suggesting specific text to accomplish this, I'm
> thinking it's not all that obvious.  Do we need to reference "security
> functionality" at all, or is an exception for "authentication credentials"
> sufficient?

  The Message-Authenticator attribute provides authentication of RADIUS
packets that is independent of any user authentication credentials.

> (4) Needlessly IETF-centric viewpoint.
..
> This leads me to believe that the authors think that other (non-IETF) SDOs
> (or worse yet, groups of SDOs) are unlikely to define attributes that are
> useful to the broad Internet Community.

  SDOs don't have a problem referencing RADIUS specifications from other
SDOs.  That's not the issue.  The issue is whether or not everyone
*else* finds the specifications useful.

  e.g. 3GPP2 defines a number of RADIUS attributes.  I haven't seen them
implemented in a Wifi hotspot or in a low-end Wifi home router... and I
don't expect to see them there.  As such, the 3GPP2 specifications
belong in the SDO space, and not in the IETF space.

>  That may or may not be true.  I'm
> guessing that what this really means is that only the IETF ought to be
> consuming standard RADIUS attribute IDs, based on IANA allocation, and all
> other bodies need to host attributes in a private code-point space (i.e. the
> assigned VSA block).  Does this document intend to Update RFC 3575?

  Yes (to the first sentence), and no (to the second).  Pointing out
that IETF and IANA are responsible for standard-space allocations isn't
an update to IETF processes.  It's a re-iteration that vendors and SDOs
SHOULD NOT stomp on the IETF space for vendor-specific, or SDO-specific
allocations.

> I think the conditional phrase "for attributes matching any of the following
> criteria" will almost always evaluate to TRUE because of the second and
> third bullet items, so the whole paragraph makes little sense to me.

  If SDOs need functionality that is useful to *everyone*, they can
request standard space allocation.  If SDOs are defining their own
specifications, they do not need standard space allocation.

> If the issue is standard attribute scarcity, isn't this addressed by the
> RADIUS Extended Attribute format [EXTEN]?

  No.  While the guidelines document was started when [EXTEN] had 8-bit
attributes, the issue isn't attribute scarcity.  The issue as I see it
is requesting "standard" space allocation for SDO-specific
functionality.  I'm not sure many SDOs would agree to cede change
control over their allocations to IANA.  I'm not sure that IANA wants
that work, either.

> I think that this document should provide better guidance as to when an IANA
> allocation from the standard RADIUS Attribute code-point space is
> appropriate.  Does the need for interoperability between multiple SDOs meet
> that threshold? 

  I don't think so.  WiMAX is referencing 3GPP attributes.  There's no
need to re-host the 3GPP attributes in the IETF standard space just
because another SDO decides to reference them.

> Or must the usage be of general applicability to the
> Internet Community?

  Yes.  And it should be *new* functionality.

>  How does the existence of the Extended RADIUS Attribute
> (a VSA with a code-point block assigned to the IETF) change the distinction
> between "standard" and "VSA" allocations?

  How about adding 2.1.6:

  The extended RADIUS attribute document [EXTEN] defines a number of
  extensions to RADIUS.  The standard attribute space is extended by
  permitting standard allocations from within a specific subset of the
  VSA space; the format of extended attributes is defined; and
  extended data types are defined within that format.

  New specifications seeking to extend the standard RADIUS data model
  SHOULD examine [EXTEN] to see if their needs fit within the extended
  RADIUS data model.

> Requested change:

  We could add the following sentence after the existing bullet points
that discuss "SDOs or groups of SDOs".

  Any new RADIUS attributes or values intended for interoperable use
  across a broad spectrum of the Internet Community SHOULD follow the
  normal IETF process, and SHOULD result in allocations from the RADIUS
  standard space.

> (5) Format issues.

  Fixed.

> (6) Bad reference.

  Fixed.

> (7) Missing definition/reference.
...
> Where do we normatively define the term "extended data types"?

  I would suggest in a new section, 2.1.6, as shown above.

> (8) Duplicate section title.
...
> Both of these sections are entitled "Complex data types".  One of them is
> permissive and the other prohibitive.

  The first talks about Opaque data types being OK.  I've changed the
title to "Opaque data types".  The second is about Complex data types in
RADIUS being NOT RECOMMENDED.

> (9) Confusion over allocation policy.
...
> As discussed in comment (4), above, attributes intended for interoperable
> use across multiple SDOs *could* qualify for allocation from the standard
> RADIUS attribute space, or from the Extended RADIUS Attribute (IETF/SDO)
> space.

  As noted in my response, there are many uses of attributes *outside*
of SDOs and groups of SDOs.  The text here can be clarified a bit, but I
 think it's relatively good.

  How about this text:

  When attributes are used primarily withing a group of SDOs, and are
  not applicable to the wider Internet community, we expect that one SDO
  will be responsible for allocation from their own private space.

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Mon, 07 Jul 2008 21:46:35 +0000
From: Internet-Drafts@ietf.org
To: i-d-announce@ietf.org
Cc: radiusext@ops.ietf.org
Subject: I-D ACTION:draft-ietf-radext-extended-attributes-04.txt 
Content-Type: Multipart/Mixed; Boundary="NextPart"
Mime-Version: 1.0
Message-Id: <20080707214501.7E38B28C2A0@core3.amsl.com>
Date: Mon,  7 Jul 2008 14:45:01 -0700 (PDT)

--NextPart

A New Internet-Draft is available from the on-line Internet-Drafts 
directories.
This draft is a work item of the RADIUS EXTensions Working Group of the IETF.

	Title		: Extended Remote Authentication Dial In User Service (RADIUS) Attributes
	Author(s)	: Y. Li, A. Lior, G. Zorn
	Filename	: draft-ietf-radext-extended-attributes-04.txt
	Pages		: 13
	Date		: 2008-7-7
	
For the Remote Authentication Dial In User Service (RADIUS) protocol
   to continue to support new applications the RADIUS attribute type
   space must be extended beyond the current limit of 255 possible
   attribute types while maintaining backwards compatibility with the
   existing protocol.  This document defines a mechanism to accomplish
   that task, along with standard methods to group together related
attributes and to encode values that don't fit into 253 octets.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-radext-extended-attributes-04.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.

--NextPart
Content-Type: Message/External-body;
	name="draft-ietf-radext-extended-attributes-04.txt";
	site="ftp.ietf.org";
	access-type="anon-ftp";
	directory="internet-drafts"

Content-Type: text/plain
Content-ID:	<2008-7-7143117.I-D@ietf.org>

--NextPart--


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Mon, 07 Jul 2008 19:13:35 +0000
From: "David B. Nelson" <dnelson@elbrysnetworks.com>
To: <radiusext@ops.ietf.org>
Cc: "'Bernard Aboba'" <bernard_aboba@hotmail.com>
Subject: RE: Additional comments on draft-ietf-radext-management-authorization-03.txt
Date: Mon, 7 Jul 2008 15:12:33 -0400
Organization: Elbrys Networks, Inc.
Message-ID: <69C61DEE097F4E5AB1582222AB04AFBC@xpsuperdvd2>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Thread-Index: AcjWDNpFBM9lW8yqTripxrKpZlc0EgKUz0eA

Bernard Aboba writes...

> Section 8.1
> 
> "Service-Type of Framed-Management" -> "Service-Type Attribute
> with the value Framed-Management"

OK.
 
> "in Access-Request packet" -> "in an Access-Request packet"

OK.

> "MAY use these hint attributes" -> "may use these attributes as a hint"

OK, but why "MAY" --> "may"?

> "MUST treat the response" -> "MUST treat the Access-Accept"

OK.

Reference issues have been previously discussed.

> Section 8.2
> 
>    The Management-Transport-Protection Attribute specifies whether a
>    secure transport protocol (e.g.  SSH, TLS, DTLS, etc.) is required
>    for use with the associated framed or non-framed management access
>    session.  The value of this attribute specifies the minimum level of
>    protection that is required from the protected transport.  The
>    protected transport MAY provide a greater level of protection than is
>    called for by the value of Management-Transport-Protection.
> 
> [BA] The second sentence is more on target.  How about this?
> 
>    The Management-Transport-Protection Attribute specifies the minimum
>    level of protection that is required for a protected transport used
>    with the framed or non-framed management access session.  The protected
>    transport used by the NAS MAY provide a greater level of protection,
>    but MUST NOT provide a lower level of protection.

OK.
 
> "in Access-Request packet" -> "in an Access-Request packet"
> "RADIUS Client" -> "RADIUS client"
> "RADIUS Server" -> "RADIUS server"
> "MAY use this hint attribute" -> "may use this attribute as a hint"

OK, but same question on "MAY"...

> Section 8.3
> 
> "application to SMNP services" -> "SNMP"
> "NAS behavior in such cases is not predictable." -> "The behavior of the
> NAS in this case is undefined."
> "a single service provisioning message, such as" -> "an Access-Accept or
> CoA-Request".

All OK.

> ", within a flat namespace of significance to the NAS"
> 
> [BA] Are you saying that "." can't be used?  Can this be deleted?

Eh?  By "flat", I mean a monolithic name that can be searched by a
non-structured text comparison (e.g. strcasecmp()).  This is effectively a
prohibition on sub-fields within the name text that a client or server would
need to take special heed of.  You can include ".", but it has no more
significance than any other character.

> "Overloading or subdividing this flat name with" ->
> "Overloading or subdividing this attribute with"

Hmm.  Module the resolution of the "flatness" issue, above, this might be
OK.

> "If a simple flat policy name" -> "If a simple policy name"
> "sufficient to the anticipated use case" -> "sufficient"

Ditto.
 
> Section 12
> 
> Within the document, the CoA-Request is mentioned, but the table
> does not describe which attributes can be included in CoA or
> Disconnect Request, ACK or NAK packets.  Is it accurate to assume
> that none of the attributes defined in this document can be 
> contained in a CoA or Disconnect packet?

Good question.  I need to think about this for a bit.

> Section 14
> 
>    Any of the attributes described in this memo, with the exception of
>    Service-Type, may not be understood by the NAS which receives it.  A
>    legacy NAS not compliant with this specification may silently discard
>    these attributes while permitting the user to access the management
>    interface(s) of the NAS.  This can lead to users improperly receiving
>    unauthorized management access to the NAS, or access with greater
>    levels of access rights than were intended.  RADIUS servers SHOULD
>    attempt to ascertain whether or not the NAS supports these attributes
>    before sending them in an Access-Accept.
> 
> [BA] This paragraph could be more clear.  There are really two cases.
> When a Service-Type value of Framed-Management is used, I'd assume 
> that a NAS implementing this specification would be required to behave
> as specified (e.g. treat the Access-Accept as an Access-Reject if the
> attribute or value wasn't supported).

Right.  Service-Type is the one implicitly "mandatory" (as in the Diameter
Mandatory bit) attribute in RADIUS.

Can we assume that if the NAS supports a value of Framed-Management for the
Service-Type attribute that it also at least *recognizes* all the other
Framed Management related attributes in this document, even though it may
not support those services?  Or is that expecting too much?

> I think that an issue could occur when a legacy Service-Type value
> is used though, since then the NAS might ignore the new attributes 
> instead of treating the Access-Accept like an Access-Reject.

Um, yeah.

> I don't think you need to talk about the potential behavior of an
> implementation that claims to conform to the spec, but doesn't do 
> what it says.

:-)

How about:

  A legacy NAS may not recognize the attributes in this document
  that supplement the provisioning of CLI management access.  If
  the value of the Service Type Attribute is NAS-Prompt or 
  Administrative, the legacy NAS may silently discard such 
  attributes, while permitting the user to access the CLI
  management interface(s) of the NAS.  This can lead to users
  improperly receiving unauthorized management access to the NAS,
  or access with greater levels of access rights than were intended.
  RADIUS servers SHOULD attempt to ascertain whether or not the
  NAS supports these attributes before sending them in an 
  Access-Accept provisioning CLI access.



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Mon, 07 Jul 2008 18:31:15 +0000
From: "David B. Nelson" <dnelson@elbrysnetworks.com>
To: <radiusext@ops.ietf.org>
Cc: "'Bernard Aboba'" <aboba@internaut.com>
Subject: RE: Editorial review of draft-ietf-radext-management-authorization-03.txt
Date: Mon, 7 Jul 2008 14:30:14 -0400
Organization: Elbrys Networks, Inc.
Message-ID: <72F93F8B338146A396310828430D7D83@xpsuperdvd2>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Thread-Index: AcjWB/omJanCHyJNRY+ezPx3//Rx9wKVS2yw

Bernard Aboba writes...
 
> Abstract
> 
>    This document describes Remote Authentication Dial-In User Service
>    (RADIUS) attributes for the authorization and service provisioning of
>    Network Access Servers (NASes).  Both local and remote management are
>    supported, with granular access rights and management privileges.
>    Specific provisions are made for remote management via framed
>    management protocols, and for specification of a protected transport
>    protocol.
> 
> [BA] This document is about NAS management authorization, not
> authorization of NASes.  Suggest the following:
> 
>    This document specifies Remote Authentication Dial-In User Service
>    (RADIUS) attributes for Network Access Server (NAS) management.
>    Both local and remote management are
>    supported, with granular access rights and management privileges.
>    Specific provisions are made for remote management via framed
>    management protocols, which may run over a secure transport
>    protocol.

Yeah, something went awry in the editing.  How about:

  This document specifies Remote Authentication Dial-In User Service
  (RADIUS) attributes for authorizing management access to a Network 
  Access Server (NAS).  Both local and remote management are supported,
  with granular access rights and management privileges.  Specific
  provisions are made for remote management via framed management
  protocols, which may run over a secure transport protocol.
 
> 2. Introduction and Rationale
> 
> [BA] How about combining Sections 2, part of 3 and 6 into a Section 1 that
> reads as follows?  The Terminology section can then be Section 1.1.
> 
> 1. Introduction
> 
>    RFC 2865 [RFC 2865] defines the NAS-Prompt and Administrative values of
>    the Service-Type Attribute.   Both of these values provide access to
>    the interactive, text-based Command Line Interface (CLI) of the NAS,
>    and were originally developed to control access to the physical
>    console port of the NAS, most often a serial port.
> 
>    Remote access to the CLI of the NAS has been available in NAS
>    implementations for many years, using protocols such as Telnet,
>    Rlogin and the remote terminal service of SSH.  In order to distinguish
>    local, physical, console access from remote access, the NAS-Port-Type
>    Attribute is generally included in Access-Request and Access-Accept
>    messages, along with the Service-Type Attribute, to indicate the form
>    of access.  A NAS-Port-Type of Async (0) is used to signify a local
>    serial port connection, while a value of Virtual (5) is used to
>    signify a remote connection, via a remote terminal protocol.  This
>    usage provides no selectivity among the various available remote
>    terminal protocols (e.g.  Telnet, Rlogin, SSH, etc.).

OK with me.

>    Today, it is common for network devices to support more than two
>    privilege levels for management access than just NAS-Prompt
>    (non-privileged) and Administrative (privileged).  Also, other
>    management mechanisms may be used, such as Web-based management,
>    Simple Network Management Protocol (SNMP) and NETCONF.
>    To provide support for these additional features, this specification
>    defines attributes for framed management protocols, management protocol
>    security, and management access privilege levels.

Looks OK to me, with minor grammatical tweaking.  How about:

  Today, it is common for network devices to support more than the two
  privilege levels for management access provided by NAS-Prompt
  (non-privileged) and Administrative (privileged).

>    Remote management via the command line is carried over protocols
>    such as Telnet, Rlogin and the remote terminal service of SSH.  Since
>    these protocols are primarily for the delivery of terminal or
>    pseudo-TTY services,  the term "Framed Management" is used to describe
>    management protocols supporting techniques other than the command-line.
>    Typically these mechanisms format management information in a binary or
>    textual encoding such as HTML, XML or ASN.1/BER.  Examples include
>    web-based management (HTML over HTTP or HTTPS), NETCONF (XML over
>    SSH/BEEP/SOAP) and SNMP (SMI over ASN.1/BER).  Command line
>    interface, menu interface or other text-based (e.g. ASCII or UTF-8)
>    terminal emulation services are not considered to be Framed Management
>    protocols.

OK with me.

> [BA] How about combining part of Section 3, as well as 4, 5 and 6 into
> a Section 2 that reads as follows?
> 
> 2. Overview
> 
>    To support the authorization and provisioning of Framed Management
>    access to managed entities, this document introduces a new value for
>    the Service-Type Attribute [RFC2865], and one new attribute.  The new
>    value for the Service-Type Attribute is Framed-Management, used for
>    remote device management via a Framed Management Protocol.  The new
>    attribute is Framed-Management-Protocol, the value of which specifies a
>    particular protocol for use in the remote management session.
> 
>    Two new attributes are introduced in this document in support of
>    granular management access rights or command privilege levels.
>    The Management-Policy-Id Attribute provides a text string
>    specifying  a policy name of local scope, that is assumed to have
>    been pre-provisioned on the NAS.  This use of an attribute to
>    specify use of a pre-provisioned policy is similar to
>    the Filter-Id Attribute defined in [RFC2865] Section 5.11.
> 
>    The local application of the Management-Policy-Id within the managed
>    entity may take the form of (a) one of an enumeration of command
>    privilege levels, (b) a mapping into an SNMP Access Control Model,
>    such as the View Based Access Control Model (VACM) [RFC3415], or (c)
>    some other set of management access policy rules that is mutually
>    understood by the managed entity and the remote management
>    application.  Examples are given in Section X.
> 
>    The Management-Privilege-Level Attribute contains an
>    integer-valued management privilege level indication.  This attribute
>    serves to modify or augment the management permissions provided by
>    the NAS-Prompt value of the Service-Type Attribute, and thus applies to
>    CLI management.
> 
>    To enable management security requirements to be specified, the
>    Management-Transport-Protection Attribute is introduced.  The value
>    of this attribute indicates the minimum level of secure transport
>    protocol protection required for the provisioning of NAS-Prompt,
>    Administrative or Framed-Management service.

This looks, OK, too.

Obviously we need to see the edited version, in context, but I don't see any
loss of information in this condensed version.


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Mon, 07 Jul 2008 18:01:18 +0000
From: "David B. Nelson" <dnelson@elbrysnetworks.com>
To: <radiusext@ops.ietf.org>
Subject: RE: REMINDER: RADEXT WG Last Call on Design Guidelines Document
Date: Mon, 7 Jul 2008 13:59:30 -0400
Organization: Elbrys Networks, Inc.
Message-ID: <6A2BB8CCBEB94217B36A3D8B3F015564@xpsuperdvd2>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Thread-Index: Acje0nghTRj4aUmRTkOTstmvS+hHqwBcbLAg

My review comments on the -04 version as are follows:

(1) Short-lived reference.

Submitter name: Dave Nelson
Submitter email address: d.b.nelson@comcast.net
Date first submitted: July 7, 2008
Document: draft-ietf-radext-design-04.txt
Comment type: Technical
Priority: '1' Should fix 
Section: 1.1
Rationale/Explanation of issue:

* Reviews of specifications are posted to the RADEXT WG or
equivalent IETF mailing list;

The RADEXT WG mailing list is a relatively short-lived entity.  We hope the
WG completes its charter and closes one of these days.  :-)  This text
provides no guidance to the reader as to how to determine what constitutes
an "equivalent" IETF mailing list.

Requested change:

* Reviews of specifications are posted to the RADEXT WG mailing list or
another IETF mailing list suggested by the Operations & Management Area
Directors of the IETF;


(2) Misplaced modifier.

Submitter name: Dave Nelson
Submitter email address: d.b.nelson@comcast.net
Date first submitted: July 7, 2008
Document: draft-ietf-radext-design-04.txt
Comment type: Editorial
Priority: '1' Should fix 
Section: 1.1
Rationale/Explanation of issue:

   RADIUS protocol changes, or specification of attributes that
   can be used to, in effect, provide new RADIUS commands (such as
   Service-Type) require greater expertise and deeper review, as
   do changes to the RADIUS operational model, as described in
   Section 3.3.

Service-Type is an attribute, not a command.

Requested change:

   RADIUS protocol changes, or specification of attributes (such
   as Service-Type) that can be used to, in effect, provide new
   RADIUS commands, require greater expertise and deeper review,
   As do changes to the RADIUS operational model, as described in
   Section 3.3.


(3) Undefined term.

Submitter name: Dave Nelson
Submitter email address: d.b.nelson@comcast.net
Date first submitted: July 7, 2008
Document: draft-ietf-radext-design-04.txt
Comment type: Technical
Priority: '1' Should fix 
Section: 2.1.3
Rationale/Explanation of issue:

   As a result, the introduction of new complex data types
   within RADIUS attribute specifications SHOULD be avoided,
   except in the case of complex attributes involving authentication
   or security functionality.

"Security functionality" is a term that could be assigned a fairly broad
range of possible meanings.  Well intentioned RADIUS Attribute designers
might think this applies to any attribute that they wish to remain "secure"
or which has security implications for their product, e.g. important service
provisioning parameters.  While the term is defined by various examples in
Appendix B, I think a better "normative" definition is required here.

Requested change:

Add a definition of what constitutes "security functionality".  Given that
I'm having difficulty in suggesting specific text to accomplish this, I'm
thinking it's not all that obvious.  Do we need to reference "security
functionality" at all, or is an exception for "authentication credentials"
sufficient?


(4) Needlessly IETF-centric viewpoint.

Submitter name: Dave Nelson
Submitter email address: d.b.nelson@comcast.net
Date first submitted: July 7, 2008
Document: draft-ietf-radext-design-04.txt
Comment type: Technical
Priority: '1' Should fix 
Section: 3.1.3
Rationale/Explanation of issue:

  SDO RADIUS Attribute specifications SHOULD allocate attributes from
  the vendor space, rather than requesting an allocation from the
  RADIUS standard attribute space, for attributes matching any of the
  following criteria:

   * attributes relying on data types not defined within RADIUS
   * attributes intended primarily for use within an SDO
   * attributes intended primarily for use within a group of SDOs.

This leads me to believe that the authors think that other (non-IETF) SDOs
(or worse yet, groups of SDOs) are unlikely to define attributes that are
useful to the broad Internet Community.  That may or may not be true.  I'm
guessing that what this really means is that only the IETF ought to be
consuming standard RADIUS attribute IDs, based on IANA allocation, and all
other bodies need to host attributes in a private code-point space (i.e. the
assigned VSA block).  Does this document intend to Update RFC 3575?

I think the conditional phrase "for attributes matching any of the following
criteria" will almost always evaluate to TRUE because of the second and
third bullet items, so the whole paragraph makes little sense to me.

If the issue is standard attribute scarcity, isn't this addressed by the
RADIUS Extended Attribute format [EXTEN]?

I think that this document should provide better guidance as to when an IANA
allocation from the standard RADIUS Attribute code-point space is
appropriate.  Does the need for interoperability between multiple SDOs meet
that threshold?  Or must the usage be of general applicability to the
Internet Community?  How does the existence of the Extended RADIUS Attribute
(a VSA with a code-point block assigned to the IETF) change the distinction
between "standard" and "VSA" allocations?

Requested change:

  SDO RADIUS Attribute specifications SHOULD allocate attributes from
  the vendor space, rather than requesting an allocation from the
  RADIUS standard attribute space, unless the attributes match any of the
  following criteria:

   * attributes intended for interoperable use across multiple SDOs.
   * attributes intended for interoperable use across a broad spectrum 
     of the Internet Community.


(5) Format issues.

Submitter name: Dave Nelson
Submitter email address: d.b.nelson@comcast.net
Date first submitted: July 7, 2008
Document: draft-ietf-radext-design-04.txt
Comment type: Editorial
Priority: '1' Should fix 
Section: 3.3
Rationale/Explanation of issue:

      * The RADIUS protocol is stateless; * Provisioning of services is
      not possible within an Access-Reject; * Distinction between
      authorization checks and user authentication; * Authentication and
      integrity protection of RADIUS packets; * The RADIUS protocol is a
      Request/Response protocol.

Bulleted list not well formatted.

Requested change:

  * The RADIUS protocol is stateless;
  * Provisioning of services is not possible within an Access-Reject;
  * Distinction between authorization checks and user authentication;
  * Authentication and integrity protection of RADIUS packets;
  * The RADIUS protocol is a Request/Response protocol.


(6) Bad reference.

Submitter name: Dave Nelson
Submitter email address: d.b.nelson@comcast.net
Date first submitted: July 7, 2008
Document: draft-ietf-radext-design-04.txt
Comment type: Editorial
Priority: '1' Should fix 
Section: A.1.2
Rationale/Explanation of issue:

A.1.2. Extended data types

   Where possible, the data types defined above in Section A.1.2 SHOULD
   be used.  The extended data types SHOULD be used only where there is
   no clear method of expressing the data using existing types.

Requested change:

A.1.2. Extended data types

   Where possible, the data types defined above in Section A.1.1 SHOULD
   be used.  The extended data types SHOULD be used only where there is
   no clear method of expressing the data using existing types.

A.1.2 --> A.1.1


(7) Missing definition/reference.

Submitter name: Dave Nelson
Submitter email address: d.b.nelson@comcast.net
Date first submitted: July 7, 2008
Document: draft-ietf-radext-design-04.txt
Comment type: Editorial
Priority: '1' Should fix 
Section: A.1.2
Rationale/Explanation of issue:

A.1.2. Extended data types

   Where possible, the data types defined above in Section A.1.2 SHOULD
   be used.  The extended data types SHOULD be used only where there is
   no clear method of expressing the data using existing types.

Where do we normatively define the term "extended data types"?

Requested change:

Add a definition, or a reference to a definition.  Does this, in fact, mean
the RADIUS Attribute format defined in [EXTEN]?

A.1.2. Extended data types

   Where possible, the data types defined above in Section A.1.2 SHOULD
   be used.  The extended data types [EXTEN] SHOULD be used only where 
   there is no clear method of expressing the data using existing types.


(8) Duplicate section title.

Submitter name: Dave Nelson
Submitter email address: d.b.nelson@comcast.net
Date first submitted: July 7, 2008
Document: draft-ietf-radext-design-04.txt
Comment type: Editorial
Priority: '1' Should fix 
Section: A.1.3, A.2.2
Rationale/Explanation of issue:

Both of these sections are entitled "Complex data types".  One of them is
permissive and the other prohibitive.

Requested change:

Clarify the subject of each of these sections in its title.


(9) Confusion over allocation policy.

Submitter name: Dave Nelson
Submitter email address: d.b.nelson@comcast.net
Date first submitted: July 7, 2008
Document: draft-ietf-radext-design-04.txt
Comment type: Technical
Priority: '1' Should fix 
Section: A.5
Rationale/Explanation of issue:

A.5. Allocation of attributes

   Does the attribute have a limited scope of applicability, as outlined
   below?  If so, then the attributes SHOULD be allocated from the
   Vendor-Specific space.

      * attributes intended for a vendor to support their own systems,
      and not suitable for general usage
      * attributes relying on data types not defined within RADIUS
      * attributes intended primarily for use within an SDO
      * attributes intended primarily for use within a group of SDOs.

As discussed in comment (4), above, attributes intended for interoperable
use across multiple SDOs *could* qualify for allocation from the standard
RADIUS attribute space, or from the Extended RADIUS Attribute (IETF/SDO)
space.

Requested change:

A.5. Allocation of attributes

   Does the attribute have a limited scope of applicability, as outlined
   below?  If so, then the attributes SHOULD be allocated from the
   Vendor-Specific space.

      * attributes intended for a vendor to support their own systems,
      and not suitable for general usage
      * attributes relying on data types not defined within RADIUS
      * attributes intended for use within an single SDO
     


--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Mon, 07 Jul 2008 12:46:31 +0000
From: Internet-Drafts@ietf.org
To: i-d-announce@ietf.org
Cc: radiusext@ops.ietf.org
Subject: I-D Action:draft-ietf-radext-design-04.txt 
Content-Type: Multipart/Mixed; Boundary="NextPart"
Mime-Version: 1.0
Message-Id: <20080707124501.C19913A6A9F@core3.amsl.com>
Date: Mon,  7 Jul 2008 05:45:01 -0700 (PDT)

--NextPart

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the RADIUS EXTensions Working Group of the IETF.


	Title           : RADIUS Design Guidelines
	Author(s)       : G. Weber, et al.
	Filename        : draft-ietf-radext-design-04.txt
	Pages           : 34
	Date            : 2008-07-07

This document provides guidelines for the design of attributes used
by the Remote Authentication Dial In User Service (RADIUS) protocol.
It is expected that these guidelines will prove useful to authors and
reviewers of future RADIUS attribute specifications, both within the
IETF as well as other Standards Development Organizations (SDOs).

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-radext-design-04.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.

--NextPart
Content-Type: Message/External-body;
	name="draft-ietf-radext-design-04.txt";
	site="ftp.ietf.org";
	access-type="anon-ftp";
	directory="internet-drafts"

Content-Type: text/plain
Content-ID:     <2008-07-07053311.I-D@ietf.org>

--NextPart--

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Mon, 07 Jul 2008 12:35:14 +0000
Message-ID: <48720CF4.9010902@deployingradius.com>
Date: Mon, 07 Jul 2008 14:32:52 +0200
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.14 (X11/20080502)
MIME-Version: 1.0
To: Bernard Aboba <aboba@internaut.com>
CC: radiusext@ops.ietf.org
Subject: Re: Review of draft-ietf-radext-design-03.txt
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Bernard Aboba wrote:
...

  I've just submitted -04, which incorporates this review.

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Sat, 05 Jul 2008 19:01:42 +0000
Date: Sat, 5 Jul 2008 11:59:25 -0700 (PDT)
From: Bernard Aboba <aboba@internaut.com>
To: radiusext@ops.ietf.org
Subject: REMINDER: RADEXT WG Last Call on Design Guidelines Document
Message-ID: <Pine.LNX.4.64.0807051158250.31226@internaut.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

This is a reminder of the ongoing RADEXT WG Last Call on "RADIUS Design 
Guidelines" prior to requesting that the IESG publish it as a Best
Current Practice RFC. 
 
The document is available here:
http://www.ietf.org/internet-drafts/draft-ietf-radext-design-03.txt
 
WG Last Call will last until July 10, 2008.   Please review the document 
and post your comments to the RADEXT WG mailing list 
(radiusext@ops.ietf.org) in the format described on the RADEXT WG Issues 
list (http://www.drizzle.com/~aboba/RADEXT/).   
 
If you have read the document and approve of its publication, but have no
comments, please also post this to the list. 

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Thu, 03 Jul 2008 12:21:01 +0000
Message-ID: <486CC3EE.4010505@deployingradius.com>
Date: Thu, 03 Jul 2008 14:19:58 +0200
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.14 (X11/20080502)
MIME-Version: 1.0
To: Stefan Winter <stefan.winter@restena.lu>
CC: radiusext@ops.ietf.org
Subject: Re: TCP transport draft
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

Stefan Winter wrote:
> some small glitches:

  Fixed, thanks.

> Should there be some more TCP usage profile guidelines in it, like
> recommending TCP PSH when a RADIUS message is complete,

  There's no socket API to do that, so far as I know.  The closest thing
is that the kernel *usually* will send the data if it's written by
write() or send(), as one call.

> or should it
> remain at the sentence "We RECOMMEND that implementors of this
> ~   specification familiarize themselves with TCP application programming
> ~   concepts." IMHO, a little more handholding wouldn't hurt.

  I think that this document isn't the place to get into programming
guidelines.  If people want to know about TCP application programming,
there are books && lots of source available.  This document should
concentrate on RADIUS && TCP interaction issues.

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Thu, 03 Jul 2008 12:14:18 +0000
Message-ID: <486CC24E.40708@restena.lu>
Date: Thu, 03 Jul 2008 14:13:02 +0200
From: Stefan Winter <stefan.winter@restena.lu>
User-Agent: Thunderbird 2.0.0.12 (X11/20071114)
MIME-Version: 1.0
To: Alan DeKok <aland@deployingradius.com>, radiusext@ops.ietf.org
Subject: Re: TCP transport draft
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

some small glitches:

2.2.  TCP Ports

~   IANA has already assigned TCP ports for RADIUS transport, as outlined
~   below:

~      * radius          1812/udp
~      * radius-acct     1813/tcp
~      * radius-dynauth  3799/tcp

1812/tcp.

2.6.3

~      * Packet from an unknown client (using the key as defined above)
~      * Packet with an invalid code field
~      * Packet that is less than the minimim RADIUS packet length
~      * Packet that is more than the minimim RADIUS packet length

more than the maximum.

Should there be some more TCP usage profile guidelines in it, like
recommending TCP PSH when a RADIUS message is complete, or should it
remain at the sentence "We RECOMMEND that implementors of this
~   specification familiarize themselves with TCP application programming
~   concepts." IMHO, a little more handholding wouldn't hurt.

Greetings,

Stefan Winter

- --
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iEYEARECAAYFAkhswk4ACgkQ+jm90f8eFWY7bgCeI497U6BcTdsGT/iOy9CSIbbQ
TTwAoIXYaIVDfXQJpfOR/OjmH4d2sLHU
=M56L
-----END PGP SIGNATURE-----

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Thu, 03 Jul 2008 10:36:39 +0000
Message-ID: <486CAB46.8050305@deployingradius.com>
Date: Thu, 03 Jul 2008 12:34:46 +0200
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.14 (X11/20080502)
MIME-Version: 1.0
To: 'radext mailing list' <radiusext@ops.ietf.org>
Subject: TCP transport draft
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

  I've just submitted a draft describing TCP as a transport for RADIUS.
 Much of the text re-iterates existing specifications, and says that
nothing has changed.

  A few TCP-specific issues are noted.

http://www.ietf.org/internet-drafts/draft-dekok-radext-tcp-transport-00.txt

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Tue, 01 Jul 2008 14:18:57 +0000
Date: Tue, 1 Jul 2008 07:17:29 -0700 (PDT)
From: Bernard Aboba <aboba@internaut.com>
To: radiusext@ops.ietf.org
Subject: Review of draft-ietf-radext-design-03.txt
Message-ID: <Pine.LNX.4.64.0807010516250.10397@internaut.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Section 1.1

Suggest chasnging:

"  The advice in this document applies to attributes used to encode
   service-provisioning or authentication data.  RADIUS protocol
   changes, or specification of attributes that can be used to, in
   effect, provide new RADIUS commands (such as Service-Type) are out of
   scope.  Since protocol changes require greater expertise and deeper
   review, such changes should not be undertaken outside the IETF and
   when handled within the IETF require "IETF Consensus" for adoption,
   as noted in [RFC3575] Section 2.1.

   As with protocol changes, this document does not provide guidance to
   document authors seeking to change the RADIUS operational model.
   While RADIUS server implementations may keep state, the RADIUS
   protocol is stateless, although information may be passed from one
   protocol transaction to another via the State Attribute.  As a
   result, documents which require stateful protocol behavior without
   use of the State Attribute are inherently incompatible with RADIUS as
   defined in [RFC2865], and need to be redesigned.

   See [RFC5080] Section 2.1.1 for a more in-depth discussion of the use
   of the State Attribute."

To:

"  The advice in this document applies to attributes used to encode
   service-provisioning or authentication data.  RADIUS protocol
   changes, or specification of attributes that can be used to, in
   effect, provide new RADIUS commands (such as Service-Type) require
   greater expertise and deeper review, as do changes to the RADIUS
   operational model, as described in Section 3.3. Such changes should 
   not be undertaken outside the IETF and when handled within the IETF 
   require "IETF Consensus" for adoption, as noted in "IANA Considerations 
   for RADIUS" [RFC3575] Section 2.1."

Add Section 3.3: 

"  3.3 RADIUS Operational Model

   The RADIUS operational model includes several assumptions:

     * The RADIUS protocol is stateless; 
     * Provisioning of services is not possible within an Access-Reject; 
     * Distinction between authorization checks and user authentication; 
     * Authentication and integrity protection of RADIUS packets; 
     * The RADIUS protocol is a Request/Response protocol; 

   While RADIUS server implementations may keep state, the RADIUS  
   protocol is stateless, although information may be passed from one
   protocol transaction to another via the State Attribute.  As a
   result, documents which require stateful protocol behavior without
   use of the State Attribute are inherently incompatible with RADIUS as
   defined in [RFC2865], and need to be redesigned.  See "Common
   RADIUS Implementation Issues and Suggested Fixes" [RFC5080] 
   Section 2.1.1 for a more in-depth discussion of the use
   of the State Attribute.

   As noted in [RFC5080] Section 2.6, the intent of an Access-Reject is
   to deny access to the requested service.  As a result, RADIUS does
   not allow the provisioning of services within an Access-Reject. 
   As a result, documents which include provisioning of services
   within an Access-Reject are inherently incompatible with RADIUS
   and need to be redesigned.

   As noted in [RFC5080] Section 2.1.1, a RADIUS Access-Request
   may not contain user authentication attributes or a State
   Attribute linking the Access-Request to an earlier user
   authentication.  Such an Access-Request, known as an 
   authorization check, provides no assurance that it 
   corresponds to a live user.  RADIUS specifications
   defining attributes containing confidential information
   (such as Tunnel-Password) should be careful to prohibit
   such attributes from being returned in response to an
   authorization check.  Also, [RFC5080] Section 2.1.1 notes that 
   authentication mechanisms need to tie a sequence of 
   Access-Request/Access-Challenge packets together into one 
   authentication session.  The State Attribute is RECOMMENDED
   for this purpose. 

   While [RFC2865] did not require authentication and integrity
   protection of RADIUS Access-Request packets, subsequent
   authentication mechanism specifications such as RADIUS/EAP
   [RFC3579] and Digest Authentication [RFC5090] have mandated
   authentication and integrity protection for all
   RADIUS packets.  It is expected that specifications for new
   RADIUS authentication mechanisms will continue this practice.
   As noted in [RFC5080] Section 2.1.1, integrity protection 
   should also be extended to Access-Request packets performing
   authorization checks.

   The RADIUS protocol as defined in [RFC2865] is a request-response
   protocol spoken between RADIUS clients and servers.  A single 
   RADIUS Access-Request packet will solicit in response at most a single 
   Access-Accept, Access-Reject or Access-Challenge packet, sent to the IP 
   address of the RADIUS Client that sent the original Access-Request.  
   Similarly, a single Change-of-Authorization (CoA)-Request packet
   will solicit in response at most a single CoA-ACK or CoA-NAK packet,
   sent to the IP address of the Dynamic Authorization Client (DAC)
   that sent the original CoA-Request. A single Disconnect-Request packet
   will solicit in response at most a single Disconnect-ACK or 
   Disconnect-NAK packet, sent to the IP address of the Dynamic 
   Authorization Client (DAC) that sent the original CoA-Request."

NITs:

Section 1

"such an "Expert Review"" -> "such as an "Expert Review""

Section 1.1

"In order enable" -> "In order to enable"

Prior to the first recommendation, insert:

"Encouraging SDOs to request review of RADIUS attribute specifications by 
sending email to the AAA Doctors or equivalent mailing list;"

"Development of a program to encourage SDOs to make" -> "SDOs to make"

"proposed in this document;" -> "proposed in this document, with reviews
posted to the RADEXT WG or equivalent IETF mailing list;" 

Section 2.1.1

"most significant octet first" -> "in network byte order"

"this usage is NOT RECOMMENDED" -> "this usage is NOT 
RECOMMENDED."

Section 2.1.3

"complex structures" -> "complex structures;"
"well-known types" -> "well-known types;"

"implement a new attribute, as the" -> "implement a new attribute. The"

"to send a new attribute" -> "to send a new static attribute"
"dictionary and policy management" -> "dictionary" 

"required in the RADIUS server's" -> "required in the policy management 
code and in the RADIUS server's"

"error prone implmentations, and interoperability problems." ->
"error prone implementations, interoperability problems, and even
security vulnerabilities."

"most of the complex attributes" -> "most of the existing complex 
attributes"

Section 2.1.4

"does not originate from, or is checked" -> "originates from the user
and is not validated" 
"on an unauthenticated host." -> "on the user."

Section 2.1.5

"RADIUS also SHOULD NOT be extended to new commands via attributes." ->
"New attributes or new values of existing attributes SHOULD NOT be used 
to define new RADIUS commands." 

"Specifications SHOULD NOT" -> "Specifications also SHOULD NOT"

Section 3.1.1

"attribute ID" -> "attribute" 

Section 3.1.3

"via IETF process" -> "via the IETF process"
"SDO specificiations" -> "SDO specifications."



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Tue, 01 Jul 2008 12:17:13 +0000
Date: Tue, 1 Jul 2008 05:15:32 -0700 (PDT)
From: Bernard Aboba <aboba@internaut.com>
To: radiusext@ops.ietf.org
Subject: Completion of RADEXT WG last call on "RADIUS Authorization for NAS Management"
Message-ID: <Pine.LNX.4.64.0807010510560.10397@internaut.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

The RADEXT WG last call on "RADIUS Authorization for NAS Management" has 
completed.  Comments were received, corresponding to Issues 257 and 258 in 
the Issues Tracker.  

To view the discussion relating to these issues, click on the following 
link:
http://ops.ietf.org/lists/radiusext/2008/threads.html

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Tue, 01 Jul 2008 09:31:11 +0000
Message-ID: <4869F8FE.2080603@restena.lu>
Date: Tue, 01 Jul 2008 11:29:34 +0200
From: Stefan Winter <stefan.winter@restena.lu>
User-Agent: Thunderbird 2.0.0.14 (X11/20080421)
MIME-Version: 1.0
To: radiusext@ops.ietf.org
CC: Milan Sova <sova@cesnet.cz>
Subject: Re: I-D Action:draft-ietf-radext-radsec-00.txt
Content-Type: text/plain; charset=ISO-8859-15; format=flowed
Content-Transfer-Encoding: 8bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

| Apart from that, the title, abstract, some sections in the main body
| were updated to reflect the splitting. No real content changes in it.

It has been brought to my attention that the feature of Trusted CA
Indication (which I thought is not there before TLS 1.2) is already
present in TLS 1.1 - at least RFC-wise, I didn't check any
implementations. Anyway, the section dealing with this should be
corrected, I suggest the following text:

~   The list of Certification Authorities that a node which acts as a
~   client is willing to accept SHOULD be signaled within the TLS
~   Extension "Trusted CA Indication" during the TLS handshake, as
~   described in [8], section 3.4 (or equivalent extensions in future TLS
~   versions).  Omitting this indication makes it impossible to
~   deterministically select the right certificate if a RadSec node which
~   is acting as a server for multiple roaming consortia (in possession
~   of multiple certificates from different CAs) is contacted by a
~   client.

( [8] being RFC4266)

Greetings,

Stefan Winter

- --
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4-svn0 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFIafj++jm90f8eFWYRAmoCAKCG0yrTwTvHfhMfj/hHvy7Z+rtr0ACcDN8j
PCkQZToKFPvXcJFrJnMhxME=
=gmRO
-----END PGP SIGNATURE-----

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Tue, 01 Jul 2008 06:48:46 +0000
From: "Glen Zorn" <glenzorn@comcast.net>
To: "'Alan DeKok'" <aland@deployingradius.com>
Cc: "'David B. Nelson'" <dnelson@elbrysnetworks.com>, <radiusext@ops.ietf.org>
Subject: RE: Additional comments ondraft-ietf-radext-management-authorization-03.txt
Date: Tue, 1 Jul 2008 13:47:02 +0700
Message-ID: <002d01c8db46$4e5f4800$eb1dd800$@net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Thread-Index: AcjbQ+C/o5AkRFYUTrWdWx2hNMdJRwAAT3dQ
Content-Language: en-us

Alan DeKok [mailto:aland@deployingradius.com] writes:
> Glen Zorn wrote:
> > Uh-huh...what's your point?  Everything that is copyrighted is also
> subject
> > to "fair use", at least in the US, & this would certainly constitute
> fair
> > use.
> 
>  "cut and paste" of the pages is fair use only if *quotes* are
> included.
>  Including the pages verbatim would likely not fall under fair use
> guidelines.

First, man pages are portions of a larger document (the manual) and as such
reproducing one is by definition a quotation from the full document.  Be
that as it may, however, see
http://www.freebsd.org/copyright/freebsd-doc-license.html &
http://www.freebsd.org/copyright/freebsd-license.html for the ability to
reproduce BSD man pages (the most likely candidate for rcp, anyway).  

> 
>   Alan DeKok.



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Tue, 01 Jul 2008 06:30:58 +0000
Message-ID: <4869CED5.70001@deployingradius.com>
Date: Tue, 01 Jul 2008 08:29:41 +0200
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.14 (X11/20080502)
MIME-Version: 1.0
To: Glen Zorn <glenzorn@comcast.net>
CC: "'David B. Nelson'" <dnelson@elbrysnetworks.com>,  radiusext@ops.ietf.org
Subject: Re: Additional comments ondraft-ietf-radext-management-authorization-03.txt
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

Glen Zorn wrote:
> Uh-huh...what's your point?  Everything that is copyrighted is also subject
> to "fair use", at least in the US, & this would certainly constitute fair
> use.

 "cut and paste" of the pages is fair use only if *quotes* are included.
 Including the pages verbatim would likely not fall under fair use
guidelines.

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Tue, 01 Jul 2008 06:02:05 +0000
From: "Glen Zorn" <glenzorn@comcast.net>
To: "'Alan DeKok'" <aland@deployingradius.com>, "'David B. Nelson'" <dnelson@elbrysnetworks.com>
Cc: <radiusext@ops.ietf.org>
Subject: RE: Additional comments ondraft-ietf-radext-management-authorization-03.txt
Date: Tue, 1 Jul 2008 13:00:00 +0700
Message-ID: <002c01c8db3f$c1f2da40$45d88ec0$@net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Thread-Index: AcjbPMKilZXLKDrySwe2xdAeQuCwVgAAbn3w
Content-Language: en-us

Alan DeKok [aland@deployingradius.com] writes:

> David B. Nelson wrote:
> > Well, yes.  I suppose there is no copyright issue with cut and paste
> of UNIX
> > "man" pages into an RFC.
> 
>   s/copyright/license/
> 
>   Everything is copyrighted by someone, unless explicitly place in the
> public domain.

Uh-huh...what's your point?  Everything that is copyrighted is also subject
to "fair use", at least in the US, & this would certainly constitute fair
use.

> 
> > Does anyone else on the list think that including "man" pages in
> appendices
> > is the best way to go?
> 
>   No.
> 
>   I would suggest referring to a specific version of the "man" page as
> a
> stable reference.  e.g.:
> 
>     "foo", as described in MyOS Release 1.2 "man" page.  Other systems
>     may have similar definitions.

OK, the problem is that while the reference may be stable, it may not
necessarily be readily available after some period of time: i.e., stable but
useless.

> 
>   Alan DeKok.
> 
> --
> to unsubscribe send a message to radiusext-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://psg.com/lists/radiusext/>



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Tue, 01 Jul 2008 05:36:31 +0000
Message-ID: <4869C21A.20502@deployingradius.com>
Date: Tue, 01 Jul 2008 07:35:22 +0200
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.14 (X11/20080502)
MIME-Version: 1.0
To: "David B. Nelson" <dnelson@elbrysnetworks.com>
CC: radiusext@ops.ietf.org
Subject: Re: Additional comments ondraft-ietf-radext-management-authorization-03.txt
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

David B. Nelson wrote:
> Well, yes.  I suppose there is no copyright issue with cut and paste of UNIX
> "man" pages into an RFC.

  s/copyright/license/

  Everything is copyrighted by someone, unless explicitly place in the
public domain.

> Does anyone else on the list think that including "man" pages in appendices
> is the best way to go?

  No.

  I would suggest referring to a specific version of the "man" page as a
stable reference.  e.g.:

    "foo", as described in MyOS Release 1.2 "man" page.  Other systems
    may have similar definitions.

  Alan DeKok.

--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>


Envelope-to: radiusext-data@psg.com
Delivery-date: Tue, 01 Jul 2008 05:09:45 +0000
From: "Glen Zorn" <glenzorn@comcast.net>
To: "'David B. Nelson'" <dnelson@elbrysnetworks.com>
Cc: <radiusext@ops.ietf.org>
Subject: RE: Additional comments ondraft-ietf-radext-management-authorization-03.txt
Date: Tue, 1 Jul 2008 12:07:24 +0700
Message-ID: <002301c8db38$63d40530$2b7c0f90$@net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Thread-Index: AcjWqBjcX9Y3RWDZQwe1oKjYZIXyNgBKopewALHr3XAAEX7N4AAVzF1A
Content-Language: en-us

David B. Nelson [dnelson@elbrysnetworks.com] writes:

...

> Does anyone else on the list think that including "man" pages in
> appendices is the best way to go?

Slight clarification: I don't think that it's necessarily the _best_ way,
but it is _a_ way & in the absence of another...BTW, if you're going to
include rsh at all, you should mention Kerberos.  Unfortunately, Kerberos is
not transport security, so it kind of messes up your structure.

> 
> 
> 
> --
> to unsubscribe send a message to radiusext-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.
> archive: <http://psg.com/lists/radiusext/>



--
to unsubscribe send a message to radiusext-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://psg.com/lists/radiusext/>

v2.23.0 | Report a Bug | By Email