<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-lear-iotops-mudextras-00" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="More MUD">Some MUD Extensions and Clarifications</title>
    <seriesInfo name="Internet-Draft" value="draft-lear-iotops-mudextras-00"/>
    <author fullname="Eliot Lear">
      <organization>Cisco Systems, Inc.</organization>
      <address>
        <email>lear@cisco.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="03"/>
    <area>Operations and Management</area>
    <workgroup>IOT Operations</workgroup>
    <keyword>MUD</keyword>
    <keyword>IOT</keyword>
    <abstract>
      <?line 37?>

<t>Manufacturer Usage Descriptions (MUD) provide a means to describe device network behavior.  This memo clarifies some aspects that may improve both usability and interoperability.  Some examples include how to handle IP-based access-lists, broadcasts and multicasts of various forms, and QoS.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://elear.github.io/draft-lear-mudextras/draft-lear-iotops-mudextras.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-lear-iotops-mudextras/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        IOT Operations Working Group mailing list (<eref target="mailto:iotops@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/iotops/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/iotops/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/elear/draft-lear-mudextras"/>.</t>
    </note>
  </front>
  <middle>
    <?line 42?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>Manufacturer Usage Descriptions (MUD) <xref target="RFC8520"/> provide a means to describe device network behavior.  Since its initial standardization, there have been a number of questions and clarifications that have arisen.  The goal of a MUD file is to accurately describe the network behavior of a device in a way that is independent of the network topology.  Primarily the topological concern is local; that is, within an enterprise or home network.  Certain cases make that challenging:</t>
      <ul spacing="normal">
        <li>
          <t>Some devices make use of directed broadcasts, which are not supported in all networks.  When they are, there is a need to understand each and every network segment to which such a device may be attached.</t>
        </li>
        <li>
          <t>Some devices hardcode certain IP addresses.
MUD itself augments <xref target="RFC8519"/>, which specifies an access control list (ACL) schema in YANG.  Within that context, therefore, it should be possible to employ ACLs that match that schema.</t>
        </li>
      </ul>
      <t>While one could argue whether or not either of these approaches should be used by device manufacturers, the reality is that they are used.  Therefore, MUD should provide a means to describe them.</t>
      <section anchor="conventions-and-definitions">
        <name>Conventions and Definitions</name>
        <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
        <?line -18?>

</section>
    </section>
    <section anchor="clarifications">
      <name>Clarifications</name>
      <section anchor="acls-in-mud">
        <name>ACLs in MUD</name>
        <t>As mentioned above, RFC 8519 specifies a YANG schema for ACLs.  Nothing in the specification prevents the use of ACLs to describe the network behavior of devices in a MUD file.  For example, the following is a valid MUD file that describes a device that is allowed to connect to a cloud service.</t>
        <figure anchor="figacl">
          <name>Example ACL in MUD file</name>
          <artwork><![CDATA[
{
  "ietf-mud:mud": {
    "mud-version": 1,
    "mud-url": "https://iot.example.com/modelX.json",
    "mud-signature": "https://iot.example.com/modelX.p7s",
    "last-update": "2022-01-05T13:30:31+00:00",
    "cache-validity": 48,
    "is-supported": true,
    "systeminfo": "Sample IoT device",
    "mfg-name": "Example, Inc.",
    "documentation": "https://iot.example.com/doc/modelX",
    "model-name": "modelX",
    "from-device-policy": {
      "access-lists": {
        "access-list": [
          {
            "name": "mud-65443-v4fr"
          }
        ]
      }
    },
    "to-device-policy": {
      "access-lists": {
        "access-list": [
          {
            "name": "sample-ipv4-acl"
          }
        ]
      }
    }
  },
  "ietf-access-control-list:acls": {
    "acl": [
      {
        "name": "sample-ipv4-acl",
        "type": "ipv4-acl-type",
        "aces": {
          "ace": [
            {
              "name": "permit-https-to-my-cloud-service",
              "matches": {
                "ipv4": {
                  "protocol": 6,
                  "destination-ipv4-network": "10.1.2.3.4/32"
                },
                "tcp": {
                  "destination-port": {
                    "operator": "eq",
                    "port": 443
                  }
                }
              },
              "actions": {
                "forwarding": "accept"
              }
            }
          ]
        }
      }
    ]
  }
}
]]></artwork>
        </figure>
        <t>A few cautions about using native IP addresses in MUD files:</t>
        <ul spacing="normal">
          <li>
            <t>They should only ever refer to globally unique addresses that are coordinated by the device manufacturer.</t>
          </li>
          <li>
            <t>Address changes will necessitate a new MUD file, which must be signed retrieved by mud managers.</t>
          </li>
        </ul>
        <section anchor="discussion">
          <name>Discussion</name>
          <t>Some device manufacturers will use hardcoded IP addresses to bootstrap functions like the domain name system (DNS).  The use of anycast servers is not uncommon.  Others simply do not want to introduce a dependency on DNS.</t>
        </section>
      </section>
      <section anchor="directed-broadcasts">
        <name>Directed Broadcasts</name>
        <t>Some devices make use of directed broadcasts to communicate with devices either on the same subnet or on remote networks.  Directed broadcasts require local toplogical knowledge, specifically the subnet mask of the network to which the device is attached.  That information cannot be used across deployments, and so is inappropriate for MUD files.</t>
        <t>To address this, we specify a MUD extension here that indicates that the device uses directed broadcasts.</t>
        <t>Extension name: directed-broadcasts</t>
        <t>A new object is added to the MUD file, called directed-broadcasts.  It contains two boolean elements:</t>
        <ul spacing="normal">
          <li>
            <t>inbound: indicates whether the device must receive directed broadcasts.</t>
          </li>
          <li>
            <t>outbound: indicates whether the device must send directed broadcasts.</t>
          </li>
        </ul>
        <section anchor="the-directed-broadcast-extension">
          <name>The directed-broadcast extension</name>
          <t>The YANG tree for this extension is as follows:</t>
          <figure anchor="figmud-directed-broadcasts">
            <name>YANG tree for directed-broadcasts extension</name>
            <artwork><![CDATA[
module: ietf-mud-directed-broadcasts

  augment /mud:mud:
    +--rw directed-broadcasts
       +--rw inbound?    boolean
       +--rw outbound?   boolean
]]></artwork>
          </figure>
          <t>The YANG model for this extension is as follows:</t>
          <figure anchor="figmud-directed-broadcasts-yang">
            <name>YANG model for directed-broadcasts extension</name>
            <artwork><![CDATA[
module ietf-mud-directed-broadcasts {
  yang-version 1.1;
  namespace "urn:ietf:params:xml:ns:yang:ietf-mud-directed-broadcasts";
  prefix mud-directed-broadcasts;

  import ietf-mud {
    prefix mud;
    reference "RFC 8520: Manufacturer Usage Description (MUD)";
  }

  organization
    "IETF IOTOPS Working Group";
  contact
    "WG Web:   <https://datatracker.ietf.org/wg/iotops/>
     WG List:  <mailto:iotops@ietf.org>
     Author:   Eliot Lear <mailto:lear@lear.ch>";
  description
    "
     Copyright (c) 2026 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject to
     the license terms contained in, the Revised BSD License set
     forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (https://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX
     (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
     for full legal notices.

    This module defines a MUD extension for directed broadcasts.";
  revision 2024-06-01 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: Some MUD Extensions and Clarifications";
  }
  grouping directed-broadcasts-group {
    description
      "Indicates whether the device uses directed broadcasts.";
    container directed-broadcasts {
      description
        "Indicates whether the device uses directed broadcasts.";
      leaf inbound {
        type boolean;
        description
          "Indicates whether the device must receive directed broadcasts.";
      }
      leaf outbound {
        type boolean;
        description
          "Indicates whether the device must send directed broadcasts.";
      }
    }
  }
  augment "/mud:mud" {
    description
      "Augments the MUD model with directed-broadcasts.";
    uses directed-broadcasts-group;
  }
}
]]></artwork>
          </figure>
        </section>
        <section anchor="example">
          <name>Example</name>
          <t>The following is an example of a MUD file that indicates that the device uses directed broadcasts in both directions.</t>
          <figure anchor="figmud-directed-broadcasts-example">
            <name>Example MUD file with directed-broadcasts extension</name>
            <artwork><![CDATA[
{
  "ietf-mud:mud": {
    "mud-version": 1,
    "mud-url": "https://iot.example.com/modelX.json",
    "mud-signature": "https://iot.example.com/modelX.p7s",
    "last-update": "2022-01-05T13:30:31+00:00",
    "extensions": [
      "directed-broadcasts"
    ],
    "cache-validity": 48,
    "is-supported": true,
    "systeminfo": "Sample IoT device",
    "mfg-name": "Example, Inc.",
    "documentation": "https://iot.example.com/doc/modelX",
    "model-name": "modelX",
    "directed-broadcasts": {
      "inbound": true,
      "outbound": true
    }
  }
}
]]></artwork>
          </figure>
          <t>Note that in all likelihood there would also be ACLs in the MUD file, but they are omitted here for brevity.</t>
        </section>
        <section anchor="dibroaddisc">
          <name>Discussion</name>
          <t>Directed broadcasts have well known security issues (see <xref target="RFC2644"/>).  However, they are used in circumstances where a limited amount of configuration is considered acceptable, and where other mechanisms such as multicast cannot be expected to be available in <strong>all</strong> deployments.  The purpose of this extension is <strong>not</strong> to encourage the use of directed broadcasts, but rather to provide a means to describe them in MUD files when they are used.</t>
        </section>
      </section>
      <section anchor="handling-of-multicast">
        <name>Handling of Multicast</name>
        <t><xref target="RFC8520"/> does not specify how multicast should be handled.  The reason was that MUD primarily specified abstractions, and multicast is anything but.  Use of multicast for discovery is relatively common.  However, support for multicast beyond the local link is by no means guaranteed.</t>
        <t>Unlike directed broadcasts, however, multicast addresses are not typically tied to a local network topology.  For this reason, MUD files <bcp14>MAY</bcp14> contain multicast addresses in ACLs.</t>
        <t>To facilitate a better understanding of how a device behaves, an extension is provided to indicate whether a device requires multicast routing.</t>
        <t>Extension name: multicast-routing</t>
        <t>Note that no new YANG model is specified for this extension, as it is simply a signal that the device requires multicast routing.</t>
      </section>
      <section anchor="handling-of-broadcasts">
        <name>Handling of Broadcasts</name>
        <t><xref target="RFC8520"/> does not specify how broadcast should be handled.  Devices may make use of broadcast for many reasons, including discovery, fast failover, expedited processing, and so on.  There are a sufficient number of reasons to use broadcasts, that simply identifying that a device uses broadcasts seems as useful as saying that a device uses IP.</t>
        <t>Broadcasts can still be filtered in several ways:</t>
        <ul spacing="normal">
          <li>
            <t>For outbound use, they <bcp14>MAY</bcp14> be listed in ACLs.</t>
          </li>
          <li>
            <t>For inbound use, the existing abstractions in <xref target="RFC8520"/> may be used to authorize the source of the broadcast traffic.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>The YANG module specified in this document defines a schema for data
that is designed to be accessed via network management protocols such
as NETCONF <xref target="RFC6241"/> or RESTCONF <xref target="RFC8040"/>.  The lowest NETCONF layer
is the secure transport layer, and the mandatory-to-implement secure
transport is Secure Shell (SSH) <xref target="RFC6242"/>.  The lowest RESTCONF layer
is HTTPS, and the mandatory-to-implement secure transport is TLS
<xref target="RFC8446"/>.</t>
      <t>The NETCONF access control model <xref target="RFC8341"/> provides the means to
restrict access for particular NETCONF or RESTCONF users to a
preconfigured subset of all available NETCONF or RESTCONF protocol
operations and content.</t>
      <t>MUD files are intended to be retrieved from a web server, and so the security considerations of <xref target="RFC8520"/> apply.  In addition, see <xref target="dibroaddisc"/> for a discussion of the security implications of directed broadcasts.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <section anchor="directed-broadcasts-mud-extension">
        <name>Directed Broadcasts MUD Extension</name>
        <t>IANA is requested to make the following additions to the "Manufacturer Usage Description (MUD) Extensions" registry:</t>
        <artwork><![CDATA[
Name: directed-broadcasts
Reference: [RFCXXXX] (this document)

Name: multicast-routing
Reference: [RFCXXXX] (this document)
]]></artwork>
        <t>The following YANG namespace is registered for the directed-broadcasts MUD extension:</t>
        <ul spacing="normal">
          <li>
            <t>Namespace: urn:ietf:params:xml:ns:yang:ietf-mud-directed-broadcasts</t>
          </li>
          <li>
            <t>Prefix: mud-directed-broadcasts</t>
          </li>
        </ul>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC8520">
          <front>
            <title>Manufacturer Usage Description Specification</title>
            <author fullname="E. Lear" initials="E." surname="Lear"/>
            <author fullname="R. Droms" initials="R." surname="Droms"/>
            <author fullname="D. Romascanu" initials="D." surname="Romascanu"/>
            <date month="March" year="2019"/>
            <abstract>
              <t>This memo specifies a component-based architecture for Manufacturer Usage Descriptions (MUDs). The goal of MUD is to provide a means for end devices to signal to the network what sort of access and network functionality they require to properly function. The initial focus is on access control. Later work can delve into other aspects.</t>
              <t>This memo specifies two YANG modules, IPv4 and IPv6 DHCP options, a Link Layer Discovery Protocol (LLDP) TLV, a URL, an X.509 certificate extension, and a means to sign and verify the descriptions.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8520"/>
          <seriesInfo name="DOI" value="10.17487/RFC8520"/>
        </reference>
        <reference anchor="RFC8519">
          <front>
            <title>YANG Data Model for Network Access Control Lists (ACLs)</title>
            <author fullname="M. Jethanandani" initials="M." surname="Jethanandani"/>
            <author fullname="S. Agarwal" initials="S." surname="Agarwal"/>
            <author fullname="L. Huang" initials="L." surname="Huang"/>
            <author fullname="D. Blair" initials="D." surname="Blair"/>
            <date month="March" year="2019"/>
            <abstract>
              <t>This document defines a data model for Access Control Lists (ACLs). An ACL is a user-ordered set of rules used to configure the forwarding behavior in a device. Each rule is used to find a match on a packet and define actions that will be performed on the packet.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8519"/>
          <seriesInfo name="DOI" value="10.17487/RFC8519"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC2644">
          <front>
            <title>Changing the Default for Directed Broadcasts in Routers</title>
            <author fullname="D. Senie" initials="D." surname="Senie"/>
            <date month="August" year="1999"/>
            <abstract>
              <t>This document discusses and defines a number of tests that may be used to describe the performance characteristics of a network interconnecting device. In addition to defining the tests this document also describes specific formats for reporting the results of the tests. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="34"/>
          <seriesInfo name="RFC" value="2644"/>
          <seriesInfo name="DOI" value="10.17487/RFC2644"/>
        </reference>
        <reference anchor="RFC6241">
          <front>
            <title>Network Configuration Protocol (NETCONF)</title>
            <author fullname="R. Enns" initials="R." role="editor" surname="Enns"/>
            <author fullname="M. Bjorklund" initials="M." role="editor" surname="Bjorklund"/>
            <author fullname="J. Schoenwaelder" initials="J." role="editor" surname="Schoenwaelder"/>
            <author fullname="A. Bierman" initials="A." role="editor" surname="Bierman"/>
            <date month="June" year="2011"/>
            <abstract>
              <t>The Network Configuration Protocol (NETCONF) defined in this document provides mechanisms to install, manipulate, and delete the configuration of network devices. It uses an Extensible Markup Language (XML)-based data encoding for the configuration data as well as the protocol messages. The NETCONF protocol operations are realized as remote procedure calls (RPCs). This document obsoletes RFC 4741. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6241"/>
          <seriesInfo name="DOI" value="10.17487/RFC6241"/>
        </reference>
        <reference anchor="RFC8040">
          <front>
            <title>RESTCONF Protocol</title>
            <author fullname="A. Bierman" initials="A." surname="Bierman"/>
            <author fullname="M. Bjorklund" initials="M." surname="Bjorklund"/>
            <author fullname="K. Watsen" initials="K." surname="Watsen"/>
            <date month="January" year="2017"/>
            <abstract>
              <t>This document describes an HTTP-based protocol that provides a programmatic interface for accessing data defined in YANG, using the datastore concepts defined in the Network Configuration Protocol (NETCONF).</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8040"/>
          <seriesInfo name="DOI" value="10.17487/RFC8040"/>
        </reference>
        <reference anchor="RFC6242">
          <front>
            <title>Using the NETCONF Protocol over Secure Shell (SSH)</title>
            <author fullname="M. Wasserman" initials="M." surname="Wasserman"/>
            <date month="June" year="2011"/>
            <abstract>
              <t>This document describes a method for invoking and running the Network Configuration Protocol (NETCONF) within a Secure Shell (SSH) session as an SSH subsystem. This document obsoletes RFC 4742. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6242"/>
          <seriesInfo name="DOI" value="10.17487/RFC6242"/>
        </reference>
        <reference anchor="RFC8446">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="RFC8341">
          <front>
            <title>Network Configuration Access Control Model</title>
            <author fullname="A. Bierman" initials="A." surname="Bierman"/>
            <author fullname="M. Bjorklund" initials="M." surname="Bjorklund"/>
            <date month="March" year="2018"/>
            <abstract>
              <t>The standardization of network configuration interfaces for use with the Network Configuration Protocol (NETCONF) or the RESTCONF protocol requires a structured and secure operating environment that promotes human usability and multi-vendor interoperability. There is a need for standard mechanisms to restrict NETCONF or RESTCONF protocol access for particular users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content. This document defines such an access control model.</t>
              <t>This document obsoletes RFC 6536.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="91"/>
          <seriesInfo name="RFC" value="8341"/>
          <seriesInfo name="DOI" value="10.17487/RFC8341"/>
        </reference>
      </references>
    </references>
    <?line 351?>

<section anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>TODO acknowledge.</t>
    </section>
    <section anchor="changes">
      <name>Changes</name>
      <ul spacing="normal">
        <li>
          <t>Initial revision.</t>
        </li>
      </ul>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA91aW3PbRpZ+x6/opR/W9gjUxYonQ2fjUSQ7VpUtaUy5PKmp
PIBAk+wxgGbQgGiOSvNb9rfsL5vvnNMNgBfJqmztPoyrEhF9O6fP/dJxHEe1
qXM9UoOxLbT68OlMvfla69IZWzqVlJk6zZPKTE2a1DQ0iJLJpNI32PDBVrxh
EGFOz2y1GilXZ1GU2bRMCpyZVcm0jnOdVLGxtV24uGgy/bWuEhcfHESumRTG
EaR6tcDy8zfXb5V6opLcWZxvykwvNP5X1oM9NdCZqW1lkpw+zk9+wh9b4dfH
67eDqGyKia5GUQZMRlEKRHGFxo1UXTU6ArYvoqTSCU69XOhKrsK3+5CUyUwX
BCNa2urLrLLNAsvOL69Vt3QQfdErTGejSMV0Z/qDJdGNLhsAVOq+fUrJ3Qaf
cbgpZ+pnWkjjRWJyuiUT5s9G19OhrWY0k1TpHDPzul640f4+LaQhc6OHYdk+
DexPKrt0el+O2KetM1PPmwk2a6L6fo8BLeVpWQ4yuboHg5cPZffQ2J0b9x9g
53BeF/kgipKmntuKqAQoSk2bPBdRGLzJsUe9x+YBT+ESSWn+wXQaqVPjUqvG
K1frwu2p8zId8irtqURA/5zSomFqCwAqbVVg7w2IH5ly2vsaDodRFMexSiYO
qKV1FIHJzRS/mkpX6pMDw9WZdmllFiIIT8HRZ2pR2RuTaZWoQicYra3KeNVE
48eNSbUqdU1CoiZ6ntwYWw2Vup4bhw2FVakoinbKkSolbqHTGsfMkxrMXilT
EAStJraeq8YlE5ObesVSaMpaV5bERgZxLquj/poUixwnmjLNQWs1t0vCa45N
uVbnV/EkcTpTSZpq5+LcuBrUg1gkWZrgNx9eNHlt5NNO1Q2QtI1TRDKspQV/
sWOQjGlWmAwHR9ETsKCubNakRKHHUvD29j8+vj39/rujg7u730nOMW6qlanp
yqaGtsOkAMekyrys7IGgGoYHO0BKrUsAEO2n2/3WQK5b5U7XTJdwgvdhGAaC
uafVzAIK9iZs/aYGhDWMLqjaQJF1vuowB/AttGWzv5MhhJZgN0MzdI/WjNHC
/gHQIZvbGbH7qjIFsMpXvMBPAPNcwZiluirpqNxi4FU4eU8toa8Er1SaBGhB
tyKjOCfZ8UBw9qmu6gTrIAMQpSL5ouWIdJ7kuS5nMEvQm+cicnINv6yh86Yq
MxVEGXLWSRaAz006ByUBCYrtmsXCVrSGEMrzAN4B/uc5uIRrrWh14B+uA8Zp
bAClG5CnYkYrndCp9ONGV6uWVE7PyEjTYgHsGloXqE76Be4kdY3tOhtuXWcO
CUotxDH1xDi/UkmWVVAb7YYRcR5Cp3NwsmFIrpXmwz/d3YXrkk6LjoPoonXE
IKhKrkj71NOT0/fPlAMSRUKk+OXk4mcigXBKyI71sJqeENBD0MSAgnPb5Bnd
YmHhFCc5iQEM4CK3K4VTW0tSAw/+KVBw189zElpb4nZ8RlLNGg2MNUEggSAO
aSNfLILga7KAhhK1XA90Q9ZksurI2qm9Y4QVvCibLePxCXzlraJR4VJEVH/0
Q8YAJxRkf548Uae2hEftFPhMT9kM4DuKSFfhhhX5YYfw49P4mkIB+qsuLvn3
xzd/+XT+8c0Z/R6/O3n/vv0R+RXjd5ef3p91v7qdp5cfPry5OJPNGFVrQ9Hg
w8kvA7GXg8ur6/PLi5P3A8U8BSkQ8jQsn0QJXG6ixaYvKk06kbgoXJcV5KfT
q//578NjL2JHhyRiQd4O/3iMDzCvFGi2hFGQT6J1BL7BGQY1S5OFqREwYS3z
cVkqYgApwN+IMr+O1A+TdHF4/KMfoAuvDQaarQ0yzbZHtjYLEXcM7QDTUnNt
fIPS6/ie/LL2HejeG/zhdW4g9/Hh969/JBnaCFdZqlh5QC+K26IT8tYsYsSX
CRzyngLZFel5X71Zc4MiQ575FMj3hSVNngnnddgh4CDm+oZtB0154ymqa7/t
QoKpYg8SXBEgvsW0DwREBac2z+2SkSBEb6CQWee7WCsDMNeZyOCPEtosZheW
qIRhZ18HZ2mbDHa2otWQn3/Sv+gWYdiAok6K9Ub4bzBStxyaDfARw0ZT/I7B
w71utKnyQS+4ROA39Beg6G2/gB3O/zr8u8PG3i5nZmVCpuYRexd/dGFrDncU
NwuK/Gnj0cHRUXxwGB98d334YvTiYPTi8A8HB6ODg7A+JZsXM9Fgx7Dl+Hs/
Y1zcurGBpA5+xnFgSnEmgRgzOurcXnvatreYzmIKd2nRm8AximXDgmAmWFoe
uiYW+qu2Z9NXe/r63LSyRSyoxAgcTLpquYTZfnDYG1+fwcTf2gnVW8QLW7Bg
08vvjo9fxDfHUx/Iy7+79vevUX/kzqNY2/8XBB2TMDaLm+M4SfNHYRh5LEXM
PUjv1Bn0CCd1iA3o3A6ZHrb3IbHXLaFkkJaEuZgH9vo31us0kLGN22/evwcc
SURh6pgFKwbVi1XMmh17ze4B8zs5otiC6icJ0Z0zmINTr21qiRovN0/lBRkF
4yULu1DDmz3C8/BgeDg8Gr4YHu+/OBps7b7bPnBQp4v7UOlDIgW+Zx1WcpZV
24pw0L9tUSNcTc6ApO+Yv9vGdmNkC3vwUAoCO4kM97KkDKecEVYkgYt6kyTr
IPpfv0abo/KXxu+iu2DIR0+mZgaRU1zw+a9goMg/eefI/mNwBx+ppnqJ0KLx
kdjENjXcGXmcktPstei5v9txInFNMaGP/Dh8oVgekeMU/4evmeV2Ai+0Qthv
kLD1TmIfRSFUai3RI6klHCWvtyMkHQLWiWymZKac4Yil4eSDlBiBUa05y1i2
CIZAvmgQrMMZk9MBDIRplQGWDA1WjsAgya2QGiCCeKLOjEsbLlVFUS+vWA+Q
BTa5/ZBtZOuEosDQ2prKEgs1bUqRCSQOXyQqyGxBqQmpshKXo56eXYyf+UTV
BxRJuaIUjF01QYVPp/gex9misJTVXlKkj3DQgMGI5S3PLxNJn4xP7DWHBpKZ
pivwSQEUXxe39fneT22+t3btb2aHElwUBRhMtUFOVNu9IRHxARRftpnANFCm
gtFKF7bW/QTybAeESv/WYFhyYkqYQ778pbTLXGczsLoNznKfV3s4ReK+bOfi
XjJ6skbRUsgoiQUUQIVak6V8uiTChrQpSSskbkRTZGycQkoA76yUATjhQo5O
BKGAstUZEP3aBjHhfAJSGkLLlQ8GdajKcnzvo7kyY/p2qVjAvCFx28EYgGrL
u8oXaf2qeNJj9gkrjZ38ncJDIkOWSchIMDpdIspifMcRoNe5pLqQaOC3ZNHP
NdUqcq63iqkwJYxLmY16dwl5a1/pSVsBQ5Pt2Xmt5wo26tFHOUj9PeQhbWdt
275UxwNJRjlDqCst7OQ8sOMSEc35UJ2uykYYYVtDxfYQUMc7ia9CDULt+6B7
xAb9D3FcLXfyy9t/WeBJ+ppGPM3XFwRKve4t6PmIe/AKfmP91rsWtkQgX9JR
imPWx5Iq0OpBUrEvXcHuhzxEHQ4PX2GMJNstEDepQVOVIzpjtEiqpHCjr0U+
Kt2Ido0eOntA5yCfm5qv6p4lr4hVsLGIFVo0vXvvNr7ib/Z9mkqbA0k2jw5G
6uGiqtRUGY07AtQvmEsgyv2S88vry6uxWm8v0CbWvbSWpZ9/Vp/1ZISfP4SU
AwlTQvXxL/CjbVthOQvdhB9FZrDxPYXA2Eil+NqONhoWft2JFP7xqyv0t1u4
es8dhnT+IyOXdfcUBOWUU7tYVWY2r9XT9JlCKvdSmkLXFWktGVPSZERwjvym
oZoqpetcYOEDpP/ggnEnHwxLdAK3zMeS22C3SRVC3vBRZ7geUmWOdRgEuTV4
YWebipwkRiYw3tUqlMzZmdlK9tMHRUeQ1rYMsEcSLXE4mZdFU7lGnK93CI3Y
1drKGYQpciJoA+w6trlgN7lYJDn/R1gvcjI/jc/AEFnrtHCXEANKwHmsOaRQ
x8M0kKCj3386cGUGD3lFxThu8AUa5MAbwgP7zsvPfJrq558GkanpGN3rQnms
Y/KKzwJJuSMSFJKxwHewAI1U16GMXA0nZfgr/m0AWi6Xw2qaxtLzY1AEYh9j
tPrZK9xdQiY6QAq3LSm466Ryvir8M8UcHjXp1QgSGZUWuT6y7l37Rq3vGVhs
Ky2EI9E8jg9exgeHXuE3BZrU0zcwwiY5omcLwsJAhJF6ZA9WbIJvOhLjdhin
mCcfwu4BJ3lv+OCvEORzt/0PGc421P8tXAW2JtPg4XqpFKXRwZe9akd3IfAt
FL4ZarSo3PVRCj71/w6ne2OWDYTuvHCEGGIQgojB/cJwEnoeIbwTXy1h+47g
zoNcY9eW7L3akX/e40ljcsdrAUYXLHwzwqCIzSezEm2s10fLUDzd6PH9zgia
zCx3cGWO9PHfuFjaEtr1KlCDXeGSlBz+fWusu+7cq2F6k7R2Jao2ebPgx3sK
+ji9CKK7UbNphfg+DV3XkAvKp728c9eIKg65mVub+W7sUvqGuePWVWiYrCd7
CJG6bp/1wQ3vJjWlR0H0cmGzXqJun2SGEUOglQKZXck8N+WXOpfsHbGXTptK
uoyugR4+JXd/e/uammUvj4/v7qgk8s4uqa60t96CJLxTU0EGqJ+cikGtqNiR
G+BMsWIBjnD0ATcG2jfyWIeMBT0cQlRZ+ScVizqZ0M3JBcsplk1zoanaZBwi
NWlDu+6RRa8qoL8u5KbSEExu6CEP9XWB4vPn4MPz5/1qga/yIFxcWKmsbOdJ
z5/jbGyjznCZIkKlpKHXbNrZqSfG4Y5zqb59qxW7Vs7jxuNGj5dLRO/oBQqZ
WAD9EO4eRbe33QOQzGqpTIVCBj1e6ejUNZ3lNYtvHlODGbZOLRNvkwmXRfs6
InTosvZ5DxmnvfWHLmL3V9Kow+1x8iehT7dEXItLLT8zMJQZ5FzbBJC2kNaK
mLdZvKs7Y6JX1uckUoYCRb7QWZMVLu7pO2uQeJYIm4lyn0ou9u1k0zwA6wB0
pcPwzgJBRahnGZGsxMPe8ajkbci1haZ7Pb5+OPklRHE74WGYG55cmkKSSs+S
pJo60VD8qvdkw0sBcbdtNnJfUzNf1gXYS18mlcjMlwd9yNNu98W9vlohoqAc
ZUcBq10T+zV9gwc2UCWrF1MAiU6ItqsR3Eg3LEK+fppwkZiKjBshwoNYbuhI
v5L6TSXpKk67lOSsrcGu1uqw3S6WUiiA5zvYIO/HJFXwMr8HttJaGCXLYkfm
KmMLCSZx/byctRVMW4a3HSyKoEkzRUJiKMLsnl95ePykB0j1pVterAhFfeK+
4pyTS/5rUVfPMcDuF1wdwgTSOn7kkNy37/wKdO8ITZZYuZpq8qAfxL5mw06p
PekZGLpMVlKFJEVpI3ic5X0KKclE88Me2SgqIetDEhKWg37GcRrdt0y0q89v
/1CJPRUpL9crzD/EiPuSg8/cO37iNCI2SRWl+OIaT72vSnrPY/pZdifkW49U
uty3976B6kFReCQAjyCNEe+6uCmKzxuTtIamaJ/OqtAJFH8YgUsXb65PLy/e
eqf98uj4EJcHlI9vxv2J7w+OQRVv+eldAm4btubJSleRkaSEIwJNlCgdW2Ke
3WtrQgU9EqxttaKeJ0mZICbbom4bjhvLUeM5xRtPx+N3zzosjzaRafFtsXl3
fX01fiRgtQb4+v048tc+Pn4JSMK0cN+N52Rirfz6F0w/bzyFIsF7R7BAdWXS
OhxAzKT6ikmbPKna4/vEh/hV8sQxWsAT+TBIc2nKaY6NKEzsIpZdhwSmR3b9
STW/bytr3K5zN2Qz6EFUmbUy1bXc6PkCPZrUE9/Taq1Oy3kS+HRN4AnHvmIl
C1gW6jqU5MWM1OEkbOzHn3dMnoTNoA9Qvbp1MSeY2L4Z3R1TsSaen1ycbGnh
7u7Zek0ninirkSaWdj5E9A8z+/lruIkLrZfBY2rGverRACBmVOBctXX1i3u7
Ph9DYQqpHghLJalf1dM10/Es8vu3ne6jdgsKG1k6W62uZM90IaTZXIuH3tWO
ceuVOzbkF+GUkfq9hX+ccsXV+9F9df8o8q+lJ0n6hSThJA1NR6maRteXZ5dQ
x7YVyfJyKh1qQnOrNBj9C6ChEzCKMQAA

-->

</rfc>
