<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-masque-connect-udp-listen-13" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="CONNECT-UDP Bind">Proxying Bound UDP in HTTP</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-masque-connect-udp-listen-13"/>
    <author initials="D." surname="Schinazi" fullname="David Schinazi">
      <organization>Google LLC</organization>
      <address>
        <email>dschinazi.ietf@gmail.com</email>
      </address>
    </author>
    <author initials="A." surname="Singh" fullname="Abhi Singh">
      <organization>Google LLC</organization>
      <address>
        <email>abhisinghietf@gmail.com</email>
      </address>
    </author>
    <date year="2026" month="June" day="30"/>
    <area>Transport</area>
    <workgroup>MASQUE</workgroup>
    <keyword>quic</keyword>
    <keyword>http</keyword>
    <keyword>datagram</keyword>
    <keyword>udp</keyword>
    <keyword>proxy</keyword>
    <keyword>tunnels</keyword>
    <keyword>quic in quic</keyword>
    <keyword>turtles all the way down</keyword>
    <keyword>masque</keyword>
    <keyword>http-ng</keyword>
    <keyword>listen</keyword>
    <keyword>bind</keyword>
    <abstract>
      <?line 53?>

<t>The mechanism to proxy UDP in HTTP only allows each UDP proxying request to
transmit to a specific host and port. This is well suited for UDP
client-server protocols such as HTTP/3, but is not sufficient for some UDP
peer-to-peer protocols like WebRTC. This document defines an extension to
UDP proxying in HTTP that enables such use-cases.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://ietf-wg-masque.github.io/draft-ietf-masque-connect-udp-listen/draft-ietf-masque-connect-udp-listen.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-masque-connect-udp-listen/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        MASQUE Working Group mailing list (<eref target="mailto:masque@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/masque/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/masque/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/ietf-wg-masque/draft-ietf-masque-connect-udp-listen"/>.</t>
    </note>
  </front>
  <middle>
    <?line 61?>

<section anchor="intro">
      <name>Introduction</name>
      <t>The mechanism to proxy UDP in HTTP <xref target="CONNECT-UDP"/> allows creating
tunnels for communicating UDP payloads <xref target="UDP"/> to a fixed host and
port; this enables proxying of HTTP/3 connections, since they run over UDP.
Similarly, the HTTP CONNECT method (see <xref section="9.3.6" sectionFormat="of" target="HTTP"/>)
allows proxying HTTP/1.x and HTTP/2, which run over TCP. Combining both
allows proxying the majority of a Web browser's HTTP traffic. However, WebRTC
<xref target="WebRTC"/> relies on ICE <xref target="ICE"/> to provide connectivity between
two Web browsers, and ICE relies on the ability to send and receive UDP
packets to multiple hosts. While in theory it might be possible to
accomplish this using multiple UDP proxying HTTP requests, HTTP semantics
<xref target="HTTP"/> do not guarantee that distinct requests will be handled by the same
server. This can lead to the UDP packets being sent from distinct IP
addresses, thereby preventing ICE from operating correctly. Consequently,
UDP proxying requests cannot enable WebRTC connectivity between peers.</t>
      <t>This document describes an extension to UDP Proxying in HTTP that allows
sending and receiving UDP payloads to multiple hosts within the scope of a
single UDP proxying HTTP request.</t>
      <section anchor="conventions-and-definitions">
        <name>Conventions and Definitions</name>
        <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
        <?line -18?>

<t>This document uses terminology from <xref target="CONNECT-UDP"/> and notational
conventions from <xref target="QUIC"/>. This document uses the terms Boolean,
List, and String from <xref section="3" sectionFormat="of" target="STRUCTURED-FIELDS"/> to specify
syntax and parsing. This document uses Augmented Backus-Naur Form and
parsing/serialization behaviors from <xref target="ABNF"/>.</t>
      </section>
    </section>
    <section anchor="mechanism">
      <name>Bound UDP Proxying Mechanism</name>
      <t>In unextended UDP proxying requests, the target host is encoded in the HTTP
request path or query. For bound UDP proxying, the target is either conveyed
in each HTTP Datagram (see <xref target="uncompressed"/>), or registered via capsules
and then compressed (see Sections <xref format="counter" target="contextid"/> and
<xref format="counter" target="compressed-operation"/>).</t>
      <t>When performing URI Template Expansion of the UDP proxying template (see
<xref section="3" sectionFormat="of" target="CONNECT-UDP"/>), the client follows the same template as
unextended UDP proxying and sets the "target_host" and the "target_port"
variables to one of its targets. It adds the Connect-UDP-Bind header field
as specified in <xref target="hdr"/> to request bind. If the proxy supports bound UDP
proxying, it returns the Connect-UDP-Bind response header field value set to
true.</t>
      <t>When "target_host" and "target_port" are set to a valid target, the client
is requesting bound UDP proxying but would accept fallback to unextended UDP
proxying to that target. If the client does not have a specific target, or if
it wants bound UDP proxying without fallback, it sets both the "target_host"
and the "target_port" variables to the '<tt>*</tt>' character (ASCII character
0x2A). Note that the '<tt>*</tt>' character <bcp14>MUST</bcp14> be percent-encoded before sending,
per <xref section="3.2.2" sectionFormat="of" target="TEMPLATE"/>.</t>
      <t>If only one of the "target_host" and the "target_port" variables is set to
the '<tt>*</tt>' character, the request is malformed. The recipient of such a
malformed request <bcp14>MUST</bcp14> respond with an error and <bcp14>SHOULD</bcp14> use the 400
(Bad Request) status code.</t>
    </section>
    <section anchor="contextid">
      <name>Context Identifiers</name>
      <t>As with unextended UDP proxying, the semantics of HTTP Datagrams are
conveyed by Context IDs (see <xref section="4" sectionFormat="of" target="CONNECT-UDP"/>). Endpoints first
allocate a new Context ID (per <xref target="CONNECT-UDP"/>, clients allocate even
Context IDs while proxies allocate odd ones), and then use the
COMPRESSION_ASSIGN capsule (see <xref target="capsule-assign"/>) to convey the semantics
of the new Context ID to their peer. This process is known as registering
the Context ID.</t>
      <t>Each Context ID can have either compressed or uncompressed semantics. The
uncompressed variant encodes the target IP and port into each HTTP Datagram.
Conversely, the compressed variant exchanges the target IP and port once in
the capsule during registration, and then relies on shared state to map from
the Context ID to the IP and port.</t>
      <t>Context ID 0 was reserved by unextended UDP proxying to represent UDP
payloads sent to and from the "target_host" and "target_port" from the URI
template. When the mechanism from this document is in use:</t>
      <ul spacing="normal">
        <li>
          <t>if the "target_host" and "target_port" variables are set to '<tt>*</tt>', then
Context ID 0 <bcp14>MUST NOT</bcp14> be used in HTTP Datagrams. If one is received, the
recipient <bcp14>MUST</bcp14> abort the request stream.</t>
        </li>
        <li>
          <t>otherwise, HTTP Datagrams with Context ID 0 have the same semantics as in
unextended UDP proxying.</t>
        </li>
      </ul>
      <section anchor="capsule-assign">
        <name>The COMPRESSION_ASSIGN capsule</name>
        <t>The Compression Assign capsule (capsule type 0x11) is used to register the
semantics of a Context ID. It has the following format:</t>
        <figure anchor="fmt-capsule-assign">
          <name>Compression Assign Capsule Format</name>
          <artwork><![CDATA[
COMPRESSION_ASSIGN Capsule {
  Type (i) = 0x11,
  Length (i),
  Context ID (i),
  IP Version (8),
  [IP Address (32..128)],
  [UDP Port (16)],
}
]]></artwork>
        </figure>
        <t>It contains the following fields:</t>
        <dl>
          <dt>IP Version:</dt>
          <dd>
            <t>The IP Version of the following IP Address field. <bcp14>MUST</bcp14> be 0, 4 or 6.
Setting this to zero indicates that this capsule registers an uncompressed
Context ID. Otherwise, the capsule registers a compressed Context ID for
the IP address and UDP port it carries.</t>
          </dd>
          <dt>IP Address:</dt>
          <dd>
            <t>The IP Address of this context. This field is omitted if the IP Version
field is set to 0. Otherwise, it has a length of 32 bits when the
corresponding IP Version field value is 4, and 128 when the IP Version is 6.</t>
          </dd>
          <dt>UDP Port:</dt>
          <dd>
            <t>The UDP Port of this context, in network byte order. This field is omitted
if the IP Version field is set to 0.</t>
          </dd>
        </dl>
        <t>When an endpoint receives a COMPRESSION_ASSIGN capsule, it <bcp14>MUST</bcp14> either
accept or reject the corresponding registration:</t>
        <ul spacing="normal">
          <li>
            <t>if it accepts the registration, first the receiver <bcp14>MUST</bcp14> save the mapping
from Context ID to address and port (or save the fact that this Context ID
is uncompressed). Second, the receiver <bcp14>MUST</bcp14> return a COMPRESSION_ACK
capsule with the Context ID set to the one from the received
COMPRESSION_ASSIGN capsule back to its peer, indicating it has accepted
the registration.</t>
          </li>
          <li>
            <t>if it rejects the registration, the receiver <bcp14>MUST</bcp14> respond by sending a
COMPRESSION_CLOSE capsule with the Context ID set to the one from the
received COMPRESSION_ASSIGN capsule.</t>
          </li>
        </ul>
        <t>As mandated in <xref section="4" sectionFormat="of" target="CONNECT-UDP"/>, clients can only allocate even
Context IDs, while proxies can only allocate odd ones. Since the value 0 was
reserved by unextended UDP proxying, the Context ID value of
COMPRESSION_ASSIGN can never be zero.</t>
        <t>Endpoints <bcp14>MUST NOT</bcp14> send two COMPRESSION_ASSIGN capsules with the same
Context ID. If a recipient detects a repeated Context ID, it <bcp14>MUST</bcp14> treat the
capsule as malformed. Receipt of a malformed capsule <bcp14>MUST</bcp14> be treated as an
error processing the Capsule Protocol, as defined in <xref section="3.3" sectionFormat="of" target="HTTP-DGRAM"/>.</t>
        <t>If the uncompressed Context ID is closed, the proxy <bcp14>MUST NOT</bcp14> open new
compressed Context IDs. Allowing the proxy to do so would permit
traffic from source tuples not selected by the client, defeating the
IP restriction described in <xref target="restricting-ips"/>. Note that compressed
Context IDs that were established prior to the closing of the
uncompressed Context ID are not impacted.</t>
        <t>Only one Context ID can be used per IP-port tuple. Endpoints <bcp14>MUST NOT</bcp14>
register a Context ID for a tuple for which there is already an existing
Context ID. This can however happen if both endpoints register Context IDs
simultaneously for the same tuple before learning that the peer also
opened one. If an endpoint detects that both it and its peer have opened a
Context ID for the same tuple, the endpoint <bcp14>MUST</bcp14> close the Context ID that
was opened by the proxy. If an endpoint receives a COMPRESSION_ASSIGN
capsule whose tuple matches another open Context ID that was opened by its
peer, it <bcp14>MUST</bcp14> treat the capsule as malformed.</t>
        <t>Endpoints <bcp14>MAY</bcp14> pre-emptively use Context IDs not yet acknowledged by the peer
via COMPRESSION_ACK, knowing that those HTTP Datagrams can be dropped if
they arrive before the corresponding COMPRESSION_ASSIGN capsule, or if the
peer rejects the registration.</t>
      </section>
      <section anchor="capsule-ack">
        <name>The COMPRESSION_ACK capsule</name>
        <t>The Compression Acknowledgment capsule (capsule type 0x12) serves to confirm
registration of a Context ID that was received via a COMPRESSION_ASSIGN
capsule.</t>
        <figure anchor="fmt-capsule-ack">
          <name>Compression Acknowledgment Capsule Format</name>
          <artwork><![CDATA[
COMPRESSION_ACK Capsule {
  Type (i) = 0x12,
  Length (i),
  Context ID (i),
}
]]></artwork>
        </figure>
        <t>An endpoint can only send a COMPRESSION_ACK capsule if it received a
COMPRESSION_ASSIGN capsule with the same Context ID. If an endpoint receives
COMPRESSION_ACK capsule for a Context ID it did not attempt to register via
COMPRESSION_ASSIGN, that capsule is considered malformed.</t>
      </section>
      <section anchor="capsule-close">
        <name>The COMPRESSION_CLOSE capsule</name>
        <t>The Compression Close capsule (capsule type 0x13) serves two purposes. It
can be sent as a direct response to a received COMPRESSION_ASSIGN capsule,
to indicate that the registration was rejected. It can also be sent later to
indicate the closure of a previously assigned registration.</t>
        <figure anchor="fmt-capsule-close">
          <name>Compression Close Capsule Format</name>
          <artwork><![CDATA[
COMPRESSION_CLOSE Capsule {
  Type (i) = 0x13,
  Length (i),
  Context ID (i),
}
]]></artwork>
        </figure>
        <t>Once an endpoint has either sent or received a COMPRESSION_CLOSE for a given
Context ID, it <bcp14>MUST NOT</bcp14> send any further datagrams with that Context ID.
Since the value 0 was reserved by unextended UDP proxying, a
COMPRESSION_CLOSE capsule with Context ID set to zero is malformed.</t>
        <t>Endpoints <bcp14>MAY</bcp14> close any Context ID regardless of which endpoint registered
it. This is useful for example, when a mapping is unused for a long time.
Another potential use is restricting some targets (see <xref target="restricting-ips"/>).</t>
        <t>Once a registration is closed, endpoints can instead use an uncompressed
Context ID to exchange UDP payloads for the given target, if such a Context
has been registered (see <xref target="uncompressed"/>).</t>
        <t>Once a Context ID has been closed, that ID cannot be reused; see
<xref section="4" sectionFormat="of" target="CONNECT-UDP"/>.</t>
      </section>
    </section>
    <section anchor="uncompressed">
      <name>Uncompressed Operation</name>
      <t>If the client wishes to send or receive uncompressed datagrams, it <bcp14>MUST</bcp14>
first send a COMPRESSION_ASSIGN capsule (see <xref target="fmt-capsule-assign"/>) to the
proxy with the IP Version set to zero. This registers the Context ID as
having uncompressed semantics: all HTTP Datagrams with this Context ID have
the following format:</t>
      <figure anchor="fmt-dgram-uncomp">
        <name>Uncompressed Bound UDP Proxying HTTP Datagram Format</name>
        <artwork><![CDATA[
Uncompressed Bound UDP Proxying Payload {
  IP Version (8),
  IP Address (32..128),
  UDP Port (16),
  UDP Payload (..),
}
]]></artwork>
      </figure>
      <t>It contains the following fields:</t>
      <dl>
        <dt>IP Version:</dt>
        <dd>
          <t>The IP Version of the following IP Address field. <bcp14>MUST</bcp14> be 4 or 6.</t>
        </dd>
        <dt>IP Address:</dt>
        <dd>
          <t>The IP Address of this proxied UDP packet. When sent from client to proxy,
this is the target host to which the proxy will send this UDP payload. When
sent from proxy to client, this represents the source IP address of the UDP
packet received by the proxy. This field has a length of 32 bits when the
corresponding IP Version field value is 4, and 128 when the IP Version is 6.</t>
        </dd>
        <dt>UDP Port:</dt>
        <dd>
          <t>The UDP Port of this proxied UDP packet in network byte order. When sent
from client to proxy, this is the target port to which the proxy will send
this UDP payload. When sent from proxy to client, this represents the source
UDP port of the UDP packet received by the proxy.</t>
        </dd>
        <dt>UDP Payload:</dt>
        <dd>
          <t>The unmodified UDP Payload of this proxied UDP packet (referred to as
"data octets" in <xref target="UDP"/>).</t>
        </dd>
      </dl>
      <t>A client <bcp14>MUST NOT</bcp14> open an uncompressed Context ID if one is already open. If
a server receives a request to open an uncompressed Context ID and it
already has one open, then the server <bcp14>MUST</bcp14> treat the second capsule as
malformed. Note that it's possible for the client to close the uncompressed
Context ID and reopen it later with a different Context ID, as long as there
aren't two uncompressed Context IDs open at the same time. Only the client
can request uncompressed Context IDs. If a client receives a
COMPRESSION_ASSIGN capsule with the IP Version set to 0, it <bcp14>MUST</bcp14> treat it
as malformed.</t>
    </section>
    <section anchor="compressed-operation">
      <name>Compressed Operation</name>
      <t>Endpoints <bcp14>MAY</bcp14> choose to compress the IP and port information per datagram
for a given target using Context IDs. This is accomplished by registering a
compressed Context ID using the COMPRESSION_ASSIGN capsule (see
<xref target="fmt-capsule-assign"/>).</t>
      <t>If the Context ID in an HTTP Datagram matches one previously registered for
compressed operation, the rest of the HTTP Datagram represents the UDP
payload:</t>
      <figure anchor="fmt-dgram-comp">
        <name>Compressed Bound UDP Proxying HTTP Datagram Format</name>
        <artwork><![CDATA[
Compressed Bound UDP Proxying Payload {
  UDP Payload (..),
}
]]></artwork>
      </figure>
      <t>It contains the following field:</t>
      <dl>
        <dt>UDP Payload:</dt>
        <dd>
          <t>The unmodified UDP Payload of this proxied UDP packet (referred to as
"data octets" in <xref target="UDP"/>).</t>
        </dd>
      </dl>
    </section>
    <section anchor="hdr">
      <name>The Connect-UDP-Bind Header Field</name>
      <t>The "Connect-UDP-Bind" header field’s value is a Boolean Structured Field
set to true. Clients and proxy both indicate support for this extension by
sending the Connect-UDP-Bind header field with a value of <tt>?1</tt>. Once an
endpoint has both sent and received the Connect-UDP-Bind header field set to
true, this extension is enabled. Any other value type <bcp14>MUST</bcp14> be handled as if
the field were not present by the recipients (for example, if this field is
defined multiple times, its type becomes a List and therefore is to be
ignored). This document does not define any parameters for the
Connect-UDP-Bind header field value, but future documents might define
parameters. Receivers <bcp14>MUST</bcp14> ignore unknown parameters.</t>
    </section>
    <section anchor="addr-hdr">
      <name>The Proxy-Public-Address Response Header Field</name>
      <t>Upon accepting the request, the proxy <bcp14>MUST</bcp14> select at least one public IP
address to bind. The proxy <bcp14>MAY</bcp14> assign more addresses. For each selected
address, it <bcp14>MUST</bcp14> select an open port to bind to this request. From then and
until the tunnel is closed, the proxy <bcp14>SHALL</bcp14> send packets received on these
IP-port tuples to the client. The proxy <bcp14>MUST</bcp14> communicate the selected
addresses and ports to the client using the "Proxy-Public-Address" header
field. The header field is a List. Each member of the List is a String,
comprised of the ip-port tuple. The format of the String is defined using
IP-literal, IPv4address, and port from <xref section="3.2" sectionFormat="of" target="URI"/>.</t>
      <figure anchor="target-format">
        <name>Proxy Address Format</name>
        <artwork><![CDATA[
ip-port-tuple = DQUOTE ( IP-literal / IPv4address ) ":" port DQUOTE
]]></artwork>
      </figure>
      <t>When a single IP-Port tuple is provided in the Proxy-Public-Address field,
the proxy <bcp14>MUST</bcp14> use the same public IP and Port for the lifetime of the
tunnel. When multiple tuples are provided, maintaining address stability
per address family for the duration of the tunnel is <bcp14>RECOMMENDED</bcp14>.</t>
      <t>Note that since the addresses are conveyed in HTTP response headers, a
subsequent change of addresses on the proxy cannot be conveyed to the client.</t>
      <t>If the proxy only shares IP addresses from a single address family, that
indicates that the proxy only supports that family. The client <bcp14>SHOULD NOT</bcp14>
attempt to register compressed Context IDs or send uncompressed datagrams
intended for targets whose IP address families were not indicated via the IP
addresses listed in the Proxy-Public-Address header field, as the proxy will
drop those datagrams and reject those registrations.</t>
    </section>
    <section anchor="behavior">
      <name>Proxy Behavior</name>
      <t>After accepting the bound UDP proxying request, the proxy uses an assigned
IP address and port to transmit UDP payloads received from the client to the
target IP Address and UDP Port specified in each HTTP Datagram received from
the client. The proxy uses the same ports to listen for UDP packets from any
authorized target and forwards them to the client by encapsulating them in
HTTP Datagrams, using the corresponding Context ID.</t>
      <t>If the proxy receives UDP payloads that don't correspond to any registration
(i.e., no compression for the given target was ever established and there is
no uncompressed registration), the proxy will either drop the datagram or
temporarily buffer it (see <xref section="5" sectionFormat="of" target="CONNECT-UDP"/>).</t>
      <section anchor="restricting-ips">
        <name>Restricting IPs</name>
        <t>If a client does not wish to receive datagrams from unknown senders, it can
close the uncompressed Context ID (or not open it in the first place). In
that scenario, the proxy effectively acts as a firewall against unwanted or
unknown IPs.</t>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>The security considerations described in <xref section="7" sectionFormat="of" target="CONNECT-UDP"/> also
apply here. Since TURN can be run over this mechanism, implementors will
benefit from reviewing the security considerations in <xref section="21" sectionFormat="of" target="TURN"/>.</t>
      <t>Since unextended UDP proxying requests carry the target as part of the
request, the proxy can protect against unauthorized targets by rejecting
requests before creating the tunnel, and communicate the rejection reason
in response header fields. The uncompressed Context ID allows transporting
datagrams to and from any target. Clients that keep the uncompressed
Context ID open need to be able to receive from all targets. If the UDP
proxy were to reject unextended UDP proxying requests to some targets
(as recommended in <xref section="7" sectionFormat="of" target="CONNECT-UDP"/>), then for bound UDP
proxying requests where the uncompressed Context ID is open, the UDP
proxy needs to perform checks on the target of each uncompressed Context
ID datagram it receives. Similarly, the UDP proxy needs to perform checks
on the IP address and port of received COMPRESSION_ASSIGN capsules and
reject the registration of compressed Context IDs to disallowed targets.</t>
      <t>When an endpoint accepts the registration of a Context ID, it will need to
store it in memory. To prevent unbounded memory growth, endpoints <bcp14>MUST</bcp14>
place a limit on how many Context IDs can be open simultaneously and reject
registrations beyond the limit.</t>
      <t>Note that if the compression response (COMPRESSION_ACK or COMPRESSION_CLOSE)
cannot be immediately sent due to flow or congestion control, an upper limit
on how many compression responses the endpoint is willing to buffer <bcp14>MUST</bcp14> be
set to prevent memory exhaustion. The proxy <bcp14>MUST</bcp14> abort the request stream if
this limit is reached.</t>
    </section>
    <section anchor="operational-considerations">
      <name>Operational Considerations</name>
      <t>When moving traffic between uncompressed and compressed Context IDs, the
effective MTU will change. This can hinder Datagram Packetization Layer PMTU
Discovery (DPLPMTUD) between the client and the target
<xref target="DPLPMTUD"/>. To avoid that, if an endpoint intends to use
compression, it <bcp14>SHOULD</bcp14> request it as early as possible.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <section anchor="iana-fields">
        <name>HTTP Fields</name>
        <t>This document requests IANA to register the following new items in the
"HTTP Field Name" registry maintained at
&lt;<eref target="https://www.iana.org/assignments/http-fields"/>&gt;:</t>
        <table anchor="iana-fields-table">
          <name>New Fields</name>
          <thead>
            <tr>
              <th align="left">Field Name</th>
              <th align="left">Structured Type</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">Connect-UDP-Bind</td>
              <td align="left">Item</td>
            </tr>
            <tr>
              <td align="left">Proxy-Public-Address</td>
              <td align="left">List</td>
            </tr>
          </tbody>
        </table>
        <t>All of these new entries use the following values for these fields:</t>
        <dl spacing="compact">
          <dt>Status:</dt>
          <dd>
            <t>provisional (permanent if this document is approved)</t>
          </dd>
          <dt>Reference:</dt>
          <dd>
            <t>This document</t>
          </dd>
          <dt>Comments:</dt>
          <dd>
            <t>None</t>
          </dd>
        </dl>
      </section>
      <section anchor="iana-capsules">
        <name>Capsules</name>
        <t>This document requests IANA to register the following new items to the
"HTTP Capsule Types" registry maintained at
&lt;<eref target="https://www.iana.org/assignments/masque"/>&gt;:</t>
        <table anchor="iana-capsules-table">
          <name>New Capsules</name>
          <thead>
            <tr>
              <th align="left">Value</th>
              <th align="left">Capsule Type</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0x11</td>
              <td align="left">COMPRESSION_ASSIGN</td>
            </tr>
            <tr>
              <td align="left">0x12</td>
              <td align="left">COMPRESSION_ACK</td>
            </tr>
            <tr>
              <td align="left">0x13</td>
              <td align="left">COMPRESSION_CLOSE</td>
            </tr>
          </tbody>
        </table>
        <t>All of these new entries use the following values for these fields:</t>
        <dl spacing="compact">
          <dt>Status:</dt>
          <dd>
            <t>provisional (permanent if this document is approved)</t>
          </dd>
          <dt>Reference:</dt>
          <dd>
            <t>This document</t>
          </dd>
          <dt>Change Controller:</dt>
          <dd>
            <t>IETF</t>
          </dd>
          <dt>Contact:</dt>
          <dd>
            <t>MASQUE Working Group <eref target="mailto:masque@ietf.org">masque@ietf.org</eref></t>
          </dd>
          <dt>Notes:</dt>
          <dd>
            <t>None</t>
          </dd>
        </dl>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="CONNECT-UDP">
          <front>
            <title>Proxying UDP in HTTP</title>
            <author fullname="D. Schinazi" initials="D." surname="Schinazi"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>This document describes how to proxy UDP in HTTP, similar to how the HTTP CONNECT method allows proxying TCP in HTTP. More specifically, this document defines a protocol that allows an HTTP client to create a tunnel for UDP communications through an HTTP server that acts as a proxy.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9298"/>
          <seriesInfo name="DOI" value="10.17487/RFC9298"/>
        </reference>
        <reference anchor="UDP">
          <front>
            <title>User Datagram Protocol</title>
            <author fullname="J. Postel" initials="J." surname="Postel"/>
            <date month="August" year="1980"/>
          </front>
          <seriesInfo name="STD" value="6"/>
          <seriesInfo name="RFC" value="768"/>
          <seriesInfo name="DOI" value="10.17487/RFC0768"/>
        </reference>
        <reference anchor="HTTP">
          <front>
            <title>HTTP Semantics</title>
            <author fullname="R. Fielding" initials="R." role="editor" surname="Fielding"/>
            <author fullname="M. Nottingham" initials="M." role="editor" surname="Nottingham"/>
            <author fullname="J. Reschke" initials="J." role="editor" surname="Reschke"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes.</t>
              <t>This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="97"/>
          <seriesInfo name="RFC" value="9110"/>
          <seriesInfo name="DOI" value="10.17487/RFC9110"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="QUIC">
          <front>
            <title>QUIC: A UDP-Based Multiplexed and Secure Transport</title>
            <author fullname="J. Iyengar" initials="J." role="editor" surname="Iyengar"/>
            <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9000"/>
          <seriesInfo name="DOI" value="10.17487/RFC9000"/>
        </reference>
        <reference anchor="STRUCTURED-FIELDS">
          <front>
            <title>Structured Field Values for HTTP</title>
            <author fullname="M. Nottingham" initials="M." surname="Nottingham"/>
            <author fullname="P-H. Kamp" surname="P-H. Kamp"/>
            <date month="September" year="2024"/>
            <abstract>
              <t>This document describes a set of data types and associated algorithms that are intended to make it easier and safer to define and handle HTTP header and trailer fields, known as "Structured Fields", "Structured Headers", or "Structured Trailers". It is intended for use by specifications of new HTTP fields.</t>
              <t>This document obsoletes RFC 8941.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9651"/>
          <seriesInfo name="DOI" value="10.17487/RFC9651"/>
        </reference>
        <reference anchor="ABNF">
          <front>
            <title>Augmented BNF for Syntax Specifications: ABNF</title>
            <author fullname="D. Crocker" initials="D." role="editor" surname="Crocker"/>
            <author fullname="P. Overell" initials="P." surname="Overell"/>
            <date month="January" year="2008"/>
            <abstract>
              <t>Internet technical specifications often need to define a formal syntax. Over the years, a modified version of Backus-Naur Form (BNF), called Augmented BNF (ABNF), has been popular among many Internet specifications. The current specification documents ABNF. It balances compactness and simplicity with reasonable representational power. The differences between standard BNF and ABNF involve naming rules, repetition, alternatives, order-independence, and value ranges. This specification also supplies additional rule definitions and encoding for a core lexical analyzer of the type common to several Internet specifications. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="68"/>
          <seriesInfo name="RFC" value="5234"/>
          <seriesInfo name="DOI" value="10.17487/RFC5234"/>
        </reference>
        <reference anchor="TEMPLATE">
          <front>
            <title>URI Template</title>
            <author fullname="J. Gregorio" initials="J." surname="Gregorio"/>
            <author fullname="R. Fielding" initials="R." surname="Fielding"/>
            <author fullname="M. Hadley" initials="M." surname="Hadley"/>
            <author fullname="M. Nottingham" initials="M." surname="Nottingham"/>
            <author fullname="D. Orchard" initials="D." surname="Orchard"/>
            <date month="March" year="2012"/>
            <abstract>
              <t>A URI Template is a compact sequence of characters for describing a range of Uniform Resource Identifiers through variable expansion. This specification defines the URI Template syntax and the process for expanding a URI Template into a URI reference, along with guidelines for the use of URI Templates on the Internet. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6570"/>
          <seriesInfo name="DOI" value="10.17487/RFC6570"/>
        </reference>
        <reference anchor="HTTP-DGRAM">
          <front>
            <title>HTTP Datagrams and the Capsule Protocol</title>
            <author fullname="D. Schinazi" initials="D." surname="Schinazi"/>
            <author fullname="L. Pardue" initials="L." surname="Pardue"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>This document describes HTTP Datagrams, a convention for conveying multiplexed, potentially unreliable datagrams inside an HTTP connection.</t>
              <t>In HTTP/3, HTTP Datagrams can be sent unreliably using the QUIC DATAGRAM extension. When the QUIC DATAGRAM frame is unavailable or undesirable, HTTP Datagrams can be sent using the Capsule Protocol, which is a more general convention for conveying data in HTTP connections.</t>
              <t>HTTP Datagrams and the Capsule Protocol are intended for use by HTTP extensions, not applications.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9297"/>
          <seriesInfo name="DOI" value="10.17487/RFC9297"/>
        </reference>
        <reference anchor="URI">
          <front>
            <title>Uniform Resource Identifier (URI): Generic Syntax</title>
            <author fullname="T. Berners-Lee" initials="T." surname="Berners-Lee"/>
            <author fullname="R. Fielding" initials="R." surname="Fielding"/>
            <author fullname="L. Masinter" initials="L." surname="Masinter"/>
            <date month="January" year="2005"/>
            <abstract>
              <t>A Uniform Resource Identifier (URI) is a compact sequence of characters that identifies an abstract or physical resource. This specification defines the generic URI syntax and a process for resolving URI references that might be in relative form, along with guidelines and security considerations for the use of URIs on the Internet. The URI syntax defines a grammar that is a superset of all valid URIs, allowing an implementation to parse the common components of a URI reference without knowing the scheme-specific requirements of every possible identifier. This specification does not define a generative grammar for URIs; that task is performed by the individual specifications of each URI scheme. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="66"/>
          <seriesInfo name="RFC" value="3986"/>
          <seriesInfo name="DOI" value="10.17487/RFC3986"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="WebRTC" target="https://www.w3.org/TR/webrtc/">
          <front>
            <title>WebRTC</title>
            <author>
              <organization/>
            </author>
            <date year="2021" month="January" day="26"/>
          </front>
          <seriesInfo name="W3C" value="Recommendation"/>
        </reference>
        <reference anchor="ICE">
          <front>
            <title>Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal</title>
            <author fullname="A. Keranen" initials="A." surname="Keranen"/>
            <author fullname="C. Holmberg" initials="C." surname="Holmberg"/>
            <author fullname="J. Rosenberg" initials="J." surname="Rosenberg"/>
            <date month="July" year="2018"/>
            <abstract>
              <t>This document describes a protocol for Network Address Translator (NAT) traversal for UDP-based communication. This protocol is called Interactive Connectivity Establishment (ICE). ICE makes use of the Session Traversal Utilities for NAT (STUN) protocol and its extension, Traversal Using Relay NAT (TURN).</t>
              <t>This document obsoletes RFC 5245.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8445"/>
          <seriesInfo name="DOI" value="10.17487/RFC8445"/>
        </reference>
        <reference anchor="TURN">
          <front>
            <title>Traversal Using Relays around NAT (TURN): Relay Extensions to Session Traversal Utilities for NAT (STUN)</title>
            <author fullname="T. Reddy" initials="T." role="editor" surname="Reddy"/>
            <author fullname="A. Johnston" initials="A." role="editor" surname="Johnston"/>
            <author fullname="P. Matthews" initials="P." surname="Matthews"/>
            <author fullname="J. Rosenberg" initials="J." surname="Rosenberg"/>
            <date month="February" year="2020"/>
            <abstract>
              <t>If a host is located behind a NAT, it can be impossible for that host to communicate directly with other hosts (peers) in certain situations. In these situations, it is necessary for the host to use the services of an intermediate node that acts as a communication relay. This specification defines a protocol, called "Traversal Using Relays around NAT" (TURN), that allows the host to control the operation of the relay and to exchange packets with its peers using the relay. TURN differs from other relay control protocols in that it allows a client to communicate with multiple peers using a single relay address.</t>
              <t>The TURN protocol was designed to be used as part of the Interactive Connectivity Establishment (ICE) approach to NAT traversal, though it can also be used without ICE.</t>
              <t>This document obsoletes RFCs 5766 and 6156.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8656"/>
          <seriesInfo name="DOI" value="10.17487/RFC8656"/>
        </reference>
        <reference anchor="DPLPMTUD">
          <front>
            <title>Packetization Layer Path MTU Discovery for Datagram Transports</title>
            <author fullname="G. Fairhurst" initials="G." surname="Fairhurst"/>
            <author fullname="T. Jones" initials="T." surname="Jones"/>
            <author fullname="M. Tüxen" initials="M." surname="Tüxen"/>
            <author fullname="I. Rüngeler" initials="I." surname="Rüngeler"/>
            <author fullname="T. Völker" initials="T." surname="Völker"/>
            <date month="September" year="2020"/>
            <abstract>
              <t>This document specifies Datagram Packetization Layer Path MTU Discovery (DPLPMTUD). This is a robust method for Path MTU Discovery (PMTUD) for datagram Packetization Layers (PLs). It allows a PL, or a datagram application that uses a PL, to discover whether a network path can support the current size of datagram. This can be used to detect and reduce the message size when a sender encounters a packet black hole. It can also probe a network path to discover whether the maximum packet size can be increased. This provides functionality for datagram transports that is equivalent to the PLPMTUD specification for TCP, specified in RFC 4821, which it updates. It also updates the UDP Usage Guidelines to refer to this method for use with UDP datagrams and updates SCTP.</t>
              <t>The document provides implementation notes for incorporating Datagram PMTUD into IETF datagram transports or applications that use datagram transports.</t>
              <t>This specification updates RFC 4960, RFC 4821, RFC 6951, RFC 8085, and RFC 8261.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8899"/>
          <seriesInfo name="DOI" value="10.17487/RFC8899"/>
        </reference>
        <reference anchor="CONNECT-IP">
          <front>
            <title>Proxying IP in HTTP</title>
            <author fullname="T. Pauly" initials="T." role="editor" surname="Pauly"/>
            <author fullname="D. Schinazi" initials="D." surname="Schinazi"/>
            <author fullname="A. Chernyakhovsky" initials="A." surname="Chernyakhovsky"/>
            <author fullname="M. Kühlewind" initials="M." surname="Kühlewind"/>
            <author fullname="M. Westerlund" initials="M." surname="Westerlund"/>
            <date month="October" year="2023"/>
            <abstract>
              <t>This document describes how to proxy IP packets in HTTP. This protocol is similar to UDP proxying in HTTP but allows transmitting arbitrary IP packets. More specifically, this document defines a protocol that allows an HTTP client to create an IP tunnel through an HTTP server that acts as an IP proxy. This document updates RFC 9298.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9484"/>
          <seriesInfo name="DOI" value="10.17487/RFC9484"/>
        </reference>
      </references>
    </references>
    <?line 547?>

<section anchor="example">
      <name>Example</name>
      <t>In the example below, the client is configured with URI Template
"https://example.org/.well-known/masque/udp/{target_host}/{target_port}/"
and listens for traffic on the proxy, eventually decides that it no longer
wants to listen for connections from new targets, and limits its
communication with only 203.0.113.11:60000 and no other UDP target.</t>
      <artwork><![CDATA[
 Client                                             Server

 STREAM(44): HEADERS            -------->
   :method = CONNECT
   :protocol = connect-udp
   :scheme = https
   :path = /.well-known/masque/udp/%2A/%2A/
   :authority = proxy.example.org
   connect-udp-bind = ?1
   capsule-protocol = ?1

            <--------  STREAM(44): HEADERS
                         :status = 200
                         connect-udp-bind = ?1
                         capsule-protocol = ?1
                         proxy-public-address = "192.0.2.45:54321",  \
                                            "[2001:db8::1234]:54321"

// Register Context ID 2 to be used for uncompressed UDP payloads
// to/from any target.

 CAPSULE                       -------->
   Type = COMPRESSION_ASSIGN
   Context ID = 2
   IP Version = 0

// Proxy confirms registration.

            <-------- CAPSULE
                        Type = COMPRESSION_ACK
                        Context ID = 2

// Target talks to Client using the uncompressed Context ID.

            <--------  DATAGRAM
                         Quarter Stream ID = 11
                         Context ID = 2
                         IP Version = 4
                         IP Address = 192.0.2.42
                         UDP Port = 50000
                         UDP Payload = Encapsulated UDP Payload

// Client responds on the same uncompressed Context ID.

 DATAGRAM                       -------->
   Quarter Stream ID = 11
   Context ID = 2
   IP Version = 4
   IP Address = 192.0.2.42
   UDP Port = 50000
   UDP Payload = Encapsulated UDP Payload

// Another target talks to Client using the uncompressed Context ID.

            <--------  DATAGRAM
                         Quarter Stream ID = 11
                         Context ID = 2
                         IP Version = 4
                         IP Address = 203.0.113.11
                         UDP Port = 60000
                         UDP Payload = Encapsulated UDP Payload

// Client responds on the same uncompressed Context ID.

 DATAGRAM                       -------->
   Quarter Stream ID = 11
   Context ID = 2
   IP Version = 4
   IP Address = 203.0.113.11
   UDP Port = 60000
   UDP Payload = Encapsulated UDP Payload

// Register 203.0.113.11:60000 to compress it in the future.

 CAPSULE                       -------->
   Type = COMPRESSION_ASSIGN
   Context ID = 4
   IP Version = 4
   IP Address = 203.0.113.11
   UDP Port = 60000


// Proxy confirms registration.

            <-------- CAPSULE
                        Type = COMPRESSION_ACK
                        Context ID = 4

// Omit IP and Port for future packets intended for
// 203.0.113.11:60000 hereon.

 DATAGRAM                       -------->
   Context ID = 4
   UDP Payload = Encapsulated UDP Payload

            <--------  DATAGRAM
                        Context ID = 4
                        UDP Payload = Encapsulated UDP Payload

// Request packets without a corresponding compressed Context
// to be dropped by closing the uncompressed Context ID.

 CAPSULE                       -------->
   Type = COMPRESSION_CLOSE
   Context ID = 2

// Context ID 4 = 203.0.113.11:60000 traffic is accepted,
// and other traffic is dropped at the proxy.
]]></artwork>
    </section>
    <section anchor="comparison-with-connect-ip">
      <name>Comparison with CONNECT-IP</name>
      <t>While the use cases described in <xref target="intro"/> could be supported using IP
proxying in HTTP <xref target="CONNECT-IP"/>, it would require that every HTTP
Datagram carries a complete IP header. This would lead to both
inefficiencies in the wire encoding and reduction in available Maximum
Transmission Unit (MTU). Furthermore, Web browsers would need to support
IPv4 and IPv6 header generation, parsing, validation and error handling.</t>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>This proposal is the result of many conversations with MASQUE working group
participants. In particular, the authors would like to thank <contact fullname="Alejandro Sedeño"/>, <contact fullname="Ben Schwartz"/>, <contact fullname="Ines Robles"/>, <contact fullname="Lucas Pardue"/>,
<contact fullname="Mike Bishop"/>, <contact fullname="Magnus Westerlund"/>, <contact fullname="Marius Kleidl"/>,
<contact fullname="Mark Nottingham"/>, <contact fullname="Marten Seemann"/>, <contact fullname="Tommy Pauly"/>,
and <contact fullname="Yaroslav Rosomakho"/> for their reviews.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+U9a3Ibx5n/+xQdqLZMpgDwKVlCTDsQSdmsUBJNgnG5vK64
gWkSbQEzyPQMIZhWaq+x//YKe4Xdm+xJ9nt09/QMBhTtZCvZCksqAjP9/N6v
bvZ6PVGYYqYHsnORZ+9XJr2VL7MyTeT1yYU0qfxqNLroCDUe5/oOGh2/ffPm
9HjUw7cvTZp0xEQV+jbLVwNpi0Qk2SRVcxguydVN0TO6uOnNlf1zqXuTLE31
pOiVyaI3M7bQaW/vQNhyPDfWmiwtVgvod3Y6eiXScj7W+UAkMPZAQEerU1va
gSzyUgtYx4FQuVYDOcpVahdZXojl7UC+Hl59fX0q7nRaQjcpb/OsXMCi+XkH
nvAcnW+y/B3u9EtsgM/nyszgOa/097jqfpbf4huVT6bwZloUCzvY2cGG+Mjc
6b5vtoMPdsZ5trR6h4fYwa63ppiWY+hMUFjeOkDsPAY02H8Gu7dFNHl9nD6P
3zfZo0Z8VKP+tJjPOuKdXi2zPEEY9uSfSzOhD7gM+gBoUbe5mtMX6Ey/F0g+
9KkoYdiZDZ2RjMIgRZkDuVmpZjNZTLVcqpVMsmVKL3ldYbJeekufeW30cQw0
J1RZTLOcVgf/JYwPpHHSl1eAl1T9ZOghk+GJujNJ/QVgbCC/zLLbmZbn58f0
TDMBJNY1JNz+/haf9ifZvD7TEGYC6plG0wzHUxM9fGAKBS0tNmzMkGb5XBVA
VgNh0pvqi5Tf6PHl6HhAg3he5WcdekZMIvd39/d6u3u9/Wf00OrcaIsjcUcY
5uB4IC81zDXXKfQBjuMhVX6rYypbLpf95QER9uhyZ6nHeTEBeha9Xg9Wb4tc
TQohRoC7uZ5MVWrsXBYZ4z+WGjJLZyvEM/CF1GoypZcLL2VyDai2BXQVBXLx
3OBnqaRd6Im5AbKZZvBagShCBu/LEQBOwr+lBtKxpSl0IgFQOKqYzIxOix7s
+k7nOEeRTbKZhWYwrbK0np2DrhyXBQ6RZgW8uoFJsBuNYrO5pqEWWue9Iuvh
72ikmXmnHSrcUkDUlXPsnugbkyJJp1K/B0JFYYbbqm3XA6WYqkLqVI2RCWh5
pQVOVFbbPsN4bpJkpoV4Is/SIs+ScoK4kvdPDH798CjQ39//JpLUR5evjl/s
v3j+4YNHxwSkZwHLEo5XCQRIGmVqJvSGkaVWs0wlFsdz4+x++gzHIUzdmPeA
A48mgWj6HWwQYOM3GLaf3TgcSCd0YEu2K4FCJxrlwErmZSozxB5M1BdXZo6C
drbqkpSgTbkdwd6B/RO5ZbWGhV3xYPJF/6D/DOf5DTamLe/t7X74sC3cnsNa
aCF7/fdEW/RlvyuXUwO4CIsYHV/05XE2B3mDXcZZMV0bBxc2Vz9muSlWOLFC
+pCsB/JPrMM3SF2gs778KltqGLnriEjc3/MHAGaugXwt8Is8Oz6FLX0Bv3AD
zw8PnzKsYU6QYzoA7w6nHOtiqUEuFsssnhnAihvDoaqBca1qbGbYD8YDfZpQ
q1xPNMgZpnw1eacLi+/n5awwC5BeiFzbl99MDXwxNA7oegm8Oje30wLWANwJ
6huwjSSvJkBEC5DXU6aDEkVdNVqNIwg8TgrAmumrBSmZFmZiATz4AHafZMSu
t6UCKVFozRyUgEoA2inCAHJpQCzAcoAtgH0SOV7Rpi3IZ8FywfHtBPh0plWC
+8QWTOi89bHGlVkSCnk2r6Y5uxAqSXJtgU+JJHMNEyzAKIK22AfBTV2yhc6Z
gyZZDuAtZiukJDBhYKEpfOuKNjlI68KNMus4KmlFuETRhNKiKYbsJDfjdUFE
O7xoFURM0gLJAd9VFLEmAdaIAgAOKGbKshPYNbGAQIQ/hGlY9pMnCA8CHICF
Jj1BEWroO8s3sEAkmiAWrLfrq1Gny7/lm7f0+fL06+uzy9MT/Hz11fD8PHwQ
rsXVV2+vz0+qT1XP47evX5++OeHO8FTWHgmwFr/tMAt13l6Mzt6+GZ53mPRj
aIP9iTAZI1cUOgdKQH2krPBoSLDPy+OL//qPvUOUn8DP+3t7L4Ci+cvzvU8P
4ctyqlOejdQlf0WBKNRioVWOo6CtNFELU6gZMjfojSlYTBKJEMD52+8QMt8P
5GfjyWLv8HP3ADdce+hhVntIMFt/staZgdjyqGWaAM3a8wak6+sdflv77uEe
PfzsixkoWdnbe/7F56JJ+qBCgUJ1PjdpNstuV8yJ9/eRDkTdB0AGDiPTR83Q
rQg06Nr/BiB0TKpjdxdUR1PR8zRAnTiVBT8pAzmSdsU5SAnG4VWRI8G74bxq
OiC1dDW6vD4eXQMGeq/OTs9PrmiiZ0/3WMSz2bMSdpUWinXTQuXITq3LGJa3
+AXI7CXIrtL23qgyl6/AcGRdzF130A5UM/MTbRqodQr2cJZXGx6+fPMK1/F0
/wCoEZkzcv+CzHgdrI37J8HyAEvkLJVlSqIm0UmrecfC0hmZbCqQeTDJEuYQ
r92FtwcXqpiCAQ0eg85BcsKOQPv6Ffnha6PigAZFsiSUrnQCJjRbnCR5Tpy7
4i2GMkUlRbI8Afugi7Pl+hadjBwWdWcUcpstwYARiAYYOpVVFx7G4RZNo89g
2gKgYBImMkGPfPOeUwhZCnMBgL+ZkgTP0cYnKXt5JkcalCaY8fL0/UKx2AaK
CcopGBy+Ga5ANOirRuvbDCA2i8G4Y8vF68NqIJBXmxCIO7dkDkCvDoP6T4jA
jnRACU/R8OuIOwWkRlYfUHOWkj4w2J8agRFxBlIzSXjAY+d6wpQ9jCOAMFMJ
YPDG6Bk4eNZ7AUwk9/fTJGc28WSCjiAMyVBiA9iWC1yJrehFVPRi0FQA5zPd
MD8ga4FKurYQeadmpUYwsJtSao/AdYDUgEHqgbuBWQijgBPK72PECKBctx82
MptkTv7KMithJWBZ6QWgEnTBGBgeB65jTlRkkrFy5wkDkBwxJJlmBwhEgY7d
Lb8+4AZzIwBeS7C3bNuqUPNnZbUYgi7RCtrJ6wQjWglG1ggGX3/yw29/+ESC
eEEXE3CwNbw6PjurHojd9/vD7b58kxXODGzrRcoP7VKdT9Ap9MJmrIHltHS2
ThccvTyW0f39/j7J6dHp64vz4Ygs8GdPP90lsQgwJP3s6PqRPBFtEVDtyWh9
zUwUnrSh6VzNUD7oBGU/vpmYBWEP5mafVoQmoR9tnOk4IRyRIZjngFDSTayv
QXvQbIe7u2LrJZjBl9x9W1pQjSXYoQAtUgTHLNbkWYJqEhgC9Mb9k0rYCTFk
K3CTEuBtBZveO4FBIFtkE+GFNlrsYcoT2/TvDteFXF+epskiM0imNya3Bblo
ExJsMtXLaDi5xeiuDdB1PEHRKO6H9ryIV7Ekzwd3ZHTULkvQYNN2uyuDinCQ
FWDjXFyeXl2BCfOnIfz68o3XJ35P7mtPged0i3oBOYDhUAeZcLTW2Azzi8nJ
E3DmASxxAgoHqeddiuahskGrkafPUs8NAQg+RQUZDYp+EcmEoEyDxgMKipVm
tT4iT1F7RySfFk7H21hRn12EcA5azVmLju4Lcg1yq73r3zb0ezRBbjcPnmFU
waS0Zw/6pMzZLkGQsEKOcFd5yhaYErdYIJrR61ELspYaAPQyK5oWYBq93wX5
iRgg35OIe5OmJa2Ge0QGZ0fcOV30BFUIzEAWW7vcqcuc0BAsC+E1Pbrwmq2t
KnTkWsa2JYbYiJIH4FiAHnjUjJWUi9QeiThCIcYZa4Dx7glK6dKyiq8LBlJa
KGtJQ1KIIqGxYKhKGNI4aowYj+UnoFcjJcEGMqTkpbG625Q8JLdqqyLaDyZS
JbUUggTm3YA+mAc9WhTTDzA+yM06z7Obe+yIGwXckF5UosJ/wJyF3H2/t7ct
KaKiE6YYZm0CSk3EqpjN0eiaKmYUNgPJP6H4MqD4L3/5S5u4Ovarhm2PcPot
sy2PaBFdeHSu01uAHjzs1lHrngBP/BFYGDe19ZyefAePhhw/kVsH+/3+3v7z
7e/pDTkaiMKtvWf46AMt6n4gn9zMi14dahz/Puq0gM0v+RVtrYPOSYEitVAm
Xds+2nYWtl8tFL4MCIfR2p3srfpFm6Ah+sHW2O2ifsrls7640kXB0UFDhs1P
Os+AgBKMq5LEIrOF4lC8Yo9JitvEolTEeHxbUXIs1aLOsaSMcAK4Fl5QucUr
b9CRIAYwqRyzBX0CiNthDBC/aQIIrpxHd4qHLWX4kM1NgQ6pkxoVJEVo4mTD
bm0/hklUyRnTFUxzsA8GPsaYnNASFEsjy8YhwiMpttNhgkOW6UBeoW/cGloA
ioSnubDJQISNLXZRNKW6WGb5OxDhqPjzJKjc5s7F2s7l+s6dA4GmmTNevIRD
EGwWIQQnojfWz8J5BOS8/ghGktOWMZxiZecFOozCPa0TmrE+JCvKPac1OXPa
etkI2nBhKC1HyqOuD2P6ItrawsSK73qjaI2e/KuuMBgKtojywbIDsw820W1Z
C7txTVgd/wGG8VxBwr2hrx0C8CkqlqAlvXpBSbZZfnufC4kSja6uZ2kKqToC
JrDSSE3I9ivgM7LagN+2VTbmwXgIIdrGOo/P316d/pqNsyalrT+w8T4Z+aBd
MMvofPHNFnllUKMxGfJ/rZZ1t2Far/fwNjalWzlN5BidbCvxCNuq2wQG989u
2o105HUEPkh0FNtoJAcHIxgtlDvBnMtmqNkKEZR/qClk1NCVDZPogsgBny00
AblqXfE8mjQFS0KHalXzEi8RlYuC9X/lGvrGXk/RMBSnBiYV7Bs6x8FntLwi
vXCpTwo4c4qzgf+DPgaeBOXbeidfXg5fu0Tjp95lxvFqzkGECRSys8w6u86F
cAKQs4VGZCxFa2cgiaFXylVnIPIkkzZzEZMFxoML4RJwTPc2K3OkpHIxc1EQ
cDRgO1W+iAm4izvmFCkB/QzzF8Cphndei/Hf34dX6W3PLCwGjqsQRas+d3bA
UoO9DJ3BeDZ2CsMtcgMYcdyK4HG506LpZUWARJsbd2LmCwwmJAD6tz5U0XDv
vL2NvvDZRY9kNMEi9qQ9DkQwMVXDnoAH1Is+c+KUMmKIUzUDEktWnIOi7Nlt
jfxDCm7K+VCQnAvENQhHCh7psI4wfQQ2YQ1moVSqs9LCHnEBVVST1uTCPDOt
8pTR5+JElNBXM5sJJC5NsoXZMVLFnh2pFy3IcA2CF/zsJrgRlGgApr4Wpuww
NgGWaL4plXA2ge6iG9fRIpH12hIftBaCeFhOaR4CCRjEkynlBckfYuZqTC/r
08N2hdNzTQkkWyVQTVQOv8XUaA98TyxiATxhaCSmfqTXlUZLBGMVM53cRruG
aQUG4Rv6vUtxjQiluMGGV+eIPMkzICq0RAXVFqB9exdIY91OesjqonAoMSCh
f5P67rd7gcd/aHMBJ+/a/L8AC/LEN/qB+9uS9J51QSOw2eYiXkrTCazwGxQ+
gvch8um3uIawlc1+4f7H/cINjh3aVS1eXR0Y697dMOKIYDpwWcNGDHgDzAFB
PRSpqylw2VTgLey4Biw/EgvMWPNh+QKlIqUqMEBT1Bx6wE3LwrpOm/itkIti
TUIpq5gNW6iwbiNWdEiyqIUSj0lGbSTAg4oAwQpalPkiw+oleVYIx38UtyKX
LjFYAlFlVygf8gi7syuKymuuZHiNzJmifyT1TYEOnB0FfFgCRr5QnYpoJNar
Zc71ClTCYViZcIyBAuo1vm5yAoNzMy8c/FpecLphnRsYIetM8BbN4pgY0Q1x
4VsCADmHntxbaIJp89bUbfNK6Ad7V6WgbMucRk7qQTRCThxZbrXWHxMJ7TZY
ssW3WfdrOL7ykCpisOIOot6AY5UnMxfWYCMm4mmfDRYmqjwELXZTzgho+r2a
k4anKIPyfjE7smRjMWhnGeorMweJOnTadwGmYVoYNSOtSAHOYD5yGaLLmPps
wZp5ud33qK8zRGRSV2YUMoVJYTcqoQk3B5kQmj60Xi/+8aYNEUpIFBqfi/Jw
FUh+Y03h9JBOb0+6VzuI5g/dK8dAedsVpeUYBQAC93eyngBf90QpgXUdW8xv
fRoeBGBtMcFTcQnSJZriNlTJVSxUd2UCFwRuERw9aVNCrVmg9fimywSRsUEu
TdBCUUgpontHmlUQsGFXgpOMBR9AV+3pmwGVFrVFxhshGrJ6xQNB5BqoWypI
LpiUSFquh4fbosP4vBYbDg/cUFv9/pokTXALPd6sF6QfW1q9RuTvEz/2weNH
BmA5ZpJEpYsuv1NVLjpi9tXBoE+dEItSZlSOAy2CCyc91WGFNYU5sFMkCnga
UU0TPG/vNxdMkC6d5WpO2OuOItBVdYurOq3UVN33ieKs/3Ax4nUsbIoWB9yI
VtzIFtywb/4AbkQ7buSvwo0I6YC47ughzDgA8dQBRmU6zxIu24lZ9QGIbeX6
Ruc5J7VAXnVQrsoMbLrCdji84pL9YPN7yNXDRA2NVjO1QxbRxyWwB9rwQkl3
WiDyp6szCR8dmWMCwg+LxEm1IQtXv+kKY3mKhgNtKbYd+dEiiuRVkSNTfGKr
6mqvgyviqUIJmxQ61/PSVoy3hrkwBAzzG4A7+VaR3Qe7IIuFM4a5xmNW6ScF
GfobIGEdqIoo+IH2jqQgVLVi8g08gDeN5cKjbo8VZh7lqa3ryN1m+AIxVjcV
nwTPp2EjtFbwrZmW0yxjr8Y3bxYFyHCaJ6Oyv+rwVGR7e6bncvkaPLztWVXW
MydGpR0AnnYaLaug7sPGiNhgjFRR3JiniC/qWtNHmJAFIo8qMgMxDRlXlHiQ
+rSHDaKnPnJDXEXlET59/Wi743HGQ2w6PDz2rzQcBn8P0emCAs2qx6+42PEV
Kcj7J1hlyeGATrNpp1YY+T//9u+2UqjKl0Jj/XM5KUpcE40pfPIJSyfBjXXV
VsgbpJw4wuqdc1fA6UQdlvWGUwzjVTikUHysfNSLOJ/rkT98sfcDyiNylkXN
WaYFcLiiOg2TPGKOqCa021xsOAAF4nwIbif7fbwcCqJ4s8+fVcESkxs2r3kD
2sX0fVWQU70hbQR2cs0LNY5KfLpZ+IRNOLOBMplcFctLGONJQFJ6WL3uC6Fy
jpBy5cJYCxAD8B3zsY2zJr6IlOch53qhgA00uSFOV4mHQUgA4TN5NyUSTRjf
utNFPLqoRnaJLiwQYyDyAoF5uOYtaulpnti1d1GOZ2bS84b0pY9HNRgA7dMe
c8E1NHApXU91TnutJaw4h4QqEJgABRlKQZowOjdEEKWi5VHVG1SIq2yZ4zbC
ESOue6fyOJ+g8uNUKs1Pm7IG9hYjTsJeZFVeDOO5tG9KFeoluH98/pYPALZn
4/goCDkC/oBU4BA+U2YxNRblkWyVu0Iyre2Vsh/hiKErtWpsTlfFA42hImXW
aUOpl0/CeVY4cY3ajKf1vqTKx7nGM+Ze6RATUBM+wtFlZWVIV3ETs6glzEYk
2VHm+wbu8Iep0qW0ZoTQzABNqlkX6OHuMCAy2AjN8yKuEvn68gwzqgcvnj+j
iAYqK7eKHmd2juTJ19dvR6dyS1azyJ14GrktO4MOz8ONg9Jjq6PnduF0HgE3
eJyVVuOqFenOd8FsFwEYkvUTnlAMZzpa2Y4w0RUN9vEVyWQ7Br4h6FxU6kDL
mbnRKMZ8QpRJ17k9laBjOsSsqF9TF8/3k0Ima8ktBtOudCCSKsH90xs1N1Fi
MSmrnEqdXaKzTICaymoPR1plRNO5DmdTQrFj48QB0gPehuDOCUoXh8MgdRjH
HeRk2FVBsTB0nfmC8cbtOUOC1a02csW1OwsUMFsHBMfgxFr9Wn1Qf/CCXnJH
ZhDHu9VRMdGW8djkV+Qse9rDbgLP3VEImXDlQqac9owiDbQarC8JOtXvhbNg
bK5H8ocuG3iYjGO50nW+UuSeC0w/uvxkFStn+8IVauGrOHTL6opZ76U7pAXq
yJ/XwnzXDWXia/qo5WhGi4oqWaqG9IZoVAJ6vRFO4ddCv0Hgh4KpygElJgzV
18NGdSHxbu0YT8uRrNrwol1zhGN3LCC8buBbIfwVAEFDMTWnK3dLhPlJ+6M3
XEad5UuV8ymkeUPFgJWlU3aCQunHHIt/6xHSbqSLGnnkuL6+xnzBla0fqqWj
zBl62NVAXPC9qtGH2DJ93e8C/QZmocBWS1yeki1UWREXlgT7Do3DtOHMxzNt
dxvU7PNJjqgrkpZYWAq8nOUqR5E5LjGigNZJ4+TG05aTG5SnvIwSH2cXeLik
meogKKq1o0tLOmCehcB8xWWEfW8NovQgwUo1rqloD5jUknMAUJzAh0ycFODA
/mKmJhpM4TM8WICSfgJWfm6yGGIaYDBxRQ+K6rosXZSQ6yWG2tUteoUY/8DD
VXSyQvjVAgRICgDYSrpS4NgleFV0Ltr6l5Pay2ZFkgf9p2ug5woYtVjAAukA
sSuuG11fvvHlE+EWBDIhw3mBLpYYzTQa6HiElETdWKdg6zgLBh1/HYqyNi21
tsD9PSwh+wJnpxsPnj1lU4cX9bHDpVS5vIrDpgBu8AG8SSZaxCHuEa/1INM5
oGNNWFgOsqC8RhsuzOhqSPwFGpFRwPZc08J1Q2QY+1IWONmk7WcN+SzN5nij
O8LpLzzCRVVkH58RQdnhj/55j5vo9Z3WiwfDha7ojg2JMV4YQbc6BDbj4fHi
nnCkM4rjs8TQuetCmu6jCMQsW5TyFFtcpcKX1HycmrddrPUmPiUs1qdZkuh7
iPONrWK30X4QGrRKd2IXzDI9eRcsMUd1sCzSbW2DCxg8iMyq/ISqWmt3nAQA
bZpUZCFXsaa/YQWPqKqgDiIqF2+WDW2wxLCy0lgiwYpB2irZN1WWN0uSSCST
dnHkJmxBgQcSueCaZXj2e5T5GzYAsoRejGjQS7zba1lM40Q3pWBJRmOayKAl
k1GZIZYv148WOjlH9N6oKKzMtFpNFTL+KnNnPGnwmtHvCv9j3RyYfKtZGAS0
ulblsC0qc94A8ScGBAhXNIHeK4mnbgD8ku7pwbNvBFaMM+ZUo5tKMMJBltDa
RLzxtkUxhgLaDEtzdxjNKXIXpPIhPI8JB3/9fqpKWsSak7/pRBbHuIx1yKHo
BHCNC8OH2Ds4sE3Nxx5eRplsX8/rL0Op8ZyTwC00zKfHgnqWr0fXTIDsZ8WF
qQathspEvSDD0l+hcK5W8PICuosTYyeoJldy6+TiHB+dbIdlRWalPxrMfCPu
77/wzUnlPX/xgq6aABF+l+E5cSAoiujFjMXODnEimMMiwimxknOwwgliUoQa
ZQtpRJdDIjifDd8M1wAMxhjZuBQHQ0PMqFT1WC99aN62EaQqDdU4ixZFu/HQ
qgEL0TozSnSqOeQbsOU7XkasgoOOOCzEZ999vxVfR4ar4Zv2yIehEOEO3RDH
S9z+fCDEz3zPWTU8f/85DkpTodbP4udBr+1n/fHPNOpaGBNHpZ8z2J5080DT
Vm/RNaUIk2+K0ZcIxL2CVS1HYN4A3BgRVOgINMrWjOVzwLB5PK0VwiYVwCmg
GqKvVleFCld0tHsgBhwTscxmeCYaRASd+3QB5PggKBiJ0Fgn20JcakoWTvSA
shVRQzzzOieE4Ks3Wapxcxa8MVjRUQcJFexg3Ahe++PVkCMwr5b+BiTm3FEm
MV8ph+i2fx2V8ZWEjsD+SCF8Qmg8hUP/YBMVeULC85PQu0U/+9f7zdegLhxt
UWVh4zUXyMX05CG6TlEe9v8/aIqDX8es3mZ4F6i7GpTsVaAofMD3esrabZ7y
s8Ylnp+znv4oeeLVe3jKC2XkKedV6IIbUpT8HYQ7QKV2tQrX4d6YWxIvlHiK
L3QR4VZFNwTRVx+vMOyR1+fvCy2Txc59dMz6Q/iG5t2HHb5Dg0MeDhtOD8Yx
wS6dsipKsNRW4BJOTOIjdqARwOvH3L7OBV/sUQ+hRNfysZ2PZOEsPfZsSGtb
OhkQ3RSIdbi4awoE7u8e9Hf7e3sH8H/wbBd+3KVLLgWGJq5zTTia7RwU+Ut+
rqimQgh5Nbo8Hb7eOjzcHsivTocnp5dXcTvPep/jNZcDd2ngkfcf6KG/3hEe
R3eh0isLhskcA+yEQG6NNxMdyU3o+5f9If2nts6fBO/3yBXMRASALeK7Vylj
cyS/2KMXLgkfrQ1eiHhnn/mtyTYY1JrWfgbuho8jQNTu5mYbl7aheeuCNzYn
aPQ4zN/zfsyR7Oy92Afa2e8fPh08PTzY3+t0pfzXzcO0/HS+g23tDZLx88Fg
b//g8Hs3kBA7O/Jy/TSR3Hd+bqjXrdmScaQORyiynaZ/DWg5Hl5cXZ+fblhS
jQZJVRy1nbqQtQpxQA8+icpZjuQubYIDxO7Mh5WNOvV44opE3AI3QrJtVXSY
tv2nsU5c1Yid4ELN3pFUOW4m7Db43BuXLE+GoyGeJ9yM/q9LlSM2r9izoNXs
PUB16+Bt/6kB/fDBdsNAu4F0Hxg4RMSP5FMUjB9p6ao/juRpCEjXC0MI8se+
TooCxyEqQXHyB4DuwbthATWi3Qzoj1DsoXgYTG0A+QVb99X0xT878cU691Hk
9+yflPyagGoDyS/YfFAoLUZPXA8YZRGoyOX/TGkc/i1g8A+pZg5pVW8xaNSs
C3CFQz75F+eEsU8LbjASzPv4JXS4DunHkko7uD4uZdZnbP35RRTrb9hkYPlr
/FQji9kSwybzJz5ZO16F4+kfEbJ/Ha2Th9vC7iR+qkeHDdr2fOh8JFNdztHF
nnTdLquPqoXfWlzf0CcvxRUJq9xY7+74LMTZBUYn8R4LAgMdm8TwaiMfx1e3
fwDQ4s0E41Dq6GuEsARh7ar4+/svqmnoaoXD54d4yYbxl0JimMTkLgatKRRJ
d6mG2KW72cddDjTTBWUPOO3kQp48kr8Qmy46N6l2d+NPsLMTX0uciW51q66K
9pfTY03wHf5pDAw6vFbvzbycixEXFHDk+TrFxPDr0fV2X77ig4RY8tat3Vzu
FuNTUA5IAquZ+E7zi7tnPml2q9NQQuxuu+3yTZvslWJ7vuCCqiz5pq4njYPF
VtwP+I+N6OSoc6NmVnd8MArwscismvmDGUDd5YwyLS6sTvfUuewAEYWLRyxd
PIL+/AgWLxYAywX63Jg7lvwAeNRd+8iuYkAE/p0BvsEzfQckcD+c6R9hA3km
rnSi//s/gYyABODFS/DcrybTJQz3k392hn+H4DLDu9j8o/MSKBLkQJ6UGp8J
ePYaJ3lp7DRb+Gav1W0KruE3GnXarEyT6kVu4MUfZtokszCAyt/hSQVMQ07V
PGqL8YQrjQfMUv90lM3nK1hBOVtRf8QMPP5W5ZmdqTtYr83m6t0Ud+YDTSZ3
2WTbF/8L/cNIi6VmAAA=

-->

</rfc>
