<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<?rfc tocompact="yes"?>
<?rfc tocindent="yes"?>
<?rfc compact="yes"?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-bonica-tcpm-tcp-ao-long-algs-04" category="exp" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="tcp-ao-384-algs">384-bit Cryptographic Algorithms For Use With TCP-AO</title>
    <seriesInfo name="Internet-Draft" value="draft-bonica-tcpm-tcp-ao-long-algs-04"/>
    <author initials="R." surname="Bonica" fullname="Ron Bonica">
      <organization>HPE</organization>
      <address>
        <postal>
          <country>USA</country>
        </postal>
        <email>ronald.bonica@hpe.com</email>
      </address>
    </author>
    <author initials="T." surname="Li" fullname="Tony Li">
      <organization>HPE</organization>
      <address>
        <postal>
          <country>USA</country>
        </postal>
        <email>tony.li@tony.li</email>
      </address>
    </author>
    <date year="2026" month="July" day="02"/>
    <area>Transport</area>
    <workgroup>TCPM Working Group</workgroup>
    <keyword>TCP-AO</keyword>
    <abstract>
      <?line 49?>

<t>RFC5926 creates a list of cryptographic algorithms that can be used with TCP-AO. This document expands that list, adding two Message Authentication Code (MAC) algorithms, HMAC-SHA384 and KMAC384.  For each MAC algorithm, a corresponding Key Derivation Function (KDF) is also added.</t>
      <t>The MAC algorithms described by this document produce 384-bit (i.e., 48-byte) MACs. When 48-byte MACs are encoded in TCP-AO, the TCP-AO consumes 52 bytes. This exceeds TCP's 40-byte option size limitation. Therefore, it depends on a solution that extends TCP Option space.</t>
    </abstract>
  </front>
  <middle>
    <?line 55?>

<section anchor="intro">
      <name>Introduction</name>
      <t><xref target="RFC5926"/> creates a list of cryptographic algorithms that can be used with TCP-AO <xref target="RFC5925"/>. This document expands that list, adding two Message Authentication Code (MAC) algorithms, HMAC-SHA384 and KMAC384.  For each MAC algorithm, a corresponding Key Derivation Function (KDF) is also added.</t>
      <t>The MAC algorithms described by this document produce 384-bit (i.e., 48-byte) MACs. When 48-byte MACs are encoded in TCP-AO, the TCP-AO consumes 52 bytes. This exceeds TCP's <xref target="RFC9293"/> 40-byte option size limitation. Therefore, it depends on a solution that extends TCP Option space.</t>
    </section>
    <section anchor="requirements-language">
      <name>Requirements Language</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

</section>
    <section anchor="algorithm-classes">
      <name>Algorithm Classes</name>
      <t><xref target="RFC5925"/> requires the following cryptographic algorithm classes:</t>
      <ul spacing="normal">
        <li>
          <t>Key Derivation Functions (KDFs)</t>
        </li>
        <li>
          <t>MAC Algorithms</t>
        </li>
      </ul>
      <t><xref target="kdf"/> of this document addresses KDFs while <xref target="mac"/> addresses MAC algorithms.</t>
      <section anchor="kdf">
        <name>Key Derivation Functions (KDFs)</name>
        <t>A KDF converts Input Keying Material (IKM) into cryptographically secure Output Keying Material (OKM). In the case of TCP-AO, a KDF converts an administratively assigned Master_Key into a Traffic_Key.</t>
        <t>KDFs have the following interface:</t>
        <ul spacing="normal">
          <li>
            <t>Traffic_Key = KDF_alg(Master_Key, Context, Output_Length)</t>
          </li>
        </ul>
        <t>where:</t>
        <ul spacing="normal">
          <li>
            <t>KDF_alg is the KDF algorithm being used.</t>
          </li>
          <li>
            <t>Master_Key is a variable length pre-shared key (PSK).</t>
          </li>
          <li>
            <t>Context is binary string containing information related to the TCP connection, as defined in Section 5.2 of <xref target="RFC5925"/>.</t>
          </li>
          <li>
            <t>Output_Length is the desired length of the Traffic_Key. In this document, the Output_Length is always equal to 384 bits.</t>
          </li>
        </ul>
        <t>This document defines two KDFs:</t>
        <ul spacing="normal">
          <li>
            <t>HKDF-SHA384</t>
          </li>
          <li>
            <t>KMAC384-KDF</t>
          </li>
        </ul>
        <t><xref target="HKDFSHA384"/> of this document describes HKDF-SHA384 while <xref target="KMAC384KDF"/> describes KMAC384-KDF.</t>
        <section anchor="HKDFSHA384">
          <name>HKDF-SHA384</name>
          <t>HKDF-SHA384 is as described in <xref target="RFC5869"/>. HKDF-SHA384 executes in the following stages:</t>
          <ul spacing="normal">
            <li>
              <t>Extract</t>
            </li>
            <li>
              <t>Expand</t>
            </li>
          </ul>
          <t>The interface to the Extract stage is:</t>
          <ul spacing="normal">
            <li>
              <t>PRK = HKDF-Extract(salt, IKM)</t>
            </li>
          </ul>
          <t>where:</t>
          <ul spacing="normal">
            <li>
              <t>PRK is a Pseudo-random key, to be used in the Expand stage.</t>
            </li>
            <li>
              <t>salt is an all-zero byte string whose length equals 32 bytes.</t>
            </li>
            <li>
              <t>IKM is the Master_Key argument provided to the KDF interface.</t>
            </li>
          </ul>
          <t>According to <xref target="RFC5869"/>, the goal of the extract stage is to concentrate the possibly dispersed entropy of the input keying material into a short, but cryptographically strong pseudorandom key. Implementations <bcp14>MUST</bcp14> execute the extract stage.</t>
          <t>The interface to the Expand stage is:</t>
          <ul spacing="normal">
            <li>
              <t>OKM = HKDF-Expand(PRK, info, L)</t>
            </li>
          </ul>
          <t>where:</t>
          <ul spacing="normal">
            <li>
              <t>OKM is the Traffic_Key.</t>
            </li>
            <li>
              <t>PRK is the value produced by the Extract stage.</t>
            </li>
            <li>
              <t>info is the Context argument provided to the KDF interface.</t>
            </li>
            <li>
              <t>L is equal to 48 bytes.</t>
            </li>
          </ul>
          <t>The expand stage expands the pseudorandom key to the desired length. The output key length depend on the specific cryptographic algorithms for which the keys are needed. Implementations <bcp14>MUST</bcp14> execute the expand stage.</t>
        </section>
        <section anchor="KMAC384KDF">
          <name>KMAC384-KDF</name>
          <t>KMAC384-KDF is as described in <xref target="DOI.10.6028_NIST.SP.800-185"/> and <xref target="DOI.10.6028_NIST.SP.800-56Cr2"/>. So, the interface to KMAC384-KDF as described in <xref target="DOI.10.6028_NIST.SP.800-56Cr2"/>:</t>
          <ul spacing="normal">
            <li>
              <t>OKM = KMAC384(Z, salt, x, H_outputBits, S)</t>
            </li>
          </ul>
          <t>where:</t>
          <ul spacing="normal">
            <li>
              <t>Z is is the Master_Key argument provided to the KDF interface.</t>
            </li>
            <li>
              <t>salt is an all-zero byte string whose length equals 132 bytes.</t>
            </li>
            <li>
              <t>x is the Context argument provided to the KDF interface.</t>
            </li>
            <li>
              <t>H_outputBits is equal to 384 bits.</t>
            </li>
            <li>
              <t>S is  the byte string 01001011 || 01000100 || 01000110, which represents the sequence of characters "K", "D," and "F" in 8-bit ASCII.</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="mac">
        <name>MAC Algorithms</name>
        <t>Each MAC algorithm defined for TCP-AO has the following fixed elements as part of its definition:</t>
        <ul spacing="normal">
          <li>
            <t>KDF_Alg is the name of the KDF algorithm used to generate the Traffic_Key.</t>
          </li>
          <li>
            <t>Key_Length is the length of the Traffic_Key used in this MAC, measured in bits. In this document, the Key_Length is always 384 bits.</t>
          </li>
          <li>
            <t>MAC_Length is the desired length of the MAC to be produced by the algorithm. In this document, the MAC_Length is always 384 bits.</t>
          </li>
        </ul>
        <t>MACs computed for TCP-AO have the following interface:</t>
        <ul spacing="normal">
          <li>
            <t>MAC = MAC_alg(Traffic_Key, Message)</t>
          </li>
        </ul>
        <t>where:</t>
        <ul spacing="normal">
          <li>
            <t>MAC is the value to be encoded in TCP-AO.</t>
          </li>
          <li>
            <t>MAC_alg is MAC Algorithm used.</t>
          </li>
          <li>
            <t>Traffic_Key is the result of KDF.</t>
          </li>
          <li>
            <t>Message is the message to be authenticated, as specified in Section 5.1 of <xref target="RFC5925"/>.</t>
          </li>
        </ul>
        <section anchor="the-use-of-hmac-sha384">
          <name>The Use of HMAC-SHA384</name>
          <t>The three fixed elements for HMAC-SHA384 are:</t>
          <ul spacing="normal">
            <li>
              <t>KDF_Alg: HKDF-SHA384.</t>
            </li>
            <li>
              <t>Key_Length:  384 bits.</t>
            </li>
            <li>
              <t>MAC_Length:  384 bits.</t>
            </li>
          </ul>
          <t>For:</t>
          <ul spacing="normal">
            <li>
              <t>MAC = MAC_alg (Traffic_Key, Message)</t>
            </li>
          </ul>
          <t>HMAC-SHA384 for TCP-AO has the following values:</t>
          <ul spacing="normal">
            <li>
              <t>MAC is the value to be encoded in TCP-AO.</t>
            </li>
            <li>
              <t>MAC_alg is HMAC-SHA384.</t>
            </li>
            <li>
              <t>Traffic_Key is the result of the KDF.</t>
            </li>
            <li>
              <t>Message is the message to be authenticated, as specified in Section 5.1 of <xref target="RFC5925"/>.</t>
            </li>
          </ul>
        </section>
        <section anchor="the-use-of-kmac384">
          <name>The Use of KMAC384</name>
          <t>The three fixed elements for KMAC384 are:</t>
          <ul spacing="normal">
            <li>
              <t>KDF_Alg: KMAC384-KDF</t>
            </li>
            <li>
              <t>Key_Length:  384 bits.</t>
            </li>
            <li>
              <t>MAC_Length:  384 bits.</t>
            </li>
          </ul>
          <t>For:</t>
          <ul spacing="normal">
            <li>
              <t>MAC = MAC_alg (Traffic_Key, Message)</t>
            </li>
          </ul>
          <t>KMAC384 for TCP-AO has the following values:</t>
          <ul spacing="normal">
            <li>
              <t>MAC is the value to be encoded in TCP-AO.</t>
            </li>
            <li>
              <t>MAC_alg is KMAC384.</t>
            </li>
            <li>
              <t>Traffic_Key is the result of the KDF.</t>
            </li>
            <li>
              <t>Message is the message to be authenticated, as specified in Section 5.1 of <xref target="RFC5925"/>.</t>
            </li>
          </ul>
        </section>
      </section>
    </section>
    <section anchor="seccon">
      <name>Security Considerations</name>
      <t>This document inherits all of the security considerations of <xref target="RFC5869"/>, <xref target="RFC5925"/>, <xref target="RFC8702"/>, and <xref target="RFC9688"/>.</t>
      <t>The security of cryptography-based systems depends on both the
   strength of the cryptographic algorithms chosen and the strength of
   the keys used with those algorithms.  The security also depends on
   the engineering of the protocol used by the system to ensure that
   there are no non-cryptographic ways to bypass the security of the
   overall system.</t>
      <t>Master Keys <bcp14>MUST</bcp14> be kept secret.  Each party in the Master Key
   distribution path is an opportunity for compromise and disclosure.
   Master Keys <bcp14>MUST</bcp14> be changed immediately if compromise is suspected.</t>
      <t>Master_Keys <bcp14>SHOULD</bcp14> have at least 384 bits of entropy.  This document
   RECOMMENDS that operators use Master_Keys generated by a
   cryptographic random number generator, or similar.  However, it is
   understood that they may not do so.</t>
      <t>TCP-AO Master Key Tuples <bcp14>MUST</bcp14> be rotated at a rate commensurate with
   the strength of the cryptographic algorithms.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>IANA is requested to add the following entries to the "Cryptographic Algorithms for TCP-AO Registration" (https://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml#tcp-parameters-3).</t>
      <table anchor="iana">
        <name>IANA Actions</name>
        <thead>
          <tr>
            <th align="left">Algorithm</th>
            <th align="left">Reference</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td align="left">HMAC-SHA384</td>
            <td align="left">This Document</td>
          </tr>
          <tr>
            <td align="left">KMAC384</td>
            <td align="left">This Document</td>
          </tr>
        </tbody>
      </table>
    </section>
    <section anchor="acknowledgements">
      <name>Acknowledgements</name>
      <t>Thanks to Eric Biggers, Lars Eggert, Gorry Fairhurst, C.M.  Heard, Russ Housley, John Mattsson, Yoshifumi Nishida, Joe Touch, Michael Tuxen, and Magnus Westerlund for their review and comments.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-normative-references">
      <name>Normative References</name>
      <reference anchor="RFC2119">
        <front>
          <title>Key words for use in RFCs to Indicate Requirement Levels</title>
          <author fullname="S. Bradner" initials="S." surname="Bradner"/>
          <date month="March" year="1997"/>
          <abstract>
            <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
          </abstract>
        </front>
        <seriesInfo name="BCP" value="14"/>
        <seriesInfo name="RFC" value="2119"/>
        <seriesInfo name="DOI" value="10.17487/RFC2119"/>
      </reference>
      <reference anchor="RFC5869">
        <front>
          <title>HMAC-based Extract-and-Expand Key Derivation Function (HKDF)</title>
          <author fullname="H. Krawczyk" initials="H." surname="Krawczyk"/>
          <author fullname="P. Eronen" initials="P." surname="Eronen"/>
          <date month="May" year="2010"/>
          <abstract>
            <t>This document specifies a simple Hashed Message Authentication Code (HMAC)-based key derivation function (HKDF), which can be used as a building block in various protocols and applications. The key derivation function (KDF) is intended to support a wide range of applications and requirements, and is conservative in its use of cryptographic hash functions. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="5869"/>
        <seriesInfo name="DOI" value="10.17487/RFC5869"/>
      </reference>
      <reference anchor="RFC5925">
        <front>
          <title>The TCP Authentication Option</title>
          <author fullname="J. Touch" initials="J." surname="Touch"/>
          <author fullname="A. Mankin" initials="A." surname="Mankin"/>
          <author fullname="R. Bonica" initials="R." surname="Bonica"/>
          <date month="June" year="2010"/>
          <abstract>
            <t>This document specifies the TCP Authentication Option (TCP-AO), which obsoletes the TCP MD5 Signature option of RFC 2385 (TCP MD5). TCP-AO specifies the use of stronger Message Authentication Codes (MACs), protects against replays even for long-lived TCP connections, and provides more details on the association of security with TCP connections than TCP MD5. TCP-AO is compatible with either a static Master Key Tuple (MKT) configuration or an external, out-of-band MKT management mechanism; in either case, TCP-AO also protects connections when using the same MKT across repeated instances of a connection, using traffic keys derived from the MKT, and coordinates MKT changes between endpoints. The result is intended to support current infrastructure uses of TCP MD5, such as to protect long-lived connections (as used, e.g., in BGP and LDP), and to support a larger set of MACs with minimal other system and operational changes. TCP-AO uses a different option identifier than TCP MD5, even though TCP-AO and TCP MD5 are never permitted to be used simultaneously. TCP-AO supports IPv6, and is fully compatible with the proposed requirements for the replacement of TCP MD5. [STANDARDS-TRACK]</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="5925"/>
        <seriesInfo name="DOI" value="10.17487/RFC5925"/>
      </reference>
      <reference anchor="RFC5926">
        <front>
          <title>Cryptographic Algorithms for the TCP Authentication Option (TCP-AO)</title>
          <author fullname="G. Lebovitz" initials="G." surname="Lebovitz"/>
          <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
          <date month="June" year="2010"/>
          <abstract>
            <t>The TCP Authentication Option (TCP-AO) relies on security algorithms to provide authentication between two end-points. There are many such algorithms available, and two TCP-AO systems cannot interoperate unless they are using the same algorithms. This document specifies the algorithms and attributes that can be used in TCP-AO's current manual keying mechanism and provides the interface for future message authentication codes (MACs). [STANDARDS-TRACK]</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="5926"/>
        <seriesInfo name="DOI" value="10.17487/RFC5926"/>
      </reference>
      <reference anchor="RFC8174">
        <front>
          <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
          <author fullname="B. Leiba" initials="B." surname="Leiba"/>
          <date month="May" year="2017"/>
          <abstract>
            <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
          </abstract>
        </front>
        <seriesInfo name="BCP" value="14"/>
        <seriesInfo name="RFC" value="8174"/>
        <seriesInfo name="DOI" value="10.17487/RFC8174"/>
      </reference>
      <reference anchor="RFC8702">
        <front>
          <title>Use of the SHAKE One-Way Hash Functions in the Cryptographic Message Syntax (CMS)</title>
          <author fullname="P. Kampanakis" initials="P." surname="Kampanakis"/>
          <author fullname="Q. Dang" initials="Q." surname="Dang"/>
          <date month="January" year="2020"/>
          <abstract>
            <t>This document updates the "Cryptographic Message Syntax (CMS) Algorithms" (RFC 3370) and describes the conventions for using the SHAKE family of hash functions in the Cryptographic Message Syntax as one-way hash functions with the RSA Probabilistic Signature Scheme (RSASSA-PSS) and Elliptic Curve Digital Signature Algorithm (ECDSA). The conventions for the associated signer public keys in CMS are also described.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="8702"/>
        <seriesInfo name="DOI" value="10.17487/RFC8702"/>
      </reference>
      <reference anchor="RFC9235">
        <front>
          <title>TCP Authentication Option (TCP-AO) Test Vectors</title>
          <author fullname="J. Touch" initials="J." surname="Touch"/>
          <author fullname="J. Kuusisaari" initials="J." surname="Kuusisaari"/>
          <date month="May" year="2022"/>
          <abstract>
            <t>This document provides test vectors to validate implementations of the two mandatory authentication algorithms specified for the TCP Authentication Option over both IPv4 and IPv6. This includes validation of the key derivation function (KDF) based on a set of test connection parameters as well as validation of the message authentication code (MAC). Vectors are provided for both currently required pairs of KDF and MAC algorithms: KDF_HMAC_SHA1 and HMAC- SHA-1-96, and KDF_AES_128_CMAC and AES-128-CMAC-96. The vectors also validate both whole TCP segments as well as segments whose options are excluded for middlebox traversal.</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="9235"/>
        <seriesInfo name="DOI" value="10.17487/RFC9235"/>
      </reference>
      <reference anchor="RFC9293">
        <front>
          <title>Transmission Control Protocol (TCP)</title>
          <author fullname="W. Eddy" initials="W." role="editor" surname="Eddy"/>
          <date month="August" year="2022"/>
          <abstract>
            <t>This document specifies the Transmission Control Protocol (TCP). TCP is an important transport-layer protocol in the Internet protocol stack, and it has continuously evolved over decades of use and growth of the Internet. Over this time, a number of changes have been made to TCP as it was specified in RFC 793, though these have only been documented in a piecemeal fashion. This document collects and brings those changes together with the protocol specification from RFC 793. This document obsoletes RFC 793, as well as RFCs 879, 2873, 6093, 6429, 6528, and 6691 that updated parts of RFC 793. It updates RFCs 1011 and 1122, and it should be considered as a replacement for the portions of those documents dealing with TCP requirements. It also updates RFC 5961 by adding a small clarification in reset handling while in the SYN-RECEIVED state. The TCP header control bits from RFC 793 have also been updated based on RFC 3168.</t>
          </abstract>
        </front>
        <seriesInfo name="STD" value="7"/>
        <seriesInfo name="RFC" value="9293"/>
        <seriesInfo name="DOI" value="10.17487/RFC9293"/>
      </reference>
      <reference anchor="RFC9688">
        <front>
          <title>Use of the SHA3 One-Way Hash Functions in the Cryptographic Message Syntax (CMS)</title>
          <author fullname="R. Housley" initials="R." surname="Housley"/>
          <date month="November" year="2024"/>
          <abstract>
            <t>This document describes the conventions for using the one-way hash functions in the SHA3 family with the Cryptographic Message Syntax (CMS). The SHA3 family can be used as a message digest algorithm, as part of a signature algorithm, as part of a message authentication code, or as part of a Key Derivation Function (KDF).</t>
          </abstract>
        </front>
        <seriesInfo name="RFC" value="9688"/>
        <seriesInfo name="DOI" value="10.17487/RFC9688"/>
      </reference>
      <reference anchor="DOI.10.6028_NIST.SP.800-185">
        <front>
          <title>SHA-3 derived functions: cSHAKE, KMAC, TupleHash and ParallelHash</title>
          <author fullname="John Kelsey" initials="J." surname="Kelsey">
            <organization/>
          </author>
          <author fullname="Shu-jen Change" initials="S." surname="Change">
            <organization/>
          </author>
          <author fullname="Ray Perlner" initials="R." surname="Perlner">
            <organization/>
          </author>
          <date month="December" year="2016"/>
        </front>
        <seriesInfo name="DOI" value="10.6028/nist.sp.800-185"/>
        <refcontent>National Institute of Standards and Technology</refcontent>
      </reference>
      <reference anchor="DOI.10.6028_NIST.SP.800-56Cr2">
        <front>
          <title>Recommendation for Key-Derivation Methods in Key-Establishment Schemes</title>
          <author fullname="Elaine Barker" initials="E." surname="Barker">
            <organization/>
          </author>
          <author fullname="Lily Chen" initials="L." surname="Chen">
            <organization/>
          </author>
          <author fullname="Richard Davis" initials="R." surname="Davis">
            <organization/>
          </author>
          <date month="August" year="2020"/>
        </front>
        <seriesInfo name="DOI" value="10.6028/nist.sp.800-56cr2"/>
        <refcontent>National Institute of Standards and Technology</refcontent>
      </reference>
    </references>
    <?line 280?>

<section anchor="test-vectors">
      <name>Test Vectors</name>
      <t>This appendix provides test vectors to validate the correct implementation of TCP-AO and the cryptographic algorithms defined in this document.  It includes the specification of all endpoint parameters to generate the variety of TCP segments covered by different keys and MAC coverage, i.e., both the default case and the variant where TCP options are ignored for middlebox traversal.</t>
      <section anchor="input-test-vectors">
        <name>Input Test Vectors</name>
        <t>Input test vectors are as described in Section 3 of <xref target="RFC9235"/>.</t>
      </section>
      <section anchor="ipv4-hmac-sha384-output-test-vectors">
        <name>IPv4 HMAC-SHA384 Output Test Vectors</name>
        <t>In the following sections, all values are indicated as 2-digit hexadecimal values with spacing per line representing the contents of 16 consecutive bytes, as is typical for data dumps.  The IP/TCP data indicates the entire IP packet, including the TCP segment and its options (whether covered by TCP-AO or not, as indicated), including TCP-AO.</t>
        <section anchor="hmac-sha384-default-covers-tcp-options">
          <name>HMAC-SHA384 (Default - Covers TCP Options)</name>
          <section anchor="send-client-syn-covers-options">
            <name>Send (Client) SYN (Covers Options)</name>
            <sourcecode type="asvg"><![CDATA[
   Client ISN = 0xfbfbab5a

   Send_SYN_traffic_key:

     TBD

   IPv4/TCP:

     45 e0 00 4c dd 0f 40 00 ff 06 bf 6b 0a 0b 0c 0d
     ac 1b 1c 1d e9 d7 00 b3 fb fb ab 5a 00 00 00 00
     e0 02 ff ff ca c4 00 00 02 04 05 b4 01 03 03 08
     04 02 08 0a 00 15 5a b7 00 00 00 00 1d 10 3d 54
     2e e4 37 c6 f8 ed e6 d7 c4 d6 02 e7

   MAC:

     TBD

]]></sourcecode>
          </section>
          <section anchor="receive-server-syn-ack-covers-options">
            <name>Receive (Server) SYN-ACK (Covers Options)</name>
            <sourcecode type="asvg"><![CDATA[
   Server ISN = 0x11c14261

   Receive_SYN_traffic_key:

     TBD

   IPv4/TCP:

     45 e0 00 4c 65 06 40 00 ff 06 37 75 ac 1b 1c 1d
     0a 0b 0c 0d 00 b3 e9 d7 11 c1 42 61 fb fb ab 5b
     e0 12 ff ff 37 76 00 00 02 04 05 b4 01 03 03 08
     04 02 08 0a 84 a5 0b eb 00 15 5a b7 1d 10 54 3d
     ee ab 0f e2 4c 30 10 81 51 16 b3 be

   MAC:

     TBD
]]></sourcecode>
          </section>
          <section anchor="send-client-non-syn-covers-options">
            <name>Send (Client) Non-SYN (Covers Options)</name>
            <sourcecode type="asvg"><![CDATA[
   Send_other_traffic_key:

     TBD

   IPv4/TCP:

     45 e0 00 87 36 a1 40 00 ff 06 65 9f 0a 0b 0c 0d
     ac 1b 1c 1d e9 d7 00 b3 fb fb ab 5b 11 c1 42 62
     c0 18 01 04 a1 62 00 00 01 01 08 0a 00 15 5a c1
     84 a5 0b eb 1d 10 3d 54 70 64 cf 99 8c c6 c3 15
     c2 c2 e2 bf ff ff ff ff ff ff ff ff ff ff ff ff
     ff ff ff ff 00 43 01 04 da bf 00 b4 0a 0b 0c 0d
     26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02
     00 02 02 42 00 02 06 41 04 00 00 da bf 02 08 40
     06 00 64 00 01 01 00

   MAC:

     TBD

]]></sourcecode>
          </section>
          <section anchor="receive-server-non-syn-covers-options">
            <name>Receive (Server) Non-SYN (Covers Options)</name>
            <sourcecode type="asvg"><![CDATA[
   Receive_other_traffic_key:

     TBD

   IPv4/TCP:

     45 e0 00 87 1f a9 40 00 ff 06 7c 97 ac 1b 1c 1d
     0a 0b 0c 0d 00 b3 e9 d7 11 c1 42 62 fb fb ab 9e
     c0 18 01 00 40 0c 00 00 01 01 08 0a 84 a5 0b f5
     00 15 5a c1 1d 10 54 3d a6 3f 0e cb bb 2e 63 5c
     95 4d ea c7 ff ff ff ff ff ff ff ff ff ff ff ff
     ff ff ff ff 00 43 01 04 da c0 00 b4 ac 1b 1c 1d
     26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02
     00 02 02 42 00 02 06 41 04 00 00 da c0 02 08 40
     06 00 64 00 01 01 00

   MAC:

     TBD

]]></sourcecode>
          </section>
        </section>
        <section anchor="hmac-sha384-omits-tcp-options">
          <name>HMAC-SHA384 (Omits TCP Options)</name>
          <section anchor="send-client-syn-omits-options">
            <name>Send (Client) SYN (Omits Options)</name>
            <sourcecode type="asvg"><![CDATA[
   Client ISN = 0xcb0efbee

   Send_SYN_traffic_key:

     TBD

   IPv4/TCP:

     45 e0 00 4c 53 99 40 00 ff 06 48 e2 0a 0b 0c 0d
     ac 1b 1c 1d ff 12 00 b3 cb 0e fb ee 00 00 00 00
     e0 02 ff ff 54 1f 00 00 02 04 05 b4 01 03 03 08
     04 02 08 0a 00 02 4c ce 00 00 00 00 1d 10 3d 54
     80 af 3c fe b8 53 68 93 7b 8f 9e c2

   MAC:

     TBD

]]></sourcecode>
          </section>
          <section anchor="receive-server-syn-ack-omits-options">
            <name>Receive (Server) SYN-ACK (Omits Options)</name>
            <sourcecode type="asvg"><![CDATA[
   Server ISN = 0xacd5b5e1

   Receive_SYN_traffic_key:

     TBD

   IPv4/TCP:

     45 e0 00 4c 32 84 40 00 ff 06 69 f7 ac 1b 1c 1d
     0a 0b 0c 0d 00 b3 ff 12 ac d5 b5 e1 cb 0e fb ef
     e0 12 ff ff 38 8e 00 00 02 04 05 b4 01 03 03 08
     04 02 08 0a 57 67 72 f3 00 02 4c ce 1d 10 54 3d
     09 30 6f 9a ce a6 3a 8c 68 cb 9a 70

   MAC:

     TBD

]]></sourcecode>
          </section>
          <section anchor="send-client-non-syn-omits-options">
            <name>Send (Client) Non-SYN (Omits Options)</name>
            <sourcecode type="asvg"><![CDATA[
   Send_other_traffic_key:

     TBD

   IPv4/TCP:

     45 e0 00 87 a8 f5 40 00 ff 06 f3 4a 0a 0b 0c 0d
     ac 1b 1c 1d ff 12 00 b3 cb 0e fb ef ac d5 b5 e2
     c0 18 01 04 6c 45 00 00 01 01 08 0a 00 02 4c ce
     57 67 72 f3 1d 10 3d 54 71 06 08 cc 69 6c 03 a2
     71 c9 3a a5 ff ff ff ff ff ff ff ff ff ff ff ff
     ff ff ff ff 00 43 01 04 da bf 00 b4 0a 0b 0c 0d
     26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02
     00 02 02 42 00 02 06 41 04 00 00 da bf 02 08 40
     06 00 64 00 01 01 00

   MAC:

     TBD

]]></sourcecode>
          </section>
          <section anchor="receive-server-non-syn-omits-options">
            <name>Receive (Server) Non-SYN (Omits Options)</name>
            <sourcecode type="asvg"><![CDATA[
   Receive_other_traffic_key:

     TBD

   IPv4/TCP:

     45 e0 00 87 54 37 40 00 ff 06 48 09 ac 1b 1c 1d
     0a 0b 0c 0d 00 b3 ff 12 ac d5 b5 e2 cb 0e fc 32
     c0 18 01 00 46 b6 00 00 01 01 08 0a 57 67 72 f3
     00 02 4c ce 1d 10 54 3d 97 76 6e 48 ac 26 2d e9
     ae 61 b4 f9 ff ff ff ff ff ff ff ff ff ff ff ff
     ff ff ff ff 00 43 01 04 da c0 00 b4 ac 1b 1c 1d
     26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02
     00 02 02 42 00 02 06 41 04 00 00 da c0 02 08 40
     06 00 64 00 01 01 00

   MAC:

     TBD

]]></sourcecode>
          </section>
        </section>
      </section>
      <section anchor="ipv4-kmac384-output-test-vectors">
        <name>IPv4 KMAC384 Output Test Vectors</name>
        <t>In the following sections, all values are indicated as 2-digit hexadecimal values with spacing per line representing the contents of 16 consecutive bytes, as is typical for data dumps.  The IP/TCP data indicates the entire IP packet, including the TCP segment and its options (whether covered by TCP-AO or not, as indicated), including TCP-AO.</t>
        <section anchor="kmac384-default-covers-tcp-options">
          <name>KMAC384 (Default - Covers TCP Options)</name>
          <section anchor="send-client-syn-covers-options-1">
            <name>Send (Client) SYN (Covers Options)</name>
            <sourcecode type="asvg"><![CDATA[
   Client ISN = 0x787a1ddf

   Send_SYN_traffic_key:

     TBD

   IP/TCP:

     45 e0 00 4c 7b 9f 40 00 ff 06 20 dc 0a 0b 0c 0d
     ac 1b 1c 1d c4 fa 00 b3 78 7a 1d df 00 00 00 00
     e0 02 ff ff 5a 0f 00 00 02 04 05 b4 01 03 03 08
     04 02 08 0a 00 01 7e d0 00 00 00 00 1d 10 3d 54
     e4 77 e9 9c 80 40 76 54 98 e5 50 91

   MAC:

     TBD

]]></sourcecode>
          </section>
          <section anchor="receive-server-syn-ack-covers-options-1">
            <name>Receive (Server) SYN-ACK (Covers Options)</name>
            <sourcecode type="asvg"><![CDATA[
   Server ISN = 0xfadd6de9

   Receive_SYN_traffic_key:

     TBD

   IPv4/TCP:

     45 e0 00 4c 4b ad 40 00 ff 06 50 ce ac 1b 1c 1d
     0a 0b 0c 0d 00 b3 c4 fa fa dd 6d e9 78 7a 1d e0
     e0 12 ff ff f3 f2 00 00 02 04 05 b4 01 03 03 08
     04 02 08 0a 93 f4 e9 e8 00 01 7e d0 1d 10 54 3d
     d6 ad a7 bc 4c dd 53 6d 17 69 db 5f

   MAC:

     TBD

]]></sourcecode>
          </section>
          <section anchor="send-client-non-syn-covers-options-1">
            <name>Send (Client) Non-SYN (Covers Options)</name>
            <sourcecode type="asvg"><![CDATA[
   Send_other_traffic_key:

     TBD 

   IPv4/TCP:

     45 e0 00 87 fb 4f 40 00 ff 06 a0 f0 0a 0b 0c 0d
     ac 1b 1c 1d c4 fa 00 b3 78 7a 1d e0 fa dd 6d ea
     c0 18 01 04 95 05 00 00 01 01 08 0a 00 01 7e d0
     93 f4 e9 e8 1d 10 3d 54 77 41 27 42 fa 4d c4 33
     ef f0 97 3e ff ff ff ff ff ff ff ff ff ff ff ff
     ff ff ff ff 00 43 01 04 da bf 00 b4 0a 0b 0c 0d
     26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02
     00 02 02 42 00 02 06 41 04 00 00 da bf 02 08 40
     06 00 64 00 01 01 00

   MAC:

     TBD

]]></sourcecode>
          </section>
          <section anchor="receive-server-non-syn-covers-options-1">
            <name>Receive (Server) Non-SYN (Covers Options)</name>
            <sourcecode type="asvg"><![CDATA[
   Receive_other_traffic_key:

     TBD

   IPv4/TCP:

     45 e0 00 87 b9 14 40 00 ff 06 e3 2b ac 1b 1c 1d
     0a 0b 0c 0d 00 b3 c4 fa fa dd 6d ea 78 7a 1e 23
     c0 18 01 00 e7 db 00 00 01 01 08 0a 93 f4 e9 e8
     00 01 7e d0 1d 10 54 3d f6 d9 65 a7 83 82 a7 48
     45 f7 2d ac ff ff ff ff ff ff ff ff ff ff ff ff
     ff ff ff ff 00 43 01 04 da c0 00 b4 ac 1b 1c 1d
     26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02
     00 02 02 42 00 02 06 41 04 00 00 da c0 02 08 40
     06 00 64 00 01 01 00

   MAC:

     TBD
]]></sourcecode>
          </section>
        </section>
        <section anchor="kmac384-omits-tcp-options">
          <name>KMAC384 (Omits TCP Options)</name>
          <section anchor="send-client-syn-omits-options-1">
            <name>Send (Client) SYN (Omits Options)</name>
            <sourcecode type="asvg"><![CDATA[
   Client ISN = 0x389bed71

   Send_SYN_traffic_key:

     TBD

   IPv4/TCP:

     45 e0 00 4c f2 2e 40 00 ff 06 aa 4c 0a 0b 0c 0d
     ac 1b 1c 1d da 1c 00 b3 38 9b ed 71 00 00 00 00
     e0 02 ff ff 70 bf 00 00 02 04 05 b4 01 03 03 08
     04 02 08 0a 00 01 85 e1 00 00 00 00 1d 10 3d 54
     c4 4e 60 cb 31 f7 c0 b1 de 3d 27 49

   MAC:

     TBD

]]></sourcecode>
          </section>
          <section anchor="receive-server-syn-ack-omits-options-1">
            <name>Receive (Server) SYN-ACK (Omits Options)</name>
            <sourcecode type="asvg"><![CDATA[
   Server ISN = 0xd3844a6f

   Receive_SYN_traffic_key:

     TBD

   IPv4/TCP:

     45 e0 00 4c 6c c0 40 00 ff 06 2f bb ac 1b 1c 1d
     0a 0b 0c 0d 00 b3 da 1c d3 84 4a 6f 38 9b ed 72
     e0 12 ff ff e4 45 00 00 02 04 05 b4 01 03 03 08
     04 02 08 0a ce 45 98 38 00 01 85 e1 1d 10 54 3d
     3a 6a bb 20 7e 49 b1 be 71 36 db 90

   MAC:

     TBD

]]></sourcecode>
          </section>
          <section anchor="send-client-non-syn-omits-options-1">
            <name>Send (Client) Non-SYN (Omits Options)</name>
            <sourcecode type="asvg"><![CDATA[
   Send_other_traffic_key:

     TBD

   IPv4/TCP:

     45 e0 00 87 ee 91 40 00 ff 06 ad ae 0a 0b 0c 0d
     ac 1b 1c 1d da 1c 00 b3 38 9b ed 72 d3 84 4a 70
     c0 18 01 04 88 51 00 00 01 01 08 0a 00 01 85 e1
     ce 45 98 38 1d 10 3d 54 75 85 e9 e9 d5 c3 ec 85
     7b 96 f8 37 ff ff ff ff ff ff ff ff ff ff ff ff
     ff ff ff ff 00 43 01 04 da bf 00 b4 0a 0b 0c 0d
     26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02
     00 02 02 42 00 02 06 41 04 00 00 da bf 02 08 40
     06 00 64 00 01 01 00

   MAC:

     TBD

]]></sourcecode>
          </section>
          <section anchor="receive-server-non-syn-omits-options-1">
            <name>Receive (Server) Non-SYN (Omits Options)</name>
            <sourcecode type="asvg"><![CDATA[
   Receive_other_traffic_key:

     TBD

   IPv4/TCP:

     45 e0 00 87 6a 21 40 00 ff 06 32 1f ac 1b 1c 1d
     0a 0b 0c 0d 00 b3 da 1c d3 84 4a 70 38 9b ed 72
     c0 18 01 00 04 49 00 00 01 01 08 0a ce 45 98 38
     00 01 85 e1 1d 10 54 3d 5c 04 0f d9 23 33 04 76
     5c 09 82 f4 ff ff ff ff ff ff ff ff ff ff ff ff
     ff ff ff ff 00 43 01 04 da c0 00 b4 ac 1b 1c 1d
     26 02 06 01 04 00 01 00 01 02 02 80 00 02 02 02
     00 02 02 42 00 02 06 41 04 00 00 da c0 02 08 40
     06 00 64 00 01 01 00

   MAC:

     TBD
]]></sourcecode>
          </section>
        </section>
      </section>
      <section anchor="ipv6-hmac-sha384-output-test-vectors">
        <name>IPv6 HMAC-SHA384 Output Test Vectors</name>
        <section anchor="hmac-sha384-default-covers-tcp-options-1">
          <name>HMAC-SHA384 (Default - Covers TCP Options)</name>
          <section anchor="send-client-syn-covers-options-2">
            <name>Send (Client) SYN (Covers Options)</name>
            <sourcecode type="asvg"><![CDATA[
   Client ISN = 0x176a833f

   Send_SYN_traffic_key:

     TBD

   IPv6/TCP:

     6e 08 91 dc 00 38 06 40 fd 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 02 f7 e4 00 b3 17 6a 83 3f
     00 00 00 00 e0 02 ff ff 47 21 00 00 02 04 05 a0
     01 03 03 08 04 02 08 0a 00 41 d0 87 00 00 00 00
     1d 10 3d 54 90 33 ec 3d 73 34 b6 4c 5e dd 03 9f

   MAC:

     TBD

]]></sourcecode>
          </section>
          <section anchor="receive-server-syn-ack-covers-options-2">
            <name>Receive (Server) SYN-ACK (Covers Options)</name>
            <sourcecode type="asvg"><![CDATA[
   Server ISN = 0x3f51994b

   Receive_SYN_traffic_key:

     TBD

   IPv6/TCP:

     6e 01 00 9e 00 38 06 40 fd 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 01 00 b3 f7 e4 3f 51 99 4b
     17 6a 83 40 e0 12 ff ff bf ec 00 00 02 04 05 a0
     01 03 03 08 04 02 08 0a bd 33 12 9b 00 41 d0 87
     1d 10 54 3d f1 cb a3 46 c3 52 61 63 f7 1f 1f 55

   MAC:

     TBD

]]></sourcecode>
          </section>
          <section anchor="send-client-non-syn-covers-options-2">
            <name>Send (Client) Non-SYN (Covers Options)</name>
            <sourcecode type="asvg"><![CDATA[
   Send_other_traffic_key:

     TBD

   IPv6/TCP:

     6e 08 91 dc 00 73 06 40 fd 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 02 f7 e4 00 b3 17 6a 83 40
     3f 51 99 4c c0 18 01 00 32 9c 00 00 01 01 08 0a
     00 41 d0 91 bd 33 12 9b 1d 10 3d 54 bf 08 05 fe
     b4 ac 7b 16 3d 6f cd f2 ff ff ff ff ff ff ff ff
     ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4
     01 01 01 79 26 02 06 01 04 00 01 00 01 02 02 80
     00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd
     e8 02 08 40 06 00 64 00 01 01 00

   MAC:

     TBD

]]></sourcecode>
          </section>
          <section anchor="receive-server-non-syn-covers-options-2">
            <name>Receive (Server) Non-SYN (Covers Options)</name>
            <sourcecode type="asvg"><![CDATA[
   Receive_other_traffic_key:

     TBD

   IPv6/TCP:

     6e 01 00 9e 00 73 06 40 fd 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 01 00 b3 f7 e4 3f 51 99 4c
     17 6a 83 83 c0 18 01 00 ee 6e 00 00 01 01 08 0a
     bd 33 12 a5 00 41 d0 91 1d 10 54 3d 6c 48 12 5c
     11 33 5b ab 9a 07 a7 97 ff ff ff ff ff ff ff ff
     ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4
     01 01 01 7a 26 02 06 01 04 00 01 00 01 02 02 80
     00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd
     e8 02 08 40 06 00 64 00 01 01 00

   MAC:

     TBD

]]></sourcecode>
          </section>
        </section>
        <section anchor="hmac-sha384-omits-tcp-options-1">
          <name>HMAC-SHA384 (Omits TCP Options)</name>
          <section anchor="send-client-syn-omits-options-2">
            <name>Send (Client) SYN (Omits Options)</name>
            <sourcecode type="asvg"><![CDATA[
   Client ISN = 0x020c1e69

   Send_SYN_traffic_key:

     TBD

   IPv6/TCP:

     6e 07 8f cd 00 38 06 40 fd 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 02 c6 cd 00 b3 02 0c 1e 69
     00 00 00 00 e0 02 ff ff a4 1a 00 00 02 04 05 a0
     01 03 03 08 04 02 08 0a 00 9d b9 5b 00 00 00 00
     1d 10 3d 54 88 56 98 b0 53 0e d4 d5 a1 5f 83 46

   MAC:

     TBD
]]></sourcecode>
          </section>
          <section anchor="receive-server-syn-ack-omits-options-2">
            <name>Receive (Server) SYN-ACK (Omits Options)</name>
            <sourcecode type="asvg"><![CDATA[
   Server ISN = 0xeba3734d

   Receive_SYN_traffic_key:

     TBD

   IPv6/TCP:

     6e 0a 7e 1f 00 38 06 40 fd 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 01 00 b3 c6 cd eb a3 73 4d
     02 0c 1e 6a e0 12 ff ff 77 4d 00 00 02 04 05 a0
     01 03 03 08 04 02 08 0a 5e c9 9b 70 00 9d b9 5b
     1d 10 54 3d 3c 54 6b ad 97 43 f1 2d f8 b8 01 0d

   MAC:

     TBD
]]></sourcecode>
          </section>
          <section anchor="send-client-non-syn-omits-options-2">
            <name>Send (Client) Non-SYN (Omits Options)</name>
            <sourcecode type="asvg"><![CDATA[
   Send_other_traffic_key:

     TBD

   IPv6/TCP:

     6e 07 8f cd 00 73 06 40 fd 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 02 c6 cd 00 b3 02 0c 1e 6a
     eb a3 73 4e c0 18 01 00 83 e6 00 00 01 01 08 0a
     00 9d b9 65 5e c9 9b 70 1d 10 3d 54 48 bd 09 3b
     19 24 e0 01 19 2f 5b f0 ff ff ff ff ff ff ff ff
     ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4
     01 01 01 79 26 02 06 01 04 00 01 00 01 02 02 80
     00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd
     e8 02 08 40 06 00 64 00 01 01 00

   MAC:

     TBD

]]></sourcecode>
          </section>
          <section anchor="receive-server-non-syn-omits-options-2">
            <name>Receive (Server) Non-SYN (Omits Options)</name>
            <sourcecode type="asvg"><![CDATA[
   Receive_other_traffic_key:

     TBD

   IPv6/TCP:

     6e 0a 7e 1f 00 73 06 40 fd 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 01 00 b3 c6 cd eb a3 73 4e
     02 0c 1e ad c0 18 01 00 71 6a 00 00 01 01 08 0a
     5e c9 9b 7a 00 9d b9 65 1d 10 54 3d 55 9a 81 94
     45 b4 fd e9 8d 9e 13 17 ff ff ff ff ff ff ff ff
     ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4
     01 01 01 7a 26 02 06 01 04 00 01 00 01 02 02 80
     00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd
     e8 02 08 40 06 00 64 00 01 01 00

   MAC:

     TBD

]]></sourcecode>
          </section>
        </section>
      </section>
      <section anchor="ipv6-kmac384-output-test-vectors">
        <name>IPv6 KMAC384 Output Test Vectors</name>
        <section anchor="kmac384-default-covers-tcp-options-1">
          <name>KMAC384 (Default - Covers TCP Options)</name>
          <section anchor="send-client-syn-covers-options-3">
            <name>Send (Client) SYN (Covers Options)</name>
            <sourcecode type="asvg"><![CDATA[
   Client ISN = 0x193cccec

   Send_SYN_traffic_key:

     TBD

   IP/TCP:

     6e 04 a7 06 00 38 06 40 fd 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 02 f8 5a 00 b3 19 3c cc ec
     00 00 00 00 e0 02 ff ff de 5d 00 00 02 04 05 a0
     01 03 03 08 04 02 08 0a 13 e4 ab 99 00 00 00 00
     1d 10 3d 54 59 b5 88 10 74 81 ac 6d c3 92 70 40

   MAC:

     TBD

]]></sourcecode>
          </section>
          <section anchor="receive-server-syn-ack-covers-options-3">
            <name>Receive (Server) SYN-ACK (Covers Options)</name>
            <sourcecode type="asvg"><![CDATA[
   Server ISN = 0xa6744ecb

   Receive_SYN_traffic_key:

     TBD

   IPv6/TCP:

     6e 06 15 20 00 38 06 40 fd 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 01 00 b3 f8 5a a6 74 4e cb
     19 3c cc ed e0 12 ff ff ea bb 00 00 02 04 05 a0
     01 03 03 08 04 02 08 0a 71 da ab c8 13 e4 ab 99
     1d 10 54 3d dc 28 43 a8 4e 78 a6 bc fd c5 ed 80

   MAC:

     TBD

]]></sourcecode>
          </section>
          <section anchor="send-client-non-syn-covers-options-3">
            <name>Send (Client) Non-SYN (Covers Options)</name>
            <sourcecode type="asvg"><![CDATA[
   Send_other_traffic_key:

     TBD

   IPv6/TCP:

     6e 04 a7 06 00 73 06 40 fd 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 02 f8 5a 00 b3 19 3c cc ed
     a6 74 4e cc c0 18 01 00 32 80 00 00 01 01 08 0a
     13 e4 ab a3 71 da ab c8 1d 10 3d 54 7b 6a 45 5c
     0d 4f 5f 01 83 5b aa b3 ff ff ff ff ff ff ff ff
     ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4
     01 01 01 79 26 02 06 01 04 00 01 00 01 02 02 80
     00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd
     e8 02 08 40 06 00 64 00 01 01 00

   MAC:

     TBD

]]></sourcecode>
          </section>
          <section anchor="receive-server-non-syn-covers-options-3">
            <name>Receive (Server) Non-SYN (Covers Options)</name>
            <sourcecode type="asvg"><![CDATA[
   Receive_other_traffic_key:

     TBD

   IPv6/TCP:

     6e 06 15 20 00 73 06 40 fd 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 01 00 b3 f8 5a a6 74 4e cc
     19 3c cd 30 c0 18 01 00 52 f4 00 00 01 01 08 0a
     71 da ab d3 13 e4 ab a3 1d 10 54 3d c1 06 9b 7d
     fd 3d 69 3a 6d f3 f2 89 ff ff ff ff ff ff ff ff
     ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4
     01 01 01 7a 26 02 06 01 04 00 01 00 01 02 02 80
     00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd
     e8 02 08 40 06 00 64 00 01 01 00

   MAC:

     TBD

]]></sourcecode>
          </section>
        </section>
        <section anchor="kmac384-omits-tcp-options-1">
          <name>KMAC384 (Omits TCP Options)</name>
          <section anchor="send-client-syn-omits-options-3">
            <name>Send (Client) SYN (Omits Options)</name>
            <sourcecode type="asvg"><![CDATA[
   Client ISN = 0xb01da74a

   Send_SYN_traffic_key:

     TBD

   IPv6/TCP:

     6e 09 3d 76 00 38 06 40 fd 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 02 f2 88 00 b3 b0 1d a7 4a
     00 00 00 00 e0 02 ff ff 75 ff 00 00 02 04 05 a0
     01 03 03 08 04 02 08 0a 14 27 5b 3b 00 00 00 00
     1d 10 3d 54 3d 45 b4 34 2d e8 bb 15 30 84 78 98

   MAC:

     TBD

]]></sourcecode>
          </section>
          <section anchor="receive-server-syn-ack-omits-options-3">
            <name>Receive (Server) SYN-ACK (Omits Options)</name>
            <sourcecode type="asvg"><![CDATA[
   Server ISN = 0xa6246145

   Receive_SYN_traffic_key:

     TBD

   IPv6/TCP:

     6e 0c 60 0a 00 38 06 40 fd 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 01 00 b3 f2 88 a6 24 61 45
     b0 1d a7 4b e0 12 ff ff a7 0c 00 00 02 04 05 a0
     01 03 03 08 04 02 08 0a 17 82 24 5b 14 27 5b 3b
     1d 10 54 3d 1d 01 f6 c8 7c 6f 93 ac ff a9 d4 b5

   MAC:

     TBD

]]></sourcecode>
          </section>
          <section anchor="send-client-non-syn-omits-options-3">
            <name>Send (Client) Non-SYN (Omits Options)</name>
            <sourcecode type="asvg"><![CDATA[
   Send_other_traffic_key:

     TBD

   IPv6/TCP:

     6e 09 3d 76 00 73 06 40 fd 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 01 fd 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 02 f2 88 00 b3 b0 1d a7 4b
     a6 24 61 46 c0 18 01 00 c3 6d 00 00 01 01 08 0a
     14 27 5b 4f 17 82 24 5b 1d 10 3d 54 29 0c f4 14
     cc b4 7a 33 32 76 e7 f8 ff ff ff ff ff ff ff ff
     ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4
     01 01 01 79 26 02 06 01 04 00 01 00 01 02 02 80
     00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd
     e8 02 08 40 06 00 64 00 01 01 00

   MAC:

     TBD

]]></sourcecode>
          </section>
          <section anchor="receive-server-non-syn-omits-options-3">
            <name>Receive (Server) Non-SYN (Omits Options)</name>
            <sourcecode type="asvg"><![CDATA[
   Receive_other_traffic_key:

     TBD

   IPv6/TCP:

     6e 0c 60 0a 00 73 06 40 fd 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 02 fd 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 01 00 b3 f2 88 a6 24 61 46
     b0 1d a7 8e c0 18 01 00 34 51 00 00 01 01 08 0a
     17 82 24 65 14 27 5b 4f 1d 10 54 3d 99 51 5f fc
     d5 40 34 99 f6 19 fd 1b ff ff ff ff ff ff ff ff
     ff ff ff ff ff ff ff ff 00 43 01 04 fd e8 00 b4
     01 01 01 7a 26 02 06 01 04 00 01 00 01 02 02 80
     00 02 02 02 00 02 02 42 00 02 06 41 04 00 00 fd
     e8 02 08 40 06 00 64 00 01 01 00

   MAC:

     TBD
]]></sourcecode>
          </section>
        </section>
      </section>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+1c63LbOJb+76q8Azb+sU6vpfAminRNz4zbSSbeXDdOtqvn
UimQBG1WJFJDUr5MOl3zILtV+yz7KPMk+x0AJEFdEkV2x9PbmdI4FAkcAOd8
55wPB1QPBoM7O3GRZPnpAZvX6SAwvlYDXsVZdmfnzk6d1RNxwNzAG0RZzY7K
q1ldnJZ8dpbF7HByWpRZfTat2KOiZG8qwb7HV/b66OXg8MWdHR5FpTg/YHU8
G/BiQEL45LS6s5MUcc6nkJuUPK0HUZFnMR+g2XSg206K/FQ2HlgeZsZrgaGu
Dpi4nN3ZqebRNKuqrMjrqxmkHD98/YgmW9U8T95y9MXNK4GBZtkB+1NdxPsM
f4rpjMe1vMzyROS4rIqyLkVa4epqqi50s7+QwGxWYvblvKodywotB0sqBT9g
r0ueVzP0vbNzAYVhvc/Y90X5DupjfyiLOeb47uKg1QO6zeuzojygS8YG9Iex
LK8O2Ksh+06uXt1TWnlV5L27RYlBHr98qL7FxTyvSRdvTg7VHTHl2eSAlUXO
J8lQafP3ZzMxxFqWh3w9ZE8zc7jXRX7V3tpwrBp9hpPs9/pfPKOB8qKc8jo7
FwfU+NWjI8e2w+Z6FPjddeiMjGu/uQ7ssddejy2nuQ4dd9Rdh2577QeBvH7w
4nhoW0PfcoL7z49PXg9PXg4DyxrYweijz0f+USlHubMzGAwYj6q6hPVpMXpq
LIbJa1ExziZZVbMixR3TC3jnBfUZr1nMcxYJeJFI2EXnDkP2+iyrGKA/nwJ7
hGSgVfchyfuMJ+SArL4o2DNRVfxUsEMAB61h0BpwZ0dFItjes8Oje8aw++wx
7gxOHh/CwxiEsif4jushk34peHzGcKfrgqFg2rIUAHEux3wirtgDUWbnapxH
8zyWF3tPHjy6xzBvPqkKmqBIhqSc12eiLxIrE1VcZhFWHV1hVeZaZ2WRzGPR
hpG9bCiG+8wLBtFVLe6RpGrIvsdKm3vyFoO3MZEjLkFolmtFwoExuLrGKvIK
Y1Rs5DDqV2k1i8tYCGgXzf61Yp6lhBYzuagq+5uAyqdZLVdLXQScvyjFPsPs
EjETZBm05IgQk7nsJO0kLmv5CGLZCy0M0UJInRCAplmSTAR922XHcB1at2z2
fjejrx/o0fv3GlsfPtwUulgjc/Thw1ek3R7SpBkoQsG0XwZ1u+yV+Os8KwWt
v2JPeX46hz0b1b2Dui+KEr3vPntz8vruvvqXPX8hr189/I83x68ePqBrmPXp
0/ZiR7c4efzizdMH3VXX8+jFs2cPnz9QnXGX9W7t3H12+AOeEEruvnj5+vjF
88Ond0m5fYuR5uuCMA0HEeWsFDVswKudzsro893Ry//9H9uDfv9FpxUoWH2h
nIEvF7CpGq3IJ1f6K+x3tcNnM8FLksInEzjQDBaYAMu8YtVZcZEzssNwZ+eb
P5Fm/nLAfhPFM9v7rb5BC+7dbHTWuyl1tnxnqbNS4opbK4Zptdm7v6Dp/nwP
f+h9b/Ru3PzN7yZZLhgy4+9+u3NnR0GoZXLsaMKriqhTF6YQUlipMFZJj0iL
yaS4IGdeE6tYrKRIwvPNOpevpM9X91Qj8vGOUKrx3yUpxkZMXIBMkmAqkM+o
P0ydTQTAMOUxWncP+1FDOcvupyaDQE2jUuNDEk9+fy5KeNZxPpvX1J0W/gxB
u8z4hO0dP3l2j6Bb9JUBqF2xSsRzwPvFvF7Z9QW6DiFXKjXmoM9YahN6eH90
hH2eTLM8I4JCFAvioePsNIeDPOMVZL6lpcmZcGKoaZrFdEsuXCrqjJ+LBQNK
n0sRS7SpjH7sW5oB6PTpXid/H4kBXS6RQ9Sq3j4V+Wl9Jo14QY7U2Fx1pYBO
I9JaOnhEgsamHDbUxjcWQLnwnENDEaw6kdIR1sWgOkOoSGRA23t58gSaU331
hKhjlOW8hNrrUoITDzg0JpeZKmoKi5diwinEQE86vFPLXEgYyKiQiDTLVdw5
UbfZaOiQccwsq0bvaaFZLUJXRnPVs5cAFj2bKKsboFa5Zkkan1zwKySZv84B
GMyY8i7yGpIPYyrEm46hJl7JvE4W17Z4jGudtKVpVM4e4K5yM3quHq/ytiYO
V6ac1um0MDxB366pMYZ2vN1e9/e7xqDUwHxI6zazPOygFI8dBNEbs624hI8R
gcryBWhjN3jahqCHl5rX0yXRoSY/tg7Q4EG3VN0xFS3g5asncAg5sm6xV/EJ
zEb+vwh+aixx/LIS86QYYLuYFFOC7r7OdZK/6SmrCakBh9SdBMv+MmMN/ibK
QlKOBtgXZ0XVuoaERsXchpWQAMypgaLhWbw8bUnSeZZ0LkDO2epBmuswBmlT
FLEwda9QeloAjBrUYkFd1AHuFGMcxCkVbmYFAlWEgJVk1UyUtHR6XMyuGimZ
jK3vVICcNgFSxzIk6RKKjtBiRYiFHPSZSUV3eoaDTWcTyYm4Cu8ylWu0LM98
+BE8dNbp4IDQ3cGBGuzB5vsyzuyzp0uAeNEZpB+ZW6zQo3M+mYuGwmpyuwBI
2YVGafo00W9j437DnlLfNqJ4QQscpQFhLrjbO4glHTcj9KOd5LWsUCmPWmmc
Kn7LCoV54CDOoIb1ux0EbAoy2FDUisYqkp6DbCNtbGLenlepEGSEJYYYZAQv
mSSNpytj0EeqDMQ8MNz6NrLSQNHrpNjXmDeQZg69+bhaZg+TWtLeH/eZClCX
2LW9Vfb4Dpljn50swfOPtNxrBYztgpZtRC2Scbk1qmWaM1bZg3ibNFW7E3oo
pZjzs2wLH9tmf/7xzz/Kb/R/85tt7WtElgKEpJL7LQlmjITNo6RvMVgKvBVR
jv3j7//15B9//+99uniwjyuJEHx5RNcwbCC3qIcnR8fHQ83Edxd4MEBKtJae
PVzaXLdEhXxFb1PP+CJHT7NLCrgTvUHE8xkvZaWB9CRFZORDBnE77IgblQib
KN0ncTKFQbunIhdtqF+Mbvh3gRut5URGTswked9nU8GreanuKtazmjb1R9Gc
ybC63F1sxNFIvypDL4bhduHrJtEfYnkSd3ZkpYHqy/N60WifJOY0sW/lGETI
DbXtNxWcJa+mLr3Moha2VOYYts0bxt7DoMnTTXNp0XCE+UTCqeF637Q1Jd1k
qr+q8XlXaBKJ2oWrZLDIuO1VjFvFcUoxb9R+yahINRmsPiuFWMQ9qbtXvept
VbDaA5NXLoD3gK2DU//JnZ1Husy/YDG23mTmpD7qyNKI1bWNa4y3iVW149+C
ZXUm+6RVdbtVFu1tdb6UQZv5fAljNvXXfzJDUpM5oscVZfIKibvUNO39biWw
t8g/LG9esxyxi1ISVen0fKtGTNwX046qdyXGFPQXOj2iL4qU6aMiPUEJslZ0
v+R+NYg45aHqCjRI1prbsmxU1JKMyoMwsIZe4ljLY2PiPbmch1xR10/Kaclt
V9GvJVMyKlesP2FZIO/m1YqBXLABIdmMnhWSGB18TpR0ncnU0sjUIqf0KovM
jRR8lTS7wCcf9FclMxoh5GrGq6pvIDWglFKcw06woRpHaZxpXkkuqMl6RAuf
1SSiFDUWKQkOcZOrZmfc9ZEiEip+ZZGqjM+4TrQ5K2Z0FjvPaR7kdJRiy2Ka
kRahdnSLJwWtdLh2JqBt+SmhezoVSQbYY2uZpaYkDFXNyQ1qnQ1bSW+lJF3F
lamczllAXeo2kpB69JZXWtPAvRTU1nNPVMW/mBHUi1LCojdMw7akNdX5cN9I
en+Wz6cRFqmbF+U+g2KqbJpNeIkpPC4uBMwkTx6ySoqZ5/Cvqi6KRM2BaufY
i18BCDVmy6qiWbYOap0e2es5dmOdNoE6OUVI4UxyQyhyKtFGXwjlLWo3dSR9
2HF8+PxwIajQA3kbWqU6tah0eY8nyULUJRtkomp2EXfXvs9gxO5X4lQXXYv8
Lts7q+tZdXD//sXFxTDjOR8W5el9VYmVKek+vcEAFIM30y5g4evw8qyeTnb7
NwfuPR04fzRo148YOYU/0sbiRzwatP/7t+5yQE96vAb9JL4eNHFVtmhy0qqn
7w/YLq2EyZc9vr0rdXmoquJ3P7RHBPG7vLiYiORUpV4VwHn+TmrzYQn9fZed
nmI5++wpB3If0hdw4z8UZXnFHvGsPJuXdPh4NHxGCBS8RG55NUckeVzMqwml
0X8vznIqkNdVRbXYH4rqLEvn04w9z3CVcGqBTUMxj8+Qc7EV42IC8F02Rz/P
+Gk+r9j3BIFyAkRLQ8LUWQlonGfiQjZTaNQJno5tIx6/U8t8ja7sP+HlcL42
R9EJUp5kl802FEumZueqGa0faRvT05sgeeAZw7F6NYquuN8mg7VJw6hA93Ya
0NsxZcp4Mk/0YUxTSWnHoNCL2c6KjPbNLciWtmpUYxcqclMNvBKnilLFFL9V
fEmyVCKw1vUX0jCoimwBtoDoIU9Xm8RI0+bENuRZRrNIWcuHCLk1kUOpA1FV
z4HbFKXeDanD86i4ZHA3DFHxiSry7+7q05dF66i7PWOQ0MUKSkNY3JY40Asl
mg2Q8JfnXs+J9InN8nCLNWYlmA4ToXXF6dSyAJdYxcCKOYMkO0WgPROXPIG1
prxtKxM+HeaSNAR9Jg/n2vqCrMBKRGE7mKs8YvuSDVGlKztXNQx1mElU7mpG
dVGpTcCRs2Q+nTUE4vjlfdK+vN/Mr9LMocZeGA2Al/idqPc1xJrhDXxIs8qM
po24B7sSbzBxo2GOSSB3qLk1+rhnyjZYrTwgMCyw90BjaYBoT1gwTr/VkeEu
dTmhmuLe0STD1O6xkx+e44tqbjb96aefeHV+qtOXas2OT56DzluXaZRGPBpx
/ZQkvoWgt7Um04C+fnGLUt93D/Q1YYb02T3zRkxYzLKYFzNkHitlnvyapszy
WZQyP2IWZxb+xsxKdC8eMztiNv5iWxOyZExdIpelEX14xEac7jQf3YsGckgy
PjFnsdc0cJiF6xGL8Ndmlis/ge5Fj9AgkNOwmD0i4dHYlE/TsC3mJmzk6V4O
AOIxd8xin6UBo+2XT/PEoIlPAsW44UOHR0uqgu5ba70SsSDM7p2IEkaSBhsc
Hj3ZwGiqR2s0245tz/Ft/VQLvr7d/BHZyrQb1j0emVZqdNlZUltMWc+2WWwz
z2G+bdgw6uxmN3Yjyf5n2402uiMaWkQ9Gyq7jWCoZobYLWNowFA4tDTXogaB
zUY2xRBMOBJr7WZare9jz7Et2MzPpCcVFBuuYZNgzFyfcbtnE1gpTLfypciw
j6N7xVBMILXu0UC+09jElp++t8S27mXawfAZNraY77E4ZWHIgph8JnbRtxnL
oQ8MEqUaBR/96F7mTcKpq2ebcJJDa/RWaMORzgl1qcZ6ReqvQ5+ghR59Gqw1
dzynuYZDtBKsZlCJR6+JR5YEsu8ZerO2DQobIcxw+huAmA3aFPYgNo5ZON7K
7Z0ObqFYgpglR4lXQKwFVDrqTNGAznRvxhGVMEnQgohFEcVn32WjWPcKR8wD
/NFrfDMQiy0NsWVt/HwQi63rQ4ytJBYvpkRfNmUTqvXGZCKOLJFGQpgh8NpJ
aeRSMDHR6QUUQz4eANHSdjRGARTABaBETvg4mQDC7HQbMmHJJBP35K8gEwAE
R+qLWQrqGtDS/ICFLhtHLEDMBKada5OJT9lsgUvwOBlFI3HjXMJ1yKd7eStk
6WZBRRkPLRNoHzJtw4RpZ7aOSwQsEJ9tttGY+SAhEOL2TLjMJayQ+IMPC3Fq
QBGIU3qD8TAx3BxvGu7XsIlP2+xmyAQPEF97RsHaPb6VL6WGgVaRCT+moVeS
iUbVupdpiB6ZsGXYg5JjAg8EwpS8GQtP45AMgbzxlUx8gkx8CmA3yCZGcre0
EK/hQds4vtPgjeLJKjYBJu+vwJiBqJ4tlhycaA62Ib6gSWJcGNoh9tx4gaCN
DCCRhr9yNmHWippy6tc60W3UiRrtf7ka0TgYcztJ0s+mdevZAQhP2K8QOYBq
/IlEFMMRuQ4V44CNOd1MWsK2jtRxKgNsQ+psNhYssUz5K0idQKYa00YojMlH
sShEFESXEDQVGxiLhfa28XujCtEyp0t5kvgJRbGb5XQe9nVJz2pYHRGiDUK7
sh0+ScJ8WaBoLSgMq7WcDlwgdT7bauDSqUfCRdCz4DKnS3xaCx+zKNYlS2Lj
aDYmrpFEbJRuaLWfsULENsq4YGNe35k4LqxtnAkyOxPxFawO+2trHavTym52
4oYpeqxuTPnJGVPGwlienInb5GnQSswcWdkVX1nddUpEN03ropDZ/f2ccJkT
beX7vAGcYI67BDKLiTE54DLIDEgZxljh4yz1WRJSpRQOHrgscOjCC7p1YScK
oofJ/2ppXQexjlL8rNUhNwgjkYxtM/xdOyUhRziiH/s43f947IP27FiD0w1Y
GNG5ztj+BJEYWzqabEEkAlnG+DiRgJt42HBYtOlxbYIoTBzZLBHUjCJmuG3I
2KQ6tMwjEoDC4366EE2uf84U08p67C+lWu4msUSZLnFldYlTUaYzoNMZreUR
YGddGWJjo4HUoBcYnBv0DLjMI1zMgctCtEVxyAvJYpEgNLk+hbHwF1IbEgJE
te9JCW2At/EkpzPQuPEkk0UEAZ3DrWMRUtVNL8MQPRYxks1CeQAxolMmAfbd
nB3Q9kIe17o3dArw/5lFfMHaEDzF6WPMdeTx0+c7PoLxsuObJAKahDMuY8xA
VI9ELDk4G8XSHClRCQfwdunr2G+qljFVtcAsQEm+kggyvL/JW0SExW3edbmJ
QoY99nngup9fyDj3+5j2BakM4TKRsY+ShHxvIk16KX6BS6x6RPrdppdD9EB4
2jds6Vogum66opfJYbwxeeBCOuTtWF1SXOQwwE0ifXh5hmZcDi3yE8RifB1j
Ph4VaOkUT8i3glwWbrqtvrnXZdx0ZIehF21FY1ZYXuovFNe2vLMlXpTNlf3d
lDIpHZA2L9m0WPCsHhFCNhFxN/SGlo8SsieEhJGJgp7l9ZZLntJxl4rySMcj
+Q6QL+eJCI/PaHT7BZVNPRrQ/Sfx6DYud5aOe3kOGTRc8UZFN5ayGZZm2tL0
WeIZAaEhbU7kVBICi7J9agOSHSe01do8t63Lc9CMKs1FnoE8+RmHm+S5xdxm
Od31ujyXti+FBW22+4VUZD4efq4F05sNP/Fi+MGnV9MRcvJrYNpCk496kDUD
DB0oB9SmfdnHtqnXSL1thCw1pipPuJby3xBM+S8Dpl/wvR/LsWJb+KEZh7fO
rmN6FSZOrp1dt43C9M5is+cgK8RUpvTDFb1MXsU9ZvNOyOa8KkyotDqKVszQ
jNG0Y/Zp1xJZdFBhgU55tPHlNhulMk/4G1T6bvC9IRFxd+x6yU2RKk7VE/Xy
1S2SKmV8IXkMgqvXbkdbIPAeqaLDjKQbekOzgwzHIWXhsWVCYAWpcmO68OW5
GwIb4hNolpNQaSNSkTXZyOxforb0cV++FUa12pebpNOZWfRSFbxJrHirpBtL
Gcwf9Qxpeiv9Z2US+dpYa1SQG09GDFtep+TyqfWVUX3p6tTHQ88tEqrF0CMW
Qw9CgInSsU3BaB1KO2QaWQaI7dW3RsSaAvC3BjmeLI2n8ng+SIhk2nIr8pVQ
UQVKlrg+8fKTLFV9+Vd07NCN41jEn83Alr3BIxKtlHQ7da1A/+iLdsEhZcA4
ZiJe0cvkX4lgo89PxEA3NjG0ewhXzNCM6KOQXkgEC8OdsUdOgw2yn1ClI3Qo
/Htbh7qt61rcH3ueiG+sruXTDy4c69qWv+bGUtqf+6RmSsxGBtVYSPoHfPL0
7XMtj+iZcLJ8HJgoWEHBkpg5AQUyHtB8xgHNLYppjfGIJhNc84DvZ69rGR59
O3WtlR7dnia2ll6qawUmOPr5rbUZZUvTluYZYUQZEjmtLRhYCb0phQ0Tnfeo
ygHX7x1/ZWG3Xdcyws9t1rUWwk/cDz8J/RLEhOlIHgCug2kLzcTtQdYMMLFN
iyWq1pgT86d6l/x1A3KMehUyWPsK+q+Khn2pt5Uiy0742Nvih/EroB3K47Bb
5FQOURcF8EhuVel1OL6iV+99p5GGz2dlVtujV5UQWt1P1bTwV204XE/+6iKg
RI4YAA+DeZFow+DanOpzfw3nO55ve6OFqLa14WN6nUsV+m6TUknzI6Y5Hh3K
ec1rMh0Uoh6lIrrw+UeF2CcGDg1BvzPvQLCCUuGaoOxTwh7H8od1rn4Xk4dU
2IyueVT4c9e1DH++HUa10p8bVXeG9nupKpYvuK9LVa3JwJB6pjQ81gkJGMh3
dvvOYkwOjNzhusTYoBMxphz6lVHdfl3LCD63SagWgo+/GHyCfvUVyWDVu4EN
ShtkUi3LRKz5m76QJIDlpw15S+SPXiEZjxB2wOWwIjv69RIqYG3n/wBDlqru
Bm8AAA==

-->

</rfc>
