<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-masque-connect-ethernet-10" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="CONNECT-ETHERNET">Proxying Ethernet Frames in HTTP</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-masque-connect-ethernet-10"/>
    <author initials="A. R." surname="Sedeño" fullname="Alejandro R Sedeño">
      <organization>Google LLC</organization>
      <address>
        <email>asedeno@google.com</email>
      </address>
    </author>
    <date year="2026" month="June" day="30"/>
    <area>Transport</area>
    <workgroup>Multiplexed Application Substrate over QUIC Encryption</workgroup>
    <keyword>quic</keyword>
    <keyword>http</keyword>
    <keyword>datagram</keyword>
    <keyword>VPN</keyword>
    <keyword>proxy</keyword>
    <keyword>tunnels</keyword>
    <keyword>masque</keyword>
    <keyword>http-ng</keyword>
    <keyword>layer-2</keyword>
    <keyword>ethernet</keyword>
    <abstract>
      <?line 55?>

<t>This document describes how to proxy Ethernet frames in HTTP. This protocol
is similar to IP proxying in HTTP, but for Layer 2 instead of Layer 3. More
specifically, this document defines a protocol that allows an HTTP client to
create a tunnel to exchange Layer 2 Ethernet frames through an HTTP server
with an attached physical or virtual Ethernet segment.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://ietf-wg-masque.github.io/draft-ietf-masque-connect-ethernet/draft-ietf-masque-connect-ethernet.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-masque-connect-ethernet/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        MASQUE Working Group mailing list (<eref target="mailto:masque@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/masque/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/masque/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/ietf-wg-masque/draft-ietf-masque-connect-ethernet"/>.</t>
    </note>
  </front>
  <middle>
    <?line 64?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>HTTP provides the CONNECT method (see <xref section="9.3.6" sectionFormat="of" target="HTTP"/>) for
creating a TCP <xref target="TCP"/> tunnel to a destination, a similar mechanism for
UDP <xref target="CONNECT-UDP"/>, and an additional mechanism for IP
<xref target="CONNECT-IP"/>. However, these mechanisms can't carry Layer 2 frames
without further encapsulation inside of IP, for instance with EtherIP
<xref target="ETHERIP"/> or L2TP <xref target="L2TP"/> <xref target="L2TPv3"/>, which
consume additional header bytes, reducing the available MTU.</t>
      <t>This document describes a protocol for exchanging IEEE 802.3 <xref target="IEEE802.3"/>
Ethernet frames with an HTTP server. Either participant in the HTTP connection
can then relay Ethernet frames to and from a local or virtual interface. This
can be used by a node to support remote bridging of two Ethernet broadcast
domains to establish a Layer 2 VPN. This can simplify connectivity to
network-connected appliances that are configured to only interact with peers
connected to the same Ethernet broadcast domain.</t>
      <t>This protocol supports all existing versions of HTTP by using HTTP Datagrams
<xref target="HTTP-DGRAM"/>. When using HTTP/2 <xref target="H2"/> or HTTP/3 <xref target="H3"/>, it uses
HTTP Extended CONNECT as described in <xref target="EXT-CONNECT2"/> and
<xref target="EXT-CONNECT3"/>. When using HTTP/1.x <xref target="H1"/>, it uses HTTP Upgrade as
defined in <xref section="7.8" sectionFormat="of" target="HTTP"/>.</t>
      <t>This protocol necessarily incurs additional encapsulation overhead. When
possible, users should use higher-level proxying protocols, such as
<xref target="CONNECT-IP"/> or <xref target="CONNECT-UDP"/>.</t>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>In this document, we use the term "Ethernet proxy" to refer to the HTTP server
that responds to the Ethernet proxying request. The term "client" is used in the
HTTP sense; the client constructs the Ethernet proxying request. If there are
HTTP intermediaries (as defined in <xref section="3.7" sectionFormat="of" target="HTTP"/>) between the client
and the Ethernet proxy, those are referred to as "intermediaries" in this
document. The term "Ethernet proxying endpoints" refers to both the client and
the Ethernet proxy.</t>
      <t>This document uses terminology from <xref target="QUIC"/>. Where this document
defines protocol types, the definition format uses the notation from <xref section="1.3" sectionFormat="of" target="QUIC"/>. This specification uses the variable-length integer encoding
from <xref section="16" sectionFormat="of" target="QUIC"/>. Variable-length integer values do not
need to be encoded in the minimum number of bytes necessary.</t>
      <t>Note that, when the HTTP version in use does not support multiplexing streams
(such as HTTP/1.1), any reference to "stream" in this document represents the
entire connection.</t>
    </section>
    <section anchor="client-config">
      <name>Configuration of Clients</name>
      <t>Clients are configured to use Ethernet proxying over HTTP via a URI Template
<xref target="TEMPLATE"/>. The URI Templates used by this protocol do not require
any variables; implementations or extensions <bcp14>MAY</bcp14> specify their own. URI
Templates specified for this protocol <bcp14>MAY</bcp14> use the well-known location
<xref target="WELL-KNOWN"/> registered by this document.</t>
      <t>Examples are shown below:</t>
      <artwork><![CDATA[
https://example.org/.well-known/masque/ethernet/
https://proxy.example.org:4443/masque/ethernet/
https://masque.example.org/?user=bob
]]></artwork>
      <t>An implementation that supports connecting to multiple Ethernet segments might
add a "vlan-identifier" variable to specify which segment to connect to. The
optionality of variables needs to be considered when defining the template so
that variables are either self-identifying or possible to exclude in the syntax.
How valid values for such variables are communicated to the client is not a part
of this protocol.</t>
      <t>Hypothetical examples are shown below:</t>
      <artwork><![CDATA[
https://proxy.example.org:4443/masque/ethernet?vlan={vlan-identifier}
https://etherproxy.example.org/{vlan-identifier}
]]></artwork>
      <t>The following requirements apply to the URI Template:</t>
      <ul spacing="normal">
        <li>
          <t>The URI Template <bcp14>MUST</bcp14> be a level 3 template or lower.</t>
        </li>
        <li>
          <t>The URI Template <bcp14>MUST</bcp14> be in absolute form and <bcp14>MUST</bcp14> include non-empty scheme,
authority, and path components.</t>
        </li>
        <li>
          <t>The path component of the URI Template <bcp14>MUST</bcp14> start with a slash "/".</t>
        </li>
        <li>
          <t>All template variables <bcp14>MUST</bcp14> be within the path or query components of the URI.</t>
        </li>
        <li>
          <t>The URI Template <bcp14>MUST NOT</bcp14> contain any non-ASCII Unicode characters and <bcp14>MUST</bcp14>
only contain ASCII characters in the range 0x21-0x7E inclusive (note that
percent-encoding is allowed; see <xref section="2.1" sectionFormat="of" target="URI"/>).</t>
        </li>
        <li>
          <t>The URI Template <bcp14>MUST NOT</bcp14> use Reserved Expansion ("+" operator), Fragment
Expansion ("#" operator), Label Expansion with Dot-Prefix, Path Segment
Expansion with Slash-Prefix, nor Path-Style Parameter Expansion with
Semicolon-Prefix.</t>
        </li>
      </ul>
      <t>Clients <bcp14>SHOULD</bcp14> validate the requirements above; however, clients <bcp14>MAY</bcp14> use a
general-purpose URI Template implementation that lacks this specific
validation. If a client detects that any of the requirements above are not met
by a URI Template, the client <bcp14>MUST</bcp14> reject its configuration and abort the
request without sending it to the Ethernet proxy.</t>
    </section>
    <section anchor="tunnelling-ethernet-frames-over-http">
      <name>Tunnelling Ethernet frames over HTTP</name>
      <t>To allow negotiation of a tunnel for Ethernet frames over HTTP, this document
defines the "connect-ethernet" HTTP upgrade token. The resulting Ethernet
tunnels use the Capsule Protocol (see <xref section="3.2" sectionFormat="of" target="HTTP-DGRAM"/>) with HTTP
Datagrams in the format defined in <xref target="payload-format"/>.</t>
      <t>To initiate an Ethernet tunnel associated with a single HTTP stream, a client
issues a request containing the "connect-ethernet" upgrade token.</t>
      <t>By virtue of the definition of the Capsule Protocol (see <xref section="3.2" sectionFormat="of" target="HTTP-DGRAM"/>), Ethernet proxying requests do not carry any message content.
Similarly, successful Ethernet proxying responses also do not carry any message
content.</t>
      <t>Ethernet proxying over HTTP <bcp14>MUST</bcp14> be operated over TLS or QUIC encryption, or another
equivalent encryption protocol, to provide confidentiality, integrity, and
authentication.</t>
      <section anchor="ethernet-proxy-handling">
        <name>Ethernet Proxy Handling</name>
        <t>Upon receiving an Ethernet proxying request:</t>
        <ul spacing="normal">
          <li>
            <t>If the recipient is configured to use another HTTP proxy, it will act as an
intermediary by forwarding the request to another HTTP server. Note that
such intermediaries may need to re-encode the request if they forward it
using a version of HTTP that is different from the one used to receive it,
as the request encoding differs by version (see below).</t>
          </li>
          <li>
            <t>Otherwise, the recipient will act as an Ethernet proxy. The Ethernet proxy
can choose to reject the Ethernet proxying request or establish an Ethernet
tunnel.</t>
          </li>
        </ul>
        <t>The lifetime of the Ethernet tunnel is tied to the Ethernet proxying request
stream.</t>
        <t>A successful response (as defined in Sections <xref format="counter" target="resp1"/> and <xref format="counter" target="resp23"/>)
indicates that the Ethernet proxy has established an Ethernet tunnel and is
willing to proxy Ethernet frames. Any response other than a successful response
indicates that the request has failed; thus, the client <bcp14>MUST</bcp14> abort the request.</t>
      </section>
      <section anchor="req1">
        <name>HTTP/1.1 Request</name>
        <t>When using HTTP/1.1 <xref target="H1"/>, an Ethernet proxying request will meet the following
requirements:</t>
        <ul spacing="normal">
          <li>
            <t>The method <bcp14>SHALL</bcp14> be "GET".</t>
          </li>
          <li>
            <t>The request <bcp14>SHALL</bcp14> include a single Host header field containing the host
and optional port of the Ethernet proxy.</t>
          </li>
          <li>
            <t>The request <bcp14>SHALL</bcp14> include a Connection header field with value "Upgrade"
(note that this requirement is case-insensitive as per <xref section="7.6.1" sectionFormat="of" target="HTTP"/>).</t>
          </li>
          <li>
            <t>The request <bcp14>SHALL</bcp14> include an Upgrade header field with value "connect-ethernet".</t>
          </li>
        </ul>
        <t>An Ethernet proxying request that does not conform to these restrictions is
malformed. The recipient of such a malformed request <bcp14>MUST</bcp14> respond with an error
and <bcp14>SHOULD</bcp14> use the 400 (Bad Request) status code.</t>
        <t>For example, if the client is configured with the URI Template
"https://example.org/.well-known/masque/ethernet/" and wishes to open an
Ethernet tunnel, it could send the following request.</t>
        <figure anchor="fig-req-h1">
          <name>Example HTTP/1.1 Request</name>
          <sourcecode type="http-message"><![CDATA[
GET https://example.org/.well-known/masque/ethernet/ HTTP/1.1
Host: example.org
Connection: Upgrade
Upgrade: connect-ethernet
Capsule-Protocol: ?1
]]></sourcecode>
        </figure>
      </section>
      <section anchor="resp1">
        <name>HTTP/1.1 Response</name>
        <t>The server indicates success by replying with a response that conforms to the
following requirements:</t>
        <ul spacing="normal">
          <li>
            <t>The HTTP status code on the response <bcp14>SHALL</bcp14> be 101 (Switching Protocols).</t>
          </li>
          <li>
            <t>The response <bcp14>SHALL</bcp14> include a Connection header field with value "Upgrade"
(note that this requirement is case-insensitive as per <xref section="7.6.1" sectionFormat="of" target="HTTP"/>).</t>
          </li>
          <li>
            <t>The response <bcp14>SHALL</bcp14> include a single Upgrade header field with value
"connect-ethernet".</t>
          </li>
          <li>
            <t>The response <bcp14>SHALL</bcp14> meet the requirements of HTTP responses that start the
Capsule Protocol; see <xref section="3.2" sectionFormat="of" target="HTTP-DGRAM"/>.</t>
          </li>
        </ul>
        <t>If any of these requirements are not met, the client <bcp14>MUST</bcp14> treat this proxying
attempt as failed and close the connection.</t>
        <t>For example, the server could respond with:</t>
        <figure anchor="fig-resp-h1">
          <name>Example HTTP/1.1 Response</name>
          <sourcecode type="http-message"><![CDATA[
HTTP/1.1 101 Switching Protocols
Connection: Upgrade
Upgrade: connect-ethernet
Capsule-Protocol: ?1
]]></sourcecode>
        </figure>
      </section>
      <section anchor="req23">
        <name>HTTP/2 and HTTP/3 Requests</name>
        <t>When using HTTP/2 <xref target="H2"/> or HTTP/3 <xref target="H3"/>, Ethernet proxying requests use HTTP
Extended CONNECT. This requires that servers send an HTTP Setting as specified
in <xref target="EXT-CONNECT2"/> and <xref target="EXT-CONNECT3"/> and that requests use HTTP
pseudo-header fields with the following requirements:</t>
        <ul spacing="normal">
          <li>
            <t>The :method pseudo-header field <bcp14>SHALL</bcp14> be "CONNECT".</t>
          </li>
          <li>
            <t>The :protocol pseudo-header field <bcp14>SHALL</bcp14> be "connect-ethernet".</t>
          </li>
          <li>
            <t>The :authority pseudo-header field <bcp14>SHALL</bcp14> contain the authority of the IP
proxy.</t>
          </li>
          <li>
            <t>The :path and :scheme pseudo-header fields <bcp14>SHALL NOT</bcp14> be empty. Their values
<bcp14>SHALL</bcp14> contain the scheme and path from the configured URI Template; see
<xref target="client-config"/>.</t>
          </li>
        </ul>
        <t>An Ethernet proxying request that does not conform to these restrictions is
malformed; see <xref section="8.1.1" sectionFormat="of" target="H2"/> and <xref section="4.1.2" sectionFormat="of" target="H3"/>.</t>
        <t>For example, if the client is configured with the URI Template
"https://example.org/.well-known/masque/ethernet/" and wishes to open an
Ethernet tunnel, it could send the following request.</t>
        <figure anchor="fig-req-h2">
          <name>Example HTTP/2 or HTTP/3 Request</name>
          <sourcecode type="http-message"><![CDATA[
HEADERS
:method = CONNECT
:protocol = connect-ethernet
:scheme = https
:path = /.well-known/masque/ethernet/
:authority = example.org
capsule-protocol = ?1
]]></sourcecode>
        </figure>
      </section>
      <section anchor="resp23">
        <name>HTTP/2 and HTTP/3 Responses</name>
        <t>The server indicates success by replying with a response that conforms to the
following requirements:</t>
        <ul spacing="normal">
          <li>
            <t>The HTTP status code on the response <bcp14>SHALL</bcp14> be in the 2xx (Successful) range.</t>
          </li>
          <li>
            <t>The response <bcp14>SHALL</bcp14> meet the requirements of HTTP responses that start the
Capsule Protocol; see <xref section="3.2" sectionFormat="of" target="HTTP-DGRAM"/>.</t>
          </li>
        </ul>
        <t>If any of these requirements are not met, the client <bcp14>MUST</bcp14> treat this proxying
attempt as failed and abort the request. As an example, any status code in the
3xx range will be treated as a failure and cause the client to abort the
request.</t>
        <t>For example, the server could respond with:</t>
        <figure anchor="fig-resp-h2">
          <name>Example HTTP/2 or HTTP/3 Response</name>
          <sourcecode type="http-message"><![CDATA[
HEADERS
:status = 200
capsule-protocol = ?1
]]></sourcecode>
        </figure>
      </section>
    </section>
    <section anchor="context-identifiers">
      <name>Context Identifiers</name>
      <t>The mechanism for proxying Ethernet frames in HTTP defined in this document
allows future extensions to exchange HTTP Datagrams that have different
semantics, similar to the extension mechanisms specified in <xref section="5" sectionFormat="of" target="CONNECT-IP"/>. Some of these extensions could augment Ethernet payloads with
additional data or compress Ethernet frame header fields. To provide this
extension point, all HTTP Datagrams associated with Ethernet proxying request
streams start with a Context ID field; see <xref target="payload-format"/>.</t>
      <t>Context IDs are 62-bit integers (0-2<sup>62</sup>-1). Context IDs are encoded as
variable-length integers; see <xref section="16" sectionFormat="of" target="QUIC"/>. The Context ID value of 0
is reserved for Ethernet payloads, while non-zero values are dynamically
allocated. Non-zero even-numbered Context-IDs are client allocated, and
odd-numbered Context IDs are proxy-allocated. The Context ID namespace is tied
to a given HTTP request; it is possible for a Context ID with the same numeric
value to be simultaneously allocated in distinct requests, potentially with
different semantics. Context IDs <bcp14>MUST NOT</bcp14> be re-allocated within a given HTTP
request but <bcp14>MAY</bcp14> be allocated in any order. The Context ID allocation
restrictions to the use of even-numbered and odd-numbered Context IDs exist in
order to avoid the need for synchronization between endpoints. However, once a
Context ID has been allocated, those restrictions do not apply to the use of the
Context ID; it can be used by either the client or the Ethernet proxy,
independent of which endpoint initially allocated it.</t>
      <t>Registration is the action by which an endpoint informs its peer of the
semantics and format of a given Context ID. This document does not define how
registration occurs. Future extensions <bcp14>MAY</bcp14> use HTTP header fields or capsules
to register Context IDs. Depending on the method being used, it is possible for
datagrams to be received with Context IDs that have not yet been registered.
For instance, this can be due to reordering of the packet containing the
datagram and the packet containing the registration message during transmission.</t>
    </section>
    <section anchor="payload-format">
      <name>HTTP Datagram Payload Format</name>
      <t>When associated with Ethernet proxying request streams, the HTTP Datagram
Payload field of HTTP Datagrams (see <xref target="HTTP-DGRAM"/>) has the format defined in
<xref target="dgram-format"/>. Note that when HTTP Datagrams are encoded using QUIC DATAGRAM
frames, the Context ID field defined below directly follows the Quarter Stream
ID field which is at the start of the QUIC DATAGRAM frame payload.</t>
      <figure anchor="dgram-format">
        <name>Ethernet Proxying HTTP Datagram Format</name>
        <artwork><![CDATA[
Ethernet Proxying HTTP Datagram Payload {
  Context ID (i),
  Payload (..),
}
]]></artwork>
      </figure>
      <t>The Ethernet Proxying HTTP Datagram Payload contains the following fields:</t>
      <dl spacing="compact">
        <dt>Context ID:</dt>
        <dd>
          <t>A variable-length integer that contains the value of the Context ID. If an
HTTP/3 datagram which carries an unknown Context ID is received, the receiver
<bcp14>SHALL</bcp14> either drop that datagram silently or buffer it temporarily (on the order
of a round trip) while awaiting the registration of the corresponding Context
ID.</t>
        </dd>
        <dt>Payload:</dt>
        <dd>
          <t>The payload of the datagram, whose semantics depend on value of the previous
field. Note that this field can be empty.</t>
        </dd>
      </dl>
      <t>Ethernet frames are encoded using HTTP Datagrams with the Context ID set to
zero. When the Context ID is set to zero, the Payload field contains a full
Layer 2 Ethernet Frame (from the MAC destination field until the last byte of
the Frame check sequence field), as defined by IEEE 802.3 <xref target="IEEE802.3"/>. A
complete frame could include include an IEEE 802.1Q <xref target="IEEE802.1Q"/> tag (see
<xref target="vlan-recommendations"/>).</t>
      <t>The Frame check sequence field is included in the proxied Ethernet frame rather
than being omitted and recomputed by the Ethernet proxying endpoints for
simplicity and to reduce compute requirements, though a future extension could
introduce a different encoding.</t>
      <t>If an Ethernet proxy receives an HTTP Datagram before it has received the
corresponding request, it <bcp14>SHALL</bcp14> either drop that HTTP Datagram silently or
buffer it temporarily (on the order of a round trip) while awaiting the
corresponding request.</t>
      <t>Note that buffering datagrams (either because the request was not yet received
or because the Context ID is not yet known) consumes resources. Receivers that
buffer datagrams <bcp14>SHOULD</bcp14> apply buffering limits in order to reduce the risk of
resource exhaustion occurring. For example, receivers can limit the total number
of buffered datagrams or the cumulative size of buffered datagrams on a
per-stream, per-context, or per-connection basis.</t>
    </section>
    <section anchor="ethernet-frame-handling">
      <name>Ethernet Frame Handling</name>
      <t>This document defines a tunnelling mechanism that is conceptually an Ethernet
link. An Ethernet proxying connection established between two Ethernet proxying
endpoints emulates a single Ethernet link between those two endpoints. This
provides an Ethernet MAC service that will deliver each Ethernet frame that is
received at the ingress to the egress at the other end of the tunnel.</t>
      <t>Endpoints implementing this mechanism might need to handle some of the
responsibilities of an Ethernet switch or bridge if they do not delegate them to
another component of the endpoint such as a kernel. Those responsibilities are
beyond the scope of this document, and include, but are not limited to, the
handling of broadcast packets and multicast groups, topological loop prevention
using a spanning tree protocol (STP, RSTP, etc.) <xref target="IEEE802.1Q"/>, or the local
termination of PAUSE frames.</t>
      <t>Implementations <bcp14>SHOULD</bcp14> be aware of physical topology and work to prevent
loops. Strategies could include implementing STP or RSTP, or delegating that
responsibility to a dedicated ethernet-handling device.</t>
      <t>If an Ethernet proxying endpoint fails to deliver a frame to an underlying
Ethernet segment, the endpoint <bcp14>MUST</bcp14> drop the frame.</t>
    </section>
    <section anchor="examples">
      <name>Examples</name>
      <t>Ethernet proxying in HTTP enables the bridging of Ethernet broadcast domains.
These examples are provided to help illustrate some of the ways in which Ethernet
proxying can be used.</t>
      <section anchor="example-remote">
        <name>Remote Access L2VPN</name>
        <t>The following example shows a point to point VPN setup where a client
appears to be connected to a remote Layer 2 network.</t>
        <figure anchor="diagram-tunnel">
          <name>L2VPN Tunnel Setup</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="128" width="520" viewBox="0 0 520 128" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 8,32 L 8,96" fill="none" stroke="black"/>
                <path d="M 80,32 L 80,96" fill="none" stroke="black"/>
                <path d="M 248,32 L 248,96" fill="none" stroke="black"/>
                <path d="M 320,32 L 320,96" fill="none" stroke="black"/>
                <path d="M 424,32 L 424,96" fill="none" stroke="black"/>
                <path d="M 8,32 L 80,32" fill="none" stroke="black"/>
                <path d="M 248,32 L 320,32" fill="none" stroke="black"/>
                <path d="M 424,32 L 456,32" fill="none" stroke="black"/>
                <path d="M 80,48 L 248,48" fill="none" stroke="black"/>
                <path d="M 88,64 L 104,64" fill="none" stroke="black"/>
                <path d="M 224,64 L 240,64" fill="none" stroke="black"/>
                <path d="M 320,64 L 456,64" fill="none" stroke="black"/>
                <path d="M 80,80 L 248,80" fill="none" stroke="black"/>
                <path d="M 8,96 L 80,96" fill="none" stroke="black"/>
                <path d="M 248,96 L 320,96" fill="none" stroke="black"/>
                <path d="M 424,96 L 456,96" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="464,96 452,90.4 452,101.6" fill="black" transform="rotate(0,456,96)"/>
                <polygon class="arrowhead" points="464,64 452,58.4 452,69.6" fill="black" transform="rotate(0,456,64)"/>
                <polygon class="arrowhead" points="464,32 452,26.4 452,37.6" fill="black" transform="rotate(0,456,32)"/>
                <polygon class="arrowhead" points="96,64 84,58.4 84,69.6" fill="black" transform="rotate(180,88,64)"/>
                <g class="text">
                  <text x="484" y="36">HOST</text>
                  <text x="512" y="36">1</text>
                  <text x="284" y="52">L2</text>
                  <text x="360" y="52">Layer</text>
                  <text x="392" y="52">2</text>
                  <text x="44" y="68">Client</text>
                  <text x="128" y="68">Layer</text>
                  <text x="160" y="68">2</text>
                  <text x="196" y="68">Tunnel</text>
                  <text x="288" y="68">Proxy</text>
                  <text x="484" y="68">HOST</text>
                  <text x="512" y="68">2</text>
                  <text x="376" y="84">Broadcast</text>
                  <text x="364" y="100">Domain</text>
                  <text x="484" y="100">HOST</text>
                  <text x="512" y="100">3</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
+--------+                    +--------+            +---> HOST 1
|        +--------------------+   L2   |  Layer 2   |
| Client |<--Layer 2 Tunnel---|  Proxy +------------+---> HOST 2
|        +--------------------+        |  Broadcast |
+--------+                    +--------+  Domain    +---> HOST 3

]]></artwork>
          </artset>
        </figure>
        <t>In this case, the client connects to the Ethernet proxy and immediately can
start sending Ethernet frames to the attached broadcast domain.</t>
        <figure anchor="fig-full-tunnel">
          <name>VPN Full-Tunnel Example</name>
          <artwork><![CDATA[
[[ From Client ]]             [[ From Ethernet Proxy ]]

SETTINGS
  H3_DATAGRAM = 1

                              SETTINGS
                                ENABLE_CONNECT_PROTOCOL = 1
                                H3_DATAGRAM = 1

STREAM(44): HEADERS
:method = CONNECT
:protocol = connect-ethernet
:scheme = https
:path = /.well-known/masque/ethernet/
:authority = proxy.example.com
capsule-protocol = ?1

                              STREAM(44): HEADERS
                              :status = 200
                              capsule-protocol = ?1

DATAGRAM
Quarter Stream ID = 11
Context ID = 0
Payload = Encapsulated Ethernet Frame

                              DATAGRAM
                              Quarter Stream ID = 11
                              Context ID = 0
                              Payload = Encapsulated Ethernet Frame
]]></artwork>
        </figure>
      </section>
      <section anchor="site-to-site-l2vpn">
        <name>Site-to-Site L2VPN</name>
        <t>The following example shows a site-to-site VPN setup where a client
joins a locally attached broadcast domain to a remote broadcast domain
through the Proxy.</t>
        <figure anchor="diagram-s2s">
          <name>Site-to-site L2VPN Example</name>
          <artset>
            <artwork type="svg"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="256" width="432" viewBox="0 0 432 256" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 80,32 L 80,96" fill="none" stroke="black"/>
                <path d="M 96,96 L 96,192" fill="none" stroke="black"/>
                <path d="M 152,32 L 152,96" fill="none" stroke="black"/>
                <path d="M 280,32 L 280,96" fill="none" stroke="black"/>
                <path d="M 336,96 L 336,192" fill="none" stroke="black"/>
                <path d="M 352,32 L 352,96" fill="none" stroke="black"/>
                <path d="M 80,32 L 152,32" fill="none" stroke="black"/>
                <path d="M 280,32 L 352,32" fill="none" stroke="black"/>
                <path d="M 152,48 L 280,48" fill="none" stroke="black"/>
                <path d="M 160,64 L 176,64" fill="none" stroke="black"/>
                <path d="M 256,64 L 272,64" fill="none" stroke="black"/>
                <path d="M 152,80 L 280,80" fill="none" stroke="black"/>
                <path d="M 80,96 L 152,96" fill="none" stroke="black"/>
                <path d="M 280,96 L 352,96" fill="none" stroke="black"/>
                <path d="M 64,128 L 96,128" fill="none" stroke="black"/>
                <path d="M 336,128 L 368,128" fill="none" stroke="black"/>
                <path d="M 64,160 L 96,160" fill="none" stroke="black"/>
                <path d="M 336,160 L 368,160" fill="none" stroke="black"/>
                <path d="M 64,192 L 96,192" fill="none" stroke="black"/>
                <path d="M 336,192 L 368,192" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="376,192 364,186.4 364,197.6" fill="black" transform="rotate(0,368,192)"/>
                <polygon class="arrowhead" points="376,160 364,154.4 364,165.6" fill="black" transform="rotate(0,368,160)"/>
                <polygon class="arrowhead" points="376,128 364,122.4 364,133.6" fill="black" transform="rotate(0,368,128)"/>
                <polygon class="arrowhead" points="72,192 60,186.4 60,197.6" fill="black" transform="rotate(180,64,192)"/>
                <polygon class="arrowhead" points="72,160 60,154.4 60,165.6" fill="black" transform="rotate(180,64,160)"/>
                <polygon class="arrowhead" points="72,128 60,122.4 60,133.6" fill="black" transform="rotate(180,64,128)"/>
                <g class="text">
                  <text x="316" y="52">L2</text>
                  <text x="116" y="68">Client</text>
                  <text x="188" y="68">L2</text>
                  <text x="228" y="68">Tunnel</text>
                  <text x="320" y="68">Proxy</text>
                  <text x="20" y="132">HOST</text>
                  <text x="48" y="132">A</text>
                  <text x="128" y="132">Layer</text>
                  <text x="160" y="132">2</text>
                  <text x="288" y="132">Layer</text>
                  <text x="320" y="132">2</text>
                  <text x="396" y="132">HOST</text>
                  <text x="424" y="132">1</text>
                  <text x="144" y="148">Broadcast</text>
                  <text x="288" y="148">Broadcast</text>
                  <text x="20" y="164">HOST</text>
                  <text x="48" y="164">B</text>
                  <text x="132" y="164">Domain</text>
                  <text x="300" y="164">Domain</text>
                  <text x="396" y="164">HOST</text>
                  <text x="424" y="164">2</text>
                  <text x="20" y="196">HOST</text>
                  <text x="48" y="196">C</text>
                  <text x="396" y="196">HOST</text>
                  <text x="424" y="196">3</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art"><![CDATA[
         +--------+               +--------+
         |        +---------------+   L2   |
         | Client |---L2 Tunnel---|  Proxy |
         |        +---------------+        |
         +-+------+               +------+-+
           |                             |
HOST A <---+ Layer 2             Layer 2 +---> HOST 1
           | Broadcast         Broadcast |
HOST B <---+ Domain               Domain +---> HOST 2
           |                             |
HOST C <---+                             +---> HOST 3



]]></artwork>
          </artset>
        </figure>
        <t>In this case, the client connects to the Ethernet proxy and immediately can
start relaying Ethernet frames from its attached broadcast domain to the
proxy. The difference between this example and <xref target="example-remote"/> is limited to
what the Client is doing with the tunnel; the exchange between the Client and
the Proxy is the same as in <xref target="fig-full-tunnel"/> above.</t>
      </section>
    </section>
    <section anchor="performance-considerations">
      <name>Performance Considerations</name>
      <t>When the protocol running inside the tunnel uses congestion control (e.g.,
<xref target="TCP"/> or <xref target="QUIC"/>), the proxied traffic will incur at least two nested
congestion controllers. Implementers will benefit from reading the guidance in
<xref section="3.1.11" sectionFormat="of" target="UDP-USAGE"/>. By default, the tunneling of Ethernet
frames <bcp14>MUST NOT</bcp14> assume that the carried Ethernet frames contain congestion
controlled traffic. Optimizations for traffic flows carried within the Ethernet
Frames <bcp14>MAY</bcp14> be done in cases where the content of the Ethernet Frames have been
identified to be congestion controlled traffic.</t>
      <t>Some implementations might find it benefitial to maintain a small buffer of
frames to be sent through the tunnel to smooth out short term variations and
bursts in tunnel capacity. As such a buffer is limited, Ethernet frames can get
dropped when the buffer limit is exceeded.</t>
      <t>When the protocol running inside the tunnel uses loss recovery (e.g., <xref target="TCP"/> or
<xref target="QUIC"/>) and the outer HTTP connection runs over TCP, the proxied traffic will
incur at least two nested loss recovery mechanisms. This can reduce performance,
as both can sometimes independently retransmit the same data. To avoid this,
Ethernet proxying <bcp14>SHOULD</bcp14> be performed over HTTP/3 to allow leveraging the QUIC
DATAGRAM frame.</t>
      <section anchor="mtu-and-frame-ordering-considerations">
        <name>MTU and Frame Ordering Considerations</name>
        <t>When using HTTP/3 with the QUIC Datagram extension <xref target="QUIC-DGRAM"/>,
Ethernet frames can be transmitted in QUIC DATAGRAM frames. Since DATAGRAM
frames cannot be fragmented, they can only carry Ethernet frames up to a given
length determined by the QUIC connection configuration and the Path MTU
(PMTU). Implementations <bcp14>MAY</bcp14> rely on <xref target="QUIC"/>'s use of <xref target="DPLPMTUD"/> to
probe and discover the PMTU over the connection's lifetime, and adjust any
associated interface MTU as needed. Furthermore, the UDP packets carrying these
frames could be reordered by the network.</t>
        <t>When using HTTP/1.1 or HTTP/2, and when using HTTP/3 without the QUIC Datagram
extension <xref target="QUIC-DGRAM"/>, Ethernet frames are transmitted in DATAGRAM capsules as
defined in <xref target="HTTP-DGRAM"/>. DATAGRAM capsules are transmitted reliably over an
underlying stream, maintaining frame order, though they could be split across
multiple QUIC or TCP packets.</t>
        <t>The trade-off between supporting a larger MTU and avoiding fragmentation should
be considered when deciding what mode(s) to operate in. Implementations <bcp14>SHOULD
NOT</bcp14> intentionally reorder Ethernet frames, but are not required to provide
guaranteed in-order delivery. If in-order delivery of Ethernet frames is
required, DATAGRAM capsules can be used.</t>
      </section>
      <section anchor="vlan-recommendations">
        <name>IEEE 802.1Q tagging</name>
        <t>When the proxy transports Etherent frames that carry an IEEE 802.1Q
<xref target="IEEE802.1Q"/> VLAN tag, these are by default transparently forwarded through
the tunnel. When the tunnel ingress and/or egress interprets the tags, there
must be agreement (signaled or manually configured) on how to consistently
process each tag at the ingress and the egress. The procedure for this
signalling/configuration is not defined in this document.</t>
        <t>A proxy that is used to access to multiple VLANs <bcp14>MAY</bcp14> map each individual
VLAN to a distinct URI, such that each Ethernet proxying request is
associated with only one VLAN. This provides flexibility in forwarding,
while meeting the requirements for the relative priority and ordering
between frames associated with a VLAN. To reduce overhead, the IEEE 802.1Q
field could be stripped and, when required, could be reapplied at the egress
associating the frame with the appropriate priority and VLAN.</t>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>There are risks in allowing arbitrary clients to establish a tunnel to a Layer 2
network. Bad actors could abuse this capability to attack hosts on that network
that they would otherwise be unable to reach. HTTP servers that support Ethernet
proxying <bcp14>SHOULD</bcp14> restrict its use to authenticated users. Depending on the
deployment, possible authentication mechanisms include mutual TLS between IP
proxying endpoints, HTTP-based authentication via the HTTP Authorization header
field <xref target="HTTP"/>, or even bearer tokens. Proxies can enforce policies for
authenticated users to further constrain client behavior or deal with possible
abuse. For example, proxies can rate limit individual clients that send an
excessively large amount of traffic through the proxy.</t>
      <t>Users of this protocol may send arbitrary Ethernet frames through the tunnel,
including frames with arbitrary source MAC addresses. This could allow
impersonation of other hosts, poisoning of ARP <xref target="RFC826"/>, NDP <xref target="RFC4861"/> and
CAM (Content Addressable Memory) tables, and cause a denial of service to other
hosts on the network. These are the same attacks available to an arbitrary
client with physical access to the network. An implementation that is intended
for point-to-site connections might limit clients to a single source MAC
address, or Ethernet proxying endpoints might be configured to limit forwarding
to pre-configured MAC addresses, or clients could be authenticated by
<xref target="IEEE802.1X"/> Port Based Network Access Control, though such filtering is outside
the scope of this protocol. Dynamic signalling or negotiation of MAC address
filtering is left to future extensions.</t>
      <t>This protocol is agnostic to where on the Ethernet segment a gateway for
higher-level routing might be located. A client may connect via an Ethernet
proxy and discover an existing gateway on the Ethernet segment, supply a new
gateway to the Ethernet segment, both, or neither.</t>
      <t>Opportunistic sending of Ethernet frames is not allowed in HTTP/1.x because a
server could reject the HTTP Upgrade and attempt to parse the Ethernet frames as
a subsequent HTTP request, allowing request smuggling attacks; see
<xref target="OPTIMISTIC"/>. In particular, an intermediary that re-encodes a request
from HTTP/2 or 3 to HTTP/1.1 <bcp14>MUST NOT</bcp14> forward any received capsules until it has
parsed a successful Ethernet proxying response.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <section anchor="http-upgrade-token">
        <name>HTTP Upgrade Token</name>
        <t>This document will request IANA to register "connect-ethernet" in the HTTP
Upgrade Token Registry maintained at
&lt;<eref target="https://www.iana.org/assignments/http-upgrade-tokens"/>&gt;.</t>
        <dl spacing="compact">
          <dt>Value:</dt>
          <dd>
            <t>connect-ethernet</t>
          </dd>
          <dt>Description:</dt>
          <dd>
            <t>Proxying of Ethernet Payloads</t>
          </dd>
          <dt>Expected Version Tokens:</dt>
          <dd>
            <t>None</t>
          </dd>
          <dt>References:</dt>
          <dd>
            <t>This document</t>
          </dd>
        </dl>
      </section>
      <section anchor="iana-suffix">
        <name>Updates to the MASQUE URI Suffixes Registry</name>
        <t>This document will request IANA to register "ethernet" in the MASQUE URI
Suffixes Registry maintained at &lt;<eref target="https://www.iana.org/assignments/masque"/>&gt;,
created by <xref section="12.2" sectionFormat="of" target="CONNECT-IP"/>.</t>
        <table anchor="iana-suffixes-table">
          <name>New MASQUE URI Suffixes</name>
          <thead>
            <tr>
              <th align="left">Path Segment</th>
              <th align="left">Description</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">ethernet</td>
              <td align="left">Ethernet Proxying</td>
              <td align="left">This Document</td>
            </tr>
          </tbody>
        </table>
      </section>
    </section>
  </middle>
  <back>
    <displayreference target="H1" to="HTTP/1.1"/>
    <displayreference target="H2" to="HTTP/2"/>
    <displayreference target="H3" to="HTTP/3"/>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="H1">
          <front>
            <title>HTTP/1.1</title>
            <author fullname="R. Fielding" initials="R." role="editor" surname="Fielding"/>
            <author fullname="M. Nottingham" initials="M." role="editor" surname="Nottingham"/>
            <author fullname="J. Reschke" initials="J." role="editor" surname="Reschke"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document specifies the HTTP/1.1 message syntax, message parsing, connection management, and related security concerns.</t>
              <t>This document obsoletes portions of RFC 7230.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="99"/>
          <seriesInfo name="RFC" value="9112"/>
          <seriesInfo name="DOI" value="10.17487/RFC9112"/>
        </reference>
        <reference anchor="H2">
          <front>
            <title>HTTP/2</title>
            <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/>
            <author fullname="C. Benfield" initials="C." role="editor" surname="Benfield"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>This specification describes an optimized expression of the semantics of the Hypertext Transfer Protocol (HTTP), referred to as HTTP version 2 (HTTP/2). HTTP/2 enables a more efficient use of network resources and a reduced latency by introducing field compression and allowing multiple concurrent exchanges on the same connection.</t>
              <t>This document obsoletes RFCs 7540 and 8740.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9113"/>
          <seriesInfo name="DOI" value="10.17487/RFC9113"/>
        </reference>
        <reference anchor="H3">
          <front>
            <title>HTTP/3</title>
            <author fullname="M. Bishop" initials="M." role="editor" surname="Bishop"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>The QUIC transport protocol has several features that are desirable in a transport for HTTP, such as stream multiplexing, per-stream flow control, and low-latency connection establishment. This document describes a mapping of HTTP semantics over QUIC. This document also identifies HTTP/2 features that are subsumed by QUIC and describes how HTTP/2 extensions can be ported to HTTP/3.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9114"/>
          <seriesInfo name="DOI" value="10.17487/RFC9114"/>
        </reference>
        <reference anchor="IEEE802.3">
          <front>
            <title>IEEE Standard for Ethernet</title>
            <author>
              <organization/>
            </author>
            <date month="July" year="2022"/>
          </front>
          <seriesInfo name="DOI" value="10.1109/ieeestd.2022.9844436"/>
          <seriesInfo name="ISBN" value="[&quot;9781504487252&quot;]"/>
          <refcontent>IEEE</refcontent>
        </reference>
        <reference anchor="IEEE802.1Q">
          <front>
            <title>IEEE Standard for Local and Metropolitan Area Networks--Bridges and Bridged Networks</title>
            <author>
              <organization/>
            </author>
            <date month="December" year="2022"/>
          </front>
          <seriesInfo name="DOI" value="10.1109/ieeestd.2022.10004498"/>
          <seriesInfo name="ISBN" value="[&quot;9781504491884&quot;]"/>
          <refcontent>IEEE</refcontent>
        </reference>
        <reference anchor="HTTP">
          <front>
            <title>HTTP Semantics</title>
            <author fullname="R. Fielding" initials="R." role="editor" surname="Fielding"/>
            <author fullname="M. Nottingham" initials="M." role="editor" surname="Nottingham"/>
            <author fullname="J. Reschke" initials="J." role="editor" surname="Reschke"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes.</t>
              <t>This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="97"/>
          <seriesInfo name="RFC" value="9110"/>
          <seriesInfo name="DOI" value="10.17487/RFC9110"/>
        </reference>
        <reference anchor="TCP">
          <front>
            <title>Transmission Control Protocol (TCP)</title>
            <author fullname="W. Eddy" initials="W." role="editor" surname="Eddy"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>This document specifies the Transmission Control Protocol (TCP). TCP is an important transport-layer protocol in the Internet protocol stack, and it has continuously evolved over decades of use and growth of the Internet. Over this time, a number of changes have been made to TCP as it was specified in RFC 793, though these have only been documented in a piecemeal fashion. This document collects and brings those changes together with the protocol specification from RFC 793. This document obsoletes RFC 793, as well as RFCs 879, 2873, 6093, 6429, 6528, and 6691 that updated parts of RFC 793. It updates RFCs 1011 and 1122, and it should be considered as a replacement for the portions of those documents dealing with TCP requirements. It also updates RFC 5961 by adding a small clarification in reset handling while in the SYN-RECEIVED state. The TCP header control bits from RFC 793 have also been updated based on RFC 3168.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="7"/>
          <seriesInfo name="RFC" value="9293"/>
          <seriesInfo name="DOI" value="10.17487/RFC9293"/>
        </reference>
        <reference anchor="CONNECT-UDP">
          <front>
            <title>Proxying UDP in HTTP</title>
            <author fullname="D. Schinazi" initials="D." surname="Schinazi"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>This document describes how to proxy UDP in HTTP, similar to how the HTTP CONNECT method allows proxying TCP in HTTP. More specifically, this document defines a protocol that allows an HTTP client to create a tunnel for UDP communications through an HTTP server that acts as a proxy.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9298"/>
          <seriesInfo name="DOI" value="10.17487/RFC9298"/>
        </reference>
        <reference anchor="CONNECT-IP">
          <front>
            <title>Proxying IP in HTTP</title>
            <author fullname="T. Pauly" initials="T." role="editor" surname="Pauly"/>
            <author fullname="D. Schinazi" initials="D." surname="Schinazi"/>
            <author fullname="A. Chernyakhovsky" initials="A." surname="Chernyakhovsky"/>
            <author fullname="M. Kühlewind" initials="M." surname="Kühlewind"/>
            <author fullname="M. Westerlund" initials="M." surname="Westerlund"/>
            <date month="October" year="2023"/>
            <abstract>
              <t>This document describes how to proxy IP packets in HTTP. This protocol is similar to UDP proxying in HTTP but allows transmitting arbitrary IP packets. More specifically, this document defines a protocol that allows an HTTP client to create an IP tunnel through an HTTP server that acts as an IP proxy. This document updates RFC 9298.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9484"/>
          <seriesInfo name="DOI" value="10.17487/RFC9484"/>
        </reference>
        <reference anchor="HTTP-DGRAM">
          <front>
            <title>HTTP Datagrams and the Capsule Protocol</title>
            <author fullname="D. Schinazi" initials="D." surname="Schinazi"/>
            <author fullname="L. Pardue" initials="L." surname="Pardue"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>This document describes HTTP Datagrams, a convention for conveying multiplexed, potentially unreliable datagrams inside an HTTP connection.</t>
              <t>In HTTP/3, HTTP Datagrams can be sent unreliably using the QUIC DATAGRAM extension. When the QUIC DATAGRAM frame is unavailable or undesirable, HTTP Datagrams can be sent using the Capsule Protocol, which is a more general convention for conveying data in HTTP connections.</t>
              <t>HTTP Datagrams and the Capsule Protocol are intended for use by HTTP extensions, not applications.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9297"/>
          <seriesInfo name="DOI" value="10.17487/RFC9297"/>
        </reference>
        <reference anchor="EXT-CONNECT2">
          <front>
            <title>Bootstrapping WebSockets with HTTP/2</title>
            <author fullname="P. McManus" initials="P." surname="McManus"/>
            <date month="September" year="2018"/>
            <abstract>
              <t>This document defines a mechanism for running the WebSocket Protocol (RFC 6455) over a single stream of an HTTP/2 connection.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8441"/>
          <seriesInfo name="DOI" value="10.17487/RFC8441"/>
        </reference>
        <reference anchor="EXT-CONNECT3">
          <front>
            <title>Bootstrapping WebSockets with HTTP/3</title>
            <author fullname="R. Hamilton" initials="R." surname="Hamilton"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>The mechanism for running the WebSocket Protocol over a single stream of an HTTP/2 connection is equally applicable to HTTP/3, but the HTTP-version-specific details need to be specified. This document describes how the mechanism is adapted for HTTP/3.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9220"/>
          <seriesInfo name="DOI" value="10.17487/RFC9220"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="QUIC">
          <front>
            <title>QUIC: A UDP-Based Multiplexed and Secure Transport</title>
            <author fullname="J. Iyengar" initials="J." role="editor" surname="Iyengar"/>
            <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9000"/>
          <seriesInfo name="DOI" value="10.17487/RFC9000"/>
        </reference>
        <reference anchor="TEMPLATE">
          <front>
            <title>URI Template</title>
            <author fullname="J. Gregorio" initials="J." surname="Gregorio"/>
            <author fullname="R. Fielding" initials="R." surname="Fielding"/>
            <author fullname="M. Hadley" initials="M." surname="Hadley"/>
            <author fullname="M. Nottingham" initials="M." surname="Nottingham"/>
            <author fullname="D. Orchard" initials="D." surname="Orchard"/>
            <date month="March" year="2012"/>
            <abstract>
              <t>A URI Template is a compact sequence of characters for describing a range of Uniform Resource Identifiers through variable expansion. This specification defines the URI Template syntax and the process for expanding a URI Template into a URI reference, along with guidelines for the use of URI Templates on the Internet. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6570"/>
          <seriesInfo name="DOI" value="10.17487/RFC6570"/>
        </reference>
        <reference anchor="WELL-KNOWN">
          <front>
            <title>Well-Known Uniform Resource Identifiers (URIs)</title>
            <author fullname="M. Nottingham" initials="M." surname="Nottingham"/>
            <date month="May" year="2019"/>
            <abstract>
              <t>This memo defines a path prefix for "well-known locations", "/.well-known/", in selected Uniform Resource Identifier (URI) schemes.</t>
              <t>In doing so, it obsoletes RFC 5785 and updates the URI schemes defined in RFC 7230 to reserve that space. It also updates RFC 7595 to track URI schemes that support well-known URIs in their registry.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8615"/>
          <seriesInfo name="DOI" value="10.17487/RFC8615"/>
        </reference>
        <reference anchor="URI">
          <front>
            <title>Uniform Resource Identifier (URI): Generic Syntax</title>
            <author fullname="T. Berners-Lee" initials="T." surname="Berners-Lee"/>
            <author fullname="R. Fielding" initials="R." surname="Fielding"/>
            <author fullname="L. Masinter" initials="L." surname="Masinter"/>
            <date month="January" year="2005"/>
            <abstract>
              <t>A Uniform Resource Identifier (URI) is a compact sequence of characters that identifies an abstract or physical resource. This specification defines the generic URI syntax and a process for resolving URI references that might be in relative form, along with guidelines and security considerations for the use of URIs on the Internet. The URI syntax defines a grammar that is a superset of all valid URIs, allowing an implementation to parse the common components of a URI reference without knowing the scheme-specific requirements of every possible identifier. This specification does not define a generative grammar for URIs; that task is performed by the individual specifications of each URI scheme. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="66"/>
          <seriesInfo name="RFC" value="3986"/>
          <seriesInfo name="DOI" value="10.17487/RFC3986"/>
        </reference>
        <reference anchor="QUIC-DGRAM">
          <front>
            <title>An Unreliable Datagram Extension to QUIC</title>
            <author fullname="T. Pauly" initials="T." surname="Pauly"/>
            <author fullname="E. Kinnear" initials="E." surname="Kinnear"/>
            <author fullname="D. Schinazi" initials="D." surname="Schinazi"/>
            <date month="March" year="2022"/>
            <abstract>
              <t>This document defines an extension to the QUIC transport protocol to add support for sending and receiving unreliable datagrams over a QUIC connection.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9221"/>
          <seriesInfo name="DOI" value="10.17487/RFC9221"/>
        </reference>
        <reference anchor="DPLPMTUD">
          <front>
            <title>Packetization Layer Path MTU Discovery for Datagram Transports</title>
            <author fullname="G. Fairhurst" initials="G." surname="Fairhurst"/>
            <author fullname="T. Jones" initials="T." surname="Jones"/>
            <author fullname="M. Tüxen" initials="M." surname="Tüxen"/>
            <author fullname="I. Rüngeler" initials="I." surname="Rüngeler"/>
            <author fullname="T. Völker" initials="T." surname="Völker"/>
            <date month="September" year="2020"/>
            <abstract>
              <t>This document specifies Datagram Packetization Layer Path MTU Discovery (DPLPMTUD). This is a robust method for Path MTU Discovery (PMTUD) for datagram Packetization Layers (PLs). It allows a PL, or a datagram application that uses a PL, to discover whether a network path can support the current size of datagram. This can be used to detect and reduce the message size when a sender encounters a packet black hole. It can also probe a network path to discover whether the maximum packet size can be increased. This provides functionality for datagram transports that is equivalent to the PLPMTUD specification for TCP, specified in RFC 4821, which it updates. It also updates the UDP Usage Guidelines to refer to this method for use with UDP datagrams and updates SCTP.</t>
              <t>The document provides implementation notes for incorporating Datagram PMTUD into IETF datagram transports or applications that use datagram transports.</t>
              <t>This specification updates RFC 4960, RFC 4821, RFC 6951, RFC 8085, and RFC 8261.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8899"/>
          <seriesInfo name="DOI" value="10.17487/RFC8899"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="IEEE802.1X">
          <front>
            <title>IEEE Standard for Local and Metropolitan Area Networks--Port-Based Network Access Control</title>
            <author>
              <organization/>
            </author>
            <date month="February" year="2020"/>
          </front>
          <seriesInfo name="DOI" value="10.1109/ieeestd.2020.9018454"/>
          <seriesInfo name="ISBN" value="[&quot;9781504464406&quot;]"/>
          <refcontent>IEEE</refcontent>
        </reference>
        <reference anchor="ETHERIP">
          <front>
            <title>EtherIP: Tunneling Ethernet Frames in IP Datagrams</title>
            <author fullname="R. Housley" initials="R." surname="Housley"/>
            <author fullname="S. Hollenbeck" initials="S." surname="Hollenbeck"/>
            <date month="September" year="2002"/>
            <abstract>
              <t>This document describes EtherIP, an early tunneling protocol, to
provide informational and historical context for the assignment of IP
protocol 97. EtherIP tunnels Ethernet and IEEE 802.3 media access
control frames in IP datagrams so that non-IP traffic can traverse an
IP internet. The protocol is very lightweight, and it does not
provide protection against infinite loops.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="3378"/>
          <seriesInfo name="DOI" value="10.17487/RFC3378"/>
        </reference>
        <reference anchor="L2TP">
          <front>
            <title>Layer Two Tunneling Protocol "L2TP"</title>
            <author fullname="W. Townsley" initials="W." surname="Townsley"/>
            <author fullname="A. Valencia" initials="A." surname="Valencia"/>
            <author fullname="A. Rubens" initials="A." surname="Rubens"/>
            <author fullname="G. Pall" initials="G." surname="Pall"/>
            <author fullname="G. Zorn" initials="G." surname="Zorn"/>
            <author fullname="B. Palter" initials="B." surname="Palter"/>
            <date month="August" year="1999"/>
            <abstract>
              <t>This document describes the Layer Two Tunneling Protocol (L2TP). [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2661"/>
          <seriesInfo name="DOI" value="10.17487/RFC2661"/>
        </reference>
        <reference anchor="L2TPv3">
          <front>
            <title>Layer Two Tunneling Protocol - Version 3 (L2TPv3)</title>
            <author fullname="J. Lau" initials="J." role="editor" surname="Lau"/>
            <author fullname="M. Townsley" initials="M." role="editor" surname="Townsley"/>
            <author fullname="I. Goyret" initials="I." role="editor" surname="Goyret"/>
            <date month="March" year="2005"/>
            <abstract>
              <t>This document describes "version 3" of the Layer Two Tunneling Protocol (L2TPv3). L2TPv3 defines the base control protocol and encapsulation for tunneling multiple Layer 2 connections between two IP nodes. Additional documents detail the specifics for each data link type being emulated. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="3931"/>
          <seriesInfo name="DOI" value="10.17487/RFC3931"/>
        </reference>
        <reference anchor="UDP-USAGE">
          <front>
            <title>UDP Usage Guidelines</title>
            <author fullname="L. Eggert" initials="L." surname="Eggert"/>
            <author fullname="G. Fairhurst" initials="G." surname="Fairhurst"/>
            <author fullname="G. Shepherd" initials="G." surname="Shepherd"/>
            <date month="March" year="2017"/>
            <abstract>
              <t>The User Datagram Protocol (UDP) provides a minimal message-passing transport that has no inherent congestion control mechanisms. This document provides guidelines on the use of UDP for the designers of applications, tunnels, and other protocols that use UDP. Congestion control guidelines are a primary focus, but the document also provides guidance on other topics, including message sizes, reliability, checksums, middlebox traversal, the use of Explicit Congestion Notification (ECN), Differentiated Services Code Points (DSCPs), and ports.</t>
              <t>Because congestion control is critical to the stable operation of the Internet, applications and other protocols that choose to use UDP as an Internet transport must employ mechanisms to prevent congestion collapse and to establish some degree of fairness with concurrent traffic. They may also need to implement additional mechanisms, depending on how they use UDP.</t>
              <t>Some guidance is also applicable to the design of other protocols (e.g., protocols layered directly on IP or via IP-based tunnels), especially when these protocols do not themselves provide congestion control.</t>
              <t>This document obsoletes RFC 5405 and adds guidelines for multicast UDP usage.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="145"/>
          <seriesInfo name="RFC" value="8085"/>
          <seriesInfo name="DOI" value="10.17487/RFC8085"/>
        </reference>
        <reference anchor="RFC826">
          <front>
            <title>An Ethernet Address Resolution Protocol: Or Converting Network Protocol Addresses to 48.bit Ethernet Address for Transmission on Ethernet Hardware</title>
            <author fullname="D. Plummer" initials="D." surname="Plummer"/>
            <date month="November" year="1982"/>
            <abstract>
              <t>The purpose of this RFC is to present a method of Converting Protocol Addresses (e.g., IP addresses) to Local Network Addresses (e.g., Ethernet addresses). This is an issue of general concern in the ARPA Internet Community at this time. The method proposed here is presented for your consideration and comment. This is not the specification of an Internet Standard.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="37"/>
          <seriesInfo name="RFC" value="826"/>
          <seriesInfo name="DOI" value="10.17487/RFC0826"/>
        </reference>
        <reference anchor="RFC4861">
          <front>
            <title>Neighbor Discovery for IP version 6 (IPv6)</title>
            <author fullname="T. Narten" initials="T." surname="Narten"/>
            <author fullname="E. Nordmark" initials="E." surname="Nordmark"/>
            <author fullname="W. Simpson" initials="W." surname="Simpson"/>
            <author fullname="H. Soliman" initials="H." surname="Soliman"/>
            <date month="September" year="2007"/>
            <abstract>
              <t>This document specifies the Neighbor Discovery protocol for IP Version 6. IPv6 nodes on the same link use Neighbor Discovery to discover each other's presence, to determine each other's link-layer addresses, to find routers, and to maintain reachability information about the paths to active neighbors. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4861"/>
          <seriesInfo name="DOI" value="10.17487/RFC4861"/>
        </reference>
        <reference anchor="OPTIMISTIC">
          <front>
            <title>Security Considerations for Optimistic Protocol Transitions in HTTP/1.1</title>
            <author fullname="B. Schwartz" initials="B." surname="Schwartz"/>
            <date month="March" year="2026"/>
            <abstract>
              <t>In HTTP/1.1, the client can request a change to a new protocol on the existing connection. This document discusses the security considerations that apply to data sent by the client before this request is confirmed and adds new requirements to RFCs 9112 and 9298 to avoid related security issues.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9931"/>
          <seriesInfo name="DOI" value="10.17487/RFC9931"/>
        </reference>
      </references>
    </references>
    <?line 694?>

<section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>Much of the initial version of this draft borrows heavily from <xref target="CONNECT-IP"/>.</t>
      <t>The author would like to thank Alexander Chernyakhovsky and David Schinazi
for their advice while preparing this document, and Etienne Dechamps for
useful discussion on the subject material. Additionally, Mirja Kühlewind,
Magnus Westerlund, Martin Thompson, and Gorry Fairhurst provided valuable
feedback on the document.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+V923Lb1pbg+/6K3fLDkU5IWqQcx1bipBVJjlUty4pEJ911
KnUKJLZIxCDAxgYkM7LOt8wvzPs8Tf/YrNu+ACRlp6anpmtGD7YIYt/WXveb
+v2+qrM6N4d657IqP66yYqZP67mpClPr11WyMFZnhX4zHl/uqGQyqcwtvHr8
7uLi9HjcPx2/Ob26OB3vqGlSm1lZrQ61rVOVltMChh7qtEpu6n5m6pv+IrH/
3pj+tCwKM637RhbpD/eVbSaLzNqsLOrVEkadnY5fq6JZTEx1qFKY+VDBMGsK
29hDXVeNUbCLA5VUJoHdjKuksMuyqnfUXVl9mFVls4THb5u8zpa5+WhSfbRc
5hnsEZbQ183E1hXMqstbU+mf358d69NiWq2W+PWO+mBWME16qHRf/3uTTfH/
eV0v8X/YTDIDqODvv1xe4H9LBBv+Ujdwstzir3xWN7BfzPDXPFmZqj/CX93h
1a0pGjid1n7TR9c/vz/dgScMip1f4UR4KT/hC/h8kWQ5POcl/hlBOyirGX6T
VNM5fINL2sOnT/FFfJTdmoF77Sk+eDqpyjtrnvIUT3HoLKvnzQQG01XdzeS2
nn7+/nB0DsC0dbR0e5YBzz7Iyi+Y7wteGczrRb6jVNLU87LCe4I9aEBTQI6j
gb4a6GuTmv/47yU9ZkQ8ys3vSZFWpb5qfQswSYrsD8KMQ/1TWc5yo8/Pj+lL
w7BOLAwoyn+e0beDablQqiirBQy6pct7Mzyk918d6qvXxy+HwxF9TDO7hEs/
JOp5OhwM8dVR59WDDa/i8DcHnRefbXgRB5+dnp6+2B8NDg71ybuzwXB/MBzu
v3yKj6/HJ4PR/mg0ePni2bNnB8+jt4c/P/L6cH9//9mzly+Uyoqb+KB+9L9u
Hb0/eLk/fPHs62dK9ft9nRCtTWulxvPMamAMzcIUtU6NnVbZBLjLvLzTdclk
FFjPTYv1DDSNhnfqclrmCn632QLRG4eeXfJoJBMZ0NOTBiYpK32OVKdHiB21
SVJd3sijg4F+W1ZG2aWZZjfAHPJ81dN1Z5c3WQHbSPzS8EJSa3gXKEgnvJie
5hm+XZdqChwJGEsizAB3Zz5O50kxM34n3TPWcyDt2dzPZk0FfEndAdHgs6Su
k+kceNhyvrK4TcBZfZtVdQO/+rmsmeGOB4rBvsjSNDdKPdFnRV2VaTNFBFeK
FoCz3GYprWy0sHK9AOoqU71rjdH399eGBuiXg4PBc4TZP+HIV4yJ+w8Pewhb
Pi1CPdHj40sY9k/wH700ennw8BABIcELh1eJznrw0V3fwiB0MrugCd+f0CxO
vMBHme3FwwOMKlICSJpmOA0cvzUa8EBFg8947LMXzx4eBvpNeWcAqnjBxpow
0OppUvylhn+rauWviG+GrqBEPGoqhLM2xTRZ2iZnOQIYBVBE4JwBvuEGEMeS
Ymo03R3dDe3pB5KTvKGDg2/gMHiH56MxnvYH/B+/GT1/PoRv5MntAb398mCI
R7+bZ9M5CUFAzBgCc8Bp2NlkBRy4pysDN40Xgjeb3KIAmAA/ezt+P9hOgBFy
4yEEX3EWJGtNvAV25fnMw4PqorDD1Qh/B/o0I6Atk6rOptkygUWBOnFnTDTM
1REt4QrweQH7B962TiAlXf1NVS5gs3nZoYGsqE11k0wNcwmabWJ0A1wb4AIj
ihKuCSaxzRK1BFhlUQKRTqospWPCDdZ3ZVgWxGOSThNbgx4DEqCgHQD6Aiwz
C+f0aAIagHAmXBNQGpSMm5U/2W1Wr5ApwJyolzg5BttKUB1BTLHCTyqDo26y
WQNXiMuVRb7ikwHzZPgujamsCpPAWwhMCzDasHfNe3f37q9YgGCRh8FdZ5YI
GC4M1S+LsKDbAcA1Fr+hTyei9lgkMHzSP/np6uitEOc3SGC/4v2FIU9HgDJv
RozpLKvwwQEic1bj5VhmRqcfa1OkcBzHiBLrcTNFhIEVT/913JevR7gmSDOk
FEAK1f72gHc02t+0o+HgI25hGG2BT/d+CWcDFEmsYoYv6zom+M3ghYMLzNsF
KNyGsTapMrqwaVPZmD7bLAMVTqRY3pxalqD0AoH2cDMwzgK3yVP8oOfZDG60
nwPTyoN0c4sCqdtmOscd398HhsfQDk+Af9KGn+jjsgBVs6YrRlo6wXPSHi2e
x2hQejVqvRZU0PfX450e/68v3tHvV6egJl+dnuDv12+Ozs/9L0reuH7z7v35
SfgtjDx+9/bt6cUJD4anuvVIgcr7bzvM3HfeXY7P3l0cne8wp4j5FZIIYDwQ
NlHFsjJESHhlEbL8eHz5P//b8BkiDXLU4fAlcVT88GL4DUgC4KSm4NWIxPgj
UM9KAVGaBJk4kQZcW1YnCOmELuauAF5bGYDmX/+GkPntUH83mS6Hz76XB3jg
1kMHs9ZDgtn6k7XBDMQNjzYs46HZet6BdHu/R//W+uzgHj387occKEH3hy9+
+B6UirPOfYBIIhZLLAjuY6F3PA8idN3B26rMjakco4qVG+J6lQGrrUite6E9
AeJ7ZUD/tzUyWbcK61qAIJY5PIsUJZODkfgtzSUqGUpMsBentf3cCmc3+AYg
GSAaz0Z4tjBpBrQNrGKXGNMG9nAw+Cawhz3A0PrOmCLahUJsW18e0a60tCAD
Slg/rLPTXtuTg3LgjyGyfihgqMsSpoCBNDFBeFKCDIlAg9xzfVNregKxSVwo
K8q8nK1YDANJod1M7BaMBWG3SKLxYOX056A9g1Frid4YlsSCNNsYshR8VZQ1
80tZSyCthqCIAKRxZVyRNurVdxrgp7gFwKHuAxy0mMHBEaAzVuHKFGCk2lPr
IWu53UP9smWa2yQHtIGD4l5BwPPNAXOi+T1agh5eZItmodmZgUuQpuaFBsL7
ApURJIgecaNAKyKUcS6ktLTEgWXt9ZiFc3DgnQOaGxTQuyIYvNG5h9xuxYhg
UDmFje7w2xvYbGWAswIdMcEolBmsm4iu5qQJqSoi1G70MaGU1fdPGLn6rMw8
KOW+Wddw8EjrqEsuGT59loCq9f7qTI8NKFZgVqGwH5++vTw/Gp/iJT3/+pt9
xgPTes963a9uSWq+LSJ5OJRCqDg0sd9q1N4MwiBhMUmqMOgmrBcBxxRUw1lN
Bnd5VwxwWRWWFVyEtVGRbi+OEzh+eWfyvP+hQJmC2izhNpzt19Pz8/6/XLz7
9YKUnOfDr0FeVWYGOpqpogN5JqDU6ccEt83wZSk1MWCbHir1j3/8Qzl/jOHX
yAM0CKs7D5D3vfgBzAuiYYfoQNj+vjh64nV+QJ3m1aSc0E7UUdGBMGu+Xh11
KIbGS+lRe83AtUBSszmw1BSEv965zZOiD1YYoCnAvdrxF0r6vtwXGU9uAvxC
1oJfCXlUuWRtDfV1wGaPFBoJ2wployiBlfAiiEyZf4mtVQsOaFuybAtz4M0Y
NoWsyW/cbhnbwTwSHVBcBXmTGsc87ApA9XGgwHZFhpOlju0gdhGZt1eZlotF
UyArDNaBMPuMOUdC1phCgydGTkCkN6slyAdTk4PBfBlWfRmS/IB39Oq+c1MP
ATfxvbWpnq4PIDRCWr8p0f3ipDeQMiMGGlUrd+6YH8C2/7rGJDTpbBP01bCS
fRAuEcALC4AN++hAVBQntsyb2pAEI6WSvgQzgO6xKIs+jAKsstM57LKHTlpy
WgKmsRK6TECqwMWBIoSH8Cu2n5OJunEfYJVWYh8m2uYJ2Kc7T3domiPQYv2R
Aqa47eMYQTRaDA4N11atot1Eyz4CClQ0gTjqBAECPBVPfXR9fHam3wMyou09
nSdoxqIi4mAEkCD92w3kAdGLsrWKXGf7H0fD/v7Hb04ZtDa7NXq3cHIT5lqa
aopyx4l3RHhy0pn0W912aY0GQxL1cBD2sLx4DmrbZ86HnPvKkPKagsm6TEgs
6N2dr3Z0CYsndVmBoH1dJcRkYEfxS09aL50nQEzR93R5J2XdvwQZnX3s6Uu8
jmuzPhO9eY2X7N8t4Nrw/f51vQImcpmgywQA2BkF01ybBdxGDpfDYwdBOItl
QTwmqVlGtUlrAnL5W3TVshNtKgOdUEvUzBRwwLy/bKolKrUtMG5i/Hky/WCZ
DTkVTskGUM1AfTxx3CuFE7EKj76SYuXwcn2PxLGQ0wEQFDl/4o30YpZId1uZ
31EQZCyAIqWGfI0T1LJQDRIrQTuHIChIjGX1ZtuFtKQxeT/zVkRNPFpeywGG
VjKigqyZlXXmVSrvQkZmv3V8x2HtFW7c0s5aqIYVq0bcHXX5wRSsPYHKhwI3
2qmSaJbXWY7JjQEY5hSajqf4YDByVhA7h9AWIoSlc3oPkiNs0flbFtUyWeVl
kvb5O/a1lJqsBPKqFwEQApzE2nKakcBzPBBOkTtjk7TcnkcklVnbkMfTXaiw
HyfGN4CsDS2lflyx49E4JIzsGHnyZaBSLVD1ttumzswQHzXi/wKNhxnpJDUp
gtfsTscIBigGaFvcNPnGKdHkRiMpyW25dWLlJ1aPqehOlDBzgzugr8bn1yhM
KK5qfFy1h8+SApWMSiHdArEjGYY3vDrSk3gQBimYLEkLIP2sxyaYF6AUBMRv
WY1GwnsSzk0hbf0G3kMyVOo9HB5gMDXZLYUtiu1QB6VB/1W8AjgkWzpFat2M
kWNpF11B2z5DbgESGN23Cco9RSFKb9avUJ0HRL9LqtShn8NKcnhHUzqP+kUk
8VgB7PgoFslKO2O0MiwNTWvqjA7kV4Zt4lzsJU28xem8wMRwkb9kN2Q91myR
44SgIbCZRUshRIHP16jh4HHjJb1M5lksHtwtRJRBuiVKYAD4Ozz1XWaFVwfA
t4HZ5bfExdrPcCfolp/OSxRItE1i9o86gsjsC67+sBBOx0xnwFpont2Aurzw
fKDLmgBsdRYU8a0rKuZSMOtRTLuOUrt+J2EiYGvff4fviCPcfRwdADNRGYin
KZmkdIPr6+s5zOrPadKNvBVmzTAIxjJsW4x2oI/IvSDbZbSFZQtkxuvn2bQ3
B3vc1E2S5ai01fPGrstrL5K9444I3vk6QEfjme6fwPfDB6XWgwBDHwR4jPwZ
3xbG1CKtxORQsc7hDQsJnrIrFxjizk+n4x2vUrop+WtnHARRVeLROY4Hlk6e
dqXSHF5AywF91mKpanIAdTHP6R6PL3vsnTntVUmAkoWpdyQkgskdQc9mXSMC
AHHDxJp+Rsk5GaYJIH2COGiFT56Tyo1JDewj/dwWCx+S2brBNUE9IBfD9vuk
A3gXGvJwNNmYOC1pQHWVCWkB1i+SHF8wqVOQHB8CmLOHTftX/BqiUpJX28dE
TVWVFbmARc12GtWz/X29+2OSOqTdQ2OublDApBhneE0eKLKIe8K3I3M+kkK0
Utc8VDt/1vmzQxh2h/yAfB4g1VEPVh2+QKJtSoEqVIPb5BGRJZjrnP3kdAqg
Cf1n9xRSZ5BKDnU0TgU8PnT4ouT/Q93FDyVKWd8pZYf6hyG5FO4P9ROAZB92
3p8PNWXDvdoRx9oaZ9l56DIc4XvIcZAbs3Bgia0DrxNOiLKvMsucUFM0Vs86
CUUFM11QRG12dnjOI3quxxtdit3sJvU8abg/1LvXsOZ0jrM5ONiYGltj/oty
jC17FGb6GcYBM25kHRsn99y/ZWc63Sio0uzIJEcM3pheMwC6LogNthLsAS1e
b9varnUb7Np1qYgKRO1desT3VFKj74fUJRapRN3TvBTu03Lpt1hNHfCXyTzm
aIcbCNsTA6LYBgz7z6dUu3ycVPlmYlod0fElEeHKGVakJoDKtK4nPJK+8Iih
hqydzN1uVoMEq+RKHcoQkC2zUZc9c21qTqmKwgmKrOM4C8IrfXHygzyU2Gp3
S0trmrTsx4Rhg+j4DJs5FA1nwySR1iMbCQR16MMfjw/cTpKH3l/6yBTOiYgH
Ce+LdnR2if7BlmZ0SA5PhNUhO2Y3zW21j8xTYA/9uKQMZC78h061tfVlQu/b
9QZTJLBjOU28AWa6v2+Hzh7+Tyk0XWb0YjBkj+ibgFXuu2fwHbOqA9rQ/2sq
yZvTo5PTq2vl0PuVo1cVMPfVOodyWPOK9RnF+PRKPx5bi1D5VUuRmQrDi5bc
pJuMNjK8UcShNugoHb7nRBZrK8T5/ouqK0JOo48fQWvxZuQeBwT+P5LY6xav
PiIPiKdD3EIMUsmIOQDIcfSETFkAKS1KSVNwjbhEUzGjmibOJvGZzOvO7/99
NcERm2z2lR7t738R8qO4/xLsj8Q+6qy1+VjrMx9BlEy3ds6wZ6tbMs9j10vb
1S454DdNjWCMUgXinO929iTj3TwBndd71JQ1iwT9l5jTF3LaEbp+zjhdOeQY
tJKQvkZ1Oc4EHOjr0junbGuDfF1Jw/HwIGHY+85KgYpyGLHoBeGMgcEKuUIb
Vi1d24KIDM5bylkKx6CkpB6l13UA0/Xjf85bZtuBT3/ZJ7wLR74bAgrhVSbR
56P+JKtdYo/Vu/v90Xe2WX7/fPTdU/y/P9wb6O4ol+aTWLUl08h2WQhnGIXc
JRPvmo0o+H5fkZookcZW7MfdD2WD5xxd/sNUpcsKwH2lqyJZcC0DISjlAqDj
WF41t6boczISKqe8gb47lcsMcwPZw16m6doQDwi6n360VOdgWH1jl8nUOH+o
omqAGdh9hePKdLHfogxHdujyIfDsrZv1OgVlPMOOTMUxw8ZlhgL9NHmdFKZs
bL4K50BSSSnTeRo04x4sVXNcAfNAEeeDm9sTZfvqfTx4guw4HNsF0+OD+aAh
VqJgoBRzDeIdkeioUnTsd4Amr2FaUEuNE76AzBpQpX2X5B3cdlOU5w1rKlqP
2PttmbGiRPECyihZFdN5VbpqKJ/I6LMJoyqKEhPJkoiYyHc7wdcj7OH8xtYR
JOLUytWQ86CsCRMSPnRS+SWNJhJUZbUpsRJ9zGaJBhg77DgByJ1DAop5G0NQ
vl1RrpVEgDOOYiRMvROXRpQU8USs+2D4GLPz3Sk89nDdAkc6KabL6BFOKXZh
qMpw+jyLHYy4qyreVTnFDPOBfr0mdlwsnoiqbcgg72YxaxXFQTilLEaRgT4h
iFGAT3IXWSeeGHyGV9DbQKIqDcKtZLKgWJDw8RgJg/DDA66wWMFQzYdLcBuQ
guGKaCS0LSiQNhLCIQx2VRuUuzL9YLqBXL8r7VJvN76mW6B1QdW0oflrrCqV
slSK57dElr5kbqxf8+3eP+nIGnEpfLFgcwmcvZD/6dZSbi22eZ06G6SnxJfb
sfe5hOHWAu3q/j7FcUEqhsAip7Z1hXMk8NhFQrHdk6PxES6mWGPijXclsV+X
gnzAhQE/6nwl5hnv8OcGRDmg4zVBQPmhTHCYycMKMIt8uffWFkQRkStgSy8Y
ib6wefMN3qP+H7a9m+1hFNN9uzsYwOcHr5HGoPMq6WdWYhzZEWPrS/cluOpu
0dlVTNOHsSYDHw710dacZ2eohdm8utG+Ms66KZQo1J6I+CIwSwCDzECQTcHZ
qxHYSG1h0vehW/xUKTbNhHenVbkU14Wb3WaYCJCjMARZiRKY8mrAFiorLqvZ
FY5EtK+IkVZlg5RdZcs9UYeSuySrNxK2nHNaVmKi4FuydcA2QBcBOcFxPPeI
5FM8ZKuoeaFEC/ydxQxyzBZIQU2+zUAJUXRZMX0RT5MoH3M2diwhbqGeBFt7
tYOKNsgdRJiuWbJOix1i9VpSdDfWUHEqaoBSFtV5AZOw6B2N7/D9tZmORx+w
HJs8V2vFrNQrQO96d9fbo+O45lOmaQBsOX2fY40aJsOj4YIPeILp3Ew/wGaA
J6KKQaP2ejqKgYMk3laXCKaxQtjlBlMyeT6ydVyYIIow+jmGP0eTDH/GstVk
RiwVGCUloQImlwsQz5yaZjkcMX50ywhRWczXAiDHR7utYz0Bks65IqYQWVsu
sroWlY7WXja1S//elEjgFTQSyFyGOEU3Ewm/kqtCKT0YJ2p5KUhHo+LjNUOW
QQeqFNcPY4wl6Mcup8M5QbrpBUL8oUTac7eJgU1iqggJKK8toNBuE6jIRVI6
trCQ9swRH1FfwEf0F/CRzVuKazaEY1F6S5DHstOJCZ4Vn1eQWK//uNOrsv1u
mzLd28Ry97QUAZOVWDbVFDMwroTXspLlTh82JJFn1rrDjvNsgaor4Ke3CwRX
aMeZ/YDE6dYB1JjDFoMainMMdMspVPmNIHej+WmuuqyTXKpgkIHzHuDewx5F
lQdFmKolb9Gc+4M46qaXQbNSS1P1XYof/j5lsFGmmXx2YctJYjNLWlyHYYXc
sG55tKv8r0MaZ3AducSoKRpCSyxDRmsiyhaC9z9gZswGco22FWfg+LqxuBTZ
OwcDjRuCD21NYp7+bVw0qj+jUB/MFhlwVCDt6/9jukV+jV6HbOo0QfQapibH
69Qmmc67jEtgoDwNi5oGmyIvkfNi8Sf5ktODSGayqPQ5Vaf+hD5dmKkQwBwA
T9UfPsdtjreHRRfe06XEyZtNshzI2JD3Nz6npfgk6RpY/218RpxYpnBiM5Mk
aAynKJeJt5aM781AV3GV6A+4Ro5gFsO3vRUsLZyYVSk2iZ2WS9l3q7KSEq9Y
eHAfC+dKJnqik5OIVnNBXiISX/jNpg7bnlRHQ0+pwQzy+3KJdXxU55GXwElR
V+HSYOXSAEERKdhGqowJJUy715hwfEX/mno62OsIzp6jYSrRV1w06FWwy6P3
16cuZwzERqfcSljUhBhwRWDxDS9kzyzQsJSek9Fo3woPAZh9TS19ZgjmjsyP
sQn2jpvkM8AvctuMaMA5W1e2cp0rUqmp8T2LPOBTgwSzRQrGspn87UQTjqQS
R0Yla9TAgCnOElQ+qVjqtbGNfFAiA0XLYcYmRTubUnadM9sUXAOCI+P2B1vb
B8BNjcV9HJUECQNhEjT5UgOraKSnUkSLIOtWJF3YfvC8MXDC4N7hPL4r7sxw
xMGn89EvlxdgWcvafe7b8NAtApKvqVCJulkQmBBD6BecA5TbZom2LQY8fFUu
1XtH5V2hr0LiekQ4NVdaOEgMMUnsLUiMr/ry85Xe8LP5W3z6vX7zDu5wqD6t
vRv/4LjzEfwDr7l9wAcYxXUb+tN3/b77gosNYBS8zFnPrTmjZUdfsCz9wGs/
enT49CdOe0Ko0zntgQomdEZSvO/aw7ARzbfN58AsiGaJ9o+rO8ekoVYYTe5r
S/E489AFZUbXBuuMwKxl/4Gr3djQZYT8fa7dzoZOGniAv/0NNAewceQOfvut
BQb3bScD/bfflLo+HY/PLn66pt5Of/eei1eAB2oTRMNPNPLxn9OLox/PT/8u
YaC/X169G787fndOa3xu7NqersdXp0dvd5892zvU//fi5O3CQGy9tTlg+DkQ
bjjM4yPaUcrH392yJe8gazu4UK0HCA9j7/krve+9fK+wG500DYnNRVJYP3dQ
v+bjr23Z0eODOvt9/OUvO00c50W/QocnIEd4jY+FLYiMQ8aA4uIatKF+Xfbx
f5YWn5MNVkbg/9slw+8lezpIj0HFfhtPaMmK7pfKNfYib4okIEXiw4NqK2cN
X4SXtzLvIC7il52ogBfON0mJT184M78R7/mrR/f8VbznaO6NP58UiYgj/R1N
GIRd+HHPWvKztUCQVe4nll404kdZIAio6EcetiTlnz3BsSzw2E9bJq5LRTuy
Dv2vY2xl+RhRwH++aKT2W5tkI3n10FXwKCWgSRKV4zhv0dRENmlmPU1yqllH
uXtAqzrYOerO1Ygc+zSztPTZSMGA/FYyJiTvIm7Cctzud8J4L9E9CiUnlnMp
OkwIs+GwppS060tTkc8fT3MsnQAS6Z/kPaqe/1cN20/SIi5skxuUwAXNDDtS
0GdRoW1lBrNBT93fj499GyfOFdjrtbyHoGXf3GRTNs+p3xSa1rnBq0Bjv4CJ
TarWl8gNxg292YU+GkkMKsxNJpVdIA18NdqsyVI6L4WMQibUcDCkfMEf3p9c
9t9fH/1EzThe7L/4Gj2wP67Qd5KA3dmLzt2xMyRkFOLpiaXGdr4iiGMNXV+p
9ZmW4XjKH8/DZqDfLWtAoT/EtKRmHAK2G4o6uemjGni/NWl6KxH7FOvccMEE
L+5Oetz4ysu1EhwZTWFODG8q38EgDYbG2s2ErYPehQZUtxkJuz1uMiTd2l1Z
RqYxNoSV4nttF5hbI+6/8kYF1RazIyizK5JJoT2jXZTYHYhKm+eU94WdhSie
5HuGqUlTWfYWykAQ6wn6mSkjTYpinOPVE3Fv/Q7B6psBoNGGXbpuGmSR8lj2
GhKjmBqTkm34p0ksLy15l7EidSXUpQN1KU9dPkIMh3f1lpGHDpaRcmsYup0S
1VZK7OwkZHJFnQPF6boMPKanMJ0C74Q6CwJKYKkhAt8nNuToZZcgdR2YGfpI
KQfLZXhktrfBIxDcLbKqq96V2F/tytKxOUaVzBxTQKipdtiVTfe34/cESnar
vnNR+o28MsqzPwiMnCO6zpsf4hDSaypuOTjC+r212Ji4ExxMJM1mQ6AY3UUZ
crZOCBtnQD/bhPwq5HyRaCZJSelYQcXS3bVBiQyJTUoCsNi3AH1gIXhDm4nQ
a73pAIfeYDAAVO1ewr97EdcWckTmVKHsJvAwJv/FukQaANjJ5TkOPSHO/OIl
dsEDYQq3P2G5m2aWEJKXw7vzn8Lu/mJ9kas0X01/byx1YFBRXoPvv8k4wF1z
MBXsNbdNXZSV6CfY3tV5JwmMglXW+Asg1x2lkVBIIkAueGA2lXS6LNARb/Ru
I5Yhe1tDNBUjWsCzVqFHFHvtIJfHK5dfs9ZEspUyvOn9zqRwrRjEX/GFgGoW
PIO+n4Hj+JQOQPRGwPLBPEZYB0q7zIFBJNMKGJHyjZUICCWxNXcnEtWssS6n
X97ceC1KmjSxczhPKkwqcPRObEY2Mgs9PriVpdrYN2nKA0i1W5Sp2bV7ktxP
HsSsWEd4ZlfYa5LQreDMVGKBHLrq3FXbby4RzzTqK6BmYAEnMBXdU58nEdfs
ivIg1p62HKUuS9i6gmDgE+uXu+bgjKPOgH/EVu+fbIwyt4UeqKy1a3MvCbhc
ji8tpJPQxSFeRHVC27+cH13gwq4PMkJo4jU2WSKpWLxIjwCKzpLWoKKATcgj
cPXuEvYBpHiKIUH+5Jt1sr4NS3OiUGUAFS2xWiBDw8WBuzabwbWiKKoAyQsO
q4Wykj3kd9IvnNDK1rRTZGzkMaYwFYbvO6Eox1h5U2ye0JgUQ96uWZvi5VFZ
fdpmzFmclLeeC061+3JJEhh0rRESdmXHLc3wDpiFL5IlbxkLLwAr4byKb4ji
Di5j9f3VmfR7pdnbsbi1PDI4RzfpjOQWKrI4eeilzkHAG2wgKPGOrIhaUvQU
B8SxqCLuUOErHG4k3INmIwVsl1XGfjtKRhUVQDku4rjoWssW2ZUPPrsuuSw0
Ymx2uSiOs2HcfsmZEtI8MVBjJEqo3XIIUDIWeCi5szEn9eoIDAIFtaLOM62D
0XbRJgSTqKGnXSVn7BqJUgzdSktZ9kgl1SQDMsM+W9JEqdNcOm6aLl4P10Ea
rKskxYzUsvJZ/BNOGiBNcplEcSu01D9Q7wCrXdMlmUc5Owt7/uIsFOHErhvE
rQrXQK9CVBvEPUhc6Yx0oFwP6Yhe6XJ+yWnQcPuNqFMLJS+RPdrNOgXhuczL
Fce9fKJpu8lLXA7honyLhnqBY+8Zh29nl2otDAfMhwTyBP+mQ3da7DhZu+TL
I3ZCSy4059MK/rFQl3gnBiFhSbjsinsEwaEuyUJg9m8wRxiV+xKTcrh5n9oA
CoSQ6zPPXWvJzmXfxcSAQQkoyCFLOCc3BBfwKEKCTibGMtoDiVUxqzynCfjH
tahUg6rQ5rLYXw04Bkl6nSzKRgxdMXhiG9IVVr6nM3QbC1JDGp7ao/22P38Q
RAnmb+OtevXGNZj3c0hCCuYsJGmK1Gy8PcVkgeSmwIqGXZUhBs2RfKIJxK4M
vhPPxNEV9eJHdXn0HK/24sQ9ePbiues2fgzCffdYTP8jXpk77BvQclegxlB8
tRdVVWH8uEBLHRtHuPyKkneiIuoMGq4ee9EcXFREzTbq6c9hYw8SJZjCiOEC
50H6tBbY0oszY3GNdcuKaqOQYrz/MdgFzh3BGBWxMZ+REu5Hyf0QrTyWusZT
TrpdYnmNIJQUR/770VstLKB13Ja8CGjT22Sl/hb+kslv+hJZ2Y/EES4YRC4C
fcwOGq9YkxC+yfKajVsAGNgUyPrVej6Hb66pT7goRwf1AjfZ6fcWnUK1VsjN
Tc3MoZPxv9aJHjOlZwWgFNJoKc6qsu3e8m1QwVQFYNwlpOapVrt5oEcSiv5K
fHHPkWNISNeuiyo16i06sqBtZVK5ovypAbfslo31SLjk9HcbzJ1yb3dd2f5t
dJL0GJ6UdAdQeUfCqSkygoSL927U3rkYhRtFuiwJ+kMBLh0vUZ0aR99Cqv2n
A5DFSf0mYmhSSSrfmg0JegeccMLponWrBKoXtARfFLBoZjPCGOEAXC4OjAlb
tr89ux5Lv2r6OyFgtxTy9zYaYN7U4ajVckxaA0hjsKgRHrfDDiWV5ADy1rV3
07quYdxQWtK+vLXDyb2c2akIBGm7B9T2fnSkT50dXRyt6VJSyOwhPUYZ283W
I0e2gxlNE5e5bOjqF/0hEtWaWUsN0Mob2aQ3qu/+9tuuq16/u7sbZEmR8B/U
skjWpBA/pXJXaRjYZ2Vg73s42i+YG07J5WshcnVCf76A2jrRG74oIMZXCaZi
bs/HJWep/CId1GjXloZegIqPRUwSdbGSzh4XrW7JMgcgv1+m3JSLCY3/DhmV
7183IPU/wlceNPdP8Ph9S188/MnLWLuEsJRaX6p1C/qLboETCva+78lfYyIX
UlSHOeJa7laxrFKfWm1XOdwX3Y0LAXroUtDv02ErUNr5uPHZJ06/cVDAWdcL
Qj7xtZ04kH6iCGEEdGP7NasBHCm8MHebrgzvFtbUE2AdSGFHU8y5AAObe2nD
rK5c8NXOTZJz7fRbFHIS15BSubgxIFu++EfagPdW+JfkUDu+xfxq6anfgSwa
25zSIdZGnn0wjGdJ8QH/MtvHBH1c+hjBsEo+zMtb+4ElyAlMnOprbCiT/JEp
sTgzkCgpaVJsoYJCAOzGZ4u2MylPa5BYYPueoNGwWLICDqwdGRIKqMbyyaR9
RzMhDr9IUAInIL2PfCE0dtd8m1W/J/pf/uN/zHMDnDrtqbcgcxurf0Vvf5U3
aIm+RRZcYBYorFfKnxv5qUT3zOskq+YYSAlJdFg5gnepboxJ8abcXoJ74X8B
b2nDOKdxAAA=

-->

</rfc>
