<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.21 (Ruby 2.6.10) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-radext-deprecating-radius-10" category="std" consensus="true" submissionType="IETF" updates="2865, 2866, 5176, 7585" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.24.0 -->
  <front>
    <title abbrev="Deprecating Insecure RADIUS">Deprecating Insecure Practices in RADIUS</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-radext-deprecating-radius-10"/>
    <author initials="A." surname="DeKok" fullname="Alan DeKok">
      <organization>InkBridge Networks</organization>
      <address>
        <email>aland@inkbridgenetworks.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="03"/>
    <area>Internet</area>
    <workgroup>RADEXT Working Group</workgroup>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <?line 107?>

<t>RADIUS crypto-agility was first mandated as future work by RFC 6421.  The outcome of that work was the publication of RADIUS over TLS (RFC 6614) and RADIUS over DTLS (RFC 7360) as experimental documents.  Those transport protocols have been in wide-spread use for many years in a wide range of networks, and have recently been standardized in <xref target="I-D.ietf-radext-radiusdtls-bis"/>.  TLS has proven to be a useful replacment for UDP (RFC 2865) and TCP (RFC 6613) transports.  With that knowledge, the continued use of insecure transports for RADIUS has serious and negative implications for privacy and security.</t>
      <t>The publication of the "BlastRADIUS" exploit has also shown that RADIUS security needs to be updated.  It is no longer acceptable for RADIUS to rely on MD5 for security.  It is no longer acceptable to send device or location information in clear text across the wider Internet.  This document therefore deprecates many insecure practices in RADIUS, and mandates support for secure TLS-based transport layers.  Related security issues with RADIUS are discussed, and recommendations are made for practices which increase both security and privacy.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-ietf-radext-deprecating-radius/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        RADEXT Working Group mailing list (<eref target="mailto:radext@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/radext/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/radext/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/freeradius/deprecating-radius.git"/>.</t>
    </note>
  </front>
  <middle>
    <?line 113?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>With the publication of <xref target="I-D.ietf-radext-radiusdtls-bis"/>, the <xref target="RFC6421"/> work on crypto-agility is nearing completion.  The RADIUS protocol now has a secure transport which is standards-track.  This specification therefore completes the work of <xref target="RFC6421"/> by deprecating insecure uses of RADIUS, including RADIUS/UDP and RADIUS/TCP.</t>
      <t>This specification mandates new behavior for RADIUS to address those issues, most notably the BlastRADIUS vulnerability <xref target="BLAST"/>.  In the interest of keeping this document simple, these mandates are given with minimal explanation.</t>
      <section anchor="overview-of-radius-security-and-privacy">
        <name>Overview of RADIUS Security and Privacy</name>
        <t>The reader is directed to <xref target="I-D.dekok-radext-review-radius"/> for a detailed review of of the security and privacy issues in RADIUS.  That document explains the background behind the mandates in this document, which provides design motivation that is missing from this specification.  In the interest of providing some justification in this document, we provide a brief overview here.</t>
        <t>The RADIUS protocol <xref target="RFC2865"/> was first standardized in 1997, though its roots go back much earlier to 1993.  The protocol uses MD5 <xref target="RFC1321"/> to authenticate some packets types, and to obfuscate certain attributes such as User-Password.  As originally designed, Access-Request packets were entirely unauthenticated, and could be trivially spoofed (<xref section="7.1" sectionFormat="comma" target="RFC2869"/> and <xref section="4.3.2" sectionFormat="comma" target="RFC3579"/>).</t>
        <t>The insecurity of MD5 was first noted in relation to RADIUS in 1996 on the IETF RADIUS working group mailing list <xref target="MD5-1996"/>, which also discussed using an HMAC construct to increase security.  While it was common knowledge at the time, the earliest documented concern being raised about Access-Request packets spoofing was on the RADIUS working group mailing list in 1998 <xref target="DATTACK"/>.  There was substantial further discussions about the lack of integrity checks on that list over the next few years.  The outcome of that discussion was the definition of Message-Authenticator as an optional HMAC-based attribute in <xref section="5.14" sectionFormat="comma" target="RFC2869"/>.</t>
        <t>The packet forgery issue was further discussed in 2004 in <xref section="4" sectionFormat="comma" target="RFC3579"/>, and again in 2007 in <xref section="2.2.2" sectionFormat="comma" target="RFC5080"/>.  The state of MD5 security was again discussed in <xref target="RFC6151"/>, which states in Section 2:</t>
        <ul empty="true">
          <li>
            <t>MD5 is no longer acceptable where collision resistance is required such as digital signatures.</t>
          </li>
        </ul>
        <t>That statement led to RADIUS security being reviewed in <xref section="3" sectionFormat="comma" target="RFC6421"/>, but no protocol changes were made at that time.  The outcome of that review was the text in the remainder of <xref target="RFC6421"/>, which created crypto-agility requirements for RADIUS.  The work of <xref target="RFC6421"/> was completed in <xref target="I-D.ietf-radext-radiusdtls-bis"/>.</t>
        <t>Another issue with RADIUS is that most information (but not passwords) is sent "in the clear".  This practice has obvious privacy implications.  The data which is publicly available in RADIUS includes information such as names, MAC addresses, locations, etc., which allows individuals to be tracked with minimal effort.  The reader is refered to <xref target="RFC6973"/>, and specifically to <xref section="5" sectionFormat="comma" target="RFC6973"/> for detailed discussion, and to <xref section="6" sectionFormat="comma" target="RFC6973"/> for recommendations on threat mitigations.</t>
        <t>It is no longer acceptable for RADIUS to rely on MD5 for security.  It is no longer acceptable to send device or location information in clear text across the wider Internet.  This document therefore deprecates all insecure uses of RADIUS, and mandates the use of secure TLS-based transport layers.</t>
      </section>
    </section>
    <section anchor="terminology">
      <name>Terminology</name>
      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.
<?line -6?>
      </t>
      <ul spacing="normal">
        <li>
          <t>RADIUS</t>
        </li>
      </ul>
      <ul empty="true">
        <li>
          <t>The Remote Authentication Dial-In User Service protocol, as defined in <xref target="RFC2865"/>, <xref target="RFC2866"/>, and <xref target="RFC5176"/> among others.</t>
        </li>
      </ul>
      <ul spacing="normal">
        <li>
          <t>RADIUS/UDP</t>
        </li>
      </ul>
      <ul empty="true">
        <li>
          <t>RADIUS over the User Datagram Protocol as define above.</t>
        </li>
      </ul>
      <ul spacing="normal">
        <li>
          <t>RADIUS/TCP</t>
        </li>
      </ul>
      <ul empty="true">
        <li>
          <t>RADIUS over the Transport Control Protocol <xref target="RFC6613"/></t>
        </li>
      </ul>
      <ul spacing="normal">
        <li>
          <t>RADIUS/TLS</t>
        </li>
      </ul>
      <ul empty="true">
        <li>
          <t>RADIUS over the Transport Layer Security protocol <xref target="RFC6614"/></t>
        </li>
      </ul>
      <ul spacing="normal">
        <li>
          <t>RADIUS/DTLS</t>
        </li>
      </ul>
      <ul empty="true">
        <li>
          <t>RADIUS over the Datagram Transport Layer Security protocol  <xref target="RFC7360"/></t>
        </li>
      </ul>
      <ul spacing="normal">
        <li>
          <t>RadSec</t>
        </li>
      </ul>
      <ul empty="true">
        <li>
          <t>Either RADIUS/TLS or RADIUS/DTLS.</t>
        </li>
      </ul>
      <ul spacing="normal">
        <li>
          <t>TLS</t>
        </li>
      </ul>
      <ul empty="true">
        <li>
          <t>the Transport Layer Security protocol.</t>
        </li>
      </ul>
      <ul spacing="normal">
        <li>
          <t>NAS</t>
        </li>
      </ul>
      <ul empty="true">
        <li>
          <t>Network Access Server, which is a RADIUS client.</t>
        </li>
      </ul>
      <ul spacing="normal">
        <li>
          <t>MS-CHAP</t>
        </li>
      </ul>
      <ul empty="true">
        <li>
          <t>Microsoft Challenge-Handshake authentication, as defined for MS-CHAPv1 in <xref target="RFC2433"/>, MS-CHAPv2 in <xref target="RFC2759"/>, and EAP-MSCHAPv2 <xref target="KAMATH"/></t>
        </li>
      </ul>
      <t>In order to be consistent with the terminology of <xref target="RFC2865"/>, this document describes the Request Authenticator, Response Authenticator, and Message-Authenticator as "signing" the packets.  This terminology is not consistent with modern cryptographic terms, but using other terminology could be misleading to long-term RADIUS implementers.  The reader is assured that no modern cryptographic methods are used with RADIUS/UDP.</t>
    </section>
    <section anchor="deprecating-insecure-practices">
      <name>Deprecating Insecure Practices</name>
      <t>The solution to an insecure protocol which uses thirty year-old cryptography is to deprecate the use insecure cryptography, and to mandate modern cryptographic transport.  This section deprecates insecure transports, mandates the use of secure transports, officially deprecates MS-CHAP nearly two decades after it was broken, and finally closes out the <xref target="RFC6421"/> crypto-agility requirements for RADIUS.</t>
      <section anchor="radiusudp-and-radiustcp-are-deprecated">
        <name>RADIUS/UDP and RADIUS/TCP are Deprecated</name>
        <t>RADIUS/UDP and RADIUS/TCP MUST NOT be used outside of secure networks.  A secure network is one which is believed to be safe from eavesdroppers, attackers, etc.  For example, if IPsec is used between two systems, then those systems may use RADIUS/UDP or RADIUS/TCP over the IPsec connection.</t>
        <t>However, administrators should not assume that such uses are always secure.  An attacker who breaks into a critical system could use that access to view RADIUS traffic, and thus be able to attack it.  Similarly, a network misconfiguration could result in the RADIUS traffic being sent over an insecure network.</t>
        <t>Neither the RADIUS client nor the RADIUS server would be aware of any network misconfiguration (e.g. such as could happen with IPsec).  Neither the RADIUS client nor the RADIUS server would be aware of any attacker snooping on RADIUS/UDP or RADIUS/TCP traffic.</t>
        <t>In contrast, when RadSec is used, the RADIUS endpoints are aware of all security issues, and can enforce any necessary security policies.</t>
        <t>Any use of RADIUS/UDP and RADIUS/TCP is therefore NOT RECOMMENDED, even when the underlying network is believed to be secure.</t>
      </section>
      <section anchor="secure-transports-are-mandated">
        <name>Secure Transports are Mandated</name>
        <t>All systems which send RADIUS packets outside of secure networks MUST use either RadSec, or transport-layer security such as IPSec.  For operational and security reasons, it is RECOMMENDED to use RadSec instead of IPsec.</t>
        <t>Unlike RadSec, use of IPsec means that the RADIUS server is unaware of transport-layer security. Any problem with IPsec such as configuration issues, negotiation or re-keying problems are typically presented to the RADIUS servers as 100% packet loss.  These issues may occur at any time, independent of any changes to a RADIUS application using that transport.  Further, network misconfigurations which remove all security are completely transparent to the RADIUS application.  A transport layer misconfiguration can cause packets can be sent over an insecure link, and the RADIUS server will be unaware of the failure of security at the transport layer.</t>
        <t>In contrast, RadSec gives the RADIUS application completely knowledge and control over transport-layer security.  The failure cases around RadSec are therefore often clearer, easier to diagnose and faster to resolve than failures in IPsec.   For example, a failed TLS connection may return a "connection refused" error to the application, or any one of many TLS errors indicating which exact part of the TLS conversion failed during negotiation.</t>
      </section>
      <section anchor="ms-chap">
        <name>MS-CHAP is Deprecated</name>
        <t>MS-CHAP (as defined for v1 in <xref target="RFC2433"/>, v2 in <xref target="RFC2759"/>, and EAP-MSCHAPv2 <xref target="KAMATH"/>) have major design flaws, as discussed in <xref section="TBD" sectionFormat="comma" target="I-D.dekok-radext-review-radius"/>.  MS-CHAP MUST NOT be used in any situation where it is not protected by RadSec.   MS-CHAP MUST NOT be sent over RADIUS/UDP or RADIUS/TCP, unless that data is protected by a a secure transport layer such as IPSec.</t>
        <t>As packets can be proxied outside of a secure transport, MS-CHAP MUST NOT be sent over RADIUS/UDP or RADIUS/TCP.  For authentication protocols such as EAP, MS-CHAP methods MUST NOT be used outside of a secure tunnel such as PEAP or TTLS.  This recommendation includes EAP-MSCHAPv2 <xref target="KAMATH"/>.</t>
        <t>Due to the <xref target="ASLEAP"/> attack, implementers and administrators MUST treat MS-CHAP as being equivalent to sending passwords in the clear, without any encryption or obfuscation.  That is, the User-Password attribute with the <xref section="5.2" sectionFormat="comma" target="RFC2865"/> obfuscation is substantially more secure than MS-CHAP.</t>
        <t>Existing RADIUS client implementations which originate Access-Request packets SHOULD therefore deprecate all uses of MS-CHAP.  Clients SHOULD forbid new configurations from enabling MS-CHAP authentication.  New RADIUS clients MUST NOT implement MS-CHAPv1, MS-CHAPv2, or EAP-MSCHAPv2.</t>
        <t>These prohibitions do not apply to EAP methods which transport MS-CHAP inside of a TLS tunnel.</t>
      </section>
      <section anchor="crypto-agility">
        <name>Crypto-Agility</name>
        <t>The crypto-agility requirements of <xref target="RFC6421"/> are defined in <xref target="RFC6614"/> Appendix C, and in Section 10.1 of <xref target="RFC7360"/>.  For clarity, we repeat the text of <xref target="RFC7360"/> here, with some minor modifications to update references, without changing the content.</t>
        <t>Section 4.2 of <xref target="RFC6421"/> makes a number of recommendations about security properties of new RADIUS proposals.  All of those recommendations are satisfied by using RadSec. as the transport layer.</t>
        <t>Section 4.3 of <xref target="RFC6421"/> makes a number of recommendations about backwards compatibility with RADIUS.  <xref target="RFC7360"/> Section 3 addresses these concerns in detail.</t>
        <t>Section 4.4 of <xref target="RFC6421"/> recommends that change control be ceded to the IETF, and that interoperability is possible.  Both requirements are satisfied.</t>
        <t>Section 4.5 of <xref target="RFC6421"/> requires that the new security methods apply to all packet types.  This requirement is satisfied by allowing RadSec to be used for all RADIUS traffic.  In addition, <xref target="RFC7360"/> Section 3, addresses concerns about documenting the transition from legacy RADIUS to crypto-agile RADIUS.</t>
        <t>Section 4.6 of <xref target="RFC6421"/> requires automated key management.  This requirement is satisfied by using TLS or DTLS key management.</t>
        <t>This specification finalizes the work began in <xref target="RFC6421"/>.</t>
        <section anchor="forbidden">
          <name>All new Cryptographic work in RADIUS is forbidden</name>
          <t>This document mandates that new RADIUS specifications MUST NOT introduce new cryptographic primitives to authenticate packets (e.g. <xref target="RFC6218"/>).  Specifications MUST NOT introduct new cryptographic primitives to obfuscate attributes (e.g. User-Password in <xref section="5.2" sectionFormat="comma" target="RFC2865"/>, and Tunnel-Password in <xref section="3.5" sectionFormat="comma" target="RFC2868"/>).</t>
          <t>RADIUS-specific cryptographic methods which exist at the time of the publication of this document MAY continue to be used for historical compatibility.  However, all new cryptographic work which is specific to the RADIUS protocol is forbidden.</t>
          <t>As the BlastRADIUS attack shows (<xref target="BLAST"/> and <xref section="TBD" sectionFormat="comma" target="I-D.dekok-radext-review-radius"/>), RADIUS/UDP security is inadequate for modern networks.  The solution is not to fix RADIUS/UDP.  The solution is to deprecate it entirely, and to instead use modern cryptographic methods which provide security and privacy.</t>
          <t>All new security and privacy requirements in RADIUS therefore MUST be provided by a secure transport layer such as TLS or IPsec.  As noted above, simply using IPsec is not always enough, as the use (or not) of IPsec is unknown to the RADIUS application.</t>
          <t>The restriction which forbids new cryptographic work in RADIUS does not apply to the data being transported in RADIUS attributes.  For example, a new authentication method could use new cryptographic methods, and would be permitted to be transported in RADIUS.  This authentication method could be a new EAP method, or any other data which is opaque to the RADIUS transport.  In those cases, RADIUS serves as a transport layer for the authentication method.  The authentication data is treated as opaque data for the purposes of Access-Request, Access-Challenge, etc. packets.</t>
          <t>For those situations, there is no need for the RADIUS protocol to define any new cryptographic methods in order to transport the data.  As a result, those new cryptographic methods do not require chantes to the RADIUS protocol, and are not affected by this prohibition.</t>
        </section>
      </section>
    </section>
    <section anchor="securing-access-request-packets">
      <name>Securing Access-Request Packets</name>
      <t>Despite the above mandates to use secure transports for RADIUS, the reality is that RADIUS/UDP is likely to remain in wide-spread use for many years.  It is therefore important to update RADIUS/UDP and RADIUS/TCP in order to secure them from the BlastRADIUS attack (<xref target="BLAST"/>).</t>
      <t>These updates require a number of changes to both clients and servers in order for all possible attack vectors to be closed.  Implementing only some of these mitigations means that an attacker could bypass those partial mitigations, and still perform the attack.</t>
      <t>This section outlines the mitigations which protect RADIUS/UDP and RADIUS/TCP systems from the BlastRADIUS attack.  These mitigations MUST be applied to RADIUS/UDP and RADIUS/TCP, and MUST NOT be applied to RADIUS/TLS or RADIUS/DTLS.</t>
      <t>Unless otherwise noted, the mitigations here apply only to Access-Request packets, and to responses to Access-Request (i.e. Access-Accept, Access-Reject, Access-Challenge, and Protocol-Error packets).  All behavior involving other types of request and response packets MUST remain unchanged from legacy RADIUS.</t>
      <t>The mitigation methods outlined here allow updated systems to protect themselves from the attack, while ensuring that they are interoperable with legacy systems.  That is, there is no global “flag day” required for these changes to take effect.  Systems which implement these recommendations are fully compatible with legacy RADIUS implementations, and can help to protect those legacy implementations.  However, when these mitigations are not fully implemented, systems may still be vulnerable to the attack.</t>
      <t>Note that when the RADIUS system does not do proxying, the attack can be mitigated simply by upgrading the RADIUS server, so that it sends Message-Authenticator as the first attribute in all responses to Access-Request packets.  However, the goal of this specification is to fix all architectures supported by RADIUS systems, rather than only a limited subset.  We therefore mandate new behavior for all RADIUS clients and servers, while acknowledging that some organizations may choose to not configure all of the new functionality.</t>
      <t>For overall network security and good practice, is RECOMMENDED that all RADIUS clients and servers be upgraded to use the new software which contains the mitigations, and also be configured with the highest level of security.  Doing so will ensure that configuration mistakes on one system will not reintroduce the vulnerability.</t>
      <section anchor="new-configuration-flags">
        <name>New Configuration Flags</name>
        <t>The goal of these flags is to secure the RADIUS protocol without preventing communication between clients and servers, even when only one party has been upgraded.  These flags are designed to allow a gradual migration from both parties using legacy RADIUS, to fully upgraded and secured systems with all of the mitigations in place.</t>
        <t>Clients and servers MUST implement the new configuration flags defined below when RADIUS/UDP or RADIUS/TCP is used.  These flags MUST NOT be exposed in any administrative interface or be examined by code when RADIUS/DTLS or RADIUS/TLS is used.</t>
        <t>The behavior and meaning of these flags will be discussed in the following sections.  Introducing these flags before discussing their meaning makes the subsequent discussion simpler and easier to understand.</t>
        <ul empty="true">
          <li>
            <t>Clients MUST have a per-server boolean configuration flag, which we call “require Message-Authenticator”.</t>
            <t>Servers MUST have a per-client boolean configuration flag, which we call “require Message-Authenticator”.</t>
            <t>Servers MUST have a per-client boolean configuration flag, which we call “limit Proxy-State”.</t>
          </li>
        </ul>
        <t>The default value of all three configuration flags SHOULD be "false", in order to maintain compatibility with legacy clients.  Implementers and Vendors MAY choose to set the default value for these values to "true" instead, when they have determined that the added security benefit outweighs the configuration effort to disable the security measures for legacy clients.</t>
        <t>It is RECOMMENDED that implementations support both a global setting, and per-client or per-server setting for the above flags.  For example, an implementation could support a global setting which is over-ridden by a more specific per-client or per-server setting.  The global setting could also be used if there was no client-specific or server-specific setting defined.</t>
        <t>The combination of global and any more narrow configuration flags allows administrators to upgrade systems gradually, without requiring a "flag day" when all systems are required to change at the same time.</t>
        <t>The following sections explain how these flags are used, by following the flow of an Access-Request packet being sent from the client, to being received by the server, to the server sending a response, and finally to that response being received by the client.  To be clear: the requirements in this section apply only to RADIUS/UDP and RADIUS/TCP, and do not apply to RadSec.</t>
      </section>
      <section anchor="client-access-request">
        <name>Clients and Access-Request</name>
        <t>The following new behavior is mandated for RADIUS/UDP and RADIUS/TCP clients:</t>
        <ul empty="true">
          <li>
            <t>Clients MUST add Message-Authenticator to all Access-Request packets.</t>
          </li>
        </ul>
        <t>This behavior MUST NOT be configurable.  Disabling it would open the system up to attack, and would prevent the other mitigation methods from working.  The root cause of the attack is that Access-Request packets lack integrity checks.  Therefore, the most important fix is to add integrity checks to those packets.</t>
        <t>The Message-Authenticator SHOULD be the first attribute in all Access-Request packets.  That is, it should be placed immediately after the packet header.  Implementations MAY place the Message-Authenticator elsewhere in an Access-Request packet.</t>
        <t>From a cryptographic point of view, the location of Message-Authenticator does not matter for Access-Request packets, it just needs to exist somewhere in the packet.  However, the location of Message-Authenticator does matter for responses to Access-Request (Access-Accept, etc.).  It is better to have consistent and clear messaging for addressing this attack, instead of having different recommendations for different kinds of packets.</t>
        <t>However, many existing RADIUS clients do not currently send Message-Authenticator.  It also may be difficult to upgrade some client equipment, as the relevant vendor may have gone out of business, or may have marked equipment as “end of life” and thus unsupported.  It is therefore necessary for servers to work with such systems so as to not break existing RADIUS deployments, while at the same time protecting them as much as practically possible.</t>
      </section>
      <section anchor="server-access-request">
        <name>Servers and Access-Request</name>
        <t>The following new behavior is mandated for for RADIUS/UDP and RADIUS/TCP servers:</t>
        <ul empty="true">
          <li>
            <t>When receiving an Access-Request packet, servers MUST consult the value of the "require Message-Authenticator" flag prior to accepting the packet for processing.  This flag MUST NOT be consulted for other types of request packets.</t>
            <t>If the "require Message-Authenticator" flag is set to “false”, servers MUST follow legacy behavior for validating and enforcing the existence of Message-Authenticator in Access-Request packets.  For example, enforcing the requirement that all packets containing EAP-Message also contain a Message-Authenticator attributes, but otherwise accepting and validating the Message-Authenticator attribute if it is present, while taking no action if the attribute is missing.</t>
            <t>If the "require Message-Authenticator" flag is set to "false", servers MUST also check the value of the "limit Proxy-State" flag and either accept or discard the packet, based on the checks discussed in <xref target="limit-proxy-state"/>, below.</t>
            <t>If the "require Message-Authenticator" flag is set to “true”, the server MUST examine all Access-Request packets for the existence of the Message-Authenticator attribute. Access-Request packets which do not contain Message-Authenticator MUST be silently discarded.  This discard process MUST occur before the Message-Authenticator or Request Authenticator have been validated.</t>
            <t>For packets which are not discarded by the preceding check, the server MUST then validate the contents of any Message-Authenticator and then discard packets which fail this validation as per <xref section="5.14" sectionFormat="comma" target="RFC2869"/>.</t>
            <t>Servers MUST NOT discard a packet based on the location of the Message-Authenticator attribute.  We extend <xref section="5" sectionFormat="comma" target="RFC2865"/> to state that RADIUS clients and servers MUST NOT discard packets based on the order or location of any attribute.  If Message-Authenticator passes validation, then the packet is authentic and it has not been modified.  The location of Message-Authenticator within the packet does not matter if the packet can be authenticated.</t>
          </li>
        </ul>
        <t>The default value for the "require Message-Authenticator" flag is “false” because many clients do not send the Message-Authenticator attribute in all Access-Request packets.  Defaulting to a value of "true" would mean that the server would be unable to accept packets from many legacy clients, and existing networks could break.</t>
        <t>We note that if this flag is “false”, the server can be vulnerable to the attack, even if the client has been updated to always send Message-Authenticator in all Access-Requests.  An attacker could simply strip the Message-Authenticator from the Access-Request, and proceed with the attack as if client had not been updated.  The server then does not see any Message-Authenticator in the Access-Request, and would accept the modified packet for processing.</t>
        <t>When the "require Message-Authenticator" flag is set to "true", the server is protected from the BlastRADIUS attack on this client to server link.  Any packet which has been modified by the attacker to remove Message-Authenticator will be discarded by the server.  Any packet containing Message-Authenticator will be validated using the HMAC-MD5 construct, which is not vulnerable to this attack.</t>
        <t>The server may still, however, be vulnerable to the attack if it proxies packets to another server.  That is, the RADIUS infrastructure as a whole is secure only when all possible client to server links are secured.</t>
        <t>Unfortunately, there is no way in RADIUS for clients and servers to negotiate protocol-layer features.  A server cannot know if invalid packets are being discarded due to an ongoing attack, or if they are being discarded due to a mismatched configuration between client and server.  Servers SHOULD therefore log the fact that an Access-Request packet was discarded (with rate limits) in order to inform the administrator that either an attack is underway, or that there is a configuration mismatch between client and server.</t>
        <section anchor="detecting-configuration-mismatches">
          <name>Detecting Configuration Mismatches</name>
          <t>As a special case for debugging purposes, instead of discarding the packet, servers MAY instead send a Protocol-Error (<xref section="4" sectionFormat="comma" target="RFC7930"/>) or Access-Reject response packet.  This packet MUST contain a Message-Authenticator attribute as the first attribute in the packet, otherwise an attacker could rewrite this response into an Access-Accept.  The response MUST also contain an Error-Cause attribute with value 510 (Missing Message-Authenticator).  The server MUST not send this response by default, as this behavior could cause the server to respond to forged Access-Request packets.</t>
          <t>The purpose of this Protocol-Error response is to allow administrators to signal misconfigurations between client and server.  It is intended to only be used temporarily when new client to server connections are being configured, and MUST be disabled permanently once a client-server connection is verified to work.</t>
          <t>This behavior SHOULD only be enabled when specifically configured by an administrator.  It MUST also be rate-limited, as there is no need to signal this error on every packet received by the server.  It SHOULD be automatically disabled when the server receives an Access-Request from a client which contains Message-Authenticator.  Implementations MAY instead automate this process, by sending a few such responses when packets from a client are first seen, and then not sending responses thereafter.</t>
          <t>As RADIUS clients are upgraded over time, RADIUS server implementations SHOULD enable the “require Message-Authenticator” flag by default.</t>
          <t>The next step is to protect servers when legacy clients do not send Message-Authenticator.</t>
        </section>
      </section>
      <section anchor="limit-proxy-state">
        <name>Updated Servers and Legacy Clients</name>
        <t>The following new behavior is mandated for RADIUS/UDP and RADIUS/TCP servers:</t>
        <ul empty="true">
          <li>
            <t>When receiving an Access-Request and where the "require Message-Authenticator" flag is set to "false", servers MUST then consult the value of the "limit Proxy-State" flag for the client.</t>
            <t>If the "limit Proxy-State" flag is set to "false", servers MUST follow legacy behavior for validating and enforcing the existence of Message-Authenticator in Access-Request packets.  For example, enforcing the requirement that all packets containing EAP-Message also contain a Message-Authenticator attributes, but otherwise accepting and validating the Message-Authenticator attribute if it is present, while taking no action if the attribute is missing.  This behavior is the same as mandated by the previous section.</t>
            <t>If the "limit Proxy-State" flag is set to "true",  servers MUST require that all Access-Request packets which contain a Proxy-State attribute also contain a Message-Authenticator attribute.  Access-Request packets which contain Proxy-State but no Message-Authenticator MUST be silently discarded.</t>
            <t>If the packet does contain a Message-Authenticator. servers MUST validate its contents, and discard packets which fail this validation (<xref section="5.14" sectionFormat="comma" target="RFC2869"/>).</t>
          </li>
        </ul>
        <t>This flag is motivated by the realization that NASes (i.e. not proxies) will never send Proxy-State in an Access-Request packet.  If a server sees Proxy-State in a packet from a NAS, it is a strong signal that an attacker is attempting the BlastRADIUS attack.  The BlastRADIUS attack depends on the construction and behavior of Proxy-State, so the attack is difficult or impossible when there is no Proxy-State in an Access-Request.</t>
        <t>It is therefore useful to add a configuration flag which checks for Proxy-State, because well-behaving NASes will never send it.  The only time the server will see a Proxy-State from a NAS is when the attack is taking place.</t>
        <t>The behavior of this flag is not to simply discard Access-Request packets which contain an "unexpected" Proxy-State.  Instead, the behavior is to require such packets to be authenticated.  If a packet is authenticated via the existence of Message-Authenticator with validated contents, then the existence (or not) of Proxy-State does not matter; the packets are authentic, and can therefore be accepted and processed by the server.</t>
        <t>On the other hand, if the packet cannot be authenticated by validating its Message-Authenticator, then the existence of an unexpected Proxy-State is suspicious, and the packet should be discarded.</t>
        <t>As with the previous section, servers SHOULD log a message when packets are discarded due to this flag.  Servers MAY also send an error response as discussed above, subject to the caveats and considerations described in the previous section for those responses.</t>
        <t>After a server receives an Access-Request and processes it, it needs to send a response.  The next step is to ensure that an upgraded server can protect legacy clients.</t>
      </section>
      <section anchor="server-responses">
        <name>Server Responses to Access-Request</name>
        <t>The following behavior is mandated for RADIUS/UDP and RADIUS/TCP servers, when they send responses to Access-Request packets:</t>
        <ul empty="true">
          <li>
            <t>Servers MUST add Message-Authenticator as the first attribute in all responses to Access-Request packets.  That is, all Access-Accept, Access-Reject, Access-Challenge, and Protocol-Error packets.  The attribute MUST be the first one in the packet, immediately after the 20 octet packet header.</t>
          </li>
        </ul>
        <t>Adding Message-Authenticator as the first attribute means that for the purposes of MD5 known prefix attacks, the unknown suffix begins with the Message-Authenticator, and continues for the remainder of the packet.  The attacker is therefore unable to leverage the attack using a known prefix, and the vulnerability is mitigated.</t>
        <t>As it is difficult to upgrade both clients and servers simultaneously, we also need a method to protect clients when the server has not been updated.  That is, clients cannot depend on the Message-Authenticator existing in response packets.  Clients need to take additional steps to protect themselves, independent of any server updates.</t>
      </section>
      <section anchor="client-responses">
        <name>Clients Receiving Responses</name>
        <t>The following new behavior is mandated for RADIUS/UDP and RADIUS/TCP clients:</t>
        <ul empty="true">
          <li>
            <t>When receiving any response to an Access-Request packet (Access-Accept, Access-Challenge, Access-Reject, or Protocol-Error), clients MUST consult the "require Message authenticator" flag prior to accepting the packet for processing.  This flag MUST NOT be consulted for responses to other types of request packets.</t>
            <t>If the "require Message-Authenticator" flag is set to “false”, clients MUST follow legacy behavior for validating and enforcing the existence of Message-Authenticator in response packets.  For example, enforcing the requirement that all packets containing EAP-Message also contain a Message-Authenticator attributes, but otherwise accepting and validating the Message-Authenticator attribute if it is present, while taking no action if the attribute is missing.</t>
            <t>If the "require Message-Authenticator" flag is set to “true”, the client MUST examine the response packets for the existence of the Message-Authenticator attribute.  Response packets which do not contain Message-Authenticator MUST be silently discarded. This check MUST be done before the Response Authenticator or Message-Authenticator has been verified.  No further processing of discarded packets should take place.</t>
            <t>The client MUST validate the contents of the Message-Authenticator and discard packets which fail this validation (<xref section="5.14" sectionFormat="comma" target="RFC2869"/>).</t>
            <t>Clients MUST NOT discard a packet based on the location of the Message-Authenticator attribute.  If Message-Authenticator passes validation, then the packet is authentic and it has not been modified.  The location of Message-Authenticator within the packet does not matter for authenticated packets.</t>
          </li>
        </ul>
        <t>When the response is discarded, the client MUST behave as if no response was received.  That is, any retransmission timers MUST NOT be modified as a result of receiving a packet which is silently discarded.</t>
        <t>Unfortunately, the client cannot determine if invalid packets are being discarded due to an ongoing attack, or if they are being discarded due to a mismatched configuration between client and server (e.g. a mismatched shared secret).  The client SHOULD log the fact that the packet was discarded (with rate limits) in order to inform the administrator either that an attack is underway, or that there is a configuration mismatch between client and server.</t>
        <t>The above discussions have now followed the complete path from client to server and back again.  If each client to server hop is secured via the above mitigations, then by extension, all systems using RADIUS/UDP or RADIUS/TCP will be protected from the BlastRADIUS attack.</t>
      </section>
      <section anchor="status-server">
        <name>Status-Server</name>
        <t>While the BlastRADIUS attack works only for Access-Request packets, Access-Accept or Access-Reject can also be sent in response to Status-Server packets (<xref target="RFC5997"/>).  In order to simplify client implementations, we mandate the following new behavior with respect to Status-Server:</t>
        <ul empty="true">
          <li>
            <t>Servers MUST follow the above recommendations relating to Message-Authenticator when sending Access-Accept, Access-Challenge, or Access-Reject packets, even if the original request was Status-Server.</t>
          </li>
        </ul>
        <t>This requirement ensures that clients can examine responses independent of any requests.  That is, a client can perform a simple verification pass of response packets prior to doing any more complex correlation of responses to request.</t>
        <t>We note that <xref section="3" sectionFormat="comma" target="RFC5997"/> states:</t>
        <ul empty="true">
          <li>
            <t>.. all Status-Server packets MUST include a Message-Authenticator attribute.  Failure to do so would mean that the packets could be trivially spoofed.</t>
          </li>
        </ul>
        <t>As a result, compliant implementations of <xref target="RFC5997"/> do not need to change their behavior with respect to sending or receiving Status-Server packets: they are already protected against the BlastRADIUS attack.</t>
      </section>
      <section anchor="documentation-and-logging">
        <name>Documentation and Logging</name>
        <t>It is RECOMMENDED that all RADIUS implementations document the behavior of these flags in detail, including how they help protect against this attack.  An informed administrator is more likely to engage in secure practices.</t>
        <t>Similarly, when any of the above flags cause a packet to be discarded, the system SHOULD log a descriptive message (subject to rate limiting) about the problematic packet.  This log is extremely valuable to administrators who wish to determine exactly what is going wrong, and what actions can be taken to correct the issue.</t>
      </section>
    </section>
    <section anchor="new-requirements-on-clients-and-servers">
      <name>New Requirements on Clients and Servers</name>
      <t>This section defines a number of updates to the RADIUS protocol which address interoperability issues.  While these updates do not directly increase the security of the protocol, they correct implementation errors which have caused RADIUS ssytems to be fragile.</t>
      <section anchor="attribute-location">
        <name>Attribute Location and Ordering</name>
        <t>While <xref section="5" sectionFormat="comma" target="RFC2865"/> states that attribute ordering does not matter, some implementations would discard packets attributes were not received in a particular order chosen by the implementer.  In one such case, some implementations misunderstood the BlastRADIUS mitigations which required that Message-Authenticator be sent as the first attribute in responses to Access-Request packets.  Despite the communicated requirement that clients do not check the location of Message-Authenticator, non-compliant implementations would discard valid and authentic Access-Request packets where Message-Authenticator was not the first attribute.  This behavior is not appropriate.</t>
        <t>The <xref section="5" sectionFormat="comma" target="RFC2865"/> text which discusses attribute order (quoted below) does not cover all possible cases.  The previous requirement is:</t>
        <artwork><![CDATA[
If multiple Attributes with the same Type are present, the order of
Attributes with the same Type MUST be preserved by any proxies.  The
order of Attributes of different Types is not required to be
preserved.  A RADIUS server or client MUST NOT have any dependencies
on the order of attributes of different types.  A RADIUS server or
client MUST NOT require attributes of the same type to be contiguous.
]]></artwork>
        <t>This specification adds the following requirement to cover a situation which was not covered in that text.</t>
        <t>A RADIUS client or server MUST NOT have dependencies on the order or location of a particular attribute.  A RADIUS client or server MUST NOT discard otherwise valid packets which have attributes in an order which is unexpected to the implementation, but which is valid by the above rules.</t>
        <t>For example, if Message-Authenticator passes validation, then the packet is authentic and it has not been modified. The location of Message-Authenticator within the packet does not matter for authenticated packets.  If can be the first, second, or last attribute, without any difference in meaning or security.</t>
      </section>
      <section anchor="unknown-attributes">
        <name>Unknown Attributes</name>
        <t>Another outcome of the BlastRADIUS mitigations was the discovery that some implementations would discard packets which contained an attribute that they did not recognize.  While this behavior is not explicitly permitted by previous specifications, it is not explicitly forbidden, either.  This document corrects that failure.</t>
        <t>Unknown attributes are defined as attributes which are well-formed, but which are not recognized by the implementation.  Processing of unknown attributes is discussed in <xref section="5" sectionFormat="comma" target="RFC2866"/>:</t>
        <ul empty="true">
          <li>
            <t>A RADIUS server MAY ignore Attributes with an unknown Type.</t>
            <t>A RADIUS client MAY ignore Attributes with an unknown Type.</t>
          </li>
        </ul>
        <t>This specification adds the following requirement to cover a situation which was not covered in that text.</t>
        <t>RADIUS client and server implementations MUST ignore Attributes with an unknown Type.   Those attributes MUST be treated in the same manner as an "Invalid Attribute" which is defined in <xref section="2.8" sectionFormat="comma" target="RFC6929"/>.  The only exception to the above requirement is CoA-Request and Disconnect-Request packets, as discussed in <xref section="4.3.2" sectionFormat="comma" target="RFC8559"/>.</t>
        <t>For all situations other than the ones discussed in  <xref section="4.3.2" sectionFormat="comma" target="RFC8559"/>, implementations MUST NOT discard a packet if it contains an attribute with an unknown Type.</t>
        <t>This behavior is secure, so long as implementations follow some additional guidance for Access-Accept packets.  This guidance follows logically from existing text in <xref section="4.4" sectionFormat="comma" target="RFC2865"/> for similar situations with Access-Challenge:</t>
        <ul empty="true">
          <li>
            <t>If the NAS does not support challenge/response, it MUST treat an
Access-Challenge as though it had received an Access-Reject
instead.</t>
          </li>
        </ul>
        <t>Additional requirements are given for Service-Type in <xref section="5.6" sectionFormat="comma" target="RFC2865"/>:</t>
        <ul empty="true">
          <li>
            <t>A NAS is not
required to implement all of these service types, and MUST treat
unknown or unsupported Service-Types as though an Access-Reject
had been received instead.</t>
          </li>
        </ul>
        <t>It is not practical to require that a RADIUS client implement all possible authorizations which can be sent in an Access-Accept. This specification adds the following requirement to cover a situation which was not covered by the above text.</t>
        <t>A RADIUS client MUST treat Access-Accepts with no known or supported authorizations as though an Access-Reject had been received instead.</t>
        <t>This requirement is already met by most RADIUS implementations.  That is, experience has shown that discarding packets for arbitrary reasons causes problems.  Implementations have largely chosen to follow reasonable practices, and the recommendation here codifies existing practices.</t>
      </section>
      <section anchor="obfuscated-attributes">
        <name>Obfuscated Attributes</name>
        <t>The content obfuscation methods such as User-Password have not been proven to be insecure.  However, they have also not been proven to be secure.  As such, outside of limited situations, all existing obfuscation methods are deprecated or forbidden.  The reader is directed to <xref target="I-D.dekok-radext-review-radius"/> for descriptions of the known security issues for those obfuscation methods.</t>
        <section anchor="user-password-obfuscation-method">
          <name>User-Password obfuscation method</name>
          <t>The User-Password obfuscation method was defined in <xref section="5.2" sectionFormat="comma" target="RFC2865"/>, and has been used for other attributes such as MS-CHAP-MPPE-Keys (<xref section="2.4.1" sectionFormat="comma" target="RFC2548"/>).</t>
          <t>Specifications MAY define new attributes which use this obfuscation method. Specifications MAY allow these attribute in Access-Request, but MUST NOT allow them in any other packet type.</t>
          <t>Implementations MAY allow these attributes in Access-Request.  Implementations MUST NOT allow these attributes in other packet types.</t>
        </section>
        <section anchor="tunnel-password-obfuscation-method">
          <name>Tunnel-Password obfuscation method</name>
          <t>The Tunnel-Password obfuscation method was defined in <xref section="3.5" sectionFormat="comma" target="RFC2868"/>, and has been used for other attributes such as MS-MPPE-Send-Key (<xref section="2.3.2" sectionFormat="comma" target="RFC2548"/>).</t>
          <t>Specifications MAY define new attributes which use this obfuscation method.  Specifications MAY allow these attributes in Access-Accept, but MUST NOT allow them in any other packet type.</t>
          <t>Implementations MAY MAY allow these attributes in Access-Accept.  Implementations MUST NOT allow these attributes in packets types other than Access-Accept or CoA-Request.</t>
          <t>Due to the limited entropy in CoA-Request packets <xref target="I-D.dekok-radext-review-radius"/>, the use of these attributes in CoA-Request packets is NOT RECOMMENDED.</t>
        </section>
        <section anchor="other-obfuscation-methods">
          <name>Other obfuscation methods</name>
          <t>Other attribute obfuscation methods have been defined by implementors.  One common one is used for Ascend-Send-Secret and Ascend-Recv-Secret vendor-specific attributes.  These methods have not had any cryptographic analysis, and are therefore inappropriate for use.</t>
          <t>As noted above in <xref target="forbidden"/>, specifications MUST NOT define any new attribute obfuscation methods.  This prohibition includes defining attributes which use the above Ascend-Send-Secret obfuscation method, as there is no specification which describes how that method works.</t>
        </section>
      </section>
      <section anchor="rate-limiting">
        <name>Rate Limiting</name>
        <t>The design of network access means that anyone can cause a NAS to send Access-Request packets at will, simply by attempting to gain network access.  If this process is not rate-limited, it can be abused by an attacker to perform dictionary or denial of service (DoS) attacks.</t>
        <t>Real-world corner cases can also turn into effective DoS attacks on the RADIUS infrastructure.  For example, if a large area of a city loses power and then regains it, the RADIUS server may see hundreds of thousands of authentication attempts within a short period of time.</t>
        <t>A naive RADIUS client implementation will simply send an Access-Request packet for every authentication attempt, without limit.  The cost to the RADIUS server to process these packets is likely significantly higher than the cost to the RADIUS client to generate them.</t>
        <t>Poor client implementations can compound this problem when they are configured to send Accounting-Request packets.  Some clients do not implement jitter in retransmissions, as suggested by <xref section="2.2.1" sectionFormat="comma" target="RFC5080"/>.  The result is that when many Access-Request packets are grouped together in time, the resulting Accounting-Request packets are also grouped together.  This grouping leads to the RADIUS server seeing periods of low activity, followed by sudden spikes of traffic.</t>
        <t>Other client implementations implement a single fixed retransmission timer for all accounting traffic.  That is, they have one timer which fires at a fixed interval (e.g. 10 minutes).  When that timer fires, the client sends Accounting-Request packets for all active sessions.  This practice may result in enormous spikes of traffic, where up to hundreds of thousands of packets are sent in only a few seconds.</t>
        <t>Such practices create network instability, and need to be avoided.</t>
        <section anchor="mandating-retransmission-timers">
          <name>Mandating Retransmission Timers</name>
          <t>RADIUS clients MUST implement either the retransmission algorithm defined in <xref section="2.2.1" sectionFormat="comma" target="RFC5080"/>, or an equivalent one which offers similar functionality including jitter and exponential backoff.</t>
          <t>This behavior was only recommended in <xref section="2.2.1" sectionFormat="comma" target="RFC5080"/>.  Many implementations chose to ignore that recommendation, which created network instabilities as noted in the previous section.</t>
          <t>The cost of these issues are not trivial, and there is therefore no reason to permit such behavior to continue.</t>
        </section>
        <section anchor="attacks-by-unauthenticated-devices">
          <name>Attacks by Unauthenticated Devices</name>
          <t>As unauthenticated devices can cause a RADIUS client to send Access-Request packets, the RADIUS ecosystem is subject to a DoS attack unless those packets are rate limited.  A  misconfigured or poorly implemented device can simply restart the authentication process if it does not receive a response within a tiny time window.  A malicious device can also send authentication attempts as quickly as possible.</t>
          <t>Anecdotal evidence from network operators indicates that this is a real-world problem.  Due to either poor device implemrentation or active attacks, operators sometimes see traffic spikes from individual devices which send thousands of packets a second.</t>
          <t>Similarly, many devices are known to immediately reauthenticate after receiving an authentication failure.  That issue is addressed in <xref target="access-reject"/>, below.  In the interest of preventing unauthenticated devices from causing DoS attacks on the RADIUS infrastructure, it is necessary to mandate new behavior for RADIUS clients.</t>
        </section>
        <section anchor="rate-limiting-access-request">
          <name>Rate Limiting Access-Request</name>
          <t>Client implementations which control network access for unauthenticated devices MUST rate limit the number of Access-Request packets that they originate.  This requirement does not apply to proxies, as they do not directly control network access for unauthenticated devices.</t>
          <t>Implementations SHOULD implement rate limits separately for each of individual device, network port, and globally across the client.  Network security and stability is improved when a client limits network access to malicious or misconfigured devices.  The alternative is for the client to contribute to the problem by simply forwarding the problematic traffic.  Since the cost to servers can be large, this forwarding effectively amplifies the attack.</t>
          <t>For individual devices or wired network ports, authentication requests can be limited to once per second.  Longer rate limit windows are likely to be humanly noticable, while shorter times are likely to still have negative impact on the RADIUS ecosystem.</t>
          <t>These rate limits will not affect well-behaved devices.  Rate limiting malicious devices will only have a positive effects.</t>
          <t>For global rate limits, implementations SHOULD provide a configuration option which can be set by an administrator.  Enforcing this limit in overload situations may cause some devices to fail authentication for a short period of time, until they retry.  However, if authentications are not globally rate limited, the RADIUS server will likely be overloaded, and the devices will be unable to authenticate even when there are no global rate limits.</t>
          <t>It is difficult to offer specific advice for setting global rate limits on sending Access-Request packets.  Networks can vary widely in performance and capability.  A local RADIUS server may have low latency, and could be capable of processing tens or hundreds of thousands of requests per second.  A remote RADIUS server at the end of a long proxy chain may have high latency, and could therefore process a much smaller number of requests per second.</t>
          <t>One possible rate limiting method is to use a method similar to the TCP window size.  A client could limit the number of sent Access-Requests which have not yet seen an Access-Accept or an Access-Reject.  If there are too many outstanding Access-Requests, then the server is deemed to be overloaded.  The client then waits for existing sessions to finish (or time out) before sending Access-Requests for new sessions.</t>
          <t>Other rate limiting methods are possible, but are not discussed here.  This topic is the subject of ongoing research.</t>
        </section>
        <section anchor="access-reject">
          <name>Delaying Access-Rejects</name>
          <t>Many devices are known to immediately reauthenticate after receiving an authentication failure.  While these devices are behaving poorly and not maliciously, the effect on the RADIUS systems is similar.</t>
          <t>In order to prevent rejected devices from reauthenticating immediately, servers MUST be able to delay Access-Reject packets.  Servers SHOULD enforce a minimum delay between reception of the Access-Request and transmission of any corresponding Access-Reject.  This delay SHOULD be configurable.  Experience shows that values of about one (1) second work well in practice.</t>
          <t>This delay can be enforced by any RADIUS server, including a proxy.  Howerver, for proxies, this delay MUST NOT be additive.  That is, proxies MUST NOT add a fixed delay to Access-Reject packets.  If multiple servers in a chain of proxies were to each add a delay, the delays woud be cumultative, and therefore problematic.</t>
          <t>Instead, proxies need only to enforce a minimum delay between Access-Request and Access-Reject.</t>
          <t>Servers SHOULD also add a small random jitter to any preconfigured delay, in order to better protect themselves from timing attacks.</t>
          <t>A NAS does not need add delays when rejecting a device.  Instead, it should send the reject to the device immediately.  As discussed above, a NAS should rate limit authentication requests from a device or port.  This rate limiting is likely to be easier for the NAS to implement than delaying rejects, and will have much the same effect.</t>
        </section>
      </section>
    </section>
    <section anchor="migrating-away-from-insecure-transports">
      <name>Migrating Away from Insecure Transports</name>
      <t>It can be difficult to upgrade legacy devices with new cryptographic protocols and user interfaces.  The problem is made worse due to the volume of RADIUS devices which are in use.  The exact number is unknown, and can only be approximated.  Our best guess is that at the time of this writing there are millions of devices supporting RADIUS/UDP in daily use.  It will take significant time and effort to correct the deficiencies of all of them.</t>
      <t>This section therefore documents a migration path from RADIUS/UDP to secure transports.  In the following sections, we give a number of migration steps which could each be done independently.  We recommend increased entropy for shared secrets. Finally, where <xref target="RFC6614"/> Section 2.3 makes support for TLS-PSK optional, we suggest that RADIUS/TLS and RADIUS/DTLS implementations SHOULD support TLS-PSK.</t>
      <section anchor="network-operators">
        <name>Network Operators</name>
        <t>It is RECOMMENDED that all RADIUS traffic be sent over a logically or physically separate management network.  This recommendation should be followed even if TLS transport is used.  There is no reason to mix user traffic and management traffic on the same network.</t>
        <t>Using a management network for RADIUS traffic will generally prevent anyone other than trusted administrators from attacking RADIUS.  We say “generally”, because security is limited by the least secure part of the network.  If a network device has a vulnerability, then an attacker could exploit that vulnerability in order to gain access to the management network.  The attacker would then be free to exploit the RADIUS infrastructure.</t>
        <t>As noted above, it is RECOMMENDED that all RADIUS traffic use TLS transport between client and server, even when the local network is believed to be secure.  While IPSec is useful to connect disparate sites across untrusted networks, it is still useful to use TLS transport to secure RADIUS traffic.  A defense in depth strategy helps to protect the network from both active attacks, and from accidental changes which decrease network security.</t>
        <t>All networking equipment should be physically secure.  There is no reason to have critical portions of networking infrastructure physically accessibly to the public.  Where networking equipment must be in public areas (e.g. access points), that equipment SHOULD NOT have any security role in the network.  Instead, any network security validation or enforcement SHOULD be done by separate equipment which is in a physically secure location.</t>
        <t>Similarly, the use of RADIUS/TCP in any circumstances is NOT RECOMMENDED.  Any system which supports RADIUS/TCP is also likely to support TLS, and that SHOULD be used instead.</t>
      </section>
      <section anchor="recommending-tls-psk">
        <name>Recommending TLS-PSK</name>
        <t>Given the insecurity of RADIUS/UDP, the absolute minimum acceptable security is to use strong shared secrets.  However, administrator overhead for TLS-PSK is not substantially higher than for shared secrets, and TLS-PSK offers significantly increased security and privacy.</t>
        <t>It is therefore RECOMMENDED that implementations support TLS-PSK.  In some cases TLS-PSK is preferable to certificates.  It may be difficult for RADIUS clients to upgrade all of their interfaces to support the use of certificates, and TLS-PSK more closely mirrors the historical use of shared secrets, with similar operational considerations.</t>
        <t>Additional implementation and operational considerations for TLS-PSK are given in <xref target="I-D.ietf-radext-tls-psk"/>.</t>
      </section>
    </section>
    <section anchor="practices-to-increase-radius-security-and-privacy">
      <name>Practices to Increase RADIUS Security and Privacy</name>
      <t>While we still permit the use of UDP and TCP transports in secure environments, there are opportunities for increasing the security of RADIUS when those transport protocols are used.  The amount of personal identifiable information (PII) sent in packets should be minimized.  Information about the size, structure, and nature of the visited network should be omitted or anonymized.  The choice of authentication method also has security and privacy impacts.</t>
      <t>The recommendations here for increasing the security of RADIUS transports also applies when TLS is used.  TLS transports protect the RADIUS packets from observation by from third-parties.  However, TLS does not hide the content of RADIUS packets from intermediate proxies, such as ones uses in a roaming environment.  As such, the best approach to minimizing the information sent to proxies is to minimize the number of proxies which see the RADIUS traffic, and to minimize the amount of PII which is sent.</t>
      <t>Implementers and administrators need to be aware of all of these issues, and then make the best choice for their local network which balances their requirements on privacy, security, and cost.  Any security approach based on a simple "checklist" of "good / bad" practices is likely to result in decreased security as compared to an end-to-end approach which is based on understanding the issues involved.</t>
      <section anchor="shared-secrets">
        <name>Use Long and Complex Shared Secrets</name>
        <t><xref target="RFC2865"/> Section 3 says:</t>
        <ul empty="true">
          <li>
            <t>It is preferred that the secret be at least 16
octets.  This is to ensure a sufficiently large range for the
secret to provide protection against exhaustive search attacks.
The secret MUST NOT be empty (length 0) since this would allow
packets to be trivially forged.</t>
          </li>
        </ul>
        <t>This recommendation is no longer adequate, so we strengthen it here.</t>
        <t>RADIUS implementations MUST support shared secrets of at least 32 octets, and SHOULD support shared secrets of 64 octets.  Implementations MUST warn administrators that the shared secret is insecure if it is 12 octets or less in length.</t>
        <t>Administrators SHOULD use shared secrets of at least 24 octets, generated using a source of secure random numbers.   Any other practice is likely to lead to compromise of the shared secret, user information, and possibly of the entire network.</t>
        <t>Creating secure shared secrets is not difficult.  The following figure outlines four separate ways to create shared secrets.</t>
        <artwork><![CDATA[
    openssl rand -base64 16

    dd if=/dev/urandom bs=1 count=16 | base64

    dd if=/dev/urandom bs=1 count=16 | base32

    dd if=/dev/urandom bs=1 count=16 |
        (hexdump -ve '/1 "%02x"' && echo)
]]></artwork>
        <t>Only one of the above commands should be run, as they are functionally equivalent.  Each command reads 128 bits (16 octets) of random data from a secure source, and encodes it as printable / readable ASCII.  This form of PSK will be accepted by any implementation which supports at least 32 octets for PSKs.  Larger PSKs can be generated by changing the "16" number in the command to a larger value.  The above derivation assumes that the random source returns one bit of entropy for every bit of randomness which is returned.  Sources failing that assumption are NOT RECOMMENDED.</t>
        <t>Given the simplicity of creating strong secrets, there is no excuse for using weak shared secrets with RADIUS.  The management overhead of dealing with complex secrets is less than the management overhead of dealing with compromised networks.</t>
        <t>Over all, the security analysis of shared secrets is similar to that for TLS-PSK.  It is therefore RECOMMENDED that implementers manage shared secrets with same the practices which are recommended for TLS-PSK, as defined in <xref target="RFC8446"/> Section E.7 and <xref target="RFC9257"/> Section 4.</t>
        <t>On a practical note, implementers SHOULD provide tools for administrators to help them create and manage secure shared secrets.  The cost to do so is minimal for an implementer.  Providing such tools can further enable and motivate administrators to use secure practices.</t>
      </section>
      <section anchor="use-constant-time-comparisons">
        <name>Use Constant Time Comparisons</name>
        <t>Both clients and servers SHOULD use constant-time operations to compare received versus calculated values which depend on secret information.  If comparison operations are stopped as soon as a difference is seen, an attacker could using timing attacks to determine the correct underlying values, even without seeing them.  A constant-time operation instead compares the entire value, accumulating the result along the way.  Only when the entire value has been examined does the comparison return a "match" or "no-match" result.</t>
        <t>Constant-time operations SHOULD be used for the Request Authenticator and Response Authenticator fields.  Constant time comparisons SHOULD be used for attributes which directly contain secret values (e.g. User-Password), or are derived from secret values (e.g. CHAP-Password, and Message-Authenticator).</t>
      </section>
      <section anchor="limit-the-use-of-user-password">
        <name>Limit the use of User-Password</name>
        <t>The design of RADIUS means that when proxies receive Access-Request packets, the clear-text contents of the User-Password attribute are visible to the proxy.  Despite various claims to the contrary, the User-Password attribute is never sent "in the clear" over the network.  Instead, the password is protected by TLS (RADIUS/TLS) or via the obfuscation methods defined in <xref section="5.2" sectionFormat="comma" target="RFC2865"/>.  However, the nature of RADIUS means that each proxy must first undo the password obfuscation of <xref target="RFC2865"/>, and then re-do it when sending the outbound packet.  As such, the proxy has the clear-text password visible to it, and stored in its application memory.</t>
        <t>It is therefore possible for every intermediate proxy to snoop and record all User-Name and User-Password values which they see.  This exposure is most problematic when the proxies are administered by an organization other than the one which operates the home server.  Even when all of the proxies are operated by the same organization, the temporary existence of clear-text passwords on multiple machines is a security risk.</t>
        <t>It is therefore NOT RECOMMENDED for organizations to send the User-Password attribute in packets which are sent outside of the organization.  If RADIUS proxying is necessary, another authentication method which provides for end-to-end security of user information SHOULD be used, such as EAP-TLS, TTLS, or PEAP.</t>
        <t>Organizations MAY still use User-Password attributes within their own systems.</t>
        <t>Client and server implementations MUST use secure programming techniques to wipe passwords and other sensitive data from memory when they are no longer needed.</t>
      </section>
      <section anchor="use-pap-in-preference-to-chap-and-ms-chap">
        <name>Use PAP in preference to CHAP and MS-CHAP</name>
        <t>When the system as a whole is taken into account, the risk of password compromise is substantially less with PAP than with CHAP or MS-CHAP.  The full reasons are outlined in <xref target="I-D.dekok-radext-review-radius"/> an <xref target="ms-chap"/>.</t>
        <t>It is therefore RECOMMENDED that administrators use PAP in preference to CHAP or MS-CHAP.  It is also RECOMMENDED that administrators store passwords "at rest" in a secure form (salted, hashed), as with the "crypt" format discussed elsewhere:  TBD - add ref to review document.</t>
        <t>That being said, other authentication methods such as EAP-TLS <xref target="RFC9190"/> do not expose clear-text passwords to the RADIUS server or any intermediate proxy.  Thor methods therefore lower the risk of password exposure even more than using PAP.  It is RECOMMENDED that administrators avoid password-based authentication methods where at all possible.</t>
      </section>
      <section anchor="use-eap-where-possible">
        <name>Use EAP Where Possible</name>
        <t>If more complex authentication methods are needed, there are a number of EAP methods which can be used.  These methods variously allow for the use of certificates (EAP-TLS), or passwords (EAP-TTLS <xref target="RFC5281"/>, PEAP <xref target="I-D.josefsson-pppext-eap-tls-eap"/>)) and EAP-pwd <xref target="RFC5931"/>.</t>
        <t>We also note that the TLS-based EAP methods which transport passwords also hide the passwords from intermediate RADIUS proxies, which also increases security.</t>
        <t>Finally, password-based EAP methods still send PAP / CHAP / MS-CHAP inside of the TLS tunnel.  As such, the security of a home server which checks those passwords is subject to the analysis above about PAP versus CHAP, along with the issues of storing passwords in a database.</t>
      </section>
      <section anchor="clients-need-to-implement-exponential-backoff">
        <name>Clients need to Implement Exponential Backoff</name>
        <t>RADIUS client retransmission behavior is defined in <xref section="2.2.2" sectionFormat="comma" target="RFC5080"/>.  That specification notes:</t>
        <ul empty="true">
          <li>
            <t>Some existing RADIUS clients implement excessively aggressive
retransmission behavior, utilizing default retransmission timeouts of
one second or less without support for congestive backoff.  When
deployed at a large scale, these implementations are susceptible to
congestive collapse.</t>
          </li>
        </ul>
        <t>Despite that specification being almost two decades old, many clients still follow the inappropriate behavior quoted above.  Perhaps unsurprisingly, those implementations failures continue to result in many issues, including contributing to congestive collapse.</t>
        <t>As a result, where <xref section="2.2.2" sectionFormat="comma" target="RFC5080"/> suggests that clients implement these behaviors, this specification now requires that clients MUST implement the jitter and congestive backoff algorithm defined in <xref section="2.2.2" sectionFormat="comma" target="RFC5080"/>.</t>
      </section>
      <section anchor="minimize-the-use-of-proxies">
        <name>Minimize the use of Proxies</name>
        <t>The design of RADIUS means that even when RADIUS/TLS is used, every intermediate proxy has access to all of the information in each packet.  The only way to secure the network from such observers is to minimize the use of proxies.</t>
        <t>Where it is still necessary to use intermediate proxies such as with eduroam (<xref target="EDUROAM"/>, <xref target="RFC7593"/>) and OpenRoaming (<xref target="OPENROAMING"/>), it is RECOMMENDED to use EAP methods instead of bare PAP, CHAP, or MS-CHAP.  If passwords are used, they can be can be protected from being seen by proxies via TLS-based EAP methods such as EAP-TTLS or PEAP.  Passwords can also be omitted entirely from being sent over the network, as with EAP-TLS <xref target="RFC9190"/> or EAP-pwd <xref target="RFC5931"/>.</t>
        <t>In many cases, however, the existence of proxies is to either due contractual obligations, or to a need to solve "N by M" connection problems.  A centralized proxy system can often simplify overall network management and maintenance.</t>
        <section anchor="eliminate-proxies-where-possible">
          <name>Eliminate Proxies Where Possible</name>
          <t>The best way to avoid malicious proxies is to eliminate proxies entirely.  The use of dynamic peer discovery (<xref target="RFC7585"/>) means that the number of intermediate proxies is minimized.</t>
          <t>However, the server on the visited network still acts as a proxy between the NAS and the home network.  As a result, all of the above analysis still applies when <xref target="RFC7585"/> peer discovery is used.  There is an intermediate system which may have access to passwords or PII.  The only solution is using end-to-end security for AAA, which would involve a completely new protocol.</t>
        </section>
        <section anchor="there-is-no-radius-routing-protocol">
          <name>There is no RADIUS Routing Protocol</name>
          <t>While <xref target="RFC7585"/> allows for a client to connect directly to a server, that configuration is not always used.  Historically, RADIUS systems implemented realm <xref target="RFC7542"/> roaming, where multiple visited networks were connected to multiple home via chains of intermediate proxies <xref target="RFC2194"/>.  As there is no RADIUS routing protocol to control realm forwarding through these proxies, there is therefore no way to automatically determine which realms are routable, or how best to route packets for known realms.</t>
          <t>The outcome of this limitation is that all such realm routing rules are largely configured statically, manually, and individually on multiple systems.  This process can be automated within one administrative system, but it is open to mistakes or abuse in multi-system networks.</t>
          <t>In RADIUS, each proxy which sees traffic is completely trusted.  It can modify, filter, or record any packets which transit the proxy.  This ability means that a proxy can engage in a large number of negative behaviors.  For example, a proxy could forge Access-Request packets for realms which it knows about, and potentially perform dictionary attacks on home networks.  A proxy could also alter or invent data in Accounting-Request packets, in order to defraud a home server of revenue.  A proxy could also observe Accounting-Request traffic, and use the obtained information to forge Disconnect-Request packets.</t>
          <t>Proxies can also inject traffic for realms which do not normally transit the proxy.  Without a routing protocol, there is no way for a home server to automatically control which set of realms is allowed to be sent from a particular client.  There is also no general way for a proxy to signal that a particular Access-Request or Accounting-Request is non-routable: it must be either rejected or discarded.</t>
          <t>Visited sites also have no control over proxies past the ones that they have relationships with.  Subsequent proxies are completely unknown, and unknowable to the visited network.  Despite these systems being completely unknown, they are completely trusted due to limitations in the RADIUS protocol.</t>
          <t>That is, there is no fine-grained way for a visited or home network to limit which intermediary systems see traffic for their realms, or what traffic can be seen by those systems.  While these filtering rules can be manually documented as seen in <xref target="FILTER"/>, this process is error-prone, and fragile.</t>
          <t>Administrators should be aware of the above issues: fraud, forgery, and filtering are all possible in a "trusted" RADIUS ecosystem.</t>
          <t>Historically, these issues do not appear to have been widely exploited.  The most common defense against these attacks is to limit RADIUS relationships to entities which share a contractual relationship.  This relationship can be direct between clients, servers, and proxies.  This relationship can also be indirect, as when multiple organizations are members of a shared consortium such as eduroam.</t>
          <t>Implementations therefore SHOULD provide methods by which routing information can be tied to particular clients and to particular home servers.  Implementations SHOULD allow packets to be filtered by some combination of realm and client or home server.  Administrators SHOULD take advantage of these filters to double-check that received traffic is coming from the expected sources, and contains the expected realms.</t>
        </section>
        <section anchor="dynamic-discovery-and-filtering">
          <name>Dynamic Discovery and Filtering</name>
          <t>When <xref target="RFC7585"/> dynamic discovery is used, intermediate proxy hops are avoided.  There are a number of possible attacks here, though <xref section="5" sectionFormat="comma" target="RFC7585"/> largely limits its discussion to rate limiting of connections.</t>
          <t>A client which supports dynamic discovery of home servers still has to perform filtering on NAI realms before doing any lookups.  When no filtering takes place, an attacker can cause a RADIUS client to do DNS lookups for arbitrary domains, and then cause it to connect to arbitrary servers.  As there is no RADIUS routing protocol, there is no general way for a client to determine which realms are part of a particular organization, and are thus permitted for dynamic DNS lookups.</t>
          <t>Organizations relying on dynamic discovery SHOULD have some way of automatically sharing which realms are valid, and which are not.  There are a number of possibilities here, and choosing the best one is up to each individual organization.</t>
          <t>Clients supporting dynamic discovery SHOULD require that servers use certificates from a private Certification Authority (CA).  Clients MUST NOT automatically accept server certificates rooted from public CAs (e.g. as is done for web servers).  Instead, clients MUST be configurable to use only a limited set of CAs.  The default list of accepted CAs SHOULD be empty.</t>
          <t>Similarly, servers SHOULD require that clients use certificates from a private Certification Authority (CA).  Servers MUST NOT accept client certificates rooted from a public CA.</t>
          <t>Servers which accept connections from dynamic discover are necessarily open to the Internet.</t>
          <t>TBD - care should be taken.  Where possible, IP filtering is used.  Do NAI filtering, etc.</t>
          <t>Administrators SHOULD limit the source IP of allowed connections.  Server SHOULD filter packets received by NAI, and close connections when the NAIs in incoming packets do not match the NAI(s) that the server expects.  This mismatch indicates either a misconfigured or malicious client.</t>
          <t>Both clients and servers can send any data inside of a TLS tunnel.  Implementations SHOULD take care to treat the data inside of a TLS tunnel as a potential source of attacks.</t>
          <t>Where multiple realms resolve to the same destination IP address, implementations MAY send packets for multiple realms across a connection to that IP address.  Clients SHOULD use SNI to indicate which realm they are connecting to.  Servers SHOULD present a certificate for the requested realm, instead of using a shared or "hosting" certificate which is owned by the hosting provider, and is used by multiple realms.  Such certificate sharing decreases security, and increases operational costs.</t>
          <t>TBD:   Let's say that the RADIUS or EAP server certificate for the "example.com" is instead from the hosting company "example.org".  When your company changes hosting providers, you will need to re-provision every system with a new server certificate.    If instead the server certificate is for your domain, no re-provisioning is necessary.</t>
          <t>Where systems do not have a pre-defined list of allowed realms, implementations MUST support negative caching.  That is, if the lookup for a particular realm fails, or a connection to that realm fails, then the implementation needs to cache that negative result for a period of time.  This cache needs to be examined prior to any new lookup or connection being made.  If there is an entry in the negative cache, then the server MUST skip the lookup or connection attempt, and instead return an immediate error.  This negative cache time SHOULD be configurable.</t>
          <t>Other attacks are possible.  If there are implementation bugs in a clients TLS library, an attacker could use dynamic discovery to cause the client to connect to a malicious server, and then use the server to attack the client.  A malicious server could also slow down its TCP connection to engage client resources for extended periods of time.  This process could even be done even before any TLS credentials are exchanged.</t>
          <t>In general, <xref target="RFC7585"/> dynamic discovery is substantially different from normal application protocols which use TLS.  There is substantial attack surface added by an unknown, and unauthenticated user who can cause a RADIUS client to connect to arbitrary systems under an attacker control.  Dynamic discovery should be used with care, and only with substantial amounts of filtering on the NAI realms which are allowed, and only with stringent limits on the number of lookups, connection attempts, open connections, etc.</t>
        </section>
      </section>
      <section anchor="use-rate-limiting">
        <name>Use Rate Limiting</name>
        <t>TBD:</t>
      </section>
      <section anchor="minimize-personal-identifiable-information">
        <name>Minimize Personal Identifiable Information</name>
        <t>One approach to increasing RADIUS privacy is to minimize the amount of PII which is sent in packets.  Implementers of RADIUS products and administrators of RADIUS systems SHOULD ensure that only the minimum necessary PII is sent in RADIUS.</t>
        <t>Where possible, identities should be anonymized (e.g. <xref target="RFC7542"/> Section 2.4).  The use of anonymized identities means that the the Chargeable-User-Identifier <xref target="RFC4372"/> should also be used.  Further discussion on this topic is below.</t>
        <t>Device information SHOULD be either omitted, or randomized.  e.g. MAC address randomization could be used on end-user devices.  The details behind this recommendation are the subject of ongoing research and development.  As such, we do not offer more specific recommendations here.</t>
        <t>Information about the visited network SHOULD be replaced or anonymized before packets are proxied outside of the local organization.  The attribute Operator-NAS-Identifier <xref target="RFC8559"/> can be used to anonymize information about NASes in the local network.</t>
        <t>Location information (<xref target="RFC5580"/> SHOULD either be omitted, or else it SHOULD be limited to the broadest possible information, such as country code. For example, <xref target="I-D.tomas-openroaming"/> says:</t>
        <ul empty="true">
          <li>
            <t>All OpenRoaming ANPs MUST support signaling of location information</t>
          </li>
        </ul>
        <t>This location information is required to include at the minimum the country code.  We suggest the country code SHOULD also be the maximum amount of location information which is sent over third-party networks.</t>
        <section anchor="creating-chargeable-user-identity">
          <name>Creating Chargeable-User-Identity</name>
          <t>Where the Chargeable-User-Identity (CUI) <xref target="RFC4372"/> is used, it SHOULD be unique per session.  This practice will help to maximize user privacy, as it will be more difficult to track users across multiple sessions.  Due to additional constraints which we will discuss below, we cannot require that the CUI change for every session.</t>
          <t>What we can do is to require that the home server MUST provide a unique CUI for each combination of user and visited network.  That is, if the same user visits multiple networks, the home server MUST provide different CUIs to each visited network for that user.  The CUI MAY be the same across multiple sessions for that user on one particular network.  The CUI MAY be the same for multiple devices used by that user on one particular network.</t>
          <t>We note that the MAC address is likely the same across multiple user sessions on one network.  Therefore changing the CUI offers little additional benefit, as the user can still be tracked by the unchanging MAC address.  Never the less, we believe that having a unique CUI per session can be useful, because there is ongoing work on increasing user privacy by allowing more MAC address randomization.  If we were to recommend that the CUI remain constant across multiple sessions, that would in turn negate much of the effort being put into MAC address randomization.</t>
          <t>One reason to have a constant CUI value for a user (or user devices) on one network is that network access providers may need to enforce limits on simultaneous logins.  Network providers may also need to correlate user behavior across multiple sessions in order to track and prevent abuse.  Both of these requirements are impossible if the CUI changes for every user session.</t>
          <t>The result is that there is a trade-off between user privacy and the needs of the local network.  While perfect user privacy is an admirable goal, perfect user privacy may also allow anonymous users to abuse the visited network.  The network would then likely simply refuse to provide network access.  Users may therefore have to accept some limitations on privacy, in order to obtain network access.</t>
          <t>Although the CUI contents are not directly related to security, we still give recommendations for creating and managing of the CUI.  We believe that these recommendations will help implementers satisfy the preceding requirements, while not imposing undue burden on the implementations.</t>
          <t>In general, the simplest way to track CUIs long term is to associate the CUI to user identity in some kind of cache or database.  This association could be created at the tail end of the authentication process, and before any accounting packets were received.  This association should generally be discarded after a period of time if no accounting packets are received.  If accounting packets are received, the CUI to user association should then be tracked along with the normal accounting data.</t>
          <t>The above method for tracking CUI works no matter how the CUI is generated.  If the CUI can be unique per session, or it could be tied to a particular user identity across a long period of time.  The same CUI could also be associated with multiple devices.</t>
          <t>Where the CUI is not unique for each session, the only minor issue is the cost of the above method is that the association is stored on a per-session basis when there is no need for that to be done.  Storing the CUI per session means that is it possible to arbitrarily change how the CUI is calculated, with no impact on anything else in the system.  Designs such as this which decouple unrelated architectural elements are generally worth the minor extra cost.</t>
          <t>For creating the CUI, that process should be done in a way which is scalable and efficient.  For a unique CUI per user, implementers SHOULD create a value which is unique both to the user, and to the visited network.  There is no reason to use the same CUI for multiple visited networks, as that would enable the tracking of a user across multiple networks.</t>
          <t>Before suggesting a method for creating the CUI, we note that <xref target="RFC4372"/> Section 2.1 defines the CUI as being of data type 'string' (<xref target="RFC8044"/> Section 3.5).  <xref target="RFC4372"/> Section 2.1 further suggests that the value of the CUI is interpreted as an opaque token, similar to the Class attribute (<xref target="RFC2865"/> Section 5.25).  Some organizations create CUI values which use the Network Access Identifier (NAI) format as defined in <xref target="RFC7542"/>.  This format can allow the home network to be identified to the visited network, where the User-Name does not contain a realm.  Such formats SHOULD NOT be used unless all parties involved have agreed to this behavior.</t>
          <t>The CUI SHOULD be created via a construct similar to what is given below, where "+" indicates concatenation:</t>
          <artwork><![CDATA[
CUI = HASH(Visited Network Data + User Identifier + Key)
]]></artwork>
          <t>This construct has the following functional parameters.</t>
          <ul empty="true">
            <li>
              <t>HASH</t>
              <ul empty="true">
                <li>
                  <t>A cryptographic hash function.  It is RECOMMENDED to use an HMAC instead of a hash function.</t>
                </li>
              </ul>
            </li>
          </ul>
          <ul empty="true">
            <li>
              <t>Visited Network Data</t>
              <ul empty="true">
                <li>
                  <t>Data which identifies the visited network.</t>
                  <t>This data could be the Operator-Name attribute (<xref target="RFC5580"/> Section 4.1).</t>
                </li>
              </ul>
            </li>
          </ul>
          <ul empty="true">
            <li>
              <t>User Identifier</t>
              <ul empty="true">
                <li>
                  <t>The site-local user identifier.  For tunneled EAP methods such as PEAP or TTLS, this could be the user identity which is sent inside of the TLS tunnel.</t>
                </li>
              </ul>
            </li>
          </ul>
          <ul empty="true">
            <li>
              <t>Key</t>
              <ul empty="true">
                <li>
                  <t>A secret known only to the local network.  The key is generally a large random string.  It is used to help prevent dictionary attacks on the CUI.</t>
                </li>
              </ul>
            </li>
          </ul>
          <t>Where the CUI needs to be constant across multiple user sessions or devices, the key can be a static value.  It is generated once by the home network, and then stored for use in further CUI derivations.</t>
          <t>Where the CUI needs to be unique per session, the above derivation SHOULD still be used, except that the "key" value will instead be a random number which is different for each session.  Using such a design again decouples the CUI creation from any requirement that it is unique per session, or constant per user.  That decision can be changed at any time, and the only piece which needs to be updated is the derivation of the "key" field.  In contrast, if the CUI is generated completely randomly per session, then it may be difficult for a system to later change that behavior to allow the CUI to be constant for a particular user.</t>
          <t>If an NAI format is desired, the hash output can be converted to printable text, truncated if necessary to meet length limitations, and then an "@" character and a realm appended to it.  The resulting text string is then in NAI form.</t>
          <t>We note that the above recommendation is not invertible.  That is, given a particular CUI, it is not possible to determine which visited network or user identifier was used to create it.  If it is necessary to use the CUI to look up a user, the home network needs to store the full set of CUI values which a user has been assigned.</t>
          <t>If this tracking is too complex for a network, it is possible to create the CUI via an invertible encryption process as follows:</t>
          <artwork><![CDATA[
CUI = ENCRYPT(Key + Visited Network Data + User Identifier)
]]></artwork>
          <t>This construct has the following functional parameters.</t>
          <ul empty="true">
            <li>
              <t>ENCRYPT</t>
              <ul empty="true">
                <li>
                  <t>A cryptographically secure encryption function.</t>
                </li>
              </ul>
            </li>
          </ul>
          <ul empty="true">
            <li>
              <t>Key</t>
              <ul empty="true">
                <li>
                  <t>The encryption key.  Note that the same key must not be used for more both hashing and encryption.</t>
                </li>
              </ul>
            </li>
          </ul>
          <ul empty="true">
            <li>
              <t>Visited Network Data</t>
              <ul empty="true">
                <li>
                  <t>Data which identifies the visited network.</t>
                  <t>This data could be the Operator-Name attribute (<xref target="RFC5580"/> Section 4.1).</t>
                </li>
              </ul>
            </li>
          </ul>
          <ul empty="true">
            <li>
              <t>User Identifier</t>
              <ul empty="true">
                <li>
                  <t>The site-local user identifier.  For tunneled EAP methods such as PEAP or TTLS, this could be the user identity which is sent inside of the TLS tunnel.</t>
                </li>
              </ul>
            </li>
          </ul>
          <t>However, it is RECOMMENDED that HMAC based methods are used instead of methods based on reversible encryption.</t>
          <t>The intent is for CUI to leak as little information as possible, and ideally be different for every session.  However, business agreements, legal requirements, etc. may mandate different behavior.  The intention of this section is not to mandate complete CUI privacy, but instead to clarify the trade-offs between CUI privacy and business realities.</t>
        </section>
      </section>
    </section>
    <section anchor="privacy-considerations">
      <name>Privacy Considerations</name>
      <t>The primary focus of this document is addressing privacy and security considerations for RADIUS.</t>
      <t>Deprecating insecure transport for RADIUS, and requiring secure transport means that personally identifying information is no longer sent "in the clear".  As noted earlier in this document, such information can include MAC addresses, user identifiers, and user locations.</t>
      <t>In addition, this document suggests ways to increase privacy by minimizing the use and exchange of PII.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>The primary focus of this document is addressing privacy and security considerations for RADIUS.</t>
      <t>Deprecating insecure transports for RADIUS, and requiring secure transports, means that many historical security issues with the RADIUS protocol are mitigated.</t>
      <t>We reiterate the discussion above that any security analysis must be done on the system as a whole.  It is not reasonable to put an expensive lock on the front door of a house while leaving the window next to it open, and then somehow declare the house to be "secure".  Any approach to security based on a simple checklist is at best naive, and more truthfully is deeply misleading.  At worst, such practices will decrease security by causing people to follow false security practices, and to ignore real security practices.</t>
      <t>Implementers and administrators need to be aware of the issues raised in this document.  They can then make the best choice for their local network which balances their requirements on privacy, security, and cost.  Only informed choices will lead to the best security.</t>
      <section anchor="historical-considerations">
        <name>Historical Considerations</name>
        <t>The BlastRADIUS vulnerability is the result of RADIUS security being a low priority for decades.  Even the recommendation of <xref section="2.2.2" sectionFormat="comma" target="RFC5080"/> that all clients add Message-Authenticator to all Access-Request packets was ignored by nearly all implementers.  If that recommendation had been followed, then the BlastRADIUS vulnerability notification would have been little more than "please remember to set the require Message-Authenticator flag on all RADIUS servers."</t>
        <t>For MS-CHAP, it has not previously been deprecated for similar reasons, even though it has been proven to be insecure for decades.  This continued use of MS-CHAP has likely resulted in the leaking of many users clear-text passwords.</t>
      </section>
      <section anchor="practical-implications">
        <name>Practical Implications</name>
        <t>This document either deprecates or forbids methods and behaviors which have been common practice for decades.  While insecure practices have been viewed as tolerable, they are no longer acceptable.</t>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>IANA is instructed to update the RADIUS Types registry, and the "Values for RADIUS Attribute 101, Error-Cause Attribute" sub-registry with the following addition:</t>
      <artwork><![CDATA[
Value,Description,Reference
510,Missing Message-Authenticator,[THIS-DOCUMENT]
]]></artwork>
    </section>
    <section anchor="acknowledgements">
      <name>Acknowledgements</name>
      <t>Thanks to the many reviewers and commenters for raising topics to discuss, and for providing insight into the issues related to increasing the security of RADIUS.  In no particular order, thanks to Margaret Cullen, Alexander Clouter, and Josh Howlett.</t>
      <t>Many thanks to Nadia Heninger and the rest of the BlastRADIUS team, along with Heikki Vatiainen, for extensive discussions and feedback about the issue.</t>
      <t>The author is deeply indebted to the late Bernard Aboba for decades of advice and guidance.</t>
    </section>
    <section anchor="changelog">
      <name>Changelog</name>
      <ul spacing="normal">
        <li>
          <t>01 - added more discussion of IPsec, and move TLS-PSK to its own document,</t>
        </li>
        <li>
          <t>02 - Added text on Increasing the Security of Insecure Transports</t>
        </li>
        <li>
          <t>03 - add text on CUI.  Add notes on PAP vs CHAP security</t>
        </li>
        <li>
          <t>04 - add text on security of MS-CHAP.  Rearrange and reword many sections for clarity.</t>
        </li>
        <li>
          <t>05 - Rework title to deprecating "insecure practices".  Clarifications based on WG feedback.</t>
        </li>
        <li>
          <t>00 - adoption by WG.</t>
        </li>
        <li>
          <t>01 - review from Bernard Aboba.  Added discussion on accounting, clarified and re-arranged text.  Added discussion of server behavior for missing Message-Authenticator</t>
        </li>
        <li>
          <t>02 - BlastRADIUS updates.</t>
        </li>
        <li>
          <t>03 - add delay Access-Reject, constant-time comparison, no routing protocol.  Updated the text significantly and made it more consistent with the BlastRADIUS recommendations.  Add "updates" other RFCs.</t>
        </li>
        <li>
          <t>04 - updates with review from Fabian Mauchle</t>
        </li>
        <li>
          <t>05 - merge in spelling fixes from Andrew Wood.  Update and rewrite BlastRADIUS mitigations to make them clearer.  Add section describing processes administrators can use to upgrade their networks.</t>
        </li>
        <li>
          <t>06 - updates and clarifications based on reviews.</t>
        </li>
        <li>
          <t>07 - move "review" text into draft-dekok-radext-review-radius</t>
        </li>
      </ul>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC2865">
          <front>
            <title>Remote Authentication Dial In User Service (RADIUS)</title>
            <author fullname="C. Rigney" initials="C." surname="Rigney"/>
            <author fullname="S. Willens" initials="S." surname="Willens"/>
            <author fullname="A. Rubens" initials="A." surname="Rubens"/>
            <author fullname="W. Simpson" initials="W." surname="Simpson"/>
            <date month="June" year="2000"/>
            <abstract>
              <t>This document describes a protocol for carrying authentication, authorization, and configuration information between a Network Access Server which desires to authenticate its links and a shared Authentication Server. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2865"/>
          <seriesInfo name="DOI" value="10.17487/RFC2865"/>
        </reference>
        <reference anchor="RFC6421">
          <front>
            <title>Crypto-Agility Requirements for Remote Authentication Dial-In User Service (RADIUS)</title>
            <author fullname="D. Nelson" initials="D." role="editor" surname="Nelson"/>
            <date month="November" year="2011"/>
            <abstract>
              <t>This memo describes the requirements for a crypto-agility solution for Remote Authentication Dial-In User Service (RADIUS). This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6421"/>
          <seriesInfo name="DOI" value="10.17487/RFC6421"/>
        </reference>
        <reference anchor="RFC8044">
          <front>
            <title>Data Types in RADIUS</title>
            <author fullname="A. DeKok" initials="A." surname="DeKok"/>
            <date month="January" year="2017"/>
            <abstract>
              <t>RADIUS specifications have used data types for two decades without defining them as managed entities. During this time, RADIUS implementations have named the data types and have used them in attribute definitions. This document updates the specifications to better follow established practice. We do this by naming the data types defined in RFC 6158, which have been used since at least the publication of RFC 2865. We provide an IANA registry for the data types and update the "RADIUS Attribute Types" registry to include a Data Type field for each attribute. Finally, we recommend that authors of RADIUS specifications use these types in preference to existing practice. This document updates RFCs 2865, 3162, 4072, 6158, 6572, and 7268.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8044"/>
          <seriesInfo name="DOI" value="10.17487/RFC8044"/>
        </reference>
        <reference anchor="I-D.ietf-radext-radiusdtls-bis">
          <front>
            <title>RadSec: RADIUS over Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)</title>
            <author fullname="Jan-Frederik Rieckers" initials="J." surname="Rieckers">
              <organization>Deutsches Forschungsnetz | German National Research and Education Network</organization>
            </author>
            <author fullname="Margaret Cullen" initials="M." surname="Cullen">
              <organization>Painless Security</organization>
            </author>
            <author fullname="Stefan Winter" initials="S." surname="Winter">
              <organization>Fondation Restena | Restena Foundation</organization>
            </author>
            <date day="5" month="May" year="2026"/>
            <abstract>
              <t>   This document defines transport profiles for running RADIUS over
   Transport Layer Security (TLS) and Datagram Transport Layer Security
   (DTLS), allowing the secure and reliable transport of RADIUS
   messages.  RADIUS/TLS and RADIUS/DTLS are collectively referred to as
   RadSec.

   This document obsoletes RFC6614 and RFC7360, which specified
   experimental versions of RADIUS over TLS and DTLS.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-radext-radiusdtls-bis-16"/>
        </reference>
        <reference anchor="I-D.dekok-radext-review-radius">
          <front>
            <title>A Review of RADIUS Security and Privacy</title>
            <author fullname="Alan DeKok" initials="A." surname="DeKok">
              <organization>InkBridge Networks</organization>
            </author>
            <date day="15" month="March" year="2026"/>
            <abstract>
              <t>   This document provides a comprehensive review of security issues
   related to the RADIUS Protocol.  This review motivates the changes to
   RADIUS security which are made in
   [I-D.ietf-radext-deprecating-radius].

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-dekok-radext-review-radius-01"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC1321">
          <front>
            <title>The MD5 Message-Digest Algorithm</title>
            <author fullname="R. Rivest" initials="R." surname="Rivest"/>
            <date month="April" year="1992"/>
            <abstract>
              <t>This document describes the MD5 message-digest algorithm. The algorithm takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. This memo provides information for the Internet community. It does not specify an Internet standard.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="1321"/>
          <seriesInfo name="DOI" value="10.17487/RFC1321"/>
        </reference>
        <reference anchor="RFC2433">
          <front>
            <title>Microsoft PPP CHAP Extensions</title>
            <author fullname="G. Zorn" initials="G." surname="Zorn"/>
            <author fullname="S. Cobb" initials="S." surname="Cobb"/>
            <date month="October" year="1998"/>
            <abstract>
              <t>The Point-to-Point Protocol (PPP) provides a standard method for transporting multi-protocol datagrams over point-to-point links. PPP defines an extensible Link Control Protocol and a family of Network Control Protocols (NCPs) for establishing and configuring different network-layer protocols. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2433"/>
          <seriesInfo name="DOI" value="10.17487/RFC2433"/>
        </reference>
        <reference anchor="RFC2759">
          <front>
            <title>Microsoft PPP CHAP Extensions, Version 2</title>
            <author fullname="G. Zorn" initials="G." surname="Zorn"/>
            <date month="January" year="2000"/>
            <abstract>
              <t>This document describes version two of Microsoft's PPP CHAP dialect (MS-CHAP-V2). MS-CHAP-V2 is similar to, but incompatible with, MS-CHAP version one (MS-CHAP-V1). This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2759"/>
          <seriesInfo name="DOI" value="10.17487/RFC2759"/>
        </reference>
        <reference anchor="RFC2866">
          <front>
            <title>RADIUS Accounting</title>
            <author fullname="C. Rigney" initials="C." surname="Rigney"/>
            <date month="June" year="2000"/>
            <abstract>
              <t>This document describes a protocol for carrying accounting information between a Network Access Server and a shared Accounting Server. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2866"/>
          <seriesInfo name="DOI" value="10.17487/RFC2866"/>
        </reference>
        <reference anchor="RFC2868">
          <front>
            <title>RADIUS Attributes for Tunnel Protocol Support</title>
            <author fullname="G. Zorn" initials="G." surname="Zorn"/>
            <author fullname="D. Leifer" initials="D." surname="Leifer"/>
            <author fullname="A. Rubens" initials="A." surname="Rubens"/>
            <author fullname="J. Shriver" initials="J." surname="Shriver"/>
            <author fullname="M. Holdrege" initials="M." surname="Holdrege"/>
            <author fullname="I. Goyret" initials="I." surname="Goyret"/>
            <date month="June" year="2000"/>
            <abstract>
              <t>This document defines a set of RADIUS (Remote Authentication Dial In User Service) attributes designed to support the provision of compulsory tunneling in dial-up networks. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2868"/>
          <seriesInfo name="DOI" value="10.17487/RFC2868"/>
        </reference>
        <reference anchor="RFC2869">
          <front>
            <title>RADIUS Extensions</title>
            <author fullname="C. Rigney" initials="C." surname="Rigney"/>
            <author fullname="W. Willats" initials="W." surname="Willats"/>
            <author fullname="P. Calhoun" initials="P." surname="Calhoun"/>
            <date month="June" year="2000"/>
            <abstract>
              <t>This document describes additional attributes for carrying authentication, authorization and accounting information between a Network Access Server (NAS) and a shared Accounting Server using the Remote Authentication Dial In User Service (RADIUS) protocol described in RFC 2865 and RFC 2866. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2869"/>
          <seriesInfo name="DOI" value="10.17487/RFC2869"/>
        </reference>
        <reference anchor="RFC3579">
          <front>
            <title>RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)</title>
            <author fullname="B. Aboba" initials="B." surname="Aboba"/>
            <author fullname="P. Calhoun" initials="P." surname="Calhoun"/>
            <date month="September" year="2003"/>
            <abstract>
              <t>This document defines Remote Authentication Dial In User Service (RADIUS) support for the Extensible Authentication Protocol (EAP), an authentication framework which supports multiple authentication mechanisms. In the proposed scheme, the Network Access Server (NAS) forwards EAP packets to and from the RADIUS server, encapsulated within EAP-Message attributes. This has the advantage of allowing the NAS to support any EAP authentication method, without the need for method- specific code, which resides on the RADIUS server. While EAP was originally developed for use with PPP, it is now also in use with IEEE 802. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="3579"/>
          <seriesInfo name="DOI" value="10.17487/RFC3579"/>
        </reference>
        <reference anchor="RFC5176">
          <front>
            <title>Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)</title>
            <author fullname="M. Chiba" initials="M." surname="Chiba"/>
            <author fullname="G. Dommety" initials="G." surname="Dommety"/>
            <author fullname="M. Eklund" initials="M." surname="Eklund"/>
            <author fullname="D. Mitton" initials="D." surname="Mitton"/>
            <author fullname="B. Aboba" initials="B." surname="Aboba"/>
            <date month="January" year="2008"/>
            <abstract>
              <t>This document describes a currently deployed extension to the Remote Authentication Dial In User Service (RADIUS) protocol, allowing dynamic changes to a user session, as implemented by network access server products. This includes support for disconnecting users and changing authorizations applicable to a user session. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5176"/>
          <seriesInfo name="DOI" value="10.17487/RFC5176"/>
        </reference>
        <reference anchor="RFC5580">
          <front>
            <title>Carrying Location Objects in RADIUS and Diameter</title>
            <author fullname="H. Tschofenig" initials="H." role="editor" surname="Tschofenig"/>
            <author fullname="F. Adrangi" initials="F." surname="Adrangi"/>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="A. Lior" initials="A." surname="Lior"/>
            <author fullname="B. Aboba" initials="B." surname="Aboba"/>
            <date month="August" year="2009"/>
            <abstract>
              <t>This document describes procedures for conveying access-network ownership and location information based on civic and geospatial location formats in Remote Authentication Dial-In User Service (RADIUS) and Diameter.</t>
              <t>The distribution of location information is a privacy-sensitive task. Dealing with mechanisms to preserve the user's privacy is important and is addressed in this document. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5580"/>
          <seriesInfo name="DOI" value="10.17487/RFC5580"/>
        </reference>
        <reference anchor="RFC6151">
          <front>
            <title>Updated Security Considerations for the MD5 Message-Digest and the HMAC-MD5 Algorithms</title>
            <author fullname="S. Turner" initials="S." surname="Turner"/>
            <author fullname="L. Chen" initials="L." surname="Chen"/>
            <date month="March" year="2011"/>
            <abstract>
              <t>This document updates the security considerations for the MD5 message digest algorithm. It also updates the security considerations for HMAC-MD5. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6151"/>
          <seriesInfo name="DOI" value="10.17487/RFC6151"/>
        </reference>
        <reference anchor="RFC6613">
          <front>
            <title>RADIUS over TCP</title>
            <author fullname="A. DeKok" initials="A." surname="DeKok"/>
            <date month="May" year="2012"/>
            <abstract>
              <t>The Remote Authentication Dial-In User Server (RADIUS) protocol has, until now, required the User Datagram Protocol (UDP) as the underlying transport layer. This document defines RADIUS over the Transmission Control Protocol (RADIUS/TCP), in order to address handling issues related to RADIUS over Transport Layer Security (RADIUS/TLS). It permits TCP to be used as a transport protocol for RADIUS only when a transport layer such as TLS or IPsec provides confidentiality and security. This document defines an Experimental Protocol for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6613"/>
          <seriesInfo name="DOI" value="10.17487/RFC6613"/>
        </reference>
        <reference anchor="RFC6614">
          <front>
            <title>Transport Layer Security (TLS) Encryption for RADIUS</title>
            <author fullname="S. Winter" initials="S." surname="Winter"/>
            <author fullname="M. McCauley" initials="M." surname="McCauley"/>
            <author fullname="S. Venaas" initials="S." surname="Venaas"/>
            <author fullname="K. Wierenga" initials="K." surname="Wierenga"/>
            <date month="May" year="2012"/>
            <abstract>
              <t>This document specifies a transport profile for RADIUS using Transport Layer Security (TLS) over TCP as the transport protocol. This enables dynamic trust relationships between RADIUS servers. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6614"/>
          <seriesInfo name="DOI" value="10.17487/RFC6614"/>
        </reference>
        <reference anchor="RFC6973">
          <front>
            <title>Privacy Considerations for Internet Protocols</title>
            <author fullname="A. Cooper" initials="A." surname="Cooper"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <author fullname="B. Aboba" initials="B." surname="Aboba"/>
            <author fullname="J. Peterson" initials="J." surname="Peterson"/>
            <author fullname="J. Morris" initials="J." surname="Morris"/>
            <author fullname="M. Hansen" initials="M." surname="Hansen"/>
            <author fullname="R. Smith" initials="R." surname="Smith"/>
            <date month="July" year="2013"/>
            <abstract>
              <t>This document offers guidance for developing privacy considerations for inclusion in protocol specifications. It aims to make designers, implementers, and users of Internet protocols aware of privacy-related design choices. It suggests that whether any individual RFC warrants a specific privacy considerations section will depend on the document's content.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6973"/>
          <seriesInfo name="DOI" value="10.17487/RFC6973"/>
        </reference>
        <reference anchor="RFC7360">
          <front>
            <title>Datagram Transport Layer Security (DTLS) as a Transport Layer for RADIUS</title>
            <author fullname="A. DeKok" initials="A." surname="DeKok"/>
            <date month="September" year="2014"/>
            <abstract>
              <t>The RADIUS protocol defined in RFC 2865 has limited support for authentication and encryption of RADIUS packets. The protocol transports data in the clear, although some parts of the packets can have obfuscated content. Packets may be replayed verbatim by an attacker, and client-server authentication is based on fixed shared secrets. This document specifies how the Datagram Transport Layer Security (DTLS) protocol may be used as a fix for these problems. It also describes how implementations of this proposal can coexist with current RADIUS systems.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7360"/>
          <seriesInfo name="DOI" value="10.17487/RFC7360"/>
        </reference>
        <reference anchor="I-D.ietf-radext-tls-psk">
          <front>
            <title>Operational Considerations for RADIUS and TLS-PSK</title>
            <author fullname="Alan DeKok" initials="A." surname="DeKok">
              <organization>InkBridge Networks</organization>
            </author>
            <date day="21" month="January" year="2025"/>
            <abstract>
              <t>   This document provides implementation and operational considerations
   for using TLS-PSK with RADIUS/TLS (RFC6614) and RADIUS/DTLS
   (RFC7360).  The purpose of the document is to help smooth the
   operational transition from the use of the RADIUS/UDP to RADIUS/TLS.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-radext-tls-psk-12"/>
        </reference>
        <reference anchor="I-D.tomas-openroaming">
          <front>
            <title>WBA OpenRoaming Wireless Federation</title>
            <author fullname="Bruno Tomas" initials="B." surname="Tomas">
              <organization>Wireless Broadband Alliance, Inc.</organization>
            </author>
            <author fullname="Mark Grayson" initials="M." surname="Grayson">
              <organization>Cisco Systems</organization>
            </author>
            <author fullname="Necati Canpolat" initials="N." surname="Canpolat">
              <organization>Intel Corporation</organization>
            </author>
            <author fullname="Elizabeth A Cockrell" initials="B." surname="Cockrell">
              <organization>Independent</organization>
            </author>
            <author fullname="Sri Gundavelli" initials="S." surname="Gundavelli">
              <organization>Cisco Systems</organization>
            </author>
            <author fullname="Seb Adamski" initials="S." surname="Adamski">
              <organization>IronWiFi</organization>
            </author>
            <date day="12" month="June" year="2026"/>
            <abstract>
              <t>   This document describes the Wireless Broadband Alliance's OpenRoaming
   system.  The OpenRoaming architecture enables a seamless onboarding
   experience for devices connecting to access networks that are part of
   the federation of access networks and identity providers.  The
   primary objective of this document is to describe the protocols that
   form the foundation for this architecture, enabling providers to
   correctly configure their equipment to support interoperable
   OpenRoaming signalling exchanges.  In addition, the topic of
   OpenRoaming has been raised in different IETF working groups, and
   therefore a secondary objective is to assist those discussions by
   describing the federation organization and framework.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-tomas-openroaming-08"/>
        </reference>
        <reference anchor="I-D.josefsson-pppext-eap-tls-eap">
          <front>
            <title>Protected EAP Protocol (PEAP) Version 2</title>
            <author fullname="Ashwin Palekar" initials="A." surname="Palekar">
              <organization>Microsoft Corporation</organization>
            </author>
            <author fullname="Simon Josefsson" initials="S." surname="Josefsson">
              <organization>Extundo</organization>
            </author>
            <author fullname="Daniel Simon" initials="D." surname="Simon">
              <organization>Microsoft Corporation</organization>
            </author>
            <author fullname="Glen Zorn" initials="G." surname="Zorn">
              <organization>Cisco Systems</organization>
            </author>
            <date day="21" month="October" year="2004"/>
            <abstract>
              <t>The Extensible Authentication Protocol (EAP) provides support for
   multiple authentication methods. This document defines the Protected
   Extensible Authentication Protocol (PEAP) Version 2, which provides
   an encrypted and authenticated tunnel based on transport layer
   security (TLS) that encapsulates EAP authentication mechanisms.
   PEAPv2 uses TLS to protect against rogue authenticators, protect
   against various attacks on the confidentiality and integrity of the
   inner EAP method exchange and provide EAP peer identity privacy.
   PEAPv2 also provides support for chaining multiple EAP mechanisms,
   cryptographic binding between authentications performed by inner EAP
   mechanisms and the tunnel, exchange of arbitrary parameters (TLVs),
   and fragmentation and reassembly.
              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-josefsson-pppext-eap-tls-eap-10"/>
        </reference>
        <reference anchor="ASLEAP" target="https://github.com/joswr1ght/asleap">
          <front>
            <title>asleap - recovers weak LEAP and PPTP passwords</title>
            <author initials="J." surname="Wright" fullname="Joshua Wright">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="BLAST" target="33rd USENIX Security Symposium (USENIX Security 24), 2024, pp. 7429 - 7446.">
          <front>
            <title>RADIUS/UDP Considered Harmful</title>
            <author initials="" surname="Goldberg, S , et al" fullname="Golberg, Sharon, et. al">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="DATTACK" target="https://www.ietf.org/ietf-ftp/ietf-mail-archive/radius/1998-11.mail">
          <front>
            <title>CHAP and Shared Secret</title>
            <author initials="A." surname="DeKok" fullname="Alan DeKok">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="KAMATH">
          <front>
            <title>Microsoft EAP CHAP Extensions</title>
            <author initials="R. H. and A." surname="Palekar" fullname="Ryan Hurst and Ashwin Palekar">
              <organization/>
            </author>
            <date year="2007" month="June"/>
          </front>
        </reference>
        <reference anchor="MD5-1996" target="https://www.ietf.org/ietf-ftp/ietf-mail-archive/radius/1998-02">
          <front>
            <title>MD5 Key recovery attack</title>
            <author initials="I. R. W." surname="group" fullname="IETF RADIUS Working group">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="EDUROAM" target="https://eduroam.org">
          <front>
            <title>eduroam</title>
            <author initials="" surname="eduroam" fullname="eduroam">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="FILTER" target="https://community.jisc.ac.uk/library/janet-services-documentation/filtering-invalid-realms">
          <front>
            <title>Filtering of Invalid Realms</title>
            <author initials="J. I. S." surname="Committee" fullname="Joint Information Systems Committee">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="OPENROAMING" target="https://wballiance.com/openroaming/">
          <front>
            <title>OpenRoaming: One global Wi-Fi network</title>
            <author initials="W. B." surname="Alliance" fullname="Wireless Broadband Alliance">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="RFC5080">
          <front>
            <title>Common Remote Authentication Dial In User Service (RADIUS) Implementation Issues and Suggested Fixes</title>
            <author fullname="D. Nelson" initials="D." surname="Nelson"/>
            <author fullname="A. DeKok" initials="A." surname="DeKok"/>
            <date month="December" year="2007"/>
            <abstract>
              <t>This document describes common issues seen in Remote Authentication Dial In User Service (RADIUS) implementations and suggests some fixes. Where applicable, ambiguities and errors in previous RADIUS specifications are clarified. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5080"/>
          <seriesInfo name="DOI" value="10.17487/RFC5080"/>
        </reference>
        <reference anchor="RFC6218">
          <front>
            <title>Cisco Vendor-Specific RADIUS Attributes for the Delivery of Keying Material</title>
            <author fullname="G. Zorn" initials="G." surname="Zorn"/>
            <author fullname="T. Zhang" initials="T." surname="Zhang"/>
            <author fullname="J. Walker" initials="J." surname="Walker"/>
            <author fullname="J. Salowey" initials="J." surname="Salowey"/>
            <date month="April" year="2011"/>
            <abstract>
              <t>This document defines a set of vendor-specific RADIUS Attributes designed to allow both the secure transmission of cryptographic keying material and strong authentication of any RADIUS message. These attributes have been allocated from the Cisco vendor-specific space and have been implemented by multiple vendors. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6218"/>
          <seriesInfo name="DOI" value="10.17487/RFC6218"/>
        </reference>
        <reference anchor="RFC7930">
          <front>
            <title>Larger Packets for RADIUS over TCP</title>
            <author fullname="S. Hartman" initials="S." surname="Hartman"/>
            <date month="August" year="2016"/>
            <abstract>
              <t>The RADIUS-over-TLS experiment described in RFC 6614 has opened RADIUS to new use cases where the 4096-octet maximum size limit of a RADIUS packet proves problematic. This specification extends the RADIUS-over-TCP experiment (RFC 6613) to permit larger RADIUS packets. This specification compliments other ongoing work to permit fragmentation of RADIUS authorization information. This document registers a new RADIUS code, an action that required IESG approval.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7930"/>
          <seriesInfo name="DOI" value="10.17487/RFC7930"/>
        </reference>
        <reference anchor="RFC5997">
          <front>
            <title>Use of Status-Server Packets in the Remote Authentication Dial In User Service (RADIUS) Protocol</title>
            <author fullname="A. DeKok" initials="A." surname="DeKok"/>
            <date month="August" year="2010"/>
            <abstract>
              <t>This document describes a deployed extension to the Remote Authentication Dial In User Service (RADIUS) protocol, enabling clients to query the status of a RADIUS server. This extension utilizes the Status-Server (12) Code, which was reserved for experimental use in RFC 2865. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5997"/>
          <seriesInfo name="DOI" value="10.17487/RFC5997"/>
        </reference>
        <reference anchor="RFC6929">
          <front>
            <title>Remote Authentication Dial In User Service (RADIUS) Protocol Extensions</title>
            <author fullname="A. DeKok" initials="A." surname="DeKok"/>
            <author fullname="A. Lior" initials="A." surname="Lior"/>
            <date month="April" year="2013"/>
            <abstract>
              <t>The Remote Authentication Dial-In User Service (RADIUS) protocol is nearing exhaustion of its current 8-bit Attribute Type space. In addition, experience shows a growing need for complex grouping, along with attributes that can carry more than 253 octets of data. This document defines changes to RADIUS that address all of the above problems.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6929"/>
          <seriesInfo name="DOI" value="10.17487/RFC6929"/>
        </reference>
        <reference anchor="RFC8559">
          <front>
            <title>Dynamic Authorization Proxying in the Remote Authentication Dial-In User Service (RADIUS) Protocol</title>
            <author fullname="A. DeKok" initials="A." surname="DeKok"/>
            <author fullname="J. Korhonen" initials="J." surname="Korhonen"/>
            <date month="April" year="2019"/>
            <abstract>
              <t>RFC 5176 defines Change-of-Authorization (CoA) and Disconnect Message (DM) behavior for RADIUS. RFC 5176 also suggests that proxying these messages is possible, but it does not provide guidance as to how that is done. This specification updates RFC 5176 to correct that omission for scenarios where networks use realm-based proxying as defined in RFC 7542. This specification also updates RFC 5580 to allow the Operator-Name attribute in CoA-Request and Disconnect-Request packets.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8559"/>
          <seriesInfo name="DOI" value="10.17487/RFC8559"/>
        </reference>
        <reference anchor="RFC2548">
          <front>
            <title>Microsoft Vendor-specific RADIUS Attributes</title>
            <author fullname="G. Zorn" initials="G." surname="Zorn"/>
            <date month="March" year="1999"/>
            <abstract>
              <t>This document describes the set of Microsoft vendor-specific RADIUS attributes. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2548"/>
          <seriesInfo name="DOI" value="10.17487/RFC2548"/>
        </reference>
        <reference anchor="RFC8446">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="RFC9257">
          <front>
            <title>Guidance for External Pre-Shared Key (PSK) Usage in TLS</title>
            <author fullname="R. Housley" initials="R." surname="Housley"/>
            <author fullname="J. Hoyland" initials="J." surname="Hoyland"/>
            <author fullname="M. Sethi" initials="M." surname="Sethi"/>
            <author fullname="C. A. Wood" initials="C. A." surname="Wood"/>
            <date month="July" year="2022"/>
            <abstract>
              <t>This document provides usage guidance for external Pre-Shared Keys (PSKs) in Transport Layer Security (TLS) 1.3 as defined in RFC 8446. It lists TLS security properties provided by PSKs under certain assumptions, then it demonstrates how violations of these assumptions lead to attacks. Advice for applications to help meet these assumptions is provided. This document also discusses PSK use cases and provisioning processes. Finally, it lists the privacy and security properties that are not provided by TLS 1.3 when external PSKs are used.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9257"/>
          <seriesInfo name="DOI" value="10.17487/RFC9257"/>
        </reference>
        <reference anchor="RFC9190">
          <front>
            <title>EAP-TLS 1.3: Using the Extensible Authentication Protocol with TLS 1.3</title>
            <author fullname="J. Preuß Mattsson" initials="J." surname="Preuß Mattsson"/>
            <author fullname="M. Sethi" initials="M." surname="Sethi"/>
            <date month="February" year="2022"/>
            <abstract>
              <t>The Extensible Authentication Protocol (EAP), defined in RFC 3748, provides a standard mechanism for support of multiple authentication methods. This document specifies the use of EAP-TLS with TLS 1.3 while remaining backwards compatible with existing implementations of EAP-TLS. TLS 1.3 provides significantly improved security and privacy, and reduced latency when compared to earlier versions of TLS. EAP-TLS with TLS 1.3 (EAP-TLS 1.3) further improves security and privacy by always providing forward secrecy, never disclosing the peer identity, and by mandating use of revocation checking when compared to EAP-TLS with earlier versions of TLS. This document also provides guidance on authentication, authorization, and resumption for EAP-TLS in general (regardless of the underlying TLS version used). This document updates RFC 5216.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9190"/>
          <seriesInfo name="DOI" value="10.17487/RFC9190"/>
        </reference>
        <reference anchor="RFC5281">
          <front>
            <title>Extensible Authentication Protocol Tunneled Transport Layer Security Authenticated Protocol Version 0 (EAP-TTLSv0)</title>
            <author fullname="P. Funk" initials="P." surname="Funk"/>
            <author fullname="S. Blake-Wilson" initials="S." surname="Blake-Wilson"/>
            <date month="August" year="2008"/>
            <abstract>
              <t>EAP-TTLS is an EAP (Extensible Authentication Protocol) method that encapsulates a TLS (Transport Layer Security) session, consisting of a handshake phase and a data phase. During the handshake phase, the server is authenticated to the client (or client and server are mutually authenticated) using standard TLS procedures, and keying material is generated in order to create a cryptographically secure tunnel for information exchange in the subsequent data phase. During the data phase, the client is authenticated to the server (or client and server are mutually authenticated) using an arbitrary authentication mechanism encapsulated within the secure tunnel. The encapsulated authentication mechanism may itself be EAP, or it may be another authentication protocol such as PAP, CHAP, MS-CHAP, or MS-CHAP-V2. Thus, EAP-TTLS allows legacy password-based authentication protocols to be used against existing authentication databases, while protecting the security of these legacy protocols against eavesdropping, man-in-the-middle, and other attacks. The data phase may also be used for additional, arbitrary data exchange. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5281"/>
          <seriesInfo name="DOI" value="10.17487/RFC5281"/>
        </reference>
        <reference anchor="RFC5931">
          <front>
            <title>Extensible Authentication Protocol (EAP) Authentication Using Only a Password</title>
            <author fullname="D. Harkins" initials="D." surname="Harkins"/>
            <author fullname="G. Zorn" initials="G." surname="Zorn"/>
            <date month="August" year="2010"/>
            <abstract>
              <t>This memo describes an Extensible Authentication Protocol (EAP) method, EAP-pwd, which uses a shared password for authentication. The password may be a low-entropy one and may be drawn from some set of possible passwords, like a dictionary, which is available to an attacker. The underlying key exchange is resistant to active attack, passive attack, and dictionary attack. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5931"/>
          <seriesInfo name="DOI" value="10.17487/RFC5931"/>
        </reference>
        <reference anchor="RFC7593">
          <front>
            <title>The eduroam Architecture for Network Roaming</title>
            <author fullname="K. Wierenga" initials="K." surname="Wierenga"/>
            <author fullname="S. Winter" initials="S." surname="Winter"/>
            <author fullname="T. Wolniewicz" initials="T." surname="Wolniewicz"/>
            <date month="September" year="2015"/>
            <abstract>
              <t>This document describes the architecture of the eduroam service for federated (wireless) network access in academia. The combination of IEEE 802.1X, the Extensible Authentication Protocol (EAP), and RADIUS that is used in eduroam provides a secure, scalable, and deployable service for roaming network access. The successful deployment of eduroam over the last decade in the educational sector may serve as an example for other sectors, hence this document. In particular, the initial architectural choices and selection of standards are described, along with the changes that were prompted by operational experience.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7593"/>
          <seriesInfo name="DOI" value="10.17487/RFC7593"/>
        </reference>
        <reference anchor="RFC7585">
          <front>
            <title>Dynamic Peer Discovery for RADIUS/TLS and RADIUS/DTLS Based on the Network Access Identifier (NAI)</title>
            <author fullname="S. Winter" initials="S." surname="Winter"/>
            <author fullname="M. McCauley" initials="M." surname="McCauley"/>
            <date month="October" year="2015"/>
            <abstract>
              <t>This document specifies a means to find authoritative RADIUS servers for a given realm. It is used in conjunction with either RADIUS over Transport Layer Security (RADIUS/TLS) or RADIUS over Datagram Transport Layer Security (RADIUS/DTLS).</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7585"/>
          <seriesInfo name="DOI" value="10.17487/RFC7585"/>
        </reference>
        <reference anchor="RFC7542">
          <front>
            <title>The Network Access Identifier</title>
            <author fullname="A. DeKok" initials="A." surname="DeKok"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>In order to provide inter-domain authentication services, it is necessary to have a standardized method that domains can use to identify each other's users. This document defines the syntax for the Network Access Identifier (NAI), the user identifier submitted by the client prior to accessing resources. This document is a revised version of RFC 4282. It addresses issues with international character sets and makes a number of other corrections to RFC 4282.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7542"/>
          <seriesInfo name="DOI" value="10.17487/RFC7542"/>
        </reference>
        <reference anchor="RFC2194">
          <front>
            <title>Review of Roaming Implementations</title>
            <author fullname="B. Aboba" initials="B." surname="Aboba"/>
            <author fullname="J. Lu" initials="J." surname="Lu"/>
            <author fullname="J. Alsop" initials="J." surname="Alsop"/>
            <author fullname="J. Ding" initials="J." surname="Ding"/>
            <author fullname="W. Wang" initials="W." surname="Wang"/>
            <date month="September" year="1997"/>
            <abstract>
              <t>This document reviews the design and functionality of existing roaming implementations. Examples of cases where roaming capability might be required include ISP "confederations" and ISP-provided corporate network access support. This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2194"/>
          <seriesInfo name="DOI" value="10.17487/RFC2194"/>
        </reference>
        <reference anchor="RFC4372">
          <front>
            <title>Chargeable User Identity</title>
            <author fullname="F. Adrangi" initials="F." surname="Adrangi"/>
            <author fullname="A. Lior" initials="A." surname="Lior"/>
            <author fullname="J. Korhonen" initials="J." surname="Korhonen"/>
            <author fullname="J. Loughney" initials="J." surname="Loughney"/>
            <date month="January" year="2006"/>
            <abstract>
              <t>This document describes a new Remote Authentication Dial-In User Service (RADIUS) attribute, Chargeable-User-Identity. This attribute can be used by a home network to identify a user for the purpose of roaming transactions that occur outside of the home network. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4372"/>
          <seriesInfo name="DOI" value="10.17487/RFC4372"/>
        </reference>
        <reference anchor="RFC8018">
          <front>
            <title>PKCS #5: Password-Based Cryptography Specification Version 2.1</title>
            <author fullname="K. Moriarty" initials="K." role="editor" surname="Moriarty"/>
            <author fullname="B. Kaliski" initials="B." surname="Kaliski"/>
            <author fullname="A. Rusch" initials="A." surname="Rusch"/>
            <date month="January" year="2017"/>
            <abstract>
              <t>This document provides recommendations for the implementation of password-based cryptography, covering key derivation functions, encryption schemes, message authentication schemes, and ASN.1 syntax identifying the techniques.</t>
              <t>This document represents a republication of PKCS #5 v2.1 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series. By publishing this RFC, change control is transferred to the IETF.</t>
              <t>This document also obsoletes RFC 2898.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8018"/>
          <seriesInfo name="DOI" value="10.17487/RFC8018"/>
        </reference>
      </references>
    </references>
    <?line 932?>

<section anchor="best-practice-checklist">
      <name>Best Practice Checklist</name>
      <t>In the interest of simplifying the above explanations, this section provides a short-form checklist of recommendations.  Following this checklist does not guarantee that RADIUS systems are secure from all possible attacks.  However, systems which do not follow this checklist are likely to be vulnerable to known attacks, and are therefore less secure than they could be.</t>
      <ul empty="true">
        <li>
          <ul spacing="normal">
            <li>
              <t>Do not use RADIUS/UDP or RADIUS/TCP across the wider Internet</t>
            </li>
          </ul>
          <t>Exposing user identifiers, device identifiers, and locations is a privacy and security issue.</t>
        </li>
      </ul>
      <ul empty="true">
        <li>
          <ul spacing="normal">
            <li>
              <t>Avoid RADIUS/UDP or RADIUS/TCP in other networks, too.</t>
            </li>
          </ul>
          <t>It can take time to upgrade equipment, but the long-term goal is to entirely deprecate RADIUS/UDP.</t>
        </li>
      </ul>
      <ul empty="true">
        <li>
          <ul spacing="normal">
            <li>
              <t>Implement the BlastRADIUS mitigations</t>
            </li>
          </ul>
          <t>Both Implementers and administrators should implement the mitigations in order to secure Access-Request packets.</t>
        </li>
      </ul>
      <ul empty="true">
        <li>
          <ul spacing="normal">
            <li>
              <t>Use strong shared secrets</t>
            </li>
          </ul>
          <t>Shared secrets should be generated from a cryptographically strong pseudo-random number generator.  They should contain at least 128 bits of entropy.  Each RADIUS client should have a unique shared secret.</t>
        </li>
      </ul>
      <ul empty="true">
        <li>
          <ul spacing="normal">
            <li>
              <t>Minimize the use of RADIUS proxies.</t>
            </li>
          </ul>
          <t>More proxies means more systems which could be compromised, and more systems which can see private or secret data.</t>
        </li>
      </ul>
      <ul empty="true">
        <li>
          <ul spacing="normal">
            <li>
              <t>Do not proxy from secure to insecure transports</t>
            </li>
          </ul>
          <t>If user information (credentials or identities) is received over a secure transport (IPsec, RADIUS/TLS, TLS-based EAP method), then proxying the protected data over RADIUS/UDP or RADIUS/TCP degrades security and privacy.</t>
        </li>
      </ul>
      <ul empty="true">
        <li>
          <ul spacing="normal">
            <li>
              <t>Prefer EAP authentication methods to non-EAP methods.</t>
            </li>
          </ul>
          <t>EAP authentication methods are better at hiding user credentials from observers.</t>
        </li>
      </ul>
      <ul empty="true">
        <li>
          <ul spacing="normal">
            <li>
              <t>For EAP, use anonymous outer identifiers</t>
            </li>
          </ul>
          <t>There are few reasons to use individual identities for EAP.  Identifying the realm is usually enough.</t>
          <t><xref target="RFC7542"/> Section 2.4 recommends that "@realm" is preferable to "anonymous@realm", which is in turn preferable to "user@realm".</t>
        </li>
      </ul>
      <ul empty="true">
        <li>
          <ul spacing="normal">
            <li>
              <t>Prefer using PAP over CHAP or MS-CHAP.</t>
            </li>
          </ul>
          <t>PAP allows for credentials to be stored securely "at rest" in a user database.  CHAP and MS-CHAP do not.</t>
        </li>
      </ul>
      <ul empty="true">
        <li>
          <ul spacing="normal">
            <li>
              <t>Do not use MS-CHAP outside of TLS-based EAP methods such as PEAP or TTLS.</t>
            </li>
          </ul>
          <t>MS-CHAP can be cracked with minimal effort.  The attack has been available for two decades.</t>
        </li>
      </ul>
      <ul empty="true">
        <li>
          <ul spacing="normal">
            <li>
              <t>Store passwords in "crypt"ed form</t>
            </li>
          </ul>
          <t>Where is is necessary to store passwords, use systems such as PBKDF2 (<xref target="RFC8018"/>.</t>
        </li>
      </ul>
      <ul empty="true">
        <li>
          <ul spacing="normal">
            <li>
              <t>Regularly update to the latest cryptographic methods.</t>
            </li>
          </ul>
          <t>TLS 1.0 with RC4 was acceptable at one point in time.  It is no longer acceptable.  Similarly, the current cryptographic methods will at some point will be deprecated, and replaced by updated methods.  Upgrading to recent cryptographic methods should be a normal part of operating a RADIUS server.</t>
        </li>
      </ul>
      <ul empty="true">
        <li>
          <ul spacing="normal">
            <li>
              <t>Regularly deprecate older cryptographic methods.</t>
            </li>
          </ul>
          <t>Administrators should actively deprecate the use of older cryptographic methods.  If no system is using older methods, then those methods should be disabled or removed entirely.  Leaving old methods enabled makes the server more vulnerable to attacks.</t>
        </li>
      </ul>
      <ul empty="true">
        <li>
          <ul spacing="normal">
            <li>
              <t>Send the minimum amount of information which is needed,.</t>
            </li>
          </ul>
          <t>Where proxying is used, it is a common practice is to simply forward all of the information from a NAS to other RADIUS servers.  Instead, the proxy closest to the NAS should filter out any attributes or data which are not needed by the "next hop" proxies, or by the home server.</t>
        </li>
      </ul>
    </section>
    <section anchor="blastradius-mitigations">
      <name>BlastRADIUS Mitigations</name>
      <section anchor="implementor-checklist">
        <name>Implementor Checklist</name>
        <t>The following list outlines the requirements on client implementations, and references the prior sections which contain the normative text.  The intent is to give readers a short checklist which lets them quickly validate that their implementations are correct.  While the following list does not contain normative text (in order to avoid potential conflict or confusion), the reader should follow the references below to verify that the behavior described below is truly normative.</t>
        <ul spacing="normal">
          <li>
            <t>clients include Message-Authenticator in all Access-Request packets,
<xref target="client-access-request"/>  </t>
            <ul spacing="normal">
              <li>
                <t>clients can place Message-Authenticator as the first attribute in
all Access-Request packets, but this placement is not required for
security.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>clients validate the contents of Message-Authenticator in all
packets that they receive, <xref section="5.14" sectionFormat="comma" target="RFC2869"/></t>
          </li>
          <li>
            <t>clients do not check the location of Message-Authenticator in any
response packet that they receive, <xref target="client-responses"/></t>
          </li>
          <li>
            <t>clients do not discard packets which contain unknown attributes,
<xref target="unknown-attributes"/></t>
          </li>
          <li>
            <t>clients implement a boolean configuration flag "require
Message-Authenticator", <xref target="new-configuration-flags"/>  </t>
            <ul spacing="normal">
              <li>
                <t>If set to "false", clients do not take any additional steps.</t>
              </li>
              <li>
                <t>if set to "true", clients discard all responses to Access-Request
packets which do not contain Message-Authenticator.  This discard
happens before the Response Authenticator or Message-Authenticator
are validated.</t>
              </li>
            </ul>
          </li>
        </ul>
        <t>The following list outlines requirements on server implementations, with the same explanations and caveats given above for the list of requirements on client implementations.</t>
        <ul spacing="normal">
          <li>
            <t>servers validate the contents of Message-Authenticator in all
packets that they receive, <xref target="server-access-request"/></t>
          </li>
          <li>
            <t>server do take check the location of Message-Authenticator in any
request packet that they receive, <xref target="server-responses"/></t>
          </li>
          <li>
            <t>servers do not discard packets which contain unknown attributes,
<xref target="unknown-attributes"/></t>
          </li>
          <li>
            <t>servers implement a boolean configuration flag "require
Message-Authenticator", <xref target="new-configuration-flags"/>  </t>
            <ul spacing="normal">
              <li>
                <t>If set to "false", servers implement checks for the "limit
Proxy-State" flag.</t>
              </li>
              <li>
                <t>if set to "true", servers discard all Access-Request packets which
do not contain a Message-Authenticator attribute.  This discard
happens before the Request Authenticator or Message-Authenticator
are validated.  Servers then do not implement the checks for the
"limit Proxy-State" flag.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>servers implement a boolean configuration flag "limit Proxy-State",
<xref target="new-configuration-flags"/> and <xref target="limit-proxy-state"/>.  </t>
            <ul spacing="normal">
              <li>
                <t>servers check this flag only when the "require
Message-Authenticator" flag is set to "false".</t>
              </li>
              <li>
                <t>If set to "false", servers take no further action.</t>
              </li>
              <li>
                <t>If set to "true", servers discard all Access-Request packets which
do not contain Message-Authenticator, and which also contain one
or more Proxy-State attributes.  This discard happens before the
Request Authenticator or Message-Authenticator are validated.</t>
              </li>
            </ul>
          </li>
          <li>
            <t>servers include Message-Authenticator in all responses to
Access-Request packets, <xref target="server-responses"/></t>
          </li>
          <li>
            <t>servers include Message-Authenticator in all Access-Accept,
Access-Reject, Access-Challenge, and Protocol-Error packets,
<xref target="server-responses"/> and <xref target="status-server"/></t>
          </li>
          <li>
            <t>servers place Message-Authenticator as the first attribute in all
responses to Access-Request packets, and in all Access-Accept,
Access-Reject, and Access-Challenge packets, <xref target="server-responses"/>.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="administrator-upgrade-process">
      <name>Administrator Upgrade Process</name>
      <t>The preceding sections define requirements for client and server implementations which address the BlastRADIUS attack.
   It is useful to also provide guidelines for administrators as to how, and when, to set the new configuration flags.  The guidelines provided in this section are a suggestion only.  Administrators are free to take other actions as they see fit.</t>
      <t>The guidelines provided here are known to provide minimal outages while upgrading complex systems.  As such, it is RECOMMENDED that administrators follow the steps outlined here, in order, so that RADIUS systems can be upgraded with minimal impact to operational networks.</t>
      <ol spacing="normal" type="1"><li>
          <t>Administrators SHOULD upgrade servers before upgrading clients.  There are many fewer clients than servers, and upgrading servers can often protect clients which are not upgraded.</t>
        </li>
        <li>
          <t>Administrators SHOULD configure servers to set "limit Proxy-State" to "true" for all clients which are NASes.  i.e. clients which are not proxies.</t>
        </li>
        <li>
          <t>Administrators of servers which proxy packets SHOULD verify that all "next hop" proxies have been upgraded, and that they return Message-Authenticator in all responses to Access-Request packets.</t>
        </li>
        <li>
          <t>Once step (3) has been validated, administrators SHOULD configure their proxy so that the outgoing client configuration sets the "require Message-Authenticator" flag to "true".</t>
        </li>
        <li>
          <t>Administrators of servers which receive proxied packets (i.e. packets not from a NAS) SHOULD configure the server to set the the "require Message-Authenticator" flag to "true" for each client which is an upgraded proxy.</t>
        </li>
      </ol>
      <t>Once the above five steps are followed, the network should be secure, and any client upgrade and configuration can be done over time.</t>
      <t>For client upgrades, administrators can proceed with the following steps:</t>
      <ol spacing="normal" type="1"><li>
          <t>Administrators SHOULD upgrade clients individually, i.e. one at a time. Upgrading multiple clients at the same time is NOT RECOMMENDED.</t>
        </li>
        <li>
          <t>Once a client has been upgraded, administrators SHOULD verify that it sends Message-Authenticator in all Access-Request packets.</t>
        </li>
        <li>
          <t>Once step (2) has been validated, administrators SHOULD configure each server that receives packets from that client to set the "require Message-Authenticator" flag to "true" for that client.</t>
        </li>
        <li>
          <t>If a server has been updated, administrators SHOULD verify that it sends Message-Authenticator as the first attribute in all responses to Access-Request packets.</t>
        </li>
        <li>
          <t>Once step (4) has been validated, administrators SHOULD configure each client receiving packets from that server to set the "require Message-Authenticator" flag to "true" for that server.</t>
        </li>
      </ol>
      <t>Once all of the above steps are followed for all clients and servers, the network is secure from the BlastRADIUS attack.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIADjMR2oAA+2963LcSJYm+J9PgWXaTIndEZSoe2q3q5spKSs5pQtXVHZ2
29jYGiICQSKFAKIABKmonFzrB5k122fZR+kn2XP34w6AYmZl9fSudZlVlUgC
Dr8cP/fznfl8ftCXfVW8yF4V27ZY5n1ZX2ZndVcsd22Rnbf5si+XRZeVdfbh
9NXZ9xcH+WLRFtcTL8gzq2ZZ5xsYddXm635eFv163uar4nM/X4XX8Fflrpuf
PDjYbVd5X3QvsofPnz6Z4f8+nWVPTp7B/z578vzJwUHX5/Xq/8irpoZR+3ZX
HJTblv7V9Q8fPPj6wcODvC3yFzCVvmjroj+4uXyB03n9Tx+zH5r2E07zD22z
2x58uglPzV/hBA9gPi+yrl8ddLvFpuy6sqk/7rfwpbPXH789ONiWLzL4z1fZ
Mq+zXVdkedvm++xeuc7yqsr2RXeUNW12lXdX2VXRFgdZ1jfLF/gH+GfXtH1b
rLsXNMSqWOe7qu/gCf37fsN/xh8P8l1/1bQvDg7msOfwy9Nj2Ok/Np/gQd7S
0womob9q2ktczKdv2nJ1WWTviv4G1oqjFpu8rF7A/GDf/qGsPy3oiVoeOF42
m4ODumk3cBLXxQt44cO3L5+fPHss/8RzkH8+ffzwRB948JgeOJu/OvaHyge5
6qtuvig7fWJVfGo+2SPFdVncyJOwvLJeJ18/eWTfefj40SP957MnX4c5PQ3/
fB7+qQ88evJM/4m0o/988vyBLuXkiX7i6dOTR+GfuuynXz/T3z579PTB2Fpx
kdvuk/6pbzZ5N2+2Rd02+QaoTP/wY9PBqXZNPd9ut/hikW/pZfh/fOb04s3r
03P8F/xHLuFh3lXw52yewR1prou2y26K/FOGT2ZwkNn5+cfzbJt3HZziqjvk
l5VkMv4Pk8l/abqrXZ790JaXVz3/iTfcnvv4Tx9fZFd9v+1e3L9/WfZXuwWS
xX2Y+E17Am/d59nA89+8Ob34mEyVr/r971+dZy+buitXQPir7Lu83ax31fjM
iKD/0FSrRdFezrKL41lW9MdAo/HU4Ql54Cpvmzp+aGwR2aNH7Sr7/uL1u7N/
yi6QE5X9PrvYb7ZNV+422b30Tw8fHwGTefDw8Szbbo+zZ48ffg17/uzx46fH
MPCr048fT1/+MVnvy+/kDHBWsFIYrC36244guqlTU9cDuLm5ITI7hit9n+ht
3W/5H3iT53m7vIK7cp8v0P2Tr79+Pj85Oca/wYB/PH17+vG7ZMZvy2XbdM26
z5B8aP6vP/dFjexNaQfZLhDLri5gPx48u2U1H/awmu92bdfTLpx2VzcgFM7z
qviUt/Do21dP5jCrp+kkXj3J/ljslaD3Wd73+fLTbfuGTFckibHuS2Ldf51t
BNmRZa9fff/h/enbZPbFaofX+rbZyiN3mJs8iVODB749e/Px9Yfke9+WFQgm
XHCzBr5+nVflKvtQ5NXmC5e9rHt4XlhqUwPxd32x6eBqbjZl3xfFHeYHl3+z
q+F+HP9YdsvjfHm8+3S/Khdt3u7v/5ijuOyK9hr1gTlI+N2mqHv62v21Tnte
8pyB3eOc4Tvvz1+/w409e/eHZK3vgWd+EJ6ZvQcCvKyaRV5lP5Tzb8tMJNVt
q/6hbIuq6LrsG9jW1YKosqrKvF7eZbU38C1+mLie4+D3Dw6ui3pHconoThUJ
+JmlKouCf1BCw+eIf77I1m1RCG0NNZ1jeAoE+3ye5YuuR93q4EDofNnut30z
zy/LChnUTd5l6xLv2gaWBXd0leFvdj0qWbgv2WKPQipD4XwMS7sqsmbXw0IK
pJz+Ku/5MRyohz9ud4uqXDJtwAPyVbyR2cc3F9k9Ggvk4BFdbv/nV/Z3lIhH
OI/i8xZOm46/ypQSOpoGCD1QyvK624LWk23bBhShpupAN7ouskVR1KhJ3oCw
mHewO/mK1Ck4J1znHjSgvCVdM6dnYJ/rS1qQ6i0zmh4NBnsLX632PCrph3m7
Kv8MWwUD/PTT7TrKzz/jdGFloLThNOHAUSNbgG6HUwIRBh/YVvkSl0YTREFH
24CqEW/Tx5fntnOPjsK6cSt+AILgc/hUNzdVAcrXjE5i2dRAEruClw5rK1V5
Du/TB+UQcIJw7cpm19FH6+KStKas3Gz1SPmFbVte58s9PdWJqDs+OPg4PH6c
x+E3Vd71/JFDPNKqKXv6Wl51TdZdNTc1L0AmokPCDIpVJ7vFivsKFnzWZ2WX
1U0GOvol0E2+XBbbPl9UhV8NvAWXdp/BPFAy4F9sqreOAS92BSxsVSADQnW7
amRBpeN7cPRLUFrarIczh/dBAPIFQHpqTe8nWoVPKfHiI6CEN3AKem3B6CGa
tOPZDo0hJke5onBMuy2Rva2qQBKbL/IOTjvciirfg2YHU/hQVHS1bWfB9NjB
ODdIO7JhOU4J2PGug0H4eyhKNzDrlZw9PrIBIhci0FneXJXLK5grqCkwgWzR
wKD2JRxH6OWYWdKmXK2q4uDgK9yktlntljj6wYEQ8oCGvnzDmN5/+klsiJ9/
ZpYEryfcDs8czgzFHqxsWxX4DeFqsg3KSYA4bphIs/TW6II7YwbdHJnsJz3s
blssy7UuIZy4fLMQQqE5rqN5A7N13DyQBNzgLrDTGW52tVvhI047Dgz1PjAM
upCDyRgJ1cUNXCtgcCWcZXxv8tWqLYiakckyqcyyTQNCom7wkuxp/u5aZ9e7
qgZxtOBt/ukn0uOJ9Z3RBsCE4T4UMAIs4lNRbHHqfXQxOmQzzLq6IswTae6y
RK5JxApis9yAMEA2kte0JljoV19l769RY4BFBaFz4WnwnGmQuRQKBLik+HkQ
7Uu8GrBuJrRpYxLOBzcqhyPqQToXeEH0k8LrxsheL5tdZiITYHe2dFoMnDUN
sQBCQmUABoDzKeH/8Le2H2Ud79tMqBFFC3Ae+EPRlZdw0A3wbiXAnNgdORxg
39dts+FBItoYPyweF1/rUOb/uOv6QE0jkyl0JrBPi7Ys1iTcaZvwHoiYSC8b
3QGUd3h3TSVJZS0o0c+QQJrdJVw/kF5t08D/Xja0adlmB/sA17sq4WzhPOHx
R3K57UN0kVAg0BfREwBfRJoHvQ8WgAsreKVbGLJA98l+W4g6AM81i/Wuo4eW
RQtUUKOZ0ZaLHbNlmADM/nsQo/NzMZ5hBqdwd8E8LmtQBPdyQMhjT0HqdN38
Q/GnHe62fvEG9inDyZAA29V+bsKZl82uQvoAplRelzQssKZmDft0T/fy6xne
ADqnZ8e4THyR/ojui/DHx8ePjh/+/PORHI3wHCRiOH7cqnAgcP35JFoUKERb
jZ4ln8/TjDleZFvdeNuKNFv8qSphxJ9+UnMO2TiTMqkFJorgyPBptAnfnr5E
rQY0WpAZ+GmTOU60/3AFVxOog6aN8gsmZJoRnBbNrgelkqUG00sXbmOBuwvK
elvD/uKX27zEaeQL0Hunjow2Hx/Gj8oOfHnxvGXPYRPEE8DKIt4TGqjbLfAK
9HDAoJK3KEh0X1ge05TwWxXSP6l4fXFJZ7e8KpafZC6waPoeqdn4eI06yxqu
JOnBE2p9+JIp96sCFlmqYH4LO5FfFvPTQJ/IHlF7zJotPgXzxkMTxcRuCuvN
Ayp9cnzyGHZAFEnaWWS4l2jMEw9lSow3gunx4YMHj23UhLyRsJD080u8rvzw
M37479Fr9+D5g/D0w+OHeBlkS2D3+0KvgV0LnAUPFs2B5fjJk5NAyfQ+8Wwb
/8XBwe9puCn984aOH3gVHBm+AYy4RCpYoiiGn/60K9ErpLxmBXwFrSPkKTla
bR1tYN7zx0m+VCzfUvVayJtkmF8CqCJhQx7hauDQcLLGRZdXaC8JpyKNkO4V
/g9crAl6EmGptER6c8lXpUUnco0iOdaHdB/xltPFjNU52QwyCp0OI98f06+E
J5AWdlfz7eDgFPjeFekLRIROaS47XhspR948uMdb1gcf6hEpjHgch7Jqsh8O
VWlUfZqUzmZxTXaYqRDOBJPlgTqQB02UdWYQA/k1cBgiJNM3RFskQgwzVAJC
FwfIN+Stovjhj2rzdOgUXR4H1lw1NzjOCsTOagecWswz0n9hS2MlbQ2f62W+
QecCbZhcuKRyiS9cL6lpJCjS/AOOTYgeZlpYYFQmpkdeeyqvpUYNcUikL5h2
X17KHh8c/P/QzMQY0qRJERmY+AXxGnzZvkRT7mPRwqk3VXMpKvanYp8R3WeH
b7+/+Hg44//P3r2nf394/b9/f/bh9Sv898V3p2/e2D8O5ImL795//+ZV+Fd4
8+X7t29fv3vFL8Nvs+hXB4dvT//5kNdz+P7849n7d6dvDgeqKhkWTLuk7sIm
sfPrAC7KEuQU84dvXp7/P//3yWMgqP8F5dXJyddARvwDBrGQpYDs4681NRAC
/wj7tz/It1s8OdQRYeOX+RYZNaqSnTg9WCH+3/4eNIIimz/9+98fHBz8jYY2
QUyQplyAJl9kTsYiWbwClWAO2jpqmkDh5Cs19kxfIFHtuDor1zP74aneOPoF
RrFQQwRl6TIjZofH+jfOusT5eG8dUgh9/RXwocs234CFJdLBvo4KynXhBwK7
dGygj0ZSLxv0CVRhML7JT0+AQ/hx3lzcPs4bJM1gAW7T4R5Hw72aGM/W9uWB
eWT0XMrI+QoewkFflyQ8wswzYx/0YdofmcCdFkEvvDulFyQQK3opkULRzoJc
yHVNS9By655efXsxxxgNKSIWuXl5BURaAJeafwdU0V3lnwpvFDFzDWSFjE7G
uT4JRPb4EXFy/cvD8JdnT75Wint9ej5/eyEP/PQTh5Rw14CggWOw8bYgByaq
PnhZb9Q31Ac+Y7JdSTu+33qNmZmpwh7pqjP4New0cMT09zjNSfX2EHUtUJ0O
2VvFJoByYD9B4v39YB2bZoXWBSszQF5bOCx6r2NNiw0eVjn8cGb0gSEPMoGM
8p5lyxyfM3GP+g2ZMqbbB+EL6siOhC+qLSCZRiezKcDIXrHzZdepWA/MgFj+
7YkcLAW6ptqpnZjX3sUp14YJlWQRHF/bs2t+3lQrPyXaShjCZJkJKBvRP21q
gMiziR3Xe2ZuO9EUnMQccZnPbpOS/rFmDXpMKSa/jShXg/yQqOLc4KqWOWpn
+brHM2LLddE2n1SwrMVzsKwaEtpi9HnF9o6aMbnKJl2GdN56rMVKY0ZjT6os
J9c8UghMCkPzbi8sBSTLTpPf4XE2dRHY1KIA9nTNOiGM2OXrgt1URX5ddKu2
AVHaouikmC79E9XSLPsW1lZ8ztl1WK6zs3P4Eo5Ik1rA5zBog7vccaCSZHMt
vk35HZzong7SrTfwaFyuSQQeH250zcQCO/pdc1MQ081XqPhivA0YBcl4vK/I
AfDSbQq+c6R3E8HjbufVTb7vZHtwp2pbI+wObAbc3E9Ih3iB4JRL5EOVTFw4
As6chs5ZCMCjZGmpitrmSIlyKa52HQWfRAfljwHRwbcvyg2YDkCV8KidFPAa
WO26vNy1rHrwN8FO2FVmv8VfEsOSbB3aOH/zZVzYt3cFC0Y3AAsp2LLotx0J
NdAmhf3lN7hzQGgYNZmc573i+PLYrBye9RWqZOJJppM8gmX/NvOwU+vqpiH3
dlNP05Ps1DHJPAzUtXlHrlyYHWsOSsMzPwMwGLYYgRfase+DepmEdsRNCDtf
oDUB2iFvFhJI3u7D49sG7MaSvAan9V7Z2fTFJ4tXbYtE+YZLSY56vmDAGNCk
r/a4Ge7ip3edSZ8404XYGiE+iSt8K5FpmGFV2Z0VD0sRosjqjJtmRcy2cI1y
5rzXMzwdY91zMmvCDikJnZ3Do8JyGmBHuXi4fBQUBW1HVnNJpp/bHFwu8Rg5
3hqWka8o/QIpETbg+7oqPxU2JzkK5jibIq/F1zCkSCSV2qhhaiHHGR4wSF64
+ht3B9wd8fdH6aguLpu+lGgcms9zMO3wSGUkPqN+vxWjHaRHx25UWPBgrqiA
ZCcPHvwndfCBSBMlxWJNxI6bJcwa3UpIt+yuRQ8RXN8V8RW+deqIIu6ogcyt
+UpEleJtc+L+W/Yhzia5h5IXiFDgYPEFy10kDyU4jQu/rPtkxW4iJAMTw3mE
teb4Xzx3JWX8Dd2RMVYKZuMn5eoDJlXClFE2O7qAh9Z5We3acDVoPeISj2eX
siYhWwzFdROL9LviPO4UrmCrjsXoJH2SqqpTXOYsIykSJl8nSjPuA2ZLIe4R
PEu4eRL4WZX5ZY3ynZQnmD7/Ggizqa5JVtb6GXLO8gXMEm0ip2eAjtFkCxKf
qLMt+l2L2SOH7g8wLeTYh1nRtk2rxOA2iPgMki3qPnAEFPbH0ekFdquJQs3k
B3NZogux7fUAZS54k/CTMsPVrmUma1eV+akqm8AgglqX/fTVppvDzdmCyaVP
3EtsuxGj7pdZc0ecPLPJfyRXHcUk11V+w/6PxHF+e9w1+PA+fvOKfPM664EW
ir4W2NOu7HdMkuxNL3u1xdDw4IAv5jURVeHBjw0YLt2UGAceXVccKcd4CTpk
yZHrPpGP5Q8I3UdyBYRbl157GOlzGevWw9Fmv3LyIsliG98lUun04HzDJ9Qw
vE39D1PcwdWobKBzTA6FL35En4eYXLEzNjiqJ4gKdunVrtCb9dNPnNqMjivS
vmaR6ctBn1gnp3n35O3VJaGtRfoqmkzXeSV8HBULknLqv8+8135G8hMNMSS3
oibzSySkhog1tYSC7zNzmFlg2MXDzL1h/gwfFXsIC3SDUhwhRAaB2W6QG+qm
I3OTtcF2vf4Miw95IqrZ2j5F0k6C1OhuHA9ziid2xLlMIlJdyvr5LHtJn7MX
4Z1FuaLck0TcsrFXg1mCk7WziYiTdPWbeCWOFG1NwTHlPFHEez1ZcZyxo1t2
VS5KnseqYYMNmDbFH147oudNCtfYuGsdSB/5M9M9c+CXbJefsl3OTpHbbPUk
XkVJWYknl72X2SmaMqvyc/aS+bALMp48OD6xkdglKbd9CfYdfJPyNFpQplT2
Y3AhfoGc00zmnA+BbqgWPSmW/kFqF+flSUynXqLGqFeDlDPWvzgbkR2QIe/g
YbrcTf4JZX5W7zYLDgYOUtAo5N05lyho4n3JdFcH6sA/NF1ekfcBSJPEJ6oE
YzltHfy7W5fMsVllVNGgwcqBcuSyJ37tKjBp5Qazx0hxgj9J+pRzth1HfuUQ
lA2hOsmXkpQF4lIcGIvm+Dido81IhBcr0qaoofe1WAUdHrM5VNVEfoYMlmyg
hSXWwXZ3JRgEMOVvMAMwIutol6OZPRnOjN5zxg4eq524uSb1hiLjEVuCUnWC
aLHvE8f0Z0xhzHDMmmLaifKDQ8YuDc6Ngk0vWY8bPZSZOxU7Dz5q9UrrbSB6
4kQK4nxVcYlh3hBUdDxCVe1o255ObhvwzGZDeh6G4EDFzC9pE+6yL0z7EqKg
fOxkjNGcQnJPln/2aY0LWE8dZRSQ8P4KOCLeRjzRl5Ezlp0DIWLdiawAYw/0
Vfv3zzIB8/I7Xyz6swMDiKbopYTknDJZxR7hbVtiDPhaDEqfEqYSkL1KnDny
9OHJc8ybyrKLL3ys/+LHQl6Zyyfjj8VKg4/nJUoCX9CPJH1GX3ju0jqOn3DK
F2/XXLdrIhCg5ghmEbkUKrVKBlnf/ojenv6z5aKnNw0eBL2MXJoRD4Q9DW5V
IZjlkGBCIq5OP7bALczg6YlV7TSDVRyhGJjtMIdOMlglRPqLDJSjmVe6nWMO
zgLe/tMOj3nNwhTDEs5RHsVMxGSBJa1BzLvoy/C5KDYC1o5mD1okRN1N6Fy4
NeQTZZNOpXHrHR5Nd40Yf7jSQWmk67GwRFGxk75gJQlTUlP9tJNkRAoxzzh7
WBmYBQFIlWMPe1Fj1uhMBTruwz0YD544Cl42cqSh66K+xZWjKcRgVJRLMTJx
z5jAuilaDTuxaoou1jJ7zedhS8T2gLW+QKHCGNK4R07fTCw5PlAXIhjOS86c
icTc2lsMOfa9OWhHZ6PS5LaPUo0LfjUo0cEDwjl8UQ5Ts83/FKy7IIDNbXem
cRvyDc0ilxc5FvMB+azFhT86T7lIyd/Uju8l6Sy3mdFfdMTtrt02YvDE5pIl
9lpMXaJVGio+OPiWBqEQlLoq2ERsC8kYwtoX+1bKzui6c4YFefUnDhaPywLq
YWeU2vga5RLLmcmEpkcT20juN6mMPUuvkTlKziU635HS12tzifSc7WZGFwWT
OckBaD+xPM95y8DuL7ptKYFfuvNO9LNj/bbippmkGeaqrbp6I+LS8Ct0vvN1
5HTELxeQWYZX4G3AhuDTOfsQxDa6JZjizsfs92KjGfqjEirIpiMzYQXVwI7G
2x7ORU6VOWo3c9iCffI2D9V+VZnXj17D6aH/RBIzMA5NpVhqcnO8C7PQLeOT
qjhCRp2PYOQuyCmsYo9+FqFA9HdiyrN7W5IDe/RqA3/C/DimBBrG1FKRwqBx
Y0oVc3o/BxNu6KC75Vw0xnTLOVjMwo+vko3EhU+6HfmIJJk4R9rwrdFkoe/Z
50gc9KbsChaEs8FiiZmwiKGjgWHH3TqmJLSSDdONPHuvPAbTTn55SnmMroDh
R9jPMbbHlTfMEeavyS0uHz0Sw9xqkMr6uqmuXeYLGnNsPPMMuCJN8nVUH6f9
k/u6q5nWVyM2lUjtsD/G1YRYVrJfaBlqsaHRQd8Y0eD97IoKBY5Rh3ofb6j0
oKg7ZmVqwHLIyNnMlXj8ZIbylcRZaJJAqpX/9V/+x7rKL4Fz7//1X/6vkAgu
MqIr/E3vMX2rIKaL5kkUMg1+Mn5tzCOy3lG+iajkyXzTNCN/RdFzfVVU23jL
8FbLy8lbXtHXuHFyqVSG8JyChxdI3udvMHOAa6S1aJWpEsYl3jW9pEpYjFp1
CE6oMNVsRdP/jIHOmRtDPfMyPyQRVjzReN5etpKUlYbjYKaNeE568ix309ll
FKajapuoXgK58m33M6Sh2X7iSJdNXplJFpvtbDagaYFjE14BHhcFxaTAVMIk
fovgnNtc8iWwzgM5Sw6yE3aEqhIWHWUj/+ADdZqGNag5dI6WEbGkFwpWJtFE
u1UsZtrLvC7/rPIlx3BwQ3XhjebdkYuZndNiquIc1sApOHjPhcsU0YcvsqXJ
EeHItLlsmpUl6M8GgX2SabcuhSuYkT6Yv3PKjri2mnVPMVqpdQBT2YoBByKQ
aqM4N5LXtgrBg6vy8gpJoYLjr3yIF87jVcMlfBwYJhYlNyEOQW+w1gTdlyhG
a82Q4rdY+QsOFPxmVPjJLm/00b+MBv0W+FaX/fQVrHYefW6OHK37mXlzIFXk
APQXodGgGg00YfU1g4p2LXqIoEsIlWsK2Ch9hXQVomNcMCofe6rBoHJ/PTQT
9zwv9stzHZ84IUFs5Bk+vCPV5VLWTkKCFC9Sa4pObNSIl87oJhJ/MyqxtBIn
h+ioHTF7Ngk8AmEEMJPm5QgBkqCMWP8wDCOL04DDosBFcU7SVCKTZCkl2+O1
muIzmkkWmnUBOcIWQKm4zrkCgp5GZAzmO8tmVUSffxXrQ/iTfp9JyJgLFTOA
wikAJ56kNDMiCkET023UKyx6JOn3Qu3C1m2UhcS/pPSE/1q29lGOAeCwxBKB
R9dRRR1XO/NEQ+ICJUxR1esxZme/9CEuCqfnqP3OJcdj0TRVkdcjZ6gJ4Ddo
KlekO6hpMCp3QKE4Pvg9fPHCU4v7ooQN/51/kaQQ6puf9/MLrH6jrxBlCBpa
dp1XO8uZw7qfYvQKSLwSyORwDSy3OJxFthqqm1T8OxK4kYst/MYbSRqT/kdQ
ACgYjY5Rk1hdIZZ5NNOg3dHPxA4PEZbuUF16QW/a8/6tCk4a1yRv0l5WKw//
sChquOM96r43BUiNTkN0biO4eIvTaTrWpnyBOxB6R6oCzjBZsxZPDYRkGnZW
HAvij7lqurATPeld5FUMtIDGQ6B+eSp4eMgpQMc38I/VyZfF6tTPp192Lin4
0rzlMAR5KTnUrt7mL01OHEzJ6PxxleSct7IWlR9Tv0Hn50GDV57KynDk8Csd
Tbi10DkQ5KKszRMvXybNoZZEgToHO2yc80t5X5I0QZ4MkkomiETOoYNZJTBf
dyrVhksjlsohE2fu8jZRdJrxgpEujjwKoXb5hkMLsp4hU1a0hOwKFtEnMpkz
ZuGkwnvE2lGQUcrguNrsM5bNquMzmLHPgytll0V5rU6swnR7sTLs6DlxJDd1
PU7i78USMFN2fHCp1wECEpdLkSMM5VUx8K/33vUR2/tfcD6kyQ4S9ObEBadD
JHv201dCnpxvPhcD/ef0xCJ1v+wCwlTwy405X4SLvBhIQGBiE2aThIEnTCLx
DtlUvHZit4Aj16+I1RH0Si8eccTr4vNlVXi3DXnz3nMuGig9yh6MEWcDEZcg
AmhpToOmSi7Zvs7UVC/lRC4Olfyn9f4KH4DKiXiEqDLZvJJo7rFSjbs5gAsg
4myCf0Vu4fiuByF5i806aaaarwNN4isLPqAKCxPbbIpVmVMqKZfF9AET4IqK
mbxkVfcbCFQagJ4en3QB0lySAutJfoA2IZ5UnsZsCf4OjgmDf7y/VrU7CYhg
PoUNbI74WKcccbAXiLASkK845Irmrk067ERq7N9xLm4et3r8EmcfhjCOzOUN
dpWk1ZLS4WrcyA1ENcsbmoMKaUmOMOQfy9kLmfB4QVGklWvKJuoHvimq+7a/
wi1akYswUKvtB3npi9HsN4tkgCrTMrQblRGMbhkvmIQ1ehjIcMCMEFTRvGBE
h4SoAsiftwyHI/4chA+8xut3TaofjUTbdkmZwDuiqQUahjAFipHZE5u8xbp6
GxOHBFUX5wvvVOUaldxQ2rOrzXUzEp0I9R9r0yjo6DmaTrleGG9VWQ2Lzjt1
p1Ap0mBLV8W2avYkjMxfk4hydQSKNN7gmBsJ64pThSsHNINIakGkXmBMAIky
9JcIoNuFkOwNCaEfUIVh+SxINKPXdxbb2ngjiEiuimB14A+HtxpGh6TNYDBd
5BrdPlVkAioKbuqSr5PGYunFRLjhFGTBE251uztojZ39gimS1kGXAF3TaCUB
JSabwGeh9kHk+yP4Tk52JyOYypR0nURlmE44zcrKiWMYaP/xyD79yRx3lnfN
vjd8llJF+cN8++VvIBMmXLcWnucq3hCfCUeIC3XrnpZSToyuJXtd6mr0kvU5
oQrVSCHszjXlQd80xK+/5GzN/o3OlXcEdYYR+h6Y4TIoHTPXXfGWZA3D+OTt
ylE3bB/hTAiMkmgmkbvmv/63e1/RV+bkpJ8T1M3RjD1WfyElo3FNhOx0elqz
uKZu0WrMFo3I9w6nfDwJBUaG6Mr82USB44Np7LErK5ZpsrPinCs722rhHPwG
11mJO2t6qsgsx0roHd6qEDaaongA34ZYn4LHSCDHJqa2DiYuFWQ00WEPtx4/
aOOrr6LXhGmU9BMbzLVRdVh6NCGsnmFdRC8lWlAdGvK34VMN3FbIbvULuZmU
noi9ZnYnesAASoEY2qvRdD8GrWN4Kg+dOhZ6GExRNyGaIfu2PAxNKGy1SZ1N
MWOM3hd+G63M2mSWTxbihHUGgSXVAumHU8vVl3wHZRb1lUgfHqjawhPlrxK7
i+D0Rt2Deo3vyjyc/IMPsC1H+meib5KWeSem/wXb6RVPVwAg8sB/xTXIFin6
ooMLMK1e3tVWA87M2JgYWj40/ditx8au6X9WUysZHKgdwm7+wPkI4u+TwOPI
RkWXXE5mKnIrgRo5TdGyXYiGlTpyAkg1/SR8x+jOdknhvXgHObKLaX7bW07N
/EVpEhjnRAKr9TE6se1h7rAaW8kq3IKAc/wx7A/zMCXurihu4XlyI8Zmw2cv
x83OAb5yE3olnKZe4l+qNRAdRmccVcbdluDUiEtLdodc4zQC1rvSSe11vszG
jRJsOSJX7EA5pwv9w1OcJMSEIsnEX44/6pTE20czgWhlyAXDISJSmOFYOrAe
PNz0DpihLJxK9sIyHmboB2WT95YbJGokFxSGOkNCZWG7wFYaFawZgNwaq4Bx
uhROx6zBm6umKvjIKTpr6FdxAtnoKUpBCEc3KaUJYw27mhw+cfYLXGiXA7um
GqahjEMTVYpfA7iM1BevC8FFZBwSZTi42ZhXQFsjDRB0X3B27JYNFLHi1FTK
ebikaLoyp0YFzf7WF1EbB7kEKs4qcb7HMWq3MMzdkRUOSu+qRnzb+VItmSnv
9k3eufncI2bU4k6RDo3IhC62xehzEjVycQD+hurvtfNSUtQSzolhFETe8AHm
w/QC2oJblsxVIq8K9RjEqQRvdQ87yuLPORaD5QO5pGeuisXukpxOmqEbuZhk
H2KD2lk3p/9sT5MYydP8tXtc/PHs60cPIpBR6swUJcSl2WqG9Minol6Cu1mV
t6QG+XU4q3Mg0NripuUUWioDkrkxtEwdp/YZbJQ85Iw+nXCd0X7MX5K6k9Sy
skLy5ORBdu+toE6Pru8olnP0Gacp+XkSNDqpPeJW8y59XiBrXk7mWE4jaQeE
JTtwJsWebqEZS5lKDj/sWufSPgbhMgJjrUZQJW676eysQ5d8LVlCxFI1RNgX
6MTP21LZLKVvpNw1wBF4LhayhVzWKcs7lBUUZQWNj+1GrFzDiyshyHRcnCT8
hgWtuA4HIRbhVroAKuxFNQjnHUF8ujwmjK/W8WbyrgTiWxTEt+aSbqb+1Thp
Puw/nSCDMWBAm7oCyeUbj+Xx90JcQ2rpZK62W5Y8KJsjg3UjHHgtYQQ+pyTD
a9LhPBLXUKak5X2ZptEvyWW82LvAIyI7kx83uPdpypGGb5OifE/GWy8UcYwU
Tr2IHJ60QAHuN8VkuJAqtTxbl+nGeB8E3pIg1iQrlC0vaks0uEMCCSudgS8c
Z3yHCd0admsrt1TzUJXH017Etk1koY0fCzmlvxdbwzun3/BIGqr8aeiZ+q0i
o7/IKU0KP92N38zrR1Qx7dee8vupOa0QlN49N/XOl6byH47lfxeOZdFoPC33
GvrJHV0HRx/jWneKnvcLaUHMypgWlLRt1291pobtdl/yetYvOhM0Ku7yNf8t
QVP/xW5cv1ne4fWFyR7Hu2Vu1FLoMvh2foGXdKzLBPtHj1QZ0LOTTiSBCqgM
68+uN8m70wusdqYKEwHpQTP1SNKOC02riXbxtvA9eSrzkJFTdINXzeXBshCm
oJhtObp8EAfZtIikZIlNclDH7K5NlQeNuTcYw8y6RJgfgHzP3PSF7xIwKDdp
KSHw2SEhEN2QRFWTW9UTU4u+tG2WsBesS2lNJnkiqRlHRysEzuEZZLzRbNUP
elNU1ZzXBJvFJ50ea6n2BuctlZtIiaenyecVLSQcHM7cVDKXPMOMTJOiP/r8
4CZxTEqdtbj89B7cjY/U2eGuxk516Nk69HOk/GFJ0uz951kvUb5FqppzyQx8
1ELOI450ulbXZX5X2abGmfilwvU3b30YxJdH+41PnOz/q+NHgkupnwwlQYGw
Fiq2JMVdNNiBJn5w8F4CE+RwuIJnZ0N/PrtNk/2AgZwsRDY3uhmji+YkwXCe
8d3BjNVuWy5RhgXkPZlOSGJyLBs1ZHP+puIv6DSi/6JPJ5e0mSLW2bU9W+RT
Mhp2jiI0FrixHrkvajGAzHKN0Ne0en63IIeF+AyX+XWRi4dtKS13RVGPwPHH
1iTaHkPtiM2A20BJXPkdLCZPFGAO98SWLR9KfDI6tPCNVOP39S15KOLw4QY1
Cgapy5Z6YuDgY8lRloJiixwo+b9ewfcp3bTgOxR+kVEQRSWn0yV/iyozcxM7
hes3KAvVknyblOpDYcKYMpV4vcbTBR8+yBq4w+YGlbxBIMbVatp7P7E5rnx5
DAEAXfoMHAEXgmrqSA6JG11BJbrdGv+2KC7R/De+MMGeFDkTgVNCbkHUKyds
Qtg4U1KcNLdYH9aGtchcnKyUBlvR/AN3i1v7ke4vtY/M3VhpGk2Km6w3BzkL
j+Z1AYyjYjQyYlnkv8kVRcKZ7jpI6nmJAsg+dCbEqe+JqGDdS1WviQRRDXBS
m7O43Ngh2qmriSptFRgKk/yBC00UDI8i2MpCpII/zr3+YOZ9YEWWfD3NeH6D
vOuBd2Ef9iJyFyeRhjRndHj1E97AaqNjBEfh0AZpdKkTw8v9v2bmXMQR/43S
6KJN+Ot6O0ao/D/8HL9ZAl2aUiZe1yilrPexlr88mSy0NfmN88josnDan4UQ
UBy79LHxjip4z8c/Z8F7jSkgymdjXf7CXXXBuyK4KETpJi4slt7vpXOS3+jJ
3LFb9vM3dIj8Pi1l+WtkjP1/LTmLagIiwy2E4izvxAfc7PSHF4lYYiFpNXVA
MqHQt8Z6Iq2VJBphBdEdx10vN1G63MLlx+QBJ0nwPFUyxqkoeO1HHHcjCQ46
fdNMpGjz33M6ggASRq92V3nLpaWwnRrOlTedVdtHmQqOKn6b3ARr4eFddX+N
3ATSsanS1DdiJeLDXBIW1MVK+AzD4cNSYVHkrxrEa8njRxlh2FCUb3GRL6+G
T14125BtE5w+goXlcSLoci/2nD8qbRFdAaYA3E5V9Gv20p2StcRe7vN+183F
bAbTmH/mif+Mt7mUqN6IP5STCMnzd1tlVKRYDlMt0KTXEDGVcXq9BjYxnqKh
eUoL2K+/fsZAnr4DGTkDy7X6BoZ4NzcB2aSfVsCZoguMeveDmQytdlH1wtGm
JVDcepkzPydYL0XZJXD7RYV8sJW25T7pUvtXm76L9zZairr9vX7IfhiFGA62
mCk+QbMeMY3akJ0Z+Lbjm4YElgucgugQCmWPiGLErBNlyCyEVaPGDRVG8339
DP/fWn9r9775bNljHiW6BjqKOudKA2A65eNjuoXjhMjoHIx+f6eg07fSJYNW
QbguIym/QSuf6hZ+LFlUCgFIW1DmIwjxCjfMd0VVSbWCpYi7JwyMSdJXmmxa
J0FHN+RFkF95heh7e8ePiFV2/a0s6ZWgz+YWV3nTUFbYJDaBA/BJ1+67qiYx
BAdVo8DbMzlIXJzUqO8ZE0tdAmEBIbuTMpBZvhVJ2wIOolHDF0UohKuLdlVZ
a/alghOh8uT6eHE+Zr230uIAkiDZUqbAcOAh0bGk5jlyT7MLeEvwLeqqvuc8
yEF6ww4cuSbl0jAI82mSjDgcGFN1PvfIOCry3+8sPT1Or8KuaGAVXjEIpmpN
1CmFMqOIUWSsEt1gHE9yn7lBGh+o5Juj1UBIr3Tj2VfDPYgIk5KaDUTg/HVU
Fi98OwEfZDyGGP9d8RnHoTK1PIbrY8fA1bErkrW27yPIR7mIqxIXgPhoNTbL
tjQ4QetQV6GBcxJR6rITcAzpRqPJ1Vjdm1MKmubwdHtFxVtgHI5AyvnanZrx
/EYtBNyp9yhT8UB++sqY2FxtCFMQJgpdpIk6X1Ibv9EhE7NixqW4gwYXxAJT
e85hbVMrc0a4kswwiRK3Pfo181YUgyWGNmoNVrl+I6I91BLPw3zUibmAoilA
PwgrlnKxIV5lQMvALRiXDar2TLv27+bW9zCrAUirWA3dPmkttRUDftE2nMEL
9Xxa1MRnxaYQIZiYhToZmC2m3DICrNKP7c5YFovgYsA9bDGuIJr/VCkWhp/E
xSKhtS4l1ezen3YEWE01ikeBbJfc1yvKmUd4YzGlLL4W4/aDSvF/wn8OwFxA
V3qJ2s+po2YNLVAmzsf9tiBZai4wVuk4iHBw+3sBrbsghV4SNfeapcHzPNDR
/CzIY6PF+h/JYypb6wFgFsWBjU05+nGqoGX8B8ucbf16n6nKiA0MD+JCtrW/
3NFEtEvE8EMH6YcMTzcayvYHR1JIXIzTXO7goI75YMYaJQCH7xJTIbpWjRJD
1MCKQK5yRywafEUtDygPdbikvY8V9yd75vfr9sI/z/iiZKcvf0kvbvDfxt4M
J1fcvnImBU/GfCkuDi+iM+YV7Ci2x/k7WvzD1tOuKhRw2/eJ/bfwlP31HWXk
LlBlRhkbZhUAOTLWOgqWsM1x2yq9EkuSDwaX5zrycc6rBC/dxf7pK4lozsMJ
/owNRDk4Ah9YBhzoaekmwgoJpqHk7IDteTf5HWXiUEKJY7sBfndVrlS0N5d1
+efC6VIjfB8BpsplidpUwMJf7F2qQ9TuY+bay7lXrd/ETLxTVoat1oSoXxpV
ZouOnIW84e52+D5Qeay3WGk1ZVqx/eDvRR70Gl78aqC8aHet88jZvhtOoxx0
7mN5+DSSh2TuptyVctgvazRjUnlDCTf8LRQSx/C2H0CZ8i8Y4N+U+cbTdN7S
lIbZyL/bEjIklqaLWKSlQkhjAuEaJIo2eV0XlLyA+Whn4kC2rxwGJhm1E6M2
Nl8/dDGLh8fPqVvYR03HKz5T8K2xlhjqloraCL1sTqMMnldU+oIlIyNo4wMq
wmk8f/LETePx8SNsaSOcm9yX1ihBQ7BXuUgwNLeiEW8bcjZ+LqMRGY4dWr1G
xF4mji2thDGXLSVwVphXilGKZAri9SPW55IJLncgh5A/O8/oaVStrUzFPckY
fmBSS9kKt9bTrAbSVcebCD0+xr5yhAzEHgS/57Tc1HtIN13CopiIGUqUBVlx
qU/eD2B4Ze/bMOY13vVkXDZjsGELi9dVsMp86gF6HOBtKY2RxB7ZukH7Mexc
y9lpaLeXy2JO6u1UP6WnxsckwxSWBT96xTWg6QZI3o5TU8ola4edq7ei9cIQ
SjAwE4fWFM2qcxswsmDcENI1nK2qW3DmWp0KtJLPNWUreqobZNL7AXSOpjWA
bRG2riNxlEushYN/VdYb6XYTyq8jrmhqQsN1k9n+h91P1jq9/bdu/liDNfVf
bjDCu2c8vnE/o/dzo97blqSboXaJbalE6rgCVp8pkIO20bcI7SUtyNlp01mb
7pG6MtLB4Z5fostNHBtUJ0nMiMchL5x5F0NaWNK5lSzvJau+XeA23i0JquR7
7XLmRFOnwKUUlI8anSpqovaAijuhSdBN1G5sJsXTXxTWIjsByBNINU41G33R
Xjvlr858Y1sDuXcte/DC2GrH5p77LqmrjLN2pBGZFtliWiLrVq0ZO1/qOSac
2pyx4qPHo5Fcw9B3rAv5g1TbOpymVF3HGzx8jo/qS09xTDfpWjrZry7geGhT
OBbvTvHR85eGq/O35+ev538s9hbAe/jk8XOvwjw+PuFClLQxH+iQ0jiJOmal
ajSXDyPu72BRx4Mmf5RnXRkIbeRsS9E3UB03NcPe2igoOq/YdbFERj5SBDr6
vW74wbEa0sHXB2MMZqFkkbYUnCKMLz83RRppZ8JfQxpEFRfAkZA0piiDVMDf
mjLuTBr+qDQi+xuRxi/45q+jDitQ4czHoIIPIvPOFogbdisDLRBUf0u4Ht5u
0C98mfVJVrVB5g4mOzYsHB6u0AX+hLzfs9NiyBUPDt7H9DbK4QMCmjVOcG1q
GmoT9r5md7p01ZCuBazWd0uk2Qv+H8yiYchL/vWHYnmtv2bw0IAAHjUE/Mh9
c/ycUMShtkJIVBGObQ4a8r4rtadI65u1lLXze9MMYaocJ3YdFxWFz4TZ0Wyy
5WrSqu7W3TSMjNAfLnSFp4Ek1WnseqpiOLKlw08NwANinVXc+VLu0kkkF/Qv
ZWTUsZO0mg+4UW8k4Kl4Ylg8yD2puZ8MQ5XGXdD2SAuoUGsoFk0NLXKZiHFg
7yKC/QmNh3wxYpNhbDn5KvsJPWCA+eEjNIUyYKQtdl2AZHAwSppyseLWl6hv
khZSl7m0nGHj596r5uJIiyDQSVLk1RymhCgdTVtTEQ71Sda8nX7X1oxFwm2r
MLoMY+gQ6q0eBSRKE5ZLdGCTXou0nbNDe4m6UEX1GlvQCR04YFtQPJ5qjdw3
PNJSAWr4rl61xUq0rGbX5QI+nLSPlNPo1LGbo/IOpjDq8w1B0Ai8/WlW57jK
CVtMyJCKHwWJTAq6xlPv8aYyxMX4hILvl85bM/XQHInD0gE7RYmFOazjo5KI
gDRON4byHan9kHPLjAwdktouCywq4UDjBjbjvAlxntQ5Qjek2WybnYLCiE3j
yqTyNuqJ5C4RvIVXYyTWeREwmy2MGUzhH0uGEKyTPFF2YHW7y0sYje8IJ8Y8
eP7AaxoPUQcNODqYOaqI7jRtQtibuuTor2ib3ZaWclmQFCprgdLobURJ8JpY
oqTPwOVKxzKvEf6euxHlqzQ9IVRPkyVH5EsET5g3eEPhRs1CyiNCkOyoU0a3
LT9JqEzap6sknThh54DI0P1cYSjjM0Wdhym61jkst5W7Nu0evkzsPeSy/Kbk
b3OfdPwYf4UyLq6BgXF+68mDbFPWKF2OKFBQqL+Xv45vRym83NDtlnMIEya2
1hVMSEHWsZFMrEZJpcaOxe2Gww3Jds4k0s2tCCYZkycD9ddIv7Y1N29uajL9
LqgAWU31bEn+ZZMh6N6QVBTWFzTpC+XEdVNyhjMqUm8pG5LrlaJz+0ip1Ymr
fNCTypJ4i/Tc8+qyAVv2ajOwHUZvnXQZJtB0OFZyK9TaX63BoFdnLs6oF5zL
3JLrz5CX2waxkVDEYa4ujDAAPEK7hvbW/CJfmiSc/ltkAQNudyUNgSRSIM1C
vLdFIQOXEggYnlTJLkRW2CYqda1jTNcHNVqcBRo0koRBc/uwshSURUq1RzeR
6AYI4EEmmW1M31gNo1DJqUh04Bff13Fc81WBygNDu+2Sv634b5G+NBArt2hO
kWyH7ZTUNqrptty13OkcMIOqcE1pw2UKGW6SseCRvtjJswV5FnerlAXQ/EWg
Yw/xXBoyJ0Lb9DSKQJhfXXyOrgI6qBmwxwKecFOCoXBDM9vkFZer+8+78vAJ
3QVoB+7O8hMyi84D85/WxXLV9HATCuzdThEHjC8oCVLeGuXpwRzo5DoNxJYd
Z923QRUUOY55R2wlCgvA3dMJ8xa2phHh1WY+aiW24aMYQMEt6EhlE3apDJQm
itOCmWOTPqUovkwCOTfGP4VVxqmVG05A4SGQKqxvvK9GhsU6Kpbi5Ai2KTkC
DQObJIP7SPvG2YEB/9x6HyDtGva5NEmXxnoFX23XHHHqVnF1Qs61AXfVuy3y
bW0l+ma62WfM/IUZRLZTcnO1keEwGcDC/m1TpRYWWawTq2S4ILu9tLKQpTmh
jIU8AkmCDxlj3tVvd9TaKUmClBqa+0Gu5i9fwYjzR3Jzgxh11TNAuNu8ZUok
+yAnATi8BDObA8ZDmN1z7zDkAMu26Tqn8WCJ3libVNMTCMhwQ551QcuzvH2Z
WLJkohvlVE2b8FNdvJS4V0DZtbSPDGWSQQjQtkoOSOMzj0lFZdYLb914GFCX
mhx0yYuyXmoqZOdqcSyBmGzMGfM2N6JZsLh5VERSSjNIS1H/lkpvB6yI8oFa
J9Kpkf0sZRJaGWHzEMcaYUbClLektxPPyrI3TX2JTCeQPcsH5lohp3yBNi7c
XvgJqBQ+tUBbmotlyYQVLL/0PW68zB6n4lLOZbPFYq+YeZjQtb71nlStxWxO
u+eAgyIK+OCzywfiTYYhTUybSTZdSXPiU9FkMOmM52YwTAyQq4V0XFJdRlww
1mydp8jiov0EkOVrV0VNJjSeBGrkQFBVk/uwEvcyJh2HMgJ0bRibw9rTVGQ0
7YSXYZahRVIx90Gdeu8jYmXquwh6n919r+qMeUdou4UWYPm6GAUapfQufzIx
8LwXjaEXL+uZPJWRc7Igd4Q5QWp96MyYr0h54DZH3ChxOBLSZ1InNfQSvDOc
+xx7ULTY5nNVUKa9esMo8YKhjrbaChmVL0z+q0bcSRx3xYL+HAu79wr1IVU6
NEpVsOS2jCys5UP+MGnuGVOIbv8pIZ/36blJhZC0kco5MYUgKzFnA9MBdZ7o
1hmbaDACVFfNuatTt8EsjtYJ1rGZIb5TEXIN2vhas4+VwXxY1ZdfqdkmjJ0L
FpGbwV/+zAmqWiBGsxyT82QLJx0AfFYqXoB9wXCogwQHMS2jnAD1ryrZ9k3D
6iEGj7Gb75DAPORWAMhfFcXGbOtwl+KqWnrvJi/FsWDRZ3UrEJtA1nNFEF5k
EcBEjrRKf5zieTDqR67uCXXajJ0Nswo9Po5i+f4unIqFO6K6Ut9s4V4qQKSY
XHAaWr6MKeDYhN4AwKt8H03zR8qV/ClWfH8+OHj711bEfdmN/46h2omxR74R
StsVoaSl3ix5Emmo5bil+SKQsbn6U20oyQtNdfVoPQRXExabYKWSP5857gp3
dbzec4g1z7gfdPmAnDa7jbyu9dG4e1uPUTCC5BW5caSuk/JeCZV7cL6WI0sf
CkDMSZvO1yE7BjNjREeXDsn4Fao5Q5/PvZMj4TjS4w60CuLc4u1SRw5/UIS4
LNwqHSLW6cv7cmaZIlT5r4Iww5p/H8b2uAKc4nddeH+l9mYIoVgCXmQPJQ/h
C3eSo/N1IHr45BVgbs6ihManQic0tXOuOaOKvioXUqV/Uro1i6IdATXhXJ0P
SLm+qsxEuIJzqJ8hJ6H2of0SJY0QTkwWYHnHtEkuDJ49yRtgUiAFNuq2I2QE
ytiOzAhapgcUkC6WQ6wmKXqHi2nICgRjF6c5Ml7VamXbxuGkH6V1QS5X1uNA
hm6n1g2IX1CRZm4Pu86cjjQA7eNwoQzmtPspW0EAM2V88lG1duFiHh9CPCyK
pEO9mloSpgwmJ8V8VsqxeT0SXL4x44CUA0tYZp5IdZZvy8uWedgpdvugeZ5J
Blf2ERkIWUGk9skNHYUbE3ikoG9ith+C5Mc9XKUGkms4Qblo2Veyzpeu6Irt
RQLPgpGBdSDvD5kM10214wIHa4PpfUk5d2rdGUAhlaeqCkKFLSSkAkCmIuVT
7P1zuREgs/fUmw2uxOVOorZSBkmzYNEukV3s7SDmrKghIFQqzQvT+UnGY4IA
gbXLOTYW4BmfcYyZUXVckI8/SC5xaw7vS2fROb8stbxo7dJiN8dJlWzgI1oO
QfojUwIV7ytkhpsmGeBEFb1RRfB4DVuFE0TDJftLg/oXPsJYbepNwmtETFFR
jRwkAV3CH1zWo9XZhmwWsjU8GgrM7Vtu+q0BG4oGPH2KqEA+JwmI7FM4Gxro
45uL+fnFH8XGRA/8TaFBx8x1fLsPD3ogt1f484Qdq+PL2Jy8oI6c9+pDvUuB
vDpWNRFYsndDzjlyl6t9Jz+pFwqV4vySWYY4OIInLUonDViqFl5UNApcoB2/
ZtIcS99rSeUIMYlN+ZnvuE4Z98pNQ3/duFoKndrBwfeCjDict/do6hh0Zziw
Te1sRX+TPA9ftNDuKHScVLYzgyZZE+4n010HfPFf/+V/2OCEJqYQyy7T0zxB
kihdFTn1dWCMAIw1iKoWtp+ghXVVIhyuCO8oQn4Ue2XYVQZLnppSiDIBi3SS
ltJSgrcP5zBBDQ7E8kYtzZorzQvWXOyLU/kgabaSOqrvQtO4ozGNTeIBzWKn
hdj7Fo3D8CC8cm0WnWUXs0Vxdg48QChYwLalZgaFvVyZrqT6L3bB7molHe2+
pytjJ1wYaLiKwDzjBZPNDJy74GZAmKyMbaCRKItLBq5I8SzDJUCKJZTPNCSD
m8T0vFxinAgjRgwSYmB0hQAV1IkrGU+vsm0kf6o1v3aN4j17WWrEZIwFMIIB
Skc8HZJ+IhTdJ5IOZ250plmwcvfmTd4tKtq3H+h7oxPdYBd3ykSXxykTqVME
Lb4H1E6+O5oxLYaXhV9Hpc52yVtqu1ant1j1S86yS5zzDqcOPQasjftPGZCf
Y9ZhPlY7xpAI6c5bkWscIHMpmg5eStJal2ULYh+dI8tiNDWTW+5JkFYidCy/
umi4jk0B544OUk5Nltyvc9dFJRsYg1LZg0cowvHg4A9UL8ShNI+jEfSRmaQc
dqAMonAT04bRKsni9pxZLqX2FkgUheCVjaFfULIibnGkFJRaZLXADewZ0cen
Xw1VEd4K0yo0B8LnbwWNJgrqbNvyGtTqkR4BA26a6h2pwkGqGnm0OfnPrQdR
h0PjwmUBl3TN4WPWRzdkLTq9fxhR9KZA0DxLr957+nDk6T8XbxTjQmHWIGzQ
pmRgFHwTdBY4HuIoMki632R+qLuSI9RcmRYjqsdVa0n2H05l+tWIJkKJG2Wd
YAZ1WfRrTaDuq26+7T5RReVX2bnl+sCGnClijGznhT/9cz59hWhBJZQkjeR6
uE1URGG8lUE9dxBFRX1dAu2Trq89HnHWDZ3HruaslTUFxmhGGpwb3j4VuZQp
YxLOWXbcwUIdp/kGM7PICQJkzxuNMgnOnCiOYZcEx/P87OzI0qUSmNGF3HKs
oiZqDu8FmCN0RM8yFyQnvyD1oFTt67rsSp+4E4ZvpNycvMxNvddPkf/3qiml
RUFs4otvnBghVYuN3F8JyWmfuxRVjk7jbnvvDpe9MNttVWqLMTI/gk7+Jnrc
qxCKgeRbkjUL1KsEhHKvuINlu5oTGkUR8Ukc2xwxVxif630Z2Xr0C8QKxLES
vHRaREKFxLtO0ChA0ubk/nGE6yvDegID6wQnBg1HsjeIPHT7PGV1Ep5WDxnL
BKWnJEZh3jrJTSn8plkaYM6NDaMxArEDJTtYUpy9yx7Q7mWJDeJz+25yptio
upUTxFyXOLRdw14IjYqnqGwTnZins8grlvv8SFSqS7lPRLEzIz4NO1Fh06lX
hmzrDTvXsAAPCZGogqUdUmfsSwRbug8Prg5drmPk6Qq5l6qcelnYURJyLunF
mF5Yr+Z9M6c8Kp2H7bdNSKCeJArUX1mOXVlfN9W1JE9iUR1F6mmpLwWJ8IJl
CtcwYOyDhcxchMzPBwdWW+c8Co/QXGTQwbM+CFdDkJJ7jWUReMy9WIknT+EF
aphgmalRN42c2xeggwfVBc6vbwn3T44b3pdxmcwpai6Xnnik4N4Vn6/AcJVc
WIz5BA/r76UdKI3iXeaYl7bP7mF5OMjVB0eYJ7yUmizpa42OAhgg7qQTIA+5
/Weo0o0cDmw0VJwqASLzTzvtuUQir6XPonDtOahluayjYAKqY8Q6AYMSyW4/
eih7zcSduGiGLz59HM5mtHoLbms9aEVqx+3HY01epLLBo5/ohAg2hoHoMt5u
0lGigWW6pNBOr/HhY1uj5vuvrNtE1+xalmYyE/HgMw/EZdJVl/o3TZGO7itm
rbPVjLlGm9LqweJJzdTLa7xYmrM3YtfJSyhRW+/+eYn5teJQxBkmSxU13HRS
EdPBD8mBBwy+VgQJuIYlB/uKWtXj7DndOrEIBN8LdgE1wLrrOMSRzZGxADHA
baU/rsCYWf/d/VVxfX8nO7jo/u4ko2T0vzt5mv33jN/4RY8/enjXx+kx/M+9
q+LzarfZZnO41r+7f5Id/qcHDz8f/i77z/85K0AsHAku1vuaeszaUXHJFl5G
SmQIqlC7q0PqHDUptVRthCWx3G6MBxJiMg9B9dRIzs+zBcbI78EsmQqpk5Ws
Aq59rhERPV0iyJm0UVg2K2o/RPmvLegNpCnep9Hpn6cXL8/OrIEE1kShyAVN
XPNcrM2VRBHTyp7Yph0yBu6pdvFHvApvkNnyTxoCCTdqsWfXisqXw5OnhxZr
0Foc3htKca54MAqXqobMkNYFSl5m1SCjNoXjILJvcmuBRHdtTRoT7jIu3bvB
uQ5J/sBv1shRTDry+6QjXtCIHcXbeQXol8PPc2wZT35Ytxmsc4ZpXoqOurQr
K3a2mmO98w0Vn5e7TmsbCSe0yD+lt5vsN/PBfoz9lWaWU2glp4nTC4oh7HiE
JJFLVdRdB2F+Fhx9mI0hQIGzWDPXYs6hEepyC9h3lUfBhWPtOX0Xkx71RZ77
6EYxHt6Vg4pwoTBfE+G+z0hAKRzR88ePnzpl5vXxM7qR/MevHz555v74mNvE
5Q7rBL2+s3jaSRpf36CJSElzg8bdBNOL8SrlyiFcMC4EkjI6xmKmxiGgksN0
1pwuFOOEntNMiEopJkoTwmutXS+kDzJ9XLpnjkzWfP8x/K8oky+xsSQG7bD4
hjTKvC0RGOTg4JupvkxOrC/l9TkHGbfmdBB5K+fKCCj48g6XUCFiIPUk5FwM
dfVq2yVVQIIoFgw7m57/FBUu9c12y6hnXUOMCWPYDrmOUv1JoqeRCb7bcQw/
Rg1m1sgBTNLTKwpg8+TVuy9Vk1IHR8FMSjMb3yBr1C2b1HnVggaeoWTAvIrc
etiI4ZFTFh7+AnQDqhrXXu/pGAEaQZDUV2wLC6/XvWQ2Cxt2SJ0NDlG1O6yb
ufzEn0VFZ+qwE7epJgBoosawY8pE+5d1WVRU3G1USV8KUx391KDMO8qcz0uj
J6E2dq5H8CRHXAvWinDTbgZj7xG0iL4nuE1jiI1HfMfelKkDzH83LQNX+MNQ
/s3dHcXM17qe20qXlqAftHPC70o72MSILK6Xccu+JnGrMn/mhCUF+r2G/cf8
6WWVlxsLzVEKfd6KF39qeCr9kC6ufXaougbO81B6v48HKWgiOl5pjiHWZdCx
cy9Et4/wALXbxRj+wh2QZhIcIOeNG54LpQBwJiwFcRgsGLhDE0/bT0XB8dkQ
d86RtpjDe2Uf92Sglez6BRU0GxJ65FjiCVzlXXr09n13rqVUbKBLmjcCFV/y
y9lebZp2zIdvCbhBbRv4yDisUjfNNmP9eklkAFouEca7XJJCYjKJJEDPrSwt
GRRLKsmpQND2XR8VYBjH09tBdcwi/hQGjMBiL/NaG0kPMQG13pO4mfDGKww+
SDMXMBssehtcXNFH5d3QmxaX6j/Lh4VFcw1hb0W9ukZOjfxblqi3AVIjw7Ds
1AyhCF/ZfRo5qkQJZjwcN5fQH/XWOxuc2kFB4ySOgHRFO+iGZiEdYOs/7yVL
zCq/kAAFnGfUN83fEhVMEpeD+8x7mVNbPREMwVuLDeYoyPeR/heNJfgVaoTR
piAwjkXHp7bF0BrYI0n4WZyfe2xVaF9C9ozUMUw322w4b395VZfIz/F8bspt
4aiBAjy0bR226iGXWDBN+dYmKAfBTYW+Wu8+PD8959TWQpUj+CBKNZZlDJ7l
emtJcJU0qpsrCit30hOBgDikvl4AB4AouShS9s45XbiG1sUiyeQhuwDnRJeS
fqLJYCs4nos6THbUdZZR6/LgMFmFUNatOGg5F0RuujmYwduju0QqE2V6d+vu
RRM+6y3m/KVRiR27wz6kQm70RzMsCNMKuQ7udVjVBsQNHP+qQK0ld2Dsh5TB
eJjxnXCZoEXVFZRZ9gJ28ptX2ZySUWEF7M3GbbL8OnJ85r30A+vyEgGip29s
l94ztcBOvn4Q+r8QHx+VTxNoEqQmjskYogWs/JOvh8OrCK1llAZNjJCmvpFy
+Vo0/3N3YF86KwIysIHn7L2f2BjO5ctjtMxwDWG/JDPkXP52QDD9vsXQxMh0
v+lW+wCpT17EwcM8XOFZCHc6GChR7jCLhXC9VH8fiXtn9+ScWWMOx8i/DwTw
5OFzglhAZiu380eggXUH13e+BVsNbmiRbyniDP//889HR8R/cJjtzcpaJT06
oWD0DwGPMUB2k4eAz2C4YBfwDXyUQp8aBAy/Hwb9nBCj2J8IQXxfEyBCABVr
BTWDM6ENPy8WLyR6kYvcZ7ZxX7kGmoROsFJQlJDyUqXPi8Hc6yp61BjRCoAE
usgYwoB8quoSYr8ex6ZxamKo46xmYm4al5GwFHqRMLWB8EXtE8iwUDDh4uMm
xRoxtKAEVmcYXsY3jJeRomQn+B4eLfnLCB8PBVcHseIjzC6kIWmEjntnlVFJ
nohDHPlMuV1cqHt52fIPBPM7Or9ZtoOj5vAuzDNHo30EogY1KWys8XtuB8Pl
JxpVMX+Cy/ZdokDngJgCjDDwDAyxKrZVs0du1BuqFdgdFQMBdUOofFLowDTB
2hw2EGAU94VlU1X5lo4xdHsZ7CWLibwi7RwMOAyJ5qi6NdVKwA90P5n8XeO6
GELODlcaoBBNohesaEFcdwSC3MKzBPxDFmczsiopx+oMTSQO2NKENDYdCnSs
FFzA0ca3IWqB5jK1R0lPs7CTrna+GAJPRVetRUAppd5o2DsZJ8HEwe10UDRD
QvlF2DiMqI5IPT5jQKTBObPEL3suQtKry0GXpI/ZtBFJScWWAOwsLq/sI+4R
GeC+qT0VR9xwAZQWAKRZqKStcAIJ1T4Nkytkmdq2hhRhtEBd/mwEZLHritF8
EVOMiHMWqx3miSDe6OtX3394f/oWhSMLuWcg5UD+cQusbVF/kIQSePb9+et3
+PDZuz/AE6P5yTwDL2fUtQirWOAtP0cuzrw81lHXXjS2ajiRCSHqgvxf0uRT
dMOCG1zpetH5Mi6QIxURqUCNMLjdNgHfmlPTm9iXqeD0+lmtJHCHGxThUTUU
vjehV5wJT6BMwxnCNwb3T2Slx+k4AkCDpT7sA1v2iM/QLKrQX5VRjXKTfB2m
cWSH73DP3h5qDreg+Cj29iloWzheRR04+EaIAUb1P+u+qEPLUdyGPCRB+6gR
RySQMGtMopFy2deY+I/QJHqNByroR03RkYvEGm8AUEj2wcbT3+uRyZ2U27Ta
10DTy2xb4K5ZI5d7egGeP8EL4JhHnOY0er80fEKpbwcHkedOzYh6PI+ObjGm
ubFVy9us+fu9lK4pMAEpWME7GUkBx55Eh1KVSr7hk978YtOdGClQyet43VGS
s9XdB1bpnEctJnV5rki5x5LAwlbPmFuFcGZPT1Xb5XwZyT8iWAtuVFwxQKvm
USr6s4ucijD40LBEPZcnQwc/txE5N6JgdIoInUVKHMSXT3dJCypYFkYwG5Jm
kVeUMCGb+Z3l36LKkJZUO9QtRJva2MQeowCXvD4V9eaOS6hJSmVlvnzV7Vmi
HWSMVF/bTdKyoFCffP2YlNbTGHJW5t3KdlpDSAWxaSqZfwRX01JjAlYzXKXx
GDib3vVd35BvlbwzIf6l/QXhE4JsBjNh3BdEmmhumGOgptXs+gCChmfKVfb8
riSVRn2ftBjJDtEKbkhq8Lp05dSmi3FltB1BqNvFBpB60sAId/wv6r1lCDqU
U+JKoMV5F9CE6TIpui1vB2ITsdcP1XTnEKDENBqBgQ1YOGMaDisVXU/1ekjY
C9YS+MtzuckuZn+mStLMBxYsq7OzsqOy89dQynzYfYGzpq5iiLZZVtTkklvo
kg8T65wjjy7ZI6X1XBXfClmDXJflQYgV9IPyGbWprNoZgVEbso/ptSnoro1E
zIWS7aYQtdY0eyI6yQjpiZw6tlQ1O6sv1J84gjrs8Mk8H2dR62fCOcq4axml
N1NNHvlYGRd9ArQzrhMH1brNd6vEKidoExhvV4x/VdTRsa9EKbyKXt0spI+Z
14ipIQdu5nRLJcTPFX5jylZZs0NAyGuw5drAGb9TEcUNieYHbRY34FBxPg1V
bROb97sz4DvK0pT6OTuIJ0U+VS707EMTd0nQcr0IDYAsSFP2HmnhpZtMiF2B
KYNtcITgw2gJfXKTpfSoaI31XFnjC6RWLe8SddEgOpo2dFCGU/lHkShSxMf5
+YQwY5tBCq9Ki20uba0pEz0Az9FL2pO8uyq3rBNj9tQOaAzmWfdR4MqxkqjU
nH/IXTw4EXrHUQvYzjip6Ohj4/YBfznlX1oyHwRBpxlpSQ9k9U6XSaoWWrTz
y5avRThanTVJqXD77VvKV0wkt3tbiUeGDHnqTIfEWKlVtD5huF7a9LfpvHjx
2DDMm4M4k1dVZJknXrJZCq3V+fbszcfXH7irQQzRTp2Y5/CLutCSSm22nCTk
hrRJS9sPuiv7RV5kxMNmzE5aEaFh0owW7fo/kSA4lKM8HENxi7Ww3iPICn8B
Pbng7LPQJkHws6SM18pbyNMkTRK0HtW1eu+sulRMFD5oVaGiy0FJ6z0XFAm3
uWJPujfq/DuhDj38LoBNUIJQXAbcGciOiCvXDXdsHLWAUWXB4diwpQIKVVri
YC4hOBSUC83+YEk8w7wjrGHdbcz8Fh/ECDhkUAaTJDi14BeqjCiH96JHO4uW
zJUHbLjTAhT3FycBxlLVDb4FfYVxpj5TogCJN5wdtEAbVDIsWGMkL5j1no3j
+eNJ6oRika+uc5jEpesYwt/jjLBmBwQ/1x7WuesCHutnlNXNZUlFZr1pOSm2
0zIV6RYYPWJ6MmFbidH8yqxEfPFbvYkSoo2MKbWzB4blbNTV1mwla0LwuVVe
puGk0OtNrhY+RS5YNDHCDOJ+16qjC4oe/ldikqKwxGgyGGkynwij6MgJJjnQ
w0XCq56gDGuyE7xp0goDC4Ovvzs9U51ioQAjDPCF3R+aT7ttp6DuJF70VVbp
t1XOKeAul/A2vGngcq/eXejASSO2VYN+Gl8rxeOUkR2MapK9Ei7O3SzFWFgO
VSA302mjT3Ehkm73PssltInZda4pLnUgU2IO+zDIwUC/kZzP8IzlmpJ8oHuP
0+ciR6c8IvejBOl09lTbLlhDvuHtF2heUdKZ4OniXjWN1T2S3auteraGl+Ug
W6P8GE0SiQB2JpcaNWNU0qakWx+QVeW35fzfl/Y3vGSn3K8QS6JenmKbgpc+
fkDwYdH2cTGCqubRd9qmMQewYBW8PDWkAm76izuBh31TLHTCRz6hL4peJHht
6smW1gPWRY/1f/iUyH8NqGHJHp2/1k/gbEISEBWCxUgDSfpytL06s79wey88
oB5tL2+ogk1ObWgettSBmAmhyhCBN/I7Kd1IWgCHJhClST0RSKhnyP1B/UUF
mjJAlhT/M3WQ8nkMqyIANp6dO+YXnJSvGuKg9qdZVvSI7zYlXAO+plSGwLhc
Mkq2nOf7uon6Kn/DlACTuCD+YQpyJ6umK6IdsuRAeIaMibIWuawDieZJOc76
5L3uKHO1jzQNls2msW3Kjl8JwPVi3eVDeP/gNheD9JakegL859Y9e3U8aD5A
HmcDTGhLpMEsGVlUOpviOm4ZS9zf6kJxxXYBy+6H2PspLLUtOJwh5EUZjysM
OYoiBucrUPQjjZQx1a6oV5GjJ/2AQNnkPk6ixSlhcMfRXFHCxbszyneVE/LC
wJuhPC5FfIeollsEGqVOM+7SWmaMoOWpxjbzMTerXGRFHHPpwRrEDx1GY1mV
E5jHIXdUHlUNvBUPpnSCw86w8UaRcY9JH25kFYJanhwyVdQfqr+PUSM6rvv/
5tWLLMveFP3vOkKUshsh2gVH00aEhG3Pobj7juHOHUodKW2PKcW6TErtB4K3
N0BeHqrmtcdCSH1CYYHSDQICg+cEF1xCbW0xpz+TosmRZo2eUDtuAbBN54/F
pBgV1dk6LuBXKWjyNDtW3mYMJRQ+mua9wrbKRVL3grAfRR/HDHCJy5tgE+ao
LodbS4jN8bqkZOFLDxlaspHPWpc6vYIKJ6GDvKzYrzF65aKHemWuSa0ibj9X
/sAkRLDaxCQJQz4fdzkT3sqv2SiLIpStgPxtDK8TT09Ww1kxOlv2PiEWo8da
5lgahlX3ARHJbVcxBFnmvf1Ubv3Oxd+yfml8o5hitJKmDsCc7J3RJcYf5vKW
Cfxa11aSbC6PpJxCSScHsdhdKq6rcEfk+VW5aCUHe1gDVYzooXSS6nUehuYo
IhdEnMbmzIzRN52jlzvmhOGO4+YzetmCb7xDB8AKQ0hoPiJoTEycEoywfLFO
y0Qp5tBzMaFrSubJzcI9DFB3zfBxpMTKD2QYIsXh9gHPXLGc5LMoPjNLWnH8
Rqyq2R0M8jgLWqvUxI/NrvaoLCMg1oQ2ljAj7952Q+oudztCM0JRabUQiZc3
bh5CKfU3V83ttuy4QSpcjarjEvoiBzbqjIOtCOonCTcuas3V0OJ0Hqoa9Ysj
3BI6y8igFw0ujl6IrxLZ6GDMHt8sQqsRGSMYgGKlzkYuPTcTqr3GqRqwZPem
zT5RpsYpVeeKMXTmMYYcVhBD33vUGAe6Y35xQe0Z5jHdAvDiqju8NikuxOBy
X+2W/Sj8S3hKD96wwLudmlSM6nwVEM9C2hTOyM1FyqdVRAbrg+GXyAB3nmsD
PBLjM4rau+7eR3EOinvPjZvknOB/X16h4wqPY051IHpAQBb8qcePnlGG31Xg
UyG1+lspznWuLiItj23PTZgwsZJBnEfLWMSskFwojuVSjbxgPdHa356+VF3Y
/ipe2ehuNYxDQ1c87pOzKnqU6hixLbVxZoJ6Ip1/b4PjJyqBgWFh2xQB6aZQ
bYe7b1CKu7XgGIOYIo46BpqVZvKE3WoLcsolkFjKw31bNnbBr9JCJkYgSsqZ
cINCUZSC387fnV4MqeL5kydfA1W4RHvWV2Qu0SnzimCYwiJdEQISbMAbQUuM
Ycc4Y/PJc8xq0zvHdBLS5ohUsOYDXYhhh1z3H3Jdtdg0AqPDIZDjkE80aEBx
zhajsqhURaF8zupH91E3R3YoCTN4MxRYCBE6fUrj6bvzFPuGgq7i/61G1ixA
PGN/YogI8uKshD9iB2jFvVa+Q+pGtAzCyjWU5PivEXT8ggl/k39mzEbjqaPT
iZms5CgqLtne53uge99gY8b5Tb9XfjjNk8jx9P3ZUcyXgss/ArSk6jLprUJ8
KehBgprDIOyEbdDwmpFuiWcY2FZOaCcKXkJXOUJZx7DZJ3rHbHjXccA6mkoj
vzxgGlKhPEZwLUHlRmYknJS5JrETuGPc5tB58GiXvj8TO9EVqupqcTuxoJqz
WleNCM3BID45gUg1NHaSPcTPWJ+0JPxEu4XMcBgxTw0ycprQ8/Ss26gA23vr
hILmCDPqzPucMkm2yuHb+C1hargE9MMIgdNUpo4rHiBrOBHKWZAxLPPY0JGH
R0Hm1aNxl6GpAigu/vGiz+E9Ta2GPmBLki9FM5cQaASSg4sRGNQKmGtVeJJd
gMq/LnuFH+JPkB+vl/tBtyE4d3a1De5mf4zdozShuSKX2U2hoNC8XukgE1Gg
u8lO6Kx3VYD8NvtXxTU336y9JumvN1kJCktFd3tSv2ALFK+oNAoJmPfRdWwL
dJAYDMYkkUlOp+accqN3spalJYSib3FLAbb0t5h1hzWo09NkLTqBec7DfHCO
jJXBngnajnsE+RNUpaOEXixPMelPaD4pys9Vb5S2NXHdxErql1IXaPQiHH7t
Woglo3DikgxFKCQIncLTs5qZyavrs9OYNXMWgmDOL7iTAzmlLeIdAS2Kd8F0
hHXCaDvHaf0VMwDRqKV5cMjgbFbFHEtTNGMiokTNvmZvUKSjhUvLaTUY4CVo
Fv8+O33QbuHo0mWDtvnoo7bLnG7AGhueDEsxFFML9WWMcfVAFg6IXtiRtfBd
77hds/LumHJgnO87PfGQjUHEyiXWFJZDQeCTpDwKpj9pzhBMv4GA6RKytzNU
hJDQlEvSrZnMVlZLQ85jw/W9ZI9erLlTiZoqNYaIJKqdfJF1r4i3KdHFgwVd
JAJp6uDP3Xov+YdgUK7YCgkUq70ocTVEuNzPFlPMFrsW+843Y87LLvHikByh
R0ItBF8gkrUMwVO0G9Ei8q5rluTu063lcGartia5HukAP5XcTY89gBga14JJ
zb+VsSIrTpt4q52KDR6lLR9Z+6N9odnp4fxYueUthmTgwkE0jU1BzNzQsYJy
nSR7UTqkpR5d5BN1M/a5PP7a2fpLD80GOzoyuV56P6i8TWpW1acWvoR7LiyK
k98EgIJUnVZaa+BHOcW/Rn2YyuuupHgR/wYbZfB65pHleyXyeKBzk21W9uFc
NWsqcsnHhGOhMO6+OHSdi8bDF9q7JIwqxbmWqmDHkYnBK8J7I/M2Hdcm32tB
CdhWVIcrbafZiLIO8fGeOuYfnV3ZKRQNAfLCwuaqz8B1KEMQ1zJXSAyaNsoh
AvTXYhBMipF1JV47cj6ekswXE2fOiYkRc7EdkjMOeGUC1143rnMtXCssDrgU
i9tjZnCWLBi4oQSOgWi1s0WzI820VmaLnpQSK+12mJ9TVE4Gh+sHFClkzYdQ
fIbpM+wx96w1HixrENVK3d3BkybtixDXI9876xUWbMByhWL5SiL/QAVFWh1H
0lNsPNGvbHwZgBqCiDOCB5E0wUk5a3QQ1DmLMegFiCyNtFRHNHXTMwVAjxiq
XnoKkTOfSZQqZ79/Iz0y2Ycg3X8CBxmewI23XsiJI8Z68FeeSGVuZ7SXaz41
VtBhFL/fb4vsd+y6/p04g54/eOz7RD06foJ+z6lPKHRgXJ1MO06HFCQ1h23h
PEHMSi4yFiBu8z+R6f4JwfSSNqsvqxz5lPnL7o3BTj85fkgzpNr7OJdVCMZU
ch/vIP++6DOcj585D9y9d6dnRwp8ksJFmnPYw7DmveTbajV6miCOSbj6gSmy
1Now/FMAuTK4eYWfyzkqoaF6/nzn+7eow3BXU/E/5Vczlr3hf4vlctkWOh1y
JLMBIKIMd85FE0VlwPozsXiw2YA/tRvhidwSQh0stKbDvz10OS7wNv6D/Rwv
BHUYP/d32XenF9/d0xIGPaJXSK5/S5viz+lvsz8We4X45ZivTUtRzBwwsiH5
4m7A1iJ3OUa/In7z4PcHv/89FsxGffsQGcdeHMd1kV7BdfYdmo0ucyNP3sYv
jS2Mv0xLFKamK+xGmRc8jS9wB1F8K0j/K+9VJrdFcnvU12tQpidHNK9kZw/k
C9wJas6GklMj8Bnh4Jz6M1GiTXAtiL1KYFk9n5CbbKyZpFGlCfwSnC+cux6Y
oCpyZaD2/hwz73A5n4p90LMqTg1USHlCGiZmaAetbneyHNTMHa8HU4sk1YF8
/sGk2yLxJpmngFWkT6GCPpe6RMNR5nkGWOYGC8wt+WfjS9o1kC5aEgMRk8RW
No7zDXDMQ33Or2VMGQ26mgN1VpB5dWIJYMNnskFNXhzCIg9VtJfULpcvEi06
QmkPdOJi3YluSRawYd3miixBlR2mKgXRyBIWJsvpk/Xe24Ci6vVO2UhVcDtY
VWHUPwufKr1LTWL8BKsCX0GdO/SsJ+LdlsVStZtov7crOmBRj90Gyw3hHSTM
U0qSlaqTrp95N0tELK52ineYqx6jA6XuA6ONkHLNgsKymBytGVF4e0b8EmdS
3zixKIaXvwuDDCLaP0KvyjmzXgQswfR0GJ0RRzZy12bXo9tOt7epr4tWHA0B
QB0xwmZYHlZzagKakx50Y1MUvXQd8A4Rd2dg+MN/OMQFYnRDfPK5Vodst5wZ
QqiYwmnYVcVYfJ97YSxyelSCpSsbc0bzJRrrFtFTMWnbS9qOBQFY5Eb7SJpi
2et73kpJ8/JTH3/TptwedPrADkWzKqUHvXwjhTFx543JD5jRnotqPtCQjNIZ
vo4E947grThfO9XhRKc2QGLQFOF+c/KM1IGbCk4ulcZQ0JjejC3y5P3myOp0
+qTv1G7bEacflQTnGUFZx4pGF2szr9+9/PDP5x/vgbwCbeVuas1voNDIZ0d1
Gt9Dz60kUlNMvCIlu4eAxaBnOaJVspVQRFF5KlKaR1Mmtz/ZZnhd1ZUXhvwP
reg304oMsmSi7Sjppwyn46H/fGtC6lSsRXraSwjVnrZLKF9MhJIbX0kOq952
bGyQW4grylToXD4OpTpiD4LKpIuT5lG01UEpLzAjmu4cGi/ipMUu3FXiuMUM
KpJc2IQCb3T4gBk6zKt5FSZLy9AxWngnBbB5EJWZ7LFQdzkBNmieb4O41m0p
fmWLTHQWmnCvsktVl4TyhBKJpGEeP/IyasDHGw+vb5DXrpvlrrNpa7EvxSs4
gMXJzeFbBs8y0tbPMqdeFegNz6U2M21/7Z6dCTgz7rvrWRMedc4ybYOHXR/5
vuzT2s/SN0QawffmPCDusQs/V6U2G3Frl2STtKRUszlcbA/16+T6doaN0FpS
hvjyNVI7S7bafB/aWkfz4X0YNOnQxhbjypI+Ja+OTt06If57O/buF5w77KM7
ecLEcs0rXYdSKts2z3pSny8N5XtEwSLZTs3Qgfe2KqBdWhzrTAy3EHVrUwwl
hU8gP2UzgUZsJhVnhKBjUMvJUM/EzO/P2BkJI1ZAIJ90IDAc0DRsmlZxNPGM
OXYEpHutJw+CewW6cI06IamLlPrprTNQi9BjDJZDpZlyPBjrzYe81XQV6n2U
0GlLHvals7Z0RCI9VxrWeXktbJhRbNtdf4Vq15517WJLrvkOO16xVXyKrs62
0zvm2q5QZo02Vw4T2VPmLxFj0Wx5HwWzcZ1X/lEbyxy3oNA1LRemjDz2K9sK
UqiOqa7NSxZ98SVimcAWd/8/o9cgNeBg9lWs5Huyw9p7zGbjMGO/+srhU40y
j28qsAbliiU901mnkvC6y8e1g2RgzowK6LF4QgG+BKBTce15lMhsoTYFfz8J
bGkATVbFtppogaEAjhP4PmigMMlQgkyN8oHyT6JoggbWuNrez/OKnA1FLfQp
ViYvaXrngE2EAk4OAwTMCVGAAkT04baiC4K0QK4MurXS60oyx8bXvq5ySkx3
veO1bPuQ4zSCxEjqH9oKZPMhHDdjMdOEVsLgRTlX163AoEvvGQnqyzD0HqYZ
cPXnogiSIT5/NVcIJ3WladKKRnyVW04VU5nePGKPGiohQcF5EmPo3kzl59Z2
6WxjVQ2d2EsmChVTUVdMbjWY8aJcdUH/pXi2YEvJ3Q3HJ7AgltAYr5ezRWwz
Ai8MAyAUOsc6ehAtLWOc9UNM/dC8mzSAs9N3p4MLTL+U2je0B5m1sVfIy86P
+y21drlEPrgPzqXDf2T7Ochw4OZqBp08OJllrwn35SWletmfDjFNe67DBUkd
rFDVi9jwPaDPzF4V3bItyVKYfVBs+4MnJw9mb0tWTkbJfPZfP353djF/9f7l
92C5fPxvYgl/BXce/btgUDEeJZ12Xn8yvPcN++xow0UY8OUm2UA4VHnJdfaY
Nc/4G6w7CCJN00oyjSg/5eWVZIN5kRHSWL7YspidcHUT4xusBG9Q5v42by9z
dF+/BLGLesBpVXzOqezlZYXodxLH/C9Nd4UmEFgeGJd9S85DG+UdyOc8+67A
QkHxTQk7txC652BgpWwiIO7vivLTpzL7R6A1xDyqZ6HgiRSdoGXx1q5BsC4o
+8tS6WmDNAWC6tidDgE6T7FwyeKUcvZN0dZ5u8pOF80i93eLFKgVlTLgxy53
5UoxRzFxGZZYNZcHB3+TPTjh3gPFSjOHQ43EOjs7hzNR7ea6sJ7lpHVRmWww
GWi0hzDaKY1GXAfLjuMzvnBnfKb3/qOpvDTII2mHoENwkhIMyzjh+CuCRGc4
dCMbevdx8q6nqYCz+wH4IjfAZRWcehJsROV1qVNogpJiACM/gZE/FByLLHv1
AQZl/3DIxg6pGBrNWOWwQa384Q9GAjz+A5p5w04iEL4//OHYDkg6QpBnPTpz
3hfE64pqW0JazUzsaIyY8lrnsnTeo9EB1prbbA5ockPdxnXs9P0lYc7aHUen
uoL7vw8KyI8EqRT3ZAvdxbiMN8FOwcCEePLJOUC+YVBbaJupxTGnuq2o3ELa
N8At7MjPYuzXzzTJdRNyO5QFHEq/DVDAZDFIZvJHHtCf0Leg2ICi8jYH/R4B
fIV4NkXLII3dtqiovmJdflY8i9MaTM6b7IemWdnylDhbBHXzsxVzrpTWQapc
b1jgC6LSyhwwKxIkC9nCJVntqZ6/zKU6FOXhJbpbRO92KRawjqdu3QzzME7d
vB3y0jNcPLKPQ/71IR8ZCYZVm6/7+XSXmIOD+XxOkOnIur5BbnyuusRLNcjI
t9CLE0o5tkIyK+dh2xaxy/JaYxORn8p6HCFQADCjOWEUBauPkKxSMvnWZDj7
IO1pSzm43OVw3/pC7OqkSo+bOLEqSHEzj+OmkA/Oc6fvRViQhuAfzYBAWa3l
MiidqnUz7+Jgr3zCAwVZ+xZKTVLU9lw6GamXlZy7f4OwI5Se1qnydP/7V+SY
VYT5l+caqWXTHcWyQp+gM5iaToS098iNtJJivNS1ZF4lzlse9dGoMMVJnhJi
9uT8Sm1C5oo8muaYZicorgTkQbzJXRA0NrbsLluICEd9YE5JqJjdrJDciplu
irSbi0wxNOFIWZO77DQjygz/ktkuGWVxOwLPNnxuspzxuE0o88MKWu3MG/VR
hb9i2464s2xIaAuBUkHVGYmj8LDbrtitmnkcppbX1ctsBcqWx6PNl61rdGho
fCztpeN6aRlAig4kFh0tSVY81mkh7kHDFPK2aQNqNDvsuJwyuqkhazi0CHZu
o+RhAp4pDOIIzUzO0JAkWXfzGDdOe2PuuPJjxPHI1DzSpe2er6JvWleJe8TV
fILuw4BGQ+/0PVESQ0uJ2WjTgSPxBVgXuv7KtzGgeBN9Y/Kergq6d533S670
9suunFMXMPrsRKumviFUWBdU4nO85RXki4uCe3n02K3I2JXfOzoDa2Qh8/mW
oVlm4q7WOgYySzxjoyk43LN1cWOd1XptaWEQZq5aes0fQEvJBQTYdMHAOmXg
MIxpUaNTglfrcvB8gXaQcOJ2PvwHGuaQm33i3qr8OLTVyCOzEGbTaqHkDdwy
eTg+Lmv7xRSQNm+jGeNfHTK933kWb5KTwwQKy026tnH1UEjsT/vriTAdyjX9
u6tOvr2pho9NCo+QITTFQnLiOQNcGk5zGVWocEbbMMTmr/OSM4DJaRq6+sh0
L5KOdbBi6T3HbqoNTeMHTdhNUw2ShndMrQa7q8v65o+vvn2oHSKePzh5Tv06
8PMfissdQbqZMyUYqejvjfIBo1uH0deT4wfStP3lY3JBBl9OljOY37YpGZhA
Muw1vjDi/ckyBzBHYa9dSwHL0VmwTziXSh7+jJbSBk+fhmqkoH2xt1QiXQzq
7MidpF0Rcs3JTzrgBK2DUCRHQX8iP3HkohxsdNAlmmpFnGhyj8cRh1GJvo61
EifpbhuU3L+w9xL4KbWBBb8jT5nnt3Ft7Vyie9nhaa0YDx+tg5VvVPJGwj0w
pL3MqeErMnc6cRiRlUoSNFZuA1ga3Q7trar156FqfLRYXDr5HbtL43unWil3
yWhosYeTdT6pMpP2D1NNk0Qnwt4mWCPGRmbsmU6bLzNUPaLrddY1Dt+XrRVs
PgJ/r/e+T6qUNcVYm7JUzXY8pJjaVbM9DP0p4D2fC2nk+FWkpb51Wio6mE1B
xZSGYKd9jNyebFZxz1CNnsRRHlHaksIwvY7iE+1kZ0rWkxRukNUu1hN7LTki
pCdxfMTJF7CXUkOXU6WnWIHOoOIhKwI+Rmsbpgp/2TOQae7yecpho1nGt6OG
9R58PN2MQaJ6POnsntfbpfWlYQUiVlVVLnvJplzv0JtzNFNlAN9SKgkt39wu
UrI5DgwHzJkXkp5kbiDxJBCKBz5LKWI77D6j0ySL31qrab7AaDimrG8JRc0O
MuoNy0PNuV5yLiB/RwhrGT6DUpU488SHNOmL+oH7hsoHiC53yxzErCsFXljT
AxzQAQlXGsZFEcPMHGUUUe/323YEhjN8bWskIGr4zNqVf+07pZ88/vln/13x
CygsdhHAMW79dr2Hb4PKtG3qThFaxubgDkaf7o5Gvi81iUmXEyVtQb5yPEoP
Xf4yD3+JRg9WbZ4tmgYMwDrpPESRvkM5Ixh0dMmHvJC6uJlHb8/x7U5o7GzN
wUXQXinYfjhLF8ko5chrAwwBMGwCU8YRyjAC3JVoANmenLooyz7igzE5EnnF
W6jnKzs5ujwNJ8pXaJQrSrM1gG0Keelxx+SA2veon5eujKI3S0rJbVw95ejj
jbhnwS1LuZDeTceORrDXsUJHcnTJl6fYlsE7dxfhQRdUIV7/ChcUaYqHH3It
/TAeIGPD/rob6tnUF+YQX1Bd91/ngloPx/+5F3Q4Dem/a2ColKBOpIztd/bz
C6CN4pBmNXlrbevcrZ1Ko8BtpOGTi5pPSSjdxztfWv7gr76zAVyXtHSZZuwu
jDeNBuGNG920X376w7GUvKZOnDgBPkCvzkkXnmMxT3Ekx2bQzXKvMKmWsz6w
TFdTURzhTZEev0bRAU9cx18kOrrW2KBA6oFyzQhP3vsNqWo8DcAD62PxuT4N
5jQNoonl7gDcTU8IcYQIaZBfRogDweGI5i6qoheSCGw+obV9kfv9Er30lDwL
M/85DlnKjy+vcsw6uJQkQG2sOKdMkFSbHczKKBqpeNfN+YFosr9KsxUxdYtW
EbaL0XLvtGZ8NF33F/adLMXIAyGeEqI8HEqzchU6xEw4LhmOxTqH5UmuB6j2
gbUlZC/wQ2lEhZ0Dx0jAVqK43lWcG9cFQBjMmihYi6GCl9iNwq1MrrA8l28a
5ny4XDSERB6yPcV4dGPL50IWpQYkuf+FVrQ3XJk57JZD7uK2YKcbcp/GMZ5O
aGRPAYV12Yu6NvZ9cz6z2HfQOOqjxE5ql1xAhBWX5vHSuqDQXsugJicKKZLN
dAYp6c6qP66kzYeavcAwm9E4qsJ7MGklrlWBhkAXi0NXd5Htk+OJLgka6tPL
KOzPrZx1+ahnCSWSrDGLylR9ip9GbafCEL7dAHcTlqiIvR27bHSNMO+HU/O2
pgdBLjFljklwE0dM5i6PNHyYgDFhleUx6Cjj8wr9uR8NpmUpJfoS+7FUtMms
vd8BpzF0R7nEQN0GTc8LSjCFHu4sSKbjno+Ps/dYCowUmd17dBTc8SbDZikh
D/af3UHSNroJPhUgcAaA00YkEavoxMlkqsqtaoodIEz6yZf3XswEg13VU7hH
h6s/UWKB+SePRlfmgMSV7f3ySTvgRt9ciuHC7EJza0vEjlsWLp9jTS1fiWUQ
H/R5x6G7tLmdOTgk2Q7YwoC/qNdc2oC5g9BOclTvQEvFAISgukQvdwNaIL8U
yjjlR7HDj2b94g7MJ7jTQtPcGd9E6n+LijbHRUIMwsriLSXcVRoyHlRHOBeO
MzNDoQ22BlRG8u66jU7W392yp24i3a9x/DH7cPfu4a+7d1LJzuTpGsN1occJ
d76wVkOein8FBbuRmHecra09tt/GW+f/C3bxVt3vjhzuSbTTj/+CnTa4f9xk
DxwWdnnIK37tLlsMgmk17fg+ZAcDweba/MSsorSUJ2uMMqY6/r/bOzZYF4EB
AA==

-->

</rfc>
