<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-netana-opsawg-telemetry-over-quic-00" category="info" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="Telemetry over QUIC">QUIC Transport for Network Telemetry</title>
    <seriesInfo name="Internet-Draft" value="draft-netana-opsawg-telemetry-over-quic-00"/>
    <author fullname="Benoît Claise">
      <organization>Everything OPS &amp; Arrcus</organization>
      <address>
        <postal>
          <country>Belgium</country>
        </postal>
        <email>benoit@everything-ops.net</email>
      </address>
    </author>
    <author fullname="Thomas Graf">
      <organization>Swisscom</organization>
      <address>
        <email>thomas.graf@swisscom.com</email>
      </address>
    </author>
    <author fullname="Paolo Lucente">
      <organization>NTT</organization>
      <address>
        <email>paolo@ntt.net</email>
      </address>
    </author>
    <author fullname="Holger Keller">
      <organization>Deutsche Telekom</organization>
      <address>
        <email>holger.keller@telekom.de</email>
      </address>
    </author>
    <author fullname="Alan DeKok">
      <organization>InkBridge Networks</organization>
      <address>
        <email>alan.dekok@inkbridge.io</email>
      </address>
    </author>
    <date year="2026" month="July" day="03"/>
    <area>Operations and Management</area>
    <workgroup>OPSAWG</workgroup>
    <keyword>QUIC</keyword>
    <keyword>Network Telemetry</keyword>
    <keyword>IPFIX</keyword>
    <keyword>syslog</keyword>
    <keyword>YANG-Push</keyword>
    <keyword>RADIUS</keyword>
    <keyword>RFC 9221</keyword>
    <keyword>DATAGRAM</keyword>
    <abstract>
      <?line 87?>

<t>This document describes the use of the QUIC transport protocol as a
common transport substrate for operational Network Telemetry protocols
that currently rely on UDP.  Specifically, it discusses carrying
protocols such as IPFIX, Syslog, YANG-Push UDP-Notif, and RADIUS
Accounting over QUIC connections.  For telemetry protocols whose data
plane is inherently loss-tolerant (where a missing sample is preferable
to a delayed retransmission) this document recommends use of the
Unreliable Datagram Extension to QUIC (DATAGRAM frames).</t>
      <t>A primary motivation for this work is the unification of transport-
layer security across heterogeneous telemetry protocols.  Protocols
that currently have no mandatory transport security (syslog over UDP)
or optional-only security (IPFIX over UDP with DTLS) or weak security
(RADIUS with MD5 obfuscation) would all
benefit from the mandatory TLS 1.3 mutual authentication that QUIC
provides.  This document specifically addresses the operational
advantages of managing a single PKI certificate lifecycle per Network
Node to authenticate all telemetry streams.</t>
      <t>This document is intended as a framework and applicability statement.
Per-protocol bindings that require normative specification are
expected to be chartered in their respective IETF working groups.</t>
    </abstract>
  </front>
  <middle>
    <?line 112?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>Network operators depend on a diverse set of telemetry protocols to
monitor and manage their infrastructure, exporting operational data on which
capacity planning, fault detection, and security analysis depend.<br/>
Some of the protocols are connectionless, such as YANG-Push UDP-Notif <xref target="RFC8639"/> <xref target="RFC8641"/> <xref target="I-D.ietf-netconf-udp-notif"/>,
IP Flow Information Export (IPFIX) <xref target="RFC7011"/>, Syslog <xref target="RFC5424"/>, RADIUS <xref target="RFC2865"/> or RADIUS Accounting
<xref target="RFC2866"/> while some others are connection-oriented, such as BMP <xref target="RFC7854"/> or NETCONF <xref target="RFC6241"/>.</t>
      <t>These protocols share a common characteristic: many of their current
deployments use UDP as the transport, accepting the possibility of
packet loss in exchange for low overhead and high throughput.  This is
a rational design choice for telemetry data where a stale or
retransmitted sample provides less value than a fresh one received in
a timely manner.</t>
      <t>However, this same UDP deployment model brings significant operational
liabilities:</t>
      <ul spacing="normal">
        <li>
          <t>No mandatory transport-layer security.  An attacker on the path
can inject or spoof telemetry records.  Syslog over UDP has no
transport security at all.  IPFIX over UDP optionally supports
DTLS <xref target="RFC6347"/> but deployment is uncommon; plain UDP is the norm.</t>
        </li>
        <li>
          <t>No confidentiality.  Telemetry data, which may include flow
records, routing state, and accounting data, is transmitted in
the clear.</t>
        </li>
        <li>
          <t>Weak authentication.  RADIUS <xref target="RFC2865"/> uses MD5 to obfuscate
the User-Password attribute, and both RADIUS <xref target="RFC2865"/> and
RADIUS Accounting <xref target="RFC2866"/> use an MD5-based shared-secret
mechanism to compute the Request/Response Authenticator field.
These MD5 uses are widely acknowledged to be cryptographically
inadequate.  </t>
          <t><xref target="I-D.ietf-radext-radiusdtls-bis"/> defines TLS as a transport for
RADIUS, but still uses MD5.  <xref target="RFC9765"/> uses TLS as a transport,
removes the use of MD5, but is experimental.</t>
        </li>
        <li>
          <t>Fragmented certificate management.  When operators do deploy
security (e.g., DTLS for IPFIX <xref target="RFC6347"/> or <xref target="RFC9147"/>), each
protocol requires a separate security association and a separate
certificate or key lifecycle.</t>
        </li>
      </ul>
      <t>The QUIC protocol <xref target="RFC9000"/>, with its mandatory TLS 1.3 integration
<xref target="RFC9001"/>, addresses all of these liabilities.  The Unreliable
Datagram Extension to QUIC <xref target="RFC9221"/> further allows applications to
send data without retransmission semantics while retaining the
security, congestion awareness, and connection migration properties
of the QUIC connection.  This combination makes QUIC DATAGRAM frames
a natural replacement for the UDP transport used by loss-tolerant
telemetry protocols.  For example, losing a YANG-Push UDP-Notif
Notification Message is generally acceptable for network monitoring
applications, but may not be for security-sensitive applications.</t>
      <t>This document is motivated by the observation that the IETF community
is producing several independent drafts mapping specific protocols to
QUIC (see <xref target="related-work"/>).  Rather than leaving certificate
management, connection lifecycle, and operational
guidance to be re-specified independently in each protocol draft, this
document defines a common framework, or at least a common problem space.</t>
      <section anchor="applicability">
        <name>Applicability</name>
        <t>This document covers protocols that satisfy all three of the following
criteria:</t>
        <ol spacing="normal" type="1"><li>
            <t>The protocol currently has a defined UDP transport profile.</t>
          </li>
          <li>
            <t>The protocol's data plane is inherently loss-tolerant; that is,
retransmission of a missing record either provides no value (stale
sample), is already handled at the application layer (e.g., IPFIX
Template Record retransmission), or occasional record loss is acceptable
for the target application (e.g., network monitoring).</t>
          </li>
          <li>
            <t>The protocol does not require sub-millisecond latency for telemetry
data transmission that would be defeated by the QUIC software stack.</t>
          </li>
        </ol>
        <t>Protocols that do not satisfy criterion 3 (e.g., NTP, PTP) are
out of scope for this document.</t>
      </section>
      <section anchor="related-work">
        <name>Related Work</name>
        <t>The following IETF drafts address individual protocol mappings to
QUIC:</t>
        <ul spacing="normal">
          <li>
            <t>NETCONF over QUIC <xref target="I-D.ietf-netconf-over-quic"/>: uses QUIC streams
for reliable NETCONF messaging.</t>
          </li>
          <li>
            <t>BMP over QUIC <xref target="I-D.liu-grow-bmp-over-quic"/>: BGP Monitoring
Protocol over QUIC streams.</t>
          </li>
          <li>
            <t>RPKI-RTR over QUIC <xref target="I-D.liu-sidrops-rpki-rtr-over-quic"/>: RPKI to
Router Protocol over QUIC.</t>
          </li>
          <li>
            <t>IPFIX over QUIC <xref target="I-D.llg-opsawg-ipfix-over-quic"/>: IPFIX over QUIC.</t>
          </li>
          <li>
            <t>BGP over QUIC <xref target="I-D.retana-idr-bgp-quic"/>: BGP session over QUIC.</t>
          </li>
          <li>
            <t>RADIUS over QUIC <xref target="I-D.yl-radext-quic-transport"/>: RADIUS transport
over QUIC streams.</t>
          </li>
          <li>
            <t>PCEP over QUIC <xref target="I-D.yang-pce-pcep-over-quic"/>: Path Computation
Element Communication Protocol over QUIC.</t>
          </li>
        </ul>
        <t>This document complements those drafts by providing a shared framework
specifically for the UDP-based, loss-tolerant telemetry subset.</t>
      </section>
      <section anchor="requirements-language">
        <name>Requirements Language</name>
        <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all
capitals, as shown here.</t>
      </section>
    </section>
    <section anchor="terminology">
      <name>Terminology</name>
      <t>As in <xref target="RFC7011"/>, the first letter of each term defined in this section
is capitalized throughout this document.</t>
      <t>The following term is used as defined in <xref target="RFC9232"/>:</t>
      <dl newline="true">
        <dt>Network Telemetry:</dt>
        <dd>
          <t>The process and instrumentation for acquiring and utilizing network
data remotely for network monitoring and operation.  A general term
for a large set of network visibility techniques and protocols,
concerning aspects like data generation, collection, correlation, and
consumption.</t>
        </dd>
      </dl>
      <t>The following terms are used as defined in <xref target="RFC7011"/>:</t>
      <dl newline="true">
        <dt>Data Record:</dt>
        <dd>
          <t>A record that contains values of the parameters corresponding to a
Template Record.</t>
        </dd>
        <dt>Data Set:</dt>
        <dd>
          <t>A Set that contains one or more Data Records defined by the same
Template Record.</t>
        </dd>
        <dt>Exporter:</dt>
        <dd>
          <t>A device that runs an Exporting Process, sending IPFIX Messages to
one or more Collecting Processes.</t>
        </dd>
        <dt>Flow Record:</dt>
        <dd>
          <t>A record that contains information about a specific Flow.</t>
        </dd>
        <dt>Information Element:</dt>
        <dd>
          <t>A protocol-independent description of an attribute that has been
observed or metered.</t>
        </dd>
        <dt>Observation Domain:</dt>
        <dd>
          <t>The largest set of Observation Points for which Flow information can
be aggregated by a Metering Process.</t>
        </dd>
        <dt>Options Template Set:</dt>
        <dd>
          <t>A collection of one or more Options Template Records that have been
grouped together in an IPFIX Message.</t>
        </dd>
        <dt>Template Record:</dt>
        <dd>
          <t>A record that defines the structure of a Data Record.</t>
        </dd>
        <dt>Template Set:</dt>
        <dd>
          <t>A collection of one or more Template Records that have been grouped
together in an IPFIX Message.</t>
        </dd>
      </dl>
      <t>The following terms are used as defined in <xref target="RFC8639"/>, <xref target="RFC8641"/>, and
<xref target="I-D.ietf-netconf-udp-notif"/>:</t>
      <dl newline="true">
        <dt>Message Publisher ID:</dt>
        <dd>
          <t>A field in the UDP-Notif shim header that identifies the originating
publisher process within a distributed notification architecture
(for example, a line card process).</t>
        </dd>
        <dt>On-Change Subscription:</dt>
        <dd>
          <t>A subscription that delivers information to a Receiver whenever a
change in a datastore is detected.</t>
        </dd>
        <dt>Periodic Subscription:</dt>
        <dd>
          <t>A subscription that delivers information to a Receiver at periodic
intervals.</t>
        </dd>
        <dt>Notification Message:</dt>
        <dd>
          <t>Information intended for a Receiver indicating that one or more
events have occurred.</t>
        </dd>
        <dt>Publisher:</dt>
        <dd>
          <t>An actor that pushes subscribed event stream data to Receivers.  In
this document, the Publisher corresponds to the network device
exporting Network Telemetry.</t>
        </dd>
        <dt>Receiver:</dt>
        <dd>
          <t>An actor that receives subscribed event stream data.  In this
document, the Receiver corresponds to the Network Telemetry collector.</t>
        </dd>
      </dl>
      <t>The following terms are used as defined in <xref target="RFC9000"/> and <xref target="RFC9221"/>:</t>
      <dl newline="true">
        <dt>Connection ID:</dt>
        <dd>
          <t>An identifier assigned to a QUIC connection that decouples the
connection from the underlying network address (IP address and port
tuple), enabling connection migration.</t>
        </dd>
        <dt>DATAGRAM frame:</dt>
        <dd>
          <t>An unreliable, unordered data unit defined in <xref target="RFC9221"/> and carried
within a QUIC connection.  Lost DATAGRAM frames are not retransmitted
by the transport; however, they are subject to congestion control.</t>
        </dd>
        <dt>STREAM frame:</dt>
        <dd>
          <t>A reliable, ordered data unit defined in <xref target="RFC9000"/> and carried
within a QUIC connection.  Lost STREAM frame data is retransmitted
transparently by the QUIC transport.</t>
        </dd>
      </dl>
      <t>The following terms are used in later in this document:</t>
      <dl>
        <dt>Session Initiator:</dt>
        <dd>
          <t>The Network Node that actively opens the QUIC session; the session
initiator is responsible for starting the connection, performing the
TLS handshake, and for detecting and recovering from session silence
by re-establishing the session when required.
The following term is defined in this document:</t>
        </dd>
        <dt>Network Node:</dt>
        <dd>
          <t>Any IP-connected network element -- including routers, switches,
servers, and appliances -- that generates and exports Network
Telemetry data.  In this document, Network Node is the entity
that acts as Publisher (<xref target="RFC8639"/>, in YANG-Push contexts),
Exporter (<xref target="RFC7011"/>, in IPFIX contexts), Originator
(<xref target="RFC5424"/>, in syslog contexts), or RADIUS client (in RADIUS
contexts), originating telemetry data and transmitting it to a
collector over QUIC.</t>
        </dd>
      </dl>
    </section>
    <section anchor="background">
      <name>Background</name>
      <section anchor="quic-and-rfc-9221-datagram-frames">
        <name>QUIC and RFC 9221 DATAGRAM Frames</name>
        <t>QUIC <xref target="RFC9000"/> is a UDP-based, multiplexed, secure transport
protocol.  Every QUIC connection requires completion of a TLS 1.3
handshake <xref target="RFC9001"/>, which authenticates both endpoints (optionally
mutual) and derives the session keys used to protect all subsequent
packets.</t>
        <t>QUIC supports two data-carrying abstractions:</t>
        <ul spacing="normal">
          <li>
            <t>STREAM frames: provide reliable, ordered delivery semantics
equivalent to TCP.  Lost packets are detected and retransmitted.</t>
          </li>
          <li>
            <t>DATAGRAM frames (<xref target="RFC9221"/>): provide
unreliable delivery within the established, encrypted, congestion-
aware QUIC connection.  Lost packets are not retransmitted.  The
application is optionally notified of loss (implementation-
dependent).</t>
          </li>
        </ul>
        <t>Support for DATAGRAM frames is negotiated via the
max_datagram_frame_size transport parameter during the QUIC handshake.
Endpoints that do not include this parameter do not support DATAGRAM
frames on that connection.</t>
      </section>
      <section anchor="why-datagram-frames-for-telemetry">
        <name>Why DATAGRAM Frames for Telemetry</name>
        <t>Telemetry data streams such as IPFIX Flow Records, syslog messages, 
YANG-Push UDP-Notif periodic notifications, or RADIUS accounting share the property that a delayed
retransmission has less value than a fresh observation.  For these
streams, DATAGRAM frames are the correct primitive:</t>
        <ul spacing="normal">
          <li>
            <t>Loss of a DATAGRAM frame does not block delivery of subsequent
frames (no head-of-line blocking at the transport layer).</t>
          </li>
          <li>
            <t>Unlike raw UDP, DATAGRAM frames are subject to the connection's
congestion controller (<xref target="RFC9002"/>).  A Network Node under load will
back off rather than continue to flood the network.</t>
          </li>
          <li>
            <t>DATAGRAM frames are encrypted, authenticated, and
integrity-protected by the same TLS 1.3 session keys as all
other QUIC packets.  The QUIC handshake authenticates the
communicating parties via TLS 1.3 certificates.  IPFIX Flow
Records and syslog messages carried over plain UDP are designed
for use within limited domains (<xref target="RFC8799"/>) where the network
path is considered trusted; they are neither encrypted nor
source-authenticated.  Where such records drive traffic
engineering decisions -- route optimization, load balancing,
anomaly-triggered policy changes -- or inform network monitoring,
an on-path attacker within or at the boundary of the limited
domain can inject forged records to influence those decisions or
simply discredit monitoring results by introducing spurious data.
Once the QUIC handshake completes, every DATAGRAM frame is
automatically confidential, its origin cryptographically
authenticated, and any in-transit modification is detected and
discarded, at no additional configuration cost.</t>
          </li>
          <li>
            <t>A single QUIC connection may carry multiple logical telemetry
streams, distinguished by application-layer demultiplexing within
the DATAGRAM payload.  This eliminates the need for per-protocol
UDP sockets and separate security associations.</t>
          </li>
          <li>
            <t>All telemetry protocols multiplexed on a single QUIC connection
share one TLS 1.3 handshake and one certificate lifecycle. A
Network Node exporting IPFIX, syslog, and YANG-Push notifications
simultaneously via a single QUIC connection requires only one
set of cryptographic keys and one certificate, rather than
separate TLS contexts and key material per protocol.</t>
          </li>
          <li>
            <t>The cost of issuing and maintaining certificates may depend on the number of certificates required. In large-scale deployments, 
requiring separate certificates for each protocol or application instead of a single certificate per Network Node can significantly increase operational costs, 
particularly when certificate licensing or management fees are charged on a per-certificate basis.
These cost implications SHOULD be considered when defining certificate deployment models, especially for deployments consisting of a large number of Network Nodes.</t>
          </li>
          <li>
            <t>With UDP-based telemetry, the Collector identifies the
originating Network Node by the source IP address of the UDP socket
-- typically the IP address of the outgoing interface.  If
that interface fails over, the source IP changes and the
Collector loses track of the Network Node, unless the Network Node is
explicitly configured to bind to a stable address (e.g.,
"source interface loopback0").  The QUIC Connection ID
(<xref target="RFC9000"/>) provides a stable, transport-layer Network Node
identifier that persists across address changes, eliminating
this source-address configuration dependency.</t>
          </li>
        </ul>
        <t>For protocol components that require reliability (notably IPFIX
Template Records), QUIC STREAM frames on the same
connection provide reliable delivery without a separate TCP connection.</t>
      </section>
      <section anchor="relationship-to-dtls">
        <name>Relationship to DTLS</name>
        <t>DTLS <xref target="RFC6347"/> has been specified as a security layer for UDP-based telemetry
(e.g., IPFIX over DTLS <xref target="RFC7011"/>).  DTLS 1.2 <xref target="RFC6347"/> is the version
referenced in existing protocol security specifications; DTLS 1.3
<xref target="RFC9147"/> is the current specification.  QUIC mandates TLS 1.3 <xref target="RFC9001"/>
for all connections, and as a result offers the following advantages relative to
DTLS 1.2, with notes where DTLS 1.3 narrows the gap:</t>
        <ul spacing="normal">
          <li>
            <t>QUIC's 1-RTT handshake for new connections is faster than the
2-RTT full handshake required by DTLS 1.2 <xref target="RFC6347"/>.  DTLS 1.3
<xref target="RFC9147"/> also achieves 1-RTT for new connections, so this
advantage applies primarily to deployments that have not yet
migrated to DTLS 1.3.</t>
          </li>
          <li>
            <t>QUIC's 0-RTT resumption allows loss-tolerant data to begin flowing
before the handshake completes for resumed connections.  DTLS 1.2
<xref target="RFC6347"/> does not support 0-RTT resumption.  DTLS 1.3
<xref target="RFC9147"/> does support 0-RTT resumption (Section 5 of
<xref target="RFC9147"/>), so this advantage does not apply when comparing
against DTLS 1.3 deployments.</t>
          </li>
          <li>
            <t>Connection migration, driven by the Connection ID mechanism, allows
telemetry streams to survive network address changes (e.g., line
card failover, management plane IP renumbering) without session
restart.</t>
          </li>
          <li>
            <t>A single QUIC connection replaces multiple parallel DTLS sessions
when a Network Node exports several telemetry streams to the same
collector.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="problem-statement-security-gaps-in-udp-telemetry">
      <name>Problem Statement: Security Gaps in UDP Telemetry</name>
      <section anchor="protocols-with-no-or-optional-transport-security">
        <name>Protocols with No or Optional Transport Security</name>
        <t>Syslog over UDP <xref target="RFC5426"/> defines no transport security in its base
UDP profile.  IPFIX over UDP (RFC 7011 Section 10.4) optionally supports
DTLS <xref target="RFC9147"/> for transport security, but this is not mandatory and
in practice most deployments use plain UDP without DTLS, relying instead
on network-layer access control (ACLs, routing policy) as a substitute
for authentication.  This provides no protection against on-path
attackers and is invisible to the receiving collector, which cannot
verify the origin of records.</t>
      </section>
      <section anchor="radius-authentication-weakness">
        <name>RADIUS Authentication Weakness</name>
        <t>RADIUS <xref target="RFC2865"/> uses MD5 with a shared secret to obfuscate the
User-Password attribute.  Both RADIUS <xref target="RFC2865"/> and RADIUS
Accounting <xref target="RFC2866"/> derive the Request Authenticator and Response
Authenticator fields using an MD5 hash of the packet contents and the
shared secret.  The MD5 weaknesses involved are well-documented and
widely acknowledged.  While RADIUS over TLS (RadSec, <xref target="I-D.ietf-radext-radiusdtls-bis"/>) exists,
adoption has been limited by operational
complexity and the need to manage separate TLS contexts for RADIUS
alongside existing TLS deployments on the same Network Node.</t>
        <t><xref target="I-D.ietf-radext-radiusdtls-bis"/> also maintains the use of MD5,
which is only removed in <xref target="RFC9765"/>, which is experimental.</t>
      </section>
      <section anchor="absence-of-unified-certificate-management">
        <name>Absence of Unified Certificate Management</name>
        <t>Even where individual protocols support transport security, operators
face the burden of managing separate security contexts per protocol:</t>
        <ul spacing="normal">
          <li>
            <t>A Network Node exporting IPFIX over DTLS, syslog over TLS (<xref target="RFC5425"/>),
and YANG-Push over HTTPS requires three separate certificate
deployments, three renewal cycles, and three independent revocation
verification paths (whether via Certificate Revocation Lists
(CRL) or Online Certificate Status Protocol (OCSP) queries)
for what is functionally the same Network Node identity.</t>
          </li>
          <li>
            <t>Certificate rotation in one protocol does not benefit the others.</t>
          </li>
          <li>
            <t>Monitoring certificate expiry requires per-protocol tooling.</t>
          </li>
        </ul>
        <t>This fragmentation is a significant operational burden, particularly
at scale.</t>
      </section>
    </section>
    <section anchor="framework-telemetry-over-quic-datagram-frames">
      <name>Framework: Telemetry over QUIC DATAGRAM Frames</name>
      <section anchor="connection-model">
        <name>Connection Model</name>
        <t>A QUIC connection for Network Telemetry is established from the Network Node to the telemetry collector (Receiver).  This
follows the same direction as the data flow for push-based Network Telemetry.</t>
        <t>QUIC mandates TLS 1.3 (<xref target="RFC9001"/>).  Mutual
authentication (both client and server certificates) SHOULD be
used.  The Network Node certificate authenticates the Exporter; the
collector certificate authenticates the Receiver.</t>
        <t>The QUIC connection carries all telemetry streams between a given
Network Node-to-collector pair.  STREAM frames and DATAGRAM frames co-exist on
the same connection.  The application layer MUST provide a
demultiplexing header in the DATAGRAM payload to identify the protocol
and stream identity (see <xref target="datagram-format"/>).</t>
      </section>
      <section anchor="application-layer-protocol-negotiation-alpn-identification">
        <name>Application-Layer Protocol Negotiation (ALPN) Identification</name>
        <t>Each telemetry protocol using this framework SHOULD register a
dedicated ALPN <xref target="RFC9001"/>
identifier.  Recommended identifiers are specified in
<xref target="iana-considerations"/>.  An implementation MAY use the generic
"telq" ALPN when multiplexing multiple protocols on a
single connection, with per-protocol identification delegated to the
DATAGRAM payload header.</t>
      </section>
      <section anchor="datagram-format">
        <name>Telemetry Payload Format</name>
        <t>A two-byte Telemetry Type field prepended to each QUIC frame payload
identifies the encapsulated telemetry protocol.  This header applies
to both DATAGRAM frames (unreliable telemetry data) and STREAM frames
(reliable control and state-change data, such as IPFIX Template
Records, YANG-Push on-change notifications, and subscription state
change notifications).  This allows a single QUIC connection to carry
multiple telemetry protocols without ambiguity, regardless of the
reliability mechanism used.</t>
        <figure anchor="fig-datagram">
          <name>QUIC Frame Payload Format</name>
          <artwork><![CDATA[
 0                   1
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|       Telemetry Type          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Protocol-Specific Payload    |
|         (variable)            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork>
        </figure>
        <t>Telemetry Type values are defined in <xref target="iana-considerations"/>.
The protocol-specific payload for each protocol is identical to the
payload that would be transmitted in the corresponding UDP datagram.
No further encapsulation is required.  This design allows existing
encoder/decoder implementations to function without modification when
the UDP socket is replaced by a QUIC DATAGRAM or STREAM API.</t>
      </section>
      <section anchor="streamdatagram-split">
        <name>Stream/Datagram Split</name>
        <t>For protocols that mix reliable and unreliable data, the following
split applies:</t>
        <ul spacing="normal">
          <li>
            <t>Protocol control information, Template Records, and configuration
messages MUST be carried on QUIC STREAM frames to ensure reliable
delivery.</t>
          </li>
          <li>
            <t>Telemetry data records (Flow Records, log messages, notification
updates, accounting records) SHOULD be carried on QUIC DATAGRAM
frames.</t>
          </li>
        </ul>
        <t>An implementation MAY carry all data on QUIC STREAM frames if the
application requires guaranteed delivery.  This is a per-deployment
configuration choice, not a protocol violation.</t>
      </section>
      <section anchor="maxdatagramframesize-negotiation">
        <name>max_datagram_frame_size Negotiation</name>
        <t>Endpoints MUST advertise a max_datagram_frame_size sufficient to
accommodate the largest expected telemetry record without
fragmentation.  A value of 65535 is RECOMMENDED as a safe upper
bound.  Per <xref target="RFC9221"/>, DATAGRAM frames larger than the negotiated
maximum may not be sent; implementations MUST either fragment at the
application layer or fall back to STREAM frames for oversized records.</t>
      </section>
      <section anchor="connection-lifecycle-and-keepalive">
        <name>Connection Lifecycle and Keepalive</name>
        <t>Unlike TCP-based telemetry protocols (gRPC/gNMI, NETCONF), a QUIC
connection silently expires when no packets are exchanged within the
idle timeout. The Session Initiator SHOULD monitor for the absence
of expected telemetry and re-establish the QUIC session when the
peer remains silent beyond its configured reporting interval.</t>
        <t>QUIC idle timeout is configured via the max_idle_timeout transport
parameter.  For long-lived telemetry sessions, implementations SHOULD
send QUIC PING frames at an interval not exceeding half the
max_idle_timeout to maintain the connection and any intermediate NAT
bindings.  According to section 3.2 of <xref target="RFC9308"/>, it is recommended
to set the interval to 30 seconds to ensure that possible NAT states in
transit remain active, while section 10.1 of <xref target="RFC9000"/> states that the
PING frames interval should be set so that at least 3 PING frames can be
sent before max_idle_timeout is reached.  Therefore, a recommended idle
timeout for telemetry connections is 120 seconds, with PING frames sent
at 30-second intervals.</t>
      </section>
    </section>
    <section anchor="cert-management">
      <name>Certificate Management Advantages</name>
      <t>This section describes the specific operational improvements that arise
from consolidating UDP-based Network Telemetry under a single QUIC connection
with TLS 1.3 mutual authentication.</t>
      <section anchor="unified-network-node-identity">
        <name>Unified Network Node Identity</name>
        <t>A Network Node that currently exports IPFIX, Syslog, and YANG-Push
UDP-Notif over UDP has no cryptographic Network Node identity in those
channels.  Under this framework, a single X.509 certificate issued to
the Network Node (identified by its Common Name or Subject Alternative
Name) authenticates the Network Node for all telemetry streams carried on
the QUIC connection.  The collector need only maintain one trust
anchor per Network Node, independent of how many telemetry protocols that
Network Node exports.</t>
      </section>
      <section anchor="single-certificate-lifecycle">
        <name>Single Certificate Lifecycle</name>
        <t>Certificate issuance, renewal, and revocation are managed once per
Network Node, not once per protocol.  This has direct operational
consequences:</t>
        <ul spacing="normal">
          <li>
            <t>Automated certificate management tools (e.g., ACME, EST) need to
manage one certificate per Network Node for all Network Telemetry, rather than
one per protocol per Network Node.</t>
          </li>
          <li>
            <t>Certificate expiry monitoring requires one alert per Network Node.</t>
          </li>
          <li>
            <t>Key rotation is performed once; all telemetry protocols on the
renewed connection immediately benefit from the new key material
via QUIC's post-handshake key update mechanism.</t>
          </li>
          <li>
            <t>OCSP stapling (supported in TLS 1.3 and thus in QUIC <xref target="RFC9001"/>)
provides revocation status to the collector without requiring
the collector to independently query an OCSP responder per
protocol.</t>
          </li>
        </ul>
      </section>
      <section anchor="elimination-of-radius-md5-dependency">
        <name>Elimination of RADIUS MD5 Dependency</name>
        <t>RADIUS Accounting <xref target="RFC2866"/> derives the Accounting-Request
Authenticator as an MD5 hash over the packet contents and the shared
secret (<xref target="RFC2866"/> Section 3), providing only weak integrity
protection.  By mapping RADIUS Accounting messages to QUIC DATAGRAM
frames, this MD5-based shared-secret dependency is replaced by AEAD
encryption (AES-128-GCM or ChaCha20-Poly1305) derived from the
TLS 1.3 handshake.  No shared secret configuration is required. The collector
authenticates the Network Node by its certificate; the Network Node authenticates
the collector by its certificate.</t>
      </section>
      <section anchor="connection-migration-and-failover">
        <name>Connection Migration and Failover</name>
        <t>When a Network Node's management plane IP address changes -- due to interface
failover or ECMP re-hashing -- a
TCP-based telemetry session breaks and requires a new TLS handshake
(and certificate verification) on the replacement connection.  Under
QUIC, Connection IDs decouple the session identity from the
underlying IP/port 4-tuple.  The connection, and its associated
authenticated identity, survives the address change.  No certificate
re-validation is required for the migrated path.</t>
      </section>
      <section anchor="comparison-with-current-security-mechanisms">
        <name>Comparison with Current Security Mechanisms</name>
        <table anchor="tbl-security">
          <name>Security Comparison for UDP Telemetry Protocols</name>
          <thead>
            <tr>
              <th align="left">Protocol</th>
              <th align="left">Current UDP Security</th>
              <th align="left">Under This Framework</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">IPFIX</td>
              <td align="left">DTLS (optional, <xref target="RFC6347"/> / <xref target="RFC9147"/>)</td>
              <td align="left">TLS 1.3 mutual auth, AEAD</td>
            </tr>
            <tr>
              <td align="left">Syslog</td>
              <td align="left">None (<xref target="RFC5426"/> UDP)</td>
              <td align="left">TLS 1.3 mutual auth, AEAD</td>
            </tr>
            <tr>
              <td align="left">YANG-Push UDP-Notif</td>
              <td align="left">Optional DTLS</td>
              <td align="left">TLS 1.3 mutual auth, AEAD</td>
            </tr>
            <tr>
              <td align="left">RADIUS Acct</td>
              <td align="left">MD5 obfuscation</td>
              <td align="left">TLS 1.3 mutual auth, AEAD</td>
            </tr>
          </tbody>
        </table>
      </section>
    </section>
    <section anchor="per-protocol-mappings">
      <name>Per-Protocol Mappings</name>
      <section anchor="ipfix">
        <name>IPFIX</name>
        <t>IPFIX <xref target="RFC7011"/> uses a Template/Data Record architecture.  Template
Records define the Information Elements present in Data Records.  A
Receiver that has not received the relevant Template Record cannot
decode Data Records.</t>
        <section anchor="template-records">
          <name>Template Records</name>
          <t>Template Records MUST be carried on QUIC STREAM frames.  The stream
MUST be a unidirectional stream initiated by the Exporter.  Template
Records within this stream follow the normal IPFIX encoding with
Set ID 2 (Template Set) or Set ID 3 (Options Template Set).  The
reliable delivery semantics of QUIC streams ensure that the Receiver
obtains all templates before or concurrent with the first Data
Records referencing them.</t>
          <t>This is architecturally equivalent to the TCP-based IPFIX transport
(RFC 7011 Section 10.3), replacing the TCP byte stream with a QUIC
stream.</t>
        </section>
        <section anchor="data-records">
          <name>Data Records</name>
          <t>IPFIX Data Records SHOULD be carried on QUIC DATAGRAM frames.  Each
DATAGRAM frame payload, after the two-byte Telemetry Type header
defined in <xref target="datagram-format"/>, contains one or more IPFIX
Data Sets encoded according to RFC 7011.</t>
          <t>Loss of a DATAGRAM frame results in loss of the contained Flow Records,
consistent with the existing behavior of the IPFIX UDP
transport (RFC 7011 Section 10.2).</t>
          <t>The Observation Domain ID is preserved in each IPFIX Message Header
within the DATAGRAM payload.  No mapping between QUIC stream
identifiers and IPFIX Observation Domain IDs is required.</t>
        </section>
        <section anchor="relationship-to-draft-llg-opsawg-ipfix-over-quic">
          <name>Relationship to draft-llg-opsawg-ipfix-over-quic</name>
          <t><xref target="I-D.llg-opsawg-ipfix-over-quic"/> defines a more complete IPFIX
binding to QUIC, potentially including stream-per-template-set
designs.  This document focuses on the DATAGRAM-based data plane
as the direct replacement for the UDP export profile, and defers
normative detail to that draft.</t>
        </section>
      </section>
      <section anchor="syslog">
        <name>Syslog</name>
        <t>Syslog over UDP <xref target="RFC5426"/> sends syslog messages as individual UDP
datagrams.  Each syslog message is self-contained, making it directly
suitable for DATAGRAM frame transport.</t>
        <t>Each DATAGRAM frame payload, after the Telemetry Type header, contains
exactly one syslog message encoded per RFC 5424 <xref target="RFC5424"/>.
The message format is unchanged from the UDP transport.</t>
        <t>Syslog over TLS <xref target="RFC5425"/> provides a reference for certificate-
based authentication of syslog.  Under this framework, the same PKI
infrastructure is used, but via the QUIC connection rather than a
separate TLS-over-TCP session.</t>
      </section>
      <section anchor="yangpush">
        <name>YANG-Push UDP-Notif</name>
        <t>This section covers YANG-Push exclusively in its UDP-based transport
variant: YANG-Push UDP-Notif <xref target="I-D.ietf-netconf-udp-notif"/>.  Other
YANG-Push transports (HTTPS-Notif, NETCONF) are TCP-based and out
of scope for this document.  YANG-Push UDP-Notif sends Notification Messages as UDP datagrams
with a shim header providing message segmentation and sequence numbering.</t>
        <t>Under this framework, YANG-Push UDP-Notif messages are carried in
QUIC DATAGRAM frames using the UDP-Notif shim header unchanged.
The shim header's sequence number field provides loss detection at
the application layer, consistent with its use in the UDP transport.</t>
        <t>Three notification types warrant different treatment:</t>
        <ul spacing="normal">
          <li>
            <t>push-update notifications: data samples are time-bound and
stale if retransmitted.  DATAGRAM frames SHOULD be used.</t>
          </li>
          <li>
            <t>push-change-update notifications: missed change notifications
result in the collector maintaining an incorrect view of Network Node
state.  For On-Change Subscriptions, implementations SHOULD use QUIC
STREAM frames to ensure reliable delivery.</t>
          </li>
          <li>
            <t>subscription state change notifications: missed subscription
state change notifications result in the collector maintaining an
incorrect view of YANG-Push subscription state.  For subscription
state change notifications, implementations SHOULD use QUIC STREAM
frames to ensure reliable delivery.</t>
          </li>
        </ul>
        <t>This per-subscription-type split is the primary rationale for using
this framework for YANG-Push: the DATAGRAM/STREAM choice maps directly
onto the existing periodic/on-change distinction, while the UDP-Notif
shim header is preserved unchanged.</t>
        <section anchor="distributed-notifications">
          <name>Distributed Notifications</name>
          <t>The Distributed Notifications architecture
<xref target="I-D.ietf-netconf-distributed-notif"/> allows line card processes to
export directly to collectors without routing through the Route
Processor.  QUIC DATAGRAM frames are well-suited to this model:
each line card process opens a QUIC connection to the collector
and sends DATAGRAM frames.  The Message Publisher ID in the shim
header identifies the originating process.</t>
        </section>
      </section>
      <section anchor="radius">
        <name>RADIUS Accounting</name>
        <t>RADIUS Accounting <xref target="RFC2866"/> uses UDP transport with MD5-based
message authentication.  Accounting-Request and Accounting-Response
messages are self-contained.</t>
        <t>Under this framework:</t>
        <ul spacing="normal">
          <li>
            <t>Accounting-Request messages are carried in QUIC DATAGRAM frames.</t>
          </li>
          <li>
            <t>The base RADIUS protocol is updated to use RADIUS/1.1 <xref target="RFC9765"/>.
Most notably:</t>
          </li>
          <li>
            <t>RADIUS packets no longer use MD5 for authentication
(<xref section="4" sectionFormat="comma" target="RFC9765"/>).</t>
          </li>
          <li>
            <t>RADIUS attributes are no longer obfuscated <xref section="5" sectionFormat="comma" target="RFC9765"/>.</t>
          </li>
          <li>
            <t>RADIUS/1.1 allows more than 256 packets to be outstanding over
one connection.</t>
          </li>
          <li>
            <t>Accounting-Response messages from the collector to the Network Node
travel in the reverse direction.  As QUIC DATAGRAM frames are
bidirectional, the collector responds using a DATAGRAM frame on
the same connection.</t>
          </li>
        </ul>
        <t><xref target="I-D.yl-radext-quic-transport"/> defines an alternative RADIUS mapping
over QUIC STREAM frames, providing reliable delivery semantics for
RADIUS.  The present document's DATAGRAM approach is appropriate for
high-volume accounting scenarios where occasional record loss is
acceptable.  Implementations MUST choose one approach per connection
based on deployment requirements.</t>
        <section anchor="radius-authentication-requests">
          <name>RADIUS Authentication Requests</name>
          <t>RADIUS can also transport Access-Request packets, and responses to
those packets.  While it is possible to transport those packets via
this specification, that behavior is not addressed here.</t>
        </section>
        <section anchor="radius-status-server">
          <name>RADIUS Status-Server</name>
          <t>RADIUS also provides for connection oriented status checks via the
Status-Server packet <xref target="RFC5997"/>.  Where implementations of this
specification need <xref target="RFC3539"/> application-layer watchdog signaling,
QUIC PING frames MUST be used instead of Status-Server packets.</t>
        </section>
      </section>
    </section>
    <section anchor="operational-considerations">
      <name>Operational Considerations</name>
      <section anchor="collector-scalability">
        <name>Collector Scalability</name>
        <t>A single collector may receive QUIC connections from a large number of
Network Nodes.  Each QUIC connection carries its own TLS context.  Collectors
MUST be designed to handle large numbers of concurrent QUIC connections
efficiently.  Connection-level flow control (MAX_DATA) SHOULD be tuned
to accommodate bursty telemetry export patterns.</t>
      </section>
      <section anchor="connection-re-establishment">
        <name>Connection Re-establishment</name>
        <t>If a QUIC connection is lost (idle timeout, network failure, Network Node
reboot), the Network Node MUST re-establish the connection and re-transmit
any stateful protocol information (e.g., IPFIX Template Records) before
resuming DATAGRAM-based data export.  Network Nodes SHOULD implement
exponential backoff for re-establishment attempts.</t>
      </section>
      <section anchor="interaction-with-distributed-export">
        <name>Interaction with Distributed Export</name>
        <t>In distributed architectures (e.g., line card direct export), each
line card process MAY maintain a separate QUIC connection to the
collector, or MAY share a connection with the Route Processor.  The Message Publisher ID in YANG-Push UDP-Notif
<xref target="I-D.ietf-netconf-udp-notif"/> identifies the originating Publisher
process (e.g., a line card process) regardless of the connection
topology.  Similarly, in a distributed router architecture, IPFIX
<xref target="RFC7011"/> deployments have each line card run its own Metering
Process with a distinct Observation Domain ID carried in each IPFIX
Message Header, identifying the originating Observation Domain
regardless of the connection topology.</t>
      </section>
      <section anchor="impact-on-network-node-resources">
        <name>Impact on Network Node Resources</name>
        <t>QUIC connections consume memory and CPU for TLS context, congestion
state, and Connection ID management.  Network Nodes with high line card
counts and multiple telemetry protocols should evaluate the resource
impact of maintaining one QUIC connection per collector per line card
against the resource savings of multiplexing protocols on fewer
connections.</t>
      </section>
      <section anchor="legacy-udp-interoperability">
        <name>Legacy UDP Interoperability</name>
        <t>Network Nodes that do not support QUIC MUST continue to support their
existing UDP transport profiles.  This framework does not deprecate
UDP transport for any protocol.  QUIC transport availability SHOULD
be advertised via the YANG capabilities model <xref target="RFC9196"/> to allow
collectors to negotiate the preferred transport.</t>
      </section>
      <section anchor="quasi-anycast">
        <name>Quasi-Anycast</name>
        <t>A telemetry collector MAY be reachable via an anycast address for
initial QUIC rendezvous, with the connection subsequently migrated to
a stable unicast address using QUIC Preferred Address. This document
refers to that deployment model as Quasi-Anycast. The term describes
an operational pattern, not a new anycast routing semantic, and is
consistent with the service and routing terminology of <xref target="RFC4786"/>
and <xref target="RFC7094"/>.</t>
        <t>In such deployments, the server SHOULD advertise a Preferred Address
only when the backend can accept the migrated connection state and
the client can successfully validate the new path. The client MUST
validate the new path before sending non-probing packets to it.
Operators SHOULD use this pattern when anycast is desirable for
discovery or nearest-ingress selection, but a long-lived telemetry
session benefits from stable backend affinity.
## Manual Certificate Lifecycle</t>
        <t>In smaller deployments, automated certificate lifecycle management may not be available, and certificate provisioning, renewal, and replacement are performed manually.
A single Network Node may use multiple certificates for different applications or protocol stacks. Since certificates are commonly managed and activated independently by each consuming application, 
certificate rollover may occur at different points in time. During such transition periods, some applications may continue to rely on legacy configurations, 
including unsecured UDP-based transport, until certificate updates have been completed consistently across all consumers.
Implementations SHOULD minimize the duration of such transition periods and SHOULD provide mechanisms to coordinate certificate replacement across all affected applications.</t>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>The security properties of all telemetry data transported using this
framework are determined by the QUIC connection's TLS 1.3 handshake.
The considerations in <xref target="RFC9000"/>, <xref target="RFC9001"/>, and <xref target="RFC9221"/> apply.</t>
      <t>Mutual certificate authentication SHOULD be used for all deployments.
A collector that does not authenticate the Network Node certificate cannot
trust the origin of telemetry records.  A Network Node that does not
authenticate the collector certificate may export sensitive operational
data to an adversary.</t>
      <t>Certificate revocation MUST be checked.  OCSP stapling is RECOMMENDED
as the revocation mechanism because it allows the Network Node to provide
proof of validity at connection establishment without requiring the
collector to query an OCSP responder separately.</t>
      <t>DATAGRAM frames, like all QUIC packet payloads, are AEAD-protected.
An on-path observer cannot read or modify DATAGRAM frame contents.
The QUIC invariants (Connection IDs, packet type bits) are observable
but do not reveal telemetry content.</t>
      <t>0-RTT connection resumption (<xref target="RFC9001"/> Section 4.6.1) allows early
data, including telemetry DATAGRAM frames, to be sent before the
handshake completes.  0-RTT data does not provide forward secrecy and
is susceptible to replay attacks.  For telemetry protocols, replay
of a periodic sample record is generally harmless but implementations
SHOULD document their 0-RTT behavior and MAY disable 0-RTT for
security-sensitive deployments.</t>
      <t>The replacement of RADIUS Accounting's MD5-based message authenticator
(<xref target="radius"/>) with QUIC's AEAD protection is a security
improvement.  Implementations should ensure that existing RADIUS
processing pipelines do not rely on the MD5 Message-Authenticator for
any purpose other than transport-level authentication.</t>
      <t>Using a single certificate across multiple protocols or applications increases the impact of a certificate compromise. 
An attacker obtaining the corresponding private key can potentially impersonate the Network Node towards all relying parties that trust this certificate, instead of only affecting a single protocol or application.
Conversely, using separate certificates can limit the scope of a compromise, but increases the operational effort required for certificate lifecycle management and incident response. 
A Network Node may communicate with multiple client systems, such as telemetry collectors, management systems, and application-specific consumers. When a compromised certificate is replaced, 
all affected relying parties need to update their trust configuration in a coordinated manner to maintain authenticated communication.
This coordination is particularly relevant when migrating unreliable UDP-based communication to QUIC DATAGRAM. 
<xref target="RFC9221"/> specifies that DATAGRAM frames do not provide explicit flow control and may be dropped by the receiver if they cannot be processed. 
It also specifies that DATAGRAM frames are subject to QUIC congestion control and may be delayed or dropped when congestion control does not allow immediate transmission. 
Consequently, applications using QUIC DATAGRAM cannot assume that certificate-related transition messages, telemetry data, or other operational signals carried over DATAGRAM frames are reliably delivered.
Therefore, certificate rollover and compromise recovery procedures SHOULD NOT rely solely on unreliable datagram delivery for critical state synchronization. 
Implementations SHOULD provide a reliable and authenticated mechanism, for example using QUIC streams or another reliable management channel, 
to coordinate certificate replacement, revocation handling, and trust-store updates across affected Network Nodes and client systems.
While certificate renewal due to expiration is a routine operational process, emergency certificate replacement following a compromise typically requires substantially greater coordination and operational effort. 
These considerations SHOULD be taken into account when selecting between per-Network Node and per-protocol certificate deployment models.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <section anchor="alpn-protocol-identifiers">
        <name>ALPN Protocol Identifiers</name>
        <t>This document requests that IANA register the following Application-
Layer Protocol Negotiation (ALPN) protocol identifiers in the
"TLS Application-Layer Protocol Negotiation (ALPN) Protocol IDs"
registry:</t>
        <table anchor="tbl-alpn">
          <name>Requested ALPN Identifiers</name>
          <thead>
            <tr>
              <th align="left">Identification Sequence</th>
              <th align="left">Protocol</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0x69 0x70 0x66 0x78 0x71 ("ipfxq")</td>
              <td align="left">IPFIX over QUIC</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">0x73 0x79 0x73 0x71 ("sysq")</td>
              <td align="left">Syslog over QUIC</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">0x79 0x70 0x71 ("ypq")</td>
              <td align="left">YANG-Push over QUIC</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">0x72 0x61 0x64 0x71 ("radq")</td>
              <td align="left">RADIUS over QUIC</td>
              <td align="left">This document</td>
            </tr>
            <tr>
              <td align="left">0x74 0x65 0x6c 0x71 ("telq")</td>
              <td align="left">Generic Telemetry</td>
              <td align="left">This document</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="telemetry-type-registry">
        <name>Telemetry Type Registry</name>
        <t>This document requests that IANA create a new registry "QUIC
Telemetry Type Values" under the "QUIC" registry group with the
following initial values:</t>
        <table anchor="tbl-types">
          <name>QUIC Telemetry Type Values</name>
          <thead>
            <tr>
              <th align="left">Value</th>
              <th align="left">Protocol</th>
              <th align="left">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0x0001</td>
              <td align="left">IPFIX</td>
              <td align="left">
                <xref target="RFC7011"/></td>
            </tr>
            <tr>
              <td align="left">0x0002</td>
              <td align="left">Syslog</td>
              <td align="left">
                <xref target="RFC5424"/></td>
            </tr>
            <tr>
              <td align="left">0x0003</td>
              <td align="left">YANG-Push UDP-Notif</td>
              <td align="left">
                <xref target="I-D.ietf-netconf-udp-notif"/></td>
            </tr>
            <tr>
              <td align="left">0x0004</td>
              <td align="left">RADIUS Accounting</td>
              <td align="left">
                <xref target="RFC2866"/></td>
            </tr>
            <tr>
              <td align="left">0xFFFF</td>
              <td align="left">Reserved</td>
              <td align="left">This document</td>
            </tr>
          </tbody>
        </table>
        <t>New values are assigned by Expert Review.</t>
      </section>
      <section anchor="udp-port-numbers">
        <name>UDP Port Numbers</name>
        <t>This document does not request new UDP port numbers.  QUIC-based
Network Telemetry operates over existing QUIC port allocations.</t>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC9000">
          <front>
            <title>QUIC: A UDP-Based Multiplexed and Secure Transport</title>
            <author fullname="J. Iyengar" initials="J." role="editor" surname="Iyengar"/>
            <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9000"/>
          <seriesInfo name="DOI" value="10.17487/RFC9000"/>
        </reference>
        <reference anchor="RFC9001">
          <front>
            <title>Using TLS to Secure QUIC</title>
            <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/>
            <author fullname="S. Turner" initials="S." role="editor" surname="Turner"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document describes how Transport Layer Security (TLS) is used to secure QUIC.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9001"/>
          <seriesInfo name="DOI" value="10.17487/RFC9001"/>
        </reference>
        <reference anchor="RFC9002">
          <front>
            <title>QUIC Loss Detection and Congestion Control</title>
            <author fullname="J. Iyengar" initials="J." role="editor" surname="Iyengar"/>
            <author fullname="I. Swett" initials="I." role="editor" surname="Swett"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document describes loss detection and congestion control mechanisms for QUIC.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9002"/>
          <seriesInfo name="DOI" value="10.17487/RFC9002"/>
        </reference>
        <reference anchor="RFC9221">
          <front>
            <title>An Unreliable Datagram Extension to QUIC</title>
            <author fullname="T. Pauly" initials="T." surname="Pauly"/>
            <author fullname="E. Kinnear" initials="E." surname="Kinnear"/>
            <author fullname="D. Schinazi" initials="D." surname="Schinazi"/>
            <date month="March" year="2022"/>
            <abstract>
              <t>This document defines an extension to the QUIC transport protocol to add support for sending and receiving unreliable datagrams over a QUIC connection.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9221"/>
          <seriesInfo name="DOI" value="10.17487/RFC9221"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC2865">
          <front>
            <title>Remote Authentication Dial In User Service (RADIUS)</title>
            <author fullname="C. Rigney" initials="C." surname="Rigney"/>
            <author fullname="S. Willens" initials="S." surname="Willens"/>
            <author fullname="A. Rubens" initials="A." surname="Rubens"/>
            <author fullname="W. Simpson" initials="W." surname="Simpson"/>
            <date month="June" year="2000"/>
            <abstract>
              <t>This document describes a protocol for carrying authentication, authorization, and configuration information between a Network Access Server which desires to authenticate its links and a shared Authentication Server. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2865"/>
          <seriesInfo name="DOI" value="10.17487/RFC2865"/>
        </reference>
        <reference anchor="RFC2866">
          <front>
            <title>RADIUS Accounting</title>
            <author fullname="C. Rigney" initials="C." surname="Rigney"/>
            <date month="June" year="2000"/>
            <abstract>
              <t>This document describes a protocol for carrying accounting information between a Network Access Server and a shared Accounting Server. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2866"/>
          <seriesInfo name="DOI" value="10.17487/RFC2866"/>
        </reference>
        <reference anchor="RFC3539">
          <front>
            <title>Authentication, Authorization and Accounting (AAA) Transport Profile</title>
            <author fullname="B. Aboba" initials="B." surname="Aboba"/>
            <author fullname="J. Wood" initials="J." surname="Wood"/>
            <date month="June" year="2003"/>
            <abstract>
              <t>This document discusses transport issues that arise within protocols for Authentication, Authorization and Accounting (AAA). It also provides recommendations on the use of transport by AAA protocols. This includes usage of standards-track RFCs as well as experimental proposals. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="3539"/>
          <seriesInfo name="DOI" value="10.17487/RFC3539"/>
        </reference>
        <reference anchor="RFC4786">
          <front>
            <title>Operation of Anycast Services</title>
            <author fullname="J. Abley" initials="J." surname="Abley"/>
            <author fullname="K. Lindqvist" initials="K." surname="Lindqvist"/>
            <date month="December" year="2006"/>
            <abstract>
              <t>As the Internet has grown, and as systems and networked services within enterprises have become more pervasive, many services with high availability requirements have emerged. These requirements have increased the demands on the reliability of the infrastructure on which those services rely.</t>
              <t>Various techniques have been employed to increase the availability of services deployed on the Internet. This document presents commentary and recommendations for distribution of services using anycast. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="126"/>
          <seriesInfo name="RFC" value="4786"/>
          <seriesInfo name="DOI" value="10.17487/RFC4786"/>
        </reference>
        <reference anchor="RFC5424">
          <front>
            <title>The Syslog Protocol</title>
            <author fullname="R. Gerhards" initials="R." surname="Gerhards"/>
            <date month="March" year="2009"/>
            <abstract>
              <t>This document describes the syslog protocol, which is used to convey event notification messages. This protocol utilizes a layered architecture, which allows the use of any number of transport protocols for transmission of syslog messages. It also provides a message format that allows vendor-specific extensions to be provided in a structured way.</t>
              <t>This document has been written with the original design goals for traditional syslog in mind. The need for a new layered specification has arisen because standardization efforts for reliable and secure syslog extensions suffer from the lack of a Standards-Track and transport-independent RFC. Without this document, each other standard needs to define its own syslog packet format and transport mechanism, which over time will introduce subtle compatibility issues. This document tries to provide a foundation that syslog extensions can build on. This layered architecture approach also provides a solid basis that allows code to be written once for each syslog feature rather than once for each transport. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5424"/>
          <seriesInfo name="DOI" value="10.17487/RFC5424"/>
        </reference>
        <reference anchor="RFC5425">
          <front>
            <title>Transport Layer Security (TLS) Transport Mapping for Syslog</title>
            <author fullname="F. Miao" initials="F." role="editor" surname="Miao"/>
            <author fullname="Y. Ma" initials="Y." role="editor" surname="Ma"/>
            <author fullname="J. Salowey" initials="J." role="editor" surname="Salowey"/>
            <date month="March" year="2009"/>
            <abstract>
              <t>This document describes the use of Transport Layer Security (TLS) to provide a secure connection for the transport of syslog messages. This document describes the security threats to syslog and how TLS can be used to counter such threats.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5425"/>
          <seriesInfo name="DOI" value="10.17487/RFC5425"/>
        </reference>
        <reference anchor="RFC5426">
          <front>
            <title>Transmission of Syslog Messages over UDP</title>
            <author fullname="A. Okmianski" initials="A." surname="Okmianski"/>
            <date month="March" year="2009"/>
            <abstract>
              <t>This document describes the transport for syslog messages over UDP/ IPv4 or UDP/IPv6. The syslog protocol layered architecture provides for support of any number of transport mappings. However, for interoperability purposes, syslog protocol implementers are required to support this transport mapping. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5426"/>
          <seriesInfo name="DOI" value="10.17487/RFC5426"/>
        </reference>
        <reference anchor="RFC5997">
          <front>
            <title>Use of Status-Server Packets in the Remote Authentication Dial In User Service (RADIUS) Protocol</title>
            <author fullname="A. DeKok" initials="A." surname="DeKok"/>
            <date month="August" year="2010"/>
            <abstract>
              <t>This document describes a deployed extension to the Remote Authentication Dial In User Service (RADIUS) protocol, enabling clients to query the status of a RADIUS server. This extension utilizes the Status-Server (12) Code, which was reserved for experimental use in RFC 2865. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5997"/>
          <seriesInfo name="DOI" value="10.17487/RFC5997"/>
        </reference>
        <reference anchor="RFC6241">
          <front>
            <title>Network Configuration Protocol (NETCONF)</title>
            <author fullname="R. Enns" initials="R." role="editor" surname="Enns"/>
            <author fullname="M. Bjorklund" initials="M." role="editor" surname="Bjorklund"/>
            <author fullname="J. Schoenwaelder" initials="J." role="editor" surname="Schoenwaelder"/>
            <author fullname="A. Bierman" initials="A." role="editor" surname="Bierman"/>
            <date month="June" year="2011"/>
            <abstract>
              <t>The Network Configuration Protocol (NETCONF) defined in this document provides mechanisms to install, manipulate, and delete the configuration of network devices. It uses an Extensible Markup Language (XML)-based data encoding for the configuration data as well as the protocol messages. The NETCONF protocol operations are realized as remote procedure calls (RPCs). This document obsoletes RFC 4741. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6241"/>
          <seriesInfo name="DOI" value="10.17487/RFC6241"/>
        </reference>
        <reference anchor="RFC6347">
          <front>
            <title>Datagram Transport Layer Security Version 1.2</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="N. Modadugu" initials="N." surname="Modadugu"/>
            <date month="January" year="2012"/>
            <abstract>
              <t>This document specifies version 1.2 of the Datagram Transport Layer Security (DTLS) protocol. The DTLS protocol provides communications privacy for datagram protocols. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. The DTLS protocol is based on the Transport Layer Security (TLS) protocol and provides equivalent security guarantees. Datagram semantics of the underlying transport are preserved by the DTLS protocol. This document updates DTLS 1.0 to work with TLS version 1.2. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6347"/>
          <seriesInfo name="DOI" value="10.17487/RFC6347"/>
        </reference>
        <reference anchor="RFC7011">
          <front>
            <title>Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information</title>
            <author fullname="B. Claise" initials="B." role="editor" surname="Claise"/>
            <author fullname="B. Trammell" initials="B." role="editor" surname="Trammell"/>
            <author fullname="P. Aitken" initials="P." surname="Aitken"/>
            <date month="September" year="2013"/>
            <abstract>
              <t>This document specifies the IP Flow Information Export (IPFIX) protocol, which serves as a means for transmitting Traffic Flow information over the network. In order to transmit Traffic Flow information from an Exporting Process to a Collecting Process, a common representation of flow data and a standard means of communicating them are required. This document describes how the IPFIX Data and Template Records are carried over a number of transport protocols from an IPFIX Exporting Process to an IPFIX Collecting Process. This document obsoletes RFC 5101.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="77"/>
          <seriesInfo name="RFC" value="7011"/>
          <seriesInfo name="DOI" value="10.17487/RFC7011"/>
        </reference>
        <reference anchor="RFC7094">
          <front>
            <title>Architectural Considerations of IP Anycast</title>
            <author fullname="D. McPherson" initials="D." surname="McPherson"/>
            <author fullname="D. Oran" initials="D." surname="Oran"/>
            <author fullname="D. Thaler" initials="D." surname="Thaler"/>
            <author fullname="E. Osterweil" initials="E." surname="Osterweil"/>
            <date month="January" year="2014"/>
            <abstract>
              <t>This memo discusses architectural implications of IP anycast and provides some historical analysis of anycast use by various IETF protocols.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7094"/>
          <seriesInfo name="DOI" value="10.17487/RFC7094"/>
        </reference>
        <reference anchor="RFC7854">
          <front>
            <title>BGP Monitoring Protocol (BMP)</title>
            <author fullname="J. Scudder" initials="J." role="editor" surname="Scudder"/>
            <author fullname="R. Fernando" initials="R." surname="Fernando"/>
            <author fullname="S. Stuart" initials="S." surname="Stuart"/>
            <date month="June" year="2016"/>
            <abstract>
              <t>This document defines the BGP Monitoring Protocol (BMP), which can be used to monitor BGP sessions. BMP is intended to provide a convenient interface for obtaining route views. Prior to the introduction of BMP, screen scraping was the most commonly used approach to obtaining such views. The design goals are to keep BMP simple, useful, easily implemented, and minimally service affecting. BMP is not suitable for use as a routing protocol.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7854"/>
          <seriesInfo name="DOI" value="10.17487/RFC7854"/>
        </reference>
        <reference anchor="RFC8639">
          <front>
            <title>Subscription to YANG Notifications</title>
            <author fullname="E. Voit" initials="E." surname="Voit"/>
            <author fullname="A. Clemm" initials="A." surname="Clemm"/>
            <author fullname="A. Gonzalez Prieto" initials="A." surname="Gonzalez Prieto"/>
            <author fullname="E. Nilsen-Nygaard" initials="E." surname="Nilsen-Nygaard"/>
            <author fullname="A. Tripathy" initials="A." surname="Tripathy"/>
            <date month="September" year="2019"/>
            <abstract>
              <t>This document defines a YANG data model and associated mechanisms enabling subscriber-specific subscriptions to a publisher's event streams. Applying these elements allows a subscriber to request and receive a continuous, customized feed of publisher-generated information.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8639"/>
          <seriesInfo name="DOI" value="10.17487/RFC8639"/>
        </reference>
        <reference anchor="RFC8641">
          <front>
            <title>Subscription to YANG Notifications for Datastore Updates</title>
            <author fullname="A. Clemm" initials="A." surname="Clemm"/>
            <author fullname="E. Voit" initials="E." surname="Voit"/>
            <date month="September" year="2019"/>
            <abstract>
              <t>This document describes a mechanism that allows subscriber applications to request a continuous and customized stream of updates from a YANG datastore. Providing such visibility into updates enables new capabilities based on the remote mirroring and monitoring of configuration and operational state.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8641"/>
          <seriesInfo name="DOI" value="10.17487/RFC8641"/>
        </reference>
        <reference anchor="RFC9147">
          <front>
            <title>The Datagram Transport Layer Security (DTLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <author fullname="N. Modadugu" initials="N." surname="Modadugu"/>
            <date month="April" year="2022"/>
            <abstract>
              <t>This document specifies version 1.3 of the Datagram Transport Layer Security (DTLS) protocol. DTLS 1.3 allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>The DTLS 1.3 protocol is based on the Transport Layer Security (TLS) 1.3 protocol and provides equivalent security guarantees with the exception of order protection / non-replayability. Datagram semantics of the underlying transport are preserved by the DTLS protocol.</t>
              <t>This document obsoletes RFC 6347.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9147"/>
          <seriesInfo name="DOI" value="10.17487/RFC9147"/>
        </reference>
        <reference anchor="RFC9196">
          <front>
            <title>YANG Modules Describing Capabilities for Systems and Datastore Update Notifications</title>
            <author fullname="B. Lengyel" initials="B." surname="Lengyel"/>
            <author fullname="A. Clemm" initials="A." surname="Clemm"/>
            <author fullname="B. Claise" initials="B." surname="Claise"/>
            <date month="February" year="2022"/>
            <abstract>
              <t>This document defines two YANG modules, "ietf-system-capabilities" and "ietf-notification-capabilities".</t>
              <t>The module "ietf-system-capabilities" provides a placeholder structure that can be used to discover YANG-related system capabilities for servers. The module can be used to report capability information from the server at runtime or at implementation time by making use of the YANG instance data file format.</t>
              <t>The module "ietf-notification-capabilities" augments "ietf-system-capabilities" to specify capabilities related to "Subscription to YANG Notifications for Datastore Updates" (RFC 8641).</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9196"/>
          <seriesInfo name="DOI" value="10.17487/RFC9196"/>
        </reference>
        <reference anchor="RFC8799">
          <front>
            <title>Limited Domains and Internet Protocols</title>
            <author fullname="B. Carpenter" initials="B." surname="Carpenter"/>
            <author fullname="B. Liu" initials="B." surname="Liu"/>
            <date month="July" year="2020"/>
            <abstract>
              <t>There is a noticeable trend towards network behaviors and semantics that are specific to a particular set of requirements applied within a limited region of the Internet. Policies, default parameters, the options supported, the style of network management, and security requirements may vary between such limited regions. This document reviews examples of such limited domains (also known as controlled environments), notes emerging solutions, and includes a related taxonomy. It then briefly discusses the standardization of protocols for limited domains. Finally, it shows the need for a precise definition of "limited domain membership" and for mechanisms to allow nodes to join a domain securely and to find other members, including boundary nodes.</t>
              <t>This document is the product of the research of the authors. It has been produced through discussions and consultation within the IETF but is not the product of IETF consensus.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8799"/>
          <seriesInfo name="DOI" value="10.17487/RFC8799"/>
        </reference>
        <reference anchor="RFC9232">
          <front>
            <title>Network Telemetry Framework</title>
            <author fullname="H. Song" initials="H." surname="Song"/>
            <author fullname="F. Qin" initials="F." surname="Qin"/>
            <author fullname="P. Martinez-Julia" initials="P." surname="Martinez-Julia"/>
            <author fullname="L. Ciavaglia" initials="L." surname="Ciavaglia"/>
            <author fullname="A. Wang" initials="A." surname="Wang"/>
            <date month="May" year="2022"/>
            <abstract>
              <t>Network telemetry is a technology for gaining network insight and facilitating efficient and automated network management. It encompasses various techniques for remote data generation, collection, correlation, and consumption. This document describes an architectural framework for network telemetry, motivated by challenges that are encountered as part of the operation of networks and by the requirements that ensue. This document clarifies the terminology and classifies the modules and components of a network telemetry system from different perspectives. The framework and taxonomy help to set a common ground for the collection of related work and provide guidance for related technique and standard developments.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9232"/>
          <seriesInfo name="DOI" value="10.17487/RFC9232"/>
        </reference>
        <reference anchor="RFC9308">
          <front>
            <title>Applicability of the QUIC Transport Protocol</title>
            <author fullname="M. Kühlewind" initials="M." surname="Kühlewind"/>
            <author fullname="B. Trammell" initials="B." surname="Trammell"/>
            <date month="September" year="2022"/>
            <abstract>
              <t>This document discusses the applicability of the QUIC transport protocol, focusing on caveats impacting application protocol development and deployment over QUIC. Its intended audience is designers of application protocol mappings to QUIC and implementors of these application protocols.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9308"/>
          <seriesInfo name="DOI" value="10.17487/RFC9308"/>
        </reference>
        <reference anchor="RFC9765">
          <front>
            <title>RADIUS/1.1: Leveraging Application-Layer Protocol Negotiation (ALPN) to Remove MD5</title>
            <author fullname="A. DeKok" initials="A." surname="DeKok"/>
            <date month="April" year="2025"/>
            <abstract>
              <t>This document defines Application-Layer Protocol Negotiation (ALPN) extensions for use with RADIUS/TLS and RADIUS/DTLS. These extensions permit the negotiation of an application protocol variant of RADIUS called "RADIUS/1.1". No changes are made to RADIUS/UDP or RADIUS/TCP. The extensions allow the negotiation of a transport profile where the RADIUS shared secret is no longer used, and all MD5-based packet authentication and attribute obfuscation methods are removed.</t>
              <t>This document updates RFCs 2865, 2866, 5176, 6613, 6614, and 7360.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9765"/>
          <seriesInfo name="DOI" value="10.17487/RFC9765"/>
        </reference>
        <reference anchor="I-D.ietf-netconf-udp-notif">
          <front>
            <title>UDP-based Transport for Configured Subscriptions</title>
            <author fullname="Alex Huang Feng" initials="A. H." surname="Feng">
              <organization>INSA-Lyon</organization>
            </author>
            <author fullname="Pierre Francois" initials="P." surname="Francois">
              <organization>INSA-Lyon</organization>
            </author>
            <author fullname="Tianran Zhou" initials="T." surname="Zhou">
              <organization>Huawei</organization>
            </author>
            <author fullname="Thomas Graf" initials="T." surname="Graf">
              <organization>Swisscom</organization>
            </author>
            <author fullname="Paolo Lucente" initials="P." surname="Lucente">
              <organization>NTT</organization>
            </author>
            <date day="28" month="January" year="2026"/>
            <abstract>
              <t>   This document describes a UDP-based transport for YANG notifications
   to collect data from network nodes within a controlled environment.
   A shim header is defined to facilitate the data streaming directly
   from a publishing process on a network device to telemetry receivers.
   Such a design enables higher frequency updates and less performance
   overhead on publisher and receiver processes compared to already
   established notification mechanisms.  A YANG data model is also
   defined for management of the described UDP-based transport.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-netconf-udp-notif-25"/>
        </reference>
        <reference anchor="I-D.ietf-netconf-distributed-notif">
          <front>
            <title>Subscription to Notifications in a Distributed Architecture</title>
            <author fullname="Tianran Zhou" initials="T." surname="Zhou">
              <organization>Huawei</organization>
            </author>
            <author fullname="Guangying Zheng" initials="G." surname="Zheng">
              <organization>Huawei</organization>
            </author>
            <author fullname="Eric Voit" initials="E." surname="Voit">
              <organization>Cisco Systems</organization>
            </author>
            <author fullname="Thomas Graf" initials="T." surname="Graf">
              <organization>Swisscom</organization>
            </author>
            <author fullname="Pierre Francois" initials="P." surname="Francois">
              <organization>INSA-Lyon</organization>
            </author>
            <date day="13" month="April" year="2026"/>
            <abstract>
              <t>   This document describes extensions to the YANG notifications
   subscription to allow metrics being published directly from
   processors on line cards to target receivers, while subscription is
   still maintained at the route processor in a distributed forwarding
   system of a network node.


              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-netconf-distributed-notif-19"/>
        </reference>
        <reference anchor="I-D.ietf-netconf-over-quic">
          <front>
            <title>NETCONF over QUIC</title>
            <author fullname="Jinyou Dai" initials="J." surname="Dai">
              <organization>Fiberhome Telecom LTD./CICT.</organization>
            </author>
            <author fullname="Shaohua Yu" initials="S." surname="Yu">
              <organization>China PCL.</organization>
            </author>
            <author fullname="Weiqiang Cheng" initials="W." surname="Cheng">
              <organization>China Mobile</organization>
            </author>
            <author fullname="Marc Blanchet" initials="M." surname="Blanchet">
              <organization>Viagenie</organization>
            </author>
            <author fullname="Per Andersson" initials="P." surname="Andersson">
              <organization>Ionio Systems</organization>
            </author>
            <date day="27" month="June" year="2026"/>
            <abstract>
              <t>   This document specifies how to use QUIC as a secure transport for
   exchanging Network Configuration Protocol (NETCONF) messages.
   NETCONF over QUIC allows to take advantage of QUIC streams, for
   example, to eliminate some TCP head-of-line blocking issues.  NETCONF
   over QUIC provides security properties similar to NETCONF over TLS.

   This document also defines a YANG module which augments the ietf-
   netconf-client and ietf-netconf-server YANG modules.

Editorial note (to be removed by the RFC Editor

   This draft contains placeholder values that need to be replaced with
   finalized values at the time of publication.  This note summarizes
   all of the substitutions that are needed.  No other RFC Editor
   instructions are specified elsewhere in this document.

   Artwork in this document contains shorthand references to drafts in
   progress.  Please apply the following replacements:

   *  AAAA --&gt; the assigned RFC value for this draft

   *  BBBB --&gt; the assigned RFC value for draft-ietf-netconf-netconf-
      client-server

   *  CCCC --&gt; the assigned RFC value for draft-ietf-netconf-quic-
      client-server

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-netconf-over-quic-09"/>
        </reference>
        <reference anchor="I-D.llg-opsawg-ipfix-over-quic">
          <front>
            <title>IPFIX Protocol over QUIC</title>
            <author fullname="Yisong Liu" initials="Y." surname="Liu">
              <organization>China Mobile</organization>
            </author>
            <author fullname="Changwang Lin" initials="C." surname="Lin">
              <organization>New H3C Technologies</organization>
            </author>
            <author fullname="Thomas Graf" initials="T." surname="Graf">
              <organization>Swisscom</organization>
            </author>
            <author fullname="Benoît Claise" initials="B." surname="Claise">
              <organization>Everything OPS</organization>
            </author>
            <date day="23" month="June" year="2026"/>
            <abstract>
              <t>   The IP Flow Information Export (IPFIX) protocol provides a means for
   transmitting Traffic Flow information over the network.  IPFIX Flow
   Records and Template Records can be carried over a number of
   transport protocols from an IPFIX Exporter to an IPFIX Collector.
   The supported transport protocols are SCTP, UDP and TCP.  QUIC
   provides inherently secure, stream-multiplexed, and reliable
   connections for IPFIX protocol.  Especially, a single QUIC connection
   can carry multiple independent streams, which can improve management
   scalability between Exporters and Collectors.  This document
   describes how to use IPFIX protocol over the QUIC transport protocol,
   named IPFIXoQUIC.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-llg-opsawg-ipfix-over-quic-03"/>
        </reference>
        <reference anchor="I-D.liu-grow-bmp-over-quic">
          <front>
            <title>Using BMP over QUIC connection</title>
            <author fullname="Yisong Liu" initials="Y." surname="Liu">
              <organization>China Mobile</organization>
            </author>
            <author fullname="Changwang Lin" initials="C." surname="Lin">
              <organization>New H3C Technologies</organization>
            </author>
            <author fullname="Thomas Graf" initials="T." surname="Graf">
              <organization>Swisscom</organization>
            </author>
            <author fullname="Paolo Lucente" initials="P." surname="Lucente">
              <organization>NTT</organization>
            </author>
            <author fullname="Mukul Kumar Srivastava" initials="M. K." surname="Srivastava">
              <organization>Hewlett Packard Enterprise</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>   The BGP Monitoring Protocol (BMP) provides a convenient interface
   for obtaining route views by monitoring BGP sessions. BMP operates
   over TCP and is unidirectional (from client to server). QUIC
   provides multiple simultaneous streams to carry data in one
   direction, enabling much better efficiency and performance for both
   peers, in particular unidirectional streams can provide reverse data
   protection for the sender. QUIC also provides shorter handshake and
   includes TLS. This document describes how to use BMP over the QUIC
   transport protocol, named BMPoQUIC.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-liu-grow-bmp-over-quic-06"/>
        </reference>
        <reference anchor="I-D.liu-sidrops-rpki-rtr-over-quic">
          <front>
            <title>RPKI to Router Protocol over QUIC</title>
            <author fullname="Shengnan Yue" initials="" surname="Yue">
              <organization>China Mobile</organization>
            </author>
            <author fullname="Changwang Lin" initials="C." surname="Lin">
              <organization>New H3C Technologies</organization>
            </author>
            <author fullname="Jishnu Roy" initials="J." surname="Roy">
              <organization>HPE Networking</organization>
            </author>
            <author fullname="Di Ma" initials="D." surname="Ma">
              <organization>ZDNS</organization>
            </author>
            <author fullname="Yisong Liu" initials="Y." surname="Liu">
              <organization>China Mobile</organization>
            </author>
            <date day="27" month="February" year="2026"/>
            <abstract>
              <t>   The Resource Public Key Infrastructure (RPKI) to Router Protocol
   provides a simple but reliable mechanism to receive cryptographically
   validated RPKI prefix origin data and router keys from a trusted
   cache.  RPKI to Router (RTR) Protocol can be carried over various
   transports such as TCP, SSH or else.  QUIC provides practical and
   secure semantics for the RTR protocol, particularly fast connection
   establishment and multi-stream carrying, thereby reducing the time
   required to complete RTR data synchronization.  This document
   describes how to use RTR Protocol over the QUIC transport protocol,
   named RTRoQUIC.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-liu-sidrops-rpki-rtr-over-quic-03"/>
        </reference>
        <reference anchor="I-D.retana-idr-bgp-quic">
          <front>
            <title>BGP over QUIC</title>
            <author fullname="Alvaro Retana" initials="A." surname="Retana">
              <organization>Futurewei Technologies</organization>
            </author>
            <author fullname="Yingzhen Qu" initials="Y." surname="Qu">
              <organization>Futurewei Technologies</organization>
            </author>
            <author fullname="Jeffrey Haas" initials="J." surname="Haas">
              <organization>Juniper Networks</organization>
            </author>
            <author fullname="Shuanglong Chen" initials="S." surname="Chen">
              <organization>Huawei Technologies</organization>
            </author>
            <author fullname="Jeff Tantsura" initials="J." surname="Tantsura">
              <organization>Nvidia</organization>
            </author>
            <date day="24" month="June" year="2026"/>
            <abstract>
              <t>   This document specifies the procedures for BGP to use QUIC as a
   transport protocol with a mechanism to carry Network Layer protocols
   (AFI/SAFI) over multiple QUIC streams to achieve high resiliency.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-retana-idr-bgp-quic-09"/>
        </reference>
        <reference anchor="I-D.yl-radext-quic-transport">
          <front>
            <title>RADIUS over QUIC</title>
            <author fullname="Shengnan Yue" initials="" surname="Yue">
              <organization>China Mobile</organization>
            </author>
            <author fullname="Changwang Lin" initials="C." surname="Lin">
              <organization>New H3C Technologies</organization>
            </author>
            <author fullname="Feng Yang" initials="F." surname="Yang">
              <organization>China Mobile</organization>
            </author>
            <date day="12" month="May" year="2026"/>
            <abstract>
              <t>   The Remote Authentication Dial-In User Server (RADIUS) Protocol can
   use the User Datagram Protocol (UDP) and the Transport Control
   Protocol (TCP) as its underlying transport layer.  But it permits TCP
   to be used as a transport protocol for RADIUS only when a transport
   layer such as TLS or IPsec provides confidentiality and security.
   QUIC inherently supports encryption (using TLS 1.3), which could
   provide a higher level of security.  And QUIC supports multiple
   streams over a single connection, enhancing throughput and
   efficiency.  This document defines RADIUS over the QUIC transport
   protocol, named RADIUSoQUIC.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-yl-radext-quic-transport-04"/>
        </reference>
        <reference anchor="I-D.yang-pce-pcep-over-quic">
          <front>
            <title>PCEP over QUIC</title>
            <author fullname="Feng Yang" initials="F." surname="Yang">
              <organization>China Mobile</organization>
            </author>
            <author fullname="Changwang Lin" initials="C." surname="Lin">
              <organization>New H3C Technologies</organization>
            </author>
            <author fullname="Samuel Sidor" initials="S." surname="Sidor">
              <organization>Cisco Systems, Inc.</organization>
            </author>
            <author fullname="HAN TINGTING" initials="T." surname="Han">
              <organization>China Mobile</organization>
            </author>
            <date day="25" month="April" year="2026"/>
            <abstract>
              <t>   This document specifies the use of QUIC streams to implement the PCEP
   protocol for efficient and secure data transmission.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-yang-pce-pcep-over-quic-04"/>
        </reference>
        <reference anchor="I-D.ietf-radext-radiusdtls-bis">
          <front>
            <title>RadSec: RADIUS over Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)</title>
            <author fullname="Jan-Frederik Rieckers" initials="J." surname="Rieckers">
              <organization>Deutsches Forschungsnetz | German National Research and Education Network</organization>
            </author>
            <author fullname="Margaret Cullen" initials="M." surname="Cullen">
              <organization>Painless Security</organization>
            </author>
            <author fullname="Stefan Winter" initials="S." surname="Winter">
              <organization>Fondation Restena | Restena Foundation</organization>
            </author>
            <date day="5" month="May" year="2026"/>
            <abstract>
              <t>   This document defines transport profiles for running RADIUS over
   Transport Layer Security (TLS) and Datagram Transport Layer Security
   (DTLS), allowing the secure and reliable transport of RADIUS
   messages.  RADIUS/TLS and RADIUS/DTLS are collectively referred to as
   RadSec.

   This document obsoletes RFC6614 and RFC7360, which specified
   experimental versions of RADIUS over TLS and DTLS.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-radext-radiusdtls-bis-16"/>
        </reference>
      </references>
    </references>
    <?line 1017?>

<section anchor="acknowledgements">
      <name>Acknowledgements</name>
      <t>The authors would like to thank the authors and contributors of the
related drafts referenced in this document, particularly those working
on IPFIX over QUIC, NETCONF over QUIC, and UDP-Notif, for their
foundational work that motivates this framework document.</t>
      <t>The authors also thank the QUIC Working Group for the development of
RFC 9221, without which this framework would not be possible.</t>
    </section>
    <section anchor="open-issues">
      <name>Open Issues</name>
      <t>The following issues are identified for future resolution:</t>
      <ol spacing="normal" type="1"><li>
          <t>Should this document define normative per-protocol bindings, or
remain informational and defer normative content to individual
WG-chartered documents?</t>
        </li>
        <li>
          <t>The Telemetry Type header format (<xref target="datagram-format"/>)
should be discussed with the relevant WGs to avoid conflicts with
existing shim headers (e.g., the UDP-Notif shim, IPFIX Message
Header).</t>
        </li>
        <li>
          <t>The RADIUS Accounting mapping (<xref target="radius"/>) interacts with
work in RADEXT WG.  Coordination with <xref target="I-D.yl-radext-quic-transport"/>
is needed to determine whether DATAGRAM and STREAM profiles should
be in separate documents.</t>
        </li>
        <li>
          <t>YANG module augmentations for advertising QUIC telemetry transport
capability per <xref target="RFC9196"/> are not defined in this version and should
be added in a future revision.</t>
        </li>
      </ol>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA6196XLcSJLm/3gKmGS2RfZmZpGi7rKxbRZ1NK10cERqq+dX
G5iJJLHKBLIBJKnsKs0j7Uvsi61/fsQBgJRmbWt3qlkkEIjw8PDzc4/pdOq6
slsVL7MH//759CS7aPKq3dRNly3rJvtQdLd18yW7KFbFuuia3QOXX142xQ09
7n+X1TdFk+HtB26ed8VV3exeZmW1rN2inlf5mgZfNPmym1ZFl1f5tN60+e3V
tLMBphhg+s9tOZ8eHLh2e7ku27asq263oVdPX1+8cdV2fVk0L92Cxn+ZPTp4
9HR68Gx6cOTmddUWVbttX2Zdsy0czezI5U2R0ww/boom72igNsurRfaevn1F
X6y6Bw6rumrq7QaPnZ0f//72gftS7OjXi5cum/Jq8L8DAuCXp2dvTv+OH9pd
u6qv8NN/HH94Oz3bttf4j0/Hr04/n/NPb06yF48eHeLnV8cXx28/Hb93Lt92
13WD77iM/lluVyuh0q9FVf+f/91lJ6u8bAv+Y91c5VX5L17Gy+w1EWrXXZfV
VUazzv5bdtw0823LT87rbdWB8r8Wq6tyu+ZfFuu8XL3MLmngsvtr4V/HHsxo
O4ZzuLiu13mbvaUNG5nA+S1tzbxOBu/4jdkVvfHXVv8+42f6Y5/l9arO3m3n
tAdjy/twcREPvMHjf626bnymf6tXV8R4vxWrVdGMjPaq2Hbt/LrgzfuSzvma
35194Xf/2skDs0Ux/MrxKq9oqN/qLyOfOK2+/NqUi6vCGKWNP5LTqzTml/rL
X8vqyyU/OCtr56q6WdMINwXxAHjk0eHhC/3x+eGzx/rji4ODg/DjYfjxkf1I
nPXSOZy03njPnz4JPz7VH4+eHNlXHj97br998vjR4/Djk/Cjf+DFi2f649NH
j20aT48e22+fHRwe+h9f2GDPnj+xH58/9R9+/tSP8OLQj/Di8IV97fmzFy/8
8o78So8OntuPz2Rtp9NXs7LolhAqJASW0+1iM63qrlyO/nVRtl1TXm67YnHP
U14Q2V9XqysTV+VmWX4deaLcTkmS3E4v15vxv7bloqExps3mSzltumb4VCNy
kZ6bXl5tkj/tVtMmXxRfO5GPnYln//ecDvNmXuD/Rr7Pq9MB6H/KbbvoVu30
smyJcabTaZZfEl3yeefcxXXZZiSwt5CQ2aJo50SvoqXjXWTbtsjqJf/IWsJP
I9s0dVfP61VGMiMnabxe11X0ZxLmGL8rWJ3UJpDz1VCy+qFa113nXTbfNg3N
ZLXLmoL+RcN+fnU2y7LzTTEvl+U8X612k6ykqZYtycCWpjrPm2ZH0s35oWgC
82vMjWX2JDtniT0J8hqDTj+AISasJFR2H89ZnELQeu1GEraqijkrFJrHG1pQ
N5x8dntdE7VIUeVuQwKgyIisZXVd6GJWddtOu5rETk5k3rvFH7I8Y5VHX2vz
9WbF72yaYkkPXa4K19X0xKJY5btiQdRg8qqO3KdNifetKbAHRbVoo01znyui
YYmxslc0MRLV6+z1144UZ4ntqmV9e6aisiU9ULT7M+eOaR7lOqcVrolIN7x7
vJf8Wd7BUnmk4l3hB/BZ44Gpw7ybrC1oR8tul+XzhmiQXRdd0dRXRVXU23aM
kkTjs7tY4jq/KbKqzta0Z3lHBkfMc/ahPdHPsoO0z/uOeVAYcFpXNE54lhnE
P5rdlt119uri3fk+ifzstsi/+GfdnjCJPPP+1ZOsvlxuW1n6PtFku1qQ7F85
0rrFkhh02dRrJlGYLQ2cHc6OsvW229JhgEVACzPy8WLZBCFi3JR0FokW6fls
o1OQ5YtFU/AJwFeiU+byxQ2xGZk9LfZkDQsIXJZnYDbihrPfTrN50XSydUW2
KpfFfDenv9Agdkbdh3pRgEuiaRZYYbRrdMqLfN3O+nKEmZ8YbUGcCxEhrMV8
g+OWbzYrGu6yXGET2o4Gxmszd0aCzMuWy7Ja0HxbIUxTkIRrsP2q9QIxmHpk
/bniK/2KZD1mfVlk8+u8IW6j/y5B3aJsaBS8xa/DwmRWBmnYKsQ6IB3X5WJB
5889JE3fNfViy6ffORNeQuq6oQUXG1okpBSdVBq0ocPXFh2fhBEh0dWOBGVJ
rzIZeGMKnRnp8yYnetLHtk0xyWgtxNYsiiL5CQGDz91el/Nrsrs3+RwkhMip
6NlJtsy3K8jxTkSWiLdwCGmMXVvaxIm/3Hm99lI+zJSoGQm+FbHZxAvVESma
/fGHavxv3+znx4f8890a+9u3iTs9y96s6lsitFoztLbXvHI9m/syHKwNel4l
ufwONgx+p+eSfwcbiD5LBNbfBpHu7IGn9ADRj7i95bXTypv+iqd1U8JcXYRl
//r+TOdCNo5848Pri5OPH97Ir2EmffvGR6FoY1q21zkLe1WT4EpSvUVDtgmp
bHDBTjeA2ECFnaMNWtU7nAoR6ZBOuZx0L/Noc+ek/5lJePtIwJZ6qOqlI974
QrwI1YMDUHylL1dXopNBc0i96yJfMItcl1fXNAgdg6vrzbYzyVO2Ls8C9xVt
eYUV1OVcxglczpxpeo2ONJG3bpxXWx2Opao5E28Z+Cq7yVdbHIK8YjlREF/V
pD9JpRV0onB2aQpduYY5QLSqyIB37m/1LdyaiSgkGlcoFKhGiotUZ0bmNyQI
ps2igv4QC0poR9CrLGAZ/SXLPowql2mqy4g4xzTZrgOBm4xFN60q767hB9BH
aM7/i/gILELvJ8IAmrpZQLKfp2qKlFtLwg0jjCg1EoAkeemtnsIyvQaltt3g
HfZFoMKUK8liJ2YlEzgmDtFsWwk//gLhUbKZZTodInZm5MCZpc2iI5SvZO0X
yZ5PRBYR2Xa07PlqS0pjSeyFaehiJxmxFXMpi3qRSXmwtWQYfDziFdp2kIKm
Q3opb2Q+v0Mjp2qTJjQiALZQi1DSpAlMTxc24OeW1MxZ3rZw/LGP4iLIvC5J
HoyNSH/D+wOxksViBSeVtp8+PL3MW3A8zv5iSvvYwJnNsnWBU1i2a8yMdoDO
GmuA7BPpt6Ltfv5EGgrRjew4LJP4aFkWq8UMI4h4wdp4kZAtt7RBMAjmX6r6
dlWQw+lVYLPbdDVZfptrsRowQlmRa/DPLVGEqEr/HQnpUaeBFrYgk6air4Gv
WKF3ccQoEGbCnEaCjcwE24NZJjSCD2dbMxxnIgyzJtZOvA8aQAYl/oB+J7uU
qJKvhCHeNPnVmgV1YtCsfdCHPv47kTHW2bWeBHwwWILF7Go2kYMDwSbnLD5C
9EtZxiH+c580dD7nA+8NFjVRsKy22OTsAIUT3Lb1vFRbBfzvn2GhEU2ePvSl
2AWjTFSKGOv+WzKVg4MDaEA2SUvSFENTE2bYlcg7Z++wJg3WI0w60T8tTEEv
EVkH0GnxXoS7x4uQsR89gtJfbhvoVAxc37Zm7UlIjkygFiaTqAuaN0mGnnND
hKF1EOO3qqbhKJeVajlnFJ1ANJGJKxS9pXNQsZkC4gZFTsacLh+024DMReti
rzY8a0qPjiXZnvLSOv9CJOIHe34SaSV6Ztvk2HiSoXPmN/WSRB2FQ7KFMLjs
+YFu3P2Bi1l8ZVU5wQtiuo9YXY7/bQbwe1o9zElaANyrRnwENhDYBcTEKrVg
1QqFVRTvjhw0SHIy0CA+8I7Re4qIa8mmc/zOmO2vTqMsmZ2TSxK5N5Gbg1+y
AQ4lRD4k+Vfs/MLYZkUB7U6UJReALVUOTiCaDB7fbPgRNf9T+1pc2rYoiCOJ
bzGJKZZMJxaaImfGZGODtMoNxomOngtyYxLzkD+Kwl2xBXG1LRd5NS9U3jbF
VOfFKsxPfrVjE4wkRjjCvB6xYFwUgRFB681F7zlNIBiIdDTvtgt/p+Fod9dE
DuJA2oyHD7Pj2L3qb88ctkMbEw370dJ62uVO3LvrpvAuwbLGIQajzIkJSPrm
ZCgdzlgy+JXEHnrLQQssYtE7A/T4smRx9ih9/6dWxMF3Aye/yGTLVpVFIjVo
wiGgIpZHVpS8397grGo1N/fYQmUNwAdtn+2PfEXu7AKrqMgBhGnANIjYPRNL
ULWFpgRgEtEgkN2f5Lu9aA1vXT2f563Y0To7sczb6JBiLBMgXd5ckfkef1w/
OzzFiNkc9TZlUfOCg+fcbi+na1LMJZ3omtgYE67mu9SOxwx4MxLaMtklxEFM
TttbxKebz1xbLzsIYdh48y80n7OUw0jtYjLGaMpNNPaRLevDxdkkO7s422df
HnqBtrSd02kLoSdjY2H0T3LAs99BjT8eJuddlKZnX5E2KkJU9+GAlsQYiMV4
sql48cJE/QL19EJYcMSz9XHYb99eipkjlJEgie2tj8nZmGsW3PRNMWngZ/Y/
Mx5uxmd+fXuWvQ/SPAvRs2iQEKah8T+d/XY6/XTxafQjd0et8TG8CrrA3KP9
odeHH5OPRG5K/IU74+oYvfeOUuPtkBojgXMjBRFdhEE6ilrt/YHuCrPzWuUV
/zss+g6Knp28Hk7yjhA9hj4jLZSdsO0vhhkN/Xol5sOJ6EM98KPk7ctzyC8J
FHQShBYmv9yp3NPQH3siQZ24JJYYWS3iuUx6Ieso5rclZe4PIIsW+fo7WvGW
1KecPJiw8K/a7MH7z+cXDybyv9mHj/zzp9e0mk+vX+Hn878dv3vnf5AnHP3H
x8/v9O/4Kbx58vH9+9cfXsnL9Nus96v3x//xgDW1e/Dx7OL044fjdw8kBBgT
DrJKlDZs5GZDXCXRSkuCsA/668lZdvhYnbzDwxDfOnz2mONIhcbYOLAs/0mE
3EFuk9uKzyIoPM83JWkcmKcICNW3VQYVR1R0D0l7NOuyqlf1FWnrYw7WJEEv
1sNl00L3dzh1JBfZlKCf117Z2gJbMVpgT+lXy3/BH5TYDsRqX5KmgpIHLVsx
WZkcfnw18o8eERc798fL7Iatjn97cPDgmxukdl66l5mppDnELchUVohxsgvn
kwr5HFzEbEpPbMl5LP+F/1I951USvMOuUG4dKsHUNkOQxgxhXpPJ35wUH2lW
i9PaODelj5115KNXJdxxHtKbSmx1kKQni5G9kZxjyS2Zh18k9aPfk8ArvbGy
ICype1ZOFpHVgdrtmuM3o3sgrv1duyC8MdwFuGhqhTD9j83YkFRKXcGV0qBb
6+O+OaRCB7uQZ4oIBIsNRP9H7BuaL3/nvOj0I/RT7wuI4RG113Uj2Sd9NaxE
jQfE7sY/IXFg4D/4E4viBlFHSQZsGd2hoWLM9Ex4bJLBu2R9z9pEnaJWtVY8
qRPdn/ByAXnO4ejvE7CMAtb5JU5VHjwSjEFDJUFtkdE6pLHUNPFvWO5sLJWW
VyE0JR+HcX1ZFKwvxKMiMmI5BWc56IsfIz/rVb2mmfpDyEzfdsb28ZNndQn5
jcMhsTymQbzCec4fJVmZX101xZVZfzkRGGZcoCEmsRFX3+9oYJNwJjCHeDcG
Lxm76MrJ67Slc66GI1xkH8O8h4yt0g3HiUpHGtlM87WYDS3zIn5ExLHxUD+y
ku+swKbPwcjvrOC/KBMk/zKJEzAibe7PwgyFiIUSzraX5C1ggqevdN0ch9R8
WpT/aa/LdYZkgnjX5KNxyJie1uxkU15xSEVs1I0f2HQDQkGlpNE8ZCOr4vhG
3syvS6S1aJMwxt4yjpOQVCdaAAuwsDHhFH2spieS9Tgns8WOl66ljX5lHLHi
LF7C/JyH/yTpiIZVPIITIhg1pSIzJ55pO7AAJ9g6TkXCEYKfsyCx8P9rCvTU
RseUcG6Ho7zC2RuLCPGnYlnkU7OiDv24cIfmuaaT6CMRV+M7tGqICeZkcmbh
8/PybC9lSUSJeVcrF2y29IfWVgmTigdR81kdzdrPANGvU437RyaKWECBGYOO
glyXlIVqcVESPFuvGgaGCU3avjgyZ0083T9rnqiEbmCdJBP19ByZ5xD/ooKk
bv4fDrzEf9lIieKvw/N8EkJZdpCrcEIbxKbLq0qSBnk/KmpsOSextZLjrOaL
PeCRDlviqma1i2w372rvnZ75n9moUpeq20r0pajIJ+Zw3EjoFvZGEny1NWx9
bHpCP5O05Ww/sxWCiiO2KweoOUScN00pYtjLnmE8+F1NKrMX+OUtkcBKlLBi
/bhLE7S/ZNchTwmfQKIwnBvk9I+PX8OuaGokNc4vPr1Ol5mFNf7ACgNL/BdW
GH9UBqfjN1ierCvXyFwc/PEr/h4TlxWHnZqBO0ZMe66++ymtq0QWw9sudmoE
kQJ2zBnDAYAYWU9tFIWSMX4RnS7/ITJSx5SFcYqttKh42+WNT6IH4kwgZSE1
LfMAK/XdOUcHyZv+otFgjKB4C/VBYGPciFXER8OCEm25KiqRTpfIBE9p83MW
avZxexJKxuJ2JGPHHbS+4xeR8g7XDPTTo7Mja2Oqa4Wm1ScKDUNMp5rM5WAq
x3pgWxMfzUmgTyR11tzwbz2iB3HwFq/yFqkvpE6UiOPWg4uyfh45SNRInCYb
r9lpSK1uJ0pCOKGFbAzqYS8xhog6IXWCY1Z87dp9XoE5GPqGudulWWLh6eyj
2i+S69xL8Cf0vELOohcCAmW+ApIk26PHDCKepU9606gPpwDh/BnE38vOu2Re
bySxIfcw+zWfM8id7D6EaPhYMMZRUelBnL2RPJaLEngiPRCTjkNB6+2qK0lO
f2U8DPJBkZDzsEvaQUaqDxSIz4tKrMo7OJakdP5EZUmKUpyRGH7WSnqerJeN
+Cx7AQDhBFW3z4slMVlaItkO1Zdip1ENoiEmDTGMhAdHtMjdrzrFzMCSEnGi
mIqM2JC3ZGpgUw+hhdciMeJYiLYvLekwJr3FxNuFRCcbLEQksuLAKzS/i5Mz
E846JxaiZlaqnIkEtIQi+6pqL1J7+35O+FxQnWE+qib4lJlowpaT1AKOAD8G
ncWQec673qVV4okP9KVkl3mMKMNBnBdBWsT+h5O7lGTJXmnBztxPwTvQsPfP
ZcNYKPdpQWNXxVUNPUBD3pQ5C/V1/vUfC81r/4Of/Edb/quI81YWHckW28Yk
NS/Z8+3MvfYsGWc7DBDDYi0aR3MhOllfI6ITNZsroigf5d+vd/3DywsNZSou
lakWpk7x0FkU4oBQF9m11kjJJHNjAD9zOBKfrI3lXAToEcSbIgqRc9+prDY4
s+vl7hDZuBMMFiIVhr8GUsHp2iaj5plocjK/5x1DmUupk8AReQdGEic/eTEk
zC5X9fxLOBXIQgUJgSiinq2qZpd3Wi+n7HzyeywbutQOlKzhvhzRzxXHC5v8
FuQdn35kJKY2yU+tao+e4bjyWgyVIpLsPk7VJxvndIzyBZ3z1YqtEDqgtLwl
EH4+L44Ry2rLwfHlqq4XsYM1LmUw5UhGxBJ74eOdgkQBkEBlbxoD9IiVRFzn
DE/hgBfPUEAwKqTFOExPYk9deGfFZ1VoezY5o0BYBNhXIxRA62F2bxTHZpEc
xtKmx8WsbNHCAUonwlrcKos8A9GkInYFloQq4CCdyWmUwdDeKYwyIjvHTJA1
YnQKma6iSLpm29IovwTvotKMt98NgPnYWqu3zbyYJlsj2ChmNxIPjcVnoTnB
u8ulxBeKiuyTQuxZcgPLlgN1ZOaxXcjyeq21URPhr0vUQAHHwWZWXtEiV7tp
R4bOFc97U5PA32nwhIeqG413jMT1dRASi1OmgQdeKi0FFgFqXcLqyRuD0xqV
xUUHoWNwJn3tqlj4ZRO30wxI+jCYQxJpfrFKQ2ifHVee0CrKLs49kKgiI4mz
bqWCxgWkQioDlQ5s4mKQjzL+gG/VNoIA5oK9vnSSSAPtX40ojmTtYmzmhAFg
YkyOw/6GxzID9LisJPHJ61mE6FEUxLIjjJXnZMTg7Q5gCvLoS8UG81yutoq1
mpP+F1lxbEUHfasQMCO2prx5ScxzhemmaAQv5xEZpKG2bJRw9DkYDorQXRTe
VAX1hUEM9ukJusl3YFODexVgk8rEBTGgRsY2UTECxsCxbms1aRhVfw/GT1PD
x0m5RADdRBa1VA+ME4nXz8oUsTiTVZGw48RjMV7MMcuO8X6iBEJUTEujWi2N
wkhB7ydKXlmfZpxz1Q4xHiTnXXMO5j6nRGl64i1y2iFhTBXxwzVMYoUkbyup
QQLznfhNpJnXOQOTVly94r0Rpv8Fa8+Wv022xtZcdAgDAxXGop+5MlR1MD9w
ETJPPn7Qe+dwWzm5MqXDwda0R+6TLSWPCaRN15AMw0HsBBYGcRZbxBWJ+Hwh
FotSPN7uqGJHthgiLsK7M/KM5FXeJjVCTBVMkJXhfEsr0Px1j5nmQP2hCqWJ
ULXZslC1j2qGK2NinJj4bXIfy3amBRG8DZCgHguqef3LItZpPAUObfT2ZgDu
h6TklJtHMMRFEzxkKwU0S5/0DZsZ04w0vsDLgaP1fm84uBLXPfEed5rcYOsk
cuKT3TALh9VvFgVBVUUFoYJhEDvZbVS6M0Zy8ALp3KuaYwEI+y8B+iNzZenj
If7X2TIvSdLUFn6M5mCKl+MLsoCwOHK0Cobis22YRK2xIgRa2VTv/0E1FEkY
2uGyM/VEKkHR6GWlAeZWAKk+NMzwL7z7QKcY1kD25wZW6sGD/djcSwLaISIj
4Yv9gPezb00GtRzxzNk6DdFwyVwUDdintbpFm6ySbuK1hma0BHqhRpY9m6hE
81PnyD/AjQnwSVL9JAG982iAPXHQBZNAzgZWslPMYT/JuD8RwiQxCJNgnGKP
BHQ/MpEGADSX7SXuydnAEf2kWIb2utxgS4Gad25QdGL56ixAYnMBx6u+lK3A
yR05dC4GWYp5Hb4gsTrwxCvRio+SL2uoEPFJaFGuqYVht5BCKJULfgP8hJKS
wvYXG/zIRch/G1xBr+k7NCHeBwHia6EDdHYU2HKcdlut4spiNcdAHbEk4ZYh
C5hgcLOosFPwJLDUa2c00EoAYpWiVSfCVpBVZGoBjY8Br/KN+MKY609tdjj9
dHERmRWCr7mNJ4hVL/O2My9RxcYjfhN9E6LXTTVC+I1tT9i1Iyk/CbTNVy1J
iPl1WSB6J/MamQ3ZLbXPvnmiiN4sWi1eLiFD60QphFQ8/PydluRwmkmElM1r
FpPngKeBfRG4jhU2pAg5S2ZeFrDAl4qaZtTEslZ3bsTcV0wojV3EdQttxNqe
SMrdPlBhAaT+BO8hML9713vZ3rmKiCcoIExf3fdEjyjupwLSm/1AS8sNjZpf
wb/tAh9G2yFEPhlJ+E3EC61MfSbyPtRQTXQnWAD3i5KxF+22ucEZ6WcjTQGq
iEH0hsMEQA9AbYrSjOwdgaaT6qQjzyYEQNdeXEaJpqbgbNJ3fB8tGAl+AAcH
SQOvhFA6IC+MaZqPmfGtL5MYXXyMroqzzO4hwDpcNHBupdcvs3OTgW/zDUMQ
YZlEkcWHD0NdvoiZDzWMwo8aro16CNlQzvVrHC1v8jQqKSM3cqTgkSYAfxY6
weFNKx4YVEDuIa8BdZAZ7x4ezB7vj1ZGBv2hp4Fhr4OPSxlMJ/WvzN2hrgqe
cAkVitA/GShrWLX9Yt0QBjIOwZcn3NJCTDe26R1NVjlTrRJUAojhgKBetnd8
8i6qnpSwyb4qUfTYKLttV4g+6RdFsmsbFz5o1I3llx5Kjag4i6goRBPbz3DI
VWF8JKAIyc8rJ1l+hpwMIpFDwnO5i8A+MB6t2lWsBi2dTLseoKQThVvO3VfG
yQznQcxSTpnUdrJCuqOwk6jx691VnSPNP+KSTskkZVGJZq8yk4fQok03UrQJ
lhC3k1dCRtF1wF1yhTY7tFUX7PFkmWr3MhWUVgXvUL0C/o/rP4vVampZUw3X
jNSEcrwPBXUxHB5HYu9TvqDTM/mBStB9MZ/aicsXcsSCmWdBzctdUiIlqu6r
9B+waLKoW+2AMO7eL31uweWrurqChxiMNzwan7vI1k1kJfHeD9S3st1hQYFB
/akTTi81pCFVqhHmggtb7TwM61RRknXZcmCRBvxciSl8Erm2oUmZc6+h98R4
G6lPCcp7TG75KlfH3hPHRLfNoqiSPiDDwJWneRxBeak67L4AUrDLfSIpcJVJ
+ycwHiSIGweZ+MG/XVycnYeQkdSejYVKNNUXQivyKKo+bxHOQMRLzWj5Swyt
bYqbeu5rLVhUmfyBAGy5Iw9HnBDZinfmk38zewe+Z2fz5NM7bhDzseK8T/w8
NOq2DYUbex9Pzs/2MxIcDVmm+5YKuJU6NrKcq7nXU6P8q55pt1NrKfoWfcNi
RBxBG5Z+WS8alspYn9pcoWIoibDQ5pbco0B3I46A0nGtV1KkxKplqZXXPlic
39VlQVlwksWhJoeiQ8TLxCB5Y2UpL7ORDoNDyAIdqcgmfI9wELoW9e2s0W6G
fEJDejvA11KYkSi+bgjUI3GpCL991bNOPLQ27OCibEzXym/ZO4BTIKFl4n/1
d8fQieMu5F7kQ+LL7xnv4HpdhPYYIaGgEwlTNwxGjKKO+yH05gCImI3ArGK+
GOTUPHSGU08ukOb+t4xucUV7tFuSSmvHewzRXLvbgk3hK7gGCaiJvLBpmMQm
L5tZD4/BpOjnLef1lPUJnR7nt65XDz5W/smFTBZFyV0v66AwaAVS9LMOnGiS
YNPOUuSSYuDNEoipnXmrZDaAwlRAvNj/uNKXMyDveGpe8HxQqAPzxPG7sw/7
2anGuFQSutdSQ9TPTqi90ukp175NyjENebccBcCyF5JLyjB8EuEI0bSZZE+5
ORlUpv+DJrqjYmnS0yXq+iwYLEEYDhcArpogP7L3x//BGprDGUCalXP3gNby
zwcyG/aakm0JrpZXpTiezmLqEe6Prc1E+JUJ6RAw0yIIERNusMvCBLJLQfKc
6V/f8DZmfzzsbyyEGLH19HLXFdF7FzsUwTL0ftOIVuNPc+aAj5EkCfXrroe+
J9ODnLqtFMsON9y8BWVcjaKg/xzLkgGmKIIOpYA1wV4l587t+WfNqxE+p7lM
FT0v/V9SjIoFOJ3HqUSGQ2Vv9sAoPHKMqOfPuLGHTXT7JhV3uerA6SJL6Tz/
jLb/s8Dp+rK82rIthjKZZrEKoXsXx3NDHxgWwM7953/+p8sOsuE/h/j1YfYo
O8oeZ0+yp9mz7Hn2Iv6d++/T7/w/96cO1mMp/8+fPzaGSZeptWP0HM1j/OnH
27vJG971/XgpP/IV0OGPl9nDZXk1tdORcbPif5NexWwC9E7Sg28x9ImXphVu
gsOIMNLjIsZdRJJ4GlpL6FeGWTo4yQvRbisTAl7CJ9XyaVOjgEzyRXbcuEpX
OnMfat8/JRxbNbFCzlH7Ako/LmVhc40cvUc6sfkZmH3WRIno5NiQ2Z2ecZPU
P4SnS7NT8nmOWmnlV2qYEYH03B+fnYrYO2dd9rNvGnNOYqVLUx8akV2XX0My
gmtAI3AiC4ckDO5ajGRyStyUs5BMESkTlc9MBjVZvktMyM9wJNhAPazgL4sA
7qnG0isQwFW7bUImRZwUSaZoAjoF5BnaZC/F4KUAvFhQMVRzw4bgJIbY6UD7
cRK1N1kPK/SQNXT2HNWkgsOA3WUNBkeWW4oUi80h7ylcbXMEwYsI3RpayGlm
OHhvrgcW4X5yE4kjhyN2U9YrK/8gdroLqBkZOi6CYfIW5osbGKQt91q94/12
C6BTKbhbBxKv6TBoSMmXTYbWkr1WbnaCXOIQMfxOwIwk/J8+eXL0BISICtU1
ipcvC9pfIo9j8BK6nxZNXKwyBAjylEIaJgK1AsxarrfruIVPW6BvSl8EMHUU
K2YTVxSVG9q7CGWBORgvSFyf8sVSMegt15knIb/IR3vne4zi6P1WkIsPPnFO
8ZAXJ4MMYCQm9q4+nZ38fPXh/enE+mbsT1QIxalNLrFA7pldWcmCVRz9jLDI
1glxEQGeyWSCai/XRY3uh1AHg3oUO2vWw9OaJuQS3EFXqRE2EaR2qPUYFKvI
HFmBFAVyQQIJlKXQFu7QrKXs2jifTqJYwzBW/QcIA48aL0TxgvaWYp75KOCx
f9hjEZjfQMqKtUXgbbriRoyRS6bpicmAr4RC0uKLZ3N2+uGtd8HgkPoJM4PS
VpDMYK8pXy09IDudXIjM9dCwEYYNRTE0EI7th+MLZ71jcQ7nYEitZtfmCNnR
7BEOppyzo4PnXMehSs57K45fkOiJnzX97uggkxY6sQoQ1AB34FzxHMT4RKTW
Gb5OtlaLlybWhDSkLQ7DnKQQQ4ewllkupqafUXttpgYmyzm6vAudoo6SPQA6
6BJN1Ji1ODE5IDhTgawdCww0/Nwky2PiMJ85eyXtBdrLGx8+8gRT3yqeEaaC
aNDRwVQbE8UFre7hHYHS7Djkwv94iLjDNOTrvmmQymib9jX35l0cpCJOJoe+
iPLEZMG2hePoEOzFelUuBOATwArD2JKgrO/E8/Hq720DLYLTgsRJSOZUowJw
EoclcaEJl2UHe93Pk+irC9D+XgfSHkZvNBYphmzdim9VFdy37nMl1d9x2GAS
SPH32ZODF0mACIA89mPdIPq25z1YtjYh/U6k39kHWP+QxQqRP14Rs1QMhXD4
2/5I3CkZ2tAXwwhTMKBcNwxPzQxNaGEmTmJwQsCLJ0RhGZTt8oqsmmaAzpsk
YWk67ddkBnIH4NF+0bSvbizxqwa2EDY+H17LOnfSozSq8yYWL5+oWvLB7byx
rplY05xxhS6dOeS1/WkYO0B5Mgc9e7mfSgon5maoHwuC+c6GnRxn9pn545P3
ryfZ6/OLfcsZsZ0uaaM+8nUAhbStHhzTAcCUw+fRsgZjDaPvGixPMOAe+IpG
6UXT3THMb8UuCt63VmeqpP+lx55JvEpxN7yNCWCEBJgqQNTm9nvQAz8TQ2U5
DVLmhnAhvdVNAzgFT4rTEeIUMnNkM6CVNlyrvae5KPFsTaxJCmbLIIKktBBx
a65ksKx0xH+t5E18wYsdstAiVHG0huYOjzByP+60iGQL7C6ZrXraBR9G/bwh
hOkQvTYcnxQlamoU2dZXHrDnc9P35ohF1oRHppov7iWF8zZNBd8UzX3JYM15
O81578XfNcTDEdnCodeXdKJCp2RfcuNC8h/J8J1vojlcl/eBrbNrrzpNW27f
0eI4Qjn2IwbHr49fOa1LkaD06/Pp4aPn07cnHD44uc7p/z86mJ7Vq93h0cGT
faVryNC4AQJ+xj2qU1hA6lwmYZNEgLvvKArVO5GE+WX4UDKGSxlzOMDAK3rv
u9Niu98o9Mi534egn5/aUUBSH9I0nWYLKd7yKFpnkCaQ+fXJe5yJKZgP+43b
YNyY82XeySUpxy+t6gvf4BgCJSmGd3scUokEZJxm3bf8fNwqN9GtbD2wBzNJ
4V6t7z2RVPN6U8QzR9R94vTsZ86MP55yfwmvukOIP1efyko26IQl9TF+/ImB
yIRDUnIL+8VZaqIsWa5sKabM571FDzdE5tkYghFzrcbjshOFlnpM1nuTwq1z
f4ZYF0Kq/mFYcP4F/osYZKyefX7VR2L/nMb/pP/1Y3/BH2k2Eq+PgrwCYfOV
2ZMEu/hzAimkh0eM4QnLCgkoK4IsGv0DtOtejCTDJS/yt+8MNlbY+mdAsPG8
w4e+M1gQnZ2+0LsUJqHJvYMh3t1drqYej6Hxbr+dEYMoWjpOKpl9gCg4wH0A
QRmLvNd2psxn2tT8ITffpIejJucCqNaW8j5e+nPUBytpwDQLDdssQ6Nhdilb
GHY+46uN2O0ksyBuCAcX3ffjMYSuda7VOyBEcqwKeHyDZrsKQJNodzo0Vv1w
EP0d9Ab7wYCvihFxF5y9wo1YfL4f/rjmcCVsFKpcLWc+RjsfiILTKu9LuFus
NxBzpdvH0X2rbnNovHf6KnuU7cVNyhidon86yvbGOrJpPYUbFgGE9utkD8Xd
TpNQR5zPd/Wl4KbEcJWPtBZfACyA7FoVUyzgOt/REtvlqWA4fS2yXxvWBCHk
wHyMlUm7JWC8oMOETiGmNQoRhc0kyshK+lHpwHlX3QDFHHKIUX6l/BSzmB2i
pMXh92PygaOQhO91N7K0E2mpZafW4V1JYcnZuiTFNUALTMbbMkopiXVybIWz
Crmaw0fMjHa09jsr5634FYXNdShV0o/SiEm2w2lpVsINHtd3WVznN2Xd2CBC
XpJ4LgDeRjf00b7CSoZNEHEMShVAjSL3OJ2XdNzL/ia0jLpgjJSM8g0xYjwb
IiU6Iy4BOFTGi6NTahPbVFirX1kjN6je3TfZwI33dVaOesrztlvpge6/hkrN
3idPou6kpHhlN7rI1S1Y3xSJHDvhpK8gdpGDHF5VtqQf2lCDZJTUIxr6vTsD
SEnw4K6rFCTwYTDwiTZ5QYlMuFcT9cpk6YpAyPXCAA2V6L1RDwWk+O1+aHrL
N+n1K/3zpGE4ONIOmp3j3isZRyBXy6k/CKgp+KKNfGTBq51rt2W4oaF3suLG
WvyF70uKUQERJIArvub4LEuC3nxNACBqgSOGDkfxXVuSJrenRbroXUKaUPEB
h6T1/ywlt0fhCzY0LtfzlVpMjMiwnjphnB7aDb05eOQ7448e13X226lLL1mz
LseC97fkyKBWI+qNkbsYqiyHDGpDnRLhtdH70R6iHzhgf/3QtN7HEF4qvtKR
a6W7mVZBRNVxXqkxwAKFG+PXsd3X8JNo9RFrihq9+HHbbI8huXY7piXbOEAY
VCwXbW87d0+H/mx0ZnK0xtpU8gGLsRCt86j/0Fw0hDmMDdsiwqEK4FECjpmv
1JkhyzjGHGMzDOe9Cfq7rNyY/vZQubt6ofqTIUcn+tNPbX+iHuBlt6NBlfqb
/LK84/DCIDs7yfr6tNQylNCltdegD/DopLcq7twmI5QWy5Vs5ZJPIfKCRd5p
T7m/ZAJb1cBggqZ6qe2GuBmrduAp18WUc9rWPUIuhSuXgz5QfaIG80mxUfZp
oeUdM0AvIURER8BeWpiFskqfQ7QgTdwJgLOT1jbopixu+4XiugwuKXnDAPCx
9rJ35kV5V+SS8T48dYgl6QFJhri20aV6OsTP+2mPvvKDpJEePn3qhBM0nKAS
6cdn8l26KdGiJkz3002KoEhIx3OYgtszwRBpLa/ddmt5i0L79SDe3MPB4g9+
0S8T2+Zn3VK9H3GNQjqv5Un91qmlay21fg54RmlxYihUTg8nssXFsiWxaCNB
Iz5K1Eb5Q3IWWBDd+ee0zfKIHhlcqc3VM1IP2+/ALH3X1XQzSkjnU+WxgJy0
Ije9p0D8SzQYctpZvG6suHqs/RSXQMGSMkwuX0NFrPDSsaU/mJt2Dh1pd9tL
QQgum9XW0HvjyqyRbtl2mLBfzvbrzpbYNqe0Ti7KNTyUgqVv30tEsMWd3rpk
1xWL4namNQf1gsO8BSvT5Nda5JZoyNTAvUPTaupv+Ik7lO24s+w7umApRqYY
kSmKgRlg65/4+XB2GNdpcRem9yjb1JYKL3EJ4l/8JTGGFKpqBr8U0rcLsb1h
naUTsKsffeId0seC0Y8H9vWI1hHRxvdFjItsZCSecjwQL0iP3Foqy0lxPXry
1E9drjWhw0OiVpw7zirwZDlpGvdz6G+MXj/pd8ab9EnGrZ8I0f7AZLUa6zeF
3IfsQ2NgsvGr9PjCJxrgMo6jTXof9a20tZyy7wrVvtFTv4zDnOS7r/sJLjLQ
tB5QYDunDr8LBUmJ8o6Tb/eF03BTpow4s4tRJCJqNvNPkYihTzZ1LvWE/DPp
KOhNDILLeqc39YpeStouzouKvILaej/ceeOYCzeOoaB6DBtIOgwt0DiTbTPZ
cE9zj2URT0A6m1hjnia6EMhCGqNlvyoAQtnvnEnfxsXgx1wN7WWFcrdBF4RP
W4GPYK6hLaBUuYp695CsLh46eQOun6j5pJfHRKIIPiClteB2cebCbvCJFinV
f9NzLrnyS+NlebN+WcdUzOyiacuAz6+L+ZfWtydNRrQcsTjPL15ILw3p4de3
nDh8Rlud3pLOIAp+/egJX9Y97KF2m3fz6wX56ojr5CtuwDeA8lnwW5t6+xZV
Y9NVGNfHCGx1kuDvNQdmB/18nq/85YW+hUJslu4sM9BX3iqtBt2eEiSLj9bc
VX/GjfRuq7gaeRZ1SGp96N8aPIK35M7A5MO8CVHouz9ZVxjyeLWbxY0wpqsC
gpTLBX0vgPfHf/8HpEMM+e62lcAUY9jy5bZpuxhQZLGzHJdHVUNo7qcInSo1
yKfLEcOoZJcUnawjhGm4jRBJZr65PlELTXFZ193+ZJg5ZyIOgLE9cCf93XxF
B5QU+w7LbXRfX3xNRtIxaNAiSfMRjvudQF6OxSSFVrO0bZ73Q/whY6O2kjAp
w6LRRVU6uaS0hNaniRhk6xQ5+TyUXiSGuCSIcG9QcgtKbJEnLUvEntXAqUzc
riUemruA+XucWtTfadz8DSWd3OIXL4dr7P2zPnrPhnoWG+r3GcZjV9neH7G6
z3b2oztbqpJo7EqYYVVWrNG6esO3sKF4tFyXXKg8yQbX0kg//GRf7C7QOJca
dyfgnkM9R6TZVl7U2DVK5uxY8skcwjuSGpHFHPIZLs1nTHy5qYWqYuoNx3X3
kSjzJBJ2XpOIByowPdpkRHInNOstHwtoufYM9uVa+6lkJ2efpY91kLdxo3EX
3RrfawQUX/OdHlimH+ykQHDHhpKkZe4t5lNAdYH6DasDaXRJrtQlL5PwCOyk
/kkSc8kXJaP5sp+KdWCJhya7FR1WmOpJ5WoCAFwWt8TqcaMo3ol3tGnzHft+
LGMYhGlKNCVNch2rNpPguYvhF7V/9q0mrouycT5wMXqtr88AhVCJb0NAJ4Fk
FPLd6avsUFVJIWp6nUiW35BWsZpJLS5Azt3qekJNA4QKLjz015eL+29wkxdw
j6Eo4Te5KP5Av/MFNBoLQg6iiYPtQuJ/35I1PT2udmRVd1yoO9IbAJKS74Gm
48h+ALdKhTLj1zx+CGa8IARWsuYGsLl/3dRbw8j3Dl5oQQ7AcWhZ5nw/RW5w
HX1C/CQx3fyajuWPszRbJx3y2pA567XaRGg+Wb5A6fT+ScXWO/Rojow8tTes
rguIMaOCBXvMN1I8VjuaGoaAQjyN7QGLEoUrM33NxONnz2mTnb8N6dnBC85Z
QZ9ycXGvfUhhrRFUucfFYgOCOX+/J78JlV/wHTuVXt+cYrvijeNwJ2LgvKPS
mIGbtG7Zv0HzvF2moDHr+n0r6DCBrckrOJ1u9DEDWtjVhxX6OjX1pfQ69yGB
kvj4ozWIiSOrejsB75a2G9N90hrTxtKTDh2ga+mKDwB8jnZnU/oOM1xb+Asv
L7mJ5FjxkPO4QsEoq8muPGx0RfPxipue0MF7n1fIuN6Bc8furnPugJ9scD4K
NPfdkWMwZVQupwLHUswJvBweHKYOl6gPpA9Za1hJAdC95rmTfR88mURV4tPY
A6+QBt2BQzYm8tXQ6TvqX4n2XXSmz0tkk5IRckn4r7VOQQD+XDaFIiRBOibg
6cudmBKipznSEj47ydw8aUCzElwpVsFXwqHsKExYSzERECJvYZa9kvsz+DBq
TZQqyrLmqyjqdZGukpuERxqp4Tufqmwl6i6B+qKbccArbCu5qGYxlj1FE9uu
XCXbq1W20U2NBpRYRBk2bqklHWGlgyeMGbTV6UdRrFaQ2HjN94kA42CgZL5S
YpQI0kFB3rUOIx6D30rsnME5vfZIKQuGGdJB0hbuEVnFIY/Qhak3zplK+6Pe
4FHKbbFpZUK4KF6rAELnEBfMALu3BhK7SC+Njy+2GLY3l5xpWqvfu+hskt4Y
1LsJT7pS0mqlVc5d3WlA/jTn6CtHkm6Vx5GeVyPKul9G0OGhpxt/VsGKXCQU
GeNsafcqi9vhHR7JV93gq+N9eHCGNATQFsxuN0krcGedS6HLoAPbnJNnSaup
UKnhoZIIVHH+Ni0KScucDd4TDRBaX1ySUciJ6s7i2QPadT5yBvcOV60uRVdy
O7kYQ56lfvegcCR1azHwXXUi5hsz6/RC1RO57Rm8Ed1FYjgcqB3iduB6wy0n
MxTd2+UVem9vo4wAQ1Hu8EX/hcGlD1YMMgv9kspKkR/k56Y4+YlNhvObl6Ra
BbWhF+igPQHUslr+CM8nnUP1W7RkaQubtCsNHWKj8xaSHbOns8N934eC+3tJ
34Ygj8OHBhSVdEVckoqtGumVS7wmc2OO9afP5CS9egvHmutA5tqrEw3zWhho
FgRmQbnTW0Rau1Jo6AYqPHTnGPHo7z8SjIMF1Gl4vWOcFMN13qzZbQaZe/FY
pwLG4+PYp9Ll+BAz5Bc8CDKz2Bw6sAbIzuTxNBzhtJPuRa+4ItQyhezOT3Hd
zkgmkL5D+6u5xm/S39ZKxBirHvUQLeNO3i6qnh3JKJhDHcGHvTOpHR41QMMm
a7kpVpyN8awqSh/CAXk4jW9Me802OVVLG7htNpy6CLCtqPk7B1YHFbefNaU0
cr+C6tKx7lFNaqvYNQsixUKcIE8VQA1SrcnNmGUQDP42G8FQW4wmbRGzadhW
48I8uA4JRHONXvV1Nap6uhonQkwB6z5r1x8JjFsVUdmmF3BEMX02HcWOSKh0
x40VM1w3y6k/BM/EIhi/+wIr4Z6h4owxjkzo5WkknkRK2djHLJZL6LWkyOa7
5j77mtW81NaQkkjCbgxN83BxlFzdFNnp4pW1O6ITbqex9lUjQYE2aSXt3/D3
Zmr6xZelB6sy0zqwQJBFr4Lal9iR8ZvYe/3dtparCp4S8SO73yuYkw+akcku
TFU0SRuGtFQqul0L28+RBT+AyorkmhFfyiFd2qQGjm12nz4NRnsy+qAqkbYt
Nvisn5xydz/PrALFFIbdVZFmWuR+mB0neMj43QSbtfE3ZXNcdGdK/LLwiBey
h9xpJym/70ymd9GbGcS9m92S6cjteThwNjPtuD54K5imXEXii4OtHZXgVTOc
VR9WmqTyLIof+anrgvOWY7jSdyAC6fKlBOZolWrtWVuj1G/gvILI6PhAS9Kx
d63aGOWUU3aWaFeIpfWqGHVTpemTHSW7p3cnm7fg9Iqq6Q8fL0TttPVKtU+v
JxW3tPJJfpY7pAm5HZhEfNpdNb9u6kqvRgNfjLuIvpFk2gMrPWNRz/vo3vt4
j6xIh80IIawfLxI/2rCBxMUP+ZKT2HLnHCdHP+RmWhIeU7nx3pxn8zxNCqWR
Z6Z/IjdnTnL16delpa+WsXKdfdRlVkKAqRrQ0zfJaM7NFVcf3+UbR5dpxLwQ
rt3xRa7cYT03NXsFKCxH9CPBxjDogTqirb7QK48S1zXK25JZy51wasNvyEHW
CFpUWwLwYlpwXC3S1pT3XpEknv7p8YfjnpePKsCRTnjSVRQNNH0F4WmoaFFA
pbdhGwVxiCDgr/j+oF3csS1pVOq+36l00HcTwWlt1PQAcYL/WuPTsJZX7QMn
U2yA+/qz1xOVPBqFZGdpme3IP39mn3yxwlhJ7Y9X0Y49gArTg69PX9C/nh3g
p6f46Tn+dZjtPSg3y6//fID62agNN4sBqTZNtknGenaEf73wP2EYOoUYxRYU
F2noYHeM5efFw+w2YRQbq9fnG8PdMdYjLO8Q/3psA5ILEs8r7ld//7wwwtMn
+NfcxuKmsGGst9IsNiqTGRnLCnLz1aayYlyFIVm72+hYPPjWa/PKhTeflM1+
4NDMWbZojsTYM+N2l/22lv+T21o+0D5DOGT82IPwGu7+3vjsiQtn0NJN0hmT
uZ9HG+f1e9h7jJnH+ffg4OAwG5aIY/Q4U55l/vFH2bDm2z8uVUjx40fZXVXd
3wEU+BEeZ3+OIG7/TGC19sE39A8TRkHXcX33HRwklRVx/9LxDf2GLO1t3LWU
bCwBF5Hx+RoXCnRoRl8Wt9oh6tVZdgbf54Ngjfps5g1A5TfmLb5JBS8pQEkT
rooNHnazEt1WyC1ywWeXyBfnZ4m5QlCZ9p0zONA5x+HiCQ5RSIQCRg2jvjkg
wKE0yTlWX6S9gv5d23MK5KJu4ha6bA5xaV8oGLbWqhEB0nbzCvjD8hjIWfXl
pq90in+FWXiemlg9YtnQocJFs6r0mWbSx7SWnErbgz+HoqiUCoJ39Itnsv4u
U8ze8jG2EsgF4hb1RiM7DsV58HgmPswpd0/0PitUNg9FgZAzBeMRCdB/Szcm
EhP8W2bBqAkXJrLcdlJoQUbxFosnGXI4y84lutOl7CfNAEJtZmKzWHu+id6s
q43xIixXvgolntEoGqTUnj9ai4kRfn+LGgqU14M7dBbt/3DukSRRR6sirYRx
b6zDuty9aq31kPjcMurT56W9F/v7W07M5Dd1KU1lyTTpBIIiNyLqsYmKNzxI
aVg6NkmrkjGCAHmAJz+S1Yy07dGa5CR+VyraLMyF2YIoTQO8/vsFzZxxh5FF
y6v7HlyaS4EkpCBBBZ/eyewejYBjDh3BDSmiZJW70TAbHx7yG0dLfTwTTAcZ
slu4RNuryHXi/Izm671ECg5mKJPMsgAK2TEIJwaECA7fuDUIEb04UMoJ48nm
i4U8lofTIEnhmfu/lml8ClazAAA=

-->

</rfc>
