<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-pang-opsawg-cd-oam-problem-00" category="info" submissionType="IETF" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="CD-OAM-PS-REQ">Cross-Domain OAM Problem Statement and Requirements:Across Trust Boundaries</title>
    <seriesInfo name="Internet-Draft" value="draft-pang-opsawg-cd-oam-problem-00"/>
    <author initials="R." surname="Pang" fullname="Ran Pang">
      <organization>China Unicom</organization>
      <address>
        <postal>
          <city>Beijing</city>
          <country>China</country>
        </postal>
        <email>pangran@chinaunicom.cn</email>
      </address>
    </author>
    <author initials="J." surname="Li" fullname="Jianfei Li">
      <organization>China Unicom</organization>
      <address>
        <postal>
          <city>Beijing</city>
          <country>China</country>
        </postal>
        <email>lijf299@chinaunicom.cn</email>
      </address>
    </author>
    <author initials="J." surname="Zhao" fullname="Jing Zhao">
      <organization>China Unicom</organization>
      <address>
        <postal>
          <city>Beijing</city>
          <country>China</country>
        </postal>
        <email>zhaoj501@chinaunicom.cn</email>
      </address>
    </author>
    <date year="2026" month="July" day="01"/>
    <area>Operations and Management Area</area>
    <workgroup>opsawg</workgroup>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <?line 50?>
<t>As network service deployments increasingly span multiple administrative domains—such as operator edge clouds, tenant datacenters, multi-cloud environments, and managed security services—operators lack standardized OAM (Operations, Administration, and Maintenance) mechanisms to localize faults across these trust boundaries. Existing OAM mechanisms, such as RFC 9516 for Service Function Chaining (SFC), typically assume all network elements reside within a single administrative domain.</t>
      <t>This document describes the generic problem space, typical use cases, and gaps in existing standards for cross-domain OAM across trust boundaries, and outlines the requirements for a cross-domain OAM proxy mechanism. This document is intended to provide a problem baseline and requirement definitions for the OPSAWG and the broader operations community; it does not specify protocols or data models.</t>
    </abstract>
  </front>
  <middle>
    <?line 55?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>The deployment models of modern network services are undergoing profound changes. Service paths are no longer confined within the core network of a single operator; instead, they are widely distributed across Multi-access Edge Computing (MEC) nodes, public cloud environments, and tenant-owned datacenters. In such <strong>cross-domain deployments</strong>, service chains (e.g., SFC), tunnels, or security paths frequently need to <strong>traverse distinct trust boundaries</strong>.</t>
      <t>Existing IETF OAM standards, such as SFC OAM defined in <xref target="RFC9516"/>, are primarily designed for single administrative domains, assuming that the entity initiating the probe and the probed network elements operate under unified management. When an OAM probe must cross administrative domains, existing mechanisms fail to provide secure, privacy-preserving fault localization because:
* The target domain <strong>distrusts</strong> external probe packets.
* The target domain is <strong>reluctant to expose</strong> its internal topology.</t>
      <t>Consequently, operators currently resort to ad-hoc methods (e.g., manual Pings across VPNs, proprietary orchestrator APIs), which are non-interoperable and break OAM semantics.</t>
      <t>This document uses cross-domain Service Function Chaining (SFC) as a primary use case, while also covering MEC offloading, multi-cloud interconnection, and managed security services, to describe the generic problem space of OAM across trust boundaries. It analyzes the gaps in current OAM standards and specifies requirements for a <strong>Cross-Domain OAM Proxy (CD-OAM Proxy)</strong>.</t>
      <t>The scope of this document is strictly limited to problem statements, use cases, gap analysis, and requirements for cross-domain OAM. The following items are <strong>explicitly out of scope</strong>:
* Cross-domain service orchestration (assumed to be handled by existing orchestrators).
* Automated discovery of cross-domain service capabilities.
* Billing or SLA enforcement mechanisms.
* Modifications to existing data plane forwarding behaviors (such as NSH, VXLAN-GPE, or SFF forwarding logic).</t>
    </section>
    <section anchor="terminology">
      <name>Terminology</name>
      <t>The key words "<strong>MUST</strong>", "<strong>MUST NOT</strong>", "<strong>REQUIRED</strong>", "<strong>SHALL</strong>", "<strong>SHALL NOT</strong>", "<strong>SHOULD</strong>", "<strong>SHOULD NOT</strong>", "<strong>RECOMMENDED</strong>", "<strong>NOT RECOMMENDED</strong>", "<strong>MAY</strong>", and "<strong>OPTIONAL</strong>" in this document are to be interpreted as described in BCP 14 <xref target="RFC8174">RFC2119</xref> when, and only when, they appear in all capitals, as shown here.</t>
      <ul spacing="normal">
        <li>
          <t><strong>Administrative Domain:</strong> A network region governed by a single administrative entity, operating under independent security and management policies.</t>
        </li>
        <li>
          <t><strong>CD-OAM (Cross-Domain OAM):</strong> OAM operations that span two or more administrative domains.</t>
        </li>
        <li>
          <t><strong>CD-OAM Proxy:</strong> An entity deployed at the boundary of an administrative domain, consisting of data-plane relay components and control-plane policy management components.</t>
        </li>
        <li>
          <t><strong>Cross-Domain SFC:</strong> A service chain where its SFFs and one or more SFs reside in different administrative domains.</t>
        </li>
      </ul>
    </section>
    <section anchor="use-cases">
      <name>Use Cases</name>
      <section anchor="mec-offloading-and-managed-security-services">
        <name>MEC Offloading and Managed Security Services</name>
        <t>An operator deploys service forwarding capabilities at an MEC site close to the user. Traffic must traverse a firewall and Deep Packet Inspection (DPI) functions. The firewall resides in the operator's core cloud, whereas the DPI is hosted in the tenant's private datacenter.</t>
        <t>The operator needs to verify that the cross-domain link to the tenant SFF is healthy and that the tenant SFF is reachable, <strong>without requiring the tenant to expose its internal SF topology or modify its service function implementations</strong>.</t>
        <t>In a variant of managed security services, a third-party security provider does not accept OAM probes directly entering its internal network and provides no guarantee that its SFs support specific technologies (e.g., NSH OAM).</t>
      </section>
      <section anchor="multi-cloud-interconnection">
        <name>Multi-Cloud Interconnection</name>
        <t>An enterprise workload is distributed across two public clouds. A service path in Cloud A steers egress traffic through a security gateway hosted by Cloud B. Cloud A and Cloud B represent different administrative domains with no shared management plane.</t>
        <t>Cloud A requires a standardized mechanism to <strong>probe the reachability of Cloud B's boundary node</strong> without establishing a full management-plane trust relationship.</t>
      </section>
      <section anchor="enterprise-vpn-and-segmented-security-services">
        <name>Enterprise VPN and Segmented Security Services</name>
        <t>A large enterprise connects hundreds of branches via an operator VPN. The operator provides a shared security service chain (Firewall, IDS, DLP) hosted across multiple vendor clouds.</t>
        <t>When application performance degrades, the enterprise IT team needs to know <strong>which segment of the service chain is at fault</strong>.  These vendors will not expose internal SF health to either the enterprise or the operator, and multi-tenancy constraints restrict what information can be exposed to an individual tenant.</t>
      </section>
    </section>
    <section anchor="problem-statement">
      <name>Problem Statement</name>
      <section anchor="trust-boundary-traversing">
        <name>Trust Boundary Traversing</name>
        <t>Existing single-domain OAM mechanisms assume that the network element initiating a probe can send probe packets directly to all downstream elements. In cross-domain scenarios:
1. The source domain <strong>lacks the security credentials</strong> to inject packets into the target domain.
2. The target domain <strong>does not trust</strong> unauthenticated external probes.</t>
        <t>Feedback from operators indicates that cross-domain fault resolution times are typically orders of magnitude longer than intra-domain resolution, largely due to the need for manual escalation of trouble tickets between domains.</t>
      </section>
      <section anchor="oam-unaware-service-nodes">
        <name>OAM-Unaware Service Nodes</name>
        <t>Within a single domain, an operator can uniformly configure all nodes. However, in cross-domain scenarios, the source domain has no visibility into the capabilities of the target domain's nodes. Nodes in the target domain may be legacy devices, third-party virtualized functions, or cloud-native services that do not support specific OAM extensions (such as the NSH O-bit).</t>
        <t>Standard OAM probes entering the target domain are silently dropped, leading to <strong>false-positive fault detections</strong>. Existing standards provide no mechanism for a target domain to signal <em>"boundary reachable only, do not probe deeper"</em>, nor do they allow the source domain to gracefully degrade to boundary-only probing based on target domain capabilities.</t>
      </section>
      <section anchor="fault-localization-vs-privacy">
        <name>Fault Localization vs. Privacy</name>
        <t>When a cross-domain OAM probe fails, source domain operators cannot determine whether the fault lies within the source domain, on the inter-domain link, or within the target domain. Standard IP Ping or BFD can verify Layer 3 reachability but <strong>cannot interpret upper-layer (e.g., SFC/NSH) semantics</strong>.</t>
        <t>Target domains are reluctant to expose internal topologies due to security and commercial reasons. Any cross-domain OAM mechanism <strong>MUST</strong> support privacy-preserving fault localization, revealing only the minimum necessary information.</t>
      </section>
    </section>
    <section anchor="gap-analysis">
      <name>Gap Analysis</name>
      <section anchor="limitations-of-single-domain-oam-standards">
        <name>Limitations of Single-Domain OAM Standards</name>
        <t>Taking SFC OAM <xref target="RFC9516"/> as an example, it explicitly states that proxy functions are out of scope. The resulting gap is that <strong>no IETF standard defines a CD-OAM proxy operating at administrative domain boundaries</strong>. The absence of such a proxy means there is no standardized source-domain authentication, authorization for service path probing, or relaying of OAM forwarding context across boundaries.</t>
      </section>
      <section anchor="semantic-disconnect-in-generic-l3-oam-tools">
        <name>Semantic Disconnect in Generic L3 OAM Tools</name>
        <t>Standard IP Ping or Bidirectional Forwarding Detection (BFD) can verify Layer 3 reachability, but in complex cross-domain service chaining scenarios, they are <strong>unaware of service function states</strong> and cannot locate which specific service node segment or security policy caused the failure. Application-layer monitoring is too coarse and introduces significant latency.</t>
      </section>
      <section anchor="mismatch-between-security-protocols-and-oam-real-time-needs">
        <name>Mismatch between Security Protocols and OAM Real-Time Needs</name>
        <t>IPsec and TLS could theoretically protect cross-domain OAM traffic. However:</t>
        <ul spacing="normal">
          <li>
            <t><strong>IPsec</strong> tunnel establishment imposes heavy overhead, making it unsuitable for frequent, short-lived OAM probes.</t>
          </li>
          <li>
            <t><strong>TCP-based TLS</strong> introduces head-of-line blocking and connection setup latency, conflicting with real-time OAM constraints.</t>
          </li>
        </ul>
        <t>Neither efficiently carries the forwarding context (such as NSH SPI, SI, or other metadata) required to reconstruct OAM replies.</t>
      </section>
    </section>
    <section anchor="requirements">
      <name>Requirements</name>
      <section anchor="functional-requirements">
        <name>Functional Requirements</name>
        <ul spacing="normal">
          <li>
            <t><strong>REQ-1:</strong> The mechanism <strong>MUST</strong> operate without requiring any modifications to the data plane forwarding behavior of existing network elements (such as SFFs or SFs).</t>
          </li>
          <li>
            <t><strong>REQ-2:</strong> The mechanism <strong>SHOULD</strong> maintain backward compatibility with existing single-domain OAM standards (such as RFC 9516).</t>
          </li>
          <li>
            <t><strong>REQ-3:</strong> To prevent spurious probe timeouts, the data plane components of boundary proxies <strong>SHOULD</strong> process and relay packets in a low-latency, stateless manner.</t>
          </li>
          <li>
            <t><strong>REQ-4:</strong> The mechanism <strong>MUST</strong> support both IPv4 and IPv6 transport.</t>
          </li>
          <li>
            <t><strong>REQ-5:</strong> The mechanism <strong>MUST</strong> provide a "boundary-reachability-only" mode to gracefully degrade when downstream nodes or SFs lack OAM capabilities.</t>
          </li>
        </ul>
      </section>
      <section anchor="security-and-privacy-requirements">
        <name>Security and Privacy Requirements</name>
        <ul spacing="normal">
          <li>
            <t><strong>REQ-6:</strong> The proxy <strong>MUST</strong> authenticate the source administrative domain and perform path-level authorization before processing any cross-domain probe.</t>
          </li>
          <li>
            <t><strong>REQ-7:</strong> Cross-boundary OAM traffic <strong>MUST</strong> be protected by integrity, confidentiality, and anti-replay mechanisms, and <strong>SHOULD</strong> support confidentiality protection where policy demands.</t>
          </li>
          <li>
            <t><strong>REQ-8:</strong> By default, the information exposed externally <strong>MUST</strong> be restricted to the binary path status and end-to-end delay.</t>
          </li>
          <li>
            <t><strong>REQ-9:</strong> The mechanism <strong>MUST NOT</strong> disclose internal topology details (such as node types, hop counts, or internal IP addresses) unless explicitly authorized by the target domain's policy.</t>
          </li>
          <li>
            <t><strong>REQ-10:</strong> The mechanism <strong>MUST</strong> support rate limiting to mitigate DoS vectors and <strong>SHOULD</strong> provide the capability to coarsen or fuzz latency measurements against timing side-channel analysis.</t>
          </li>
        </ul>
      </section>
      <section anchor="operations-management-and-extensibility-requirements">
        <name>Operations, Management, and Extensibility Requirements</name>
        <ul spacing="normal">
          <li>
            <t><strong>REQ-11:</strong> The mechanism <strong>MUST</strong> provide a standardized fault localization model that unambiguously differentiates between faults in the source domain, the inter-domain link, and the internal target domain.</t>
          </li>
          <li>
            <t><strong>REQ-12:</strong> To minimize operational coupling, the mechanism <strong>SHOULD NOT</strong> require real-time control plane interactions between domains and <strong>MUST</strong> support asymmetric or offline policy configuration exchanges.</t>
          </li>
          <li>
            <t><strong>REQ-13:</strong> The mechanism <strong>SHOULD</strong> provide a YANG data model for policy configuration, and this model <strong>SHOULD</strong> align with generic OAM management models (such as RFC 8531).</t>
          </li>
          <li>
            <t><strong>REQ-14:</strong> The framework <strong>MUST</strong> be extensible to support future network data plane technologies (such as SRv6-based service chaining or SAV rule-related information announcement scenarios) without modifying its core control logic.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <ul spacing="normal">
        <li>
          <t><strong>Topology Reconnaissance Mitigation:</strong> Solutions <strong>SHOULD</strong> prevent the abuse of cross-domain probes for scanning internal domain nodes.</t>
        </li>
        <li>
          <t><strong>Denial of Service (DoS):</strong> Rate limiting and strict control plane filtering mechanisms <strong>MUST</strong> be applied at the CD-OAM proxy boundary to avoid message amplification vulnerabilities.</t>
        </li>
      </ul>
    </section>
    <section anchor="acknowledgements">
      <name>Acknowledgements</name>
      <t>TBD.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>TBD.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC9516" target="https://www.rfc-editor.org/info/rfc9516" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9516.xml">
          <front>
            <title>Active Operations, Administration, and Maintenance (OAM) for Service Function Chaining (SFC)</title>
            <author fullname="G. Mirsky" initials="G." surname="Mirsky"/>
            <author fullname="W. Meng" initials="W." surname="Meng"/>
            <author fullname="T. Ao" initials="T." surname="Ao"/>
            <author fullname="B. Khasnabish" initials="B." surname="Khasnabish"/>
            <author fullname="K. Leung" initials="K." surname="Leung"/>
            <author fullname="G. Mishra" initials="G." surname="Mishra"/>
            <date month="November" year="2023"/>
            <abstract>
              <t>A set of requirements for active Operations, Administration, and Maintenance (OAM) for Service Function Chaining (SFC) in a network is presented in this document. Based on these requirements, an encapsulation of active OAM messages in SFC and a mechanism to detect and localize defects are described.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9516"/>
          <seriesInfo name="DOI" value="10.17487/RFC9516"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC8531" target="https://www.rfc-editor.org/info/rfc8531" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8531.xml">
          <front>
            <title>Generic YANG Data Model for Connection-Oriented Operations, Administration, and Maintenance (OAM) Protocols</title>
            <author fullname="D. Kumar" initials="D." surname="Kumar"/>
            <author fullname="Q. Wu" initials="Q." surname="Wu"/>
            <author fullname="Z. Wang" initials="Z." surname="Wang"/>
            <date month="April" year="2019"/>
            <abstract>
              <t>This document presents a base YANG data model for connection-oriented Operations, Administration, and Maintenance (OAM) protocols. It provides a technology-independent abstraction of key OAM constructs for such protocols. The model presented here can be extended to include technology-specific details. This guarantees uniformity in the management of OAM protocols and provides support for nested OAM workflows (i.e., performing OAM functions at different levels through a unified interface).</t>
              <t>The YANG data model in this document conforms to the Network Management Datastore Architecture.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8531"/>
          <seriesInfo name="DOI" value="10.17487/RFC8531"/>
        </reference>
      </references>
    </references>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA61a23LbSJJ9V4T+ocLzMBKD4Fp2d09b87K0Lm5NyLJGlHt2
dqMfikCRRBsEuCiAMvtpP2K+cL5kz8m6AKAo9zxMdIRbJIGqrKyTJ09mVZIk
x0dN3hTmXF3UlbXJZbXWeak+TT+q+7qaF2atZo1uzNqUjdJlph7M/7Z5LZ/t
+TTlS+qxbm2j3ldtmek6N/b4SM/ntdli0MsEQyX3s+Th6q/HR1mVlnqNybJa
L5pko8tlUm2sflomaZZUep1s3KTJ69fHR9XcVoVpjD0/Pmo3mXZ/8f/n6vgo
xf+XVb07V3m5qI6PbDtf59bmVfm42+CJm6vH6+Oj46N8U5+rhha+ef363es3
MK42+lx92phaN3jcyro+6lIv3TKn+P346Kmqvyzrqt2cK2fi8dEXs8O3GcYu
G1OXpkkuuQ7OottmVdUwT6kEBtlz9TBR91gfv1HKrfpBl73vqnoJB63yUqvP
ZZ5Wa/d1mjdY03uT/5qHJ1N4tuFK5Wn3ncE+FeeKLqx1+Z8pf2llmEla0qJo
yF8m6jbvm/GXXJcLk8dv/y2GFPmvizfv3v2OIf+90tXQlHLZ+/LfYslvGO7X
71+fHTDl+Kis6jV2fWtkqx6uL96cnb0Lf/949qfvwt/vvj/74VzwA3TtvfPj
92/P5LfJZOKGTZJE6bltap0CDlOrAA4CSFlTb/PUqMxsimonUQNnpECYxVqK
nbLYQbVuiybfFEbpbJ2XOcfhfCqTaLT//L9/2DZdKW0BRaK2qpXJlkalRdVm
dqwaU2oAF6GhU0Ns4jsZM5EnlCm3eV2VMv1Y4L4WuGewL21ruDcYyrnCHFYV
OsUSGs24zvLf8DyJ4aQLnbGa9iyuyrGPpbwUk1JzqtYmXWk8sbaqqVRRpbrA
SGqhYR9CzzFIszLWuChV88gjE3X1FUMTI5y3G2msgj+wG4pbpbBJauadfd2W
Ka0BOGAJXz+ZXV+cwk+7TY754XZtbbuGv4sibpUpHKup2tg8M+opbwAgpZXs
1At7I/v/uMotPqet0EdmbFrncyOrUktTmjpPlSc27ndqoiWqxbJTbY3flqXe
EB/KhHUH51tZoDgryTqODu7bc5wbrGqbIi+9HXWPt2Us/Xw02Ph117l5ooYL
y2ka9jUDDrCVeHpLP+m4tjkWwhll9t6EcMkCrnNky7lp0Kf72fRvH+RRfpzX
lc5M7QEuTyJu1wjfZvdnlWOMCispqwYeNGm+2HHWpkqrAkFRC/TVuspMYSch
INd5lhXGBSj/+wN5u66yVsDhNq4fmf59VS3kr7rcj2LAtTYKTjb1suLuwIQF
na7osSUBGyC40c3KPV4S9PgRu1eVcAOc55HFZacVH/HTYOKIthCEfyZ3NkZn
Yz6/kyGf4HZgOCMY83nbYEgPhI8S9DqFrVZdkSIuqvWmFSidfLy6OIU5GfGx
aecFUPkSPThCSaonmtujlQlc6GJvNBrAp8dvo9E40l7KALTqxEyWk7HyQdiW
Jdw85rZF+nH+WhA0GAOLK41D2WiEgNtiaiPrBXc2z+A+GsmeR7Jg6hdAx+jp
CAM2yE8CSUwB2//H0/0vY/Hups7XGJYOBhEs+RAx+y0WoNdIKJy8WelGthbr
4MoE+LpxPxmJFRNRL5+y5xTkdt9jDf/mi9wE0uYTE/W3lQE3xbjFmGs6xcHg
JSMjrfRIeYGk2Q9n2RIwFNyw1ekOiszIbuIt4exA4RKkam5SDQ5DNhwpRlOj
66Vp/IzYPMEoDMMeYXaqJpCesxdE+MU0DNdDr4JsRqPaFAhWpjYYaL5uKmsw
Tt44IpKxmmpTFdVyJwi4AG0EBI1Vl8ewotrBCoupahlOZ8mqSuEJCLcsQhQu
bjHqPZYbk9PP93eMmLqCSwys3AG5KRJW4zLx9P7GAtZPq5wIk4gvE7FPDJgX
brshiPUXh0oIFWAjtQeSB3xph8T8O0mNmNYes7uYTsQcTlzYChyD+OELIABw
zKIA0+LjUCKIwWCo0qRdIn9RJYzpwZDoXs5zZLRvpCmwCYsKXex+C9nS5z+/
YcMgFpMc++PlQxltNDpUxSCnnbhCxH06BV+oQP82xS7RzmY/15FcU2KmyNd5
E3OeW12oieCJXgqH+W49NvdE+szI/aQ7EewvqqKonrhHmGntEsdoBMSDpHPa
gFxOI8Xa0UjC7aI/UiDcDpmEyomTOWI69gkhj4QIKO46JuhD2Z5KME7bBoNy
xYheAc+Oc6eH5kv1Rs/zAhRnXCS/z4vCjatmt1OQIBadOhXQkY48+bHKsJGp
T/YS4N4mSeabQpd0TP1E7Ylv52altznD+SSQ+d3sp7H6+b9up3fJh/srySiz
6+v+S6CGPD2d9EXAo6nBjkIaAQQo7BQrO6tejUYfP88eR6NX4/C3uvsUP6OK
/XzzcHUZPs9+mt7eDj70n5799Onz7eXw03C0i08fP17dXXYD4ld14OuP07/L
n4QUPn66f7z5dDflzEqERB+6xI7bb4lp8LcIBBvjVZLe+4t7dfad5D6WQL/I
XyyAfgF1GB//VQnouY9OfGw2Rtd8ncIZe583upDkp+wKYkGtTG3E2SPAdzrM
Qi4oz0Hg05jwarMkTpcEWemQ+ZLeduk0sDr31iXHHP9uKEqx9MhTHXmJS5Ai
EEceoSAJRwYn+2RxSuP4S0+ESjqXIg0WE2BrKrbDCXY4vHCNLLcMWsCpJO6G
kwieCiW8MMPBUcfUjTZE60KCI3HBgfSod5TJm6oUguGy8TREbuEfkZXv+r7o
Hg/m9r2AlOJ2aKDgiAGsmokX8WU9Nkx0x+w6Vk3UgvliYYS+X3STi8TPYM4L
Mqd8/IPkp08xP/XaMhmyoN9Znw7xCtwaq2HnWBut7jFAn6Hod/iZ81gQLeWv
lWDhZoDHa7BxrRdgJaemovTUagEWfyLqadWlMRt1L/oFgpgpydHt5f3NqVr4
RG09tYcXnYOs8so/2P5H64oAScNj52ntsiGGYyJaVbZxQcsvnTTHWyLQsIhO
nndZLTqGMlrIlRIARVNUpwM2B2N/CW7wvQTyKOc2umhWOy9Y/bvDR2AuQIK0
OAaYWNowV7m8F0SvfyGKuKGEm11HFecQldFSPhK3M2iffL1xEtlFZ0jkNyzT
t9AUnIXl28u6RZMt6yzZ6Fq+D/WHU791V2ayiNo0nb4Gf2InRRCIs12y7i0j
cBpd5YfjSGrZ6hp2GeMc6IIIa2s3G0pRL2hSOCldSVoiUL0cRYITYpqECBHF
diGK7Wao2CQgjGP8HC6mLYwkbtGBSpFs1i8CgdYu6FmNEW9uInwP65F3zbI2
IuNciDSrumqXKzJ2cOMSgHwCJ3nIgs7dEO8ncSy6x38JlEh1wQ7B73CG1Mz0
pl0hvw3JnUTncBDm8KqLynjQvYoKxFWWrg5x3RHBMGlCyNgbiCiLFM3CGcwY
AA7NBMzndiVMBYQiwjujPPs6wUuaFriu8k3YyKtuo1BeiFNmZslXXyA7VbA8
6m+w33rEKCysGeYwfA6oUdCpba5JdZEIMIvjo/hNxKgOTt0PF0/+J9eewsbq
5nI2Vpe396dhhz2aYgNzi0xMleshxdW6SnVDKetUKQyQlmopfdFlraUj4Uvm
sLqbRwSEXncE9qWsnkgwUmZZ5yun282evbnwvBSrJAiu2gbLCCT2/BDggYp6
NOTYTngK22zqfaN86yq40BdJEpOu37mTZA3s5r6RKDUESJ2BHxrJcEGqWTp7
E0Se4wsomRw7wvrTEWZMlM+OYjyKBgcvO+YupitpksdmiFNT/TZfr/j3bdDI
7HuNiH7zQvuynaYjZLNhFd+RI9cCD2eQg1g9tzB0NaR5NKwikLfA2hXPdc4c
PG3V1qnpGghsQVu/yR6dKbBKQQXpiYDEfHn5K+aOpsD3PpX1Owpw5pvJ4R5F
oHwJVwzZljzO4RSplEHDxoXTL9fA5Zzt8UVdrXutBm4i3/LKcbBc1z9hC6Jo
BQZNvvZNxa4zjTKEXCtZbAn3txBVvoGIEYkSwCuM2I01dgTBrlUbJY000Vh1
+rYGCgDtuEgiB/TN7gSWKX6bY/MNYrUv0wAyHuB9LvUTzQzNiDt2ERHaey3y
oFj7xEO8sIEF7Bc71wNdtrVvvXOYifqpejIA7lgq/4P4cPQwxMZKS3rd5jb3
xB03fqD5PEcMdv2PNswtK4naaoCMNRIZEF6YpU6p3UPno6cftnndtHKgkXW6
T+pQYcCkdEks9o8FE1nl+tj7AoCxSaiVViqPWOXSMhECyTxvTh2pznxa6+uT
KEueL4V7Z/PC9cCyukIdB61ZGCe0JRkuEE4mAR/lYrLDaobaMY1S6+r5qUTo
GmIjuuTqmjFDCzAHm6kA4ehVzKlROkqlOQ6eccySQWSb+tVojO+oy3wJykbJ
ATRgfGSS1DAR70JakTrYT5ZIMcuhpZmgybsMwYGVe+0Mwf+1eOK23/XcAjj3
rj8a8tvB05S5kfYq288DY3udSV1yxfQzuxKG+j9mHt9vJYh7RwaDocayhpVP
Y309LyjsvTYkQxUBdHMv3U4+/f76UsLV1wq3egdD3g7FEUQke//O7NhgUMAy
pi/kja7b/x+A7WnX74x9t74pjv8OdHqf9XjpB09ug0Kf50RQwsgHNNVK5TUt
d893pENo6PLEIPyXut1jjL+FRBB3EU30K9XquqVQ4aELUd1L9JOu7fRBb2CV
6w16ZN2ysej7DGCpmcvUveZl2CTrvPaFE4cDjHhqIR1gHhlqFkdjnpX1GofS
qfTE4873Ik+J4/uNRZce4QEqGkzFdmbu3x2NEOJysBKC3x+hUD/6jocbv2vQ
6BfU/PDoRibVc2gK1zB2tBcPI7U0YaT9IHw/EPQuFsIe97K2a2HLpYwQtHKI
0y9wPBdIoEgrxXdYuJR+A6ECDr82Qer22td+G2ce3+qS7VIR5UwoH3xH/Pat
jPhYVYUdUHc/8nKnn2AnUHzdTX4ZCFidIDpPfy88xxKfJLKKYPj6QtM2nCAM
8+vOt51bn+y5F/sFuIMTAkcCz7EAQ6Qx/gAkZrPwKvNsp9f7R36uNSXnR5nn
u7yANED0dtWC55R1BSlUuaKb5QBPNbR0Zko5u5BjXWCROUa6ypgMSgeY2sXa
GYGvG5gYdE4ss+7jSTJH42Y9IMqTR6gzdcf6Q3oM97BcHni8nfH+SSFGV2A/
r9x4IM29f8Y7vmCOQuc8dEhlTGpYORLtakqnvddkQWnBbBFVeG8lx8BrxwMI
87a0bd5I/iS4w+npmM3YukkKRFxfIPh+3+PFfeLSHxbC47TOe5wgqRaJHOLP
sa9fQh+u6zNgA5t2E5wr3ckFNksCXor0mr6jspWpe/WQbMSdr6wMPZI7QZLq
mvHkMPA88PrtfjW7v0FquZGgrWSktWk0e2CnoeyXegrRJDMjq4gdtdkUIWYd
IfdvsoVU72GOGBz+Sr89XP01OWNzlHx1IJWEM9vnLTCNZLTeP+3gYr990MEA
jGciz46IT7oT7WvrTj7saey909g3h4wNZxKK6GyEjFHFcGrhDNjnE73spXm5
iuw04Mn+ZZyhGW/FDJ6dAfts0m8QdVVrvUAiUuAuL/F7Hun1tdnYCJqReYFg
6S0FX8mFB3fgxp54Vwoik0AwJhGuQmAFnwZpg6AHpn73je0NSmEO1IG6t9/J
dPjjB8Z3afnjYLDvvzFYd3cmiuGkz+MiVl/JNZQXlC1PZfpFtpQzHgbu3pZE
3wE9O+trJ69inwVDWMQPYREuHccF9Avkvio9nO+lJeq6PpJ6kwJQKPby89ws
Krl+IZsZ4mZApoKYgZP/RPvcCUZESI9yO4PnJvCz60tSXC5rSZlSk/qOgnxB
c5nRE5KG3g0unvG3HvQCKvbGCHNxXe7sxGe7jFohs4M1/Mg1vOdvIjnHXs93
3aLQJgp9iGI3WFdoMznik3OlvJRQocoh4FsXG6bMkqZK2LzJGCYDK969BFd3
YilnwcUhWU7DG1Y5HRFIzm92G5bLq2rjbmu6uji+DfWjs4wNZWNPkcokJnvC
NYDDbdehCt65dLCIs9f/QgQLS8uhvi9++Rc71+qymkFdpVKZ7W10iNhBe0G6
XU6IlFzcov3tt5AZKV1tG47+9ZKlTkO2c3SamYQGMu2HGwOx4dK7XtldS3bQ
u3L9AT/7S1F79q081XHPQEofuNwj9+Gc/IcmXM/zZQvelptnvlufS3ERBJW/
03m4Tn2hSA03oTpU7TXteqt64zOJlFy8RBrPafEeMLYpRM43B1Oeh7HXCD2V
4g9MfdYRO7QvkPY6Yh4Te3DSdof6kxEommSxEPUU1K3vd4VADhcFB+t6+81E
3e3X36d3H3o3HUX0HZoneBVK2T3YGw27uyxdcg9XdqQ07s5T/C3IQVbnjedh
Vj+LuXJR67URbdInJd/Ikv5iFX21aJu2d+Gxl+2Hp19R2zxsf/Bi9Vnxwlw3
/VnVLXSJHLHIGWnHmixOoOfcomKlcxr1mTtnDMd47gzWQ0FujcTue0yYvF7G
Q0IXnMEbj4EGHyg5S51bK0cbHx2r4FF6aub7tHvCxUmiRipgXiTav2fjW3tS
u7LcEnNDqPhnXCczmHNpSnZC2E/wHjsBrcnVhocB8cltKnc+MQyBRV74RmLv
pKC/t3KY091iGFT/MQvzHGBb5Tx0g0OWeAsVaZTAatsWJW/HDcSJmqY85il4
uT2S2uP7S//rzfRuemATwgPu1i/l7NH/A4OZXcjZMgAA

-->

</rfc>
