<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-tian-dtn-sbam-05" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="SBAM">Securing BPSec Against Arbitrary Packet Dropping</title>
    <seriesInfo name="Internet-Draft" value="draft-tian-dtn-sbam-05"/>
    <author initials="B." surname="Dowling" fullname="Benjamin Dowling">
      <organization>King's College London</organization>
      <address>
        <email>benjamin.dowling@kcl.ac.uk</email>
      </address>
    </author>
    <author initials="B." surname="Hale" fullname="Britta Hale">
      <organization>Naval Postgraduate School</organization>
      <address>
        <email>britta.hale@nps.edu</email>
      </address>
    </author>
    <author initials="X." surname="Tian" fullname="Xisen Tian">
      <organization>Naval Postgraduate School</organization>
      <address>
        <email>xisen.tian1@nps.edu</email>
      </address>
    </author>
    <author initials="B." surname="Wimalasiri" fullname="Bhagya Wimalasiri">
      <organization>King's College London</organization>
      <address>
        <email>bhagya.wimalasiri@kcl.ac.uk</email>
      </address>
    </author>
    <date year="2026" month="July" day="02"/>
    <area>Internet</area>
    <workgroup>Delay/Disruption Tolerant Networking</workgroup>
    <keyword>security</keyword>
    <keyword>audit-pair</keyword>
    <keyword>report-pair</keyword>
    <abstract>
      <?line 147?>

<t>In this document we describe Secure Bundle Protocol Audit Mechanism (SBAM), an authentication protocol designed to provide cryptographic auditing services for the Bundle Security protocol.</t>
      <?line 493?>



    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://bwimad.github.io/draft-xxx-str-bpsec/draft-tian-dtn-sbam.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-tian-dtn-sbam/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Delay/Disruption Tolerant Networking Working Group mailing list (<eref target="mailto:[dtn@ietf.org](dtn@ietf.org)"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/dtn/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/bwimad/draft-xxx-str-bpsec"/>.</t>
    </note>
  </front>
  <middle>
    <?line 151?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>This document defines additional security features for the Bundle Protocol Security (BPSec) <xref target="RFC9172"/> and is intended in use for Delay Tolerant Networking (DTN) environments using BPSec to provide security guarantees, Secure Bundle Audit Mechanism (SBAM) is intended to provide additional security guarantees for BPSec communication between a bundle source acting as origin security source, any intermediate security acceptors, and a destination security acceptor also acting as the bundle destination.</t>
      <t>The BPSec specification <xref target="RFC9172"/> defines BPSec as "an end-to-end security service that operates in all of the environments where the BP operates" and claims to provide "integrity and confidentiality services for BP bundles". In particular, BPSec enables partial processing of bundles, where an intermediate node acting as a security acceptor can process and remove security services. As a result, it is possible for an intermediate malicious node to simply drop blocks along with any associated security operations attached to them.</t>
      <t>SBAM provides in-band cryptographic integrity guarantees between a bundle source and its destination while remaining consistent with the operational requirements of BPSec, which permit intermediate nodes to process and discard security blocks added by the bundle source. At the same time, SBAM enables the destination node to detect adversarial modifications to security operations added to the bundle by the bundle source and to verify whether security service blocks added by the bundle source were maliciously dropped, processed, or modified during transit, while retaining compatibility with existing BPSec deployments.</t>
      <section anchor="scope">
        <name>Scope</name>
        <t>This document defines a new security service for the Bundle Protocol Security (BPSec) <xref target="RFC9172"/> and is intended in use for Delay Tolerant Networking (DTN) environments using BPSec to provide security guarantees.
Specifically, the Secure Bundle Audit Mechanism (SBAM) enables the cryptographic detection of unauthorized modifications to security operations added by the bundle source, which also acts as the security source for a destination node that accepts the bundle payload.
Explicitly, the end-to-end security guarantee provided by SBAM is limited to security operations inserted by a bundle source acting as the security source for a destination node that accepts the bundle payload.
Any security operations added to a bundle by security sources other than the bundle source are outside the scope of SBAM. In particular, security operations added by security sources along the bundle path between the bundle source and the destination, following bundle creation and the addition of SBAM operations, are legitimate and independent and are not covered by SBAM.</t>
      </section>
      <section anchor="notation">
        <name>Notation</name>
        <t>This section defines terminology that either is unique to the BPSec or SBAM and is necessary for understanding the concepts defined in this specification.</t>
        <ul spacing="normal">
          <li>
            <t>Bundle Destination: the Bundle Protocol Agent (BPA) that receives a bundle and delivers the payload of the bundle to an Application Agent.  Also, an endpoint comprising the node(s) at which the bundle is to be delivered. The bundle destination acts as the security acceptor for every security target in every security block in every bundle it receives.</t>
          </li>
          <li>
            <t>Bundle Protocol Agent: a node component that offers the Bundle Protocol services and executes its procedures.</t>
          </li>
          <li>
            <t>Bundle Source: the BPA that originates a bundle. Also, any node ID of the node of which the BPA is a component.</t>
          </li>
          <li>
            <t>Cipher Suite: a set of one or more algorithms providing integrity and/or confidentiality services. Cipher suites may define user parameters (e.g., secret keys to use), but they do not provide values for those parameters.</t>
          </li>
          <li>
            <t>Destination Node: a security acceptor BPA that is the bundle destination and processes the bundle payload.</t>
          </li>
          <li>
            <t>Forwarder: any BPA that transmits a bundle in DTN. Also, any node ID of the node of which the BPA that sent the bundle on its most recent hop is a component.</t>
          </li>
          <li>
            <t>Intermediate Node: a security acceptor BPA that is not the bundle destination.</t>
          </li>
          <li>
            <t>Intermediate Receiver, Waypoint, or Next Hop: any BPA that receives a bundle from a forwarder that is not the bundle destination. Also, any node ID of the node of which the BPA is a component.</t>
          </li>
          <li>
            <t>Path: the ordered sequence of nodes through which a bundle passes on its way from source to destination. The path is not necessarily known in advance by the bundle or any BPAs in DTN.</t>
          </li>
          <li>
            <t>Security Acceptor: a BPA that processes and dispositions one or more security blocks in a bundle. Security acceptors act as the endpoint of a security service represented in a security block. They remove the security blocks they act upon as part of processing and disposition. Also, any node ID of the node of which the BPA is a component.</t>
          </li>
          <li>
            <t>Security Block: a BPSec extension block in a bundle.</t>
          </li>
          <li>
            <t>Security Context: the set of assumptions, algorithms, configurations, and policies used to implement security services.</t>
          </li>
          <li>
            <t>Security Operation: the application of a given security service to a security target, denoted as OP(security service, security target). For example, OP(bcb-confidentiality, payload).  Every security operation in a bundle MUST be unique, meaning that a given security service can only be applied to a security target once in a bundle. A security operation is implemented by a security block.</t>
          </li>
          <li>
            <t>Security Service: a process that gives some protection to a security target. For example, the BPSec specification defines security services for plaintext integrity (bib-integrity) and authenticated plaintext confidentiality with additional authenticated data (bcb-confidentiality). This SBAM specification defines security services for cryptographic auditing of security services added by the bundle source to the bundle destination.</t>
          </li>
          <li>
            <t>Security Source: a BPA that adds a security block to a bundle. Also, any node ID of the node of which the BPA is a component.</t>
          </li>
          <li>
            <t>Security Target: the block within a bundle that receives a security service as part of a security operation.</t>
          </li>
          <li>
            <t>Security Verifier: a BPA that verifies the data integrity of one or more security blocks in a bundle. Unlike security acceptors, security verifiers do not act as the endpoint of a security service, and they do not remove verified security blocks. Also, any node ID of the node of which the BPA is a component.</t>
          </li>
          <li>
            <t>Source Node: A BPA that creates an initial bundle.</t>
          </li>
          <li>
            <t>Audit Pair: A logical pairing consisting of a Manifest Block and its corresponding BIB, created by the bundle source acting as the initial security source and verified only by the destination node acting as the final security acceptor. The underlying Manifest Block records identifying data for each security operation added to the bundle by the bundle source.</t>
          </li>
          <li>
            <t>Report Pair: A logical pairing consisting of a Manifest Block and its corresponding BIB, created by an intermediate node that processed and discarded source-added blocks. The underlying Manifest Block duplicates identifying data for each bundle source–added security operation that is processed and discarded by an intermediate security acceptor.</t>
          </li>
        </ul>
      </section>
      <section anchor="motivation-and-problem-statement">
        <name>Motivation and Problem Statement</name>
        <t>DTN recognizes an attacker with complete network access, affording them read/write access to bundles traversing the network. Eavesdropping, modification, topological, and injection attacks are all described in <xref section="8.2" sectionFormat="comma" target="RFC9172"/>. Therein, these "on-path attackers" can be unprivileged, legitimate, or privileged nodes depending on their access to cryptographic material: unprivileged nodes only have access to publicly shared information, legitimate nodes have additional access to keys provisioned for itself, and privileged nodes have further access to keys (privately) provisioned for others. There are currently no guarantees against privileged attacks.</t>
        <t>In an effort to distinguish malice by intermediate nodes, these classes can be further abstracted into honest security acceptors and dishonest forwarders. Honest forwarders are privileged nodes that faithfully execute the role of a BPA as described in <xref section="3" sectionFormat="comma" target="RFC9171"/>. Dishonest forwarders are unprivileged nodes that attempt to violate the integrity or confidentiality of blocks it processes (e.g. by dropping or modifying blocks). Under its default security context <xref target="RFC9173"/>, BPSec currently provides no cryptographic auditing mechanism that enables a destination node to detect adversarial modifications to security services added to a bundle by the bundle source.</t>
        <t>SBAM addresses this security gap by providing a mechanism that allows a bundle source, acting as the initial security source, to create a verifiable record of all security operations added to the bundle at origin, which is intended to be verified only by the final bundle destination. At the same time, SBAM preserves the default behavior of BPSec, allowing intermediate nodes to process and discard security operations added by the bundle source, provided they attach a verifiable record that duplicates the identifying data for each discarded security operation, which will subsequently be verified by the bundle destination.</t>
      </section>
    </section>
    <section anchor="design-decisions">
      <name>Design Decisions</name>
      <t>In this section we describe the design decisions of BPSec <xref target="RFC9172"/>, and describe how these are impacted through the use of SBAM. The design of SBAM is consistent with that of BPSec and, where necessary, mandates specific security-policy behaviors in order to provide stronger cryptographic integrity guarantees.</t>
      <section anchor="cose-context-considerations">
        <name>COSE-Context Considerations</name>
        <t>In conjunction with a proper PKI mechanism, SBAM may be used in the COSE-Context <xref target="draft-ietf-dtn-bpsec-cose"/> to provide further authentication enhancements to auditing. Specifically, through the use of digital signature algorithms rather than message authentication codes as described herein, SBAM in the COSE-context adds source authentication as well as authentication of intermediate nodes.</t>
      </section>
      <section anchor="scope-flag">
        <name>Scope Flag</name>
        <t>The Integrity Security Context BIB_HMAC-SHA2 includes Integrity Scope Flags as a parameter set (see 3.2 and 3.3.3 in <xref target="RFC9173"/>). The value of the Integrity Scope Flag describes what information is used to construct the Integrity Protected Plain Text (IPPT) for a BIB. The existing Integrity Scope Flags in bit 2 and bit 3 refer to an excessive amount of information (block type code, block number, block processing control flags). Since we explicitly only use the block number in our calculations, this scope flag is redundant and we choose to remove it.</t>
      </section>
      <section anchor="security-blocks">
        <name>Security Blocks</name>
        <t>In this section we describe the different Security Blocks used in BPSec and SBAM. In particular, we note that BPSec introduced two types of security blocks: the Block Integrity Block (BIB) and the Block Confidentiality Block (BCB) providing integrity and confidentiality and integrity, respectively.</t>
        <t>In SBAM we also introduce the <tt>audit-pair</tt> logical block and the <tt>report-pair</tt> logical block, which (when combined) enable security acceptors to verify only honest intermediate security acceptors have processed and discarded  BIB or BCBs added to a bundle at origin.</t>
      </section>
      <section anchor="block-definitions">
        <name>Block Definitions</name>
        <t>The BPSec specification defines two types of security blocks: the Block Integrity Block (BIB) and the Block Confidentiality Block (BCB). The SBAM specification defines two additional types of logical blocks; the <tt>audit-pair</tt> and <tt>report-pair</tt> operations.</t>
        <ul spacing="normal">
          <li>
            <t>The BIB is used to ensure the integrity of its plaintext security target(s). The integrity information in the BIB MAY be verified by any node along the bundle path from the BIB security source to the bundle destination. Waypoints add or remove BIBs from bundles in accordance with their security policy. BIBs are never used for integrity protection of the ciphertext provided by a BCB. Because security policy at BPSec nodes may differ regarding integrity verification, BIBs do not guarantee hop-by-hop authentication, as discussed in <eref target="https://www.rfc-editor.org/rfc/rfc9172.html#sup_sec_svc">Section 1.1</eref>.</t>
          </li>
          <li>
            <t>The BCB indicates that the security target or targets have been encrypted at the BCB security source in order to protect their content while in transit. As a matter of security policy, the BCB is decrypted by security acceptor nodes in the network, up to and including the bundle destination. BCBs additionally provide integrity-protection mechanisms for the ciphertext they generate.</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="bundle-protocol-manifest-block">
      <name>Bundle Protocol Manifest Block</name>
      <t>The Bundle Protocol Manifest Block introduced in <xref target="sipos-dtn-manifest-block"/> defines a new structured block type for BPv7 bundles. A primary purpose of the Manifest Block is to provide a structured and auditable mechanism for maintaining a record of bundle security components between the bundle source, acting also as the security source, and the intended destination node. This mechanism allows honest intermediary nodes to act as legitimate security acceptors, enabling them to process, and discard security blocks added by the source node while preserving an auditable record of those security-related components within the proposed manifest structure.
Manifest blocks enable the enumeration and identification of elements within a bundle in a consistent and machine-processable manner. While manifest blocks are not defined as security-specific mechanisms in itself, they provide a structured representation of bundle content that can be used by such security mechanisms as SBAM.</t>
      <t>By listing covered components and associated metadata, manifest blocks create an environment in which integrity protection and authentication operations can be applied in a systematic way.
In this sense, manifest blocks do not directly perform security functions, but it enables and supports such functions by supplying a well-defined container for describing and referencing BPSec bundle elements.</t>
      <t>Below is a diagram of the proposed Manifest Block structure as defined in <xref target="sipos-dtn-manifest-block"/>.</t>
      <figure anchor="fig-manifest-blk">
        <name>Manifest Block structure</name>
        <artwork type="cddl" align="left"><![CDATA[
; ---- General Manifest Block structure ----
; From sipos-dtn-manifest-block

; Type aliases
block-id = [
  ; From the IANA Bundle Block Types registry
  block-type: uint,
  block-num:  uint,
]
btsd-len      = uint
btsd-hash     = (
  ; From the IANA COSE Algorithms registry
  alg:   tstr / int,
  value: bstr
)
bpsec-targets = [+ uint]

$$metadata-item //= (
  0: int16
  ; Reason code from the Manifest Reason Codes registry
  2: embed-eid-structure
  3: dtn-time
)

$$blockdata-item //= (
  1:  block-id
  2:  block-control-flags
  5:  btsd-len
  6:  [+ btsd-hash]
  -1: bpsec-targets
  ; keys -1 and -2 apply only to BPSec security blocks (types 11, 12)
  -2: int16
  ; bpsec-security-context
)
]]></artwork>
      </figure>
      <t>SBAM leverages and extends the proposed Manifest Block structure to provide a verifiable audit trail between the source node and the destination node.
Manifest blocks enable SBAM functionality in two ways:</t>
      <t>(1) they define an object type for the <tt>audit-pair</tt> operation between the bundle source and the final security-acceptor destination node; and</t>
      <t>(2) they define an object type for the <tt>report-pair</tt> operation, which supports intermediary processing of source–generated security blocks while preserving the associated original audit information.</t>
      <t>Together, these two object types establish a verifiable audit trail between the bundle source and its destination node. This audit trail preserves the BPSec-defined behavior that permits intermediary nodes to process and discard security blocks as required, while also providing a mechanism to detect any unauthorized modification to the security operations of a bundle enforced by its source.</t>
    </section>
    <section anchor="securebpsec-audit-mechanism-protocol-overview">
      <name>SecureBPSec Audit Mechanism Protocol Overview</name>
      <t>The core guarantee provided by SBAM is a guarantee that, after correctly verifying <tt>audit-pair</tt> and <tt>report-pair</tt> security operations, the destination node is assured that either</t>
      <ul spacing="normal">
        <li>
          <t>all security blocks added by the bundle source have arrived without an unprivileged node dropping or modifying them; or</t>
        </li>
        <li>
          <t>an honest intermediary has processed and discarded security block/s added by the bundle source.</t>
        </li>
      </ul>
      <t>Thus, for any bundle, its source node also acting as initial security source, will generate security blocks for their destination node exactly as specified in BPSec <xref target="RFC9172"/>. Additionally, the source node will create a logical <tt>audit-pair</tt> block, which provides a cryptographically-authenticated record of all security services it provided for the bundle, as well as all necessary uniquely identifying information for each security operation, such as its key and block identifiers.</t>
      <t>SBAM further specifies that any honest intermediary node that processes a security block created by the bundle source also provides a cryptographic proof that it was authorized to perform this operation. This is achieved by replacing the processed and discarded security operation with a <tt>report-pair</tt> logical block that duplicates and authenticates, to the destination node (the final security acceptor), the uniquely identifying information associated with the discarded security service contained in the security block.
The SBAM <tt>report-pair</tt> therefore provides a cryptographically authenticated digest of the uniquely identifying information of the security block it processes, such as key and block identifiers. This allows the relevant identifying information of a bundle source–added security operation to remain verifiable by the final security acceptor even after the original security block has been processed and discarded.</t>
      <t>Upon receiving the bundle, the destination node first verifies the <tt>audit-pair</tt> to validate its authenticity. It then verifies each <tt>report-pair</tt> to confirm that it was added by an honest intermediary node. The destination node subsequently collates the identifying information contained in the <tt>audit-pair</tt> and compares it with the identifying information collated from the <tt>report-pair</tt> blocks. Successful verification at each stage enables the destination node to confirm that no unprivileged node modified or removed any bundle source–added security operation during transit between the source and destination nodes.</t>
      <section anchor="unique-key-identifiers">
        <name>Unique Key Identifiers</name>
        <t>The Bundle Protocol Security (BPSec) and its defined security contexts, as described in <xref target="RFC9172"/> and <xref target="RFC9173"/> respectively, rely on the assumption that local security policies will inform Bundle Protocol Agents (BPAs) of the appropriate cryptographic keys to use for each security context. This decentralized, policy-driven approach allows flexibility but introduces ambiguity when these policies are not uniformly enforced or clearly defined across participating nodes. In the absence of standardized key selection mechanisms, there is a risk that different BPAs may select conflicting keys for the same security context or inadvertently reuse keys across incompatible contexts. Such ambiguity can lead to key collisions, where multiple security contexts reference the same key identifier or cryptographic material unintentionally, undermining the security operations BPSec is intended to enforce. To mitigate this ambiguity, SBAM introduces <tt>key-id</tt> as an explicit security context parameter, enabling BPAs to uniquely identify the correct cryptographic key for each security operation.</t>
        <t>Key identifiers are always represented as a CBOR unsigned integer, in accordance with the parameter identification requirements of Section 3.10 of <xref target="RFC9172"/>. Key identifiers MUST be unique across all security operations within a given bundle and MUST distinctly identify a cryptographic key used for a given security operation within its security context.</t>
        <t>Within the SBAM design, three independent use cases for <tt>key-id</tt> are identified. When combined, these use cases enable the establishment of a reciprocal trust relationship between the bundle source acting as the initial security source, privileged intermediary nodes, and the bundle destination acting as the final security acceptor. The three distinct but interconnected <tt>key-id</tt> use cases are as follows:</t>
        <ul spacing="normal">
          <li>
            <t><tt>key-id</tt> for BPSec security services: This identifier uniquely identifies the key used by the bundle source to provide a BPSec integrity or confidentiality service (BIB and BCB respectively, as defined in <xref target="RFC9172"/>) when the bundle is created at origin. This identifier MUST be carried as security context parameter TBA1 (see <xref target="iana-considerations">IANA Considerations</xref>) within the Security Context Parameters field of the Abstract Security Block (ASB) structure defined in Section 3.6 of <xref target="RFC9172"/>, for every BIB and BCB within an SBAM bundle. Each BPSec security operation MUST have a corresponding unique <tt>key-id</tt> to facilitate SBAM integration.</t>
          </li>
          <li>
            <t><tt>key-id</tt> for auditing: This identifier uniquely identifies the key used by the bundle source to authenticate the <tt>audit-pair</tt> logical block to the bundle destination. The <tt>audit-pair</tt> contains the uniquely identifying information for each security operation added to the bundle at origin, including the corresponding security service <tt>key-id</tt> values. This identifier MUST be carried as security context parameter TBA1 (see <xref target="iana-considerations">IANA Considerations</xref>) within the ASB of the BIB authenticating the <tt>audit-pair</tt> manifest block, and MUST be independent of the security service <tt>key-id</tt> values recorded within the manifest itself.</t>
          </li>
          <li>
            <t><tt>key-id</tt> for reporting: This identifier uniquely identifies the key used by a privileged intermediary node to authenticate the <tt>report-pair</tt> logical block to the bundle destination. The <tt>report-pair</tt> duplicates the uniquely identifying information for each bundle source-added security operation (including the corresponding security service <tt>key-id</tt> values) that the intermediary processes and discards. This identifier MUST be carried as security context parameter TBA1 (see <xref target="iana-considerations">IANA Considerations</xref>) within the ASB of the BIB authenticating the <tt>report-pair</tt> manifest block, and MUST be independent of both the security service <tt>key-id</tt> values recorded within the manifest and the <tt>key-id</tt> used for auditing.</t>
          </li>
        </ul>
        <t>In addition to its presence in the ASB of every BIB and BCB, the <tt>key-id</tt> associated with each covered security operation MUST also be recorded as map key <tt>-3</tt> in the corresponding blockdata-map of every SBAM audit-pair and report-pair manifest block. This duplicate record enables the destination node to correlate the identifying information in the manifest against the security operations it received or that were reported as processed by an intermediary.</t>
        <t>The use of these distinct <tt>key-id</tt> roles enables SBAM to bind the integrity of each bundle source-added BPSec security operation (via its associated security service <tt>key-id</tt>) to the <tt>key-id</tt> used to authenticate the <tt>audit-pair</tt>. Upon successful verification, the destination node can confirm that the integrity of the BPSec security operations added at the bundle origin has been preserved.</t>
        <t>Independently, privileged intermediary nodes bind the <tt>report-pair</tt> <tt>key-id</tt> to the uniquely identifying information of each corresponding security service <tt>key-id</tt> associated with a bundle source-added security block that they process and discard. This enables the destination node to verify that any modification to bundle source-added security operations was performed by a legitimate intermediary node.</t>
        <t>The management of <tt>key-id</tt> values, including how trust in them is established, maintained, and escrowed, is determined at the policy level and is outside the scope of this document.</t>
      </section>
      <section anchor="audit-creation">
        <name>Audit Creation</name>
        <t>The audit creation process is described in detail in the following section.</t>
        <t>At the time of bundle creation, the source node SHALL generate a verifiable <tt>audit-pair</tt> logical block that covers all security operations added by the source node. Structurally, an <tt>audit-pair</tt> consists of a manifest block that records all security operations added to a bundle by its originator, and a BIB that authenticates the manifest contents.</t>
        <t>The  <tt>audit-pair</tt> SHALL contain all relevant identifying information for each relevant security block (represented by independent manifest block-data-map), which SHALL include at minimum the identity of the security block <tt>block-id</tt>, information about its security context including a unique <tt>key-id</tt>, a list of target block identifiers <tt>security-targets</tt> to which the security block operation applies, and the <tt>payload</tt> (encoded in <tt>btsd-hash</tt>) of the bundle. This <tt>audit-pair</tt> SHALL then be cryptographically authenticated by a BIB generated by the source node which computes a cryptographic MAC over the <tt>audit-pair</tt> using a unique <tt>audit-pair</tt> operation key shared with the destination node. The <tt>key-id</tt> for the BIB authenticating the <tt>audit-pair</tt> SHALL be included in the BIB security context and SHALL be independent of the security context information contained in the associated manifest block.</t>
        <t>The destination node SHALL discard any <tt>audit-pair</tt> (along with any source-generated <tt>payload</tt> intended for it) that is not cryptographically verified by a BIB generated by the source node. Thus, once added, an audit-pair constitutes a <em>critical block</em> <xref target="SecDTNBPSec"/> for the corresponding bundle; accordingly, it MUST be present in the bundle for correct processing by the destination payload acceptor.</t>
        <t>A further flag MAY be added to the <tt>audit-pair</tt> and its BIB to indicate that it is expected only to be verified by the intended bundle destination security acceptor.</t>
        <t>The uniquely identifying information associated with the BIB that authenticates the <tt>audit-pair</tt> MUST NOT be included in the <tt>audit-pair</tt> record, as this would introduce a circular verification dependency.</t>
        <t>See <xref target="sbam-integration-with-manifest-block">SBAM Integration with Manifest Block</xref> for more details on <tt>audit-pair</tt> design specifications.</t>
      </section>
      <section anchor="reporting">
        <name>Reporting</name>
        <t>The reporting process is described in detail in the following section.</t>
        <t>Any security accepting intermediary that processes an SBAM bundle security operation added by the bundle source SHALL replace the processed operation with a <tt>report-pair</tt> operation. Structurally, a <tt>report-pair</tt> consists of a manifest block, and a BIB that authenticates the manifest contents.</t>
        <t>The <tt>report-pair</tt> SHALL contain all relevant identifying information for each security block processed and discarded by the intermediary along the bundle path. Such <tt>report-pair</tt> SHALL include at minimum the identity of the security block (<tt>block-id</tt>) processed, a duplicate record of its security context (including its unique security service <tt>key-id</tt>) and a duplicate record of the security targets to which the security block operation applies. This <tt>report-pair</tt> SHALL then be cryptographically authenticated by a BIB generated over the manifest which computes a cryptographic MAC over the manifest block-data-map using a unique <tt>report-pair</tt> operation key the processing intermediary shares with the destination node. The <tt>key-id</tt> for the BIB authenticating the <tt>report-pair</tt> SHALL be included in the BIB security context and SHALL be independent of the security context information contained in the associated manifest block.</t>
        <t>A further flag MAY be added to the <tt>report-pair</tt> to indicate that it is expected only to be verified by the intended destination security acceptor. Once added, a report-pair constitutes a <em>critical block</em> <xref target="SecDTNBPSec"/> for the corresponding bundle; accordingly, it MUST be present in the bundle for correct processing by the destination payload acceptor.</t>
        <t>The uniquely identifying information associated with the BIB that authenticates the <tt>report-pair</tt> MUST NOT be included in the <tt>report-pair</tt> record, as this would introduce a circular verification dependency.</t>
        <t>See <xref target="sbam-integration-with-manifest-block">SBAM Integration with Manifest Block</xref> for more details on the <tt>report-pair</tt> design specifications.</t>
      </section>
      <section anchor="verification">
        <name>Verification</name>
        <t>The verification process is described in detail in the following section.</t>
        <t>When the destination node receives an SBAM bundle, it SHALL verify that the <tt>audit-pair</tt> and <tt>report-pair</tt>(s) it received can be cryptographically authenticated before accepting the bundle as valid. An SBAM bundle SHALL be considered valid by accepting destination node only if the following conditions are met:</t>
        <ol spacing="normal" type="1"><li>
            <t>The <tt>audit-pair</tt> is cryptographically verified by the attached BIB generated by the source node. Failure indicates tampering or corruption of the bundle or associated block-type-specific-data.</t>
          </li>
          <li>
            <t>Each <tt>report-pair</tt> generated by an intermediary along the bundle path is cryptographically verified by its associated BIB. This enables the destination node to validate that the corresponding discarded bundle source-added security operation, which the <tt>report-pair</tt> replaced, was processed by an authorized intermediary and that the original security configuration of that operation remains cryptographically verifiable.</t>
          </li>
          <li>
            <t>The block-type-specific-data of the <tt>audit-pair</tt> manifest block matches a concatenation of blockdata-item(s) for each <tt>report-pair</tt> manifest block.</t>
          </li>
        </ol>
      </section>
      <section anchor="blocks-excluded-by-sbam">
        <name>Blocks Excluded by SBAM</name>
        <t>SBAM participants should exclude blocks that necessarily change throughout a bundle's life cycle from auditing. Extension blocks such as Hop-Count or Previous Node which change values SHOULD be excluded from SBAM protection to avoid unnecessary processing and overhead.</t>
      </section>
      <section anchor="sbam-integration-with-manifest-block">
        <name>SBAM Integration with Manifest Block</name>
        <t>Instead of defining a separate extension block, the SBAM can be integrated within the proposed Manifest Block structure. This approach leverages the existing manifest framework and would involve minor modifications or extensions to the Manifest Block fields currently defined in <xref target="sipos-dtn-manifest-block"/> to accommodate SBAM audit data.</t>
        <t>When a manifest block is used as part of an <tt>audit-pair</tt> (see <xref target="audit-creation">Audit Creation</xref>), the <em>reason</em> item of the meta-data-map SHALL be set to <tt>security-sourcing</tt>. The resulting manifest-block SHALL then act as the security-target of a further BIB block which authenticates its content. This manifest block and its associated BIB block are generated by the initial bundle source and together form the logical unit referred to as an <tt>audit-pair</tt>. A further flag MAY be added to the <tt>audit-pair</tt> to indicate that it is expected only to be verified by the intended destination security acceptor.
The BIB SHALL be generated by the original source node and SHALL contain a cryptographic MAC over its associated manifest block using a unique <tt>audit-pair</tt> operation key shared with the destination node. Furthermore, an additional item that identifies the cryptographic key used for the corresponding cryptographic operation, <tt>key-id</tt>, SHALL be added to the <tt>audit-pair</tt> when used for SBAM auditing.</t>
        <figure anchor="fig-manifest-audit">
          <name>Manifest Block structure adapted to facilitate SBAM auditing</name>
          <artwork type="cddl" align="left"><![CDATA[
; ---- Audit-pair manifest block structure ----
; Reason: security-sourcing (code 3)
; Created by bundle source, covers all source-added security blocks.

$$metadata-item //= (
0: int16
; reason = 3 (security-sourcing)
2: embed-eid-structure
3: dtn-time
)
; One blockdata-item per source-generated security operation
$$blockdata-item //= (
1:  block-id
2:  block-control-flags
5:  btsd-len
6:  [+ btsd-hash]
-1: bpsec-targets
-2: int16
; bpsec-security-context
-3: key-id
; key-id of the covered security operation, CBOR unsigned integer
)
]]></artwork>
        </figure>
        <t>When a manifest block is used as part of a <tt>report-pair</tt>, the <em>reason</em> item of the meta-data-map SHALL be set to <tt>security-acceptance</tt>. This <tt>report-pair</tt> is generated every time an intermediary acceptor processes a bundle source-generated security block. The resulting manifest-block SHALL then act as the security-target of a further BIB block which authenticates its content. This manifest block and its associated BIB block are generated by the SBAM-processing intermediary and together form the logical unit referred to as an <tt>report-pair</tt>. A further flag MAY be added to the <tt>report-pair</tt> to indicate that it is expected only to be verified by the intended destination security acceptor.</t>
        <t>Furthermore, an additional item that identifies the cryptographic key used for the corresponding cryptographic operation, <tt>key-id</tt>, SHALL be added to the <tt>report-pair</tt> when used for SBAM reporting. This enables an intermediary security acceptor that processes a source-generated security block to append a verifiable record of the processed security-block-specific-data for use by the intended destination security acceptor.
The btsd-len and btsd-hash fields in the manifest block do not serve a functional purpose within a <tt>report-pair</tt> and as such MAY be excluded without any functional impact.</t>
        <t>This hop-by-hop generated <tt>report-pair</tt>  SHALL subsequently be used by the intended destination security acceptor to verify the integrity of the received bundle.</t>
        <figure anchor="fig-manifest-report">
          <name>Manifest Block structure adapted to facilitate SBAM reporting</name>
          <artwork type="cddl" align="left"><![CDATA[
; ---- Report-pair manifest block structure ----
; Reason: security-acceptance (code 4)
; Created by intermediary acceptor per discarded source-added operation.
; btsd-len (5) and btsd-hash (6) omitted per SBAM Section 3.7.

$$metadata-item //= (
  0: int16
  ; reason = 4 (security-acceptance)
  2: embed-eid-structure
  3: dtn-time
)

$$blockdata-item //= (
  1:  block-id
  2:  block-control-flags
  -1: bpsec-targets
  -2: int16
  ; bpsec-security-context
  -3: key-id
  ; key-id of the discarded security operation
)
]]></artwork>
        </figure>
      </section>
    </section>
    <section anchor="processing-rules">
      <name>Processing Rules</name>
      <ul spacing="normal">
        <li>
          <t><strong>source-node</strong>: Adds <tt>audit-pair</tt> consisting of a manifest block along with its verifying BIB after other security blocks and before payload.</t>
        </li>
        <li>
          <t><strong>intermediate-node</strong>: Processes BIB/BCB, adds <tt>report-pair</tt>consisting of a manifest block along with its verifying BIB.</t>
        </li>
        <li>
          <t><strong>destination-node</strong>: Validates all block-data-items within <tt>audit-pair</tt> and all <tt>report-pair</tt>(s), and checks whether the block-type-specific-data of the <tt>audit-pair</tt> manifest matches a concatenation of all block-type-specific-data for each <tt>report-pair</tt> manifest, prior to accepting payload. If any validation fails, the bundle MUST be discarded.</t>
        </li>
      </ul>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <section anchor="trivial-block-removal">
        <name>Trivial Block Removal</name>
        <t>SBAM allows for the detection of unauthorized deletion of source-added BIB/BCB. This requires that the intended recipient performing the SBAM verifications described in <xref target="verification"/> to avoid a trivial attack by a malicious intermediary of simply removing all security blocks.</t>
      </section>
      <section anchor="insider-attack">
        <name>Insider Attack</name>
        <t>SBAM protected bundles are still vulnerable to <strong>privileged insider</strong> attacks unless asymmetric crypto is introduced. Malicious nodes with privileged access to keys associated with protected blocks may be able to modify SBAM block values undetected (e.g. forge or overwrite <tt>report-pair</tt>).</t>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <section anchor="new-registry-sbam-security-context-parameters">
        <name>New Registry: SBAM Security Context Parameters</name>
        <t>IANA is requested to create, under the "Bundle Protocol" registry group <xref target="IANA-BUNDLE"/>, a new registry titled "SBAM Security Context
Parameters".</t>
        <t>The registration policy for this registry is Specification Required <xref target="RFC8126"/>. The value range is unsigned integer.</t>
        <t>This registry defines parameters that MUST be supported by any security context used within an SBAM bundle, in addition to parameters defined by that security context's own specification. Each parameter is identified by an unsigned integer and applies to the Security Context Parameters field of the Abstract Security
Block (ASB) structure defined in Section 3.6 of <xref target="RFC9172"/>, for both Block Integrity Blocks (BIB) and Block Confidentiality Blocks (BCB) within an SBAM bundle.</t>
        <t>IANA is requested to initialize this registry with the following entry:</t>
        <table anchor="tab-sbam-params">
          <name>SBAM Security Context Parameters</name>
          <thead>
            <tr>
              <th align="left">Parm Id</th>
              <th align="left">Parm Name</th>
              <th align="left">CBOR Encoding Type</th>
              <th align="left">Block Types</th>
              <th align="left">References</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">TBA1</td>
              <td align="left">BPSec Key ID</td>
              <td align="left">unsigned integer</td>
              <td align="left">11, 12</td>
              <td align="left">This specification</td>
            </tr>
          </tbody>
        </table>
        <ul empty="true">
          <li>
            <t>RFC EDITOR: Replace TBA1 with the value assigned by IANA and
remove this note prior to publication.</t>
          </li>
        </ul>
        <t>The BPSec Key ID parameter (Parm Id TBA1) uniquely identifies the cryptographic key used for the security operation represented by the enclosing BIB or BCB. Its presence is REQUIRED in every
BIB and BCB within an SBAM bundle, as defined in Section 3.1 of this document. The value MUST be encoded as a CBOR unsigned integer and MUST be unique across all security operations within a given bundle.</t>
        <t>Each security context used within an SBAM bundle MUST define how this parameter is encoded and interpreted within its ASB, in accordance with the parameter identification requirements of
Section 3.10 of <xref target="RFC9172"/>. The specific encoding is defined by the security context specification; the semantic meaning is
defined here.</t>
      </section>
      <section anchor="manifest-data-items-registry">
        <name>Manifest Data Items Registry</name>
        <t>This document requests registration of one new block data item in the "Manifest Data Items" registry under the "Bundle Protocol"
registry group <xref target="IANA-BUNDLE"/>, as defined in <xref target="sipos-dtn-manifest-block"/>:</t>
        <table anchor="tab-manifest-items">
          <name>Manifest Data Items Registry Entry</name>
          <thead>
            <tr>
              <th align="left">Block Type</th>
              <th align="left">Key</th>
              <th align="left">Name</th>
              <th align="left">Value Type</th>
              <th align="left">References</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">11, 12</td>
              <td align="left">-3</td>
              <td align="left">BPSec Key ID</td>
              <td align="left">uint</td>
              <td align="left">This specification</td>
            </tr>
          </tbody>
        </table>
        <ul empty="true">
          <li>
            <t>RFC EDITOR: Confirm that key -3 is unassigned in the Manifest
Data Items registry at time of publication and remove this note.</t>
          </li>
        </ul>
        <t>The Block Type column specifies both 11 (Block Integrity Block) and 12 (Block Confidentiality Block) as defined in <xref target="RFC9172"/>,
since the <tt>key-id</tt> item applies when the covered block provides either an integrity or a confidentiality service.</t>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC9171" target="https://www.rfc-editor.org/info/rfc9171">
          <front>
            <title>Bundle Protocol Version 7</title>
            <author initials="S." surname="Burleigh" fullname="S. Burleigh">
              <organization/>
            </author>
            <author initials="K." surname="Fall" fullname="K. Fall">
              <organization/>
            </author>
            <author initials="E." surname="Birrane" fullname="E. Birrane">
              <organization/>
            </author>
            <date year="2022" month="January"/>
          </front>
          <seriesInfo name="RFC" value="9171"/>
          <seriesInfo name="DOI" value="10.17487/RFC9171"/>
        </reference>
        <reference anchor="RFC9172" target="https://www.rfc-editor.org/info/rfc9172">
          <front>
            <title>Bundle Protocol Security (BPSEC)</title>
            <author initials="E." surname="Birrane" fullname="E. Birrane">
              <organization/>
            </author>
            <author initials="K." surname="Fall" fullname="K. Fall">
              <organization/>
            </author>
            <date year="2022" month="January"/>
          </front>
          <seriesInfo name="RFC" value="9172"/>
          <seriesInfo name="DOI" value="10.17487/RFC9172"/>
        </reference>
        <reference anchor="RFC9173" target="https://www.rfc-editor.org/info/rfc9173">
          <front>
            <title>Bundle Protocol Security (BPSEC) Default Security Contexts</title>
            <author initials="E." surname="Birrane" fullname="E. Birrane">
              <organization/>
            </author>
            <date year="2022" month="January"/>
          </front>
          <seriesInfo name="RFC" value="9173"/>
          <seriesInfo name="DOI" value="10.17487/RFC9173"/>
        </reference>
        <reference anchor="RFC8126" target="https://www.rfc-editor.org/info/rfc8126">
          <front>
            <title>Guidelines for Writing an IANA Considerations Section in RFCs</title>
            <author initials="M." surname="Cotton" fullname="Michelle Cotton">
              <organization/>
            </author>
            <author initials="B." surname="Leiba" fullname="Barry Leiba">
              <organization/>
            </author>
            <author initials="D. T." surname="Narten" fullname="Dr. Thomas Narten">
              <organization/>
            </author>
            <date year="2017" month="June"/>
          </front>
          <seriesInfo name="RFC" value="8126"/>
          <seriesInfo name="DOI" value="10.17487/RFC8126"/>
        </reference>
        <reference anchor="RFC2104">
          <front>
            <title>HMAC: Keyed-Hashing for Message Authentication</title>
            <author initials="H." surname="Krawczyk" fullname="H. Krawczyk">
              <organization/>
            </author>
            <author initials="M." surname="Bellare" fullname="M. Bellare">
              <organization/>
            </author>
            <author initials="R." surname="Canetti" fullname="R. Canetti">
              <organization/>
            </author>
            <date year="1997" month="February"/>
          </front>
          <seriesInfo name="RFC" value="2104"/>
          <seriesInfo name="DOI" value="10.17487/RFC2104"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author initials="S. O." surname="Bradner" fullname="Scott O. Bradner">
              <organization/>
            </author>
            <date year="1997" month="March"/>
          </front>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="IANA-BUNDLE" target="https://www.iana.org/assignments/bundle/">
          <front>
            <title>IANA, Bundle Protocol</title>
            <author>
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="CryptoRocket" target="https://doi.org/10.62056/a39qudhdj">
          <front>
            <title>Cryptography is Rocket Science</title>
            <author initials="B." surname="Dowling" fullname="B. Dowling">
              <organization/>
            </author>
            <author initials="B." surname="Hale" fullname="B. Hale">
              <organization/>
            </author>
            <author initials="X." surname="Tian" fullname="X. Tian">
              <organization/>
            </author>
            <author initials="B." surname="Wimalasiri" fullname="B. Wimalasiri">
              <organization/>
            </author>
            <date year="2025" month="January"/>
          </front>
        </reference>
        <reference anchor="SecDTNBPSec" target="https://doi.org/10.1002/9781119823513.ch13">
          <front>
            <title>Securing Delay-Tolerant Networks with BPSec</title>
            <author initials="E. J." surname="Birrane" fullname="E. J. Birrane">
              <organization/>
            </author>
            <author initials="S." surname="Heiner" fullname="S. Heiner">
              <organization/>
            </author>
            <author initials="K." surname="McKeever" fullname="K. McKeever">
              <organization/>
            </author>
            <date year="2022" month="December"/>
          </front>
        </reference>
        <reference anchor="draft-ietf-dtn-bpsec-cose" target="https://datatracker.ietf.org/doc/draft-ietf-dtn-bpsec-cose/">
          <front>
            <title>Bundle Protocol Security (BPSec) COSE Context</title>
            <author initials="B." surname="Sipos" fullname="B. Sipos">
              <organization/>
            </author>
            <date year="2025" month="June" day="03"/>
          </front>
        </reference>
        <reference anchor="sipos-dtn-manifest-block" target="https://datatracker.ietf.org/doc/html/draft-sipos-dtn-manifest-block-00">
          <front>
            <title>Bundle Protocol (BP) Manifest Block</title>
            <author initials="B." surname="Sipos" fullname="Brian Sipos">
              <organization/>
            </author>
            <date year="2025" month="December" day="29"/>
          </front>
        </reference>
      </references>
    </references>
    <?line 495?>

<section anchor="example">
      <name>Example</name>
      <t>This appendix is informative.</t>
      <t>This appendix presents a series of examples of constructing SBAM logical blocks using manifest blocks defined in
<xref target="sipos-dtn-manifest-block"/> and bundle integrity blocks defined in <xref target="RFC9172"/>.</t>
      <sourcecode type="cddl"><![CDATA[
; ---- Shared manifest structure ----
; From sipos-dtn-manifest-block

manifest-structure = { * int16 => any }
int16 = -32768 .. 32767
metadata-map  = {* $$metadata-item  } .within manifest-structure
blockdata-map = {* $$blockdata-item } .within manifest-structure

ext-data-manifest = [
  metadata-map,
  [* blockdata-map]
]

block-id      = [ block-type: uint, block-num: uint ]
btsd-len      = uint
btsd-hash     = ( alg: tstr / int, value: bstr )
bpsec-targets = [+ uint]
bpsec-key-id  = uint
; bpsec-key-id: CBOR unsigned integer, per SBAM Section 3.1

; ---- Audit-pair manifest (reason: security-sourcing, code 3) ----
; Created by bundle source, covers all source-added security blocks.

$$metadata-item //= (
  0: int16
  ; reason = 3 (security-sourcing)
  2: embed-eid-structure
  3: dtn-time
)

$$blockdata-item //= (
  1:  block-id
  2:  block-control-flags
  5:  btsd-len
  6:  [+ btsd-hash]
  -1: bpsec-targets
  -2: int16
  ; bpsec-security-context
  -3: key-id
  ; key-id for the covered security operation
)

; ---- Report-pair manifest (reason: security-acceptance, code 4) ----
; Created by intermediary acceptor per discarded source-added security operation..

$$metadata-item //= (
  0: int16
  ; reason = 4 (security-acceptance)
  2: embed-eid-structure
  3: dtn-time
)

$$blockdata-item //= (
  1:  block-id
  2:  block-control-flags
  -1: bpsec-targets
  -2: int16
  ; bpsec-security-context
  -3: key-id
  ; key-id of the discarded security operation
)

; ---- BIB authenticating either manifest (shared structure) ----
; Per RFC 9172 Section 3.6

abstract-security-block = [
  security-targets:       [+ uint]
  security-context-id:    uint
  security-context-flags: uint
  security-source:        eid-structure
  security-parameters:    [* security-parameter]
  security-results:       [* [* security-result]]
]

security-parameter = [ parm-id: uint, parm-value: any ]
security-result    = [ result-id: uint, result-value: any ]

bib-block = [
  block-type:  11
  block-num:   uint
  block-flags: uint
  crc-type:    0 / 1 / 2
  data:        bstr .cbor abstract-security-block
]
]]></sourcecode>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+196XLbVrrgfzzFKflWteghKUtO7ESudLUWp62beBlL6dxb
KVcMkkckYhBgA6BkxnHXvMO84TzJfNtZAVCSne57MzXp6kTEcpbvfPuG0WiU
NFmT60O1c66n6yor5ur4FfypjuZpVtSNOqomWVOl1Ua9SqfvdKNOq3K1gud2
knQyqfQVvnp89HwnmZXTIl3CULMqvWxGTZYWo1lTjOpJuhw9+DKZpo2el9Xm
UNXNLEnq9WSZ1XVWFs1mBW+dPb34Vql7Ks3rEsbMipleafhX0ewM1Y6eZU1Z
ZWmOP86OjuE/ZQV/vb74dicp1suJrg6TGcxwmEzLotZFva4PVVOtdQIrfJik
lU5h1LOi0VWhm53kuqzezatyvYKrpzpPN3unWV2tVw0sSF2Uua7SolEvdIMP
0nbf6Q38PTtUP9UEqmYzVOka1jVapVk1VJVelRX/eJMkV7pYw2ISpe42i1IM
jp0f+Yr6K76O15dplsP1nwCmf8l0czkuq/mbXf/XAB9Lq+kCHls0zao+3NvD
t/BSdqXH5rk9vLA3qcrrWu/BAHs7tM6sWawn8OrkOlumsz0+xvfv34/qphpN
VrBrHD8HINeNNwM/PubXx1nZ9eJeB06MF80yh5nTdbMo4fSSkQKMg4GPx+q0
vM4FHIxTO8e6+CVdZoV/C7aSFtmvKUITHvkOLv+pVidlnuu5Vt+Xxaws8DnN
oJvIEOMZD/GXd9N8nE7H63f+1M/SXPvzwkE3qb0aTfkivUpz9aqsm3mVztYA
GnU+XZRl7k9LI4wXMMJfilU91rO1ne8/xuoCYOLN9x8ZIK+9+AnTvccBxgjp
/dZ0sL0f4bDytM6qzN/kIp1v0ujeXaFLY4yv7RgeeJOirJYw0BVQhFKvvz35
ev/xPv4J2C7s53hdzHKtXlVlU07LXP1NV8gb1OMdeswgiaJ/RrLw87E6Xle5
zuaL6M53Y/VtmufR1afwfFYBzWm6QfxCHTw4OBg92Kcrta4yXWfFZWmmgsUe
Klyu/D59eXao9h+M9x9/8dXjPdkK7ySt5hoIw9DF9fX1uLqcjph1Ed3hwHtw
jd6xkDjYDolz4TZqFzjz05PBNoBEG+yGx122fbBl2wefsO0Dt+2Hd9u2OtWX
6Tpv3I0TEB36fVPfASB32frDLVt/+Albfyhb/2r/4FG49b+us5kGjqRrdQlS
7UfYHXL+tFBnRy+OcJ81PFARJda4fxIfwAthtK27f55NFxroFYZomrKI7h6n
FYj173U2SaM7pxXwpUW5TGv1Iq0aXQTA2388evBoG/Bwh33As/fuADx6h4F3
sP/gixB4z54fwZTf6Y2ejZ6l9QIhh1B8rus6BUZ1BJABJSKbEvi2QevZWH1X
pdfTXzfvYjgCFgEcQYmIbrweqxPArabJPAjtf/01QOhgG4RwG30Qontmt/tf
h7uFfSrUQhhT1rU2aKCaUp0VM9ymVq/139dZpZewbzjfK51vxZLzKWCHegl7
BKFS6Kq1lYfbt7L/df9W4B7cRDQeHf/w4vT7p+F28MZQRaS/04sfINRSVmBA
cZwXuL96b0Jv7ymVJLg4T9CcVJtVU74uUW8N5+U7IERXi43KasXPACQyXUz1
NmA55aR9A5WE6KoI+PazTtaGjOlLw5ji/c/KjLYO8H108ODLR3vpw6//vp4t
Zr/A48ATTi9ekOYebtRq9aR9jmKVs1bXoLaxyn8DG/33PtECQviZzgzeBCLn
+fQ7DehXhVs8GO13iw5vi/sPHhzsff34q33AoK8OHn65/3A8XewjIrImiaos
aZKkXo6mZa3vIE70dKBOXp4/NSLkhgM/z1Zl3TqmR4YwWttImxRMJsCoyqnc
YB3t9S59D8apcRK6vgS16xJ07NEkB7Tcvi3YzUA9lxfUMb6wdTNgQhXd+9k/
GB18fbf9oAIvm+pb/ejBgyQZj8fJaDRS6aTGcZokOStUswC6g1HWxKWutZrp
elplE81HpWOuAIwcJAOw9ekCZqiXahfNzsEQxWQa8Hi1Mq/AkMAm9AyZI1y8
Aimqpo70sykbcEgfwN2usqlIYBjNTG/xxgw6Tmgvy2wGt5PkHnDdpipnaxLK
SXIRbGumL0mspzOcpixAezfGo7rUaQP7bM3Yj7IfPoji9fEj7HqGjCsD/AUj
eYZiAKUBjkWk3mVdql1gEgOli6usKpl7wkvO5vegZFc5X6c4itb1MDqY7vMI
FuUN2AUBNzatmxcxLZfLdWGOcgKL12AQpYrZvKrLdTWF4aasItVgpmRz2Lwd
lB9AtNjQQqolaBQoFO0T6XSqAQWqekhQTBFNYDSesPUUOSS8+fCkZC3ee2M8
eS1bqFd6ml2aLfinZvCBn4PRdgB7AVajphzBf7xdMDrCbGmjyhUqfxoBC6vJ
VXlJqwjO8XqhK81o9Mq+sEMbnOZptqz9w9hBwMx5m/hAWVxm6GnJ0tyb3JyK
bLfeGQOuqxUohNl0DcrQULahi3QCt/kOnC/MAi8TXsFK5eWhrDAtwlMpypl/
mmnHAUzTwoxJywXFprzSLVjVY3WEAwBJgZkwVICcgIvAluoMlkd7iScHEZxN
s3Jd8zIAQnW2XOUbEDLlShEDgxHzEtZGchJxClSPcopve6fF8CbtPAVbH5Ru
wn04jSUgBtKFAT2e4WhCQA/4kDsQjyh6kR9pH87cx9vrRQYPVGiMFwhL9IJl
dUO8FZeOmGGXCYdUORWxxmOio8RDApNBwXNLBF98UAaJ7FHMsnqaVh4kDMxm
SP6TjU8tvHg4pIau1iCQQKwtgVQJQAaL8J6/MXMyM92A4QMjgz5Rp+gKVMty
ZsmMltZ5ILOZPQ2zlK6F0X7gMRg+u9wgtsIjVZsib9whyLLKQy3BppWeDQ3o
8E/ARl4+jDJjFQ1kI5xZM7Rn2dizXK5gN5OMqJOOU7/P6sZx7ple5eWGDhMQ
7t491OlXulcaqUJft3f2B5FD4+Tc8Nc83wxpybeSTD6GhdTHuIXYBpSwLlh3
yn6F7dwBxbpwwRCUkSG1kSCRuGLu1IH3yP6ZEQaSZ5Vu8jKdjZOn71eIZ40B
RJcssaAzUKW1EtHByeUZkDpTSNfesgLQo+FX+oXw77mlo2KznZBTj4yjSYGV
EdXCJEUXiQOOlOsGvSm8ZKQSPHMERku6bT3q1sQsJoINAZ0aFt7DbkJeNwSY
5Xl5jUCVh6eVZtiZx40eZVbtLW5I+8v1HB5YIssm2nRxFNZ2KmTlDfAUYHQO
E5hrvCib1FNjayEKwzdQGmRFmZfzDR+jzgja8ChobH9fa8NmmYzh/GmFwiIK
jbwPI0nkuoAlVXUD9zIBG0gsRgqejlgJGQmBOoXqt6HzUwe6w07OdTTHbQPb
OhrwgitYQ3ZFLFAATFJM5xlKFRpD8NAoWfIYol2hjlZIbXwgNPZYqSMgbTJC
AMirEvggsesqq82+EOt36wFoBsIMvGEz4ikTbZagZ+h461Iwu7mH1ZEQpGhp
e4jJZhxCMbpBEsxdN0tx0Bk7EIegPETRgUSMWywLBC4rqJeXBnzxe1aXREDr
97AGUmRhLyQMZ2gBefOdE3HIab46kuFJxScN2Jzb2MJ9wys6OzUnRj/hbwds
HCjDd+2yccaTbIXIe77O0AZGxRM3ouA+C2dUVvM5zN0slrWwTjzTQHfeQ/20
R30emylqnKIGlWAjuI0iskJeAzpQg5Db1eP5mDgOSH31Tm8IL+ApsG8na1KY
4N2SKNeIxqs0X1vrsay1Nx5uzyMOoOuZbDHGGwvjrM+yoYMziks3xx6pb8vq
GvRAXR3SidhRSaVZ4mlbgsMQ3sWLO58fDVczxtkVoBccxl6WNSMv3F2A4t4+
6zNfk70dNBDUfbZeNOBrphsQGT+mG+IBpN+90O8b9axcRTBp86DLqlzCr0sD
xNus4fPx/xXIJya0EiclewZ4ODBhfFvU/UVVrucLo8W4kydcEPBfA17TFkSy
kbLurfRiIcJQdmQEQQaq8buivKZQBuj1KU4dalFksxHsaoM4sHKrkB7JweFp
Wvg6XBULBUzAjKW3T9uxyZIVHnM5b/kKkP8a9ms5PcApbevRlV4BUwMoswxL
o6kIIBtjxQbsXJZC1I7zrVdIf2xZ42SeZR3t7XfAB7tn8iIySMm8fw+qPcVi
reCwgPJfE1/qoWyJoVPX6+XKaCeWmw6ZZ87XTnNBJlOiKqvRFmBFD21xDmK0
bX1/5pdGBeK5U09K0wnNgdyK9jmRKhmJyyGgLuAozA9gf/lqN35pGL8wGCPz
AyCluNghvjOZTkaRTBgaZgmPq6ehOLYKnA9Z9fyH8wtUDFixGqqlTgvWKFB9
7tsSukrKAuhqImAwGnOsFaCuFaL8UeeKancIxgaIsNk/iHNeBuKO8RLQeufE
7+pySSaIsbW6FhZB0ymToU/NaKQtvCBxuMrTjHDRk9W7k2wysj8HrAs7tzFs
zr0VC3T2/TgHZvgeusdV16EPkNIBgqQE32X9PS5qwOX281v8EKHPIxJg7sxE
4/I4KIxZtw7at7x+T25zIdEGWipNhOD2SSGWmi2s9zhk2oHFwXR/Q/dOpkOR
ccUXxfmE5+kQJ1IJt4qNH4o8e9ftabbXZK6qNvrcrQXL0BiBVhUUGSJDttxw
v8cxMSqxynTkIEZ2KYlYgEBGbl8nEtj/8irNKnwHzEV01ShMjPM8k4LRaRS9
ss7NaVmBFIWVkNJ9fHY8lEl7sD10RphFxU4JHN2CiznlptvlGI4H5OqPZg6W
lRuyZfMNPh5tBrCWgvXMFS7pEcIvstdSAH0H072txxJB/ZqSDv+5sO502Qeq
1sx3BiMe0vpGwpsEF7dDarZmoa23ASvY/v/5X/+bJ+gAoVGg+xbYsav22ZJL
5HnZZFfOEAK7dgLiUJ038A5KxSQBpZTOeV5kvzJFUAzgHejxJDiQnnKNcGMH
KE1Qo85zCRsz7o8ljJHO9q5hCVqeINcAR0/QkEIPhfUp8FBj9RQu1zNJyR0G
7kqQnuWqFIwYijPoF5G9vMSa3EEYUjLBV9JYrX93aJONvhoffPxIZ1jprCDB
DBbnTlmMSLM3O653SAUhvWVVZVcZ5grOhp5Tiiwjd0vsDPZREZqSryyrPBiE
4hAHQe//YTCFjEMUvQCYeK+v1hPALLheL9KKNihJIggiz1vGI/DLnqy345BV
TsY3KsMwEKIlUI/OL0V/jVdDY12uK3KSRQPt4tMwbQ66SDwo+TBrgTYdEaBm
BciWIx/3I0SpZGl7U8vJjinIjm4pxLKGjDLmBOusXnB4gthKO8hjTneas5kn
J2o3IlF8AiUMu4B1102H0DM0Jw9Y8xZ29iy+RLtsAZDI+DIFKrpc57B58R8R
CVRlrpmpoVBK624U3nco/BAR+LRjOTR3BzKxLtQAna8IfldZicnPIl+sftB2
AGHUU7QD3xwlJw+C3NCrDQIRq+NXBqhFoA+AA3yc8mhhO2Uby24P9mSisA5F
bKixiGnHqpJLGxthP65ERrrc9XeMvEWKaeSu75BhHB6FpyvjYMo8vXiervA9
531L47Wn6DH3nCk2/n8bfWDI/EWTt1wUAwSFCG7CrzzvkDDdcUXrqzRxnygZ
YqK7lQ/WLjq9PN3BUnIwVFc2XMpoMtHAcTJkIDaem5p4wifEcm8Z4bJBJXZb
UPy7E5h0XJ6cp3PplfWeNtFakAHvdYaHs56w46phu9dCOFxumKxxD/2j2byA
/0yJ9dYuKcmEPfycJFER8Y2ZecOC2Q+IDiWiIO8tymvhpshkwJZmxmn8ajgs
hkttCOrCzWMCPFndEcwnp7tJIylmJrvCxlhAFYDLBGZjeVo4jsjRsrHoQkZM
yY5HL/LaVGUx17E12pWowJoSJtSNxAkU5SwTbGETv6wLAS1Z1DgXHKl69d2Z
o2rBcHSWTzS7gjKOnwUTfPjQm0338aO/Dyu2whwxXSzQ38jBZ+RSwhrHKo4u
t05qBhTeIC+BU6IULj9OADu2AcilpCBHU0+J+gKJZdQqPnBvu4bhk0lubJhw
OBjoWgMdYPZMeAfW2iZ7Lz9AfZunc05cOrPHGvvz0Bz4GZOsR+fPjg5gwGm+
xvV7b9ixak7hsYEIcgPu1lqrh+MDIoyHY/ifL6BBgg0Y7SmeYezTrtEtvDDb
CfV7p8hRCFK8hkgsTbWeNtFAr9jzBA+9Qk+PusDN7Z69enUxkFg17JSXYrMr
ujcJL09AsvOO8K+HwOIumXxQ43pPTlrUI5flmq15f6274k/ZrDThwlD8HlzG
Zn55vl5EAlB31CXOPsB81ILSTGAmE/1ncYII6vwoPB4R9xqzqHKMa4u/lRkd
7QlHRfiBbgycMpU4MYyOlUU1aQDiZ8gaQZ7AU3wbzplhgBDZV/SqpW/LybpD
8dcUtBark5/NJO0SD/26JGjWgYuM9SkJJRJA3Gny71048IGNrPO1k0iXM0+e
HA/6YoAt/Y9NLXkCCwORBWNSer5htZzI/FpzWojdCK3irSspfGvN+Ym11ukR
r9IwesYIxl0QB8holhOMpJvUly4d3WU8se3EyvENiZNs2fQZ10hHqNoCzLrU
QKskMTIxgE/RIZqJsLi4wev7Lzpv5gVbvLe4Ds9UtEsKjqR+0j5XXEJ4ik7X
AqgkI5oZwejxNaxprVrWxyXH0q3vOvKn79ayDfdKwDZZ1OBMz4/+M9aerN+w
O7eFYn7m9djR1u98tkFSQg5EFGEvMEzNgxqvBzpXp6g7UmjQ5DFmXlYeqzJj
fpdyWzCpgWFG9rndthd4EBkzpeg8Qc1PjEoRcbHgZ5oiP42mUpYBsRJNQX1i
b7CNeVpF7IHBaRwytErx3bqsrEW5Gk02I4xchwJ8SEoC0NW6Fjb5kzFm98f7
b3a3lE7BT1NxR3W29+r16mfYys/11XQwthh2cowJQlYfT5swHmmCRZX8JYQ/
wYwmXZBiSB4HxoKTNhZEiiXZkXyCpNgUjeQ6Ih5y9qMk8S7R7q4C+mb4D+1c
mNmozRr8jCwbzucTEhwXl9lQrVcsp2eiy2QhageoaliYkLgzrt0RjzzEskqs
S+r3kIzso7kuKDebbJA4WSb0iQoj3PqMLwZJq+orxPCSzyX9k3SkdWU8tKyP
cMb31WNDghgXXFXZEtO2VutqVdZWRYsXEmSYp/74HGsDIJIQcvY7Tob5yibP
NfXMbmNkOs+HRCXq/pw6Z/RTumVnWqINojjDPPZ5SNjOrVNcDC3ZWG2cJS1R
HM+f2BUFIjlsPb7OAB/ePptaKIv4MhOPOAOkZNQB2gGT84Os/VfpnHz7Hkwl
5oYToFFWIr8xCOSOcpzYQ5eliWLBwav10oYwkLrYtPeMEZ2LvRVH+Ohvz8jF
15fpFJ7RI4EQo05aAPWABKF9L6O1mNRGkz+YOj/SyBrBHolmhXXfEml24q5N
5rC7MJmZwsA4HCZO71pY0dqP7HhTprXJtjzeqFyMDJOK6R0HUYwrNABjKkXv
yLC1Z+O7KvxsatyZ+J+6xF8U+qZtOVePbMVkD3ACywbOBVWGKSb7jD19v6h1
e1Ei4WYZYCA5JHWFKodX+iR+gJqz2zLPA4mJy+sVakY1g9E+y4CFZW2YV6DR
OzJnjaeRYhEiMRUxPkyeDBlnIK9chrmcoUFIPA8NNM4BUKDsORiwhs9ZeogY
nkUSNuVtzuo2HgwT/eMf/1DT2SxPnqgRFpL9lQRCi6+70fEpePhbyrDqGTmB
By6Qf4MSm9a6Trj4Lpupb9RPiVLyOhnEWFIuQoWnuiC9FbQXwMdqA0/zy9yH
ZI3ZbPYakPihkmtvkklTz0Y5cGL65xu6zhcXab2Qi7sd01Pt5ZHnNHFzp/n8
EGsQ4afaUzI5uQYOFQYekkHCnh6jkcAG/wfN/CZJ/u3fDKWMMkBYtbfH8z84
xJH2H9FSXuu0Fi+MU2Et9OXuCfF1b10Hh0qDOT0b6Ww2socDNx4eKjwPdM7C
2mAJBKn2GvYPDRCzGY8nP8W6H5F1D3e+xDsCWfj5CH7CDi1Y38C1EQwWQIE2
RnGl0T6h/OiAKFisOhA0Yk9FkmWXbZb9/aHaPxjgyAc+qHgOy0TFGQXbBCRO
Phyqe5fZ3MfEd1yn+s1OHzLvAJMmNWwEiDovvtnJ9WWz81GCADnq7uncJguj
fK5vSYOB7uH5nkkconKZ5YHi4IvRjlR8VgT6xB2t1jAmthtReII5COyxPkyS
3f2BJGpwvi+mZU1+Ie3XaFkto9BFr28uGgjTEUZW44138ATfgOUc3G453Sap
cSpYvhxoQGG1nw3NGz23rc20lBbK2XPCTrK9czk6z1zFIstyTnVZJkaJMPe2
AidUo/KDIc5bocHNhXWeRugPEkZgiLqsMLJxGE6SoGK6ukdvvFU1XW3K9Wam
OIw03J6omIvYgf3eW81kLPSucA+FVY2MRPhPWa/Bbdi4nfgBtfQLi2qurL3y
8gqPWV+zNTPFHKrtBUmpdx8BiIkSaAtSkgrpE+ywwn3f4FXp2NuwO9sH561r
0vi8yha0k4P4383Ff5w/UFXZFTyBem65xoNox5d7osBoGDyBSzhz0WlyLNL+
vJZwoXtbCzHxQNb1UApjTR3I0Dtk4/wJ6p97I6kUjDNk3wKZ8JiszaMw25OO
NbWxKt8n7MXWwBj1TPFh2xzCFdhorvHCBTgSeEltoDwNg1w4+ihM8uyJB9to
d+b5kAw7NQD1AzTwH1cHxbm9sHM/Cuq757ZkiQ1ZO065luadZq+zZGiL5UWV
IIkIK46CGQCb7Iaiw+Ur7EnF2fRxQuj2dDzHoNoAxhukXaek/F9L6Eq4FHJF
sRjIynCJnMyGkVbBNtRXPDdQfJ5OjSC5kTKcmJUg5BZ3eitkHWcN10PDRltY
vbslbXDAuHvj+XtS0RZxd2zJZn+LEWQjpnGqtvVnh3tGzNCXZaW3UkSc9pzN
EW3ESLpxK/JcXITmIZjD6H5sFjnM/hjKAgIT7gpjVlvmTe+QN1hKCb2vOwRJ
Gm0vo8ZMfBZRDRXTiPoSbRXZNjlOezAUKPUHLPfgROfQKdkjtC6zqo6SlwNm
h7Ed0E4xDYC4hD1AWNVYnZFHsnDvE6eJMKPk4Fa1DIl15pIo+9iHzWUI1xxk
a4B+kHemgvgn2MLqltCn+viKubClk/7hcvZ+Wdsv3LJJVz1fU8Le5ToPnPjo
7WaW3GBo/6auBQH0irJDDbBdAGwgZOaJ41vgbNg9oMvIkYyUYHGSB/AD1+1i
W7EzR2fdnmcbuzV9AJy6zHpvnKZWD3vz8kzrAC8NIIiTYtSUrFdjHUgZEQMS
jsgnMFs4RAoAH3Z3AWtNxcD1wLAjsJFBC6sozBlKKK8Gs0MMywaFH82o9LAC
UvuVujxQoGI0q6hGh6aglCjmWpe5fm9aOZDzyzjwgayWk2y+poqTBZ8gVnWa
zRn3JrBa3CCmQxrVHHMQc51W+cY5P6dVWUtPlmmG7SMAR/jg1ZlAFShRqv2o
EBuDVyh/kf3WwFfjmMaQBQXr6FVWG/Fog/tUpocBMX6bkB8WT1MTPI1mROls
raRGCtdRlmHD7KHSCH16U7aTFaYXhvHAApYRrS486KELE8Axk2RbInlO2TJ5
Ust13mSrvL2I2joLtVspjuGkkGpV6JiUZDwacgpbDZXy3ZdZYdh5l7El6Qxh
pqAcLSBYqcB6zOaceJp5SGKzhSz+vIWFjrLZW9I0C5sd0oa0TdDxIhJ0eIjw
sSTnMBYbX20i2aajAov5LgCdyTdHL0lQJklpQyfHL1/D9NKyi1zXuMLuILCX
ZBQFGuLONjb/d7z/AH8HBkW8vrDszqBdXw6ojWNwOZ7XUoDG4YRrsm0sMGNN
GEFoo9Wtur5QWeWARZsLJcmPLnxDSMEphJS9pnXQAwIpaoouYprQYUylHRxm
GGHx8keMs8W964d9jMOFIg+kbgGmZKjlYE5EtababEk8WmSrbe6X26XsehK0
7VNx8b3uHgq3relhyJkTNJxaVwDzgrPILOwcWFIOBnAXj5paWtunXIezlvV4
KHaNYzExERr1zmJLX8Gf84HaLKn+PHVjN2BeDIENw+qhFI5DG5Z0BlZGeb0s
jEXoUnxaOzMENkUfSRika7MndXF8tM8JhD91tMJ9s3sPO4KOpsHVwcCPZrbS
GV+5rguwoNw2+jiSsoYoRU3tHp0fDzxHswcOx1keRYxl6DXk8IFrGIakgJm6
wafIPyPkcKRPIGO/UlSpJVzK4hggwCWYwnC41BpcxAMggGudEuCjSXr9HRHQ
NxJvSmjbkiN0Eb8pVkB9O2vzruV1XuJ+mBQSwrtlcVtocjOO/3p0B2Q1CE14
54V5ZUcBVMPI7dCJrkkoNWLrvWf/4iYTd4Usyc7BwfY2FrL59clomG4VCN04
uc3lcwNSBq9G1Qy3x8uAbka9tt3u52DjwGV0dUVsdBB0+GPgbgD8OyDvpBSt
8fMw2GbgeqJ/FnBSKbszTbqwiQW1OtJsaoU7bcmHYTh67P4jzDHZIn2Cghyv
E+02kqJNtiKSeTt6+NasIcQlF7TGZ+3auDbLMgzJprBnEB2BMYcNURiv+c1O
kopTkrY6blqHIbWPfXaVa2hFBjLRArVm5A0wZJwzLi4JrjbS03VtU95qTyG0
h4R1iLXdIgEMK70yL8vMpur2kn6v7N+9ylL23XW0HY1xeGCYV4ifN0nlsSLH
Y93t8OrxPaKNHTi3Wpu1cdEtFWVp2M6JW/l6nlKOsc6IqixBo1661QZw0A8Z
hq8n3dZpLTR3O74bE2y6nc97MYZGEtDiWLCQ1E0UJCn8NqYTB3pvJ25qcu5K
7MUIVy+jse3jZQoBkkzn2th/EUf1NSqqhiOLkIl5iUaDNSDR0DTpoPg3JYHU
YIFf4y/ys3EHQoc4kpONiSO56TPY2eAx6DbOrk+OWJ9Ig0XeCUf4bdNFcyBZ
5MWcYWvW3HAk17RR6l9gfKnbxKwgP2dQBm6HLs+fHX3/vYueBrkL2zRoSj4s
qXnh9kLVdvboWJ2LUcO+KiDoWOPGfEzJBgg5vTI9Wai7xY0lsn4JMDIz09Cv
rEwLbhSCjL1+dC1k+JJxWQvWhatlAIqVQCu6MTRklTH7ZESZu76LikrlnVIR
wmNkROfAxJZ5PVIth+iKXsDleumJOMcmo3nfmjyxt8MwHDgpKVuyQw9zNJbG
VuEQiTiTUB0n9LcCa+qtzSWSjDJikq47TLRCz5qiPFHP7fJWOl29Vbug8pTS
E/itzV97a53vxvolDtdxmBSdmugbI5FcswEI5HKOunOlp9yMY910RKSfH50o
pKO2jcSdiR1Yu3O2yGnODSZcqLYjjUiHts9tDTWGCCm2hFE2GBbU3thqUayj
c2/023EOfbbE2/xE5FDfY0JsCSSe2mQzoTwK9rIbdVQXqeROz6GQdYlzrw2x
aKSPYBsvguKlG1ECjwMTYKgXGvGqoU2gZ/WWSkmzRhDmZxAAjWO+P6sPH87d
d1c+fnQ1H6FqTWj+RJzYcAWZLeZKiakiLMZA2/SELG3Gk59i19GtyDSs9frW
HNl8DyrulNKuwPHRCqIiWyEuXNqSIBvzRSn9fsVuT5NQ2lFpb0+rw/XadrOK
dv0pORBbpEWwLwLxi5cXXYQTPMiSbMieYdjtdbnOZ15lJnCLrKJa1DAYbChr
isbCOdq+ZACcOacbLzpMWwVjmD6K6fnmRvhYlNTNZcnUdYwVDuq4GaxbWgUE
5YkS2X1tvCoMZ+tk+RylpmhVWYWtJSpRQX0Pg+/p7HfHdboTmY9wfg/rc85c
uyGNx8sZirSc6MFtWs5nKCfhJJ+jnESSd0tHq5ajp7NsU6KlXQv8NG1l16kr
A/8LB2nbESDVqi3x47m58L5I2i12rny3pWP8YIGmRuBOqoxRSDoA9BkaidUt
LMbcRSHp0TZbukk3DZBy4pFPi2hJcal/N8WlA3L//TSX28jIOBfqswXjdomo
XvqaSOBo+6NqIv8UER8cy1YZHzz5BxLy7cVvkfR/8xbLEA+W/+ny/kcT4W1p
+K4bayDfCZuYfH2PVKe+GWwPv4/g+2ulCPFGPstZq04V8dAWTpmSH8fqKNRB
LHsxsQgYiJ4ktm2Hau2Z6Du7jKA1RdoSdwcmFuGXJpP9jgAmhce3GSzEsMzX
o262Xb6Fw8N4tFe/ny6B40tFAVKsfGc8/JIFBiscvblSP1siS9IFTv9A4tIh
HgaLihzmPX0ibtx55N+WNjy3cXua7FaLZiHD89SjWzlAh56aEPMOUkKx/qYj
auAlr4fwKGZuae3E4KAJujIJ8U5scypyP/QQOHBQD+WbIT1Hac5/S+AXM9gA
7bj7b4HYVLhy56CcEQnVqqbbwnFec5daPX0vfFnKfMw30UxyImZq1Qtix5of
da3w0/CDAZiMOKf0HGzLRcU1crh/wm8ZXQIKbKb2mwq2qdfTsIl9bXPNn5Wr
0Ql3aarUq0pf0efgXngeI55QwoPnz17+8P0pcg9t9kQzmW+8+b3Nr0rgKevC
1XtE7ftRu1to/IAGNVW6hUzBMEjdaP46DSWisPpXa4zDNjru1S8fx8KRhaMa
aRQGOG8srzSJ9yaX1VVq4uu2XZZFgUuMCnOzW+wlJYL2qsyvNJoW9uNnpoMk
9XyXpddG/YoWQ9k6tdfn8pY119ydAT8rWc5sWgw7+oXTkZxrubhN6x2/u3hk
fnO4OwwkgNznR4yzfyDVHvcrKi2+r6gsWIgS65WdOm9FE/ZNg2U7rywxLgDx
W6Z1/sahD3LerW+neH3FI+cu27pG/UVRI43X+SsfgcLF7aHJtjV9MUIwGd9R
yMDNTaz2i8VY2DA8/PweV3cqKf7RNtwBOmTDqbmVhBTq+DSwVcnd3F7/fI2e
8+gBHPZkW9BwYiGqSI6cBn3mYQT76HR+T+f1twxc1FXZUepaXxFKMwjDRJ0t
ya5tcR0+7EllF8qwcOw/VcpLtLM4aufsjHYDhiPn742A1+rBwM0BDlWLLNUu
tRN4OICHTlxZXNSdxg/U9QeEUavvbmRg2xg8UcxL1DfqodptrWaQ9HQrCHsV
PAF7U0fyHaO/bYd8W1Pq63MQdDno63EQdDho9zdodzdwXQl6exKMYG+MJckT
+cP2+erNmBl255z3NTiQ+u/tLQ4AM9OVfFAxTsY0eNjbBuH2kihUvn4HCcM8
C3Ps33Z6wOCCQwjODqLodssGMHVxfuVoqH739Qb4f0C24TGP+txsnybi/FO4
nYz7F7utkuS/sWQIYNEhGmxcJDI5Y7Ru1322y6O3Yzcd6QpdSX2txsMIh0Vs
ZqGhTUef0Kz1p6gjtmsPldjabj2iXsdZdrx06ehE2VhEXqb1iW0KZ0thQohz
Iyu2tgRXreHkuiNs/BG5SfZYvkHqNUf0AsTBHHL0cR9wP039dvAJMqk6stms
e8p86qalS7zuzY28hTLhOLCoE19E6kQPnwVe0PPpFa8S64k7990vB9HZ7z4a
qHKZNfQZLC2U4aobHvdqJFFrJauVfOFpJW5bg39pH6WuJkm3am8EjzllQhor
eerEtp4CfZoD4+vnqA6WT/XqDvew1tXInddrYGKYaX//vmAE6vD37x9iC426
M9HLfiQoFoIuWwNloWu+QuEfqnvnjy63uqQU1kPrfSr0/n2/ubBd1ivLSGHY
PcqFpp7nAal/xkp5ao/87cx/EyciK+ZegA3Rztb4tfzX+HDsw+aA8XShuc8R
C/rmk31zW7xybqkdg97goKPsWeZ2zt1tTkidXRJDFtcqhaIxKjH03bomYOQ3
L7gXlFoFzf/v3VMXmK8LzJ0x/jXWuae5+faHFEaL5O//GPtM59rcCNOnGWVE
hEsBqNfQ1rJ/qkzMMMYlWa4maEAL8cMmUbDkJz/I8mb3nv/owHn7UtXIRvkz
PBwJpo/tkF8x4OC4C/y6onwLlBuXtpoNsXfwjCGqjmhY4z+1He1Nw2TUSQHD
YZSrdY7ScsLfrr5/P0iYprHu37dfgVoXOeUd15slcPkKVCxWuKQqWRrMjtVz
uxHOsyZS8789FH7jKI7reetlDiEfeTCr5C5IEqwhRBGvK5ZRy5v8ER04ujmF
MtC0429mBbg+IITsqEPhz5zra0BBbu13aIVdX5lgktA4glhAP8ygudZRSrwJ
h3ailgM7tn+gmlfleqU+fMCRRsc/vDj9/il9KoQ68dqnSDzM1E7nihK3op2x
yemhFyXMx6nQTEWZ612ICz8P2pe/ll5iXLD41f7BI/m0l3yCoSKHN33UPbSL
jU5mhzYdhb0vWRPNGf4gHeNMnGTTDt+TktZZFcmF314hjTeJbbQmAcZ42D/V
Cj8rHH44nqNZXtm4V+xkAjnxjpnTc16IMSk+vaI0+eyKUqpj6mxuX3vd7bd0
tq/lUwbdhag9qC4OW+DBEWpZZ6GLh2IjjM1hkvyGYFmqs5mSv15gJwX4QR6X
p5gZjI9T09LfgkakvwGCSguGWrl/fkt+G5l/3F/xj+6LnY/AZVglla3h8FKr
Qp1QTuFnCxV+kzaZshyWNeGHAXCVqPs16WREwX/CttrofTdxGtDi/qzgxNXT
07OLl68P0Zyg1DdapAU2UykwV14fYC6dGnZ6/LP7rDQnyWon6/k7eKYSmBzT
/o4dYeyak8NpB701mDcY8B2pflE6PYWOimle1kab5I9GYGsiv2auVq+f/s8f
zl4/PUUSIddTcmNRdVy67nWBaNeDeMzPsC6Tu97fmSKoN/yMfhFwGE+7msts
4Y3SXoKbefInprI6ZG12/fItkgrg6UX9UD8GNvTZ3TWSrd01EKy287Y2NJ9F
DLwjqysgqyfyDOivDXXw5i9hZ3VihsGeLvK5TqM7n6IifEYavBH1Ir3MqRse
V4dyVL73i4JZfB/0PWA0QcU3stMxiSfrtygEyY0Kwa07SROLdWwT+BHS8W/C
Zg3PROMG0FKeuJGvWlYZMcyb+S0zU49B/gZGdBdXxa8bb+egyrJQu2e2xGLr
ueOIQbDAv1t89MQvVEROBWsj/cYyUTlaMza8741uTw3NCano8ripVMWGfNew
WHdCgADrZeF1YCRhvr8PErlLoLMoB2jubhHng/4GHcOkzkwXI5u5SWhs9Bnb
wMMESGyGMfcA5B6oxhNqu4ikfX1EsLJ/NKJ/qQlZKffUU/6Su5Aeuz+z92xX
SALglR7Ht0VMcM/JKuOv6shH4elv+40vZATcOzr45o7EPVuN6S2kkq0ZA+S5
MJ8mMFtvjRHwurYv8JwDqu2vKNyyo7v97V78Rn1Q99mBpb75M2nUHxP5CTh9
8PjRV2o8VvjH48T66zDug6/eV7ETT31UYxEI7dmSsCZcBoi8clsHSICVm9CT
AIHb0ftLw/7uP90PC9DfJG8S18JeGsn/1O5L73elJ85y25703GbeazLvt5hX
W1rM8w1xCJrhjSeRLx/2NbLq8KzuJ9ui0LtVX7x5qCTebHDpnxd07nPxdgee
/wCN8j/LB+zCU30xZdzbtmhA+1Cdg1yO9YuuY72z87+jH9v/9+Pf3o9vDrGj
yEEEoztSyZ2xYLDn9woeQ0UEhYRv3CeJ+Yq2WzZLX2aQcTXuoehMlg95j8h2
ifMo/jhH120C52HrNqOMGV/Fp2mfc94XehY4dvtWsCwO47uV3w/e4btviNG3
ByJuD7+WtClm9fRTuDQKvjdJNJiREvzLe1MuBO8mk2wSQNyXLaCURV88MWDj
ayEop9XUvAdkBPJkH/5/ADcQ5y1gSbCMp5PSfUA9OnoABcaOnPr0fwFssNK3
nqsAAA==

-->

</rfc>
