<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-xia-ipsecme-eesp-stateless-encryption-03" category="std" consensus="true" submissionType="IETF" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="EESP Stateless Encryption">Stateless Encryption Profile for Enhanced Encapsulating Security Payload (EESP)</title>
    <seriesInfo name="Internet-Draft" value="draft-xia-ipsecme-eesp-stateless-encryption-03"/>
    <author initials="L." surname="Xia" fullname="Liang Xia">
      <organization>Huawei Technologies</organization>
      <address>
        <email>frank.xialiang@huawei.com</email>
      </address>
    </author>
    <author initials="W." surname="Jiang" fullname="Weiyu Jiang">
      <organization>Huawei Technologies</organization>
      <address>
        <email>jiangweiyu1@huawei.com</email>
      </address>
    </author>
    <author initials="S." surname="Yue" fullname="Shengnan Yue">
      <organization>China Mobile</organization>
      <address>
        <email>yueshengnan@chinamobile.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="03"/>
    <workgroup>IPSECME Working Group</workgroup>
    <keyword>IPsec</keyword>
    <keyword>EESP</keyword>
    <keyword>Stateless Encryption</keyword>
    <abstract>
      <?line 54?>

<t>This document specifies a stateless encryption profile for Enhanced Encapsulating Security Payload (EESP). The profile is intended for large-scale deployment scenarios in which maintaining per-flow or per-session encryption state is operationally expensive or infeasible. Instead of storing a distinct data key for each secure flow, endpoints derive per-packet or per-context data keys from a smaller set of provisioned root keying material together with packet-carried context.</t>
      <t>The document describes the deployment motivation, the stateless keying model, the mapping of required fields onto EESP extension points, context construction rules, data-key derivation processing, IV construction requirements, security considerations, and operational considerations. The intent is to realize stateless encryption as an extension profile over EESP, rather than as a parallel encapsulation format.</t>
    </abstract>
  </front>
  <middle>
    <?line 60?>

<section anchor="intro">
      <name>Introduction</name>
      <t>Large-scale cloud services, AI computing networks, high-performance computing clusters, and pooled NIC/DPU deployments create pressure on conventional IPsec processing pipelines. In such environments, a device may need to support a very large number of protected flows while operating under tight hardware memory constraints. Even when cryptographic processing is available in hardware, maintaining per-flow or per-session data-key state at scale can become a practical bottleneck.</t>
      <t>EESP <xref target="I-D.ietf-ipsecme-eesp"/> and its IKEv2 negotiation extensions <xref target="I-D.ietf-ipsecme-eesp-ikev2"/> provide a flexible framework for extending protected packet processing, including finer-grained treatment of packet fields and optional metadata carriage. This document builds on that framework and defines a stateless encryption profile for EESP.</t>
      <t>The key idea is to replace large quantities of stored encryption state with deterministic derivation. A sender and receiver that possess the same provisioned root keying material can derive the same data key from a canonical context carried in, or inferable from, the packet. This approach can reduce the amount of per-flow state that must be stored in endpoints, NICs, DPUs, or accelerators, while still allowing isolation across connections, devices, jobs, or trust groups.</t>
      <t>This document does not define a new encapsulation protocol parallel to EESP. Instead, it defines how stateless key derivation, context signaling, and IV construction are realized as an EESP extension profile.</t>
    </section>
    <section anchor="relationship-to-eesp">
      <name>Relationship to EESP</name>
      <t>This document depends on EESP and is intended to be used only in conjunction with EESP-capable endpoints. The stateless encryption mechanism specified here reuses EESP packet-processing structure, EESP extensibility points, and the EESP/IKEv2 negotiation framework.</t>
      <t>All additional semantics required by this document are expected to be carried through EESP-defined extension mechanisms, including base-header option signaling and peer-coordinated metadata carriage. This document therefore specifies a stateless keying profile over EESP, not a replacement for EESP.</t>
      <t>Where this document refers to packet fields for stateless derivation, those fields are to be mapped onto EESP extension locations rather than interpreted as a standalone new security header. The exact wire encoding is therefore constrained by EESP and any associated negotiation definitions.</t>
    </section>
    <section anchor="use-cases">
      <name>Use Cases</name>
      <section anchor="general-computing-of-cloud-service">
        <name>General Computing of Cloud Service</name>
        <t>Public cloud services provide IPsec VPN access for a massive number of users, and the infrastructure nodes serving those users may need to handle a very large number of secure sessions. If hardware offload is used, the device typically prefers compact and regular cryptographic state. In this environment, storing a distinct data key for each active secure flow can create memory pressure.</t>
        <t>A stateless encryption approach similar in spirit to the PSP architecture can reduce endpoint state by deriving data keys from provisioned keying material and connection-specific context. This is especially useful when the client and server are not in the same trust domain and when minimizing server-side flow state is more important than eliminating all out-of-band provisioning.</t>
      </section>
      <section anchor="cluster-communication-in-hpc-network">
        <name>Cluster Communication in HPC Network</name>
        <t>Large HPC jobs may involve many instances communicating with one another, creating security association scale that grows rapidly with the number of jobs, participants, and traffic relationships. In such environments, all entities participating in a job may belong to the same trust domain, making shared root keying material operationally feasible.</t>
        <figure anchor="fig-ipsecme-eesp-stateless-encryption-hpc">
          <name>Encrypted Communication for Large Scale HPC Networks</name>
          <artwork><![CDATA[
                           M Jobs
        +------------------------------------------+
        | +----------------------------------------+-+
        | | +--------------------------------------+-+-+
        | | |               Job 0                  | | |
        | | |  +---------+ +---------+ +---------+ | | |
        | | |  |Instance1| |Instance2| |Instance3| | | |
        | | |  +---------+ +---------+ +---------+ | | |
        +-+-+--------------------------------------+ | |
          +-+----------------------------------------+ |
            +------------------+-----------------------+
                               |
                               |Deploy Jobs
                               |to Server Cluster
                               |
+------------------------------V--------------------------------------+
|                        Server Cluster                               |
|                                                                     |
| +-----------+             +-----------+             +-----------+   |
| |+----------++            |+----------++            |+----------++  |
| ||+---------+++           ||+---------+++           ||+---------+++ |
| |||Instancei||| Ciphertext|||Instancej||| Ciphertext|||Instancek||| |
| |||  Keyi   ||<----------->||  Keyj   ||<----------->||  Keyk   ||| |
| +++---------+||           +++---------+||           +++---------+|| |
|  ++----------+|            ++----------+|            ++----------+| |
|   +----+------+             +-----------+             +-------+---+ |
|        |                    Ciphertext                        |     |
|        +------------------------------------------------------+     |
|                                                                     |
+---------------------------------------------------------------------+

]]></artwork>
        </figure>
        <t>A stateless design similar to concepts used in UEC TSS can reduce or eliminate dependence on stored per-connection data keys. This improves scalability when a large number of encrypted communications must be established quickly across a cluster fabric.</t>
      </section>
      <section anchor="nicdpu-pool-for-general-computing">
        <name>NIC/DPU Pool for General Computing</name>
        <t>For large-scale north-south or east-west traffic, NIC or DPU pooling can be used to improve resource utilization and provide transparent service continuity. In such a pool, multiple devices may need to process traffic associated with the same protected tenant, service, or connection namespace.</t>
        <figure anchor="fig-ipsecme-eesp-stateless-encryption-nic-pool">
          <name>Encrypted Communication for NIC Pool</name>
          <artwork><![CDATA[
VM Pool
+--------------------------------------------------+
|                                                  |
|       +----+  +----+  +----+  +----+             |
|       | VM |  | VM |  | VM |  | VM |             |
|       +----+  +----+  +----+  +----+             |
|                                                  |
|    +----------------------------------+          |
|    |                                  |          |
|    |  NIC pool with shared master key |          |
|    |       and security context       |          |
|    |   +-----+  +-----+     +-----+   |          |
|    |   | NIC |  | NIC | ... | NIC |   |          |
|    |   +---X\*  +-/-*-+     +---/++   |          |
|    |      / \ \\ /  |\       --/ |    |          |
|    +------/--\-/X\--+-\\-----//--+----+          |
+----------/---\/---\\+---\---/----+---------------+
           /   /\     \\-  \ /     |
          /   /  Ciphertext X\     |
          /  /    \-  |   \X  \    |
         / //  --- \  |  // \\ \   |
         // ---    \  | /     \\\\ |
        //--        \ |/        \\\|
   +--------+   +----\*--+   +----\|--+
   | client |   | client |   | client |
   +--------+   +--------+   +--------+

]]></artwork>
        </figure>
        <t>If those devices are in the same trust domain and share provisioned root keying material, a stateless profile can avoid synchronization of a large number of per-flow data keys across the pool. This can simplify load balancing and failover while reducing synchronization overhead.</t>
      </section>
      <section anchor="ai-computing">
        <name>AI Computing</name>
        <t>AI computing deployments may contain a large number of CPUs, XPUs, switches, and DPUs participating in coordinated task execution. Some of these entities may belong to the same trust domain, while others may communicate across trust-domain boundaries using proxy-capable infrastructure elements.</t>
        <figure anchor="fig-ipsecme-eesp-stateless-encryption-ai-computing">
          <name>Encrypted Communication for AI Computing Network</name>
          <artwork><![CDATA[
                +-----------------------------+
                |         Trusted Domain 1    |
                | +-----+ +-----+     +-----+ |
                | | CPU | | CPU | ... | CPU | |
                | +-----+ +-----+     +-----+ |
                | +-----+ +-----+     +-----+ |
                | | XPU | | XPU | ... | XPU | |
                | +-----+ +-----+     +-----+ |
                | +-----+ +-----+     +-----+ |
                | | XPU | | XPU | ... | XPU | |
                | +-----+ +-----+     +-----+ |
                ++----------+-----+----------++
                 |DPU/Switch|     |DPU/Switch|
                 +-----+----+     +------+---+
                       |   Global Trusted|Domain
       +---------------+-----------------+------------------+
 +-----+----+     +----+-----+       +---+------+    +------+---+
 |DPU/Switch|     |DPU/Switch|       |DPU/Switch|    |DPU/Switch|
++----------+-----+----------++     ++----------+----+----------+-+
| +-----+ +-----+     +-----+ |     | +-----+ +-----+     +-----+ |
| | CPU | | CPU | ... | CPU | |     | | CPU | | CPU | ... | CPU | |
| +-----+ +-----+     +-----+ |     | +-----+ +-----+     +-----+ |
| +-----+ +-----+     +-----+ |     | +-----+ +-----+     +-----+ |
| | XPU | | XPU | ... | XPU | |     | | XPU | | XPU | ... | XPU | |
| +-----+ +-----+     +-----+ |     | +-----+ +-----+     +-----+ |
| +-----+ +-----+     +-----+ |     | +-----+ +-----+     +-----+ |
| | XPU | | XPU | ... | XPU | |     | | XPU | | XPU | ... | XPU | |
| +-----+ +-----+     +-----+ |     | +-----+ +-----+     +-----+ |
|         Trusted Domain 2    |     |         Trusted Domain 3    |
+-----------------------------+     +-----------------------------+

]]></artwork>
        </figure>
        <t>Intra-domain stateless encryption can reduce key-management latency between accelerators. For cross-domain proxying, a DPU or similar element may derive one data key for traffic in one trust domain and another data key for the adjacent trust domain, then perform secure proxy conversion under tightly controlled policy.</t>
      </section>
    </section>
    <section anchor="requirement-summary">
      <name>Requirement Summary</name>
      <t>Based on the use cases above, a general EESP stateless encryption profile needs the following properties:</t>
      <ul spacing="normal">
        <li>
          <t>It supports entities within a trust group sharing common provisioned root keying material.</t>
        </li>
        <li>
          <t>It supports traffic isolation through context construction, so that different connections, devices, jobs, or protection domains derive different data keys.</t>
        </li>
        <li>
          <t>It supports canonical and interoperable derivation inputs, rather than implementation-specific context formatting.</t>
        </li>
        <li>
          <t>It supports root-key lifecycle management and data-key refresh through epoch changes and rekey events.</t>
        </li>
        <li>
          <t>It supports extremely efficient KDF execution because derivation may occur on a per-packet basis.</t>
        </li>
        <li>
          <t>It supports carriage of the information necessary for derivation and IV construction through EESP-compatible signaling.</t>
        </li>
        <li>
          <t>It supports deployment models involving proxy processing across trust domains.</t>
        </li>
      </ul>
    </section>
    <section anchor="stateless-keying-model">
      <name>Stateless Keying Model</name>
      <t>This section specifies the abstract stateless keying model used by this profile.</t>
      <t>Each participating endpoint is provisioned with one or more root keys associated with a local policy scope. The implementation derives a profile-specific master secret from those root keys. This document does not require a specific method for composing multiple root keys, but any such method MUST produce the same master secret at all authorized participants within the same derivation scope.</t>
      <t>A packet data key is then derived as a function of at least the following inputs:</t>
      <ul spacing="normal">
        <li>
          <t>the provisioned master secret,</t>
        </li>
        <li>
          <t>a canonical context,</t>
        </li>
        <li>
          <t>profile identification or domain-separation information, and</t>
        </li>
        <li>
          <t>any additional inputs required by the negotiated KDF.</t>
        </li>
      </ul>
      <t>The stateless property means that successful decryption does not depend on the receiver storing a previously negotiated per-flow data key. The receiver reconstructs the same derivation inputs from local provisioning plus packet-visible and policy-visible context, then recomputes the data key.</t>
      <t>This profile MAY still permit local caching of recently derived data keys as an implementation optimization. Such caching does not change the protocol model and MUST NOT alter the externally visible derivation result.</t>
    </section>
    <section anchor="packet-format-mapping-to-eesp">
      <name>Packet Format Mapping to EESP</name>
      <t>This document requires three classes of information to be available to the receiver:</t>
      <ul spacing="normal">
        <li>
          <t>key-derivation context inputs,</t>
        </li>
        <li>
          <t>IV construction inputs, and</t>
        </li>
        <li>
          <t>any selectors needed to interpret confidentiality and integrity processing scope consistently.</t>
        </li>
      </ul>
      <t>These items MUST be encoded using EESP-supported structures rather than a new parallel stateless-encryption header. In particular, metadata needed by this profile SHOULD be carried using EESP option signaling and any EESP-defined peer metadata fields appropriate for per-packet interpretation.</t>
      <t>Typical metadata elements include a Key Scope Identifier, a Device Identifier or Connection Identifier, an Epoch value, a packet counter or nonce-related value, and flags indicating the selected stateless profile behavior. If confidentiality or integrity coverage offsets are used, they MUST be defined in a way consistent with EESP processing semantics rather than as an unrelated parallel mechanism.</t>
      <t>The following figure is retained to illustrate the logical stateless-encryption metadata set that needs to be mapped onto EESP extension points. It is an informational field layout example only, and MUST NOT be interpreted as defining a new standalone protocol header.</t>
      <figure anchor="fig-ipsecme-eesp-stateless-security-header">
        <name>Example Logical Field Layout for Stateless Encryption Metadata</name>
        <artwork><![CDATA[
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|    HL |   V   |    Reserve    |   COffset     |IOffset|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                 DeviceID/ConnectionID (4B-8B)                 |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Master Key Options (variable, optional)             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|             Epoch             |             Counter           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

]]></artwork>
      </figure>
      <t>The following option example is likewise retained as an illustration of the logical contents that may need to be carried by EESP option signaling for master-key selection and derivation scope identification.</t>
      <figure anchor="fig-ipsecme-eesp-stateless-security-header-option">
        <name>Example Logical Master Key Option for Stateless Encryption Metadata</name>
        <artwork><![CDATA[
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Option Type  | Option Length |Root Key Index |   Padding     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
|                   Root Key ID (16B-32B)                       |
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork>
      </figure>
      <t>This document intentionally separates logical fields from final bit-level encoding. Concrete wire-format allocation is expected to follow EESP extension design and any associated IANA assignments.</t>
    </section>
    <section anchor="context-construction-and-kdf-processing">
      <name>Context Construction and KDF Processing</name>
      <section anchor="canonical-context">
        <name>Canonical Context</name>
        <t>To ensure interoperability, the context used for data-key derivation MUST be canonically encoded. The context MUST include enough information to ensure separation between independent protection domains that would otherwise risk deriving the same data key.</t>
        <t>At minimum, the canonical context for this profile MUST include:</t>
        <ul spacing="normal">
          <li>
            <t>a Key Scope Identifier,</t>
          </li>
          <li>
            <t>either a Device Identifier or a Connection Identifier,</t>
          </li>
          <li>
            <t>an Epoch value, and</t>
          </li>
          <li>
            <t>a direction or equivalent domain-separation indicator when the same root keying material can be used in both directions.</t>
          </li>
        </ul>
        <t>The profile definition or negotiated transform MUST specify the exact field ordering, field widths, byte order, and any length-prefix or type-prefix rules. Implementations MUST NOT rely on ambiguous local string encodings or implementation-specific serialization.</t>
      </section>
      <section anchor="kdf-requirements">
        <name>KDF Requirements</name>
        <t>The KDF used by this profile MUST be explicitly identified by negotiation or profile definition. The KDF specification MUST define all inputs, including the master secret input, the canonical context input, any salt or label input, and the output length.</t>
        <t>A receiver that cannot reconstruct the exact canonical context or cannot identify the negotiated KDF parameters MUST treat the packet as undecryptable. Implementations MUST NOT fall back to heuristics or trial-and-error parsing for context interpretation.</t>
      </section>
      <section anchor="example-derivation-model">
        <name>Example Derivation Model</name>
        <t>A simplified abstract derivation form is:</t>
        <artwork><![CDATA[
DataKey = KDF(MasterSecret, ProfileLabel, CanonicalContext, OutputLength)
]]></artwork>
        <t>The exact KDF instantiation is out of scope for this version until aligned with the relevant EESP key-derivation framework. However, this document requires that the selected construction be interoperable, efficiently implementable, and cryptographically suitable for packet-scale invocation.</t>
      </section>
    </section>
    <section anchor="iv-construction-and-counterepoch-rules">
      <name>IV Construction and Counter/Epoch Rules</name>
      <t>For AEAD algorithms such as AES-GCM, IV reuse under the same data key is not acceptable. Therefore, this profile MUST ensure that IV construction is unambiguous and prevents reuse within the same data-key scope.</t>
      <t>This document recommends an IV construction model based on an Epoch value combined with a packet counter or equivalent monotonic sender contribution. A representative abstract form is:</t>
      <artwork><![CDATA[
IV = Encode(Epoch, PacketCounter, OptionalSenderField)
]]></artwork>
      <t>The precise encoding MUST be defined by the negotiated profile. That definition MUST specify counter width, sender responsibility for uniqueness, behavior on counter exhaustion, and any constraints that apply when multiple transmit engines may emit packets for the same derivation scope concurrently.</t>
      <t>If multiple senders can operate under the same root keying scope and could otherwise generate colliding IV input tuples, the canonical context or IV input set MUST include an additional sender-unique field. An implementation MUST rekey, advance the epoch, or otherwise terminate use of the relevant derivation scope before IV uniqueness can no longer be guaranteed.</t>
    </section>
    <section anchor="ikev2-negotiation-considerations">
      <name>IKEv2 Negotiation Considerations</name>
      <t>This profile is intended to be negotiated using the EESP-related IKEv2 framework rather than private bilateral configuration alone. The negotiation design is expected to identify at least the stateless profile, the KDF transform or transform parameters, the context format, and any option behavior required for wire interoperability.</t>
      <t>Depending on the final EESP/IKEv2 design, this may require one or more new transform values, attributes, notify payloads, or capability indications. The exact allocation strategy is left for subsequent alignment with the companion EESP negotiation document.</t>
      <t>A successful negotiation MUST result in both peers having an identical understanding of:</t>
      <ul spacing="normal">
        <li>
          <t>the stateless profile identifier,</t>
        </li>
        <li>
          <t>the KDF and its parameters,</t>
        </li>
        <li>
          <t>the canonical context format,</t>
        </li>
        <li>
          <t>the IV construction rules,</t>
        </li>
        <li>
          <t>any confidentiality or integrity scope interpretation rules, and</t>
        </li>
        <li>
          <t>any constraints on trust-domain proxy behavior.</t>
        </li>
      </ul>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>The security of this profile depends heavily on control-plane protection because compromise of provisioned root keying material can affect all derivation scopes reachable from that material. Deployments MUST protect root keys in storage, transport, and use, and MUST restrict distribution to authorized participants only.</t>
      <t>When multiple root keys are combined into a master secret, the security properties of the composition method MUST be clearly understood. Operators MUST also evaluate the blast radius of a root-key compromise, especially in deployments where many nodes in one trust group share common keying material.</t>
      <t>The derivation inputs MUST guarantee data-key separation across protection domains that should not share data keys. In particular, the context format MUST avoid accidental collisions between different devices, connections, or directions.</t>
      <t>IV reuse under the same data key MUST be prevented. Implementations therefore need clear rules for packet-counter allocation, counter wrap handling, concurrency across transmit engines, and epoch transition.</t>
      <t>Cross-trust-domain proxy deployments require special care because the proxy may be trusted with keying material or derivation capability for more than one domain. Such deployments MUST define strict authorization boundaries, auditing requirements, and limitations on key exposure. They SHOULD minimize the amount of plaintext and long-lived keying material visible to proxy elements.</t>
      <t>This profile does not by itself define a universal replay-protection solution for fully stateless receivers. A deployment using reduced receive-side state MUST explicitly evaluate the trade-off between replay detection strength, memory consumption, and implementation complexity.</t>
    </section>
    <section anchor="operational-considerations">
      <name>Operational Considerations</name>
      <t>Large-scale deployments need coordinated procedures for root-key rotation, epoch advancement, rollback handling, member admission and removal, and consistency across control-plane systems such as controllers, KMS components, and offload devices.</t>
      <t>If a deployment uses pre-key, current-key, and next-key style rollover windows, all participants need a well-defined transition policy so that packets sent during a rotation interval remain decryptable for the intended overlap period. Rotation cadence SHOULD account for both cryptographic policy and operational packet volume.</t>
      <t>Operators SHOULD maintain auditability for key-scope definitions, profile negotiation, epoch transitions, and trust-domain proxy authorization. They SHOULD also define failure procedures for desynchronization between provisioning state and packet-visible epoch or scope metadata.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document is expected to require IANA actions related to EESP extension signaling and EESP-associated IKEv2 negotiation parameters.</t>
      <t>At minimum, future versions are expected to identify whether new registrations are needed for:</t>
      <ul spacing="normal">
        <li>
          <t>one or more EESP option types used by the stateless profile,</t>
        </li>
        <li>
          <t>one or more IKEv2 transform identifiers or transform parameters,</t>
        </li>
        <li>
          <t>any new IKEv2 attributes, and</t>
        </li>
        <li>
          <t>any capability or notify values required for negotiation.</t>
        </li>
      </ul>
      <t>The exact registrations are TBD pending alignment with the corresponding EESP and EESP-IKEv2 specifications.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-informative-references">
      <name>Informative References</name>
      <reference anchor="PSP" target="https://github.com/google/psp/blob/main/doc/PSP_Arch_Spec.pdf">
        <front>
          <title>PSP Architecture Specification</title>
          <author>
            <organization/>
          </author>
          <date>n.d.</date>
        </front>
      </reference>
      <reference anchor="UEC_TSS" target="https://ultraethernet.org/wp-content/uploads/sites/20/2025/06/UE-Specification-6.11.25.pdf">
        <front>
          <title>Ultra Ethernet Specification v1.0</title>
          <author>
            <organization/>
          </author>
          <date>n.d.</date>
        </front>
      </reference>
      <reference anchor="I-D.ietf-ipsecme-eesp" target="https://datatracker.ietf.org/doc/html/draft-ietf-ipsecme-eesp-03" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-ipsecme-eesp.xml">
        <front>
          <title>Enhanced Encapsulating Security Payload (EESP)</title>
          <author fullname="Steffen Klassert" initials="S." surname="Klassert">
            <organization>secunet Security Networks AG</organization>
          </author>
          <author fullname="Antony Antony" initials="A." surname="Antony">
            <organization>secunet Security Networks AG</organization>
          </author>
          <author fullname="Christian Hopps" initials="C." surname="Hopps">
            <organization>LabN Consulting, L.L.C.</organization>
          </author>
          <date day="2" month="March" year="2026"/>
          <abstract>
            <t>This document describes the Enhanced Encapsulating Security Payload (EESP) protocol, which builds on the existing IP Encapsulating Security Payload (ESP) protocol. It is designed to modernize and overcome limitations in the ESP protocol. EESP adds Session IDs (e.g., to support CPU pinning and QoS support based on the inner traffic flow), changes some previously mandatory fields to optional, and moves the ESP trailer into the EESP header. Additionally, EESP adds header options adapted from IPv6 to allow for future extension. New header options are defined which add a crypt- offset to allow for exposing inner flow information for middlebox use.</t>
          </abstract>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-ietf-ipsecme-eesp-03"/>
      </reference>
      <reference anchor="I-D.ietf-ipsecme-eesp-ikev2" target="https://datatracker.ietf.org/doc/html/draft-ietf-ipsecme-eesp-ikev2-02" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-ipsecme-eesp-ikev2.xml">
        <front>
          <title>IKEv2 negotiation for Enhanced Encapsulating Security Payload (EESP)</title>
          <author fullname="Steffen Klassert" initials="S." surname="Klassert">
            <organization>secunet Security Networks AG</organization>
          </author>
          <author fullname="Antony Antony" initials="A." surname="Antony">
            <organization>secunet Security Networks AG</organization>
          </author>
          <author fullname="Tobias Brunner" initials="T." surname="Brunner">
            <organization>codelabs GmbH</organization>
          </author>
          <author fullname="Valery Smyslov" initials="V." surname="Smyslov">
            <organization>ELVIS-PLUS</organization>
          </author>
          <date day="2" month="March" year="2026"/>
          <abstract>
            <t>This document specifies how to negotiate the use of the Enhanced Encapsulating Security Payload (EESP) protocol using the Internet Key Exchange protocol version 2 (IKEv2). The EESP protocol, which is defined in [I-D.ietf-ipsecme-eesp], provides the same security services as Encapsulating Security Payload (ESP), but has richer functionality and provides better performance in specific circumstances. This document specifies negotiation of version 0 of EESP.</t>
          </abstract>
        </front>
        <seriesInfo name="Internet-Draft" value="draft-ietf-ipsecme-eesp-ikev2-02"/>
      </reference>
    </references>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+08a3PbxrXf+St2ki9JRYi206at5/beOpKSqLFjT2Sn7oxm
OktgSW4MAigWkMxG6W+/57UPAKREt74znc5VYokE9nH2vM/Zs5tl2ayzXWme
qk+uOt2Z0jinLqq83TWdrSv1qq1XtjRqVbfweKOr3BT4XjeuL3Vnq7W6Mnnf
2m6nXuldWetCfXZxcfXq809merlszQ2MjN/VvuE/meXwcF23u6fKdcXM9cut
dQ7evN41ANPlxeuvZ7Zpn6qu7V335NGj3z96MpsVdV7pLbwvWr3qsvdWZ7Zx
Jt+azBjXZM5PlZkwVfboi2T4Lg5f9dulaZ/OCujzdJbXlTOV6x1NaWaz27p9
t27rvoHmr64uzl5cqD/DI1z4N/h49s7soE3xdKYyaAFQ4AdcMf7dt+jZTPfd
poYplcrgn1K8mOdWw6BvraZndbt+qr7t9a2x6rXJN1Vd1mtrHL00W23Lp2rV
6urdKSy/xK5/3FDr07zejkb+s7G7Xv0JGx099k/Y+hY7Ph4OzD+jGa42plpX
ulJ/AZyFKc42ttLqRb0EDkrH3vXGSYc/5thmS01oAqRA19pl3yGGZlXdboHN
boA0M1ut4jelXl29ekqjCgPDd/WshfE6k3d9a9RVY3K7ssBiiHVsGREvEH5T
12uBjelP4+l2bbqnatN1jXu6WKxtt+mXCN1iTe0XjWsWy7JeLmA91QLYcQGT
/xUn/ytOetoUqxkM9ebiTL2+uhpA+absWq0uuo1pK9MNYVQ3j08f7Qd01O0M
2LRuO9tvH4C9x35Gup3CUIvbJkMUm6pb9A3Kq1s4QJlbPHkE/z/5zeLRl4s3
F9kAsOzL08ePT5/8hheWZZnSSwcD591s9npjnQIU9FsYUjnuZpzSKoihimKo
mn9aoZyq1xsT+sOkFldRQHccq8SFZy7X8K4wsLAdw5ObSre2xtbqdmPzjUKa
dfAPp2pMm63K+haQTJ+dIfWQAkyrwOlqaEDY0GW5U+Z9A3oCWBG7Amca7ewS
eFhdVq4zAHS9gq51i7NoVVgHS8s7pJRWoDIIZqMBHIerBXwAFHOYt2hqAA8w
alocHIFqdP4OaC4gEvHex5EcqIF6i+jeAmCmhQE7nBwQdWNxMYCgtq47bIvA
gADB0LpUXb0mxlC3wN+KJ8ly3bYWesgsp0hfE8lbGJeDcAJ5u80Az9saxJKw
M6dXkfZ+2rowJb/b6qbBRwBka/7W2xZJaE1ZAI6rriblCfjtEL/IMYSQuQcJ
/wLv9TlRp+1hkjkhI0O0Etq057QcyVmt5+ryx1E3nhdBh97OMxy2sYWQGV7o
qkjJPnrPDElc2CGDAOitAV38d7Of9TUIRZUuTFi5vgEi4KLnCkZGinQgF9Qc
yNIiVUscx4sIdGVFeMqyuLVFAUps9inwXtfWhazx508tfv1lNnueyEZe1n0B
K25vbI6Ye3YJq9o2PUke6Ai0d/B4Y9ebDFZOE4GMJo3yEkyxaQU9TV2XQL/v
L88W56/eJCzhVA7Y6FBiAQ/I4gATIPAG3jE2yVomZFKNbUxpK+NQipTrQTpM
dWPbuhJCgSAZhBtYaAfAwryAc9c3DehCeAl43LEiUGzVRQ7QICCPgYg5VAKI
c6YqTNqDCgGMw3o7tdFtcasB1K3ZglMiPIP6AkC6AMihN/wiitbrVjegUNIF
ABPoGzBxeokaqgrjzY9SOoGJWeVo1F5EMmCGpQECGGQI1Lqglku1rDuwKJXJ
3wEfkMz8/PP/XGbnp9Z0q4FD9MsvRCoLNLn87uLmCaBuDfLKrBT40R3sn9l3
5uYJjEI6pUAwVqV5j/oOfZCtQaZhjYaDFbTIgHZRX6k4giose2q2AnK32Rpx
jNREjiF9goTjfqIZWBSFc7am06T/SF3ptUFRTM3QsresTlCUugRIHKYwOOtx
FgrQKjoQCQNr10HSm1IDJzK7/a3XwNUd2j3R+7CaiREhRVsYEJ4tcAJYhDzR
V6fqGYglMSMC2Zrc2BvWBYC82iGXsGqFtTys3ZFpxIaETtH4sMWANnVFvBR0
q6h/C2pc7Fqrmcz1lrU3k0UQDpq8rdGK4XSw5j7n6cCj64WKntkZBbSaLSgQ
4GiPJ1tFuzdHTQK/QZc4AkHnOVAIZLVGjcPCC5grSwV6sb5lqatFLeq8BUTh
akAsRIezxoAPP9VLHpJiCUVOvTsdOzBFDTSs6k64BLBUmduR9kXervO6jNpZ
rFaw/sDiXeCzjV+9t4cJ1aNZcxb84ZLEA+k/tliolcS6FGJJxnaS+fYUDcEP
hkF1G9t44CYrNeDBsJDQSKQiEq8KugGNegcf6wo8Hkvq+6e+YoCImbEj+AwN
8UggIhvGvcK1hXBDA+9vg6dYKLB4uDaYyTEk4oskipXx0KMmTVcNUQOabc86
uALkPmyymGq6oAUARc+QgYrCikJxEJmAAOcueiTLHYyV4gspgF4fKTVGjheX
bgPMtBZ0MNmLhDJh0S5VfUvtTLYBZkE7JWrC8wCbVkPuHgSXECLhpA+qPXQe
DOgtc8APFyWxx/FAjtdeqdFYifr7M1FoiA2YB3wAxMNQT2O3OGHK6BDROBPU
OQ5IOERvkFhs6vmVNYcfbuAXIYO24FR0Igg4XVXoEnQhyWrw5hi3zIzmPZhN
4FmkYZXXhVjriLBg6pn0QSJ0tYNZXJ1bIkHKT0Roy64gCt0bWN4ZENXBl0/V
N2CaQTtAqOYdJ9CGZ+R9XbH3NZu96pclGIGhTxasLPtHP776npSgY9xqQJij
uCO6OCA5bcL+oLVbHSQGSAteO48OQDAVqMfAiwLMghN5yImSIEU8FfTPVtFZ
qlcrCtMAn6gt5hIbkKPW7Ro0MKA+GuEYdCSRFmzk1qBT25FDRexDLiCxXOIC
zo8LqdBDujFpZEX2SfxR8e28W4rK4IC/7o2bs1uLYIIGdI0F3kKE4SIx5aDT
lENiBr02FMO3FK2PwI9Ct9SWj804Yimas0zEOg/xGSsAxBK9IkwDEVZ9ya4q
QpmXlvRXxTyGDgaxRYcLCs4BW8WiRk+V2lJ/dFS29u+kg6lvhgGQSiw6zL1F
AbJb9MI1aSEMc0roV7GLDVCpuu+yepUtSbH5BcPLUxKWM44pUFi2feXTIQDI
t6/O1PcclUgcQ4/QlhP72uqmLm9Qi1T4BVUBilAex4H5yVShegB/ByV+zqzA
ixJl4WWc1DC53eSqgJdwi+qnsQVglgZCjEXJYK8CHAGwHrbR0Q61eoWEahNL
fDiuKTHAEwcyjEUAIjFwElrt0oCWW3vum5ANwwzKTDqQzUOO4TCNEfIWs9k/
/vGPWcjv7fl5of4Eaw0tTrKjf05Cp7vju50Muh3d8WTS8W60DliFejRdHjUd
d4yTnhz8vLfj3aXw4uO7+PlJ8vmLu481I634SOQMOnLXI39OBh33kv/QWCf3
cRUt/cEG55RWGDLgobYgHVes5kSrPDz9A1j48UgUzcasFn6GAD0Iz8FxPugH
x0lXdjJ4e/wbHOcueXgyaH78GxoneXgyaH78Gx4nSJKFz+rMNqDY0SQmb346
+OYdvpFxlPoOVCTN81/Jyv9b3vx08M07esPjAFwRxruUfse/IbqfpEgb8MHR
b5h/6NnJMfSdvjnJWODDLHsZMmJ239vYLRnnA4xG+nMyHudf+nlQ3o+Fim3m
z0/Vpyu7PmILctPkvA30h09kOxCM9NDlQR+W3ZwrckIS/8d98svQVQW3HuLF
4J2C3gOvMDdNx344ug6yA5X6pegki29mJAdgMMFLWSrKx8gug/ic0Vv1zuYW
/TcMKQBCLSE4OYt6EjeYsMw8XaYLKSADy4EYyG2gCQTe+TvwSSSLo32mWa30
srU5e4o+0fyqrkvC1iTOms2+Hu0HVeCYbjIHLuiGlg/BUXYLM3snjZJO+AYH
xoQ2pbkp68qYBNTKqgGLME4L+IK5Svt3yTt5p7ZAh0xXDnw42n3ikI68dVv1
gKjoAWqaCVy2vuxsU/qIaRiVSQokeJNJJBp8UZ8PlHQrBM+aIiWemzJeCTVx
vxbAy73H9+MLQuU/IxL32Lv7hM93OhHJPvR3b6c7BQDfHf778Wb68DUdgcKT
SacjpkuaxE7IschAzAfi8G81yQsGw3s70Q/HgXHHK1Hg+zudeNBPkjXEz/s7
3RGEd/HD6elpfHjPTG+vf4UfFtmvkpkWJ4dngp+FulbX1/BH3V1LA+ijxgge
0mmRZdfZ4u01mrvra360EJM5oFNCV3ifXdOva3x6LY8mru/A5V3gP4YL5oFf
9GTo9i74X2JS317va0Q9cRBcyfVbHGzYaKEWC1x9hm+gEXwDzFyPGi2ohVLc
aCGwQcPYCHHhP8PzRfh8fU2NwpJP/JfrX6Vf7gQLdz7/cHf4y/7xpl8+1OCC
vclISI6wusiZqAnRyl6uJE/mdTImTO5NlpAAPrgrMx9kY30aFi2NvqktjLKr
8k1bV96ugAWd2tSwoxLTSGIxaXsGliCGGscF56Ap7WqnKEO3BINd5T6/vNK2
pBQw76qQf0DZgzEU0AZzqWyAn12mpnawfZxu/qIVQ+VCCJqs4Yy2d97Sbwca
LN8YyZvgxs80BZJmwTvt3inzHjQYb5td4cZojRQzzsQ0ylH5EtkMxqSQB9nz
hQlYxR6Z0HpZ91WhW5ygd5JLf78LWyCj1CvQmbBxKLtyv8WYxs1Rl71GoAAZ
5wzW47Gq8O29mt6nuve1v0PSJH9Za8uzjzD+h8PzVuB5m8Dz9j8UnkEgl/zm
j3vyKHcgLosrEqC7yYNp82TMFBSO9w6lSXDgb8oadIfnujvmutlg1DHk9z/B
6fZDk2KKH6VB7BDge5d/AEUDDD2A8P1EGXw/mT1A5KMY4QHBkzHuF86PA8fH
Wcs9QhLWcp8g/f9axnD4n5Hif+Il9B7j8AW9fSDCG+iDQ20+1P/SNovewRE+
WOpb+LQH+WMVBMDeBO/dq0sSHOARZVtd6TXvY5fQusrRF+huDSYpkoKSU4Wp
AjLzfnSy51yFQekA3M6WBItYc/ITpLQGN5UG+48+UIeR8N3ET5QdqFEnrJgp
foKgHHfPBg5Kh3kVqcPzG5oEIpfStbRPnpSwlex1tXWJVXlNXdp8JxUhoeJR
XfXbrW53s9lXmqs7CILeoSuKRRh6CS4fImAtuRXaDb+3WAoTFuyArmpflwPv
AHJ0xp7OZpm67HypnoteGkav5CEmRTnkTFMKBhiE57jXqz4dDR5oEOqCfH3G
vhJScEBr3usr7GplKG/zQAGRJFsoOUZ0CuW6cYiYNRtBF4uuqOAGixloS25J
KaBQvWorEAM3rAhFX54oqPduBktVaEe7qsNJEW1UWgixgMl3eUk7pl5EqCjO
Fx+2ZtUatwk4M02N9V0w/9o42bXHduaGPdsRYd93yGRYII00oPDuu/Ovo7+O
lYy6d4O1okDVOfA2sqJOa56X2tk9GOTqF3H6VTgXgOktg/kyYG4SrGSOfTVV
g7IdqkvoqKYxlOGMZx4UPBemdLL/HAKBtBg0DR88n5AoxkMh3zEjv8CxpDzL
CWPFAh7SDlJuf6CumrOUvmIpFoJdYPXCMJgKZQnWDQQr7JED2mg/30uamyQd
NRXmlKJdlMuBf6UWesCgIhRUxswgRZaVTBWstsXaISyD4Ig7TDuubQqFeVKh
haF0GM1AZz4HgGSsCf8hsRqGnKtl31FFD2VgpdeLN1evEcBQvEhx4hBA0A64
R8/HMqgEL93x91osFlpGvmPsYOJeWDpofi4/8liSWqaVL6/D0B+MF+aqR2qV
NQOp1G4zzDkMgJ5Dgz01nvg4HKIoUBGH4ycoMcSnmTNY2iiKKEgXReg4KtZE
xeI5BmhUOWdCqRQ8AQ0gVbSD7Adahx2QQVeONTCQBaUHq1cKE2xMUpKJuxXe
XoUK2VgT1LSgq+velbt09knChJk19IcPXiu4vTSUBRKXCusnFSyqKXvnaxbx
KaoQLo1H+QiPPP6Z6jgpejr+KIUHTdSAp9CLZ3+RctcGq4Y7mT/XeG5KjlCg
21DuAh8laSEqEx0JJZYabiW1cwquABXv8mgB0aztPXtxrSsrGlwXCcz3L1+D
SHSGvRes2Wu5osQvN8Ef2BOQRdJ9r1gIviaWUi/kJMiBClXhKMRQa7COSWMV
NC46VflcRhjr7iXb48lLgoI+YQKQN5hiZFHLj0yDN7+R4R2wbY5OI/k6sink
SxGx84qlSdN+mLfta8qyp5WsqA/4IInriHAsGaD6bGe2jrG7lDJFmIbTTGSi
xA7Bw5BiGpZGcrFyqEre55OHqsjLSnQYVuDNY22prG5kTNTVty/fPD9Pi14j
YPvLVxFpg4JYrGeN8/hCUCyya1qUVNLfifEP2GVeBTRxMWEcw+fXpKoWbQKY
VHVFOL4U5Yb1XuDLcz1ifIja7izuiw1aV+qCvJ4bXfbkCAtEOVa1c9cKt1oz
qu6CpfmGmFUt9RoBKnz1GWkUYh4i3Dj7uzQbDUqrpZrKMRtRDb7nohwTsez3
rJzpOCsdKi53gXM8vsmvvtW7hNti1faAJ2P18+j8EcYWfo2BrUI5s+j0aJog
KsQAxaIx6ORIB0hJifu4LZf/G4VnTZGKe7kzkBZPsZFNkMjioVphX3l+SZ6N
HtgtmIy4DWLBXQ0egHmvUSdSWft8qNKWZlxfzFW+ZF6oujgWGwfVKCLlk7x7
iss4QTv6ebLn2RfY/TG8+kL9Wv1Gfal+q36nfv8hz2ZcD/Yv/De7+5EDS8oo
fPucMgs/+gzDD4YKQX3G4ewlMSNnIC75y93HgGGCGpbgy/NFlNrLc/XZr7/K
fvfV55PW/3qxyMdexQt2zlBBvWy4CuKzGwh00WjNw9mmz/9PYVCi2AZzDL6d
iYr7IBgexOS/Ay2OyV35fXF/LsPnrERhPBfV9TVpk+esTdBq7b074YXoMsxg
DfWk2Euvh0BhlfadubUY/3jFKc6b150SE6QKVI5xi++clo0kVtqfZZiYaASb
4wU+c0gWykfK4wBmFCn8B6k6JcKo8MYJFAb5+txUazCVdz9g8Igye1kV5j0J
yyuMfQCDH4cx9wtHnBZU3OMvv8q+eLJHyXnh+HcQrw+Xrkx48oCQTfTlsZKW
hhB8OttXu0tYC16zlyF/aglDO7DzeKzWdllpbvjINR0UOkU/ESNqQweIMvYr
6PyhP6jgBifDWNDHHoqU6+05VHT57Ptn+B1e++3iT3FOilHOBqcAKwqm8VoW
cd74+EQI8qUXoKFWeI9Ja9IUI9Xq8fkcHwJR5ohyZXuO0HuPMiQRMK/HcQnH
0H4UauidcFNRVm0Uowk0SWbBZ+TBV5YyxG5fapW0223dg8al3DmrSevexQM1
kxOumHDp+PBKL+dWp4ddOfWeBtvJKihsPBBOwBtjyVE+EFfoA5EFhZKj2IID
TFUAZ+U+C4NxL7zntNc0IUOhRd3GEz609oPHgH0VI5Uv4AlkP5UTB96vPx5o
owgnZlCoppG2IAhFnHfbSeSPaUl2r+sWKYJ7J/z91hbdBrNuu87wy3lg/5L0
a4anwux7OpUL+td/pVsdwJcfZC5c9NJbTDCjOGyXEHHUvZO0CAgK5zhZcB3F
TweS5o4Q5BMhJEYoWck+iWPs4NN9+dUYqb9vSptbzMF4M8mt08OCvG0wQjML
EU7gBvfA0Mj+AHJZhmxEPDzK92ikKUpqc4jV5SXlMXRJd4mUemnK+IKPDoI/
A9+FOJS1HJ5Dh5E5BRuSJQkTTKfFfCz3EMTsywxSYLnFU/FCYboFIDlrjq4Q
bnGRutd8ycohzlghupbQjc40GjA3jgJb2poDemew0sy0LZJDt847QhFPo5QD
cIW3S+eJXuSE/TNfXoX0Din6RH+SyFjM1aJ1PAflhPrkD7jqz9i8XXGq1t+z
9RyJMo/6/MznDF8SYdgp+Zydr3isFZHIZ988t+F1NT2dv2f3Lai6uGXYWTxC
DyYnrSUGwTI3eIaPbNcoaxbPT6tv61swke18cig4JOyEgiHxMciuLQdWCcOf
sFuEQhSIS6/oCGR6QJRNeW87vpmASEnJV672xi2Z4KZ+ipm9iQmVIGfBmvgH
1DZcNf7s4tk5YGVdg5uy2Tqp1Hbw/Cr75uwFXSRDJ9X9nuvkagXLGVTcZfbM
+tofMp7v0R9iFglhkyQk8n3UcVxlzvtuAsVk4yFcISLbDuOEKm6p0ql/sAvj
6TjDu/R7wkNLhRsrSxuYZV9KLLFa2xqQgCzsr7QIt3pZvumiNXj+lgX4Jtnf
GkoMQPgH9PMAsM8IlrkkkIWAc/EMdXlF01BclogHzJFblxz5HqfIplsVfvMM
qKa71CIOLJ9fNVm4uV8krKip47UEyJl9Zf/Wmwp8tXnI9PFFODyAeb/REOD5
zRXS0MmtM8wXumlKOWIRNrXIJOOGAKgEumUC4z+DD5gwLlQW7N2RoqMifdv6
DPTlKg7Nq+H6UT4tOmH31Nfg8fig8tBJ4/KBDicrS0sEAIqSyVFd39DNTfvt
FYAeWmJ2aeBfYm4yvboBQcsY0ex4AINNtj1oBNq5BkQXN3SnEZkuZiukSoCb
L2ihZbuwyxxU4wSVS75BAACO1CbkVbXC+lNAHLDcugczB6szBaslup7i+8RD
OBtcLjXaB5pezJHwLGfi/c0XISnNU8S7b9LkbkNrANgttm0Z9ZS+le1yzHCy
ezK88oBimFG8E4z7YMdykupmYqOxiv4kl8zIl+gIDGMUjiOigEjcGOQp3iKG
TrHdE/MAys8pxqDsCytMDveSu0J4caKkUZz8TnO6LY454AgxqUbcJupYu+Fn
0HyIi4Yvr+OKEaoPZq3gdwbCBWJsw5NoknPla7IlpVlxoOL6pTPIXB1b7W3I
5jOmto2urL/KZUAyUf58z0HcYE3biHDgLl2IEnC3xinEMO3nCJFRSEkXUB6c
tyDDVvR0c8MOYh9Pfn8ZVUJvebs3SEPay/vJPW50/Zvs0N27eSJprIF/52+P
i5t8qepFNklLv7nAI2zXUCWHP0YzlV0Tz9iQAklk2V+8szEwEgcyUrOVNaWu
TBoE+2oZJHBbby3ro6Nuf9KrlWHGmqgsdB90vgk3O/kMotRTqfOkkN+XRyBE
SVGI5eOCeo1iTUfe6lZEFOBNdlWArUA20C+2LrgAqDUOFVPgrgxfOlPtqeGg
Ta/gi1jcCdKjugdxPAX7sQrNa3IpEfH7TaEGBBMdoL5avEKDWbyuwZa8bKRa
kFvp0tXKoOD7Da1liSqv1YXtHR/ZCOVWkWzz9IYOWw3OStzS/Tp0hQVf1jKo
How1ccZXxE0K4PiWxknFAgEcDE/iHcZsglQpHcq7uA3ZdHRpGYLkNOhoB3mq
sQVhdLQFHGKSTRJt8Ab4xjmfAkrq5ny13aAGD/NTadbiQTfcE1T8ZcxXjWPG
ePcPpc2J9KwR0pjCO2pRP8+j9wfxCF+cQ0mP4FLlu1j8NfTSWC64pI7eWYlT
zqgGdY++SfnE2yNhJMzxm6AhpFgDuvDJF+Ye769PbgEZFMcl5mnlDR25CVTf
SuBIqUgx1gySpRAZ9zItCb5wWAbW3aPHBiAMr95EdOBpZE8UZm70Lmq6nAct
5M4XH8hlNJMr5kpU2Mh2NBp4XFlJlTDjRfvSFD5YC5hKzucMvK1QCAPxARgq
U67idXDg42EQDcPRbVm7LBEdV5d9yFSDkS13iU30mRSH8U9SScjeGxcvh3v/
+JodvmGH48SYZBooH+CiwmT1ahVkicGiewZz709Q3mCeXmvZb5sYdYx8ZdRa
eL9jx6XDL5MbUMeG7vnea3ediFRyaovKDQqqWEHkBA0JyBOpYqkQ35xve8Iy
ZkrmRCGDJeAZMl3ITd5Skbqtb+h4HV+XxNUOUQyH5tXtHFXa+OA+FEyj3/nd
iys2EFVkUH/BlegmDpf0kIZ0b5fJKL6QwIq/4AAVMKfc7LkjY1bKwTtwButb
uQBoYAQJf1rdmrIM9TNRYYTSS6lc9iGfIw3aSzWcRy17PTfEsaRZklRaiBJD
dIGAlaDXgOgWzd8PfpRc80UBIoyg0EkAcQByGEe3ojKE4xt0JWtwA4KyxfxE
NK5exuWiVFYYqVbCbBR7ccnFa/OkAj34s/OJhg2XMk3060BjDdUNWXqRezwr
KbX3KRuDsR4dlvRSOKgQlAtdq2JcJshwontPC/PVLxwh4q7Q3qAw7m4N4zBv
H3g/iY2l8tHgtGRmWK5FoWO6KTW5PzG666PtlVVPpx0lt+gmNyWG+BAcHQpB
MYhqzdr6nW3uIpVnq5pr9tKoK93Cxo0Cl2Tk90Wao+68lhi2xbDEHYxAJSJA
ULl7GuMlEUM0nVQVRuvksHAYlyaYPE2Tt1M8vP7qXPlYdW+s13KiqQj1d4F+
DOlgM8HJLdGoR2f/CznJAZvwYQAA

-->

</rfc>
