<?xml version="1.0" encoding="UTF-8"?>
  <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
  <!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.3.8) -->


<!DOCTYPE rfc  [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">

]>


<rfc ipr="trust200902" docName="draft-yang-spring-sid-as-source-address-13" category="info" submissionType="IETF" xml:lang="en">
  <front>
    <title abbrev="SID as source address">SID as source address in SRv6</title>

    <author initials="F." surname="Yang" fullname="Feng Yang">
      <organization>China Mobile</organization>
      <address>
        <postal>
          <country>CN</country>
        </postal>
        <email>yangfeng@chinamobile.com</email>
      </address>
    </author>
    <author initials="C." surname="Lin" fullname="Changwang Lin">
      <organization>New H3C Technologies</organization>
      <address>
        <postal>
          <country>CN</country>
        </postal>
        <email>linchangwang.04414@h3c.com</email>
      </address>
    </author>

    <date year="2026" month="July" day="01"/>

    <area>RTG</area>
    <workgroup>SPRING</workgroup>
    

    <abstract>


<?line 40?>

<t>SRv6 is being rapidly deployed and is currently primarily used in trusted-domain backbone networks. Both the carrier market and the enterprise market are adopting SRv6 for end-to-end service delivery. However, if a firewall exists along an SRv6 path, not only legitimate SRv6 traffic but also ICMP packets generated on SRv6 transit node will be dropped. This proposal addresses this issue by using SID as source address in SRv6 packets.</t>



    </abstract>



  </front>

  <middle>


<?line 44?>

<section anchor="introduction"><name>Introduction</name>

<t>SRv6 is being rapidly deployed and is currently primarily used in trusted-domain backbone networks. Both the carrier market and the enterprise market are adopting SRv6 for end-to-end service delivery. However, if a firewall exists along an SRv6 path, not only legitimate SRv6 traffic but also ICMP packets generated on SRv6 transit node will be dropped.</t>

<t>The reason has been elaborated in Section 8.1 of <xref target="I-D.draft-ietf-spring-srv6-security"></xref>. SRv6 implementations use the ingress PE's loopback IPv6 address as the outer IPv6 source address for encapsulated traffic. This design leads to asymmetric bidirectional flow tuples. When stateful firewalls exist along the SRv6 forwarding path, legitimate bidirectional traffic and all upstream response packets, e.g., ICMP response, are dropped by firewalls, as they fail to match stateful session rules. Operators are forced to deploy additional multi-layer tunneling such as IPsec to bypass firewall filtering, which introduces significant header overhead and weakens the native programmability advantages of SRv6.</t>

<section anchor="requirements-language"><name>Requirements Language</name>

<t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>

<?line -18?>

</section>
<section anchor="terminology"><name>Terminology</name>
<t>AC: attachment circuit.</t>

<t>PE: Provider Edge.</t>

<t>SID:  Segment Identifier, defined in <xref target="RFC8402"></xref>.</t>

<t>SRv6: SR over IPv6, defined in <xref target="RFC8402"></xref>.</t>

<t>VPLS: Virtual Private LAN Service.</t>

<t>VPWS: Virtual Private Wire Service.</t>

<t>VPN: Virtual Private Network.</t>

</section>
</section>
<section anchor="using-srv6-sid-as-source-address"><name>Using SRv6 SID as Source Address</name>

<t>Only unicast traffic is eligible for using SID as source address. Several cases <bcp14>SHOULD</bcp14> be considered for using SRv6 SID as source address when there is firewall in middle.</t>

<t><list style="symbols">
  <t>User traffic. This includes IP VPN over SRv6 and Global IP over SRv6.</t>
  <t>ICMP traffic. This is mainly for SRv6 Ping in SRv6 OAM<xref target="RFC9259"></xref> scenario.</t>
</list></t>

<section anchor="user"><name>User Traffic</name>

<section anchor="ip-vpn-over-srv6"><name>IP VPN over SRv6</name>

<t>The user traffic <bcp14>SHOULD</bcp14> use the SRv6 service SID as the source address of the outer IPv6 header. All those End.DX* and End.DT* SIDs except End.DT2M <bcp14>SHOULD</bcp14> be used for source address. Service SIDs in SRv6 VPN deployments may be allocated per-AC, per-VRF, or per-prefix, and these three granularities can coexist within the same network and even within the same VRF.</t>

<t>There are 3 options:</t>

<t><list style="symbols">
  <t>Option A: Use the VRF-bound SID as source address.</t>
  <t>Option B: Use the AC-bound SID  as source address.</t>
  <t>Option C: Use the prefix SID as source address, and perform a source-IP-based lookup in the VRF to select the SID associated with the route matching the source address.</t>
</list></t>

<t>Option A requires zero additional lookup, as the VRF is identified from the incoming AC. This is operationally simple and sufficient for many deployments. However, all CEs in the same VRF will appear to the firewall as originating from the same source SID, which may limit per-CE state tracking. Option B provides the symmetry at the AC level, and with zero additional lookup. Option C introduces significant additional lookup cost, as the PE must perform a separate lookup on the source IP address of the customer packet. This is operationally expensive and may impact forwarding performance.</t>

<t>The selection of the source service SID on the ingress PE is dependent on and <bcp14>MUST</bcp14> mirror the service SID that the egress PE expects to receive for the corresponding VPN flow; the most granular available SID that matches the incoming context <bcp14>MUST</bcp14> be chosen, which typically means using the per-prefix SID when available, falling back to the per-AC SID, and last is per VPN SID.</t>

</section>
<section anchor="global-ip-over-srv6"><name>Global IP over SRv6</name>

<t>Sections 5.3 and 5.4 of <xref target="RFC9252"></xref> specify the SRv6 Service SIDs to be used for Global IP over SRv6 Core (both IPv4 and IPv6). Accordingly, for the IPv4 over SRv6 Core scenario, End.DX4, End.DT4, or End.DT46 <bcp14>SHOULD</bcp14> be selected as the source address; for the IPv6 over SRv6 Core scenario, End.DX6, End.DT6, or End.DT46 <bcp14>SHOULD</bcp14> be selected as the source address.</t>

</section>
</section>
<section anchor="icmp-traffic"><name>ICMP Traffic</name>

<t>For SRv6 ping, the ICMP Echo Request <bcp14>MAY</bcp14> use an End SID as the outer IPv6 source address to verify the reachability of the return path.</t>

<t>When an SRv6 transit node generates an ICMP error response, using its own SID (the one from the segment list that caused the processing error) as the source address offers a clear operational benefit: the head-end can immediately pinpoint exact SID and node on which the error occurred. When the ICMP error is triggered by VPN traffic, the ingress PE, upon receiving the ICMP error response, <bcp14>MUST</bcp14> process the Upper-Layer header of the embedded packet as specified in Section 4.1.1 of <xref target="RFC8986"></xref>. This ensures that the inner ICMP can be forwarded to the CE.</t>

</section>
<section anchor="control-and-management-traffic"><name>Control and Management Traffic</name>

<t>Control and Management Traffic will not be terminated by VPN, thus will not be impacted.</t>

</section>
</section>
<section anchor="use-cases"><name>Use Cases</name>

<section anchor="srv6-network-with-sr-aware-stateful-firewall"><name>SRv6 Network with SR-aware Stateful Firewall</name>

<section anchor="problem-statement"><name>Problem Statement</name>

<t>To provide VPN service in an SRv6 network <xref target="RFC9252"></xref>, the ingress PE encapsulates the payload in an outer IPv6 header with the Segment Routing Header (SRH) <xref target="RFC8754"></xref> carrying the SR Policy segment list along with the VPN Service SID. If the VPN service provides best-effort connectivity, the destination address of the outer IPv6 header carries the VPN service SID and the SRH is omitted.</t>

<t>Along the forwarding path in the SRv6 network, firewalls may be deployed to filter the traffics. If a firewall is SR-aware, it will retrieve the final destination of an SRv6 packet from the last entry in the SRH rather than the destination address field of the IPv6 header <xref target="I-D.draft-ietf-spring-sr-service-programming"></xref>.</t>

<t>A stateful firewall keeps a track of the state of the network connections traveling across it. Whenever a packet arrives to seek permission to pass through it, the firewall checks from its state table if there is an active connection between identified by 3-tuple or 5-tuple. Thus only legitimate packets are allowed to be transmitted across it.</t>

<t><xref target="f4"/> and <xref target="f5"/> show the bidirectional VPN traffic packets passing through a firewall in an SRv6 network.</t>

<t>The source address of the outer IPv6 header is the IPv6 address of
   ingress PE. The final destination address of the outer IPv6 header
   is the VPN Service SID of egress PE. In the SR-Policy-based way, the
   final destination address is encapsulated in the last entry in the
   SRH, Segment[0]. In the best-effort way, the SRH is omitted.</t>

<figure align="center" anchor="f4" title="SR-Policy-based VPN Traffic across Firewall"><artwork type="ascii-art"><![CDATA[
+---+   +---+       +--------+       +---+   +---+
|CE1|---|PE1|--...--|Firewall|--...--|PE2|---|CE2|
+---+   +---+       +--------+       +---+   +---+

Packet (PE1 ---> PE2):        Packet (PE1 <--- PE2):
**********************        **********************
*        IPv6        *        *        IPv6        *
* SA=PE1-IP-ADDR     *        * SA=PE2-IP-ADDR     *
* DA=NextSegment     *        * DA=NextSegment     *
**********************        **********************
*        SRH         *        *        SRH         *
* Seg[0]=PE2-VPN-SID *        * Seg[0]=PE1-VPN-SID *
* Seg[...]           *        * Seg[...]           *
**********************        **********************
*    Eth/IPv4/IPv6   *        *    Eth/IPv4/IPv6   *
* Source=CE1         *        * Source=CE2         *
* Destination=CE2    *        * Destination=CE1    *
**********************        **********************
*       Payload      *        *       Payload      *
**********************        **********************

]]></artwork></figure>

<figure align="center" anchor="f5" title="Best-Effort VPN Traffic across Firewall"><artwork type="ascii-art"><![CDATA[
 +---+   +---+       +--------+       +---+   +---+
 |CE1|---|PE1|--...--|Firewall|--...--|PE2|---|CE2|
 +---+   +---+       +--------+       +---+   +---+

Packet (PE1 ---> PE2):        Packet (PE1 <--- PE2):
**********************        **********************
*        IPv6        *        *        IPv6        *
* SA=PE1-IP-ADDR     *        * SA=PE2-IP-ADDR     *
* DA=PE2-VPN-SID     *        * DA=PE1-VPN-SID     *
**********************        **********************
*    Eth/IPv4/IPv6   *        *    Eth/IPv4/IPv6   *
* Source=CE1         *        * Source=CE2         *
* Destination=CE2    *        * Destination=CE1    *
**********************        **********************
*       Payload      *        *       Payload      *
**********************        **********************

]]></artwork></figure>

<t>The stateful firewall will check the association relationships of the bidirectional VPN traffic packets. A common implementation may record the key information of the packets in the forward way(internal to external), such as source address and destination address. When receiving a packet on backward way(external to internal), it checks the state table if there is an existing forward packet flow. For example, the firewall may require that the source address of packet on backward way matches the destination address of packet on forward way, and destination address will be checked in the similar way. If not matched, the packet on the backward path will be regarded as illegal and thus dropped.</t>

<t>An SR-aware firewall is able to retrieve the final destination of an SRv6 packet from the last entry in the SRH. The &lt;source, destination&gt; tuple of the packet from PE1 to PE2 is &lt;PE1-IP-ADDR, PE2-VPN-SID&gt;, and the other direction is &lt;PE2-IP-ADDR, PE1-VPN-SID&gt;. However, the source address of the outer IPv6 packet is usually a loopback interface of the ingress PE. Consequently, the source address and destination address of the forward and backward VPN traffic are regarded as different flows, and they may be blocked by the firewall.</t>

</section>
<section anchor="solution-for-srv6-traffic-pass-thru-sr-aware-stateful-firewall"><name>Solution for SRv6 Traffic Pass Thru SR-aware Stateful Firewall</name>

<t>In the SRv6-based VPN service, the final destination of the outer IPv6 header is the VPN-SID of the egress PE, which is associated with that VPN service. But the source address of the outer IPv6 header is usually unrelated to the VPN service. So, it can be difficult for a stateful firewall to establish the association relationship between the bidirectional traffic flows.</t>

<t>The proposed solution is to unify the semantic of the source and destination address thus ensure the symmetry of the bidirectional flow.</t>

<t>When an ingress PE receives the client packet from CE, it checks which L3 VPN service it belongs to, and uses the VPN-SID associated with that L3 VPN service as the source address when encapsulating the outer IPv6 header with the optional SRH.</t>

<figure align="center" anchor="f6" title="Outer IPv6 Header in the Proposed Solution"><artwork type="ascii-art"><![CDATA[
Outer IPv6 Header of SR-Policy-based VPN Traffic:

**********************        **********************
*        IPv6        *        *        IPv6        *
* SA=PE1-VPN-SID     *        * SA=PE2-VPN-SID     *
* DA=NextSegment     *        * DA=NextSegment     *
**********************        **********************
*        SRH         *        *        SRH         *
* Seg[0]=PE2-VPN-SID *        * Seg[0]=PE1-VPN-SID *
* Seg[...]           *        * Seg[...]           *
**********************        **********************

Outer IPv6 Header of Best-effort VPN Traffic:

**********************        **********************
*        IPv6        *        *        IPv6        *
* SA=PE1-VPN-SID     *        * SA=PE2-VPN-SID     *
* DA=PE2-VPN-SID     *        * DA=PE1-VPN-SID     *
**********************        **********************

]]></artwork></figure>

<t>According to <xref target="RFC8402"></xref> and <xref target="RFC8986"></xref>, an SRv6 VPN Service SID is an IPv6 address, and it is routable by its Locator prefix in the SRv6 network. In the proposed solution, when an SRv6 VPN Service SID is used as the source address of the outer IPv6 header in the SRv6 network, it is treated as a normal IPv6 address and does not perform any special behavior.</t>

</section>
</section>
</section>
<section anchor="considerations-on-srv6-compression"><name>Considerations on SRv6 Compression</name>

<t>When an SRv6 packet is forwarded in the SRv6 domain, its IPv6 destination address is modified in each segment, and the final destination address is not available in the IPv6 header. It is therefore possible to retrieve the final destination of an SRv6 packet from the last entry in the SRH.</t>

<t>When compressed segment lists<xref target="RFC9800"></xref> are used, the last element of the Routing Header may be different from the destination address as received by the final destination. Furthermore, compressed segment lists can be used in the destination address without the presence of a Routing Header, and in this case the IPv6 destination address can be modified along the path. To ensure proper operation of the stateful firewall, it is <bcp14>RECOMMENDED</bcp14> that during the deployment of <xref target="RFC9800"></xref>, the last destination address remains uncompressed and be carried as the last element in the SRH.</t>

</section>
<section anchor="implementation-status"><name>Implementation Status</name>

<t>[Note to the RFC Editor - remove this section before publication, as well as remove the reference to <xref target="RFC7942"></xref>. This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in <xref target="RFC7942"></xref>. The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs.  Please note that the listing of any individual implementation here does not imply endorsement by the IETF.  Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors.  This is not intended as, and must not be construed to be, a catalog of available implementations or their features.  Readers are advised to note that other implementations may
exist.</t>

<t>According to <xref target="RFC7942"></xref>, "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit".</t>

<section anchor="new-h3c-technologies"><name>New H3C Technologies</name>

<t><list style="symbols">
  <t>Organization: New H3C Technologies.</t>
  <t>Implementation: H3C CR16000 and CR19000 series routers implement SID as source address in SRv6.</t>
  <t>Description: All sections including all the "<bcp14>MUST</bcp14>" and "<bcp14>SHOULD</bcp14>" clauses have been implemented in the above-mentioned New H3C products(running version 7.1.119 and above).</t>
  <t>Maturity Level: Production</t>
  <t>Coverage: All sections.</t>
  <t>Version: Draft-13</t>
  <t>Licensing: N/A</t>
  <t>Implementation experience: Nothing specific.</t>
  <t>Contact: linchangwang.04414@h3c.com</t>
  <t>Last updated: June 30, 2026</t>
</list></t>

</section>
</section>
<section anchor="Security"><name>Security Considerations</name>

<t>This document is subject to the same security considerations discussed in <xref target="RFC8402"></xref>, <xref target="RFC8754"></xref>, and <xref target="RFC8986"></xref>.</t>

<t>The proposed use of an SRv6 SID as the IPv6 source address introduces specific considerations:</t>

<t><list style="symbols">
  <t>Source Accountability: Using an SRv6 SID as the source address may impair traceability mechanisms that rely on source address validation, reducing the trustworthiness of the source identity within the domain.</t>
  <t>Access Control Bypass: Since SRv6 Locator prefixes are typically advertised throughout the routing domain, any node can originate traffic with a spoofed source address matching an internal SID prefix. This could allow attackers to bypass intra-domain access control policies by masquerading as trusted internal traffic.</t>
  <t>Stateful Device Impact: The dynamic and programmable nature of SRv6 SIDs, when used as source addresses, can lead to rapid churn in the session tables of stateful devices like firewalls. This may cause excessive resource consumption, abnormal session aging, and potential session table overflow, impacting device performance and stability.</t>
  <t>Operational Requirement: Deployment of this mechanism requires strict operational controls to govern which service flows are permitted to use an SRv6 SID as a source address. Unrestricted use amplifies the associated risks.</t>
</list></t>

</section>
<section anchor="IANA"><name>IANA Considerations</name>

<t>This document has no IANA actions.</t>

</section>


  </middle>

  <back>


<references title='References' anchor="sec-combined-references">

    <references title='Normative References' anchor="sec-normative-references">



<reference anchor="RFC8402">
  <front>
    <title>Segment Routing Architecture</title>
    <author fullname="C. Filsfils" initials="C." role="editor" surname="Filsfils"/>
    <author fullname="S. Previdi" initials="S." role="editor" surname="Previdi"/>
    <author fullname="L. Ginsberg" initials="L." surname="Ginsberg"/>
    <author fullname="B. Decraene" initials="B." surname="Decraene"/>
    <author fullname="S. Litkowski" initials="S." surname="Litkowski"/>
    <author fullname="R. Shakir" initials="R." surname="Shakir"/>
    <date month="July" year="2018"/>
    <abstract>
      <t>Segment Routing (SR) leverages the source routing paradigm. A node steers a packet through an ordered list of instructions, called "segments". A segment can represent any instruction, topological or service based. A segment can have a semantic local to an SR node or global within an SR domain. SR provides a mechanism that allows a flow to be restricted to a specific topological path, while maintaining per-flow state only at the ingress node(s) to the SR domain.</t>
      <t>SR can be directly applied to the MPLS architecture with no change to the forwarding plane. A segment is encoded as an MPLS label. An ordered list of segments is encoded as a stack of labels. The segment to process is on the top of the stack. Upon completion of a segment, the related label is popped from the stack.</t>
      <t>SR can be applied to the IPv6 architecture, with a new type of routing header. A segment is encoded as an IPv6 address. An ordered list of segments is encoded as an ordered list of IPv6 addresses in the routing header. The active segment is indicated by the Destination Address (DA) of the packet. The next active segment is indicated by a pointer in the new routing header.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8402"/>
  <seriesInfo name="DOI" value="10.17487/RFC8402"/>
</reference>
<reference anchor="RFC8754">
  <front>
    <title>IPv6 Segment Routing Header (SRH)</title>
    <author fullname="C. Filsfils" initials="C." role="editor" surname="Filsfils"/>
    <author fullname="D. Dukes" initials="D." role="editor" surname="Dukes"/>
    <author fullname="S. Previdi" initials="S." surname="Previdi"/>
    <author fullname="J. Leddy" initials="J." surname="Leddy"/>
    <author fullname="S. Matsushima" initials="S." surname="Matsushima"/>
    <author fullname="D. Voyer" initials="D." surname="Voyer"/>
    <date month="March" year="2020"/>
    <abstract>
      <t>Segment Routing can be applied to the IPv6 data plane using a new type of Routing Extension Header called the Segment Routing Header (SRH). This document describes the SRH and how it is used by nodes that are Segment Routing (SR) capable.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8754"/>
  <seriesInfo name="DOI" value="10.17487/RFC8754"/>
</reference>
<reference anchor="RFC8986">
  <front>
    <title>Segment Routing over IPv6 (SRv6) Network Programming</title>
    <author fullname="C. Filsfils" initials="C." role="editor" surname="Filsfils"/>
    <author fullname="P. Camarillo" initials="P." role="editor" surname="Camarillo"/>
    <author fullname="J. Leddy" initials="J." surname="Leddy"/>
    <author fullname="D. Voyer" initials="D." surname="Voyer"/>
    <author fullname="S. Matsushima" initials="S." surname="Matsushima"/>
    <author fullname="Z. Li" initials="Z." surname="Li"/>
    <date month="February" year="2021"/>
    <abstract>
      <t>The Segment Routing over IPv6 (SRv6) Network Programming framework enables a network operator or an application to specify a packet processing program by encoding a sequence of instructions in the IPv6 packet header.</t>
      <t>Each instruction is implemented on one or several nodes in the network and identified by an SRv6 Segment Identifier in the packet.</t>
      <t>This document defines the SRv6 Network Programming concept and specifies the base set of SRv6 behaviors that enables the creation of interoperable overlays with underlay optimization.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8986"/>
  <seriesInfo name="DOI" value="10.17487/RFC8986"/>
</reference>
<reference anchor="RFC9252">
  <front>
    <title>BGP Overlay Services Based on Segment Routing over IPv6 (SRv6)</title>
    <author fullname="G. Dawra" initials="G." role="editor" surname="Dawra"/>
    <author fullname="K. Talaulikar" initials="K." role="editor" surname="Talaulikar"/>
    <author fullname="R. Raszuk" initials="R." surname="Raszuk"/>
    <author fullname="B. Decraene" initials="B." surname="Decraene"/>
    <author fullname="S. Zhuang" initials="S." surname="Zhuang"/>
    <author fullname="J. Rabadan" initials="J." surname="Rabadan"/>
    <date month="July" year="2022"/>
    <abstract>
      <t>This document defines procedures and messages for SRv6-based BGP services, including Layer 3 Virtual Private Network (L3VPN), Ethernet VPN (EVPN), and Internet services. It builds on "BGP/MPLS IP Virtual Private Networks (VPNs)" (RFC 4364) and "BGP MPLS-Based Ethernet VPN" (RFC 7432).</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9252"/>
  <seriesInfo name="DOI" value="10.17487/RFC9252"/>
</reference>
<reference anchor="RFC9259">
  <front>
    <title>Operations, Administration, and Maintenance (OAM) in Segment Routing over IPv6 (SRv6)</title>
    <author fullname="Z. Ali" initials="Z." surname="Ali"/>
    <author fullname="C. Filsfils" initials="C." surname="Filsfils"/>
    <author fullname="S. Matsushima" initials="S." surname="Matsushima"/>
    <author fullname="D. Voyer" initials="D." surname="Voyer"/>
    <author fullname="M. Chen" initials="M." surname="Chen"/>
    <date month="June" year="2022"/>
    <abstract>
      <t>This document describes how the existing IPv6 mechanisms for ping and traceroute can be used in a Segment Routing over IPv6 (SRv6) network. The document also specifies the OAM flag (O-flag) in the Segment Routing Header (SRH) for performing controllable and predictable flow sampling from segment endpoints. In addition, the document describes how a centralized monitoring system performs a path continuity check between any nodes within an SRv6 domain.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9259"/>
  <seriesInfo name="DOI" value="10.17487/RFC9259"/>
</reference>
<reference anchor="RFC9800">
  <front>
    <title>Compressed SRv6 Segment List Encoding</title>
    <author fullname="W. Cheng" initials="W." role="editor" surname="Cheng"/>
    <author fullname="C. Filsfils" initials="C." surname="Filsfils"/>
    <author fullname="Z. Li" initials="Z." surname="Li"/>
    <author fullname="B. Decraene" initials="B." surname="Decraene"/>
    <author fullname="F. Clad" initials="F." role="editor" surname="Clad"/>
    <date month="June" year="2025"/>
    <abstract>
      <t>Segment Routing over IPv6 (SRv6) is the instantiation of Segment Routing (SR) on the IPv6 data plane. This document specifies new flavors for the SRv6 endpoint behaviors defined in RFC 8986, which enable the compression of an SRv6 segment list. Such compression significantly reduces the size of the SRv6 encapsulation needed to steer packets over long segment lists.</t>
      <t>This document updates RFC 8754 by allowing a Segment List entry in the Segment Routing Header (SRH) to be either an IPv6 address, as specified in RFC 8754, or a REPLACE-CSID container in packed format, as specified in this document.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9800"/>
  <seriesInfo name="DOI" value="10.17487/RFC9800"/>
</reference>
<reference anchor="RFC2119">
  <front>
    <title>Key words for use in RFCs to Indicate Requirement Levels</title>
    <author fullname="S. Bradner" initials="S." surname="Bradner"/>
    <date month="March" year="1997"/>
    <abstract>
      <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="14"/>
  <seriesInfo name="RFC" value="2119"/>
  <seriesInfo name="DOI" value="10.17487/RFC2119"/>
</reference>
<reference anchor="RFC8174">
  <front>
    <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
    <author fullname="B. Leiba" initials="B." surname="Leiba"/>
    <date month="May" year="2017"/>
    <abstract>
      <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="14"/>
  <seriesInfo name="RFC" value="8174"/>
  <seriesInfo name="DOI" value="10.17487/RFC8174"/>
</reference>



    </references>

    <references title='Informative References' anchor="sec-informative-references">



<reference anchor="RFC7942">
  <front>
    <title>Improving Awareness of Running Code: The Implementation Status Section</title>
    <author fullname="Y. Sheffer" initials="Y." surname="Sheffer"/>
    <author fullname="A. Farrel" initials="A." surname="Farrel"/>
    <date month="July" year="2016"/>
    <abstract>
      <t>This document describes a simple process that allows authors of Internet-Drafts to record the status of known implementations by including an Implementation Status section. This will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature.</t>
      <t>This process is not mandatory. Authors of Internet-Drafts are encouraged to consider using the process for their documents, and working groups are invited to think about applying the process to all of their protocol specifications. This document obsoletes RFC 6982, advancing it to a Best Current Practice.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="205"/>
  <seriesInfo name="RFC" value="7942"/>
  <seriesInfo name="DOI" value="10.17487/RFC7942"/>
</reference>

<reference anchor="I-D.draft-ietf-spring-sr-service-programming">
   <front>
      <title>Service Programming with Segment Routing</title>
      <author fullname="Ahmed Abdelsalam" initials="A." surname="Abdelsalam">
         <organization>Cisco Systems, Inc.</organization>
      </author>
      <author fullname="Xiaohu Xu" initials="X." surname="Xu">
         <organization>China Mobile</organization>
      </author>
      <author fullname="Clarence Filsfils" initials="C." surname="Filsfils">
         <organization>Cisco Systems, Inc.</organization>
      </author>
      <author fullname="Daniel Bernier" initials="D." surname="Bernier">
         <organization>Bell Canada</organization>
      </author>
      <author fullname="Cheng Li" initials="C." surname="Li">
         <organization>Huawei</organization>
      </author>
      <author fullname="Bruno Decraene" initials="B." surname="Decraene">
         <organization>Orange</organization>
      </author>
      <author fullname="Shaowen Ma" initials="S." surname="Ma">
         <organization>Mellanox</organization>
      </author>
      <author fullname="Chaitanya Yadlapalli" initials="C." surname="Yadlapalli">
         <organization>AT&amp;T</organization>
      </author>
      <author fullname="Wim Henderickx" initials="W." surname="Henderickx">
         <organization>Nokia</organization>
      </author>
      <author fullname="Stefano Salsano" initials="S." surname="Salsano">
         <organization>Universita di Roma &quot;Tor Vergata&quot;</organization>
      </author>
      <date day="3" month="November" year="2025"/>
      <abstract>
	 <t>   This document defines data plane functionality required to implement
   service segments and achieve service programming in SR-enabled MPLS
   and IPv6 networks, as described in the Segment Routing architecture.

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-ietf-spring-sr-service-programming-12"/>
   
</reference>

<reference anchor="I-D.draft-ietf-spring-srv6-security">
   <front>
      <title>Segment Routing IPv6 Security Considerations</title>
      <author fullname="Nick Buraglio" initials="N." surname="Buraglio">
         <organization>Energy Sciences Network</organization>
      </author>
      <author fullname="Tal Mizrahi" initials="T." surname="Mizrahi">
         <organization>Huawei</organization>
      </author>
      <author fullname="tongtian124" initials="" surname="tongtian124">
         <organization>China Unicom</organization>
      </author>
      <author fullname="Luis M. Contreras" initials="L. M." surname="Contreras">
         <organization>Telefonica</organization>
      </author>
      <author fullname="Fernando Gont" initials="F." surname="Gont">
         <organization>SI6 Networks</organization>
      </author>
      <date day="24" month="June" year="2026"/>
      <abstract>
	 <t>   SRv6 is a traffic engineering, encapsulation and steering mechanism
   utilizing IPv6 addresses to identify segments in a pre-defined
   policy.  This document discusses security considerations in SRv6
   networks, including the potential threats and the possible mitigation
   methods.  The document does not define any new security protocols or
   extensions to existing protocols.

	 </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-ietf-spring-srv6-security-15"/>
   
</reference>



    </references>

</references>


<?line 279?>

<section numbered="false" anchor="acknowledgements"><name>Acknowledgements</name>

<t>The authors would like to thank Bruno Decraene of the SPRING Working Group for his detailed review and constructive comments on this document.</t>

</section>


  </back>

<!-- ##markdown-source:
H4sIAAAAAAAAA+1c63IbN5b+30+BlX+s7SEZSZYdmxN7hqbkWFuyzJXkZFMe
1xbYDZJYNRtMo1sKx3GeZZ5lnmy/cwD0jaScdWa2areiKketblzP9TsHB+n3
+5EtZJb8p0xNpoaiyEsV6VXOT7Y43N9/tn8YxbIYCp3NTGTL6VJbq01WrFdo
f3py9SqSuZJDcXH1bXQ7H4rLycXp+bdRlJg4k0u0SXI5K/prmc37dpVr+qWT
vrR9a8o8Vn2ZJLmytn/wKIoKXaTocnl6LKQVroHwDbACcXlx8ySS02mubna0
ilJMNBQqi2RZLEw+jPqRQFc7FK8G4gd8xJ9uYa9UNg9vTI5O44XOpHhjpjpV
eBebMivyNd6f4y+1lDodCtrHDB3/HFPjJbcdxGZZTzMeiDOdVbOMF+hxi3/+
Lc90rm7F60djcaXiRWZSM9fK7pox1VkcxhjsHx0dHP158SjmOaPM5EtZ6Bs1
RPuLV+OnR/uH4fHrx0fh8dnTJ/7x2eHjw/rxWXh8ur8/jIjD7eG+fnbErU/7
xwPHRq2KWcXGvG9VfqPBw1Vu5rlcLvH6rvY3T9AjLnNdrIdR1O/3hZzaIpdx
EUXEWqGtmCq0Fblc6SRdi0StUrNWiYCQ0ld0zlVW4AvGXMpc46m0+A7hYJFV
ST8xIFwmpjK+nkKqRaaKW5Nf24F4aYqFKBZKxDLPtcoFRrhWBQ9OrzGyyjGw
VdWXnCTLrApaFC8RNEK7pF+YPn4JTwEsNAXd8vVAvDa3Ck89oWdCipnO1a1M
U6F+0rawghRtjgndYCtZLHoiM4UwGXaSqrkusK1Cuc8gzWymYzEtsZLUGnE6
fjNBpxhLs2KuMpWjbYLOVfvM6gIDJkrcasw6xcpys1qpZCCuFiAgOLUyVqZB
X5TFzvEeWl0qMSVq8lbv0sCwgoHj4VInCRQmuidOIb0mKeMCBuJ3jv7zORpF
V9gjzK9F+4UkUqtMqFROjRuGGKaYHeLp4ECYmXj/K3Tzw8BNrperVC1BQkkj
WGILExUdWBwmJ/9qRWrMihgjTifoEiRFWm5pSpDffemIkiN6LFe2THmpnjJe
TBNl9TwD+WSCkQzGWy+XqsiJdDoBB3hTEONZam5FUWKhkIbvF9g+HFqhZmVa
Mco6TnlG0bIC229lnpAYOKY1eNWeIzCNhIoYX65gtJRcgvJ2BcKowMCeUIP5
oOeYGj72WOQ8z0jDqnX1PJnwCpaetonJ40W9A2gn+VqRl7y9tyuSDpNbHhHr
j4luxqsUkVb7FS/LtND9VK5B/aLMMogytmlLDI4pTyfgNHWcrleSeBEkeqZT
8AtNe+J2odFYe4WGlSB+aFBBZoVYgC0Y2UAp6JEJc6vktcoc2zN2IiJ4BQkn
CbHCAm/QW84xGiSRmAALcu+euFA/llgCSZoVZ3BzJdo42b4GcaDqEIK9N+8u
r/Z67rc4f8vPFyf//u704uSYni9fj87OqofIt7h8/fbd2XH9VPccv33z5uT8
2HXGW9F6Fe29Gf2AL7S1vbeTq9O356OzPTZKLJ8mLmm9zAmiJGkFmxpFwixt
BAmOcz11SvhyPPn73w6OxMeP/wK3enhw8OzTJ//H04Ovj/DHLUTXzcZ2w/1J
shFJyI3MaRRiETRGF9LLjl2YWyi+yhUI+fA9UebDUHwzjVcHRy/8C9pw62Wg
Wesl02zzzUZnR8Qtr7ZMU1Gz9b5D6fZ6Rz+0/g50b7z85k8QZSX6B0//9CJi
6blSOXAHgah1NBoPhSwKGS+YObHO41IXIM7kZCgmubnRJLcnyZwIBh83FLCP
c257muC/EHCy84maYRLm3HuPqj4MnEMD7LxgwWertrPpd5Ozy6H4TudFCXWc
5PqGzMrZ6BzzsXvhNt9vafM9NKHV6Hyzzbnzf6Q94p2tHJl32pfO0o48II7e
kkCVGVQXRjDYMsgwjMJcT1O2JHe5fXgDcn+ShI/wgmc4RD6GfSOKYv+NMRpL
6Rh9kmoSauxQN8wOaOcwBHm0h9gRWa2WOwAETktoFIguQBHHAJ6INObb1Eyx
Onyr3g8wDlvhzjhWEJIAPWi9PMCE1hyAzdvRm/ceGn8QNlYZ8IhxRopXdeWp
9/EefGH+iT7c21iTs1xlYxeBZMGB8lwBZ3hS0fsOuWAkO07UGd6BGIFqiG4w
3EmWDI7/4yHTgZ+vHtKI5PNitSr8u8M3Da4xuqL9b7K5WlGN9WhrzsE4+7yU
axoEfDMxO244pf5o3OPf31286iHC4WeYwpn+qRegGG89V0rAJWTw+QAaCHog
UhnEyDnoWw3bmjlKIHYKMI9HgARmGw0wnQdBBOrw75EgYAeppPAC/pKRz2hI
zONe6NCfIshKdkh6o9fLutdo3Oh0d69x3cvtf/tEjiqgEkVcwJQ+FD6d9KeS
uANQdV2uhN8rVk0+xqoUkMQJEA9qTayZBUQXfp+TrDgUoT3W2VhroAoACrtd
K/6qctNED272gE54etKdYCAhPLlZeiSIMJRmGo1rDTMMU3goKJplFMn7tSUp
gyZrS+K3lNm6KVoNoE1WYXxiRYfZDgF7hwiK0LfKimC1JodFI/CBFVVr5M6e
CqBbgDYkx6leAluTsI5PHOoijY2v0X9QyQHBGPIbXkUdDgWYKbxsADfeqNRx
lBmxnZzVgONdqGqjCxTDFhUbJieAdbZoSo1aScL5obnJmhyHWeoYkhjdzRK2
xMHVXRxTP60A5AjA0ZaITmAhYvQWYnaLkBk7KbJ3Tjppg342v4ymmfMLrOMH
wVAf05Fs0WeakVHLUuc5ZIQHaoxQLDzdVTUELTcuOEoAZFe07pnvGZvcoXBe
M1kyChf+yN+WoG1li4S8AQKX5AyrWViLPNcrOYfHK9RPhVsjeUAywlmQqWK9
AiuJhkslOWAKWlgbRJ6AHWE1Zw/4P2WEzoGUF2xnV53IEllSct8UwYOBtBV8
GDgHtMX/Aaw4bljxePCI+z8eHHEA6LNA8G+gm56ta4/Usv8O1Fa+YsscYmxg
cu9PKQSHdzriWchNPYCDikF7onq67lXs4Ead7sHJ9rwnO/IPV0fsSPzzk4b7
coLGIHuLgftjc7Ynn5vtSZjtyZfN5qABAw0PDaLoVUAWKw6keCnU4ASywqGO
Ah+BdBkNwPud1N7o7pAZHMFuAscQgMaLEFl5lUPwUeYZh7PkFzkcltsyCSHR
YOkzr06xutUxqxNdDb2iEIPWd59XB+xdW1YPnVNy3qwzsWSBce7PxBS+YhQe
+8FOkDNTFNGKOCWr3jBFIH8GjSmG3I2gD+dnCDFoGOGEfB+ljXS2MjCpMARk
pJiUaMb7hEXxmkkmg7doYs44JT5bULHHfYV+FXAic8a0iNVJ0TyI63VsF2i0
oticbU7Q8620ZGPh6cGt3q1Iuc84PA+xtOOgWiJiTAhVsYlm5MBqqtvZnKPB
gc/n+PzuB2/NYbnLnK2WN5Qa0X/u1kWUm6pgxl3ugJqMT5wcjw05ptQZYZkh
CGf2VpJ993fnnCnzhTkKDsoYnDgqEvVK22rjvAo44cIYrIPCC14JS6yPcpxT
vbzoy1uCeJchOfLKO35nAxHcwZIu3WdaFrySCa6b2RjciK51IgDMyiZ2edxM
UTnWreQ6NTLxo2xA8xqKhbjyAm1IOl677/cvL14/cFz7+vHRB85brnWVlxIT
k+p43VYtl7iqRmbjX5vqgTidVe/DJivMMoW16asZeF6Q88pIfm5gMtxO0aJg
wESu9zNRh0+x2o25gsa5HbxmQAFc5Tg7qpJunXxbwHZNRvQaOTsfZ1TpYsiq
S09xL6+TljffyMli7iApPVgvJ285JQ4B0jxeJNPS3Dg2LFuJ7drCsc9VdCZT
L/e1gIFa8DpktpOKUNg0CbRsUnFnAnbbYQqlEkabGU1xrdSKbCaj1QpwMYD1
fwTRDjwnJIDWNy4TKOPcUD6/cFaQQDdGCzYHbL5R1oUc6poAhz/0o1ecMUQk
Z8o5eFj02iAciCm+to6A5Dw8qGZkpWd17A/KyZiThPUCwe7ilhLYjUgDxuNR
n9O75J8fu0cydbAl3QR7yKJzhh/h6a2Tmqlyvs+JZGPrUfTx44xybyS8eHyM
R8qo8Y7aGeCGG6imIUI4xXW0kK2ERsfEYDIhxNWvj/HZEwXRqRvTKLV5GvCI
mxL9ucF5FLvNmFAXVQ9/GoS+7+ySD09vpbMfNM7u2dkbNTL8XoM2dIpGgVr1
gsn8y/v9v3yo5m4asDDvppn5OATLEUs934v5yGcPDADeyp/vzY7wnDMT+nRo
/XxP2ljrPt7tCT5vfr7X3R8RJXg1Ly/B2+x9iqJffvkliv7Q7/f/gJWH38I/
80/zRdUo+nl8cvAznn6e8O/BYIDnMHD1YnJyyI3G+P0ls0QTp8b3MYvAmxfg
5OGDoW8rml+/oeM7/ho93PoTOm3/GlXfWbZC242H1ld0uhw9x+yU7RgdH190
O/HXw/ZXdDoePT9H5BXcaqfTtq+/cU8kY7v31PpKe1Lz9/sfeOWQnj6pUnNP
4etB/dV3AtM/iPqn06n79Tfs6aRYfEUR2FeeHe09bXyl5bGpeg6p3bq88PWw
RYjj2hKEb00+tb4e/AP4NPGAbDuf2l+/bCan73dYmMeftzAvyYqdOCv2a6yL
+ALFF19gX75knv+/BqapvV3BHbW097cK7u/K+JuU8SrA3RYqZrDPCJRBQkiQ
8wm6Sl0Rw0KvKlz0WYw3ECPg0+XSZJ1aCI5O0NXkLuyhY+qqfKpOgQao6JGP
j4AIxtzn02IuLjACjoufH/SqI/oOSiSEugVi+RxGnYKoMLxx1TLVdGEKmi5M
/YAjJI/Y6wBiK1jnAxpOq/s9hEgJMHsgKOWlfpJEok484OjE5wx1SmITAm9f
dSsFuwPf1j0b1O3tIlhVQsO7rjGp1UtNaWD05YiSMhRu8qTX4GRIYFeL5EA2
jJmruUurgH94hb9SHxcjWAk1O4jnsjqZ0YxbmeycxP6HRqsuRvjG0bzXHOqF
8IFVU1jdaGS7sRTYQ1rZNw1j2hMNI/miOt0ThkPiSp98t8Nmt8p6vmic9Pyq
Y0+/NE0Z9ZLz67KuO2Jxnsm42kgzPhpTBu7HkgvMtk62S1D8WEGoqFnF9aal
IC42GZ9oymfyERdUw1YEWoeExjQ1LHnTdUtTfCr/0qQlr6M6nw5IYUJx99Ui
L+9MhZ3WSZVGLOMzC73dInVnDBqcXshR1hlQXyVktxxGyqI59UC8LHcp/865
A7PLjM13nbBsDXxpnB1zyU2iv47L1B0xyi1eggyuJSOn7eJOP1HlIzZ9ReA+
89gfgLnKSizSBh5qzqGUWUjZW7WUWYFu7ROyXSLIdsPlc9tHj1vdF1viOuff
yGH6UzHHyzjl89emso9Pmo7AsfTsUTtnSglbyuTRjpxMl1a1pWOrCHTG2X4E
wKdhdaogZEPvSK66U37smgzcndj8yeex+dt6Hp+k9dZzEjgatLKC55tduKBt
ZxZhGP02XPVl+HcHlL3cAnR/D7Crmb4IlW4ViJeN1NX/PWH4XwmGnDpVp8Vk
L6syOjYz1flWr4I93ZSlQ6jNRKmzUJoRA5XEMLSCw6WM9BmVLVGJkjuN33IK
UaUeNyx6zx/c714IH3/+z6q5th+EuMVTmbE/fJaCL3uknTpr8h0GlpgQa1UZ
kq3dqSGfoS7kjTY5H7KNfb2er+cOReZjs1zlrtS4c2hcA6/60LC5XFeY32PC
8rp25IGXJqmOMOncOpxv1fjxzjQyba6u0PALaBXEnRYerICrdNAPvln9zwLU
nkixJxsJSOO4zr73N2o+MDgkieg1RnNRZJCGzulgOPSqQWRYyjbKQCq8b2/A
yc72EJyVOdFlaehIbNeaA3yqbl7smJI8sPFIjgaC12bcLTs78Rroq6WpbrTm
2bZx/fSVnNS1+q6Y4coEJERKqRp1Aq3TrybQCzrUKDZ2mCQp8wAx6uqzqjSG
GNfg17bF5nQzi8p7sgY5OUII91AqG9DieUOG+LZMO6VAaL60UfT+3BQqIF2s
SJwkmgxWn+Y1LMbYla3OzJy8l8CzsXRGCnPfKlcRV3WhKIVlKlbByNLtrlA2
EIZzOY06HVCy3brOqAikex0kxI25KUxs0qoUmkVRV4ULsSeeE5pCL1lgoKAs
LjwIGp9yUkIV/WM6Gu2F20EOSVH3+uZSq7K+tRHlv62CYHSXHATS1lEqhY+Z
L4agEz3r1kk3G6k5WbYE++DjT1/DoXggPqb1FS58nstoH8uxAyEmqSKZz5iV
Ie+R6mrPZKJ1lugbnVBhdye7xImXyqzTxzXdUDK5dYLklZ3WiLlaCp5BURzi
qO4DgQ/o064eaiarnB6Tm+F5ebm3lIMqV6vUH8IyOaj4DYQv6QrKQFTVg7zG
QEXpnS+XKvpCDyoTp5ul/ji2R8U+soCKO1LUhr0rYHzWr3MxgxekqhZMesHm
xR/yJjfaulFrQrtERHcoGNaIc1hkvTfgBgtQT+yxbLgaUzo/hjbcaHXL01Fx
JxwzdZoDUqxskJd5BoNSl8I7ktKlHH9DxJfiwAsrf57JRU2087zMMldUmKhm
WSpFSxwrKarh8Bb2RqYlU4nqHXNdCwstbaZU4moHq7mWoJNjdSAFVRV5XSWP
nHOhMMgavGe5ClanIZmbm3ZF7Kw5tQyFi0xWkQ8q9lxB0dZrrkCXb/O5zPRf
uev2y7Bcv9/i4ZDbjC8Onuzv7/Om8fyMnkEuKkvh2mewqtrv3ZcYBy49HqzF
kGvqbSiVcBcOOKXKpfbK3z9y94H8pSIE05LDYCY461qT2N7cyykscJ/eYWS8
DttduauS9n4QA6gnW5mvqbbr4Jm7bkadH9Ba3xCvqNbvjMqN+TZLuGn5EAiO
LmjMVXsX1O07N+hQsF2lS9YPxRkAa0Z2C7T/arRBaS9hJHhoYAouJQ/GfMCz
oWVc3Hk1GbOQ6ytXCQHYofi3MlPi0X5PHO4fPiHvd+kvG3ZB6cd74csnyqs0
71qR4S6n/8VF8E5QXW13GCluj5RoG5fWdi7n9Oriq147wujmcUjQG+CwUaO5
rTqzWdTtadVZEMV91eWcmO96+/rNob/Fs2WqziyhGlvz3ZJYhQLQpSJGaLv0
5ianykiwstMdRkQnHiXkCqsNQIhv2kLXidmNYMV3dwU5mKZxAcNBfxIH7IW6
hOrAl3ypcCguNVku3k875lLOetfF0rDjKi+cKXfFNAFi5h5UhjiD3CYXdhJe
DNX+VTWYyw9J0N+YGYdtHdr5axGcHvPnIURqtyyPhMCXNPH2n6+SXZNRqS9L
Ep9luJEs3dZjv/UVpX/IFk0p3Wt/LMF6Z0RsuMtczxxuJpFQBOx6rDiYPOXK
yKFDNOtMLv3l0/pCZcqXLAkP+5uUXLTt49MQhLb3r/CZyEZ3ajksogvZIl5Q
xXA4BvH3TTlgZiGoUHXCK7NQ+es6aW09zUgqufSXbx1ZvjuAKd30pATlcuWh
6dRHsWEqOecqad4dfDjErPHRBe5k2yi72fMVoywQjlCNawjuhknQKKLq20Yp
ceOKKUxhC/WzL6v0p74VY+m2cdEqSPZ8ZnGY07JCeXHIb3I+mKWbi+YKn7P2
ld5N3ZYbt6/eZfjNc3rbQ+dpFA3ZVpYaH3Ntr60LIUbno00DSm83jCfBQYBD
7iGDf+D7+wQcCBQRyk9VMvcXcaPnGz/RxyF8VbmcUnn0J2cu3f9mA7CJ9YbF
g42zzK7FS7g2A3LHuQTqCUbF/R9CxPceWXxLyIKz9e7idwE4SJtk7MVc9fgx
1Asu3fpM5yruIPpv9xNZDM9EAAA=

-->

</rfc>

