<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-yu-dtn-access-gateway-ip-edge-networks-00" category="exp" submissionType="IETF" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="DTN Access Gateway">DTN Access Gateway for IP Edge Networks</title>
    <seriesInfo name="Internet-Draft" value="draft-yu-dtn-access-gateway-ip-edge-networks-00"/>
    <author initials="J." surname="Yu" fullname="Jianhao Yu">
      <organization>Nanjing University</organization>
      <address>
        <email>jianhaoyu@smail.nju.edu.cn</email>
      </address>
    </author>
    <date year="2026" month="July" day="01"/>
    <area>Internet</area>
    <workgroup>Delay/Disruption Tolerant Networking</workgroup>
    <keyword>DTN</keyword>
    <keyword>Bundle Protocol</keyword>
    <keyword>IP edge network</keyword>
    <keyword>access gateway</keyword>
    <abstract>
      <?line 39?>

<t>Delay- and disruption-tolerant networking (DTN) is used in environments with long propagation delay, constrained links, intermittent connectivity, and scheduled contacts.  At the edge of such systems, local IP networks may exist, such as lunar surface networks, spacecraft internal networks, and edge computing networks.  End systems in these IP edge networks may continue to use conventional IP stacks and may not process DTN-specific semantics such as endpoint identifiers, Bundle lifetimes, contact schedules, or DTN storage constraints.</t>
      <t>This document describes a DTN access gateway for IP edge networks.  The gateway is placed at the boundary between an IP edge network and a DTN domain.  It organizes authorized IP-side data into Bundle payloads, submits those payloads to the DTN side under controlled admission, and reflects DTN-side admission constraints back to IP edge senders through bounded pre-admission state and passive back-pressure.</t>
      <t>The main focus is edge-to-edge transit mode, in which a pair of gateways connects two IP edge networks across a DTN domain.  This document also discusses an optional edge-to-DTN service access extension, in which selected IP-side requests are mapped, under local rules, to service transactions in the DTN domain.</t>
      <t>This document does not define a new BP extension block, convergence-layer protocol, Bundle payload encoding, routing protocol, contact-plan exchange protocol, or mandatory gateway implementation.</t>
    </abstract>
  </front>
  <middle>
    <?line 49?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>DTN provides store-and-forward communication for environments such as cislunar and Mars networks, where communication may be affected by long propagation delay, constrained links, intermittent connectivity, and scheduled contacts. BPv7 <xref target="RFC9171"/> and the Licklider Transmission Protocol (LTP) <xref target="RFC5326"/> are common parts of DTN protocol stacks.</t>
      <t>Not all systems attached to a DTN domain are themselves DTN endpoints. At the edge, there may be local IP networks with low delay and continuous connectivity, such as lunar surface networks, spacecraft internal networks, and edge computing networks. End systems in these networks may continue to use existing IP stacks, application interfaces, and local security mechanisms. They may not handle DTN endpoint identifiers (EIDs), Bundle lifetimes, contact plans, storage limits, or other DTN-specific semantics.</t>
      <t>This creates a boundary access problem. IP-side data streams and requests cannot be injected into a DTN domain as unbounded IP traffic. They need to be admitted at the boundary, organized into Bundle payloads, and paced according to DTN-side contacts, storage, link capacity, and admission state.</t>
      <t>This document describes a DTN access gateway for this boundary function. The gateway is deployed at the edge of a DTN domain. On the IP side, it acts as an authorized proxy or receiving function for local TCP <xref target="RFC9293"/> or QUIC <xref target="RFC9000"/> connections according to local policy. On the DTN side, it acts as a Bundle Protocol Agent (BPA), or uses BPA functionality, to submit and receive Bundles. This can reduce the need to make edge applications BP-native.</t>
      <t>The main operating case is edge-to-edge transit mode. In this mode, a pair of DTN access gateways connects two IP edge networks across a DTN backbone. The ingress gateway receives IP-side data units or logical flows, constructs Bundle payloads, and submits them into the DTN domain under controlled admission. The egress gateway receives delivered Bundles, recovers the carried data, and delivers it into the target IP edge network.</t>
      <t>This document also discusses an optional edge-to-DTN service access extension. The extension reuses the same IP-side control, Bundle construction, DTN-side admission, finite pre-admission state, and passive back-pressure mechanisms. It applies only when local service mapping rules are configured and the gateway is authorized to terminate or process the relevant IP-side connection. It is a rule-constrained service access mechanism, not a general application semantic translation framework.</t>
      <t>The gateway also reflects DTN-side constraints to the IP edge network. DTN domains may be limited by contact windows, storage capacity, link rate, and admission availability, which are usually not visible to IP-side end systems. The gateway limits the amount of data held before DTN-side admission and uses passive back-pressure to convey DTN-side constraints back to IP edge senders without defining new cross-domain back-pressure signaling.</t>
      <t>This document focuses on reference architecture, boundary processing, state and failure semantics, and security implications. It does not define a new convergence-layer protocol, Bundle payload encoding, routing protocol, contact-plan exchange protocol, service mapping rule format, or mandatory implementation behavior. This document is intended as Experimental and is not a Standards Track specification.</t>
    </section>
    <section anchor="terminology-and-scope">
      <name>Terminology and Scope</name>
      <section anchor="terminology">
        <name>Terminology</name>
        <t>This document uses the following terms:</t>
        <dl>
          <dt>DTN access gateway:</dt>
          <dd>
            <t>A boundary function between an IP edge network and a DTN domain.  Under local authorization policy, it acts as an authorized proxy for IP-side TCP or QUIC connections.  On the DTN side, it acts as a BPA, or uses BPA functionality, to submit and receive Bundles.</t>
          </dd>
          <dt>IP edge network:</dt>
          <dd>
            <t>A local IP network at the edge of a DTN system.  Examples include a lunar surface network, a spacecraft internal network, and an edge computing network.</t>
          </dd>
          <dt>Edge-to-edge transit mode:</dt>
          <dd>
            <t>An operating case in which a pair of gateways connects two IP edge networks through a DTN domain.  The ingress gateway organizes IP-side byte streams into Bundle payloads.  The egress gateway recovers the byte streams and delivers them into the target IP edge network.</t>
          </dd>
          <dt>Edge-to-DTN service access extension:</dt>
          <dd>
            <t>An optional extension in which a gateway maps selected IP-side requests to DTN-side service transactions under local service mapping rules.  The extension reuses the basic mechanisms of edge-to-edge transit mode.</t>
          </dd>
          <dt>Logical flow:</dt>
          <dd>
            <t>A gateway-internal abstraction of an admitted IP-side connection or data stream.  A logical flow keeps the information needed to identify the flow and recover byte order.</t>
          </dd>
          <dt>Shared aggregation buffer:</dt>
          <dd>
            <t>A bounded gateway buffer shared by multiple logical flows before data is admitted into the DTN side as Bundle payloads.</t>
          </dd>
          <dt>Pre-admission control domain:</dt>
          <dd>
            <t>The state controlled by the gateway before DTN-side admission.  It includes data authorized by IP-side flow control but not yet consumed by the gateway.  It also includes data read by the gateway and stored in the shared aggregation buffer.</t>
          </dd>
          <dt>Passive back-pressure:</dt>
          <dd>
            <t>The feedback effect created by gateway read suspension, bounded pre-admission state, and IP-side transport flow control.  It carries DTN-side service limits back to the IP edge sender without new cross-domain back-pressure signaling.</t>
          </dd>
          <dt>Payload subframing:</dt>
          <dd>
            <t>Gateway-local organization inside a Bundle payload.  A pair of gateways uses it to distinguish logical flows and recover byte order.  Payload subframing is not a BP extension block or convergence-layer frame.</t>
          </dd>
          <dt>Service mapping rule:</dt>
          <dd>
            <t>A local gateway rule that describes when an IP-side request can generate a DTN-side service transaction.  The rule binds the target object, endpoint, service parameters, and response handling.</t>
          </dd>
        </dl>
      </section>
      <section anchor="relationship-to-the-bpv7-architecture">
        <name>Relationship to the BPv7 Architecture</name>
        <t>A DTN access gateway is a boundary node that contains or invokes BPA functionality.  On the IP edge side, it acts as a proxy or receiving function for local TCP or QUIC connections.  On the DTN side, it uses BP services to construct, submit, and receive Bundles.</t>
        <t>The following figure shows the gateway position.</t>
        <artwork><![CDATA[
+------------------------------------------+
|           DTN access gateway             |
|  +----------------+  +----------------+  |
|  | IP-side proxy  |  | DTN-side BPA   |  |
|  | (TCP/QUIC/TLS) |  | (BP + CL(s))   |  |
|  +----------------+  +----------------+  |
|         |                    |           |
|    IP edge network      DTN backbone     |
+------------------------------------------+
]]></artwork>
        <t>The gateway is not a replacement for the BPA.  It does not modify BP semantics.  It uses BP service functions such as Bundle submission and delivery.  The interface between the gateway application and the local DTN stack is deployment-specific and is outside the scope of this document.</t>
        <t>The gateway is complementary to DTN convergence layers.  For example, TCPCL version 4 <xref target="RFC9174"/> defines a TCP-based convergence layer for transferring Bundles between BPAs over an IP network.  The gateway described here performs a higher-layer boundary function.  It handles IP-side connections, multi-flow aggregation, contact-aware admission, and optional service mapping.  A gateway can use TCPCL or any other configured convergence layer to communicate with a peer BPA.</t>
      </section>
      <section anchor="scope-and-non-goals">
        <name>Scope and Non-Goals</name>
        <t>This document discusses:</t>
        <ol spacing="normal" type="1"><li>
            <t>the reference architecture of a DTN access gateway;</t>
          </li>
          <li>
            <t>boundary processing between IP-side data and DTN-side Bundle admission;</t>
          </li>
          <li>
            <t>dynamic Bundle payload construction in edge-to-edge transit mode;</t>
          </li>
          <li>
            <t>contact-aware admission and passive back-pressure;</t>
          </li>
          <li>
            <t>finite gateway-controlled state before DTN-side admission;</t>
          </li>
          <li>
            <t>a rule-constrained edge-to-DTN service access extension; and</t>
          </li>
          <li>
            <t>security considerations introduced by this gateway function.</t>
          </li>
        </ol>
        <t>This document does not define:</t>
        <ol spacing="normal" type="1"><li>
            <t>a new BP extension block;</t>
          </li>
          <li>
            <t>a new convergence-layer protocol;</t>
          </li>
          <li>
            <t>a new Bundle payload encoding;</t>
          </li>
          <li>
            <t>a new cross-domain signaling protocol;</t>
          </li>
          <li>
            <t>a routing protocol;</t>
          </li>
          <li>
            <t>a contact-plan exchange protocol;</t>
          </li>
          <li>
            <t>a general application-layer semantic translation framework;</t>
          </li>
          <li>
            <t>a data model, encoding, or distribution protocol for service mapping rules; or</t>
          </li>
          <li>
            <t>changes to BP <xref target="RFC9171"/>, BPSec <xref target="RFC9172"/>, LTP <xref target="RFC5326"/>, TCPCL <xref target="RFC9174"/>, TLS <xref target="RFC8446"/>, QUIC <xref target="RFC9000"/>, or HTTP <xref target="RFC9110"/>.</t>
          </li>
        </ol>
        <t>This document also does not modify CFDP.</t>
      </section>
    </section>
    <section anchor="edge-to-edge-transit-mode">
      <name>Edge-to-Edge Transit Mode</name>
      <t>Edge-to-edge transit mode is used when two IP edge networks exchange data through a DTN domain.  A pair of DTN access gateways is deployed at each side of the DTN domain.  The ingress gateway acts as an authorized proxy for local IP-side connections and organizes their byte sequences into Bundle payloads.  The egress gateway receives Bundles delivered through the DTN domain, recovers the data, and delivers it into the target IP edge network.</t>
      <t>This section describes the general boundary function.  It does not define a specific application-over-BP encapsulation.  It describes how a gateway handles IP-side connections, constructs Bundle payloads, controls DTN-side admission, and reflects DTN-side constraints to the IP edge side.</t>
      <section anchor="reference-architecture-and-trust-boundary">
        <name>Reference Architecture and Trust Boundary</name>
        <t>The following figure shows the reference architecture for edge-to-edge transit mode.</t>
        <artwork><![CDATA[
+------------------+       +------------------+
| Source IP edge   |       | Ingress gateway  |
| network          | ----> |  DTN access GW   |
+------------------+       +------------------+
                                      |
                                      | Bundles
                                      v
                              +------------------+
                              | DTN backbone     |
                              +------------------+
                                      |
                                      | Bundles
                                      v
+------------------+       +------------------+
| Target IP edge   | <---- | Egress gateway   |
| network          |       |  DTN access GW   |
+------------------+       +------------------+

        Figure 1: Edge-to-edge transit mode
]]></artwork>
        <t>Connections from the source IP edge network can reach the ingress gateway through local routing, service discovery, proxy configuration, or other deployment-specific mechanisms.  The ingress gateway acts as an authorized proxy for the source IP edge network.  It converts ordered IP-side byte streams into Bundle payloads.  After Bundles enter the DTN domain, they are handled by DTN store-and-forward processing, contact scheduling, and configured transport mechanisms.</t>
        <t>The egress gateway extracts payload data from delivered Bundles. It recovers the carried data units or byte streams and delivers them to service endpoints in the target IP edge network.</t>
        <t>The gateway is not a transparent forwarding device.  It is an authorized boundary function.  For protected IP-side connections, the gateway can parse requests or perform application-layer processing only when it has the required authorization and security context.  Cases where the gateway is not authorized to terminate the relevant IP-side connection or access the information needed for gateway processing are outside the scope of this document.</t>
        <t>However, this trust model also limits what edge-to-edge transit mode provides.  The mode can carry byte sequences generated by IP-side connections across a DTN domain through a pair of gateways.  It does not transparently preserve the original TCP or QUIC session, original end-to-end security context, or application semantics.</t>
      </section>
      <section anchor="dynamic-bundle-payload-construction">
        <name>Dynamic Bundle Payload Construction</name>
        <t>The ingress gateway converts IP-side data into Bundle payloads. IP edge networks can have short RTT and high local injection rate. The DTN backbone can be constrained by contacts, link capacity, storage, and forwarding opportunities. The gateway therefore performs controlled aggregation and admission before data enters the DTN side.</t>
        <section anchor="logical-flow-abstraction">
          <name>Logical-Flow Abstraction</name>
          <t>The ingress gateway represents each admitted IP-side connection as a logical flow. The logical flow is a gateway-internal abstraction. It maintains the flow identifier, byte ordering information, and state needed by the egress gateway.</t>
          <t>The number of concurrent logical flows is limited by local configuration.  Connections beyond that limit can be delayed, blocked, or rejected according to local policy.  This bounds the number of flows that can enter the pre-admission control domain.</t>
        </section>
        <section anchor="shared-aggregation-buffer">
          <name>Shared Aggregation Buffer</name>
          <t>The ingress gateway maintains a shared aggregation buffer between IP-side logical flows and the DTN-side submission interface. The buffer capacity is configured locally. Multiple logical flows share the buffer.</t>
          <t>The gateway does not need to reserve a fixed buffer for each connection. Readable flows can write data to the shared buffer. Idle or temporarily unreadable flows do not consume additional reserved space.</t>
          <t>When the shared aggregation buffer reaches its capacity limit, the gateway stops reading new data from IP-side connections.  During this read suspension, data already in the buffer remains available for Bundle payload construction when admission conditions are met.</t>
        </section>
        <section anchor="gateway-defined-payload-subframing">
          <name>Gateway-Defined Payload Subframing</name>
          <t>When a Bundle payload carries bytes from multiple logical flows, the egress gateway needs to distinguish those flows and recover byte order. A pair of gateways can use gateway-defined payload subframing inside the Bundle payload for this purpose.</t>
          <t>A subframe needs to carry at least:</t>
          <artwork><![CDATA[
logical-flow identifier
byte offset or sequence number
payload length
payload bytes
]]></artwork>
          <t>The logical-flow identifier identifies a gateway-internal flow. The byte offset or sequence number supports ordering within that flow. The payload length identifies the fragment length. The payload bytes are the carried data.</t>
          <t>The logical-flow identifier is allocated locally or agreed by the paired gateways. It is not required to match an original TCP or QUIC connection identifier.</t>
          <t>Payload subframing is interpreted only by the paired gateways. It is not a BP extension block, convergence-layer frame, or DTN protocol structure. It is carried inside the Bundle payload and is transparent to BP processing.</t>
        </section>
        <section anchor="bundle-payload-assembly">
          <name>Bundle Payload Assembly</name>
          <t>During an admission attempt, the ingress gateway extracts bytes from the shared aggregation buffer and assembles them into a Bundle payload. A Bundle payload can contain data from one or more logical flows. If one logical flow contributes adjacent fragments during the same cycle, the gateway can combine them into one subframe.</t>
          <t>Let <tt>S_k</tt> be the service bytes in the <tt>k</tt>-th Bundle payload. Let <tt>H_k</tt> be the subframing overhead. The admission size is:</t>
          <artwork><![CDATA[
L_k = S_k + H_k
]]></artwork>
          <t>The gateway uses a configured maximum Bundle payload budget, <tt>B_max</tt>, to limit one admission:</t>
          <artwork><![CDATA[
L_k <= B_max
]]></artwork>
          <t>Here, <tt>B_max</tt> is the payload budget exposed by the gateway. It does not include BP internal overhead, convergence-layer overhead, or other DTN stack overhead.</t>
          <t>The gateway does not need to wait until the shared aggregation buffer is full before constructing a Bundle. As long as the admission conditions are satisfied, the gateway can extract the resident data from the buffer to construct a smaller Bundle payload. This behavior facilitates early progress during startup, small‑object transfer, or low‑load connections, while keeping the payload size admitted to the DTN side bounded.</t>
        </section>
        <section anchor="contact-aware-bundle-admission">
          <name>Contact-Aware Bundle Admission</name>
          <t>The gateway does not pre-construct Bundle payloads for later admission.  Bundle payload construction and DTN-side submission occur as one admission action.  When the admission conditions are met, the gateway takes data from the shared aggregation buffer, assembles a Bundle payload, and submits it to the DTN side.</t>
          <t>The ingress gateway can make admission decisions based on DTN contact availability, DTN-side admission capacity, and local pacing. A Bundle payload is typically constructed and submitted when:</t>
          <artwork><![CDATA[
1. a serviceable DTN contact is available;
2. the local admission interval has elapsed;
3. the shared aggregation buffer contains data that can be submitted;
4. the DTN-side interface can accept a new Bundle payload.
]]></artwork>
          <t>Let <tt>chi(t)</tt> be a contact availability indicator. <tt>chi(t)=1</tt> means that a serviceable DTN contact is available. <tt>chi(t)=0</tt> means that no such contact is available.</t>
          <t>Let <tt>I_dtn(t)</tt> be a DTN-side admission indicator. <tt>I_dtn(t)=1</tt> means that the DTN-side interface can accept a new Bundle payload.</t>
          <t>For the <tt>k</tt>-th Bundle payload, the contact, pacing, and DTN-side admission conditions can be described by:</t>
          <artwork><![CDATA[
chi(tau_k) = 1
tau_k - tau_{k-1} >= T_wait(k-1)
I_dtn(tau_k) = 1
]]></artwork>
          <t>Here, <tt>tau_k</tt> is the admission time of the <tt>k</tt>-th Bundle payload, and <tt>T_wait(k-1)</tt> is the waiting time after the previous admission. In addition to these conditions, the shared aggregation buffer is non-empty at admission time.</t>
          <t>One implementation strategy is two-boundary admission pacing. Let <tt>C_eff(t)</tt> be the estimated effective DTN-side service rate during a serviceable contact. For the <tt>k</tt>-th Bundle payload, the bandwidth-bound interval is:</t>
          <artwork><![CDATA[
T_bw,k = L_k / C_eff(tau_k)
]]></artwork>
          <t>The gateway can also use a configured minimum admission interval, <tt>T_min</tt>, to avoid generating small Bundles too often in low-load or small-object cases. The waiting time can be:</t>
          <artwork><![CDATA[
T_wait(k) = max(T_bw,k, T_min)
]]></artwork>
          <t>When backlog persists, Bundle payloads usually approach the configured payload budget. The bandwidth boundary then dominates. During startup, low-load periods, or small-object transfer, the minimum interval may dominate and reduce the small-Bundle generation rate.</t>
          <t>This pacing method is only an example. Other admission strategies can be used if they limit DTN-side admission rate and bound pre-admission state. The architectural point is that the gateway controls admission at the DTN boundary and avoids unbounded injection of IP-side data into the DTN domain.</t>
        </section>
      </section>
      <section anchor="pre-admission-state-bound-and-passive-back-pressure">
        <name>Pre-Admission State Bound and Passive Back-Pressure</name>
        <t>Dynamic Bundle construction determines how IP-side bytes are assembled into Bundle payloads. The pre-admission control domain determines how much data the gateway can hold before DTN-side admission. Passive back-pressure reflects DTN-side service limits back to the IP edge sender without a new signaling protocol.</t>
        <section anchor="finite-pre-admission-control-domain">
          <name>Finite Pre-Admission Control Domain</name>
          <t>The pre-admission control domain is the state controlled by the gateway before DTN-side admission. It includes:</t>
          <ul spacing="normal">
            <li>
              <t>data authorized by IP-side flow control but not yet consumed by the gateway; and</t>
            </li>
            <li>
              <t>data read by the gateway and stored in the shared aggregation buffer.</t>
            </li>
          </ul>
          <t>Data already admitted to the DTN side is outside this control domain. It is managed by the DTN stack.</t>
          <t>The number of concurrent logical flows is bounded. Each logical flow also has a bounded flow-control budget. Therefore, the total amount of authorized but unconsumed IP-side data is bounded. Together with the shared aggregation buffer capacity, this gives a finite bound on data controlled by the gateway before DTN-side admission.</t>
          <t>Data already admitted to the DTN side but not yet released by the DTN stack is managed by that stack. It is not part of the pre-admission control process described here.</t>
        </section>
        <section anchor="establishing-passive-back-pressure">
          <name>Establishing Passive Back-Pressure</name>
          <t>Passive back-pressure is created by the loop between DTN-side admission, finite gateway state, and IP-side transport flow control.</t>
          <t>When admission conditions are met, the gateway takes data from the shared aggregation buffer, constructs a Bundle payload, and submits it to the DTN side as one admission action. When the IP-side input rate is higher than the DTN-side admission rate, the shared aggregation buffer first absorbs the difference. As the buffer fills, the gateway stops reading from IP-side connections. Backlog then moves to the IP-side TCP or QUIC flow-control boundary. When remaining flow-control credit is consumed, the sender is limited by its existing transport flow-control mechanism.</t>
          <t>As a result, DTN-side contact loss, admission blocking, or service-rate reduction can be reflected back to the IP edge sender through gateway read suspension and IP-side flow control. This document defines no new cross-domain back-pressure signaling.</t>
          <t>DTN-side admission can be limited by two kinds of conditions.  The first is gateway-side admission pacing.  DTN-side interface availability alone is not sufficient for admission; the gateway may also enforce a configured admission interval.  The second is DTN-side unavailability, such as no serviceable contact or no DTN-side admission capacity.</t>
          <t>During admission suspension, the pre-admission control domain can absorb only a finite amount of extra IP-side data. After that bound is reached, the gateway stops consuming more IP-side data. IP-side transport flow control then limits further injection. When contact availability or DTN-side admission availability returns, the gateway resumes Bundle construction and submission according to local policy.</t>
        </section>
        <section anchor="gateway-controlled-boundary">
          <name>Gateway-Controlled Boundary</name>
          <t>The gateway directly controls the data path only up to the DTN-side admission boundary. Before admission, it can limit active connections, constrain IP-side flow-control budgets, limit shared buffer occupancy, control Bundle payload size, and pace submission. After admission, data is handled by the DTN stack and configured DTN forwarding behavior.</t>
          <t>This separation matters when a high-rate IP edge network connects to a constrained DTN domain. The gateway uses finite pre-admission state and IP-side back-pressure to avoid becoming an unbounded cache. It also avoids unlimited injection from the IP edge side into the DTN domain. It does not modify the internal forwarding behavior of the DTN domain.</t>
        </section>
      </section>
      <section anchor="contact-plan-interaction">
        <name>Contact-Plan Interaction</name>
        <t>The gateway does not generate, modify, or maintain the contact plan. It obtains current contact availability from the DTN stack or other deployment-specific mechanisms. When a serviceable contact is available, the gateway can perform Bundle construction and submission according to Section 3.2.5. When no serviceable contact is available, the gateway suspends new Bundle submission. IP-side backlog is then reflected through the passive back-pressure mechanism in Section 3.3.2.</t>
        <t>The gateway does not expose the contact plan directly to IP edge end systems. IP edge end systems can interact with the gateway without understanding the DTN contact plan.</t>
      </section>
      <section anchor="delivery-considerations">
        <name>Delivery Considerations</name>
        <t>After the ingress gateway submits a Bundle to the DTN side, retention, forwarding, retransmission, expiration, and delivery-status handling are performed by the DTN stack and configured DTN mechanisms.  This document does not define any new retention, retransmission, custody-transfer, or delivery-guarantee mechanism for admitted Bundles.</t>
        <t>If a Bundle is not delivered because it expires, no route is available, no return path exists, or another DTN-side failure occurs, the gateway may learn about the failure through Bundle status reports, return Bundles, or deployment-specific feedback paths.  How the gateway handles such failures is a matter of local policy and is not specified here.</t>
      </section>
    </section>
    <section anchor="optional-edge-to-dtn-service-access-extension">
      <name>Optional Edge-to-DTN Service Access Extension</name>
      <t>The edge-to-DTN service access extension is used when an IP edge network accesses service endpoints within the DTN domain. In this extension, the target is not another IP edge network.  The target is a DTN-side endpoint that can execute a selected service transaction.</t>
      <t>This extension is optional and is not required for the edge-to-edge transit mode described in Section 3.  It reuses the same gateway mechanisms: IP-side authorization and control, Bundle construction, DTN-side admission, finite pre-admission state, and passive back-pressure.  The difference is the interpretation of admitted data.  In edge-to-edge transit mode, a paired egress gateway recovers Bundle payload data and delivers it into a target IP edge network.  In the service access extension, local rules map selected IP-side requests to DTN-side service transactions.  A paired egress gateway is not required.</t>
      <t>The following figure shows the basic form of the extension.</t>
      <artwork><![CDATA[
+------------------+       +------------------+
| IP Edge Network  |       |  DTN access GW   |
| (clients)        | ----> |                  |
+------------------+       +------------------+
                                      |
                                      | Bundles
                                      v
                              +------------------+
                              | DTN Backbone     |
                              | +--------------+ |
                              | | Service      | |
                              | | Endpoint(s)  | |
                              | +--------------+ |
                              +------------------+

        Figure 2: Edge-to-DTN service access extension
]]></artwork>
      <t>The gateway can perform service mapping only when it is authorized to terminate or process the relevant IP-side connection.  If the IP-side connection is protected by TLS or QUIC security, the gateway needs the required authorization and security context before it can parse the request or perform mapping.  Otherwise, the request cannot be mapped by this extension.</t>
      <section anchor="rule-constrained-service-mapping">
        <name>Rule-Constrained Service Mapping</name>
        <t>Service mapping is driven by local configuration.  A service mapping rule describes when a class of IP-side requests can generate a DTN-side service transaction.  This document discusses the information such rules need to express.  It does not define a rule data model, rule encoding, or rule distribution protocol.</t>
        <t>A service mapping rule can include:</t>
        <ul spacing="normal">
          <li>
            <t>the supported source-side protocol, method, or service entry point;</t>
          </li>
          <li>
            <t>the binding from a source-side object name to a DTN-side object or service endpoint;</t>
          </li>
          <li>
            <t>the target DTN endpoint identifier or service endpoint;</t>
          </li>
          <li>
            <t>the target service type and transaction parameters;</t>
          </li>
          <li>
            <t>Bundle lifetime, priority, and status-handling policy; and</t>
          </li>
          <li>
            <t>local failure handling and response recovery behavior.</t>
          </li>
        </ul>
        <t>Before generating a DTN-side service transaction, the gateway determines whether:</t>
        <ol spacing="normal" type="1"><li>
            <t>the request can be parsed within the authorized security context;</t>
          </li>
          <li>
            <t>the request matches a local service mapping rule;</t>
          </li>
          <li>
            <t>the target object can be bound;</t>
          </li>
          <li>
            <t>the target service is available for the requested operation; and</t>
          </li>
          <li>
            <t>required attributes can be preserved, explicitly degraded, rejected, or locally compensated.</t>
          </li>
        </ol>
        <t>If these conditions are not satisfied, the gateway returns a local error on the source side.  This avoids consuming DTN backbone resources for requests that cannot be executed.</t>
        <t>Service mapping can take different forms.  In transport adaptation, the application protocol remains the same, but transport changes from an IP-side transport to BP delivery in the DTN domain.  This form assumes that an application-over-BP encapsulation exists or is defined elsewhere, and that the target DTN-side endpoint supports the corresponding application protocol.  HTTP-over-BP is one possible related case <xref target="I-D.blanchet-dtn-http-over-bp"/>, but this document does not define or replace such an encapsulation.</t>
        <t>In native service mapping, the gateway maps an IP-side request to a DTN-side service transaction with different native semantics.  For example, a configured rule could interpret an authorized source-side retrieve request as a DTN-side file or object retrieval transaction.  This document does not define HTTP-to-CFDP mapping, CFDP proxy behavior, or any CFDP transaction profile.</t>
      </section>
      <section anchor="response-recovery-and-failure-boundary">
        <name>Response Recovery and Failure Boundary</name>
        <t>The service access extension needs to distinguish local mapping failures from DTN-side or target-side failures.</t>
        <t>Local mapping failures include request parsing failure, rule mismatch, object binding failure, and policy rejection.  These failures occur before DTN-side admission.  They do not generate a target DTN service transaction and do not consume DTN backbone resources.  The gateway returns an error through the source-side protocol.</t>
        <t>Failures after DTN-side admission are DTN-side or target-side failures.  They can include Bundle expiration, target service rejection, target transaction failure, or lack of a return path.  The gateway may learn about these failures through status reports, return Bundles, or deployment-specific feedback paths.</t>
        <t>When a target transaction succeeds, the gateway can generate a successful source-side response if the source-side protocol can represent the result.  When a target transaction fails, the gateway maps the failure to an explicit source-side error.  For source-side protocols with connection lifetime limits, the source-side connection may close or time out before the DTN transaction completes.  In that case, the gateway can cancel the wait, cache the result, return a timeout error, or make the result available through a deployment-specific asynchronous retrieval mechanism.</t>
      </section>
      <section anchor="scope-and-limits-of-the-extension">
        <name>Scope and Limits of the Extension</name>
        <t>The edge-to-DTN service access extension describes rule-driven, capability-constrained, rejectable, and recoverable gateway-side mapping.  It is not a general application semantic translation framework.</t>
        <t>The extension does not require DTN-side services to understand HTTP, TCP, QUIC, or other IP application semantics.  It also does not assume that arbitrary IP application requests can be converted into DTN service transactions.  If there is no valid mapping rule, if the target object cannot be bound, if required attributes cannot be preserved or explicitly handled, or if the result cannot be recovered, the request is expected to fail locally or return an explicit source-side error rather than generating a DTN service transaction.</t>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>The DTN access gateway is placed between an IP edge network and a DTN domain.  It can terminate authorized IP-side connections, construct Bundle payloads, generate DTN-side service transactions for IP-side requests, and perform local service mapping and response recovery.  The gateway therefore creates a trust boundary and a state boundary.</t>
      <t>This document does not define new cryptographic mechanisms.  It does not replace BP <xref target="RFC9171"/>, BPSec <xref target="RFC9172"/>, TLS <xref target="RFC8446"/>, QUIC <xref target="RFC9000"/> <xref target="RFC9001"/>, TCPCL <xref target="RFC9174"/>, or convergence-layer security mechanisms.  This section discusses security considerations introduced by the gateway architecture.</t>
      <section anchor="gateway-trust-boundary">
        <name>Gateway Trust Boundary</name>
        <t>The gateway is not a transparent forwarding device.  It is an authorized boundary function.  If the gateway terminates an IP-side connection, security semantics are segmented at the gateway.  Deployments need to decide which connections the gateway can terminate, which application content it can inspect, and when it can generate Bundles or service transactions for IP-side entities.</t>
        <t>A compromised gateway can forge IP-side requests, modify Bundle payloads, bind requests to wrong target EIDs, or access DTN-side services without authorization.  The gateway therefore needs protection appropriate to a component at a DTN trust boundary.  Relevant protections include authentication, authorization, key management, access control, audit logging, and operational monitoring.</t>
      </section>
      <section anchor="identity-and-authorization-mapping">
        <name>Identity and Authorization Mapping</name>
        <t>IP-side identity is not automatically equivalent to DTN-side identity.  IP addresses, TLS client identity, HTTP Authorization information, local accounts, DTN EIDs, and DTN service permissions do not have a natural one-to-one mapping.</t>
        <t>When the gateway constructs Bundles or service transactions for IP-side connections, it needs a local policy that binds source identity, target EID, service permission, and allowed operations.  In the service access extension, incorrect identity mapping or object binding can cause unauthorized access, unintended service invocation, or data disclosure.</t>
        <t>Service mapping rules need to constrain accessible target objects, service endpoints, and operations.  If authorization, target binding, or required attributes cannot be determined, the request is expected to fail locally rather than being silently mapped to a DTN service transaction.</t>
      </section>
      <section anchor="applicability-of-bpsec">
        <name>Applicability of BPSec</name>
        <t>BPSec <xref target="RFC9172"/> provides integrity protection through the Block Integrity Block (BIB) and confidentiality protection through the Block Confidentiality Block (BCB).  In this gateway architecture, BPSec applicability depends on the gateway role in Bundle construction and payload processing.</t>
        <t>The gateway can act as the BPSec security source for Bundles that it constructs.  It can apply BIB protection to provide integrity protection for the Bundle payload in the DTN domain.  If confidentiality is required, it can apply BCB protection to the Bundle payload.</t>
        <t>In edge-to-edge transit mode, BPSec protection is typically configured so that the egress gateway, or the security domain represented by that gateway, can verify integrity protection or decrypt protected payloads.  In the service access extension, the corresponding processing entity is typically the DTN-side service endpoint or its security domain.</t>
        <t>If the IP-side connection uses TLS over TCP <xref target="RFC8446"/> or QUIC <xref target="RFC9000"/> <xref target="RFC9001"/> for IP-side security, BPSec protects a different security segment.  Deployments need to define the trust assumptions, responsible parties, and protection scope for each segment.</t>
        <t>This document does not specify a BPSec configuration.  Deployments select BPSec policies according to their threat model, contact characteristics, resource constraints, and operational requirements.</t>
      </section>
      <section anchor="bundle-payload-and-subframing-protection">
        <name>Bundle Payload and Subframing Protection</name>
        <t>In edge-to-edge transit mode, the Bundle payload can contain gateway-defined payload subframing.  The logical-flow identifier, byte offset, length field, and payload bytes can affect demultiplexing and byte-order recovery at the egress gateway.</t>
        <t>If these fields are modified, the result can be incorrect demultiplexing, out-of-order release, flow confusion, or data injection.  Bundle payloads that carry subframing information therefore need integrity protection appropriate to the deployment risk.  If the payload contains sensitive data, object names, or access context, confidentiality protection also needs to be considered.</t>
        <t>Such protection can be provided by BPSec, convergence-layer security, or other deployment-specific mechanisms.  This document does not define a new payload protection format.</t>
      </section>
      <section anchor="resource-exhaustion-and-admission-control">
        <name>Resource Exhaustion and Admission Control</name>
        <t>An IP edge network can have short RTT and high local injection rate.  A DTN domain can be constrained by contacts, link rate, and storage capacity.  A malicious or misconfigured IP-side entity can try to exhaust gateway resources or DTN-side admission capacity by opening many connections, sending at high rate, generating many small objects, or submitting requests that cannot be executed.</t>
        <t>The mechanisms in Section 3 also have security relevance.  The logical-flow concurrency limit, shared aggregation buffer, Bundle payload budget, contact-aware admission, and finite pre-admission state limit how much data the gateway holds before DTN-side admission.  They also allow DTN-side unavailability or admission blocking to be reflected to the IP edge sender through transport flow control.</t>
        <t>Deployments need to configure these limits according to link capacity, contact schedules, storage resources, and service policy.  Otherwise, the gateway can become an unbounded buffer or a resource exhaustion point.</t>
      </section>
      <section anchor="service-mapping-and-response-recovery-risks">
        <name>Service Mapping and Response Recovery Risks</name>
        <t>The service access extension applies only to configured service classes.  Incorrect mapping rules, silent degradation of required attributes, incorrect object binding, or incorrect response recovery can cause wrong service invocation or misleading responses.</t>
        <t>When the gateway cannot preserve required attributes, bind the target object, or recover a meaningful source-side response, it needs to return an explicit error rather than generating a semantically uncertain success response.</t>
        <t>Long delay and asynchronous delivery in DTN environments also create request-response binding risks.  A source-side connection may have closed or timed out before the target DTN transaction completes.  The gateway needs a local policy for delayed results, duplicate results, and expired results, so that old results are not incorrectly bound to new source-side requests.</t>
        <t>Deployments that use service mapping should log mapping decisions, rejection reasons, target EIDs, Bundle admission state, and failure categories.  Such logging supports audit, troubleshooting, and incident analysis.</t>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document makes no IANA requests.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC9171">
          <front>
            <title>Bundle Protocol Version 7</title>
            <author fullname="S. Burleigh" initials="S." surname="Burleigh"/>
            <author fullname="K. Fall" initials="K." surname="Fall"/>
            <author fullname="E. Birrane, III" initials="E." surname="Birrane, III"/>
            <date month="January" year="2022"/>
            <abstract>
              <t>This document presents a specification for the Bundle Protocol, adapted from the experimental Bundle Protocol specification developed by the Delay-Tolerant Networking Research Group of the Internet Research Task Force and documented in RFC 5050.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9171"/>
          <seriesInfo name="DOI" value="10.17487/RFC9171"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC9172">
          <front>
            <title>Bundle Protocol Security (BPSec)</title>
            <author fullname="E. Birrane, III" initials="E." surname="Birrane, III"/>
            <author fullname="K. McKeever" initials="K." surname="McKeever"/>
            <date month="January" year="2022"/>
            <abstract>
              <t>This document defines a security protocol providing data integrity and confidentiality services for the Bundle Protocol (BP).</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9172"/>
          <seriesInfo name="DOI" value="10.17487/RFC9172"/>
        </reference>
        <reference anchor="RFC9174">
          <front>
            <title>Delay-Tolerant Networking TCP Convergence-Layer Protocol Version 4</title>
            <author fullname="B. Sipos" initials="B." surname="Sipos"/>
            <author fullname="M. Demmer" initials="M." surname="Demmer"/>
            <author fullname="J. Ott" initials="J." surname="Ott"/>
            <author fullname="S. Perreault" initials="S." surname="Perreault"/>
            <date month="January" year="2022"/>
            <abstract>
              <t>This document describes a TCP convergence layer (TCPCL) for Delay-Tolerant Networking (DTN). This version of the TCPCL protocol resolves implementation issues in the earlier TCPCL version 3 as defined in RFC 7242 and provides updates to the Bundle Protocol (BP) contents, encodings, and convergence-layer requirements in BP version 7 (BPv7). Specifically, TCPCLv4 uses BPv7 bundles encoded by the Concise Binary Object Representation (CBOR) as its service data unit being transported and provides a reliable transport of such bundles. This TCPCL version also includes security and extensibility mechanisms.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9174"/>
          <seriesInfo name="DOI" value="10.17487/RFC9174"/>
        </reference>
        <reference anchor="RFC5326">
          <front>
            <title>Licklider Transmission Protocol - Specification</title>
            <author fullname="M. Ramadas" initials="M." surname="Ramadas"/>
            <author fullname="S. Burleigh" initials="S." surname="Burleigh"/>
            <author fullname="S. Farrell" initials="S." surname="Farrell"/>
            <date month="September" year="2008"/>
            <abstract>
              <t>This document describes the Licklider Transmission Protocol (LTP), designed to provide retransmission-based reliability over links characterized by extremely long message round-trip times (RTTs) and/or frequent interruptions in connectivity. Since communication across interplanetary space is the most prominent example of this sort of environment, LTP is principally aimed at supporting "long-haul" reliable transmission in interplanetary space, but it has applications in other environments as well.</t>
              <t>This document is a product of the Delay Tolerant Networking Research Group and has been reviewed by that group. No objections to its publication as an RFC were raised. This memo defines an Experimental Protocol for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5326"/>
          <seriesInfo name="DOI" value="10.17487/RFC5326"/>
        </reference>
        <reference anchor="RFC9293">
          <front>
            <title>Transmission Control Protocol (TCP)</title>
            <author fullname="W. Eddy" initials="W." role="editor" surname="Eddy"/>
            <date month="August" year="2022"/>
            <abstract>
              <t>This document specifies the Transmission Control Protocol (TCP). TCP is an important transport-layer protocol in the Internet protocol stack, and it has continuously evolved over decades of use and growth of the Internet. Over this time, a number of changes have been made to TCP as it was specified in RFC 793, though these have only been documented in a piecemeal fashion. This document collects and brings those changes together with the protocol specification from RFC 793. This document obsoletes RFC 793, as well as RFCs 879, 2873, 6093, 6429, 6528, and 6691 that updated parts of RFC 793. It updates RFCs 1011 and 1122, and it should be considered as a replacement for the portions of those documents dealing with TCP requirements. It also updates RFC 5961 by adding a small clarification in reset handling while in the SYN-RECEIVED state. The TCP header control bits from RFC 793 have also been updated based on RFC 3168.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="7"/>
          <seriesInfo name="RFC" value="9293"/>
          <seriesInfo name="DOI" value="10.17487/RFC9293"/>
        </reference>
        <reference anchor="RFC9000">
          <front>
            <title>QUIC: A UDP-Based Multiplexed and Secure Transport</title>
            <author fullname="J. Iyengar" initials="J." role="editor" surname="Iyengar"/>
            <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9000"/>
          <seriesInfo name="DOI" value="10.17487/RFC9000"/>
        </reference>
        <reference anchor="RFC9001">
          <front>
            <title>Using TLS to Secure QUIC</title>
            <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/>
            <author fullname="S. Turner" initials="S." role="editor" surname="Turner"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document describes how Transport Layer Security (TLS) is used to secure QUIC.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9001"/>
          <seriesInfo name="DOI" value="10.17487/RFC9001"/>
        </reference>
        <reference anchor="RFC8446">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="RFC9110">
          <front>
            <title>HTTP Semantics</title>
            <author fullname="R. Fielding" initials="R." role="editor" surname="Fielding"/>
            <author fullname="M. Nottingham" initials="M." role="editor" surname="Nottingham"/>
            <author fullname="J. Reschke" initials="J." role="editor" surname="Reschke"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes.</t>
              <t>This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="97"/>
          <seriesInfo name="RFC" value="9110"/>
          <seriesInfo name="DOI" value="10.17487/RFC9110"/>
        </reference>
        <reference anchor="I-D.blanchet-dtn-http-over-bp">
          <front>
            <title>Encapsulation of HTTP over Delay-Tolerant Networks(DTN) using the Bundle Protocol</title>
            <author fullname="Marc Blanchet" initials="M." surname="Blanchet">
         </author>
            <date day="28" month="September" year="2025"/>
            <abstract>
              <t>   This document describes the encapsulation of HTTP requests and
   responses in the payload of bundles of the Bundle Protocol for the
   use case of Delay-Tolerant Networks(DTN) such as in space
   communications.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-blanchet-dtn-http-over-bp-04"/>
        </reference>
      </references>
    </references>
    <?line 474?>

<section numbered="false" anchor="acknowledgements">
      <name>Acknowledgements</name>
      <t>TBD.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+1d25LbRnq+51Mg9o1UJrmS1s5mpewmMyNpPSmtd2LNVipX
Mgg0h/CQAIMGZsTY3sor5BXzJPmPfQAa5Ixs5ypblXgEAo0+/IfvP2KxWMy6
qtual9lnr6+/yc6Kwlib/SnvzH1+yNZNm11eZW/KG5N9Y7r7pr21n83y1ao1
d8knPpuVTVHnOxyvbPN1tzj0i7KrFzndtrjh2xbVfmFg0EUtgy6ePftsVsCP
N017eJmZj/tZtW9fZl3b2+7Fs2e/f/ZiZru8Lj/k26Y29IOZ2X61q6ytmro7
7OHi5Zvrt7O8NTm8/bLuTAvDfzbDF9y0Tb/HGZttfvjN68q2/b6D57LrZmva
vO50eVV989ns1hzg7/LlLMsWGSyS/nve1+XWZFdt0zVFs6VrsDe4jEyWQdd4
pZmsdDbL+27TtDQW/F+WVbWFifzLMvv3/jO6INv1L1Veb/LGXW7aG7j6TV5/
D3PK/lpXd6a1VXfgX80ur7bw+/f81KH/Z4tXlvX3/dKU/bKoP5vN6qbd5R08
iG//9u3F75//7vnL2ayq1+MfXvg/v5Q/v/rti7/Xqy9+/1v989mzZ/7P5/Ln
P3z5pbv3+XO64XLxerna5nWxMR3RwKbr9osGlrFY7V/OFkB6+P+yfGW7Ni+6
2YxOBy7UZVa6I1p0ekS1O6LsCZzK06yyWW9NCVuamfquapt6Z+rOZvdVt8mA
Tm6yfdvsczgKPOoSR59nRVPj+6oaHtxW9a2dw/NAK7uq6+Bp/L02BWwO7PWc
5mJhBWW/hfvhtw5mapdZdtZl3cbw8TfrzPbFJrMH25kdDLhtinyL1KH0ne2A
m8zHynZzvjW32bav8xb+1a7zwpEQPGz38O8CmYcnVsNQ/lecEL20aHb7vsPN
0B9hVm9wujwL3BWYoTVDKuXJ4FKqujdZ1+Am4r/vYPmwUTxz4LYCbsXX4e11
0+FmEmnD3i/s3hTVuioyC5QIjxXWrcvU5b6BmWdViQOuK6DbubLPtlqbrtoZ
O9fNdNsLl0DcoEyxXdPmtEQ5Ktjx2ex6A+cN4qXHQ4bTtEVbrQxMkZ6J2U4l
V7Ru2J9rODK9BUbbb2Gryyzns1w1MMe8PWQreMCYGhY/HIP2g19YNsBwNYx5
2SGv5nX1nzgZ4nb4s4RHFxa2ICvzLseTbHQP9vlh2+QlHjUKMCBYeMb663gk
OB/aChwBHjMt7VfbbJEO81LkHtNDa9ZbIFk5GXzC3RDuYbaCI8XBdVHW4MD4
ehCPNxveABh+35qFHwEooTP0nn0OV+4MjbOAmywQr6GTMRluBux60VvcWBLu
XUNCHmR1XoPkynZNaZDZsvtNhaQC41UtMo+ciFXegxndN2OyzYu2sXa4/TFZ
5FvboPCAeVg8jjpr9kLUOifaVtPeVcB1QjXmI7A+76ebnjW4p8E5tuY/emNh
cqBhYLn7vSnncjTM7y0TMWywDk8rBxqHkZUfw8mPaLqBKSOnlWYN8glWWpv7
7PzKzy9bwatu58yt7Y2pC7MAqQZT2Itemg+oDNixaEoQE/MMDpnkhb9VWHAB
fAAi9GOxyWvYcP87MBFwNxAwaGXPN7v91uB8SawuWYjvqhJeOpt9nl0ilZY9
LRpEOqwWxruDDbTE10BZdbkA9rzPWxSou11fVwVLaGTaSJCrSCkqy9ISqfDP
OZCsF4j3G9OawUAosVawf+s1H+Hq8Curg/Oru99lP/zwd6Jkf/qJ7sTjflcV
t9sKieQaiUGZSmFE9uTd9dVTePSfROHio7IeuG2ft7ANwCKyj/wMy2bY+W8a
pPitE/l5B7/A7JAGQzahIWE2OyDqO0NywolpmH2gy+b4F9E37eBYkYluvef9
o2WKKml6O9itX1HTJRXdUQVH2hcHccoNXrHfb5VmaAY4QXk1L92aom9hMdnO
IHdUdgcvB3l3cFoRriK7hVsaar7syZvL1/bpMQWI3Ie7IVpvW6FOIOZr8DAm
9K1KjwLwbkdq0OkvkWpALyvg1GWsiYDaTb6zojhEpBV5jWuBE6/q75lnSGPF
RARwq1YdAbsIbLOGKcl+1IbpbsXap+vGinXuFGU5oRBZy5BOLgqA4HhecJ/T
a8pxbrfmxLQwf3jKcehAd30KdujwAbeh674mebYcAojS7LfNwa9U4WCso/7C
kh8JryIVCFyLWi4nBRVABjixjwc8+NYUBpgIVq+vplkxTV5fXInAQFgOAgN+
+de/Xl7oRQDocFFZEVVPtJk8yL4Byj+4uSnWiCc3NHqysxvcvyfnV2dPiUB7
VLLwLzfNfEungDqQsI2QGa7GyGjEQBXRHPwCmoJEk6OfXX4r+xhwJ75kUZPJ
EuKNZg+WATF1kQOLHwMewAU1nyrDEI8+xhTwKCCCYGgFNinTBsylDWlJlm5j
HgRNhWIdD/SmwtNYg0S1qox6fHGSNTxeNDvmoBhRHEGKPD0zMTsQ5mhfwgNy
RnP8DW01ehlsb9tW8CvOnqciT1ikFzeTLgdM0g03bMR/PxOkyVIcJmoNkSFO
wIIt7bZatsGJXre7BPTGWHmeAeqqOpPCv/NpABypBjAGiGxhPk29PSA6qZ0q
4eUgdESSJbgoyr5eVzc9br/ChkDGBPIBtxmhSY2IvGmdRYZPtIBX79BMDpYv
AoCmhSPROxch5BnssVvKnHRbngG/A4ttI02pKoj5ayvYrYWtd6ftF0BnPTZQ
QrNEiGdINQFdW4dHUDcyoFPteV/VJTGPsxqdLiDV0LrT80ea3+XVNl9VLKzE
HIGD6G0PcIr1+l1lK1CfbC/xpI0HHbEmYJVNq8h3oDQ6lCvE6RuzhdkaEN4m
ZZ3htIh405QF7yakf0hv3JQ9hxgNsD6bEYyb7jOSWQuRE/FrbHWDgru+GXEq
GXREy3iGICBqpJW22MApFB08O/dKUoiRTA1vM65hp+kdiltEkimuQmtChTzR
adoI+j8yeFI8mrG3bGANxVYQHPEmv6uadjmwRytLwJIgE2jUNx9BY1X02Jb2
obLCaO/RuwkmkUU7AY5VAZ8aWZ9n18T5DagMht3vC1B/8EP0y/AAnWRcgz5o
7gkCwN32JZtmsd57OXuZnY1RzyP9IX8NTGKVXbxJjDlO4h/23TC5I9ZReBMg
GnjNCeBydfYzAMpsNlgn78zQGkqjPpYQ6Iz7mCORIAUU2x75Pm0JIRg5YgqJ
8KonjCGY7Jsp0EPTHsOkT/bAqKNo5IIZAx/vEtOjXB1AJKj1kYL/MtIYo3gc
Eo0RwZAYEk0CkTcPwBdu1xSTOKQR7JxODySFPeIrCo2XpFcodCAlEYLuSgru
rHILatjjDzzKaQQ8m70L4CaTtAvIKNGpNx7fhCRde2tuDCyQwwKjEt3iEaTN
bo3Z81Rd0AGeQqjPaEYM5QOLKHxC2BGPnE8bDBfTwtzfb3ICSDdAHuLCWfVr
0EmB1ILf9Vz4t8zyU4AXdv22q/ZogYeYW3UzO2mtX2yErllrj0A5zOoqgoqC
OIUzcGJ4dKwMA1C+OkQYbxIesHNZpIflOQbSEobRI6Gt07evQPWjUjkYcl9Z
0ATDd/LIhM3i4eEYR/MjfY2uu1J9mHbqLHBHUkhGt2INJ0+oxZBrTpwX9EbP
7zkaOqD/xCN7xCvNolE3gYh937RdtB28VDZg7JgZBboplAqBKMMph6YeAaKu
BIqAikFcDBdxAyRGumBmFwGpzic++QGFEUONZDSxPzB1R0YUyvW+spsBXU/w
UZaN5+ZByNjVjBw+xl4E9pEnEwIrVJXuTBFGdZs8dL2QZUSIIhKZ5BZgqwMR
5FHpKaKRRl+BGWBD2d+s0JE1d045D+72OU6/o7AUbxNQTQ2KkVx5fIKAqr41
bNrYTbVX0iA/71mAf2ezs5QLqYr8cXVTyvIJf6I9A9ta1XfNbQqdeHDjKHEM
cB7uKno4fBKwpBtlxf5go1mjVfMJxHQdgUy2Z0FQIC2GwmTfgD5iSPu3v/1t
9sXiwf/7YvZj5v+X2PTwfz/izaPBv0hfo5t/dJTIW5vRNUd+eEp8jW9+Alv7
G9zX31y/e/+Ub34Ce/dFdvHuiX36NLj5UdPQ+WeJ/4UX5eYhHnd7o24puflR
+4wHExnxTkC0hkKmYhu2whNnLGOd5QZoA3U6UZJ6q+mOAYE5ivWRHpF/PrMj
RHkHhzXFVe8sk0hdBa4KdacwN3BsGSW9c93iSrxzXSwykPasUFDVoZWF4rcL
7arlaH8Ql4tBCBzPsC+UnBlJTtyHtxjlYtNgjgx68S6j1A6Y7pfqwn3+uy9/
+kksYOR2uG0BYI9jTvGQfA4oFEH/tsh7wpNuc+CAYE2oCNiAcw6WyIehkrnM
KAAEJgMCNnz5prqBSyL6Ez5xPFmOgtgERgQhS9BrwfDOQwZvjef36HwZBLUd
/B6gYtKJOmlUFhjc4W1scIUHiZoETrXxnpFg04ih4aAWyFQDPyE5k/wn+5qm
8k1TL/7UAFoaBRLUhwnm9POluOFSbhJvHcYy69XsxTLlQXFnF7mNcS5eIDGn
uF17NfvtMisPNaj0YugSCT2flC0zZSO8mn25nDqWaQ/oq9lXS/WdqkERwF3G
v5Mo99Xs75cp1+RDXMGvcFKz3y29PwlHwHBrrkF3jkYrAq6CMI8S8IkwPJ/t
VCyeTvCUj4rORkZIO6to4/MxxnSoMhjrK9qugW9LdvG4g+sVblXSqSsTPu7a
fTX7B3ycaBGpZTsPnG1oCgIaBRHSs7NHY0Yon5KW7St4ZvZ7oDeaJKGN86so
ij6HC+9N4aXiC7z27voqCpirFA1lJ1x7916uYG4aXhnFyGjSX1+74TBz7aef
JsIVA+V28fb1Fbnl1KNASZLXwkt/ht054pdxmWsEgpOuFnd2tNsTjpezo0Gs
QXzS5JjVgqxH2syc9uGcctKpP2wk8lmAOw8QvKwSK8Qiyq8L80gPEEepVLH5
aJXuS7ycQfDqZwWtrHg6vOFCWEM4aEIbjn3YHmIEPEe5kChS6iLf257ZTUZw
r9ug1nR7cVTPHgsfijxO5YhNJZEdidHg72olqb4LzSIa8RqTd7Nz2aKTFsKE
5qSkoCM+rQkr4gvByamfADq/b/q28Ovx2BrMgAEXENSO8DXfh0P9EZ8LeO9P
/zaFto/OJwX2E/D/ofcpozzw/rsT933ClH9M2SC/+Fvc2361jXk8YV3H0gRf
+o/4G/z3zYCupgjL/ffnE5Zb6Fvmtucvs0mlxGbfRSDF122zYyMo5hadM2dw
oFrpEtpDZbMkRzJe8V4YxM4oAA9z0SgK2MU4cOlPKUMtDLl/kuqaXpX4CwnL
UZJGSZrmMVGMs3WHhoRoK4PW6khDdZgzhfiaJTrBU819jnMkw7jqIGearkkK
nho73gsabBIL34FeBSTb0j4pGCWoQYc+ygeh0OxkSohPaDkRoAlyY13+oTqV
j+jhhCeClwkbyJ4I3CnUKqXBwcVxPjz+lLZ+y2kUXRy/idRq6FxAkoe32iDE
gwOwsZwA1IFJ5/NBKrSXVen9R1+RLz2KlEYhcjx0OCuY7EVu2XPK6ZyjXZnI
FDmRHkJ2c+ESSRKRGuQY58DzK0LyfZCv5Ovm3gARzPkHKuphA4Kxtfjg79FD
OqnqXRqxcDxdw+NAQjwM0aV6kKMoSZwSN0omD1D20Oc+gHUB8W1xRwwSNe8B
7P9NVQ9cr9YI0HK/AvXTKhPnTKIvlW9jGXG9jm189edfBDY+88xQJjqZdrIy
YTm2R3CnN/kdATaQLd9eXxORom9IJDxnjlKEEpMu6ZAiFIBDrAJYGeXx2FEm
p8vwpDQSz+LNHqUbSpzKDPJwKHeZ3AzOfRXmwgXhqjgfKAwCkri2kXOc9v3z
TKKni7foyDrzcdL0breG6AIFHKnIY2FU8uiH8RteVhRKpZDCsXAtiWikY44w
uIiqT0aeB5Egivt4TpesHPLUCNNLFDBWGiKO6363MsQhsAogXxLDcQAK5htk
azGJRCoe5VnAkCtzaMhbC0KAHlR6oURzrLUgfwv+QVEPSVM+ktrKqTgk9Hk7
/Kx5ihySQUeJU9H7I/FcIQMJRJ8F1HROwc80HfgTyafjpiN/3ziYJwQpwTDv
H3fOcKYZGU/ZiF3TDhzQBm1hb/6cjobTBDm1QOO5kY9YBaAm66rkA9hQfcST
5reTzYZEH+YgfmvyMseMOn4V7vt9iy5D9nA0YWRZ3p5dolRCuGZ2wPR5W4G4
7es2HqlsaE4S6gZGKytxHcv0Sk6vgcX828aciGAzoKUAq/W7SAQZIwEQT3tL
0WrNsPPwKaFwgBxf98R1pANHUW528G7x+kERkZsR50BK1iJnpB118XJsNSRj
3hKpXTKdkLJGpF+Tm6J0uuS9iw3Llg0D0y6ejgJFDIV0gsU8IUSIfOwwfs1F
cMej14louIYAVDSWspZ9Is5dO6gyWI5L+d/37R6mscS4rjxp/HQZaqCAMrnt
XrLzQZa7GAjbGc97vbYYjG4dNhEpNNNXb019023cP2lDfQRuYnD/Z1IreBVy
fBKwRFKm1usEDIUQ+eVdMEw82fDtpGZAT5OnlH+OH2EKUbESWg3LE0u0WNvU
FITiRHARNAJa8uoJ6cGn/VhNdUaB4LA1VRV0qIPrND4LVLGfQDKPQxM6W1AU
OC8C9aenkkqtSFXxEb25Otig4As5G4stZUzdxmmKllBmaCaxf93j92XGUmAA
JM8sAM7V9jCbicDKQ1mSdyiLRRYOdZ2zKAOxcFzaEg7jF5owiW+cCXM2FkG1
5lMEoheBJibqIp6LBBFs3Zp+jVAVaXgMWSCNlt+DlkB7UugZVIuKbCktKA7F
1owtwqLZrdDP6+ePL1L5gYl3wH7fvf9w+x0CGhpNrGDeKJH3391+twDuGq6c
Hv46fNiTI0rIjcG7kJWC9CiwAuH8RUS9+3Cb/SGD92dfZDDQOMBPgfk8RAq7
/GO163fDTV/1YBXA6X93/gHu+I4SaRmt4Yrd+4P3/uMfMrqXX/q1wZxxeZoI
dDMcHLs/NDaRshZaYJpSCwTtpJ7uRYqx/G9hWZ1kA7hNPIF27nNMkgHxsD1B
1bCudb/dql3hdTNyk2wpULTlqlRxBUzqawtjW5BI5ZjwhOHEwrckvAJmCEBE
mMqDSHQH4tQMUYRkr2syewawEmskqL7Q5C3Zug2zvHAGbCDYYvs5D/g///Xf
nHblEhLmXOV0D78oTPGOlftNBe/GHFFlMqe0kXydxTTMxJSMQAExFxLyPKNw
tSzoTDdz4kgR5/v9GJi/HNzK0SYIczGPIa4oNB+g86YA6whPOGKPzOWvOUB6
DK3F597lt5qteVrAzgPpOpSpcU0ZJxQOzN6kGyGvuUjPT7k0RWXZiqMkFbgk
6S/krYzLbVJNCqLyTbHi4ArqqJHcR6Fx2FeMB9whSO0Ur6aT0KqIIQrfi8Ql
/BxOrgqANQXzfb6QnyDJmDu4hH47sEf3sEoK6h+XAy7dT4K4uTNq3Twp8B/Z
dj67Ce9Fx9y+SyYPLFmkknooNtWT7ilpiDy57zBsiQ4lLFGRu//w/DugrrwW
Q/hhW+SffhY9XTecw5V8RiZ5+aHsaj/NBCGEk9S7B9P81L2avRW3f1LLMovJ
5OdCfPOYrZMs6pwUmj21OgjV0Tbl/Yfbp6B7n8/oz2yR4X9/uF08/yn74x+y
6w+oU57AP5/OZL3+iVBh0mWnMP1MsJRc4/kTC8M1fBe8yI2CV0jw4hj5OnCB
gPDvbSj7LmtnVouU4JYxsgvz0/qwbuoFAkcyn+L5w9n8BaTjoKIK/VqduSEP
RnffLHx1u3tYRQQR18UHs14rcZHNCabljowHTjbHtKVRNjFlGYsuixlAaGGZ
PYBuVrDH91XZbXiWXlw4BHb9YXU/RxCGkOg3mUyWznqMxoiW0TGOdm2Myqqa
UNlYMs3xjOFnhmT5XVOV6gQnPY3q2YWkugYQKhw4JYOBdl6QYEX7EG9biA7H
YiFxsEakwiTvFsaEhSQLmO4JL3Se0WRkbaTk0A0M0Bs9sxasfjus27Ou+jLf
A8rQqGKw+Bgmin2rO++DOx2+rWw49gHzfz1AKm69WIrXlNxpIVq4By84A91z
d6g7AhISW2FPhati53FkZbr/6hKXlBImW1Tsm4bzTdGIJDRHWaHL7C8EUMNi
B+IFtLdF3nDfqzWHERmAJ+RUqzNkskxUUIjd4BMuyH9aceWik7dBBIGTSEJ7
0GEGz6Fo1CEFhg0jfHgAxNU4AjFISKJIBxbXOCCHFZKwGkonoTdoock5piJe
SSoiGK1xeCRCaaXhoJik1YQxXQZbCpbS/SnEsXHERTx8ww5Voij/mL83zbHC
4GWWLKNJJOk8vo6F1eM4sVDg9FvO44z3/kJW+ZpWydLq6D6IivkZpU9B5ROI
msUvWf3EWaOLX6ri6XXoup00WqK88soONkwdO7u8zm/8hJ2N+qi4i9pH2RuU
opG/g9TKJnflKRjcRYHod8/JVo6ksQzsGipYdrXt4Tn0aBO7nY45O5jLdQMD
b4QOT+FmZw9wxi5l/+WaYszCrBGvz6cQ10PPLKQlDKDnNnE0o2MDkchnFjgA
sZGT4rQ042gvhzgPX5jyDQy42lZ2gww7IfjSEsN1CHIT3zbN3sWbjnTB8IGO
h1baabDg1zJlg/zGx9qy0ya4s8B1cVW9h2Mn1Qmbx8UPeKquYCqlZU8h4HXV
2g6jtU27kqzUai35juQJClw162q7tceCTdMxpnMBWYSBds2dCTI3xwX1MeeL
9pYd4aATvS28C2iprDqJKhLHy8pZx8RBXzwK13Yrphk3oEtSwpALtSgxtt92
gZtALcptY7Fgzwft0YmuqeeiBhd0bITHOnYsEFoStYmzmtaPmv0xUYgaMUBc
YDrsLsVVO2ARP6JkNOkVqQc9TzBT/JYKHVkDCHNJRgzTmK9wGI6n5lLKfI5c
BdRjVyWX7bHJV6UVX75sIyLQnbZ6MZhTUAzMlrG5IlO2BleBr3Jz6uvYXaSV
YXWTMs/w7OvmmE9p6eMYHvoGgddTUX+2xohxBairgPTqkNywkepbShIgaQMx
Cq3ElssUbzM7kV2ASise67jcZW4XALjuW9KyDm4LPyd9Qk2bbEoT3tIaMAqG
WXDIozuXkD/2hIble5P5GXEI+sKr8Thj3LluqxYWtA2MEJKiqDv2OSAKOpt+
Hwj+4bq8hDtnZBDoPEk3YUsqZ2dBIrce6SGUAQPcRElMOEKUxkBO4H1eFweX
hj/0aaK/23e/C/ZP6SiYqiKrIHE0xiODhFD8IUifcp1qXIED1kNL28yOcp84
fYBUHwvUUeKv6xLSMKO7hK6wpmQUYJpurxUJ11EPJPZmrEBW7CQe6c3KAjlq
6boZOLNTpaY3Ox3CCIsYksZnqpiVw50aXx9vZ6KohmxYjU5cYUEWNSUPk8ZG
cQnNW5zLe6XrEKcQhT5K6hpJM21W7GNWcyDJ6W7xQdTroQnWkgGSkr6hlzeR
KCtpsY8VE+/lxH67fLH8St4/If6nJ8AyvrShMzjkq5DaEDKxxVoHWCEsLjrR
+Q3NRD9rnPfE+XJsc3SQXroF7byidmOJi7THlZCUN6v0nWrvU4cZap6vUbbQ
t09kxHmlUmRNmaS+hBJgmXMND0NBircdGh+gbizE6rir+DxgGrocdMOd47ZU
bZCIqAXfC5QOvXWdGciMELJ6oOgblAoc7bdcH4hagkkPJ1r0oK7LwyKKb7rZ
3vQ5dqo3IWUoaCIDM2gwtfa7VuksNOkeRF2Ovt+q453BfozAAFhDYQYkj5dJ
RbMWJLjNLs28DtrHksKSVmwUkxxodMRvYN+2CHWQaPA3vV/5QJmIj6Q1lDk0
19e7xpFNWqK41i84TzyLrwHBhFPQ0jYCfPJuy2mvrJhQxIYIImygJq8JrObs
L1pAHvZ80o4l8tmKN5qSIwUSDyg5jms3Uy3R6AFcyKjSwSVXDdSNdCYN2pCT
04ULIjSFSI5zXK5yHd0bxNVcP2Kf6PrRFD31VXEtq1J9VQQaRGt29fjBrrsM
Ky2pmc7e926NSFRmXFcSN/B0ROlY96UT1+M6ieL/ps2nbLQ329XH6dLBctc0
S9md0Tue75GG+Lkmjk01PhtgRdcKYFTNmk/V0GRMYmaSqPWTFdyTdJfvf0ZL
M1eXPF7SgGxOd43hBmcEIgRf+S6wn1r6OfigzYmKux+zJ8UWrV/71Ffo4VB/
TPVo+f/STyn9PH9M6eePw/d88YBHfnSyXC884JE3IhGf4Gk+5JFHT+xBZZgv
XkZKaYor05FhRdXDngpRfdkv1DcYcyZD72GYKGuDujkAYthvwdc7cUlTjDEk
jXrzqKo39eKLgc61dzoG9gsLyu98hxgKoN5XVmyCoLeYtLnn73e4niChVMGi
duxFchGYtUpqf+Y3jDufIaxsQRrX08UuZ+nussOOaFmxBfUTBknDLv2Pao2W
bFUjOsvX+BHeYsGviY4AOlFuTzUz4HkHXUDoQtQKhG9J9QPh1PrUTrA5QyE/
iviRwuIEdcQpVK3rOnRJw14OoocuYCzmwV46yOavZBRsDucc53k0lIT88SNc
7qsZ0S/RyGU0rGjbiU8/POBJd3AH6TQUnGDQpg6fGnw+Aoumq6b1HyUhUL5w
dhIjZA10MkEqnvfGVNj8TuDGIXQQiZ8syCM5TnUxvwexcCBt5MiwTZLv9rcy
zNZliI8D6TUUCS5LTweh5H7DNXRTfVRdtl7UHlDfT94kl4o3OJ1qWHoTvBuT
HfdiKvNuf7UMxFvnkst1oVqSRDYvnFGFRn8JOCkv8aLWtUnerCY57tBdjUE8
thyH+VdkFpMZlE4VFieu2yDTtuj9EUzIZfCU8SlSQ7xo3icd1XHCEugRzpP1
uFCMDJGwYmqUiTaRuBcY+nNgmkILZKAjTnVO7rzM913uCSssinW1EVodpdbD
nKK2fhDtLsS8Xyd86VwXoUZ84jtNsitc4m3Z9c0pk/Xpfi5iklPHR5tpdZLZ
WkN13HMp7pM8Gi9SBiacq9Rh11HLfEtSLbUtaF9fX1+5KVUc/tw3lrvat9jc
ktynQEg//PBPRz/Wh52SaFOPek+IFqg9oMRs6kFjGyDdOuOPeAxZdOiM2NtU
a9BYPifkDzvBPFW5l/kuhFH3vShIxTqo6belN+kGDQRCxYGeocrc+dnlke29
rrhyUeSM3A28d1RJD7aUjhBAIjab8ltF/+JWFiqr59r7jn6LtEjb4FS0WY8I
+29V2CPxvRW9EMddJv0fyeI9livK4M57Q0znNWor9B35oyw1pk4+rlUeusWo
JoIbBHiABU8aYK6b7dS93kZGPfuMWMDq5qMYdW/jXP1j3ZivMdtOyk0DIBbg
gBRRkq0e16im5emgI6OT2rUI7NAhnYJDmOSsi+F83lR0L1zc1InIUgNEpgAk
9NQO9KTbWvdLuAvuMKi2AuMPa4r2O9/lYPUJj2R4WLoXv4w30pW5JiYOwqxA
kh/HNwISoJusXffbgZAQhuNUzeSpSRsd6RYg4AJzILQ8JDkr3IiRD1d6rTvH
bcNZpYwzopcTQYk4TE1KPvQW2HuKPN33yYbrCe6l769tMdCBBEYp6r2z5FS5
hqvh7qmUrsuuqpzTjxOldqCjDNdfYeLxnAOAwa45EsjpzfhiWqxE0m7DewNc
53t/JBvD2gOoxrapG6I1leVh8krUMfQdB+PFZ/UpXmZvFlJjTDYu55TVwCG9
sFem4kYOCQTF07S0KB3E28hhdeonf+YnmLDqLkG/I0VNOsMHo0i5UetG7swY
VOZdXk30P/Fd693bGI8JHGtXFUy2PQxHiCzoldFOKJrmOyG4rfN/tBKjyeDQ
qzKyK+bK2iO7QnAwmRZ014RZIPc5yyAjhOJsAwnz0/bIq4R4/bNy2gr7VV2S
Y2MvwcyGxEJYSK18ckxEYHKby38b2oETsYPP0b/PFtswlHgtvD9uly6f4n30
p3fJlnC+rcTnd9MdEscNEp0wP/69jvDjNEpWAjDEC5W2QZO29kDlda59jf+o
IzdLilPrtaOu5rOc+o4sp6Ed9l0DZuZ+M+yfFvp4FME/qBHrA1qs+n88n2rU
mvzCQPK7m1nckdN5tB7a/DdI8A46TLLsljykZNPKX635mHhX3fkrHUfWjyfg
uV+p/+w2VQgbqlc37juU/jMfr5028+49LNeEgflTNmFTrKGydRNyH0kLhCp5
Y9Dj1QlORG0pnwdQN3SEkrT6KPCLTbIWOtGovxN6CxEdgCFRWd9dgUaGB25M
ghu1//yQxdEuiOJY9y3WX4vkxu+0zoNeaGP95SooQq/1JA+znSQ+ckLeWNe0
bytqycaJUzuQB9RiuBPRFrM7jP2tuuf9QMEHpXpMWenkRObxxObZLX2mFjPT
8fznujAXMM17zOXdNjc3rtjRObMQ3TR11TWt+yDGJbk2OxZCZ5Hn3vnFXRK1
3utb0zXob2blg4oQVKk0pfDpqPLQkr5rkJdlS4F0FjQchXP3zLlxczyNqKGV
1PAWBWZpWooEyxlLVaf/IAiSueUCZjHUqNVZjg4EKomCU0LEhtaaAqigmVBQ
HhX3330YrUcaquqEcPI414ETSSn3Vxx2fic8Ac8Ta5Lvh2GMNfRWOqh9LCoM
hIaupsLvuw83tUNzm+E55q30dSD4eFT8VLr7Ep7zrNZ3jdKufkoKxTqYDiyY
Ux+Y8XLM52TyO/h7jSEOs35DXBbGgNAF5Q1YR0aRpUnLsWPwzTm7H4HBQmy1
MlSkWG25p6DEp9wnmCeQ1ufZGUtkTehds6Kezcb62n+HHc/hhtRIIJ1C58I5
ffrn0t3G/35yfnn+1KdYEUHQB2uOD3MxuFkHuzh/qiQYdOWPPy7Jq8ijNYJ9
Rnl9Tcx8INHo03ZTyYaaPhH0v0lU3RadtuPgV3uFy0znO2+JC7jqArb3kBSn
DEu9PI/2ptEzSB+B+6LKoOFBwiF9uR4dAuWXM4m6fGaZxsVwGuO3sHf2SJoK
70cwzLAPg/pRbePd2XH+B7ERCxzZVUmxd96PoITKPYPrAHSIGj25a+ThIXgb
BKSDbrwnhdzYox70OPVqzC82yi8fyhey0zo7XKML3KRi6ZT+RAF0bHjmv+/N
sDr9fe8QWEfqxAffoyNDjeI94wGQJOg4iRTX0tdIkAmZ23vRVWLPkNjFArfK
qCnkT4d7wrqGgPq6SZOFXS4H6piFsx9G0cNZco6SLhP1JPVDC1OJO/r0AAgl
sKc0Wq2pr2BYYOYskJblD9OqI9YrlpG2oKaCxGQ0BZbBgwZa9HFW36Lpym3G
KRZL8H7Y5Op0hzvBohMd1eZhN7i59nKDX7blPBKRXA9N8oM/01cabe73UW1Z
vGdBXeN85DjJ9GHEkt4ltYCI0SuvLdWjgbrUo474xXN0Iy6atXsvVWTOXTHM
urcRlAhqYEbNBsTFiP38og6BPi8iRvJp2TOA9LgU7z7MgLBuvZUX9A3ihH2L
AogCVPyFiiAVITJECu0LfETtklPMRWaky25FrcsRRmE8LrjbBaNJGZHMJSZK
dc7y4uQxHdmPplmTQyLQx4H+g713oSrmxTcfN4ApnRof1aSDgTj2FT2+W3F2
FnaCflCrYv9l8eGnx2m4XY4CCR3G6HjGbvdORUZWrpja/NUww6sNK60k1p6u
1XIdSmF6IKSoYHOHgcDIqMAKR2LcjreAZx648+gR7hHigDOaLtyliJD36TA/
ip7gW7Rhnq/Wnd8Ful8SzwqTklquvL1wzVePFAZPNKkrjn1f7EgxEtdwTfdv
wN4N9nSgkAuS0O6aqm7MwoJKV9AqHBwUohytV50sxk4pdEeEIpGlajCu0ov7
cKu6lG8OoGxSenfUqR91F9tTGzAP0vBCpE3VXCau5dJyuZbLgJn/jed/wlcS
aokT8uj14+j2tyCA7YlwNhkXRpqwhDvk10MZeRKbUs0UWaRzMdwkkcclgidM
xtCmju1n9vC7H8eJWd6+Zr/V2IoWSbOVOnEdwiadFczCrnl9cq7kMRtFN8Qc
5va8OTXngtdNxT4Dn0bXpIIOJwIN6uok6N2DvGgJDUnE1b2GsgjICbuVDh5R
0C5M7+GEvbsKfmLuIE5ln7sKuoXbf3VvoDbn5PYjUU8ScRT6LDX2WQ6Dn0G6
wFQMNLRLk+6gNZcdYWN0AU9wWmXP3lnjL+E+cAlRcJ9aaNiCRi66DDJHgNjX
luqWO65jj4+WlcFAyNCgSJ/D4AdoYUyrwTI7veRaBmrskuN0ueV2YqFLdvil
w7BUQ0PduOqbpqUvAmQEd8St6ROnyNsJQ4PUxHaIm6bpnNsTVs29M3NA+Adb
EbDPLs++OUuEsEJss6MOFnXD9wb7slgsKMMDxzkrbuvmfovCmzZq9sPLvuZW
Lqb8CYY8f72c/S/xCfxXi5cAAA==

-->

</rfc>
