<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-shang-agent-network-admission-00" category="info" submissionType="IETF" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="Agent Network Admission">Use Cases and Requirements for Network Admission of AI Agent Instances</title>
    <seriesInfo name="Internet-Draft" value="draft-shang-agent-network-admission-00"/>
    <author initials="C." surname="Shang" fullname="Chao Shang">
      <organization>Huawei</organization>
      <address>
        <email>chao.shang@huawei.com</email>
      </address>
    </author>
    <author initials="W." surname="Jiang" fullname="Weiyu Jiang">
      <organization>Huawei</organization>
      <address>
        <email>jiangweiyu1@huawei.com</email>
      </address>
    </author>
    <author initials="X." surname="Liang" fullname="Liang Xia">
      <organization>Huawei</organization>
      <address>
        <email>frank.xialiang@huawei.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Security</area>
    <workgroup/>
    <keyword>AI Agent</keyword>
    <keyword>Network Admission</keyword>
    <keyword>Workload Identity</keyword>
    <keyword>Authentication</keyword>
    <keyword>Agent Instance</keyword>
    <abstract>
      <?line 50?>

<t>Artificial intelligence (AI) agents increasingly access enterprise
resources, external models, tools, and other agents through managed
networks.  Application-layer authentication
can authenticate an agent to a cooperating service, but it cannot by itself
provide complete network admission control.  In particular, application
proofs are normally verified only after network reachability exists, cannot
be consumed consistently by heterogeneous or legacy services, and do not
reliably identify which Agent Instance originated traffic when multiple
Agents share one host,
IP address, or egress gateway.</t>
      <t>This document describes operational use cases, the resulting problem
statement, and requirements for network admission of AI Agent Instances.  It
focuses on establishing a verifiable and time-bounded binding among an
Agent Instance, its credential key, optional runtime evidence, and a Network
Context on which the network can enforce reachability policy.  This document
does not define a new Agent-ID format, authentication protocol, OAuth grant,
or routing extension.</t>
    </abstract>
  </front>
  <middle>
    <?line 71?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>AI agents increasingly perform enterprise tasks without continuous human
supervision.  They retrieve internal documents, query databases, invoke
Model Context Protocol (MCP) servers and Web APIs, call external models,
communicate with other Agents,
and initiate long or multi-step workflows.  These activities ultimately
produce network connections that cross access networks, campus fabrics,
cloud virtual networks, security gateways, and Internet egress points.</t>
      <t>Application-layer mechanisms are necessary but are not sufficient for
complete Agent admission control.  Workload identity, mutual TLS, signed
HTTP messages, OAuth tokens, and proof-of-possession mechanisms can allow a
cooperating application peer to authenticate or authorize an Agent.  However,
these mechanisms normally operate only after the Agent already has a path to
the peer.  They also require the peer to understand and enforce the Agent
identity.  This assumption is difficult to satisfy across heterogeneous,
legacy, third-party, and non-HTTP services.</t>
      <t>For these reasons, part of the control needs to be performed at the network
admission layer.  The network is the common enforcement point traversed by
Agent traffic and can restrict reachability before a specific application
accepts a request.  Network enforcement does not replace application-layer
authorization; it provides an earlier and broader control boundary.</t>
      <t>Existing network admission mechanisms, including EAP <xref target="RFC3748"/> and
EAP-TLS <xref target="RFC5216"/> <xref target="RFC9190"/>, commonly authenticate a device, host, user,
or supplicant.  The resulting authorization is typically associated with a
physical port, wireless association, virtual interface, tunnel, or source
address.  This granularity is insufficient when several Agent Instances and
ordinary applications share the same host and IP address.</t>
      <t>The key new problem is therefore not merely how to assign an Agent-ID, but
how to authenticate a specific running Agent Instance and bind that result to
a Network Context that cannot be reused by another local process.  The
following use cases illustrate this problem.</t>
      <t>Existing mechanisms for workload identity, Agent authentication,
application authorization, runtime attestation, and Agent-aware networking
may provide credentials, authorization decisions, runtime evidence, or
Agent-related context.  This document does not replace those mechanisms.  It
focuses on the distinct deployment question of how an authenticated Agent
Instance and its relevant security attributes are bound to a Network Context
on which network reachability policy can be enforced, particularly when
multiple Agent Instances share a host, source address, or egress gateway.</t>
    </section>
    <section anchor="terminology">
      <name>Terminology</name>
      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP 14
<xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals.</t>
      <dl>
        <dt>Agent:</dt>
        <dd>
          <t>Software that performs tasks on behalf of a Principal and may autonomously
invoke services, tools, or other agents.</t>
        </dd>
        <dt>Agent Instance:</dt>
        <dd>
          <t>A particular running instantiation of Agent software.  Two executions of
the same image or package are distinct Agent Instances unless continuity
is explicitly and securely preserved.</t>
        </dd>
        <dt>Agent Identifier (Agent-ID):</dt>
        <dd>
          <t>An identifier for an Agent Instance.  An Agent-ID is an assertion, not
proof, unless it is cryptographically bound to an authenticated key or
credential.</t>
        </dd>
        <dt>Agent Credential:</dt>
        <dd>
          <t>A certificate, signed token, workload credential, proof-of-possession
credential, or other verifiable object used to authenticate an Agent
Instance.</t>
        </dd>
        <dt>Agent Runtime:</dt>
        <dd>
          <t>The process, container, virtual machine, trusted execution environment, or
other execution context in which an Agent Instance runs.</t>
        </dd>
        <dt>Network Admission Function (NAF):</dt>
        <dd>
          <t>The function that verifies Agent admission evidence and decides whether an
Agent Binding may be installed.</t>
        </dd>
        <dt>Enforcement Point (EP):</dt>
        <dd>
          <t>A network entity that applies reachability or traffic policy based on an
Agent Binding.</t>
        </dd>
        <dt>Agent Binding:</dt>
        <dd>
          <t>A time-bounded association among an authenticated Agent Instance, the key
proved during admission, relevant security attributes, and an enforceable
Network Context.</t>
        </dd>
        <dt>Network Context:</dt>
        <dd>
          <t>Network-visible or network-controlled state that associates traffic with an
Agent Instance, such as a logical interface, virtual port, a trusted
namespace-associated interface, overlay identity, anti-spoofed source
address, security association,
tunnel, connection, or trusted per-Agent gateway context.</t>
        </dd>
        <dt>Principal:</dt>
        <dd>
          <t>The user, organization, service, or other entity on whose behalf an Agent
acts.</t>
        </dd>
      </dl>
    </section>
    <section anchor="use-cases">
      <name>Use Cases</name>
      <section anchor="enterprise-employee-device-with-multiple-agents">
        <name>Enterprise Employee Device with Multiple Agents</name>
        <t>An employee device may simultaneously run a personal assistant, a coding
Agent, an enterprise knowledge Agent, browser automation, and ordinary user
applications.  Some Agents may be approved by the enterprise, while others
may be downloaded by the user or created dynamically by an orchestration
framework.</t>
        <figure anchor="fig-multi-agent-host">
          <name>Multiple Agents sharing one admitted host</name>
          <artwork type="ascii-art"><![CDATA[
                    Enterprise Network
                           |
                    +------+------+
                    | Access Edge |
                    +------+------+
                           |
                    one device / one IP
                           |
          +----------------+----------------+
          |                                 |
   +------+-------+                  +------+-------+
   | Approved     |                  | Other Local  |
   | Agent A      |                  | Processes    |
   +--------------+                  +--------------+
   +--------------+                  +--------------+
   | Approved     |                  | Unapproved   |
   | Agent B      |                  | Agent C      |
   +--------------+                  +--------------+
]]></artwork>
        </figure>
        <t>Traditional device admission authenticates the device or user and then
associates policy with the shared attachment or source IP address.  It cannot
determine whether a subsequent connection was created by Agent A, Agent B,
Agent C, or an ordinary process.  Source ports, process names, and
self-asserted headers are controlled by the host and can be copied or reused.</t>
        <t>The enterprise needs to grant different reachability to each approved Agent
Instance while preventing the unapproved Agent from inheriting the device's
network permissions.</t>
      </section>
      <section anchor="enterprise-agent-accessing-internal-and-external-services">
        <name>Enterprise Agent Accessing Internal and External Services</name>
        <t>An enterprise Agent may retrieve data from an internal knowledge base, call
an external large-model service, and invoke a Software as a Service (SaaS)
API as part of one task.
The internal services may use different authentication technologies, and
some legacy services may not understand Agent identities at all.</t>
        <figure anchor="fig-enterprise-access">
          <name>Agent access across heterogeneous services</name>
          <artwork type="ascii-art"><![CDATA[
 +-----------+       +----------------+       +------------------+
 | Agent     |------>| Campus / Cloud |------>| Internal Service |
 | Instance  |       | Network        |       +------------------+
 |           |       | Enforcement    |------>| External Model   |
 +-----------+       +----------------+       +------------------+
                                            ->| SaaS / Web API   |
                                              +------------------+
]]></artwork>
        </figure>
        <t>Relying only on application-layer authentication requires every destination
to understand the Agent credential and to apply consistent policy.  This is
not realistic for heterogeneous and legacy services.  Moreover, the Agent
must already have network reachability before the remote service can reject
it.</t>
        <t>The network therefore needs to restrict which destinations the Agent can
reach based on an authenticated Agent Instance, while application-layer
authorization continues to restrict operations at cooperating services.</t>
      </section>
      <section anchor="multiple-agents-behind-a-shared-egress-gateway">
        <name>Multiple Agents behind a Shared Egress Gateway</name>
        <t>Enterprises commonly require Agents to access external services through a
security gateway, service mesh proxy, or controlled egress gateway.  Several
Agents may share one public IP address, a gateway connection pool, or even a
single multiplexed HTTP/2 or HTTP/3 connection toward the same external
service.</t>
        <figure anchor="fig-shared-gateway">
          <name>Multiple Agents behind one egress gateway</name>
          <artwork type="ascii-art"><![CDATA[
 Agent A ----+
 Agent B ----+--> Shared Egress Gateway --> External Service
 Agent C ----+
]]></artwork>
        </figure>
        <t>The external service may distinguish gateway-originated transport
connections, HTTP requests, or multiplexed streams.  However, a source port,
connection, request, or stream identifies only gateway-maintained forwarding
state and does not by itself provide authenticated identity of the
originating Agent Instance.</t>
        <t>The external service can authenticate the gateway, but gateway authentication
alone does not prove which Agent Instance caused a particular request.
Reliable attribution requires the gateway to receive or establish
trustworthy per-Agent context and to propagate that context using a protected
mechanism, such as an Agent-specific credential, token, or signed assertion.
If the gateway receives only an unprotected Agent-ID header, one Agent may
select another Agent's identity or policy context.</t>
        <t>The gateway therefore needs trustworthy per-Agent admission state and
isolation among Agent credentials, requests, connections, and policy
contexts.  When connections are pooled or multiplexed, the gateway must
preserve the binding between each request and the originating Agent Instance.
The local network also needs to prevent an Agent from bypassing the gateway
through another path.</t>
      </section>
      <section anchor="dynamically-created-and-short-lived-agents">
        <name>Dynamically Created and Short-Lived Agents</name>
        <t>An orchestration platform may create an Agent for a single task, create
sub-Agents, restart an Agent after failure, migrate it to another runtime, or
terminate it within minutes.  The host and its device-level admission session
may remain active for days.</t>
        <t>A device-level network session therefore outlives many Agent Instances.  A
new Agent execution must not automatically inherit the admission state of a
previous execution merely because it uses the same image, host, or IP
address.  Admission state needs an Agent-specific lifetime and must be
removed when the Agent terminates, migrates, or becomes non-compliant.</t>
      </section>
      <section anchor="agent-to-agent-collaboration-in-a-managed-network">
        <name>Agent-to-Agent Collaboration in a Managed Network</name>
        <t>A group of Agents may collaborate on one enterprise task.  For example, a
planning Agent invokes a retrieval Agent, which then invokes a data-analysis
Agent.  The Agents may run on the same host, on different enterprise hosts,
or across branch and cloud networks.</t>
        <t>The network may need to permit only an approved collaboration graph and deny
unrelated Agent-to-Agent reachability.  Device identity is too coarse when
multiple Agents share an endpoint, and application authentication alone does
not stop unauthorized network scanning, connection attempts, or bypass paths
before the application protocol is reached.</t>
      </section>
    </section>
    <section anchor="problem-statement">
      <name>Problem Statement</name>
      <section anchor="network-enforcement-is-required-but-lacks-agent-granularity">
        <name>Network Enforcement Is Required but Lacks Agent Granularity</name>
        <t>Application-layer authentication answers whether a cooperating service
accepts an Agent credential.  Network admission answers whether an Agent
Instance should receive reachability to a destination or network segment.
These are complementary controls.</t>
        <t>Application-layer mechanisms cannot fully provide network admission because:</t>
        <ul spacing="normal">
          <li>
            <t>they are usually evaluated only after a network path is available;</t>
          </li>
          <li>
            <t>they require every destination to understand the Agent identity;</t>
          </li>
          <li>
            <t>they cannot consistently cover legacy, third-party, and non-HTTP services;</t>
          </li>
          <li>
            <t>they do not prevent connection attempts, scanning, or bypass paths; and</t>
          </li>
          <li>
            <t>their result is not automatically available to switches, virtual switches,
routers, or security gateways that enforce reachability.</t>
          </li>
        </ul>
        <t>Network-layer enforcement is therefore needed as a common pre-service control
point.  However, existing network admission commonly associates identity
with a device, user, interface, tunnel, or IP address rather than a specific
Agent Instance.</t>
      </section>
      <section anchor="one-ip-address-can-represent-multiple-security-subjects">
        <name>One IP Address Can Represent Multiple Security Subjects</name>
        <t>A single IP address may simultaneously carry traffic from multiple approved
Agents, unapproved Agents, ordinary applications, and the user.  Therefore:</t>
        <artwork type="ascii-art"><![CDATA[
       one source IP address
               |
       +-------+-------+-------+
       |               |       |
   Agent A         Agent B   Other Process
]]></artwork>
        <t>The following implications hold:</t>
        <ul spacing="normal">
          <li>
            <t>successful device authentication does not authenticate every Agent;</t>
          </li>
          <li>
            <t>a source IP address is not an Agent identity;</t>
          </li>
          <li>
            <t>a transport source port is not a stable or trustworthy Agent identity;</t>
          </li>
          <li>
            <t>an Agent-ID in a host-controlled header is not sufficient proof; and</t>
          </li>
          <li>
            <t>application credentials do not by themselves bind all surrounding traffic
to the process that owns the credential.</t>
          </li>
        </ul>
        <t>Different admission policies for multiple Agents sharing one IP address
therefore require an additional trusted per-Agent Network Context.</t>
      </section>
      <section anchor="agent-identity-does-not-automatically-provide-traffic-attribution">
        <name>Agent Identity Does Not Automatically Provide Traffic Attribution</name>
        <t>Existing Agent identity and workload identity work can define who the Agent
is and how it proves possession of a credential key.  Existing OAuth work can
define what the Agent is authorized to do at a Resource Server.  Existing
attestation work can provide evidence about the runtime.</t>
        <t>None of these functions alone establishes which packets, connections, or
flows at a local network EP belong to the authenticated Agent Instance.  The
missing function is a verifiable binding:</t>
        <artwork type="ascii-art"><![CDATA[
 Authenticated Agent Instance
              +
 Credential-Key Possession
              +
 Optional Runtime Evidence
              +
 Enforceable Network Context
              =
       Agent Binding
]]></artwork>
        <t>The Network Context must be controlled or protected such that another local
process cannot simply reuse it.  Examples may include a per-Agent namespace,
virtual port, tunnel, security association, anti-spoofed address, or trusted
gateway context.</t>
      </section>
      <section anchor="admission-must-precede-general-reachability">
        <name>Admission Must Precede General Reachability</name>
        <t>An Agent requires limited connectivity to identity, credential, attestation,
and remediation services in order to complete admission.  It should not
receive unrestricted enterprise or Internet reachability before that process
finishes.</t>
        <t>A deployment therefore needs a constrained pre-admission state and a
controlled transition to Agent-specific reachability after the Agent Binding
is installed.</t>
      </section>
      <section anchor="agent-lifecycle-and-network-lifecycle-are-different">
        <name>Agent Lifecycle and Network Lifecycle Are Different</name>
        <t>Agent Instances may be created, restarted, cloned, suspended, migrated, or
terminated independently of the host network session.  A static device or IP
binding can therefore become stale and may unintentionally authorize a new
Agent execution.</t>
        <t>Agent admission state must have an independent lifetime and explicit renewal,
revocation, migration, and termination behavior.</t>
      </section>
    </section>
    <section anchor="requirement-summary">
      <name>Requirement Summary</name>
      <t>Based on the preceding use cases and problem statement, an Agent network
admission architecture has the following core requirements.</t>
      <section anchor="agent-instance-authentication">
        <name>Agent Instance Authentication</name>
        <t>The architecture MUST authenticate a particular Agent Instance, or an
explicitly defined instance-continuity domain, using a credential bound to a
cryptographic key or equivalent proof mechanism.  The Agent Instance MUST
prove possession of that key with freshness protection.</t>
        <t>Authentication of only a user, device, host, image, Agent software class, or
orchestration platform MUST NOT be treated as authentication of every Agent
Instance running there.  Self-asserted identifiers, process names, source
ports, or unprotected application headers MUST NOT be sufficient for
admission.</t>
      </section>
      <section anchor="binding-identity-to-enforceable-traffic">
        <name>Binding Identity to Enforceable Traffic</name>
        <t>A successful authentication result MUST be bound to a Network Context on
which an EP can enforce policy.  The binding MUST identify which traffic is
covered and MUST be protected against reuse by another local process.</t>
        <t>When multiple Agents share a host, interface, source address, or gateway, the
deployment MUST provide a trusted means to distinguish their traffic.  A
source address MAY be used only when address ownership and anti-spoofing are
enforced at the relevant attachment.</t>
      </section>
      <section anchor="shared-gateway-attribution">
        <name>Shared-Gateway Attribution</name>
        <t>A gateway serving multiple Agents MUST authenticate, or receive authenticated
context for, each originating Agent Instance.  It MUST isolate per-Agent
credentials and policy state and prevent one Agent from selecting or reusing
another Agent's context.</t>
        <t>When connections are pooled or multiplexed, the gateway MUST preserve the
binding between each request and the originating Agent Instance.  Gateway
authentication alone MUST NOT be represented as proof of the originating
Agent unless that binding is securely preserved and conveyed to the remote
peer through a protected mechanism.</t>
      </section>
      <section anchor="admission-lifetime-and-revocation">
        <name>Admission, Lifetime, and Revocation</name>
        <t>Before admission completes, an Agent Instance SHOULD have only the minimum
connectivity required for identity, credential, attestation, remediation, and
admission services.  General reachability SHOULD be denied until an Agent
Binding is installed.</t>
        <t>Every Agent Binding MUST have a finite lifetime.  A restart, clone, or
migration MUST NOT automatically inherit an old binding unless continuity is
explicitly proven.  The deployment MUST support renewal and prompt removal of
the binding when the Agent terminates, its credential is revoked, its runtime
becomes non-compliant, its attachment changes, or policy requires withdrawal.</t>
      </section>
      <section anchor="non-bypassability-and-layered-authorization">
        <name>Non-Bypassability and Layered Authorization</name>
        <t>The topology and enforcement configuration MUST prevent Agent traffic from
bypassing the EP through alternate interfaces, direct underlay access,
unprotected gateways, or other paths.</t>
        <t>Successful network admission establishes authenticated and constrained
reachability; it MUST NOT imply unrestricted application authority.  The
Principal identity and Agent-ID MUST remain distinguishable, and an Agent
MUST NOT automatically inherit all reachability or authority of its
Principal.</t>
      </section>
      <section anchor="evidence-audit-and-privacy">
        <name>Evidence, Audit, and Privacy</name>
        <t>When runtime or platform evidence is used, it MUST be bound to the same Agent
Instance key and admission context.  The NAF and EP SHOULD record the Agent
Instance, verified credential, installed Network Context, and binding
lifecycle events.</t>
        <t>Deployments SHOULD minimize disclosure and retention of Principal identity,
Agent identifiers, and runtime measurements, and SHOULD use short-lived or
locally scoped identifiers where appropriate.</t>
      </section>
    </section>
    <section anchor="functional-model">
      <name>Functional Model</name>
      <figure anchor="fig-model">
        <name>Agent Instance network-admission model</name>
        <artwork type="ascii-art"><![CDATA[
+--------------------+       +-------------------------+
| Agent Instance     |       | Identity / Attestation  |
|                    |       | Services                |
| instance key       |       +------------+------------+
+---------+----------+                    |
          | admission proof               | validation data
          v                               v
+---------+-------------------------------------------+
| Network Admission Function                         |
| verifies credential, possession, freshness,       |
| optional runtime evidence, and policy              |
+--------------------------+--------------------------+
                           | install Agent Binding
                           v
+--------------------------+--------------------------+
| Network Enforcement Point                          |
| Agent-ID / key / attributes -> Network Context     |
+--------------------------+--------------------------+
                           |
                    admitted traffic
                           v
                    Network Resources
]]></artwork>
      </figure>
      <t>A deployment MAY distribute these functions across an endpoint component,
network device, controller, and gateway.  The security property depends on
the integrity of the complete path from the authenticated Agent key to the
Network Context, not on the physical location of one component.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>The primary security failure is a false association between an authenticated
Agent-ID and traffic generated by another entity.  Implementations need to
protect both the cryptographic proof and the local mechanism that creates and
uses the Agent Binding.</t>
      <t>Bearer credentials are insufficient when they can be copied to another
process or host.  Proof-of-possession credentials reduce this risk only when
the private key is protected and the proof is bound to the admission session
and Network Context.</t>
      <t>Runtime attestation does not replace Agent Instance authentication.  Agent
Instance authentication does not by itself prove that the runtime is
trustworthy.  Deployments requiring both properties need an explicit binding
among the runtime evidence, Agent Instance key, and Network Context.</t>
      <t>A trusted gateway can preserve Agent attribution across a second connection,
but it becomes a high-value security boundary.  It needs per-Agent isolation,
protected binding state, anti-replay protection, and clear behavior when
either side of the communication is re-established.  Connection pooling and
HTTP/2 or HTTP/3 multiplexing must not cause requests from different Agent
Instances to inherit or reuse the wrong Agent context.</t>
    </section>
    <section anchor="privacy-considerations">
      <name>Privacy Considerations</name>
      <t>Agent admission can expose relationships among a Principal, an Agent
Instance, a device, a runtime, and its destinations.  Stable Agent-IDs may
permit tracking across tasks or administrative domains.  Deployments should
minimize identifier scope and retention, disclose only attributes required by
policy, and avoid unnecessary export of runtime evidence.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>This document makes no requests of IANA.</t>
    </section>
    <section anchor="acknowledgements">
      <name>Acknowledgements</name>
      <t>The authors thank participants in the IETF Agent identity, WIMSE, RATS,
OAuth, and Agent-aware networking discussions whose work helped clarify the
boundary between application authentication and network admission.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC3748" target="https://www.rfc-editor.org/info/rfc3748" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.3748.xml">
          <front>
            <title>Extensible Authentication Protocol (EAP)</title>
            <author fullname="B. Aboba" initials="B." surname="Aboba"/>
            <author fullname="L. Blunk" initials="L." surname="Blunk"/>
            <author fullname="J. Vollbrecht" initials="J." surname="Vollbrecht"/>
            <author fullname="J. Carlson" initials="J." surname="Carlson"/>
            <author fullname="H. Levkowetz" initials="H." role="editor" surname="Levkowetz"/>
            <date month="June" year="2004"/>
            <abstract>
              <t>This document defines the Extensible Authentication Protocol (EAP), an authentication framework which supports multiple authentication methods. EAP typically runs directly over data link layers such as Point-to-Point Protocol (PPP) or IEEE 802, without requiring IP. EAP provides its own support for duplicate elimination and retransmission, but is reliant on lower layer ordering guarantees. Fragmentation is not supported within EAP itself; however, individual EAP methods may support this. This document obsoletes RFC 2284. A summary of the changes between this document and RFC 2284 is available in Appendix A. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="3748"/>
          <seriesInfo name="DOI" value="10.17487/RFC3748"/>
        </reference>
        <reference anchor="RFC5216" target="https://www.rfc-editor.org/info/rfc5216" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5216.xml">
          <front>
            <title>The EAP-TLS Authentication Protocol</title>
            <author fullname="D. Simon" initials="D." surname="Simon"/>
            <author fullname="B. Aboba" initials="B." surname="Aboba"/>
            <author fullname="R. Hurst" initials="R." surname="Hurst"/>
            <date month="March" year="2008"/>
            <abstract>
              <t>The Extensible Authentication Protocol (EAP), defined in RFC 3748, provides support for multiple authentication methods. Transport Layer Security (TLS) provides for mutual authentication, integrity-protected ciphersuite negotiation, and key exchange between two endpoints. This document defines EAP-TLS, which includes support for certificate-based mutual authentication and key derivation.</t>
              <t>This document obsoletes RFC 2716. A summary of the changes between this document and RFC 2716 is available in Appendix A. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5216"/>
          <seriesInfo name="DOI" value="10.17487/RFC5216"/>
        </reference>
        <reference anchor="RFC9190" target="https://www.rfc-editor.org/info/rfc9190" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9190.xml">
          <front>
            <title>EAP-TLS 1.3: Using the Extensible Authentication Protocol with TLS 1.3</title>
            <author fullname="J. Preuß Mattsson" initials="J." surname="Preuß Mattsson"/>
            <author fullname="M. Sethi" initials="M." surname="Sethi"/>
            <date month="February" year="2022"/>
            <abstract>
              <t>The Extensible Authentication Protocol (EAP), defined in RFC 3748, provides a standard mechanism for support of multiple authentication methods. This document specifies the use of EAP-TLS with TLS 1.3 while remaining backwards compatible with existing implementations of EAP-TLS. TLS 1.3 provides significantly improved security and privacy, and reduced latency when compared to earlier versions of TLS. EAP-TLS with TLS 1.3 (EAP-TLS 1.3) further improves security and privacy by always providing forward secrecy, never disclosing the peer identity, and by mandating use of revocation checking when compared to EAP-TLS with earlier versions of TLS. This document also provides guidance on authentication, authorization, and resumption for EAP-TLS in general (regardless of the underlying TLS version used). This document updates RFC 5216.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9190"/>
          <seriesInfo name="DOI" value="10.17487/RFC9190"/>
        </reference>
      </references>
    </references>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA7Vca5fbxpH93r+ij/wh9oYcyUo2iScnOUtL43h29ZjVyMfJ
RxBokh2BAAOAM2Ii57dv3arqBwBq5Gh35/hYMyTQ6K6uunXr0Vgul2bwQ+0u
7Q+9s8+K3vW2aCr7xv3t6Du3d83Q203b2VduuG+7d3ZV7X3f+7ax7cauru1q
S5fY66YfiqZ0vSnW687dXerns7tM1ZZNsafnVV2xGZb9rmi2ywIXLxu5eFmE
i5dPnpiyGNy27U6X1jeb1vTHtX45nA40yvXV2++MP3SXduiO/fD0yZNvnjw1
ReeKS3vrymPnh5PBqNuuPR4u7aNHxrxzJ/qkujR2GVeA3+eTpQ9/pE/qtqjs
dUWXYTTcdRx2+Ismp5eNxWBMQVe0HR5hLP1sjnUty362K1p7i1XzF77xgy/q
nr644A/6YycXpmvabls0/u/8rEv7/bG4d56/cPvC15e2pCEvWJD/seMvL8p2
P3/yj86fjvY//fzRP04ena751KP/iivvMfDXDz77Ba6zf/bF5Ml/njz5xc9+
8qYrmncX72kYP1m4qUhlLu3TJ09/s3zy2+WT3xjTtN2eRrpztCH2zXfPnn79
9TeXdjcMh/7y8eO1X194N2wu6JmPD8d17cvH3abE5+/39ePObVznaFcv6M4L
3HpBH8tAv/v6t7/+zIFwKw9koNjj+f3qt7/+3WcOi1vT/P796de/+cyBcGsa
6Juvv3nymQPhVh5oSWCD/9li3Q9dUQ7GrLrBb3xJu0hKMbi69lvcZ79cXX9l
GRV6+qIkc+59s61PtigJZHpLX7ju0Pnemc717bGjTxfWvadPGxpr31aupg+G
tsU/ALSWLLYLQw47QoPtzu6Lhj6pjCJPf2Ht6nCo1a6XdXHCPWNjL4sm/8hZ
/M3WP7S2sGXbHlxHl5K+966786Vb2PVxsH6wdGvTDnZ9oj96V2/MoWvvfOXo
pv2hdjSWTsRGCKSvmqFra5rZdWMPBcmrPNZFR4tKE8U47YaAu6MRoEo1SerO
dSRaRytvILcNiSYOT/Ik0Fj7mvCMpOb7gaQkszNrTKfpj3u6Fb/Ql7Q4GoKm
vaM5di0t1rXHnkzU1m5blKewUBV11VoM1DkyzTXd6Bk5Nyd7v/PlbgKVNIrf
+oYEWRGEFxvSBrrONXZ/rAdPUjEr2TMCOFpe2zi7a/thYa5vSEoV7T49lWbi
tvjVbmmg++J0Yczbne9pKuURPsxWri87vybvptvTQk+O5PNK+DxSlZ0jsfR4
KO0cCXRdu72hOQ7sBGVl3dQrzvfrrFfE7g1mQ5OBf6WrHH1BVtPv8LBC94o+
cfyYwe/dct0em4qEsvZNxVftW/y/MeOxF9AlSxbCQqY1kXcjgRx0hd2xwWjW
Qc/4cjygCL7OPCP1IrPBnGR3IIewKqi6AziVbqwyh5ZU70SrGgmZfDutDhpe
uY2njSpopHuRxfL6uRWUW0wMCrIe2rKtF/Y1/KrdErLT/pJ0yUh5N2DXDaR7
Ifix91VFimG+ICmQcVTHkq3AkODPYQZtOB6dgYYdiv5db+89OWkyTdiYb47Q
6d2RMIFYxgEazY/EIt2J1j903t05xikGmbBsUp6/HV13suR3irVok2/u2nfO
vAQO2SDjG12o/fLls5uv2GhcJ3TrR7e2q5trtsK6ngGZIYDYHxvBG8xa4UxM
Y2EwhDhV+r6GnpD02ICWZL0Hi93c1O19L6shARD6+ju6gTYMl9G+uPoEHCFh
ZgrQNo1j4QIzC5JU15KRKQgH1MSk9wcS3qZYd77EdOv2WNk73w1HWkS6rldG
FsxUAeOaReqGYMSHloTc02bPwXjvSAsb3+8V7RxmUpDwAbGCfwPRCcCIh5nQ
xpuIrmI557A1sjyvLG9B4uPJv31xS/P224bcxPdv397QDOiBW2yyqOtAG93o
QhiHl/TfgcTk5CHZjNl11LQPtjC5n8ignJSVVglPkruYVrwQQeXf2d/wQmja
37f3pJLdwgy8qdmjohuQp7jcC8DEVRQ1WUlFuF6QOMm78HIwGE8jqD4xtTZA
nw1fYo4AqA4wVPHqA1TE8U2QZkCKoie/wtBkgRse20Tqh7F6Wn6/gYNnFRt5
moURPwOU9l21hBs8icQb0gzeluCCSGu+a3mNPYNW32JzcAegGVPTXSfdcVWP
R69dgAiCW1LyDAJNUhbWPxFJtA/f64j7fRuhkv0NqzAcGkwcKH5S3A4+DpOH
PpDCE7CUwxhg146GAoD2B1d6vj5z97C/w4Atw67QADStELzkk4h43LlDXdDO
FFN7MkGt+LPfg6QoJwEuWVd0tQcFosmuO7IP+j2Ij/0TWR4J/AoMAoo8d4dJ
JQGKZX1kX3a1urH/+IcS3Z9+wviGPluSscnnIJ/0Of8O/vjTTwuVMrR4xL7I
2QjJYloAl96x8yAM58WyobwdeffRonkTTwdfsrmQhralZzbCOFuYw+7U40va
0o7GvycjqAFS4UoaYhGhjp3DpsB0hiNhZ83cRAiqUboSjAF+DlQO++3hsjLY
YgbUw7Zp0AmZYGlR/EqkiXAv29LAkaCSPYVTLBEB2MiVmBg5kAT2zcpzVJE7
0TpozJ7+IHHsCKsARj0QMCIPOXPmtCZ8Pd6QqLNEPhrIe8L4WJs8eA5cimwL
cCeykugxxecoa8YOHsWWaAhxgHXLO9O1ZRCsI5oFiMVzI72zvq6PiDkGSIcW
q+vOdTcDTzC7+7lHUMwcsRfyvRl4jxRrEclXMQwgfPIhVi9SLO7FhfGaaQpm
X5xsDAkio+sXE4WtSLwwrn5xht6Rv5PRaf9YjUuR5ZSszcGBHjHyITPSCr2q
WFolKN6hbk88EkOQcl9oxCRA0uWa0f6DtMKQ7sg+Ey0gQRFJPw5OvDtDjIRV
E80wka+eDWmEnzK+ktooJFaLLH6qT2xjJkQZMyMTUyoUVcSCHw44vrBvXbf3
TVu321MyM6Saevvo5Q+3bx8t5F/76jX//ubqv3+4fnP1HL/ffr968SL+IlcY
+uP1Dy/0e/yW7nz2+uXLq1fP5Wb61E4+ern6yyNWNvPo9c3b69evVi8eEcaI
+kclYLhgD+iFHDvsF7GBEC+BV9pvn93Yr39tGI2R/wjIjBQG/Q5BapDdqFw5
nmJwIheCIcBqy+LgB9JnEDtI+9Jc2tt2M9wLaJGpqxvulZ+32L5dUW+gWQXx
Z9I8fyCDx7NgLKRmbdPuiSIQebXKurNoVON/2q08/A/Pj7uNiawy5YjA5fmC
QVCeQzu+r9dJw6buW2LrpL8CwO2GphHxl2j1lsnboSjf4VcsNFrQVOOODfsV
DUY40whcdu+BLx4ROJbNtgJopr3iCKJKy5E4Gw77y4DTX/HamhCD4zugW0Dy
+HhkPhK647mwYiKxnaAWAnor/HYRZkpkwSP0PB2GlpzZYac+NJntFAhgDwRQ
NkO3OPtn8SPZjtJJbohuDARcuPYiYXMaZnGOe48elKlBFm63679SgGPZr8w8
WRNyw0lMYbZvBHgxVRi6eqAF715BsW+XOMGegIk+WUiGmp4T9YWQiS5qG0kw
sGBkgukKRW+YkODdbOegrFDpeYL+u2PDsZv98tXqu6/CVDfhU7Y4zRL1s9go
eBTJ6JDHASUk0xY7gmjljm81PQFzZBihWdU1a+VVRkVvmA9/eXUjChlhW3yr
zIU9qevHUA4ur5RZUR0hNqDmzCzi9ujf8qxROiWjbTGlcs5dZQmWQZBc9J8M
zlbkrXBjENbiQVemKZcYH0DvjJ16tGwH9RNMXj9aIhfB6hpTTkvl4SRqy1kq
lWHgr33KpjGPTbJKC+uPUCjEEeSymONm/DWor9DeImgvDYNUfU+Q5pYZW87u
JBl1FF1kzAkYuuwPZKCYrbBhm7xpElrGqQGkSqFTGmIh+iB2RN5iKUtSJxy5
jjHRVwS157hgVFVYpPxsRAZVR2YXYEPqfjIkKEp2IF+kehn98YW9Srmlqz2Y
kXP2OQcmIv+XI55B9xDaunChRDBsQr0HIyk47CUoJdtGYE4xJGfzwMPZIy04
0wwVF4VfiH7FObxr2nvSjK0+b4Ho7b6XZHa7z5hojCMgn5zLgv7dtvsw4WDf
dIXYwPrEdpGeuQBAQUUhyN7o9VV73wCq0x14EASOBB12sTqRPgXPAR9HX5Y7
x2wdGL7pSN2g8ST1f/7znySD0vsl+WquBk1/sn0IKc5zl+nPh7Nf/nLJP+Gf
s9d8sCtJgl1ByJ8/zoMTQbJbdeMx/3F983MH0Yemn/kH2dUfHhg1G3u8oOUv
55dNrzA8+CoozUee9cG+Zut7wdGcPOuDotXqozP8gIQq9oCwbjLD5SdnOJLC
5931c9b1Q1Oka0br+vaBdSkh0j8/c4ZkK+Yfl/aLjd8uJRUsVXZOCnDN/w+P
JqjEQQ88G3QN3m2AgeKGRz9RQNMVldeygmplogu5B5WkmF5Cls4Wz3UNRFyZ
h1KHzgDJpBkxF1JwAxEApg0xeZKnMBCXhmpVhTzhHsWGyE3Ira175MWaIfMc
9r7oI+YQzqh2haj+20WgoewNGIUUGVN24VamAo/YL8Ln4g4l1EJRbymsGYJz
SJhJKJt5a8XBmJzRKLVsD1yt6zTNoZmaDNRjwpIrJJw+RZl1kjqk7/FnQupJ
9C0oTdHDHfaLNptBuRlfbjdduyefTgL18SLZ0V/0oVwKv6T7zy5x5AVVvgyS
GOA6lE2w5KtQ37jVUE384fRu+JBYd0F1RaZF8opFmOToQAulfGLgC8MTKJzb
uiXXUZK/l3oJB4tFCkGZCemM7Je3RXH7lVndXOPzkD+GYSA2veC9ibMIESfP
GFmntDeTYtfgyh1nCHzUGTjZSR2Vx0FuJsuwi0iUU4Emg+3V9dwr/vIMUMzR
/2NfMLgFCGL8kU//+IHYDld5HttnXN5JX8S9DcL7gCGixkWQ+xBJb/zg4Vnk
oBj+zaOK0fSiUknVjZHz/0AW/8IPZgG1IRFpQc9+zLV//OfsLHIwT2ay1EKc
ormGcPLZuTpK1C/A+RtXnwTraya8s9rAVHW1AtRbpKVPyBANqNuDo41rQam+
lJWlC00J0FNOWV/BpJTsCVw4JVnUSJOUnKwYrwEDTcyF7n7Zdg5xxyKrPu2P
fV7iunPnk4Vaa5EGgH07xASS1meQIDB+UDwOQ2Tp8gDLsZQjkXomoD6XCYVi
/Pw8kP1EBCqY/YnqTcgcufFkYr8DI8aZ9hTF7ikXoNDHc6vArXjlK8l3/klC
LUT3QQ37VJoJVUIdAxuuDTvvp1AZenAKM60Kx8AMtdYd/Oz7E3vlzIlOsq/k
m6VYYrJwJXWMSIuSzVtGijxoDByBIlTJE8E5YmZoIHCxFeU9PRjFxsdPcQ3/
9qv89qElP1Kl/F9YtNH1zLE6cFzFmkAN+U8CtfOyt/hm6kJNZI1zxBBetQwL
/gj50w2HvMbSZfK3c7M9ZCFLOnN79LRTev1y3NLT9CBMJuslWLDsQvFSErS5
jElzXcEFiFDgBqtL5Gth8oyADiOVNr4zZTt7gbcwsX3hJT1XAViwWYigJX0i
nUtaE4ktWrEeMzbQkNrQmrIJK55Xuy4+IrtZGxm0JhoAuhnCdk36z4qaw8Iw
U2Zt5zuryoLTmsUos60FY8C/NhxpomoE8dlkBExK5++YzMfOJcNpGMLCYXfK
UjEhYal4T9M7FNuYngrfHntpfELvD+2jq0ysO2VpqZCQjgXFPJuruWBsuiSH
Y7b6wlxvRivQ6asy0LDHJj445byFri/YACL/BKVHgjgUHPmLX/SZAnSx2hST
T29z6U39xFmppUAqKqPxfVvnecqpS+0XmQWNrItbUXhSRicFW/oRNeW8owfo
CMSTqCMzwMVIenCjJlQb+JvQkrYmX+hcI/GGziUEevYhk4CApHQbOwbQYxI9
qUYnKdnNvH99OhQSTGTTM9GP6A6hi0U82vMss/RMIz/M7pZ85rB84WO0I+HH
KO1kDyR77hoDyEncmE2n5ThTvAPigYVegv70pXZlsQtG3BBvk/abTeHrY0de
fe+3XJH20jqq89eSLtcDJLbVaxAm+4buapBV1qaGGEWioCoB2rIm4dW5Smk1
RMIpYKC0fzleR1WcuCI2vjvsS+hiSmrcHoeajWlfNKfJznIDrYlNf1kdg7kY
8CokIGVbNMLkDZ3aAGp+0Ls7D9qXDSWtCWvH+AbJcIF6XHUL7SC0wOubrPNi
NXmIqNwcaWq/cVK7R6kRk1+j1XjPITJ3ZyRGF3epj3sqPo2mSMFdz01K3ITm
0Y3CuimPG1q1/2fEaop1q7qHDbIvpTc5pjFph/gMQyxDCskp452gOuK9x32O
tGp0RLn3BdrgFhBqXeSNGRIJSzsRB9uh52SRekKb7CpE4kuaXX0iEm9CL9rb
3ShXjMy19gzEXhRgaxYaZ/PEtz237WjcsibewNWuykozYWzRHtNwDpSdFO84
HTFEkI8ZjXIkXK5UalWrOZljExolJluSxwi0PE3mR9xHx0zb0thF17tzvQSx
hQCJjYr7wbQSNGkYyUKs5Ns5DOqH9oDUTGj9q5JZlrKDOfBzm8n+oHxKwJLR
sDdZiDPqNQwNqV6Lbpx1+gJ5Ve4Kug3dz6yyIXbPA/DrPpwUqpizvCjKd6GW
+KfU33Suk3O69Ka/R7IspfHOhCqp862ZucOsBy5LS05HDYWcSJL6XXusq8hw
pqm0Ig/jsvIbzWgLCbAv653m+GBg+BRpQw1WPtnGqu1NOCuTun/mjXQKd5fG
/Jv2VnSopRwZRmGyR1birM2ziKNwYydK+nfkekD6fh8GCfHaLKS3HwvpgwHE
IXT+o6MCJUJx+/ObNuNgcnQg+v+zyp10f6Lmv2faxCP5LvSV+f6M24mC4M5T
cqzw/KnkGT8xlnvQSQpCNKfty0Jqz7XIp3Ku7njelznutiP0kp6bIjSS0vKX
MU4QNTIMIHlE5D7edJk6JVOuPeybkXJw7JqUuuj5vsUUL1uywx23DgNYY4ef
mRI74MRrLlSRp5U7n9EdbxzzR7o0Bp3hcJ69PXILBjhYYFTZc8/URMuiI10N
1W1mhhF5A+abwMGmiW3eyDOtk4vIWyEQcWeyQZcfKTsCqWe1iWmuLyb/YkVs
+m+4YFoI+pCPMCqFxb9RQpLCmRbCOOhn95h6IP0+6w/dtXXFCEIhFm4g0Iml
nDEcx/hyFKMKTPDTYbLFXADR3pozeFGkdEAezsd7LMeWLtb4NUw6M1DeqtRo
l17eESGxXBg4a6zlLqEAFLkvzOKqgEJSqNlTBAi6yx2raGPrj12HZhIOREQL
0avQSmu8FoUYGNp7zfyN2p2ep9pAtFiO1pCu2GSR2LmqXKZqCUICisM2q1ij
m7dJzFtOAhONp1vtc2z8K1r9aoSYN+qY3qrZrVLWIOuhHe8Um9Ssj9bGo0V6
Suh+1+ZHBiTDiz5SbUbnQmE8TsGdgOPjTmStcQZyJiM8wsRHaFu/TrC3Gaei
naMNRzWFcErV8pbP5mQDm6yHN60guOvULLXGeSJOJUsYBz+AfZM8UZ/ar3ol
ezGfwu1VYNtoFnSzmJ6iQT7BIxMdB89XN0QP+NiPauFD2WTtkmbNoztiOxiE
knfGrUML1Sxn+cDgE/wjdEttfcv/Igd/kzfnTS59HQ6taXOdvVKxzi+9Sq1U
s9bg8cV/CH+PGsMSUk5bzjXWy3PNSPHEdBEnp6TVKu9BN8HwlQ71wN2TlHJJ
kVmTOP4SlyZHIZz09qh1xraqhRn3XgWPfLZNatxblTcoh4ateXMUrD5Cz0ss
+Ab8l+bzJ9fwkYM3GZXh5EiIiTQ/WHuKtKS5nFX0TulyavnKU3V5/7uRc5R7
V2kTXiwIeK65y8mieGQrQqRU/ZWty/FSYewI4KTUgbJACinBX8K5svP1nmII
cG0IJdgENRESW9un2buCeS6hPueQwdPOZO74dFfUHnZ5PnDqSZphNLHp6ayg
q3I4JLZVRsx+4TeuPJV6aDQocvp0RdOOzmba8xw7urQnIqar8GsJaKqQiaWZ
om0yJjaqcV4KZXQSF65h4q9HrDgrNUkhIfnCMqJlp96Q6xsTsokA1CRvyZ3g
Bl0fl9YbENVGYEJPAumhOBxnMZOsU2wHnW4SGzlXBLmXIK5gnPYJndckGRqc
FJl07q7Vcx8qkNhIF0TitWn9zrcdB9PZmzSI6+73xDyN+TaU/oQzwPjGB1b0
NCGH4aNDyLr38/NpRVfuPEDqSNLDgb5hxAPLjCjwqdWR9w/R8OTFFoyQo4H5
+MLkvE9WXpgWLrmVxmQt7OKQK+2sL90ytbuTF0ZuchGLA5mXTy3lZtRvrh3l
FuuiGDgyvBRg55mptE4sw0jpZMwtGBX42AbCpA3ZxK7hI6niAFSpxlyZ+0Kg
jRpMjQ+kaTpyfHKALKwQmDYfSTuHcyIw0SEkr/spTadHZ5zc5D3hjSbK+ZjC
7agxKR0GmLcxaXeu9jiheyurleSEOXQ35ROdHLxN4M26FlrFI9ek/cwduXJL
DgRTfDLrQuCwnp+6fuiIEO2JiS3zxJDyw+xZ00GqZvCQk3cVhCjT94ZzGlpB
CE/PJLMtoNLq8D96Qs2YH/N3G0wyhUFjUjB+5txRrBGi7pi5Kp5TrFZG9r93
RcM1lbxQKxkSXRzn7McPsi9Xf8H6jr3LDvXEbymuoZ3f+YN2tgcCwmbbORMO
XIXDtLE7PnX2iUZIeXsZ6tqjoGIVC1DMEHDEYCK1GRYtpHtOeMGIA4c6GNRy
IfWqB+pTTDVEHbgG5xJLM3mcmOpsmfMPuatURuQUhdQRvRzNh5ZwUDGpKiaK
9rnFOtWCVKwz/9tinY0tH2eT1bn5dyHNI1glSKyUIHuCOmU9RcSIGybp+zMH
nKQK0DZ37iThWmrVMXIUPZQAM4NMDmDMdxdMkKTCJi+6Ci6dvLKeus4TaUxD
+8zzRozVE3lMI9hGMC3iAH5/3JsRMe5CihzR/acpck6PpUcwr+XFlqfA1Ucc
UieFznvXoJ8UoVSd8t7fJkGPjuokJxJhmndWSJIFP8arJVR0zOWULypbZF8W
OVFSi/P1PvTX1undJrOjbwDcjDWwp9ZXcdgp5uGgN7JIytICddofBlYSVLPa
jcnr1g/U7yYvU+HCCOpelXylUb05W9mTS7LuZWjgVmuBihMxggK/qLrinlNC
qK7QSN9yMjuGA7SOF8gdI8rOG72Elg3tgU+a5q9e2GvSfOO3x3wjAibperPU
qRkX1clPRmOquWNlcMkf0Uoqmnypfak44yPtXQuTs4T0co94robz87TQ2+TX
52nrPBUyzmAoAITAy+Qqzy8tiOomYfcoJjxzQFvfSOHSMaFx0iomF3lcrZln
DhR0JR7rEsP6lMLXE0NNr/SQLiJSnTQb7aaOh7pXx8pr9ZCuuSvKk3qIcP4b
ChaYY0xGkfLCgS+igHK+FAuzE+YI7ssLG70lJRwgd/bV6jtp4b4JWEMK0XZZ
icgk+h/fQZVDXcSdKWNbxDcDwEnUMY5l3YX2PI+W34eHM94iAKTdIRzqj53T
NzVpnAjZznc5dPuPmDDfpwIl2oSx9P0+3DUiDwS967mBpOYGEkI9pni0133Z
HsbsGkjTaVXi0KEQwyFhOJgZepWnKbYzLcAPdinHWsKHqY8aVRIS8X4MqhXT
mfaDOXsAKN0Y2vRnV9CNPtec8Y2jqY7/yNaYfXHmXMu4gfpDnjNnejGdMsG9
r7SGUQxFdu/ducGzn7vzc/rkD8T+wOHbj/1AdvH07eggcwxIFykAXWR3feLl
XuppJg97YEUPffXgebNgypN81c+U8b82jw9n+w/kWPGDMo5Y/pg19HH+konl
H2dR4/+ftM5+GU9ZpUrSA8I792lYQKhd9OOTX3wWYnRAIILD7H2r8roxtPuO
kqAIBuH8RGrzOoa+FCz1uTBvJk6I17gFNx+SIjEz2om2pg5ueJeY4gZgug5J
Ic7NoXWTKRy4yDb4zGGXvTqRmxw41PpYBQTbL55vetSa328Q03HhhT91myd4
XFoVg3gsYD9D50MVmuyFnBHYI9GX1qNNf1Jl2VDw6EYn0UNwNj0JYKL2cqSm
xG3LzH8YvwrHhTdtXccuFNkfbY8yStCIAuhxu3EmTeA0BISStohBVHj7m+Ne
AoQkseduZPsXCKIoVO1G9VTErvPXG4XukezwW2qDjPUUnP9o+Q1XN2derpY/
hX49lvp+n87371LiQt5oBuI0iJvyfZ660SWLAOirEUeat1HmyfZUSX0zf9fP
/BU7EwMcB9QXdvainI/U5Mfd6VrKyIqOiJ6yAjp3ryXmJCEIpwSgCWpp8EKs
KXx4ThPfgYtJA3L+hORyJmvi10+eF9EqJqViSYprqJqs0FR91o4ekAVm1DZV
lg9ZGH2lagjECrvz290SfVAZisR3lHFGR0o4qeAWG6wXJmlDiBE5oaPVNd6+
U5YDXmhjIl5uE5L9omnOszECEDKE0nc3apm1c8sU6lQ0t2fjEyicRmvkdYOj
oyYx6yPZMO2olTbY0AouEJiaLMcqxZnAEJOEo6Y8y/su6zFPlcIQb8xQblpY
KUVvWp6KiBUZwj68ZCOR8JRLySKF1JBUpA7o1NecTlIhmS1dIgEauZJltPkT
7xV+xwIU3dEXCXU808ZLnh2nSbnW0E9MQ8qLJgYV2VtzmNyPQ4tFCDrC2xUT
sYgZnzXNjPmYhot3rUdOJr23EjKTs6VT02LxX69erc54mPwdTvviHeNCUgEa
DPfxAKsyHpHlNWpNh0NPTr4177SAQ3sjr05lfcCL1Sf9HAv74/XL26uFfbN6
e7sw3Grx0PvMWDxHOR+s79NgRNi5GnFSid7QzUmSlGqoyRE+0CTbVPPkgb4Z
dk27b/4HlvDGYtVeAAA=

-->

</rfc>
