
From root@core3.amsl.com  Wed Jul  1 03:00:01 2009
Return-Path: <root@core3.amsl.com>
X-Original-To: hipsec@ietf.org
Delivered-To: hipsec@core3.amsl.com
Received: by core3.amsl.com (Postfix, from userid 0) id 4742428C311; Wed,  1 Jul 2009 03:00:01 -0700 (PDT)
From: Internet-Drafts@ietf.org
To: i-d-announce@ietf.org
Content-Type: Multipart/Mixed; Boundary="NextPart"
Mime-Version: 1.0
Message-Id: <20090701100001.4742428C311@core3.amsl.com>
Date: Wed,  1 Jul 2009 03:00:01 -0700 (PDT)
Cc: hipsec@ietf.org
Subject: [Hipsec] I-D Action:draft-ietf-hip-cert-01.txt
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jul 2009 10:00:01 -0000

--NextPart

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Host Identity Protocol Working Group of the IETF.


	Title           : HIP Certificates
	Author(s)       : T. Heer, S. Varjonen
	Filename        : draft-ietf-hip-cert-01.txt
	Pages           : 10
	Date            : 2009-07-01

This document specifies a certificate parameter called CERT for the
Host Identity Protocol (HIP).  The CERT parameter is a container for
Simple Public Key Infrastructure (SPKI) and X.509.v3 certificates.
It is used for carrying these certificates in HIP control messages.
Additionally, this document specifies the representations of Host
Identity Tags in SPKI and X.509.v3 certificates.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-hip-cert-01.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

--NextPart--

From ari.keranen@nomadiclab.com  Wed Jul  1 03:27:20 2009
Return-Path: <ari.keranen@nomadiclab.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A678B3A6A01 for <hipsec@core3.amsl.com>; Wed,  1 Jul 2009 03:27:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.199
X-Spam-Level: 
X-Spam-Status: No, score=-6.199 tagged_above=-999 required=5 tests=[AWL=0.050,  BAYES_00=-2.599, HELO_EQ_SE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HxGmtR6yJQPy for <hipsec@core3.amsl.com>; Wed,  1 Jul 2009 03:27:19 -0700 (PDT)
Received: from mailgw4.ericsson.se (mailgw4.ericsson.se [193.180.251.62]) by core3.amsl.com (Postfix) with ESMTP id 503563A67F3 for <hipsec@ietf.org>; Wed,  1 Jul 2009 03:27:17 -0700 (PDT)
X-AuditID: c1b4fb3e-b7be1ae000004757-2e-4a4b3a1957e1
Received: from esealmw127.eemea.ericsson.se (Unknown_Domain [153.88.253.124]) by mailgw4.ericsson.se (Symantec Mail Security) with SMTP id 85.8F.18263.91A3B4A4; Wed,  1 Jul 2009 12:27:37 +0200 (CEST)
Received: from esealmw129.eemea.ericsson.se ([153.88.254.177]) by esealmw127.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.1830);  Wed, 1 Jul 2009 12:27:36 +0200
Received: from mail.lmf.ericsson.se ([131.160.11.50]) by esealmw129.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.1830);  Wed, 1 Jul 2009 12:27:36 +0200
Received: from [127.0.0.1] (nomadiclab.lmf.ericsson.se [131.160.33.3]) by mail.lmf.ericsson.se (Postfix) with ESMTP id 685C1246A; Wed,  1 Jul 2009 13:27:36 +0300 (EEST)
Message-ID: <4A4B3A16.8010908@nomadiclab.com>
Date: Wed, 01 Jul 2009 13:27:34 +0300
From: Ari Keranen <ari.keranen@nomadiclab.com>
User-Agent: Thunderbird 2.0.0.21 (X11/20090318)
MIME-Version: 1.0
To: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
References: <4A425954.4040500@ericsson.com> <4A49F558.7040304@nomadiclab.com> <77F357662F8BFA4CA7074B0410171B6D07B0C3E8@XCH-NW-5V1.nw.nos.boeing.com>
In-Reply-To: <77F357662F8BFA4CA7074B0410171B6D07B0C3E8@XCH-NW-5V1.nw.nos.boeing.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 01 Jul 2009 10:27:36.0579 (UTC) FILETIME=[8D7DF530:01C9FA36]
X-Brightmail-Tracker: AAAAAA==
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06
X-List-Received-Date: Wed, 01 Jul 2009 10:27:20 -0000

Henderson, Thomas R wrote:
>> -----Original Message-----
>> From: Ari Keranen [mailto:ari.keranen@nomadiclab.com] 
>> Sent: Tuesday, June 30, 2009 4:22 AM
>> To: HIP
>> Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06
>>
>> Gonzalo Camarillo wrote:
>>> we would like to start the WGLC on the following draft:
>>>
>>> http://tools.ietf.org/html/draft-ietf-hip-native-api-06
>> Here are some comments on the HIP native API draft. Indented text is 
>> copy-pasted from the draft.
>>
>> The draft does not seem to take NAT traversal into account. For NAT 
>> traversal purposes an application that is not using a resolver should 
>> be able to get the local UDP port used by the HIP daemon for receiving 
>> incoming HIP messages. Also the application should be able to create a 
>> HIT-to-locator mapping that includes a (possibly non-standard) UDP port 
>> number for a peer. Probably this is more of an issue for the shim6 API 
>> draft, though.
> 
> I'm concerned that you have hit upon a real problem here.  The shim6
> draft or protocol framework do not seem to have any concept of NAT
> traversal support.  I do not think this is a simple patch for the shim6
> document; for instance, is shim6 WG willing to rewrite Figure 1 of
> http://www.ietf.org/internet-drafts/draft-ietf-shim6-multihome-shim-api-08.txt
> to show the shim6 layer sitting on top of UDP?  The concept of a locator
> in shim6 is an IPv6 address, not a transport address.

True. Overall shim6 is really IPv6 centric, and even in the shim6 WG 
charter it's said that:

- IPv6 NAT devices are assumed not to exist, or not to present an
obstacle about which the shim6 solution needs to be concerned.
- Only IPv6 is considered.

So this could actually be quite a bit out of scope for the shim6 API draft.

> One possibility would be to remove the explicit locator-related messages
> in the native HIP API document (leaving them for further study), but
> that would also strip out the support for outbound opportunistic mode.
> 
> The other options seem to be to ask the shim6-api draft authors, and WG,
> to support NAT traversal, or to just write a HIP-specific API for these
> aspects.  In either case, I think we (HIP WG) should decide what we want
> this API to be.

Probably writing a HIP-specific API would be the easier way, but surely 
it doesn't hurt to ask from the shim6 API draft authors (and WG?) too.

Anyway, I think this is an important issue and should be addressed 
somehow. The NAT traversal related requirements for the API include at 
least:
- ability for an application to learn the local HIP UDP port number and 
IP address (so it can publish them e.g., to a DHT)
- ability for an application to set the port (in addition to IP address) 
for a peer locator when creating a HIT-locator mapping to the daemon

In addition, it would be helpful to have a way to store the port number 
to DNS, but I don't see this as important as the two requirements above.


Cheers,
Ari

From gonzalo.camarillo@ericsson.com  Wed Jul  1 08:18:22 2009
Return-Path: <gonzalo.camarillo@ericsson.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 71CC13A6F49 for <hipsec@core3.amsl.com>; Wed,  1 Jul 2009 08:18:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.249
X-Spam-Level: 
X-Spam-Status: No, score=-6.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_SE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WBD61KdRzxme for <hipsec@core3.amsl.com>; Wed,  1 Jul 2009 08:18:21 -0700 (PDT)
Received: from mailgw3.ericsson.se (mailgw3.ericsson.se [193.180.251.60]) by core3.amsl.com (Postfix) with ESMTP id 737233A6F3F for <hipsec@ietf.org>; Wed,  1 Jul 2009 08:18:21 -0700 (PDT)
X-AuditID: c1b4fb3c-b7bdcae0000052f9-15-4a4b7e30246d
Received: from esealmw129.eemea.ericsson.se (Unknown_Domain [153.88.253.124]) by mailgw3.ericsson.se (Symantec Mail Security) with SMTP id 57.87.21241.03E7B4A4; Wed,  1 Jul 2009 17:18:08 +0200 (CEST)
Received: from esealmw127.eemea.ericsson.se ([153.88.254.171]) by esealmw129.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.1830);  Wed, 1 Jul 2009 17:18:08 +0200
Received: from mail.lmf.ericsson.se ([131.160.11.50]) by esealmw127.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.1830);  Wed, 1 Jul 2009 17:18:07 +0200
Received: from [131.160.126.222] (rvi2-126-222.lmf.ericsson.se [131.160.126.222]) by mail.lmf.ericsson.se (Postfix) with ESMTP id BA537246A; Wed,  1 Jul 2009 18:18:07 +0300 (EEST)
Message-ID: <4A4B7E2F.1090403@ericsson.com>
Date: Wed, 01 Jul 2009 18:18:07 +0300
From: Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>
User-Agent: Thunderbird 2.0.0.22 (Windows/20090605)
MIME-Version: 1.0
To: HIP <hipsec@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 01 Jul 2009 15:18:07.0781 (UTC) FILETIME=[234C4D50:01C9FA5F]
X-Brightmail-Tracker: AAAAAA==
Subject: [Hipsec] HIP draft agenda
X-List-Received-Date: Wed, 01 Jul 2009 15:18:22 -0000

Folks,

you can fetch our draft agenda for Stockholm from:

http://www.ietf.org/proceedings/09jul/agenda/hip.html

Cheers,

Gonzalo
HIP co-chair


From ari.keranen@nomadiclab.com  Thu Jul  2 03:43:24 2009
Return-Path: <ari.keranen@nomadiclab.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 374EA3A6B31 for <hipsec@core3.amsl.com>; Thu,  2 Jul 2009 03:43:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.206
X-Spam-Level: 
X-Spam-Status: No, score=-6.206 tagged_above=-999 required=5 tests=[AWL=0.043,  BAYES_00=-2.599, HELO_EQ_SE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wYGxTsL61pnG for <hipsec@core3.amsl.com>; Thu,  2 Jul 2009 03:43:23 -0700 (PDT)
Received: from mailgw4.ericsson.se (mailgw4.ericsson.se [193.180.251.62]) by core3.amsl.com (Postfix) with ESMTP id 2FC013A683A for <hipsec@ietf.org>; Thu,  2 Jul 2009 03:43:22 -0700 (PDT)
X-AuditID: c1b4fb3e-b7be1ae000004757-93-4a4c8f5ae6ca
Received: from esealmw129.eemea.ericsson.se (Unknown_Domain [153.88.253.124]) by mailgw4.ericsson.se (Symantec Mail Security) with SMTP id A8.8F.18263.A5F8C4A4; Thu,  2 Jul 2009 12:43:38 +0200 (CEST)
Received: from esealmw129.eemea.ericsson.se ([153.88.254.177]) by esealmw129.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.1830);  Thu, 2 Jul 2009 12:43:38 +0200
Received: from mail.lmf.ericsson.se ([131.160.11.50]) by esealmw129.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.1830);  Thu, 2 Jul 2009 12:43:37 +0200
Received: from [127.0.0.1] (nomadiclab.lmf.ericsson.se [131.160.33.3]) by mail.lmf.ericsson.se (Postfix) with ESMTP id DC0BA233F for <hipsec@ietf.org>; Thu,  2 Jul 2009 13:43:37 +0300 (EEST)
Message-ID: <4A4C8F57.8090800@nomadiclab.com>
Date: Thu, 02 Jul 2009 13:43:35 +0300
From: Ari Keranen <ari.keranen@nomadiclab.com>
User-Agent: Thunderbird 2.0.0.21 (X11/20090318)
MIME-Version: 1.0
To: HIP <hipsec@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 02 Jul 2009 10:43:38.0057 (UTC) FILETIME=[F4FD9B90:01C9FB01]
X-Brightmail-Tracker: AAAAAA==
Subject: [Hipsec] Comments on draft-ietf-hip-cert-01.txt
X-List-Received-Date: Thu, 02 Jul 2009 10:43:24 -0000

Hi,

Here are some comments/editorial nits on the HIP Certificates draft. 
Indented text is copy-pasted from the draft.

1. Introduction

    This document specifies the CERT parameter that
    is used to transmit digital signatures in HIP.  It corresponds to the
    placeholder specified in Section 2 of [RFC5201].

You probably mean "Section 5.2" here.

2. CERT Parameter

     For grouping Cert parameters,

s/Cert/CERT/

    Initiator and
    Responder can detect middleboxes on the path after R1 message is sent
    by checking if control packets contain ECHO_REQUEST_M parameters as
    defined in [HIP.middle_auth].

This comment seems a bit detached from the context. Maybe you should add 
some justification why hosts would want to detect middleboxes if they 
are using certificates. And I think you should mention that you can 
detect (only) *HIP* middleboxes that implement *and* use the middlebox 
authentication method like this.


Cheers,
Ari

From miika.komu@hiit.fi  Thu Jul  2 03:58:03 2009
Return-Path: <miika.komu@hiit.fi>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4309D3A6B1C for <hipsec@core3.amsl.com>; Thu,  2 Jul 2009 03:58:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cx6qU5a6cJBk for <hipsec@core3.amsl.com>; Thu,  2 Jul 2009 03:58:02 -0700 (PDT)
Received: from argo.otaverkko.fi (argo.otaverkko.fi [212.68.0.2]) by core3.amsl.com (Postfix) with ESMTP id D129A3A6CFD for <hipsec@ietf.org>; Thu,  2 Jul 2009 03:58:01 -0700 (PDT)
Received: from [193.167.187.26] (halko.pc.infrahip.net [193.167.187.26]) by argo.otaverkko.fi (Postfix) with ESMTP id C2A0325ED1D; Thu,  2 Jul 2009 13:58:22 +0300 (EEST)
Message-ID: <4A4C92CE.4080808@hiit.fi>
Date: Thu, 02 Jul 2009 13:58:22 +0300
From: Miika Komu <miika.komu@hiit.fi>
User-Agent: Thunderbird 2.0.0.22 (X11/20090608)
MIME-Version: 1.0
To: Ari Keranen <ari.keranen@nomadiclab.com>
References: <4A425954.4040500@ericsson.com> <4A49F558.7040304@nomadiclab.com>	<77F357662F8BFA4CA7074B0410171B6D07B0C3E8@XCH-NW-5V1.nw.nos.boeing.com> <4A4B3A16.8010908@nomadiclab.com>
In-Reply-To: <4A4B3A16.8010908@nomadiclab.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06
Reply-To: miika.komu@hiit.fi
X-List-Received-Date: Thu, 02 Jul 2009 10:58:03 -0000

Ari Keranen wrote:

Hi,

> Henderson, Thomas R wrote:
>>> -----Original Message-----
>>> From: Ari Keranen [mailto:ari.keranen@nomadiclab.com] Sent: Tuesday, 
>>> June 30, 2009 4:22 AM
>>> To: HIP
>>> Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06
>>>
>>> Gonzalo Camarillo wrote:
>>>> we would like to start the WGLC on the following draft:
>>>>
>>>> http://tools.ietf.org/html/draft-ietf-hip-native-api-06
>>> Here are some comments on the HIP native API draft. Indented text is 
>>> copy-pasted from the draft.
>>>
>>> The draft does not seem to take NAT traversal into account. For NAT 
>>> traversal purposes an application that is not using a resolver should 
>>> be able to get the local UDP port used by the HIP daemon for 
>>> receiving incoming HIP messages. Also the application should be able 
>>> to create a HIT-to-locator mapping that includes a (possibly 
>>> non-standard) UDP port number for a peer. Probably this is more of an 
>>> issue for the shim6 API draft, though.
>>
>> I'm concerned that you have hit upon a real problem here.  The shim6
>> draft or protocol framework do not seem to have any concept of NAT
>> traversal support.  I do not think this is a simple patch for the shim6
>> document; for instance, is shim6 WG willing to rewrite Figure 1 of
>> http://www.ietf.org/internet-drafts/draft-ietf-shim6-multihome-shim-api-08.txt
>> to show the shim6 layer sitting on top of UDP?  The concept of a locator
>> in shim6 is an IPv6 address, not a transport address.
> 
> True. Overall shim6 is really IPv6 centric, and even in the shim6 WG 
> charter it's said that:
> 
> - IPv6 NAT devices are assumed not to exist, or not to present an
> obstacle about which the shim6 solution needs to be concerned.
> - Only IPv6 is considered.
> 
> So this could actually be quite a bit out of scope for the shim6 API draft.

Agree, but a problem is that the same API is used by two protocols. The 
SHIM API should be modular enough to accommodate both of them. At the 
minimum, the SHIM draft could define some reserved fields for ports to 
support further extensions.

>> One possibility would be to remove the explicit locator-related messages
>> in the native HIP API document (leaving them for further study), but
>> that would also strip out the support for outbound opportunistic mode.
>>
>> The other options seem to be to ask the shim6-api draft authors, and WG,
>> to support NAT traversal, or to just write a HIP-specific API for these
>> aspects.  In either case, I think we (HIP WG) should decide what we want
>> this API to be.
> 
> Probably writing a HIP-specific API would be the easier way, but surely 
> it doesn't hurt to ask from the shim6 API draft authors (and WG?) too.

We could increase the flexibility in the SHIM API for future extensions 
but I am not yet convinced of the need for applications to control the 
UDP port numbers in HIP API for the following reasons:

* The UDP port numbers would be mostly useful IMHO in a library based 
HIP implementation (e.g. OpenSSL extensions). So far, there has been 
little work towards this (albeit the specifications shouldn't create 
artificial obstacles for such work).
* We have decided earlier to exclude support for user specific HITs in 
the draft which are basically required for library-based implementations.
* The NAT draft doesn't really handle properly the case where a host has 
a single HIT but uses multiple UDP ports.
* The current version of the HIP API is oriented towards DNS and not DHT 
(see related comment at the end of this email).

> Anyway, I think this is an important issue and should be addressed 
> somehow. The NAT traversal related requirements for the API include at 
> least:
> - ability for an application to learn the local HIP UDP port number and 
> IP address (so it can publish them e.g., to a DHT)

I believe you mean the relay reflexive address? I think publishing the 
IP address of the relay should suffice and this can be done at the 
system level.

> - ability for an application to set the port (in addition to IP address) 
> for a peer locator when creating a HIT-locator mapping to the daemon

Once again, the relay address should be sufficient. The port number is 
not necessary because a HIP relay uses HITs for demultiplexing traffic. 
The end-hosts negotiate the TURN relay dynamically during the base 
exchange. I think the TURN relay should be set also at the system level 
and not at the application layer to avoid user access control issues 
(which are not currently in the scope of the draft).

> In addition, it would be helpful to have a way to store the port number 
> to DNS, but I don't see this as important as the two requirements above.

The OpenDHT extensions can already support UDP port numbers. DNS 
extensions are not really in the scope of the API drafts apart from the 
resolver interface.

From ari.keranen@nomadiclab.com  Thu Jul  2 04:48:02 2009
Return-Path: <ari.keranen@nomadiclab.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6FC403A6CE3 for <hipsec@core3.amsl.com>; Thu,  2 Jul 2009 04:48:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.212
X-Spam-Level: 
X-Spam-Status: No, score=-6.212 tagged_above=-999 required=5 tests=[AWL=0.037,  BAYES_00=-2.599, HELO_EQ_SE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wcY1i0OENKz4 for <hipsec@core3.amsl.com>; Thu,  2 Jul 2009 04:48:01 -0700 (PDT)
Received: from mailgw3.ericsson.se (mailgw3.ericsson.se [193.180.251.60]) by core3.amsl.com (Postfix) with ESMTP id D1C6F3A6918 for <hipsec@ietf.org>; Thu,  2 Jul 2009 04:48:00 -0700 (PDT)
X-AuditID: c1b4fb3c-b7bdcae0000052f9-d0-4a4c9e4e65df
Received: from esealmw128.eemea.ericsson.se (Unknown_Domain [153.88.253.124]) by mailgw3.ericsson.se (Symantec Mail Security) with SMTP id 73.07.21241.E4E9C4A4; Thu,  2 Jul 2009 13:47:27 +0200 (CEST)
Received: from esealmw128.eemea.ericsson.se ([153.88.254.176]) by esealmw128.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.1830);  Thu, 2 Jul 2009 13:46:12 +0200
Received: from mail.lmf.ericsson.se ([131.160.11.50]) by esealmw128.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.1830);  Thu, 2 Jul 2009 13:46:11 +0200
Received: from [127.0.0.1] (nomadiclab.lmf.ericsson.se [131.160.33.3]) by mail.lmf.ericsson.se (Postfix) with ESMTP id BD91D233F; Thu,  2 Jul 2009 14:46:11 +0300 (EEST)
Message-ID: <4A4C9E01.70009@nomadiclab.com>
Date: Thu, 02 Jul 2009 14:46:09 +0300
From: Ari Keranen <ari.keranen@nomadiclab.com>
User-Agent: Thunderbird 2.0.0.21 (X11/20090318)
MIME-Version: 1.0
To: miika.komu@hiit.fi
References: <4A425954.4040500@ericsson.com> <4A49F558.7040304@nomadiclab.com>	<77F357662F8BFA4CA7074B0410171B6D07B0C3E8@XCH-NW-5V1.nw.nos.boeing.com> <4A4B3A16.8010908@nomadiclab.com> <4A4C92CE.4080808@hiit.fi>
In-Reply-To: <4A4C92CE.4080808@hiit.fi>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 02 Jul 2009 11:46:11.0958 (UTC) FILETIME=[B27D7160:01C9FB0A]
X-Brightmail-Tracker: AAAAAA==
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06
X-List-Received-Date: Thu, 02 Jul 2009 11:48:02 -0000

Hi,

Miika Komu wrote:
> Ari Keranen wrote:
>> Henderson, Thomas R wrote:
>>>> -----Original Message-----
>>>> From: Ari Keranen [mailto:ari.keranen@nomadiclab.com] Sent: Tuesday, 
>>>> June 30, 2009 4:22 AM
>>>> To: HIP
>>>> Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06
>>>>
>>>> Gonzalo Camarillo wrote:
>>>>> we would like to start the WGLC on the following draft:
>>>>>
>>>>> http://tools.ietf.org/html/draft-ietf-hip-native-api-06
>>>> Here are some comments on the HIP native API draft. Indented text is 
>>>> copy-pasted from the draft.
>>>>
>>>> The draft does not seem to take NAT traversal into account. For NAT 
>>>> traversal purposes an application that is not using a resolver 
>>>> should be able to get the local UDP port used by the HIP daemon for 
>>>> receiving incoming HIP messages. Also the application should be able 
>>>> to create a HIT-to-locator mapping that includes a (possibly 
>>>> non-standard) UDP port number for a peer. Probably this is more of 
>>>> an issue for the shim6 API draft, though.
>>>
>>> I'm concerned that you have hit upon a real problem here.  The shim6
>>> draft or protocol framework do not seem to have any concept of NAT
>>> traversal support.  I do not think this is a simple patch for the shim6
>>> document; for instance, is shim6 WG willing to rewrite Figure 1 of
>>> http://www.ietf.org/internet-drafts/draft-ietf-shim6-multihome-shim-api-08.txt
>>> to show the shim6 layer sitting on top of UDP?  The concept of a locator
>>> in shim6 is an IPv6 address, not a transport address.
>>
>> True. Overall shim6 is really IPv6 centric, and even in the shim6 WG 
>> charter it's said that:
>>
>> - IPv6 NAT devices are assumed not to exist, or not to present an
>> obstacle about which the shim6 solution needs to be concerned.
>> - Only IPv6 is considered.
>>
>> So this could actually be quite a bit out of scope for the shim6 API 
>> draft.
> 
> Agree, but a problem is that the same API is used by two protocols. The 
> SHIM API should be modular enough to accommodate both of them. At the 
> minimum, the SHIM draft could define some reserved fields for ports to 
> support further extensions.

Sounds reasonable.

>>> One possibility would be to remove the explicit locator-related messages
>>> in the native HIP API document (leaving them for further study), but
>>> that would also strip out the support for outbound opportunistic mode.
>>>
>>> The other options seem to be to ask the shim6-api draft authors, and WG,
>>> to support NAT traversal, or to just write a HIP-specific API for these
>>> aspects.  In either case, I think we (HIP WG) should decide what we want
>>> this API to be.
>>
>> Probably writing a HIP-specific API would be the easier way, but 
>> surely it doesn't hurt to ask from the shim6 API draft authors (and 
>> WG?) too.
> 
> We could increase the flexibility in the SHIM API for future extensions 
> but I am not yet convinced of the need for applications to control the 
> UDP port numbers in HIP API for the following reasons:
> 
> * The UDP port numbers would be mostly useful IMHO in a library based 
> HIP implementation (e.g. OpenSSL extensions). So far, there has been 
> little work towards this (albeit the specifications shouldn't create 
> artificial obstacles for such work).
> * We have decided earlier to exclude support for user specific HITs in 
> the draft which are basically required for library-based implementations.

Library based implementations are just one use case for this. For 
example, you could sit behind a NAT that allows nicely anyone to contact 
you, but you can't choose your public port number. Or some other service 
might be running on the HIP port, and thus the HIP daemon needs to use some 
other port than what IANA reserves for the purpose.

> * The NAT draft doesn't really handle properly the case where a host has 
> a single HIT but uses multiple UDP ports.

How come? Anyway, I would consider using multiple UDP ports a bit of a 
corner case anyway.

> * The current version of the HIP API is oriented towards DNS and not DHT 
> (see related comment at the end of this email).

That's true, but I think supporting also DHT-like environments would 
make sense. Or would you prefer a separate draft for that?

>> Anyway, I think this is an important issue and should be addressed 
>> somehow. The NAT traversal related requirements for the API include at 
>> least:
>> - ability for an application to learn the local HIP UDP port number 
>> and IP address (so it can publish them e.g., to a DHT)
> 
> I believe you mean the relay reflexive address? I think publishing the 
> IP address of the relay should suffice and this can be done at the 
> system level.

I mean whatever port & address you use for the purpose of receiving HIP 
signaling (especially I1) packets. This can be a local address, server 
reflexive address (i.e., the address NAT gives you), address of your HIP 
relay server, etc. And any of these may potentially have a non-standard 
UDP port.

You're right that *most* of the time just your relay's IP address is 
enough, but for example with a host without a HIP relay server but 
behind an endpoint independent NAT (as I explained before) this feature 
would be needed.

>> - ability for an application to set the port (in addition to IP 
>> address) for a peer locator when creating a HIT-locator mapping to the 
>> daemon
> 
> Once again, the relay address should be sufficient. The port number is 
> not necessary because a HIP relay uses HITs for demultiplexing traffic. 

I guess I don't need to repeat myself here :)

> The end-hosts negotiate the TURN relay dynamically during the base 
> exchange. I think the TURN relay should be set also at the system level 
> and not at the application layer to avoid user access control issues 
> (which are not currently in the scope of the draft).

I think TURN relaying is an unrelated issue here -- unless you are using 
TURN to also relay I1 packets, but that's a bit more complicated because 
you would need to install TURN permissions at the TURN server for the 
Initiator.

>> In addition, it would be helpful to have a way to store the port 
>> number to DNS, but I don't see this as important as the two 
>> requirements above.
> 
> The OpenDHT extensions can already support UDP port numbers. DNS 
> extensions are not really in the scope of the API drafts apart from the 
> resolver interface.

OK. So I guess your preference would be a separate draft for this.


Cheers,
Ari
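
Added example, not part of Ari's message or of any of the drafts: a small C model of the case described above, a host behind an endpoint-independent NAT with no HIP relay, where the peer's HIT-to-locator mapping needs the UDP port as well as the IP address. Every type, function and constant in it (including the `HIP_STD_UDP_PORT` value and the sample addresses) is hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* All names and values below are hypothetical, for illustration only. */
#define HIP_STD_UDP_PORT 50000u  /* constructed placeholder, not the real reserved port */
#define MAP_SLOTS 8

typedef struct { uint8_t b[16]; } hit_t;   /* 128-bit Host Identity Tag */

/* A locator as a transport address: IP address plus optional UDP port. */
typedef struct {
    uint32_t ipv4;      /* host byte order, for brevity */
    uint16_t udp_port;  /* 0 = unspecified, fall back to HIP_STD_UDP_PORT */
} locator_t;

typedef struct { int used; hit_t hit; locator_t loc; } map_entry_t;
typedef struct { map_entry_t e[MAP_SLOTS]; } hit_map_t;

/* Add or replace the locator for a peer HIT. Returns 0, or -1 if invalid/full. */
int hit_map_set(hit_map_t *m, const hit_t *hit, locator_t loc)
{
    int slot = -1;
    if (loc.ipv4 == 0)
        return -1;
    for (int i = 0; i < MAP_SLOTS; i++) {
        if (m->e[i].used && memcmp(m->e[i].hit.b, hit->b, 16) == 0) {
            slot = i;                 /* an existing entry is overwritten */
            break;
        }
        if (!m->e[i].used && slot < 0)
            slot = i;                 /* remember the first free slot */
    }
    if (slot < 0)
        return -1;
    m->e[slot].used = 1;
    m->e[slot].hit = *hit;
    m->e[slot].loc = loc;
    return 0;
}

/* Transport address an I1 for this HIT would be sent to. Returns 0 or -1. */
int hit_map_resolve(const hit_map_t *m, const hit_t *hit, locator_t *dst)
{
    for (int i = 0; i < MAP_SLOTS; i++) {
        if (m->e[i].used && memcmp(m->e[i].hit.b, hit->b, 16) == 0) {
            *dst = m->e[i].loc;
            if (dst->udp_port == 0)
                dst->udp_port = HIP_STD_UDP_PORT;
            return 0;
        }
    }
    return -1;
}

/* Endpoint-independent NAT with one binding: any source may send to the
 * public address, but the NAT, not the host, picked the public port. */
typedef struct {
    uint32_t public_ip;
    uint16_t public_port;
    uint16_t inside_port;   /* port the HIP daemon listens on behind the NAT */
} nat_binding_t;

/* Returns the inside port the packet reaches, or 0 if the NAT drops it. */
uint16_t nat_deliver(const nat_binding_t *nat, locator_t dst)
{
    if (dst.ipv4 == nat->public_ip && dst.udp_port == nat->public_port)
        return nat->inside_port;
    return 0;
}

/* Responder side: the address and port an application would have to learn
 * from the daemon in order to publish them. */
locator_t nat_reflexive_locator(const nat_binding_t *nat)
{
    locator_t l = { nat->public_ip, nat->public_port };
    return l;
}

/* Initiator side: resolve the peer HIT and send an I1 through the NAT model. */
uint16_t send_i1(const hit_map_t *m, const hit_t *peer, const nat_binding_t *nat)
{
    locator_t dst;
    if (hit_map_resolve(m, peer, &dst) != 0)
        return 0;
    return nat_deliver(nat, dst);
}

int main(void)
{
    hit_map_t map;
    hit_t peer = {{0x20, 0x01, 0x00, 0x10}};                     /* constructed HIT */
    nat_binding_t nat = {0xC000020Au, 41234, HIP_STD_UDP_PORT};  /* 192.0.2.10, constructed */
    locator_t ip_only = {0xC000020Au, 0};

    memset(&map, 0, sizeof map);
    hit_map_set(&map, &peer, ip_only);
    printf("IP only:    I1 reaches inside port %u\n", (unsigned)send_i1(&map, &peer, &nat));
    hit_map_set(&map, &peer, nat_reflexive_locator(&nat));
    printf("IP + port:  I1 reaches inside port %u\n", (unsigned)send_i1(&map, &peer, &nat));
    return 0;
}
```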



From shinta@sfc.wide.ad.jp  Thu Jul  2 09:05:52 2009
Return-Path: <shinta@sfc.wide.ad.jp>
Message-ID: <4A4CDAB6.90203@sfc.wide.ad.jp>
Date: Fri, 03 Jul 2009 01:05:10 +0900
From: Shinta Sugimoto <shinta@sfc.wide.ad.jp>
User-Agent: Thunderbird 2.0.0.22 (Macintosh/20090605)
MIME-Version: 1.0
To: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
References: <4A425954.4040500@ericsson.com> <4A49F558.7040304@nomadiclab.com> <77F357662F8BFA4CA7074B0410171B6D07B0C3E8@XCH-NW-5V1.nw.nos.boeing.com>
In-Reply-To: <77F357662F8BFA4CA7074B0410171B6D07B0C3E8@XCH-NW-5V1.nw.nos.boeing.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06

Hi Thomas, all,

Excuse me for jumping in the discussion, but please find my comments 
inline.  I am co-authoring the multihome shim API draft.

Henderson, Thomas R wrote:
>> -----Original Message-----
>> From: Ari Keranen [mailto:ari.keranen@nomadiclab.com] 
>> Sent: Tuesday, June 30, 2009 4:22 AM
>> To: HIP
>> Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06
>>
>> Gonzalo Camarillo wrote:
>>> we would like to start the WGLC on the following draft:
>>>
>>> http://tools.ietf.org/html/draft-ietf-hip-native-api-06
>> Here are some comments on the HIP native API draft. Indented text is 
>> copy-pasted from the draft.
>>
>> The draft does not seem to take NAT traversal into account. For NAT 
>> traversal purposes an application that is not using a 
>> resolver should be 
>> able to get the local UDP port used by the HIP daemon for receiving 
>> incoming HIP messages. Also the application should be able to create a 
>> HIT-to-locator mapping that includes a (possibly 
>> non-standard) UDP port 
>> number for a peer. Probably this is more of an issue for the 
>> shim6 API 
>> draft, though.
> 
> I'm concerned that you have hit upon a real problem here.  The shim6
> draft or protocol framework do not seem to have any concept of NAT
> traversal support.  I do not think this is a simple patch for the shim6
> document; for instance, is shim6 WG willing to rewrite Figure 1 of
> http://www.ietf.org/internet-drafts/draft-ietf-shim6-multihome-shim-api-08.txt
> to show the shim6 layer sitting on top of UDP?  The concept of a locator
> in shim6 is an IPv6 address, not a transport address.

Well, I don't think this is a very big change for SHIM6 actually.
In theory, SHIM6 can support IPv4 locator as well.  And such an
idea was brought up and discussed in the SHIM6 WG in the past.
For instance, Section 1.3 of draft-nordmark-shim6-esd-01.txt
discusses the issue of IPv4 locator.  In my understanding,
SHIM6 is very much dependent on IPv6 with regard to the
security mechanism to protect identity ownership (i.e., CGA/HBA).
However, there is not much dependency on IPv6 with regard to
locators because validity check of claimed locator is done by
the return routability test.

Although Figure 1 in the multihome draft shows that the
multihome shim layer is a sub-layer inside the IP layer,
this does not necessarily mean that UDP encap interface cannot
be handled as a locator.  I think this is common to HIP as
well (HIP lies between transport layer and IP layer, from
an architectural p.o.v., if I understand it correctly,
but it supports handling UDP encap interface as a locator).

> One possibility would be to remove the explicit locator-related messages
> in the native HIP API document (leaving them for further study), but
> that would also strip out the support for outbound opportunistic mode.
> 
> The other options seem to be to ask the shim6-api draft authors, and WG,
> to support NAT traversal, or to just write a HIP-specific API for these
> aspects.  In either case, I think we (HIP WG) should decide what we want
> this API to be.

As a co-author of the multihome shim API document, I am willing
to improve the draft to support NAT Traversal.  It is not only
useful for HIP but also for SHIM6 (in the future) as mentioned
above.  Does this sound reasonable?

With regard to the data structure for storing IPv4 address and
a pair of UDP port numbers, let me come up with a proposal later.
I need to discuss with co-authors of the multihome shim API draft.


Regards,
Shinta

> 
>>
>> 4.5. Source HIT Selection by the System:
>>
>>                   | Public DSA      | 130        | 7     |
>>                   | Public RSA      | 140        | 8     |
>>                   | [RFC3484] rules | 50-100     | 7     |
>>
>> Are the labels for Public DSA and RFC 3484 rules 
>> intentionally the same?
>>
> 
> They shouldn't be the same, but more broadly, I think this section may
> need some more work.  According to RFC 3484, the precedence value is
> used for sorting destination addresses, and the label for selecting
> source addresses, but the text here implies that precedence is used for
> source address selection.  It is not clear how RFC3484 rules relate to
> HITs, or whether they are referring to possible use of IP addresses.  
> 
> Tom


From miika.komu@hiit.fi  Thu Jul  2 11:20:45 2009
Return-Path: <miika.komu@hiit.fi>
Message-ID: <4A4CFA96.1010604@hiit.fi>
Date: Thu, 02 Jul 2009 21:21:10 +0300
From: Miika Komu <miika.komu@hiit.fi>
User-Agent: Thunderbird 2.0.0.22 (X11/20090608)
MIME-Version: 1.0
To: Ari Keranen <ari.keranen@nomadiclab.com>
References: <4A425954.4040500@ericsson.com> <4A49F558.7040304@nomadiclab.com>	<77F357662F8BFA4CA7074B0410171B6D07B0C3E8@XCH-NW-5V1.nw.nos.boeing.com> <4A4B3A16.8010908@nomadiclab.com> <4A4C92CE.4080808@hiit.fi> <4A4C9E01.70009@nomadiclab.com>
In-Reply-To: <4A4C9E01.70009@nomadiclab.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06
Reply-To: miika.komu@hiit.fi

Ari Keranen wrote:

Hi,

> Hi,
> 
> Miika Komu wrote:
>> Ari Keranen wrote:
>>> Henderson, Thomas R wrote:
>>>>> -----Original Message-----
>>>>> From: Ari Keranen [mailto:ari.keranen@nomadiclab.com] Sent: 
>>>>> Tuesday, June 30, 2009 4:22 AM
>>>>> To: HIP
>>>>> Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06
>>>>>
>>>>> Gonzalo Camarillo wrote:
>>>>>> we would like to start the WGLC on the following draft:
>>>>>>
>>>>>> http://tools.ietf.org/html/draft-ietf-hip-native-api-06
>>>>> Here are some comments on the HIP native API draft. Indented text 
>>>>> is copy-pasted from the draft.
>>>>>
>>>>> The draft does not seem to take NAT traversal into account. For NAT 
>>>>> traversal purposes an application that is not using a resolver 
>>>>> should be able to get the local UDP port used by the HIP daemon for 
>>>>> receiving incoming HIP messages. Also the application should be 
>>>>> able to create a HIT-to-locator mapping that includes a (possibly 
>>>>> non-standard) UDP port number for a peer. Probably this is more of 
>>>>> an issue for the shim6 API draft, though.
>>>>
>>>> I'm concerned that you have hit upon a real problem here.  The shim6
>>>> draft or protocol framework do not seem to have any concept of NAT
>>>> traversal support.  I do not think this is a simple patch for the shim6
>>>> document; for instance, is shim6 WG willing to rewrite Figure 1 of
>>>> http://www.ietf.org/internet-drafts/draft-ietf-shim6-multihome-shim-api-08.txt
>>>> to show the shim6 layer sitting on top of UDP?  The concept of a 
>>>> locator
>>>> in shim6 is an IPv6 address, not a transport address.
>>>
>>> True. Overall shim6 is really IPv6 centric, and even in the shim6 WG 
>>> charter it's said that:
>>>
>>> - IPv6 NAT devices are assumed not to exist, or not to present an
>>> obstacle about which the shim6 solution needs to be concerned.
>>> - Only IPv6 is considered.
>>>
>>> So this could actually be quite a bit out of scope for the shim6 API 
>>> draft.
>>
>> Agree, but a problem is that the same API is used by two protocols. 
>> The SHIM API should be modular enough to accommodate both of them. At 
>> the minimum, the SHIM draft could define some reserved fields for 
>> ports to support further extensions.
> 
> Sounds reasonable.
> 
>>>> One possibility would be to remove the explicit locator-related 
>>>> messages
>>>> in the native HIP API document (leaving them for further study), but
>>>> that would also strip out the support for outbound opportunistic mode.
>>>>
>>>> The other options seem to be to ask the shim6-api draft authors, and 
>>>> WG,
>>>> to support NAT traversal, or to just write a HIP-specific API for these
>>>> aspects.  In either case, I think we (HIP WG) should decide what we 
>>>> want
>>>> this API to be.
>>>
>>> Probably writing a HIP-specific API would be the easier way, but 
>>> surely it doesn't hurt to ask from the shim6 API draft authors (and 
>>> WG?) too.
>>
>> We could increase the flexibility in the SHIM API for future 
>> extensions but I am not yet convinced for the need for applications to 
>> control the UDP port numbers in HIP API for the following reasons:
>>
>> * The UDP port numbers would be mostly useful IMHO in a library based 
>> HIP implementation (e.g. OpenSSL extensions). So far, there has been 
>> little work towards this (albeit the specifications shouldn't create 
>> artificial obstacles for such work).
>> * We have decided earlier to exclude support for user specific HITs in 
>> the draft which are basically required for library-based implementations.
> 
> Library based implementations are just one use case for this. For 
> example, you could sit behind a NAT that allows nicely anyone to contact 
> you, but you can't choose your public port number. Or some other service 
> might be running on the HIP port, and thus HIP daemon needs to use some 
> other port than what IANA reserves for the purpose.

I'd think it's quite common that NATs don't let you choose the port 
number, which is the reason why we need the HIP relay.

If some other service is occupying the HIP port on the same machine, the 
other service is breaking the IANA allocation. Nothing much we can do 
for that.

Do you actually mean the case where there are e.g. two hosts behind a 
single NAT controlled by the user of the hosts? In such a case, the 
"power" user could avoid use of the relay by specifying a non-standard 
port. I believe this would be an adequate use case to suit people who 
are capable of configuring bypass ports to their NAT boxes. Perhaps 
future HIP NAT extensions or implementation could actually define some 
UPnP extensions to automatize port reservation to remove this burden 
from the user.

Still, the use case above is an optimization more prone to failure than 
using a HIP relay...

>> * The NAT draft doesn't really handle properly the case where a host 
>> has single HIT but uses multiple UDP ports.
> 
> How come? Anyway, I would consider using multiple UDP ports a bit corner 
> case anyway.

I tried to invent a use case for the port numbers. I was thinking a 
(client) library based implementation that shares the HIT but uses 
different port numbers to demultiplex the different users/applications. 
Then two users on a single client would connect to a single server. This 
is not covered in the draft and I don't think it should be.

>> * The current version of the HIP API is oriented towards DNS and not 
>> DHT (see related comment on the end of this email).
> 
> That's true, but I think supporting also DHT-like environments would 
> make sense. Or would you prefer a separate draft for that?

We have two choices:

* Define place holders for port numbers in the SHIM draft and describe 
the usage in HIP API or
* have the whole thing in the SHIM draft (it's about locators after all 
and SHIM API is all about locator handling)

I am open to whichever option makes most sense to people.

>>> Anyway, I think this is an important issue and should be addressed 
>>> somehow. The NAT traversal related requirements for the API include 
>>> at least:
>>> - ability for an application to learn the local HIP UDP port number 
>>> and IP address (so it can publish them e.g., to a DHT)
>>
>> I believe you mean the relay reflexive address? I think publishing the 
>> IP address of the relay should suffice and this can be done at the 
>> system level.
> 
> I mean whatever port & address you use for the purpose of receiving HIP 
> signaling (especially I1) packets. This can be a local address, server 
> reflexive address (i.e., the address NAT gives you), address of your HIP 
> relay server, etc. And any of these may potentially have a non-standard 
> UDP port.
>
> You're right that *most* of the time just your relay's IP address is 
> enough, but for example with a host without a HIP relay server but 
> behind an endpoint independent NAT (as I explained before) this feature 
> would be needed.
>
>>> - ability for an application to set the port (in addition to IP 
>>> address) for a peer locator when creating a HIT-locator mapping to 
>>> the daemon
>>
>> Once again, the relay address should be sufficient. The port number is 
>> not necessary because a HIP relay uses HITs for demultiplexing traffic. 
> 
> I guess I don't need to repeat myself here :)
> 
>> The end-hosts negotiate the TURN relay dynamically during the base 
>> exchange. I think the TURN relay should be set also at the system 
>> level and not at the application layer to avoid user access control 
>> issues (which are not currently in the scope of the draft).
> 
> I think TURN relaying is an unrelated issue here -- unless you are using 
> TURN to also relay I1 packets, but that's a bit more complicated because 
> you would need to install TURN permissions at the TURN server for the 
> Initiator.

Ok.

>>> In addition, it would be helpful to have a way to store the port 
>>> number to DNS, but I don't see this as important as the two 
>>> requirements above.
>>
>> The OpenDHT extensions can already support UDP port numbers. DNS 
>> extensions are not really in the scope of the API drafts apart from 
>> the resolver interface.
> 
> OK. So I guess your preference would be a separate draft for this.

From gonzalo.camarillo@ericsson.com  Thu Jul  2 11:34:43 2009
Return-Path: <gonzalo.camarillo@ericsson.com>
Message-ID: <4A4CFD99.6060804@ericsson.com>
Date: Thu, 02 Jul 2009 21:34:01 +0300
From: Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>
User-Agent: Thunderbird 2.0.0.22 (Windows/20090605)
MIME-Version: 1.0
To: Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>
References: <4A425954.4040500@ericsson.com>
In-Reply-To: <4A425954.4040500@ericsson.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06

Hi,

another reason why we waited with this WGLC was that we wanted to have a 
better understanding of HIP-based overlays in order to understand 
whether or not we wanted to include overlay-related functionality in 
this API. Comments on this topic are welcome.

Cheers,

Gonzalo


Gonzalo Camarillo wrote:
> Folks,
> 
> we would like to start the WGLC on the following draft:
> 
> http://tools.ietf.org/html/draft-ietf-hip-native-api-06
> 
> Some time ago, we decided to wait with this WGLC until the NAT traversal 
> draft was more mature. The WGLC on the NAT traversal draft ends on 
> Sunday. We chose to make both WGLCs overlap a bit just in case somebody 
> wants to review both drafts at the same time.
> 
> This WGLC will end on July 12th.
> 
> Cheers,
> 
> Gonzalo
> HIP co-chair
> 


From thomas.r.henderson@boeing.com  Thu Jul  2 22:22:45 2009
Return-Path: <thomas.r.henderson@boeing.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 2 Jul 2009 22:20:09 -0700
Message-ID: <77F357662F8BFA4CA7074B0410171B6D099DF19D@XCH-NW-5V1.nw.nos.boeing.com>
References: <4A425954.4040500@ericsson.com> <4A49F558.7040304@nomadiclab.com> <77F357662F8BFA4CA7074B0410171B6D07B0C3E8@XCH-NW-5V1.nw.nos.boeing.com> <4A4CDAB6.90203@sfc.wide.ad.jp>
From: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
To: "Shinta Sugimoto" <shinta@sfc.wide.ad.jp>
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06

>>
>> The other options seem to be to ask the shim6-api draft authors, and WG,
>> to support NAT traversal, or to just write a HIP-specific API for these
>> aspects.  In either case, I think we (HIP WG) should decide what we want
>> this API to be.
>
>As a co-author of the multihome shim API document, I am willing
>to improve the draft to support NAT Traversal.  It is not only
>useful for HIP but also for SHIM6 (in the future) as mentioned
>above.  Does this sound reasonable?
>
>With regard to the data structure for storing IPv4 address and
>a pair of UDP port numbers, let me come up with proposal later.
>I need to discuss with co-authors of the multihome shim API draft.

Thanks, it sounds reasonable to extend this if shim6 WG is willing, but
from your comments, I take it that you are just going to focus on IPv4
NAT traversal?  I was wondering whether IPv6 NAT traversal also should
be supported in the API in case such devices (or firewalls that filter
the HIP protocol) become prevalent.

Tom

From ari.keranen@nomadiclab.com  Fri Jul  3 06:48:34 2009
Return-Path: <ari.keranen@nomadiclab.com>
Message-ID: <4A4E0C41.40500@nomadiclab.com>
Date: Fri, 03 Jul 2009 16:48:49 +0300
From: Ari Keranen <ari.keranen@nomadiclab.com>
User-Agent: Thunderbird 2.0.0.21 (X11/20090318)
MIME-Version: 1.0
To: miika.komu@hiit.fi
References: <4A425954.4040500@ericsson.com> <4A49F558.7040304@nomadiclab.com>	<77F357662F8BFA4CA7074B0410171B6D07B0C3E8@XCH-NW-5V1.nw.nos.boeing.com> <4A4B3A16.8010908@nomadiclab.com> <4A4C92CE.4080808@hiit.fi> <4A4C9E01.70009@nomadiclab.com> <4A4CFA96.1010604@hiit.fi>
In-Reply-To: <4A4CFA96.1010604@hiit.fi>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06

Miika Komu wrote:
> Ari Keranen wrote:
>> Miika Komu wrote:
>>> Ari Keranen wrote:
>>>> Henderson, Thomas R wrote:
>>>>>> -----Original Message-----
>>>>>> From: Ari Keranen [mailto:ari.keranen@nomadiclab.com] Sent: 
>>>>>> Tuesday, June 30, 2009 4:22 AM
>>>>>> To: HIP
>>>>>> Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06
>>>>>>
>>>>>> Gonzalo Camarillo wrote:
>>>>>>> we would like to start the WGLC on the following draft:
>>>>>>>
>>>>>>> http://tools.ietf.org/html/draft-ietf-hip-native-api-06
>>>>>> Here are some comments on the HIP native API draft. Indented text 
>>>>>> is copy-pasted from the draft.
>>>>>>
>>>>>> The draft does not seem to take NAT traversal into account. For 
>>>>>> NAT traversal purposes an application that is not using a resolver 
>>>>>> should be able to get the local UDP port used by the HIP daemon 
>>>>>> for receiving incoming HIP messages. Also the application should 
>>>>>> be able to create a HIT-to-locator mapping that includes a (possibly 
>>>>>> non-standard) UDP port number for a peer. Probably this is more of 
>>>>>> an issue for the shim6 API draft, though.
>>>>>
>>>>> I'm concerned that you have hit upon a real problem here.  The shim6
>>>>> draft or protocol framework do not seem to have any concept of NAT
>>>>> traversal support.  I do not think this is a simple patch for the 
>>>>> shim6
>>>>> document; for instance, is shim6 WG willing to rewrite Figure 1 of
>>>>> http://www.ietf.org/internet-drafts/draft-ietf-shim6-multihome-shim-api-08.txt
>>>>> to show the shim6 layer sitting on top of UDP?  The concept of a 
>>>>> locator
>>>>> in shim6 is an IPv6 address, not a transport address.
>>>>
>>>> True. Overall shim6 is really IPv6 centric, and even in the shim6 WG 
>>>> charter it's said that:
>>>>
>>>> - IPv6 NAT devices are assumed not to exist, or not to present an
>>>> obstacle about which the shim6 solution needs to be concerned.
>>>> - Only IPv6 is considered.
>>>>
>>>> So this could actually be quite a bit out of scope for the shim6 API 
>>>> draft.
>>>
>>> Agree, but a problem is that the same API is used by two protocols. 
>>> The SHIM API should be modular enough to accommodate both of them. At 
>>> the minimum, the SHIM draft could define some reserved fields for 
>>> ports to support further extensions.
>>
>> Sounds reasonable.
>>
>>>>> One possibility would be to remove the explicit locator-related 
>>>>> messages
>>>>> in the native HIP API document (leaving them for further study), but
>>>>> that would also strip out the support for outbound opportunistic mode.
>>>>>
>>>>> The other options seem to be to ask the shim6-api draft authors, 
>>>>> and WG,
>>>>> to support NAT traversal, or to just write a HIP-specific API for 
>>>>> these
>>>>> aspects.  In either case, I think we (HIP WG) should decide what we 
>>>>> want
>>>>> this API to be.
>>>>
>>>> Probably writing a HIP-specific API would be the easier way, but 
>>>> surely it doesn't hurt to ask from the shim6 API draft authors (and 
>>>> WG?) too.
>>>
>>> We could increase the flexibility in the SHIM API for future 
>>> extensions but I am not yet convinced for the need for applications 
>>> to control the UDP port numbers in HIP API for the following reasons:
>>>
>>> * The UDP port numbers would be mostly useful IMHO in a library based 
>>> HIP implementation (e.g. OpenSSL extensions). So far, there has been 
>>> little work towards this (albeit the specifications shouldn't create 
>>> artificial obstacles for such work).
>>> * We have decided earlier to exclude support for user specific HITs 
>>> in the draft which are basically required for library-based 
>>> implementations.
>>
>> Library based implementations are just one use case for this. For 
>> example, you could sit behind a NAT that allows nicely anyone to 
>> contact you, but you can't choose your public port number. Or some 
>> other service might be running on the HIP port, and thus HIP daemon 
>> needs to use some other port than what IANA reserves for the purpose.
> 
> I'd think it's quite common that NATs don't let you choose the port 
> number, which is the reason why we need the HIP relay.

But if you are behind a friendly NAT, you could survive even without a 
HIP relay.

> If some other service is occupying the HIP port on the same machine, the 
> other service is breaking the IANA allocation. Nothing much we can do 
> for that.

Except run our service in some other port; and that's exactly what I'm 
suggesting that we should support.

> Do you actually mean the case where there are e.g. two hosts behind a 
> single NAT controlled by the user of the hosts? In such a case, the 

No, just a regular case where a single user is behind a NAT, and is able 
to receive data from any host to the address given by the NAT, but is 
not able to choose the port number.

> "power" user could avoid use of the relay by specifying a non-standard 
> port. I believe this would be an adequate use case to suit people who 
> are capable of configuring bypass ports to their NAT boxes. Perhaps 
> future HIP NAT extensions or implementation could actually define some 
> uPNP extensions to automatize port reservation to remove this burden 
> from the user.
> 
> Still, the use case above is an optimization more prone to failure than 
> using a HIP relay...

Sure, a HIP relay would be a better option, but you may not always have 
such option available.

>>> * The NAT draft doesn't really handle properly the case where a host 
>>> has single HIT but uses multiple UDP ports.
>>
>> How come? Anyway, I would consider using multiple UDP ports a bit 
>> corner case anyway.
> 
> I tried to invent a use case for the port numbers. I was thinking a 
> (client) library based implementation that shares the HIT but uses 
> different port numbers to demultiplex the different users/applications. 
> Then two users on a single client would connect to a single server. This 
> is not covered in the draft and I don't think it should be.

OK

>>> * The current version of the HIP API is oriented towards DNS and not 
>>> DHT (see related comment on the end of this email).
>>
>> That's true, but I think supporting also DHT-like environments would 
>> make sense. Or would you prefer a separate draft for that?
> 
> We have two choices:
> 
> * Define place holders for port numbers in the SHIM draft and describe 
> the usage in HIP API or
> * have the whole thing in the SHIM draft (it's about locators after all 
> and SHIM API is all about locator handling)
> 
> I am open for the option which ever makes most sense to people.

Both are fine for me too.


Cheers,
Ari

From miika.komu@hiit.fi  Fri Jul  3 06:53:01 2009
Message-ID: <4A4E0D52.9090703@hiit.fi>
Date: Fri, 03 Jul 2009 16:53:22 +0300
From: Miika Komu <miika.komu@hiit.fi>
User-Agent: Thunderbird 2.0.0.22 (X11/20090608)
MIME-Version: 1.0
To: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
References: <4A425954.4040500@ericsson.com> <4A49F558.7040304@nomadiclab.com> <77F357662F8BFA4CA7074B0410171B6D07B0C3E8@XCH-NW-5V1.nw.nos.boeing.com>
In-Reply-To: <77F357662F8BFA4CA7074B0410171B6D07B0C3E8@XCH-NW-5V1.nw.nos.boeing.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06

Henderson, Thomas R wrote:

>> -----Original Message-----
>> From: Ari Keranen [mailto:ari.keranen@nomadiclab.com] 
>> Sent: Tuesday, June 30, 2009 4:22 AM
>> To: HIP
>> Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06
>>
>> Gonzalo Camarillo wrote:
>>> we would like to start the WGLC on the following draft:
>>>
>>> http://tools.ietf.org/html/draft-ietf-hip-native-api-06
>> Here are some comments on the HIP native API draft. Indented text is 
>> copy-pasted from the draft.
>>
>> The draft does not seem to take NAT traversal into account. For NAT 
>> traversal purposes an application that is not using a resolver should be 
>> able to get the local UDP port used by the HIP daemon for receiving 
>> incoming HIP messages. Also the application should be able to create a 
>> HIT-to-locator mapping that includes a (possibly non-standard) UDP port 
>> number for a peer. Probably this is more of an issue for the shim6 API 
>> draft, though.
> 
> I'm concerned that you have hit upon a real problem here.  The shim6
> draft or protocol framework do not seem to have any concept of NAT
> traversal support.  I do not think this is a simple patch for the shim6
> document; for instance, is shim6 WG willing to rewrite Figure 1 of
> http://www.ietf.org/internet-drafts/draft-ietf-shim6-multihome-shim-api-08.txt
> to show the shim6 layer sitting on top of UDP?  The concept of a locator
> in shim6 is an IPv6 address, not a transport address.
> 
> One possibility would be to remove the explicit locator-related messages
> in the native HIP API document (leaving them for further study), but
> that would also strip out the support for outbound opportunistic mode.
> 
> The other options seem to be to ask the shim6-api draft authors, and WG,
> to support NAT traversal, or to just write a HIP-specific API for these
> aspects.  In either case, I think we (HIP WG) should decide what we want
> this API to be.

The NAT traversal part isn't yet included in either of the drafts.

>> 4.5. Source HIT Selection by the System:
>>
>>                   | Public DSA      | 130        | 7     |
>>                   | Public RSA      | 140        | 8     |
>>                   | [RFC3484] rules | 50-100     | 7     |
>>
>> Are the labels for Public DSA and RFC 3484 rules 
>> intentionally the same?
>>
> 
> They shouldn't be the same, but more broadly, I think this section may
> need some more work.  According to RFC 3484, the precedence value is
> used for sorting destination addresses, and the label for selecting
> source addresses, but the text here implies that precedence is used for
> source address selection.  It is not clear how RFC3484 rules relate to
> HITs, or whether they are referring to possible use of IP addresses.  

Unless there are objections, I would suggest to leave this for future 
work. I have commented this section out from the preversion:

http://www.iki.fi/miika/docs/draft-ietf-hip-native-api-07-pre1.txt

IMHO, the source HIT selection is more related to routing than the API 
syntax. I think this could be handled separately along with overlay 
routing issues which haven't received any feedback yet from the WG.

Comments?

From miika.komu@hiit.fi  Fri Jul  3 06:56:29 2009
Message-ID: <4A4E0E22.9040200@hiit.fi>
Date: Fri, 03 Jul 2009 16:56:50 +0300
From: Miika Komu <miika.komu@hiit.fi>
User-Agent: Thunderbird 2.0.0.22 (X11/20090608)
MIME-Version: 1.0
To: Ari Keranen <ari.keranen@nomadiclab.com>
References: <4A425954.4040500@ericsson.com> <4A49F558.7040304@nomadiclab.com>
In-Reply-To: <4A49F558.7040304@nomadiclab.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06

Ari Keranen wrote:

Hi,

> Gonzalo Camarillo wrote:
>> we would like to start the WGLC on the following draft:
>>
>> http://tools.ietf.org/html/draft-ietf-hip-native-api-06
> 
> Here are some comments on the HIP native API draft. Indented text is 
> copy-pasted from the draft.
> 
> The draft does not seem to take NAT traversal into account. For NAT 
> traversal purposes an application that is not using a resolver should be 
> able to get the local UDP port used by the HIP daemon for receiving 
> incoming HIP messages. Also the application should be able to create a 
> HIT-to-locator mapping that includes a (possibly non-standard) UDP port 
> number for a peer. Probably this is more of an issue for the shim6 API 
> draft, though.
> 
> Also, I think it would be worthwhile to clarify in section 3.2 what 
> socket options exactly are used for setting new HIT-to-locator mappings 
> when no (DNS) resolver is used. Maybe add a reference to section 4.6.
> 
> 
> In section 4.1. Socket Family and Address Structure Extensions:
> 
>    The
>    HIP_HIT_ANY equals to HIP_HIT_ANY_PUB or HIP_HIT_ANY_TMP.
> 
> Do you mean here that
> HIP_HIT_ANY = HIP_HIT_ANY_PUB | HIP_HIT_ANY_TMP
> or that the implementation is free to set HIP_HIT_ANY to any one of the 
> two? I'd guess you mean the binary/logical or, but it wasn't clear while 
> reading this the first time.

It's '|'. I hope the text is now more clear.

> 4.2. Extensions to Resolver Data Structures:
> 
>    The simultaneous use of both HIP_PREFER_ORCHID and
>    HIP_PREFER_PASSIVE_* flags produces a single sockaddr_hip structure
>    containing a wildcard address that the application can use either for
>    incoming (node argument is NULL in getaddrinfo) or outgoing
>    communications (node argument is non-NULL).
> 
> I think you should introduce the HIP_PREFER_PASSIVE_* flags before this. 
> Actually, I couldn't find any explanation of their semantics in the 
> whole document.

Done.

> 4.6. Explicit Handling of Locators:
> 
>    An application that initiates a connection using a connection
>    oriented socket to a particular host at a known address or set of
>    addresses can invoke SHIM_LOCLIST_PEER socket option.
> 
> What about UDP (non-connection oriented) sockets? I hope you can also 
> use the LOCLIST option with them.

Added a paragraph on datagram-oriented applications.

> 4.5. Source HIT Selection by the System:
> 
>                  | Public DSA      | 130        | 7     |
>                  | Public RSA      | 140        | 8     |
>                  | [RFC3484] rules | 50-100     | 7     |
> 
> Are the labels for Public DSA and RFC 3484 rules intentionally the same?

No, my bad. I have commented this section for the time being unless 
people really want it there. It requires more work.

> Editorial nits/comments:
> 
> The table of contents is partially double-spaced but all the other HIP 
> RFCs have fully single-spaced TOCs, so it would make sense to use only 
> single spacing here too.
> 
> 
> 4.1. Socket Family and Address Structure Extensions:
> 
>    The port number ship_port is two
>    octets in network byte order. and the ship_hit is 16 octets in
> 
> A period in the middle of a sentence.
> 
> 
> 4.4. Validating HITs:
> 
>          short sockaddr_is_srcaddr(struct sockaddr *srcaddr
>                                    uint64_t flags);
> 
> Missing comma between the arguments.
> 
> 
> 4.6. Explicit Handling of Locators:
> 
> The description for SHIM_LOC_LOCAL_SEND and SHIM_LOC_PEER_SEND in Figure 
> 6 implies that the options have only "set" semantics while they seem to 
> also work with "get". Also, I'd call that a "table" instead of "figure".
> 
> 
>    [...] uses the first address (if multiple are provided, or else the
>    application can override this by setting SHIM_LOC_PEER_PREF to one of
>    the addresses in SHIM_LOCLIST_PEER.
> 
> Missing closing parenthesis.

Fixed. New version is here:

http://www.iki.fi/miika/docs/draft-ietf-hip-native-api-07-pre1.txt

Thanks for your comments!


From miika.komu@hiit.fi  Fri Jul  3 07:00:24 2009
Message-ID: <4A4E0F0D.5090905@hiit.fi>
Date: Fri, 03 Jul 2009 17:00:45 +0300
From: Miika Komu <miika.komu@hiit.fi>
User-Agent: Thunderbird 2.0.0.22 (X11/20090608)
MIME-Version: 1.0
To: "Ahrenholz, Jeffrey M" <jeffrey.m.ahrenholz@boeing.com>
References: <4A425954.4040500@ericsson.com> <0DF156EE7414494187B087A3C279BDB404AD7B8F@XCH-NW-6V1.nw.nos.boeing.com>
In-Reply-To: <0DF156EE7414494187B087A3C279BDB404AD7B8F@XCH-NW-6V1.nw.nos.boeing.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06

Ahrenholz, Jeffrey M wrote:

Hi,

> Here are additional comments on the native API draft, mostly editorial
> nits.
> 
> You might reference ORCHIDs earlier on (maybe second or third paragraph
> of introduction) as the first time they appear in this draft is section
> 4.2.

Done.

> Should the resolver function be dealing with sockaddr_orchid
> instead of sockaddr_hip? The naming is a little strange to have the
> HIP_PREFER_ORCHID flag return sockaddr_hip. (See also a note below about
> typedef orchid_t ...)

I agree that the HIT vs. ORCHID usage was confusing. I replaced all 
orchid names with HITs in order to unify the naming scheme in the API. 
Is it ok now?

> Abstract, Page 2
> current sockets API for the Host Identity Protocol
>                         ^^^
> Section 1., Page 4
> are of an experimental nature  *or* are experimental in nature
>        ^^                             ^^(deleted of) ^^
> Section 3.1 Page 5
> (parenthesis might make these steps more clear in the text)
> calls the resolver in step (a) to resolve an FQDN in step (b).
>                            ^ ^                    ^^      ^ ^
> and a set of locators in step (c).
>                       ^^      ^ ^
> Section 3.1 Page 5
> caches the HIT to locator mapping with the HIP module
>                                   ^^^^
> Figure 1 Page 5
> I'm not sure you need the double text <HITS+locators = HITs+locs>
> Maybe just <HITs+locs> or <HITs+locs.> would suffice?
> 
> Section 3.2 Page 5-6
> suggest replacing:
>   The resolver associates implicitly the HIT with the locator(s)
>   by e.g. communicating the HIT-to-IP mapping to the HIP daemon. 
> with this:
>   The resolver may implicitly associate the HIT with its 
>   locator(s) by communicating the HIT-to-IP mapping to the
>   HIP daemon.

Done.

> Page 3 says:
> "This document specifies extensions to [RFC3493] to define a new
>  socket address family, AF_HIP.  The macro AF_HIP is used as an alias
>  for PF_HIP in this document because the distinction between AF and PF
>  has been lost in practice."
> but then Section 4.1 Page 6, 2nd paragraph talks about using PF_HIP
> "The use of the PF_HIP constant" ...

I rephrased this, please check if it is ok now.

> In Figure 2 on Page 6, there is typedef struct in6_addr hip_hit_t. It
> may be worthwhile to reference the RFC 4843 ORCHIDs so that the HIT is
> defined as an ORCHID such as: typedef struct in6_addr orchid_t; typedef
> orchid_t hip_hit_t;

I am not sure what to do about it because I decided to unify the 
constants just to use always "hit".

> Section 4.1 Page 7
> identifiers refer to the use of anonymous identifiers
>                              ^^
> Section 4.1 Page 8
> it should be noted that different
>              ^^^^^ (replaced noticed)
> Section 4.2 Page 8
> to be used by applications to query
>                          ^
> The application must set both the
> ^^^
> The application denotes its preference
> ^^^
> Section 4.2 Page 10
> cache the locator mappings with the HIP module
>                            ^^^^
> it should be noted that the application
>              ^^^^^
> Section 4.5 Page 11
> When an application using a AF_HIP-based
>      ^^
> Section 4.5 Page 12
> When the system provides multiple keys of the same type
>      ^^^                                  ^^^
> Section 4.5 Page 12
> calls and in the ancillary data of datagram packets
>                  ^^^^^^^^^
> Section 9 Page 15
> Jan Melen appears to have provided twice the feedback :)

Fixed. Thanks!

http://www.iki.fi/miika/docs/draft-ietf-hip-native-api-07-pre1.txt

From web-usrn@ISI.EDU  Mon Jun 29 03:12:17 2009
Date: Mon, 29 Jun 2009 03:11:59 -0700 (PDT)
Message-Id: <200906291011.n5TABxh9020780@boreas.isi.edu>
To: petri.jokela@nomadiclab.com, rgm@icsalabs.com, pekka.nikander@nomadiclab.com, rdroms@cisco.com, jari.arkko@piuha.net,  dward@cisco.com, gonzalo.camarillo@ericsson.com
From: RFC Errata System <rfc-editor@rfc-editor.org>
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: web-usrn@boreas.isi.edu
X-Mailman-Approved-At: Sat, 04 Jul 2009 06:16:32 -0700
Cc: hipsec@ietf.org, ari.keranen@ericsson.com, rfc-editor@rfc-editor.org
Subject: [Hipsec] [Editorial Errata Reported] RFC5202 (1798)

The following errata report has been submitted for RFC5202,
"Using the Encapsulating Security Payload (ESP) Transport Format with the Host Identity Protocol (HIP)".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=5202&eid=1798

--------------------------------------
Type: Editorial
Reported by: Ari Keränen <ari.keranen@ericsson.com>

Section: 5.1.2

Original Text
-------------
Conversely, a recipient MUST be prepared to handle received transport
parameters that contain more than six Suite IDs.

Corrected Text
--------------
Conversely, a recipient MUST be prepared to handle received transform
parameters that contain more than six Suite IDs.

Notes
-----
The section describes the ESP "transform", not "transport", parameter.

Instructions:
-------------
This errata is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party (IESG)
can log in to change the status and edit the report, if necessary. 

--------------------------------------
RFC5202 (draft-ietf-hip-esp-06)
--------------------------------------
Title               : Using the Encapsulating Security Payload (ESP) Transport Format with the Host Identity Protocol (HIP)
Publication Date    : April 2008
Author(s)           : P. Jokela, R. Moskowitz, P. Nikander
Category            : EXPERIMENTAL
Source              : Host Identity Protocol
Area                : Internet
Stream              : IETF
Verifying Party     : IESG

From web-usrn@ISI.EDU  Tue Jun 30 05:10:52 2009
Date: Tue, 30 Jun 2009 05:09:15 -0700 (PDT)
Message-Id: <200906301209.n5UC9Faj009801@boreas.isi.edu>
To: rgm@icsalabs.com, pekka.nikander@nomadiclab.com, petri.jokela@nomadiclab.com, thomas.r.henderson@boeing.com, rdroms@cisco.com, jari.arkko@piuha.net, dward@cisco.com, gonzalo.camarillo@ericsson.com
From: RFC Errata System <rfc-editor@rfc-editor.org>
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: web-usrn@boreas.isi.edu
X-Mailman-Approved-At: Sat, 04 Jul 2009 06:16:32 -0700
Cc: hipsec@ietf.org, ari.keranen@ericsson.com, rfc-editor@rfc-editor.org
Subject: [Hipsec] [Technical Errata Reported] RFC5201 (1799)

The following errata report has been submitted for RFC5201,
"Host Identity Protocol".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=5201&eid=1799

--------------------------------------
Type: Technical
Reported by: Ari Keränen <ari.keranen@ericsson.com>

Section: 5.2.

Original Text
-------------
   Parameters numbered between 1024-2047 are reserved.  Parameters
   numbered between 2048-4095 are used for parameters related to HIP
   transform types.  Parameters numbered between 4096 and (2^16 - 2^12)
   61439 are reserved.  Parameters numbered between 61440-62463 are used
   for signatures and signed MACs.  Parameters numbered between 62464-
   63487 are used for parameters that fall outside of the signed area of
   the packet.  Parameters numbered between 63488-64511 are used for
   rendezvous and other relaying services.  Parameters numbered between
   64512-65535 are reserved.

Corrected Text
--------------
(for the correct values, see: http://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#hip-parameters-3)

Notes
-----
The parameter number ranges are not in sync with the actual IANA assignments.

Instructions:
-------------
This errata is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party (IESG)
can log in to change the status and edit the report, if necessary. 

--------------------------------------
RFC5201 (draft-ietf-hip-base-10)
--------------------------------------
Title               : Host Identity Protocol
Publication Date    : April 2008
Author(s)           : R. Moskowitz, P. Nikander, P. Jokela, Ed., T. Henderson
Category            : EXPERIMENTAL
Source              : Host Identity Protocol
Area                : Internet
Stream              : IETF
Verifying Party     : IESG
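
A bounds-checked walk over HIP parameter TLVs that tags each type with the range class from the RFC 5201 Section 5.2 text quoted in the erratum above. This is an added example, not code from the thread or from any HIP implementation. Assumptions: the TLV layout (16-bit type whose low bit is the critical flag, 16-bit content length, padding to 8 bytes) follows RFC 5201 Section 5.2.1; all function, enum and struct names and the sample bytes are constructed; the ranges are the RFC's text, which the erratum reports as out of sync with the IANA registry.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Range classes named after the quoted RFC 5201 Section 5.2 text.
 * R_UNLISTED covers types below 1024, which the quoted text does not mention. */
enum hip_range { R_UNLISTED, R_RESERVED, R_TRANSFORM, R_SIGNATURE,
                 R_UNSIGNED, R_RELAY };

struct range_row { uint16_t lo, hi; enum hip_range cls; };

/* Ranges exactly as quoted under "Original Text". Erratum 1799 reports they
 * differ from the IANA registry, so a deployed parser should take its table
 * from the registry instead (assumption: this table is illustrative only). */
static const struct range_row quoted_ranges[] = {
    {  1024,  2047, R_RESERVED  },
    {  2048,  4095, R_TRANSFORM },
    {  4096, 61439, R_RESERVED  },
    { 61440, 62463, R_SIGNATURE },
    { 62464, 63487, R_UNSIGNED  },
    { 63488, 64511, R_RELAY     },
    { 64512, 65535, R_RESERVED  },
};

enum hip_range classify_type(uint16_t type)
{
    size_t i;
    for (i = 0; i < sizeof quoted_ranges / sizeof quoted_ranges[0]; i++)
        if (type >= quoted_ranges[i].lo && type <= quoted_ranges[i].hi)
            return quoted_ranges[i].cls;
    return R_UNLISTED;
}

struct hip_param {
    uint16_t type;        /* full 16-bit type code, C bit included */
    uint16_t length;      /* length of the contents, without padding */
    int critical;         /* low bit of the type code */
    enum hip_range cls;   /* class per the quoted ranges */
    const uint8_t *value; /* points into the caller's buffer */
};

/* Walks the parameter area buf[0..len). Returns the number of parameters
 * stored in out, or -1 if a header or body runs past the buffer or more
 * than max parameters are present. Never reads outside buf[0..len). */
int walk_params(const uint8_t *buf, size_t len,
                struct hip_param *out, size_t max)
{
    size_t off = 0, n = 0;

    while (off < len) {
        size_t remaining = len - off, total;
        uint16_t type, plen;

        if (remaining < 4 || n == max)
            return -1;                      /* truncated header or no room */
        type = (uint16_t)((buf[off] << 8) | buf[off + 1]);
        plen = (uint16_t)((buf[off + 2] << 8) | buf[off + 3]);

        /* Total length including header and padding to a multiple of 8
         * (RFC 5201 Section 5.2.1). Always >= 8, so the loop advances. */
        total = 11 + (size_t)plen - ((size_t)plen + 3) % 8;
        if (total > remaining)
            return -1;                      /* body or padding truncated */

        out[n].type = type;
        out[n].length = plen;
        out[n].critical = type & 1;
        out[n].cls = classify_type(type);
        out[n].value = buf + off + 4;
        n++;
        off += total;
    }
    return (int)n;
}

/* Constructed sample: type 2049 with 2 content bytes (8 bytes on the wire),
 * then type 61440 with 5 content bytes (16 bytes on the wire). */
static const uint8_t sample_params[] = {
    0x08, 0x01, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00,
    0xF0, 0x00, 0x00, 0x05, 0xAA, 0xBB, 0xCC, 0xDD,
    0xEE, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};

int main(void)
{
    struct hip_param p[4];
    int i, n = walk_params(sample_params, sizeof sample_params, p, 4);

    for (i = 0; i < n; i++)
        printf("type=%u len=%u critical=%d class=%d\n",
               (unsigned)p[i].type, (unsigned)p[i].length,
               p[i].critical, (int)p[i].cls);
    /* The same buffer cut short inside the second parameter is rejected. */
    printf("truncated: %d\n", walk_params(sample_params, 20, p, 4));
    return 0;
}
```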

From samu.varjonen@hiit.fi  Mon Jul  6 00:05:37 2009
Message-ID: <4A51A258.6080205@hiit.fi>
Date: Mon, 06 Jul 2009 10:06:00 +0300
From: Varjonen Samu <samu.varjonen@hiit.fi>
User-Agent: Thunderbird 2.0.0.21 (X11/20090409)
MIME-Version: 1.0
To: Ari Keranen <ari.keranen@nomadiclab.com>
References: <4A4C8F57.8090800@nomadiclab.com>
In-Reply-To: <4A4C8F57.8090800@nomadiclab.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] Comments on draft-ietf-hip-cert-01.txt

Ari Keranen wrote:
> Hi,
> 
> Here's some comments/editorial nits on the HIP Certificates draft. 
> Indented text is copy-pasted from the draft.
> 
> 1. Introduction
> 
>    This document specifies the CERT parameter that
>    is used to transmit digital signatures in HIP.  It corresponds to the
>    placeholder specified in Section 2 of [RFC5201].
> 
> You probably mean "Section 5.2" here.
> 

Yes, corrected in the sources.

> 2. CERT Parameter
> 
>     For grouping Cert parameters,
> 
> s/Cert/CERT/
> 

Checked and corrected

>    Initiator and
>    Responder can detect middleboxes on the path after R1 message is sent
>    by checking if control packets contain ECHO_REQUEST_M parameters as
>    defined in [HIP.middle_auth].
> 
> This comment seems a bit detached from the context. Maybe you should add 
> some justification why would hosts want to detect middleboxes if they 
> are using certificates. And I think you should mention that you can 
> detect (only) *HIP* middleboxes that implement *and* use the middlebox 
> authentication method like this.
> 

Have to think about this a bit more and clarify this bit. The original need to
notice if there is a middlebox traces back to Hash and URL encodings. We
do not want to introduce extra work for middleboxes by caching or
fetching the certificates.

Thanks for the comments.

BR,
Samu

> 
> Cheers,
> Ari


From samu.varjonen@hiit.fi  Mon Jul  6 00:09:35 2009
Message-ID: <4A51A346.2030807@hiit.fi>
Date: Mon, 06 Jul 2009 10:09:58 +0300
From: Varjonen Samu <samu.varjonen@hiit.fi>
User-Agent: Thunderbird 2.0.0.21 (X11/20090409)
MIME-Version: 1.0
To: HIP <hipsec@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [Hipsec] draft-ietf-hip-cert-01

Hi,

http://www.ietf.org/internet-drafts/draft-ietf-hip-cert-01.txt

This new version of the draft brings editorial changes to the group
handling and clarifications to the usage of X.509 distinguished name
(DN) section.

We would appreciate it if people would read the draft and comment on it.

We have some additional discussion topics that we would like to open. The
main point of these questions is to determine the direction where we
should take the draft.

- Is the draft sufficient? Do we need to specify something more? Is
something important missing?

- Is SPKI the right choice for the default format? X.509 is more widely
deployed and has better support vs. SPKI is simpler but has less support.

- Are the hash and URL encodings needed? At least with on-path
middleboxes they are problematic.

- Are the examples in the appendixes sufficient?

One discussion topic that is a bit out of scope of hip-cert but is
relevant for HIP in general is fragmentation. I have brought this issue
up in several of the last meetings. Is there any interest in the group
to tackle this issue or should it be just left for the IP and its
fragmentation to handle?

BR,
Samu

From miika.komu@hiit.fi  Mon Jul  6 00:51:23 2009
Message-ID: <4A51ACE5.3030502@hiit.fi>
Date: Mon, 06 Jul 2009 10:51:01 +0300
From: Miika Komu <miika.komu@hiit.fi>
User-Agent: Thunderbird 2.0.0.22 (X11/20090608)
MIME-Version: 1.0
To: Varjonen Samu <samu.varjonen@hiit.fi>
References: <4A51A346.2030807@hiit.fi>
In-Reply-To: <4A51A346.2030807@hiit.fi>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] draft-ietf-hip-cert-01
Reply-To: miika.komu@hiit.fi

Varjonen Samu wrote:

Hi,

(I gave these comments already offline)

> Hi,
> 
> http://www.ietf.org/internet-drafts/draft-ietf-hip-cert-01.txt
> 
> This new version of the draft brings editorial changes to the group
> handling and clarifications to the usage of X.509 distinguished name
> (DN) section.
>
> We would appreciate it if people would read the draft and comment on it.
>
> We have some additional discussion topics that we would like to open. The
> main point of these questions is to determine the direction where we
> should take the draft.
> 
> - Is the draft sufficient? Do we need to specify something more? Is 
> something important missing?

I don't think there is anything substantial missing.

> - Is SPKI the right choice for the default format? X.509 is more widely
> deployed and has better support vs. SPKI is simpler but has less support.

Since this is a WG document (and not RG), I would suggest X.509 as MUST 
and SPKI MAY/SHOULD.

> - Are the hash and URL encodings needed? At least with on-path
> middleboxes they are problematic.

Support for them could be detected (middleboxes tag their support on 
passing packets).

> - Are the examples in the appendixes sufficient?

Works for me.

> One discussion topic that is a bit out of scope of hip-cert but is
> relevant for HIP in general is fragmentation. I have brought this issue
> up in several of the last meetings. Is there any interest in the group
> to tackle this issue or should it be just left for the IP and its
> fragmentation to handle?

IMHO, this is a problem for the IP layer for the currently defined 
experimental RFCs unless it changes at the standards track.

From root@core3.amsl.com  Mon Jul  6 06:45:01 2009
From: Internet-Drafts@ietf.org
To: i-d-announce@ietf.org
Content-Type: Multipart/Mixed; Boundary="NextPart"
Mime-Version: 1.0
Message-Id: <20090706134501.D157428C2A9@core3.amsl.com>
Date: Mon,  6 Jul 2009 06:45:01 -0700 (PDT)
Cc: hipsec@ietf.org
Subject: [Hipsec] I-D Action:draft-ietf-hip-bone-02.txt

--NextPart

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Host Identity Protocol Working Group of the IETF.


	Title           : HIP BONE: Host Identity Protocol (HIP) Based Overlay Networking Environment
	Author(s)       : G. Camarillo, et al.
	Filename        : draft-ietf-hip-bone-02.txt
	Pages           : 17
	Date            : 2009-07-06

This document specifies a framework to build HIP (Host Identity
Protocol)-based overlay networks.  This framework uses HIP to perform
connection management.  Other functions, such as data storage and
retrieval or overlay maintenance, are implemented using protocols
other than HIP.  These protocols are loosely referred to as peer
protocols.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-hip-bone-02.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

--NextPart--

From gonzalo.camarillo@ericsson.com  Mon Jul  6 07:19:04 2009
Message-ID: <4A5203FB.3010207@ericsson.com>
Date: Mon, 06 Jul 2009 17:02:35 +0300
From: Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>
User-Agent: Thunderbird 2.0.0.22 (Windows/20090605)
MIME-Version: 1.0
To: HIP <hipsec@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [Hipsec] New revision of the HIP BONE draft

Folks,

[as individual]

we have just submitted a new revision (02) of the HIP BONE draft:

http://www.ietf.org/internet-drafts/draft-ietf-hip-bone-02.txt

This revision should be ready for WGLC.

This draft defines a high-level framework to build HIP-based overlays. 
Additionally, its previous version defined how to build a HIP-based 
overlay using RELOAD. The authors have chosen to move this definition to 
a separate document because while the high-level framework is 
informational in nature, the definition makes use of normative language. 
The resulting document is the draft below.

draft-keranen-hip-reload-instance

Cheers,

Gonzalo

From jeffrey.m.ahrenholz@boeing.com  Mon Jul  6 07:52:16 2009
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Mon, 6 Jul 2009 07:50:50 -0700
Message-ID: <0DF156EE7414494187B087A3C279BDB40CD300FB@XCH-NW-6V1.nw.nos.boeing.com>
In-Reply-To: <4A4E0F0D.5090905@hiit.fi>
References: <4A425954.4040500@ericsson.com> <0DF156EE7414494187B087A3C279BDB404AD7B8F@XCH-NW-6V1.nw.nos.boeing.com> <4A4E0F0D.5090905@hiit.fi>
From: "Ahrenholz, Jeffrey M" <jeffrey.m.ahrenholz@boeing.com>
To: <miika.komu@hiit.fi>
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06

> > You might reference ORCHIDs earlier on (maybe second or third paragraph
> > of introduction) as the first time they appear in this draft is section
> > 4.2.
>
> Done.

OK, in the new ORCHID text, you might use "derived" instead of
"derivated".

> I agree that the HIT vs. ORCHID usage was confusing. I replaced all
> orchid names with HITs in order to unify the naming scheme in
> the API.
> Is it ok now?

yes, I think it is clearer now

> > but then Section 4.1 Page 6, 2nd paragraph talks about using PF_HIP
> > "The use of the PF_HIP constant" ...
>
> I rephrased this, please check if it is ok now.

looks good

> > typedef struct in6_addr orchid_t; typedef orchid_t hip_hit_t;
>
> I am not sure what to do about it because I decided to unify the
> constants just to use always "hit".

yes now all the constants use "hit" so the "orchid" name is not needed

-Jeff

From miika.komu@hiit.fi  Mon Jul  6 09:37:10 2009
Message-ID: <4A522160.1060205@hiit.fi>
Date: Mon, 06 Jul 2009 19:08:00 +0300
From: Miika Komu <miika.komu@hiit.fi>
User-Agent: Thunderbird 2.0.0.22 (X11/20090608)
MIME-Version: 1.0
To: "Ahrenholz, Jeffrey M" <jeffrey.m.ahrenholz@boeing.com>
References: <4A425954.4040500@ericsson.com> <0DF156EE7414494187B087A3C279BDB404AD7B8F@XCH-NW-6V1.nw.nos.boeing.com> <4A4E0F0D.5090905@hiit.fi> <0DF156EE7414494187B087A3C279BDB40CD300FB@XCH-NW-6V1.nw.nos.boeing.com>
In-Reply-To: <0DF156EE7414494187B087A3C279BDB40CD300FB@XCH-NW-6V1.nw.nos.boeing.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06
Reply-To: miika.komu@hiit.fi

Ahrenholz, Jeffrey M wrote:

Hi,

>>> You might reference ORCHIDs earlier on (maybe second or third paragraph
>>> of introduction) as the first time they appear in this draft is section
>>> 4.2.
>> Done.
> 
> OK, in the new ORCHID text, you might use "derived" instead of
> "derivated".

thanks. This will appear in the next version.

>> I agree that the HIT vs. ORCHID usage was confusing. I replaced all 
>> orchid names with HITs in order to unify the naming scheme in 
>> the API. 
>> Is it ok now?
> 
> yes, I think it is clearer now
> 
>>> but then Section 4.1 Page 6, 2nd paragraph talks about using PF_HIP
>>> "The use of the PF_HIP constant" ...
>> I rephrased this, please check if it is ok now.
> 
> looks good
> 
>>> typedef struct in6_addr orchid_t; typedef orchid_t hip_hit_t;
>> I am not sure what to do about it because I decided to unify the 
>> constants just to use always "hit".
> 
> yes now all the constants use "hit" so the "orchid" name is not needed

Ok, thanks.

From gonzalo.camarillo@ericsson.com  Mon Jul  6 10:50:31 2009
Message-ID: <4A523577.9020607@ericsson.com>
Date: Mon, 06 Jul 2009 20:33:43 +0300
From: Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>
User-Agent: Thunderbird 2.0.0.22 (Windows/20090605)
MIME-Version: 1.0
To: HIP <hipsec@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: "Ari Keränen (JO/LMF)" <ari.keranen@ericsson.com>
Subject: [Hipsec] Two spin offs from HIP BONE

Folks,

[as individual]

the following two drafts are two spin offs from the HIP BONE spec:

http://www.ietf.org/internet-drafts/draft-camarillo-hip-via-00.txt
http://www.ietf.org/internet-drafts/draft-keranen-hip-reload-instance-00.txt

While writing HIP BONE, we have noticed that these extensions have a
wider applicability and, thus, are better defined in stand-alone documents.

Comments are welcome.

Cheers,

Gonzalo


From thomas.r.henderson@boeing.com  Wed Jul  8 11:58:17 2009
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Wed, 8 Jul 2009 11:58:24 -0700
Message-ID: <77F357662F8BFA4CA7074B0410171B6D07B0C421@XCH-NW-5V1.nw.nos.boeing.com>
In-Reply-To: <4A4E0E22.9040200@hiit.fi>
References: <4A425954.4040500@ericsson.com> <4A49F558.7040304@nomadiclab.com> <4A4E0E22.9040200@hiit.fi>
From: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
To: <miika.komu@hiit.fi>
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06

>
> Fixed. New version is here:
>
> http://www.iki.fi/miika/docs/draft-ietf-hip-native-api-07-pre1.txt
>

Miika, I reviewed this preview version and have some more comments.

1) I think that Figure 3.1 and the related prose description could be
clearer by referring specifically to the records that are being
retrieved from DNS.  In particular:

- step a) could say explicitly that a HIP RR is being fetched, step b)
in the diagram could say "QNAME=FQDN, QTYPE=HIP" instead of <FQDN>, step
c in the diagram should say "HIP RR(s)" instead of "<HITs+locs>".  Or
else, if you intend to abstract this and you mean to say that "b)
<FQDN>" refers to both possible fetching of HIP RRs and A/AAAA records,
and that steps b and c may in fact be several transactions, the
corresponding text should clarify this.

- step e) should be generalized to show that not only HITs but also
sockaddr_in or sockaddr_in6 are passed back to the application

- step f) should probably not just say "f. connect(<HIT>)" but should
show or describe that there are several possible socket messages using
the new address family and the new HIP addresses fetched in step e,
including socket(), setsockopt(), sendmsg(), bind(), connect(), ...

2) section 4.2 on the use and extension of getaddrinfo seems unclear to
me on a few points

- why is AI_EXTFLAGS necessary to be set if the caller does not care
about changing the source HIT selection preferences?  why can't you just
set ai_protocol to IPPROTO_HIP?

- I think that in general, it would be clearer to talk about source
address selection separately, and not introduce all of these flags
referring to source address selection in this section, because they also
apply to sockets and not just getaddrinfo

- it is not clear what the behavior should be if the resolver cannot
determine whether HITs are public or anonymous

- in the second paragraph on page 9, it implies that DNS, by default,
will spoof the resolution and return HITs and LSIs in
sockaddr_in6/sockaddr_in structures.  (by the way, the reference should
be to RFC5338).  I would make this change to imply that this is not the
recommended default behavior:
s/In such a case, the DNS agent returns transparently.../In such a case,
the DNS agent may, according to local policy, return transparently.../
and later:
s/To disable this behavior/To override this local policy/

- in general, my understanding is that the setting of PREFER_SRC...
flags does not cause the glibc to filter addresses and only return those
that match, but instead influences the order in which the possibly
multiple destination addresses are returned to the caller.  In any case,
I am not sure that PREFER_SRC_TMP and PREFER_SRC_PUBLIC make much sense
here because the destination HITs are all going to be public and these
flags will not affect HIT ordering.

- Is it really true that HIP_PREFER_PASSIVE_* produces a single
sockaddr_hip structure containing a wildcard and not an explicit HIT?
If so, what is the point of this call-- the application can populate the
appropriate wildcard itself?

3) section 4.4 on the validation function

- do you really need 64-bits of flag?
- the flag names in Table 2 should probably be changed to
HIP_PREFER_HIT_TMP and HIP_PREFER_HIT_PUBLIC
- again, it should be clarified what the behavior is if the system can
tell whether the identifier is a HIT but can't tell whether it is a TMP
or PUBLIC

Regards,
Tom

From shinta@sfc.wide.ad.jp  Thu Jul  9 03:02:08 2009
Return-Path: <shinta@sfc.wide.ad.jp>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 115803A6CC3 for <hipsec@core3.amsl.com>; Thu,  9 Jul 2009 03:02:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.904
X-Spam-Level: 
X-Spam-Status: No, score=0.904 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265, RELAY_IS_203=0.994]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t-AvvDOU70rd for <hipsec@core3.amsl.com>; Thu,  9 Jul 2009 03:02:07 -0700 (PDT)
Received: from mail.sfc.wide.ad.jp (mail.sfc.wide.ad.jp [203.178.142.146]) by core3.amsl.com (Postfix) with ESMTP id 480873A6A69 for <hipsec@ietf.org>; Thu,  9 Jul 2009 03:02:07 -0700 (PDT)
Received: from localhost.localdomain (unknown [IPv6:2001:380:633:2:20b:cdff:fefb:2a8]) by mail.sfc.wide.ad.jp (Postfix) with ESMTPSA id 1DFB54D874; Thu,  9 Jul 2009 19:02:29 +0900 (JST)
Message-ID: <4A55BE2D.4040506@sfc.wide.ad.jp>
Date: Thu, 09 Jul 2009 18:53:49 +0900
From: Shinta Sugimoto <shinta@sfc.wide.ad.jp>
User-Agent: Thunderbird 2.0.0.6 (X11/20070809)
MIME-Version: 1.0
To: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
References: <4A425954.4040500@ericsson.com> <4A49F558.7040304@nomadiclab.com> <77F357662F8BFA4CA7074B0410171B6D07B0C3E8@XCH-NW-5V1.nw.nos.boeing.com> <4A4CDAB6.90203@sfc.wide.ad.jp> <77F357662F8BFA4CA7074B0410171B6D099DF19D@XCH-NW-5V1.nw.nos.boeing.com>
In-Reply-To: <77F357662F8BFA4CA7074B0410171B6D099DF19D@XCH-NW-5V1.nw.nos.boeing.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jul 2009 10:02:08 -0000

Hi Thomas,

Thank you for your comments and sorry for my delayed response.
Please find my comment below.

Henderson, Thomas R wrote:
>>> The other options seem to be to ask the shim6-api draft authors, and WG,
>>> to support NAT traversal, or to just write a HIP-specific API for these
>>> aspects.  In either case, I think we (HIP WG) should decide what we want
>>> this API to be.
>> As a co-author of the multihome shim API document, I am willing
>> to improve the draft to support NAT Traversal.  It is not only
>> useful for HIP but also for SHIM6 (in the future) as mentioned
>> above.  Does this sound reasonable?
>>
>> With regard to the data structure for storing IPv4 address and
>> a pair of UDP port numbers, let me come up with proposal later.
>> I need to discuss with co-authors of the multihome shim API draft.
> 
> Thanks, it sounds reasonable to extend this if shim6 WG is willing, but from your comments, I take it that you are just going to focus on IPv4 NAT traversal?  I was wondering whether IPv6 NAT traversal also should be supported in the API in case such devices (or firewalls that filter the HIP protocol) become prevalent.

Thank you.

Let us define the locator management API taking NAT into consideration.
In answer to your question, yes, we (at least I) have been thinking
only of IPv4 NAT.  But I see your point that NAT is not necessarily IPv4
but there could be IPv6 NAT as well.  Then, let us also take this into
account.

Now we are updating the multihome API document with NAT support.  Will 
send it to the HIP list when it's ready (hopefully before the cutoff).

Regards,
Shinta

From miika.komu@hiit.fi  Fri Jul 10 02:49:44 2009
Return-Path: <miika.komu@hiit.fi>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EE9B83A68A9 for <hipsec@core3.amsl.com>; Fri, 10 Jul 2009 02:49:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.605
X-Spam-Level: 
X-Spam-Status: No, score=-0.605 tagged_above=-999 required=5 tests=[AWL=-1.994, BAYES_00=-2.599, FRT_STOCK2=3.988]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ry0zfdWdCtqq for <hipsec@core3.amsl.com>; Fri, 10 Jul 2009 02:49:43 -0700 (PDT)
Received: from argo.otaverkko.fi (argo.otaverkko.fi [212.68.0.2]) by core3.amsl.com (Postfix) with ESMTP id 0B2BC3A6BFE for <hipsec@ietf.org>; Fri, 10 Jul 2009 02:49:21 -0700 (PDT)
Received: from [193.167.187.26] (halko.pc.infrahip.net [193.167.187.26]) by argo.otaverkko.fi (Postfix) with ESMTP id 022EA25ED19; Fri, 10 Jul 2009 12:49:48 +0300 (EEST)
Message-ID: <4A570EBB.2000300@hiit.fi>
Date: Fri, 10 Jul 2009 12:49:47 +0300
From: Miika Komu <miika.komu@hiit.fi>
User-Agent: Thunderbird 2.0.0.22 (X11/20090608)
MIME-Version: 1.0
To: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
References: <4A425954.4040500@ericsson.com> <4A49F558.7040304@nomadiclab.com> <4A4E0E22.9040200@hiit.fi> <77F357662F8BFA4CA7074B0410171B6D07B0C421@XCH-NW-5V1.nw.nos.boeing.com>
In-Reply-To: <77F357662F8BFA4CA7074B0410171B6D07B0C421@XCH-NW-5V1.nw.nos.boeing.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: miika.komu@hiit.fi
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2009 09:49:45 -0000

Henderson, Thomas R wrote:

Hi,

a new version is available from here:

http://www.iki.fi/miika/docs/draft-ietf-hip-native-api-07-pre2.txt

It is based on comments from you and the minor comment from Jeff is
included. I didn't have time to proofread all the changes yet, so I
might apply small nits here and there.

Cut-off deadline is on Monday. I assume that I have to follow the official
schedule and I'll submit the final 07 version on Monday. Please comment
before that if you can.

>  > 
>> Fixed. New version is here:
>>
>> http://www.iki.fi/miika/docs/draft-ietf-hip-native-api-07-pre1.txt
>>
> 
> Miika, I reviewed this preview version and have some more comments.
> 
> 1) I think that Figure 3.1 and the related prose description could be
> clearer by referring specifically to the records that are being
> retrieved from DNS.  In particular:
> 
> - step a) could say explicitly that a HIP RR is being fetched, step b)
> in the diagram could say "QNAME=FQDN, QTYPE=HIP" instead of <FQDN>, step
> c in the diagram should say "HIP RR(s)" instead of "<HITs+locs>".  Or
> else, if you intend to abstract this and you mean to say that "b)
> <FQDN>" refers to both possible fetching of HIP RRs and A/AAAA records,
> and that steps b and c may in fact be several transactions, the
> corresponding text should clarify this.  
> 
> - step e) should be generalized to show that not only HITs but also
> sockaddr_in or sockaddr_in6 are passed back to the application
> 
> - step f) should probably not just say "f. connect(<HIT>)" but should
> show or describe that there are several possible socket messages using
> the new address family and the new HIP addresses fetched in step e,
> including socket(), setsockopt(), sendmsg(), bind(), connect(), ...

Done, please suggest further clarifications if necessary. I think we
should keep this description simple to give an overview of how the API
works.

> 2) section 4.2 on the use and extension of getaddrinfo seems unclear to
> me on a few points
> 
> - why is AI_EXTFLAGS necessary to be set if the caller does not care
> about changing the source HIT selection preferences?  why can't you just
> set ai_protocol to IPPROTO_HIP?

Or AF_HIP, like I have put in the current text. I am not sure what to do
with IPPROTO_HIP.

You were right about AI_EXTFLAGS, it was unnecessarily coupled with the
basic HIP resolution.

> - I think that in general, it would be clearer to talk about source
> address selection separately, and not introduce all of these flags
> referring to source address selection in this section, because they also
> apply to sockets and not just getaddrinfo

Moved to section 4.4.

> - it is not clear what the behavior should be if the resolver cannot
> determine whether HITs are public or anonymous 

Added:

"Similarly to [RFC5014], the sockaddr_is_srcaddr() function returns 1
when the address satisfies the given flags and 0 otherwise.  Value -1
denotes a failure."

> - in the second paragraph on page 9, it implies that DNS, by default,
> will spoof the resolution and return HITs and LSIs in
> sockaddr_in6/sockaddr_in structures.  (by the way, the reference should
> be to RFC5338).  I would make this change to imply that this is not the
> recommended default behavior:
> s/In such a case, the DNS agent returns transparently.../In such a case,
> the DNS agent may, according to local policy, return transparently.../
> and later:
> s/To disable this behavior/To override this local policy/

Fixed.

> - in general, my understanding is that the setting of PREFER_SRC...
> flags does not cause the glibc to filter addresses and only return those
> that match, but instead influences the order in which the possibly
> multiple destination addresses are returned to the caller.  In any case,
> I am not sure that PREFER_SRC_TMP and PREFER_SRC_PUBLIC make much sense
> here because the destination HITs are all going to be public and these
> flags will not affect HIT ordering.  

You're right, the semantics were ambiguous. After some thinking, I 
thought the following would be more clear:

    The same flags can also be used with getaddrinfo() when the
    application asks the resolver to assign a local wildcard HIT to be
    used with the bind() socket call.  In such a case, the node argument
    for getaddrinfo() must be NULL and input flags must include the
    AI_PASSIVE flag.  When the AI_EXTFLAGS is unset, the resolver returns
    a sockaddr_hip structure with ship_hit field prefilled with the
    HIP_HIT_ANY macro that was described in Section 4.  When AI_EXTFLAGS
    is set, the resolver prefills the returned sockaddr_hip structure for
    the conveniency of the application as listed in Table 2.

Does that work for you?

> - Is it really true that HIP_PREFER_PASSIVE_* produces a single
> sockaddr_hip structure containing a wildcard and not an explicit HIT?
> If so, what is the point of this call-- the application can populate the
> appropriate wildcard itself?

As indicated by the last quoted text, it is just for the conveniency of 
the application. The existing getaddrinfo() interface provides such 
functionality for filling wildcard or loopback addresses for bind(). I 
have no idea how common it is for applications to use it in practice, 
but I believe we should define the same conveniency interface.

Btw, I simplified the jungle of HIP_PREFER_PASSIVE_* flags without 
reducing any functionality. Now there are just two flags instead of the 
original seven.

> 3) section 4.4 on the validation function
> 
> - do you really need 64-bits of flag?

The function provides a superset of inet6_is_srcaddr() which could have 
been defined originally in a little bit more flexible way:

    The function has also 64 bit flags
    instead of 32 bits.  This new function handles the same flags as
    defined in [RFC5014] in addition to some two HIP-specific flags for
    anonymous and public HITs, HIP_PREFER_SRC_HIT_TMP and
    HIP_PREFER_SRC_HIT_PUBLIC.

64 bits should guarantee that we don't run out of bits for some while 
due to the shared interface. Do you agree with this?

> - the flag names in Table 2 should probably be changed to
> HIP_PREFER_HIT_TMP and HIP_PREFER_HIT_PUBLIC

The flags are now "HIP_PREFER_SRC_HIT_xx" since destination HIT is 
supposed to be public by definition. Is this ok?

> - again, it should be clarified what the behavior is if the system can
> tell whether the identifier is a HIT but can't tell whether it is a TMP
> or PUBLIC

I added:

    Similarly to [RFC5014], the sockaddr_is_srcaddr() function returns 1
    when the address satisfies the given flags and 0 otherwise.  Value -1
    denotes a failure.


From miika.komu@hiit.fi  Fri Jul 10 04:59:23 2009
Return-Path: <miika.komu@hiit.fi>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8F6B73A7059 for <hipsec@core3.amsl.com>; Fri, 10 Jul 2009 04:59:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.314
X-Spam-Level: 
X-Spam-Status: No, score=-2.314 tagged_above=-999 required=5 tests=[AWL=0.285,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WXrtlgpIVsmZ for <hipsec@core3.amsl.com>; Fri, 10 Jul 2009 04:59:22 -0700 (PDT)
Received: from argo.otaverkko.fi (argo.otaverkko.fi [212.68.0.2]) by core3.amsl.com (Postfix) with ESMTP id 461433A6E53 for <hipsec@ietf.org>; Fri, 10 Jul 2009 04:59:04 -0700 (PDT)
Received: from [193.167.187.26] (halko.pc.infrahip.net [193.167.187.26]) by argo.otaverkko.fi (Postfix) with ESMTP id 2ACCD25ED1F; Fri, 10 Jul 2009 14:32:14 +0300 (EEST)
Message-ID: <4A5726BD.40108@hiit.fi>
Date: Fri, 10 Jul 2009 14:32:13 +0300
From: Miika Komu <miika.komu@hiit.fi>
User-Agent: Thunderbird 2.0.0.22 (X11/20090608)
MIME-Version: 1.0
To: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
References: <4A425954.4040500@ericsson.com> <4A49F558.7040304@nomadiclab.com>	<4A4E0E22.9040200@hiit.fi>	<77F357662F8BFA4CA7074B0410171B6D07B0C421@XCH-NW-5V1.nw.nos.boeing.com> <4A570EBB.2000300@hiit.fi>
In-Reply-To: <4A570EBB.2000300@hiit.fi>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: miika.komu@hiit.fi
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2009 11:59:23 -0000

Miika Komu wrote:

Hi,

>> - Is it really true that HIP_PREFER_PASSIVE_* produces a single
>> sockaddr_hip structure containing a wildcard and not an explicit HIT?
>> If so, what is the point of this call-- the application can populate the
>> appropriate wildcard itself?
> 
> As indicated by the last quoted text, it is just for the conveniency of 
> the application. The existing getaddrinfo() interface provides such 
> functionality for filling wildcard or loopback addresses for bind(). I 
> have no idea how common it is for applications to use it in practice, 
> but I believe we should define the same conveniency interface.
> 
> Btw, I simplified the jungle of HIP_PREFER_PASSIVE_* flags without 
> reducing any functionality. Now there are just two flags instead of the 
> original seven.

if you agree on the conveniency flags for getaddrinfo(), should we 
define them also for outbound opportunistic connections?


From shinta@sfc.wide.ad.jp  Fri Jul 10 05:12:08 2009
Return-Path: <shinta@sfc.wide.ad.jp>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5DA123A67F3 for <hipsec@core3.amsl.com>; Fri, 10 Jul 2009 05:12:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.198
X-Spam-Level: ***
X-Spam-Status: No, score=3.198 tagged_above=-999 required=5 tests=[AWL=-2.294,  BAYES_00=-2.599, FRT_STOCK2=3.988, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265, J_CHICKENPOX_102=0.6, RELAY_IS_203=0.994]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9Y7tVjfEiCtt for <hipsec@core3.amsl.com>; Fri, 10 Jul 2009 05:12:07 -0700 (PDT)
Received: from mail.sfc.wide.ad.jp (mail.sfc.wide.ad.jp [203.178.142.146]) by core3.amsl.com (Postfix) with ESMTP id 2515A3A6E4D for <hipsec@ietf.org>; Fri, 10 Jul 2009 05:12:07 -0700 (PDT)
Received: from localhost.localdomain (unknown [IPv6:2001:380:633:2:20b:cdff:fefb:2a8]) by mail.sfc.wide.ad.jp (Postfix) with ESMTPSA id ABBA54CC2F; Fri, 10 Jul 2009 21:04:57 +0900 (JST)
Message-ID: <4A572C5F.50906@sfc.wide.ad.jp>
Date: Fri, 10 Jul 2009 20:56:15 +0900
From: Shinta Sugimoto <shinta@sfc.wide.ad.jp>
User-Agent: Thunderbird 2.0.0.6 (X11/20070809)
MIME-Version: 1.0
To: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
References: <4A425954.4040500@ericsson.com> <4A49F558.7040304@nomadiclab.com>	<77F357662F8BFA4CA7074B0410171B6D07B0C3E8@XCH-NW-5V1.nw.nos.boeing.com>	<4A4CDAB6.90203@sfc.wide.ad.jp>	<77F357662F8BFA4CA7074B0410171B6D099DF19D@XCH-NW-5V1.nw.nos.boeing.com> <4A55BE2D.4040506@sfc.wide.ad.jp>
In-Reply-To: <4A55BE2D.4040506@sfc.wide.ad.jp>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: HIP <hipsec@ietf.org>
Subject: [Hipsec] Support of locator behind NAT in multihome shim API
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2009 12:12:08 -0000

Hi all,
(please allow me to change the subject of the thread)

As I mentioned, we (authors of multihome shim API draft) are updating the 
multihome shim API draft taking NAT Traversal support into account. 
Below is what we have now in the draft.  Basically, we modified the data 
structure for storing locator information so that it can contain UDP 
encapsulation as well.  Also, a locator behind NAT could be either IPv4 
or IPv6 (taking Thomas's comment into account).  Any 
comments/suggestions are welcome.  Please note that we are planning to 
submit the updated draft (-09) before the cutoff.  Thank you.

---(beginning of quote)---
7.1.  Placeholder for Locator Information

    As defined in Section 5, the SHIM_LOC_LOCAL_PREF, SHIM_LOC_PEER_PREF,
    SHIM_LOCLIST_LOCAL, and SHIM_LOCLIST_PEER socket options need to
    handle one or more locator information.  Locator information includes
    not only the locator itself but also additional information about the
    locator which is useful for locator management.  A new data structure
    is defined to serve as a placeholder for the locator information.

    Figure 4 illustrates the data structure called shim_locator which
    stores a locator information.

         struct shim_locator {
                 uint8_t    lc_family;       /* address family */
                 uint8_t    lc_proto;        /* protocol */
                 uint16_t   lc_port;         /* port number */
                 uint16_t   lc_flags;        /* flags */
                 uint16_t   lc_pref;         /* preference value */
                 uint32_t   lc_ifidx;        /* interface index */
                 struct in6_addr lc_addr;    /* address */
         };

                      Figure 4: shim locator structure

    lc_family
       Address family of the locator (e.g.  AF_INET, AF_INET6).  It is
       required that the parameter contains non-zero value indicating the
       exact address family of the locator.
    lc_proto
       Internet Protocol number for the protocol which is used to handle
       locator behind NAT.  Typically, this value is set as UDP (17)
       when the locator is a UDP encapsulation interface.

Komu, et al.            Expires November 8, 2009               [Page 28]

Internet-Draft            Multihoming Shim API                  May 2009

    lc_port
       Port number which is used for handling locator behind NAT.
    lc_flags
       Each bit of the flags represents a specific characteristics of the
       locator.  Hash Based Address (HBA) is defined as 0x01.
       Cryptographically Generated Address (CGA) is defined as 0x02.
    lc_pref
       Preference of the locator.  The preference is represented by an
       integer.
    lc_ifidx
       Interface index of the network interface to which the locator is
       assigned.  This field should be valid only in a read
       (getsockopt()) operation.
    lc_addr
       Contains the locator.  In the case where a locator whose size is
       smaller than 16 bytes, an encoding rule should be provided for
       each locator of a given address family.  For instance, in case of
       AF_INET (IPv4), the locator should be in the format of an IPv4-
       mapped IPv6 address as defined in RFC 4291[RFC4291].

7.1.1.  Handling Locator behind NAT

    Note that the locator information MAY contain a locator behind a
    Network Address Translator (NAT).  Such a situation may arise when
    the host is behind the NAT and uses a local address as a source
    locator to communicate with the peer.  Note that a NAT traversal
    mechanism for HIP is defined, which allows HIP host to tunnel control
    and data traffic over UDP[I-D.ietf-hip-nat-traversal].  Note also
    that the locator behind NAT is not necessarily an IPv4 address but it
    can be an IPv6 address.  Below is an example where the application
    sets a UDP encapsulation interface as a source locator when sending
    IP packets.


        struct shim_locator locator;
        struct in6_addr ia6;

        /* copy the private IPv4 address to the ia6 as an IPv4-mapped
           IPv6 address */

        memset(&locator, 0, sizeof(locator));

        /* fill shim_locator data structure */
        locator.lc_family = AF_INET;
        locator.lc_proto = IPPROTO_UDP;
        locator.lc_port = 50500;
        locator.lc_flags = 0;
        locator.lc_pref = 0;
        locator.lc_ifidx = 3;

        memcpy(&locator.lc_addr, &ia6, sizeof(ia6));

        setsockopt(fd, SOL_SHIM, SHIM_LOC_LOCAL_SEND, &locator,
                   sizeof(locator));
---(end of quote)---

Regards,
Shinta

Shinta Sugimoto wrote:
> Hi Thomas,
> 
> Thank you for your comments and sorry for my delayed response.
> Please find my comment below.
> 
> Henderson, Thomas R wrote:
>>>> The other options seem to be to ask the shim6-api draft authors, and 
>>>> WG,
>>>> to support NAT traversal, or to just write a HIP-specific API for these
>>>> aspects.  In either case, I think we (HIP WG) should decide what we 
>>>> want
>>>> this API to be.
>>> As a co-author of the multihome shim API document, I am willing
>>> to improve the draft to support NAT Traversal.  It is not only
>>> useful for HIP but also for SHIM6 (in the future) as mentioned
>>> above.  Does this sound reasonable?
>>>
>>> With regard to the data structure for storing IPv4 address and
>>> a pair of UDP port numbers, let me come up with proposal later.
>>> I need to discuss with co-authors of the multihome shim API draft.
>>
>> Thanks, it sounds reasonable to extend this if shim6 WG is willing, 
>> but from your comments, I take it that you are just going to focus on 
>> IPv4 NAT traversal?  I was wondering whether IPv6 NAT traversal also 
>> should be supported in the API in case such devices (or firewalls that 
>> filter the HIP protocol) become prevalent.
> 
> Thank you.
> 
> Let us define the locator management API taking NAT into consideration.
> In answer to your question, yes, we (at least I) have been thinking
> only of IPv4 NAT.  But I see your point that NAT is not necessarily IPv4
> but there could be IPv6 NAT as well.  Then, let us also take this into
> account.
> 
> Now we are updating the multihome API document with NAT support.  Will 
> send it to the HIP list when it's ready (hopefully before the cutoff).
> 
> Regards,
> Shinta
> 
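
The locator encoding described in the quoted draft text above (an IPv4 locator carried as an IPv4-mapped IPv6 address, UDP encapsulation recorded in lc_proto and lc_port), as an added example that is not part of the original message or of the draft. The struct layout and the 0x01/0x02 flag values are from the quoted text; the ex_ function names, the EX_LOC_FLAG_ macro names, host byte order for lc_port, and the rule that lc_proto 0 means no encapsulation are assumptions.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Layout copied from Figure 4 of the quoted draft text. */
struct shim_locator {
    uint8_t  lc_family;      /* address family */
    uint8_t  lc_proto;       /* protocol */
    uint16_t lc_port;        /* port number */
    uint16_t lc_flags;       /* flags */
    uint16_t lc_pref;        /* preference value */
    uint32_t lc_ifidx;       /* interface index */
    struct in6_addr lc_addr; /* address */
};

/* Values 0x01 and 0x02 are from the quoted text; the macro names are hypothetical. */
#define EX_LOC_FLAG_HBA 0x01
#define EX_LOC_FLAG_CGA 0x02

/* 1 if addr has the ::ffff:a.b.c.d form (80 zero bits, then 16 one bits). */
static int ex_is_v4mapped(const struct in6_addr *addr)
{
    static const uint8_t prefix[12] = {0,0,0,0,0,0,0,0,0,0,0xff,0xff};
    return memcmp(addr->s6_addr, prefix, sizeof(prefix)) == 0;
}

/* Hypothetical helper: build a UDP-encapsulated locator from a textual address.
 * Returns 0 on success; on bad input returns -1 and leaves *loc untouched. */
int ex_locator_fill_udp(struct shim_locator *loc, int family,
                        const char *text, uint16_t port, uint32_t ifidx)
{
    struct shim_locator tmp;
    struct in_addr v4;

    if (loc == NULL || text == NULL || port == 0)
        return -1;
    memset(&tmp, 0, sizeof(tmp));
    if (family == AF_INET) {
        if (inet_pton(AF_INET, text, &v4) != 1)
            return -1;
        tmp.lc_addr.s6_addr[10] = 0xff;
        tmp.lc_addr.s6_addr[11] = 0xff;
        memcpy(&tmp.lc_addr.s6_addr[12], &v4, sizeof(v4));
    } else if (family == AF_INET6) {
        if (inet_pton(AF_INET6, text, &tmp.lc_addr) != 1)
            return -1;
        /* A mapped address tagged AF_INET6 would contradict lc_family. */
        if (ex_is_v4mapped(&tmp.lc_addr))
            return -1;
    } else {
        return -1;
    }
    tmp.lc_family = (uint8_t)family;
    tmp.lc_proto = IPPROTO_UDP;
    tmp.lc_port = port;   /* assumption: host byte order, as in the draft's 50500 */
    tmp.lc_ifidx = ifidx;
    *loc = tmp;
    return 0;
}

/* Consistency check for a locator handed in by a caller before it is used.
 * Returns 1 if the fields agree with each other, 0 otherwise. */
int ex_locator_is_valid(const struct shim_locator *loc)
{
    if (loc == NULL)
        return 0;
    if (loc->lc_family == AF_INET) {
        if (!ex_is_v4mapped(&loc->lc_addr))
            return 0;
        /* HBA and CGA are IPv6 address types, so neither fits an IPv4 locator. */
        if (loc->lc_flags & (EX_LOC_FLAG_HBA | EX_LOC_FLAG_CGA))
            return 0;
    } else if (loc->lc_family == AF_INET6) {
        if (ex_is_v4mapped(&loc->lc_addr))
            return 0;
    } else {
        return 0;
    }
    /* Assumption: lc_proto 0 means "no encapsulation", so no port either. */
    if (loc->lc_proto == 0)
        return loc->lc_port == 0;
    if (loc->lc_proto == IPPROTO_UDP)
        return loc->lc_port != 0;
    return 0;
}

int main(void)
{
    struct shim_locator loc;

    /* Constructed sample: a private IPv4 address and the draft's port number. */
    if (ex_locator_fill_udp(&loc, AF_INET, "192.168.1.10", 50500, 3) != 0)
        return 1;
    printf("valid=%d\n", ex_locator_is_valid(&loc));
    return 0;
}
```
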


From dwing@cisco.com  Fri Jul 10 15:58:31 2009
Return-Path: <dwing@cisco.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C9FB63A6E61 for <hipsec@core3.amsl.com>; Fri, 10 Jul 2009 15:58:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.537
X-Spam-Level: 
X-Spam-Status: No, score=-6.537 tagged_above=-999 required=5 tests=[AWL=0.062,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p4wKMMgISl-S for <hipsec@core3.amsl.com>; Fri, 10 Jul 2009 15:58:31 -0700 (PDT)
Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com [171.71.176.117]) by core3.amsl.com (Postfix) with ESMTP id 7825C3A6976 for <hipsec@ietf.org>; Fri, 10 Jul 2009 15:58:30 -0700 (PDT)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: ApsEAKBkV0qrR7PD/2dsb2JhbACLAKt5iCOQcgWECIFA
X-IronPort-AV: E=Sophos;i="4.42,380,1243814400"; d="scan'208";a="341683525"
Received: from sj-dkim-3.cisco.com ([171.71.179.195]) by sj-iport-6.cisco.com with ESMTP; 10 Jul 2009 22:58:59 +0000
Received: from sj-core-1.cisco.com (sj-core-1.cisco.com [171.71.177.237]) by sj-dkim-3.cisco.com (8.12.11/8.12.11) with ESMTP id n6AMwxt8023153;  Fri, 10 Jul 2009 15:58:59 -0700
Received: from dwingwxp01 ([10.32.240.196]) by sj-core-1.cisco.com (8.13.8/8.14.3) with ESMTP id n6AMwxis004457; Fri, 10 Jul 2009 22:58:59 GMT
From: "Dan Wing" <dwing@cisco.com>
To: "'Shinta Sugimoto'" <shinta@sfc.wide.ad.jp>, "'Henderson, Thomas R'" <thomas.r.henderson@boeing.com>
References: <4A425954.4040500@ericsson.com><4A49F558.7040304@nomadiclab.com>	<77F357662F8BFA4CA7074B0410171B6D07B0C3E8@XCH-NW-5V1.nw.nos.boeing.com>	<4A4CDAB6.90203@sfc.wide.ad.jp>	<77F357662F8BFA4CA7074B0410171B6D099DF19D@XCH-NW-5V1.nw.nos.boeing.com><4A55BE2D.4040506@sfc.wide.ad.jp> <4A572C5F.50906@sfc.wide.ad.jp>
Date: Fri, 10 Jul 2009 15:58:59 -0700
Message-ID: <063f01ca01b2$02a98130$c4f0200a@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
In-Reply-To: <4A572C5F.50906@sfc.wide.ad.jp>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3350
Thread-Index: AcoBV7hX0+ftPwc+SD2AgbzjoUfMfQAWkZYw
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=713; t=1247266739; x=1248130739; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dwing@cisco.com; z=From:=20=22Dan=20Wing=22=20<dwing@cisco.com> |Subject:=20RE=3A=20[Hipsec]=20Support=20of=20locator=20beh ind=20NAT=20in=20multihome=20shim=20API |Sender:=20; bh=jO/lCxGZxQXTvp35telo3/r04xoiFFMv+vHybCWRhvY=; b=F/C1if/e/oV/AuAKw4kOUNGyWl9SKbsBa7ybP7/sLAKXsF96PfwFYMm8Ge 9CHF1zyeWcVFcT2kDGLEh0J+ZjBfE52kPD66j7rWlZgX7YgbfVEtu9+ot9UW FBCctynSYD;
Authentication-Results: sj-dkim-3; header.From=dwing@cisco.com; dkim=pass ( sig from cisco.com/sjdkim3002 verified; ); 
Cc: 'HIP' <hipsec@ietf.org>
Subject: Re: [Hipsec] Support of locator behind NAT in multihome shim API
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2009 22:58:31 -0000

> 7.1.1.  Handling Locator behind NAT
> 
>     Note that the locator information MAY contain a locator behind a
>     Network Address Translator (NAT).  Such a situation may arise when
>     the host is behind the NAT and uses a local address as a source
>     locator to communicate with the peer.  Note that a NAT traversal
>     mechanism for HIP is defined, which allows HIP host to tunnel control
>     and data traffic over UDP[I-D.ietf-hip-nat-traversal].  Note also
>     that the locator behind NAT is not necessarily an IPv4 address but it
>     can be an IPv6 address.

And due to a 6/4 translator, the address family of the tunnel
endpoints could be different, too.

-d


From thomas.r.henderson@boeing.com  Sat Jul 11 21:15:11 2009
Date: Sat, 11 Jul 2009 21:15:19 -0700
Message-ID: <77F357662F8BFA4CA7074B0410171B6D07B0C438@XCH-NW-5V1.nw.nos.boeing.com>
In-Reply-To: <4A570EBB.2000300@hiit.fi>
References: <4A425954.4040500@ericsson.com> <4A49F558.7040304@nomadiclab.com> <4A4E0E22.9040200@hiit.fi> <77F357662F8BFA4CA7074B0410171B6D07B0C421@XCH-NW-5V1.nw.nos.boeing.com> <4A570EBB.2000300@hiit.fi>
From: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
To: <miika.komu@hiit.fi>
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06

> -----Original Message-----
> From: Miika Komu [mailto:miika.komu@hiit.fi]
> Sent: Friday, July 10, 2009 2:50 AM
> To: Henderson, Thomas R
> Cc: HIP
> Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06
>
> Henderson, Thomas R wrote:
>
> Hi,
>
> a new version is available from here:
>
> http://www.iki.fi/miika/docs/draft-ietf-hip-native-api-07-pre2.txt
>
> It is based on comments from you and the minor comment from Jeff is
> included. I didn't have time to proof read all the changes yet, so I
> might apply small nits here and there.
>
> Cut-off deadline is on Monday. I assume that I have follow the official
> schedule and I'll submit the final 07 version on Monday. Please comment
> before that if you can.
>
> >
> >> Fixed. New version is here:
> >>
> >> http://www.iki.fi/miika/docs/draft-ietf-hip-native-api-07-pre1.txt
> >>
> >
> > Miika, I reviewed this preview version and have some more comments.
> >
> > 1) I think that Figure 3.1 and the related prose description could be
> > clearer by referring specifically to the records that are being
> > retrieved from DNS.  In particular:
> >
> > - step a) could say explicitly that a HIP RR is being fetched, step b)
> > in the diagram could say "QNAME=FQDN, QTYPE=HIP" instead of <FQDN>, step
> > c in the diagram should say "HIP RR(s)" instead of "<HITs+locs>".  Or
> > else, if you intend to abstract this and you mean to say that "b)
> > <FQDN>" refers to both possible fetching of HIP RRs and A/AAAA records,
> > and that steps b and c may in fact be several transactions, the
> > corresponding text should clarify this.
> >
> > - step e) should be generalized to show that not only HITs but also
> > sockaddr_in or sockaddr_in6 are passed back to the application
> >
> > - step f) should probably not just say "f. connect(<HIT>)" but should
> > show or describe that there are several possible socket messages using
> > the new address family and the new HIP addresses fetched in step e,
> > including socket(), setsockopt(), sendmsg(), bind(), connect(), ...
>
> Done, please suggest further clarifications if necessary. I think we
> should keep this description simple to give an overview of how the API
> works.

I think that if we just try to limit the diagram to HIP information, it
would be simple.  As it reads right now, I might suggest in step b)
delete "QTYPE=HIP" since, in the figure, steps b) and c) are
asymmetrical (b only asks for HIP, and c responds with A/AAAA).  I think
that the text describes that there may be other queries for A/AAAA
records involved.

>
> > 2) section 4.2 on the use and extension of getaddrinfo seems unclear to
> > me on a few points
> >
> > - why is AI_EXTFLAGS necessary to be set if the caller does not care
> > about changing the source HIT selection preferences?  why can't you just
> > set ai_protocol to IPPROTO_HIP?
>
> Or AF_HIP, like I have put in the current text. I am not sure what to do
> with IPPROTO_HIP.
>
> You were right about AI_EXTFLAGS, it was unnecessarily coupled with the
> basic HIP resolution.
>
> > - I think that in general, it would be clearer to talk about source
> > address selection separately, and not introduce all of these flags
> > referring to source address selection in this section, because they also
> > apply to sockets and not just getaddrinfo
>
> Moved to section 4.4.
>
> > - it is not clear what the behavior should be if the resolver cannot
> > determine whether HITs are public or anonymous
>
> Added:
>
> "Similarly to [RFC5014], the sockaddr_is_srcaddr() function returns 1
> when the address satisfies the given flags and 0 otherwise.  Value -1
> denotes a failure."

I had a hard time understanding the distinction between 0 and -1 when I
read RFC5014, and here, I think what is unclear is whether the library
necessarily knows whether a HIT is public or not, and whether it should
return 0 or -1.  I think it would be clearer to maybe add "we assume
that the system will be able to resolve each HIT as either a public or
anonymous HIT on the basis of local metadata, or other policy decision."

Perhaps value 1 should equal "is my HIT and satisfies flags", value 0
"is my HIT but does not satisfy flags", and value -1 "is not a HIT, or
is not one of my HITs"

>
> > - in the second paragraph on page 9, it implies that DNS, by default,
> > will spoof the resolution and return HITs and LSIs in
> > sockaddr_in6/sockaddr_in structures.  (by the way, the reference should
> > be to RFC5338).  I would make this change to imply that this is not the
> > recommended default behavior:
> > s/In such a case, the DNS agent returns transparently.../In such a case,
> > the DNS agent may, according to local policy, return transparently.../
> > and later:
> > s/To disable this behavior/To override this local policy/
>
> Fixed.
>
> > - in general, my understanding is that the setting of PREFER_SRC...
> > flags does not cause the glibc to filter addresses and only return those
> > that match, but instead influences the order in which the possibly
> > multiple destination addresses are returned to the caller.  In any case,
> > I am not sure that PREFER_SRC_TMP and PREFER_SRC_PUBLIC make much sense
> > here because the destination HITs are all going to be public and these
> > flags will not affect HIT ordering.
>
> You're right, the semantics were ambiguous. After some thinking, I
> thought the following would be more clear:
>
>     The same flags can also be used with getaddrinfo() when the
>     application asks the resolver to assign a local wildcard HIT to be
>     used with the bind() socket call.  In such a case, the node argument
>     for getaddrinfo() must be NULL and input flags must include the
>     AI_PASSIVE flag.  When the AI_EXTFLAGS is unset, the resolver returns
>     a sockaddr_hip structure with ship_hit field prefilled with the
>     HIP_HIT_ANY macro that was described in Section 4.  When AI_EXTFLAGS
>     is set, the resolver prefills the returned sockaddr_hip structure for
>     the conveniency of the application as listed in Table 2.
>
> Does that work for you?
>

OK

> > - Is it really true that HIP_PREFER_PASSIVE_* produces a single
> > sockaddr_hip structure containing a wildcard and not an explicit HIT?
> > If so, what is the point of this call-- the application can populate the
> > appropriate wildcard itself?
>
> As indicated by the last quoted text, it is just for the conveniency of
> the application. The existing getaddrinfo() interface provides such
> functionality for filling wildcard or loopback addresses for bind(). I
> have no idea how common it is for applications to use it in practice,
> but I believe we should define the same conveniency interface.
>
> Btw, I simplified the jungle of HIP_PREFER_PASSIVE_* flags without
> reducing any functionality. Now there are just two flags instead of the
> original seven.

OK

>
> > 3) section 4.4 on the validation function
> >
> > - do you really need 64-bits of flag?
>
> The function provides a superset of inet6_is_srcaddr() which could have
> been defined originally in a little bit more flexible way:
>
>     The function has also 64 bit flags
>     instead of 32 bits.  This new function handles the same flags as
>     defined in [RFC5014] in addition to some two HIP-specific flags for
>     anonymous and public HITs, HIP_PREFER_SRC_HIT_TMP and
>     HIP_PREFER_SRC_HIT_PUBLIC.
>
> 64 bits should guarantee that we don't run out of bits for some while
> due to the shared interface. Do you agree with this?

I'm OK with it.

>
> > - the flag names in Table 2 should probably be changed to
> > HIP_PREFER_HIT_TMP and HIP_PREFER_HIT_PUBLIC
>
> The flags are now "HIP_PREFER_SRC_HIT_xx" since destination HIT is
> supposed to be public by definition. Is this ok?

OK
>
> > - again, it should be clarified what the behavior is if the system can
> > tell whether the identifier is a HIT but can't tell whether it is a TMP
> > or PUBLIC
>
> I added:
>
>     Similarly to [RFC5014], the sockaddr_is_srcaddr() function returns 1
>     when the address satisfies the given flags and 0 otherwise.  Value -1
>     denotes a failure.

same comment as above-- I don't think it hurts to be explicit and list
these out what these mean rather than just refer to RFC5014 reference.

Regards,
Tom

From thomas.r.henderson@boeing.com  Sun Jul 12 14:59:14 2009
Date: Sun, 12 Jul 2009 14:59:12 -0700
Message-ID: <77F357662F8BFA4CA7074B0410171B6D07B0C439@XCH-NW-5V1.nw.nos.boeing.com>
In-Reply-To: <4A5726BD.40108@hiit.fi>
References: <4A425954.4040500@ericsson.com> <4A49F558.7040304@nomadiclab.com>	<4A4E0E22.9040200@hiit.fi>	<77F357662F8BFA4CA7074B0410171B6D07B0C421@XCH-NW-5V1.nw.nos.boeing.com> <4A570EBB.2000300@hiit.fi> <4A5726BD.40108@hiit.fi>
From: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
To: <miika.komu@hiit.fi>
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06

> -----Original Message-----
> From: Miika Komu [mailto:miika.komu@hiit.fi]
> Sent: Friday, July 10, 2009 4:32 AM
> To: Henderson, Thomas R
> Cc: HIP
> Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06
>
> Miika Komu wrote:
>
> Hi,
>
> >> - Is it really true that HIP_PREFER_PASSIVE_* produces a single
> >> sockaddr_hip structure containing a wildcard and not an explicit HIT?
> >> If so, what is the point of this call-- the application can populate the
> >> appropriate wildcard itself?
> >
> > As indicated by the last quoted text, it is just for the conveniency of
> > the application. The existing getaddrinfo() interface provides such
> > functionality for filling wildcard or loopback addresses for bind(). I
> > have no idea how common it is for applications to use it in practice,
> > but I believe we should define the same conveniency interface.
> >
> > Btw, I simplified the jungle of HIP_PREFER_PASSIVE_* flags without
> > reducing any functionality. Now there are just two flags instead of the
> > original seven.
>
> if you agree on the conveniency flags for getaddrinfo(), should we
> define them also for outbound opportunistic connections?
>

I think the current flags:
- HIP_PREFER_SRC_HIT_TMP
- HIP_PREFER_SRC_HIT_PUBLIC
may be useful for two reasons.

1) alignment with how getaddrinfo() AI_PASSIVE works in the non-HIP
case.  Yes, the app could fill in these macros directly, but this is
true of the non-HIP case as well (app could fill in INADDR_ANY).  So, it
is probably best to just align with how IPv6 works.

2) pass in something like an IPV6_ADDR_PREFERENCES to a socket, as in
section 6 of RFC5014.  However, I don't see that option in the current
draft-- there is no SHIM_*** optname that relates to the setting of
preferences on the EID that is selected, nor do I see it in the current
shim6 document.  As you mention, this would help for opportunistic
connections, but I think also for other connections as well.

One possibility is to insert this section after table 2; any comments on
this?

4.5  Additions to the Socket Interface

   The Socket API for Source Address Selection [RFC5014] defines socket
   options to allow applications to influence source address selection
   mechanisms.  In some cases, HIP-aware applications may want to
   influence source HIT selection; in particular, whether an outbound
   connection should use a published or anonymous HIT.  Similar to
   IPV6_ADDR_PREFERENCES defined in RFC 5014, the following socket option
   HIT_PREFERENCES is defined for IPPROTO_HIP-based sockets.  This socket
   option can be used with setsockopt() and getsockopt() calls to set and
   get the HIT selection preferences affecting a HIP-enabled socket.
   The socket option value (optval) is a 32-bit unsigned integer
   argument.  The argument consists of a number of flags where each flag
   indicates an address selection preference that modifies one of the
   rules in the default HIT selection; these flags have been introduced
   above in Table 2.

   HIP_PREFER_SRC_HIT_TMP /* Prefer an anonymous HIT */
   HIP_PREFER_SRC_HIT_PUBLIC /* Prefer a public HIT */

   If the system is unable to assign the type of HIT that is requested,
   at HIT selection time, the socket call (connect(), sendto(), or
   sendmsg()) will fail and errno will be set to EINVAL.  If the
   application tries to set both of the above flags for the same socket,
   this also results in the error EINVAL.
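
The flag semantics discussed in the two messages above, as an added example that is not part of the original posts or of the draft: it models the three-valued result suggested for sockaddr_is_srcaddr() and the EINVAL cases of the proposed HIT_PREFERENCES option. The function names, the flag values, the local HIT table and the sample HITs are assumptions constructed for illustration; the only external fact used is that HITs carry the ORCHID prefix 2001:10::/28.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed values: the thread names these flags but gives no numbers. */
#define HIP_PREFER_SRC_HIT_TMP    0x1u   /* prefer an anonymous HIT */
#define HIP_PREFER_SRC_HIT_PUBLIC 0x2u   /* prefer a public HIT */
#define HIT_PREF_KNOWN (HIP_PREFER_SRC_HIT_TMP | HIP_PREFER_SRC_HIT_PUBLIC)

struct hit { uint8_t b[16]; };

/* Local metadata: every HIT of this host is recorded as public or anonymous. */
struct local_hit { struct hit hit; int is_public; };

/* Constructed sample table: one public and one anonymous HIT. */
static const struct local_hit SAMPLE_HITS[] = {
    { { { 0x20,0x01,0x00,0x10, 0,0,0,0, 0,0,0,0, 0,0,0,0x01 } }, 1 },
    { { { 0x20,0x01,0x00,0x1f, 0,0,0,0, 0,0,0,0, 0,0,0,0x02 } }, 0 },
};

/* A HIT is an IPv6-sized value under the ORCHID prefix 2001:10::/28. */
static int looks_like_hit(const struct hit *h)
{
    return h->b[0] == 0x20 && h->b[1] == 0x01 && h->b[2] == 0x00 &&
           (h->b[3] & 0xf0) == 0x10;
}

static const struct local_hit *find_local(const struct local_hit *tbl,
                                          size_t n, const struct hit *h)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (memcmp(tbl[i].hit.b, h->b, sizeof(h->b)) == 0)
            return &tbl[i];
    return NULL;
}

/* 1 when the HIT type is compatible with every requested preference. */
static int matches(const struct local_hit *lh, uint32_t flags)
{
    if ((flags & HIP_PREFER_SRC_HIT_TMP) && lh->is_public)
        return 0;
    if ((flags & HIP_PREFER_SRC_HIT_PUBLIC) && !lh->is_public)
        return 0;
    return 1;
}

/* setsockopt()-time check: both flags together, or unknown bits, are EINVAL. */
int hit_prefs_validate(uint32_t optval)
{
    if (optval & ~HIT_PREF_KNOWN)
        return -EINVAL;
    if ((optval & HIT_PREF_KNOWN) == HIT_PREF_KNOWN)
        return -EINVAL;
    return 0;
}

/* Three-valued result as suggested in the first message:
 *   1  own HIT and satisfies the flags
 *   0  own HIT but does not satisfy the flags
 *  -1  not a HIT, or not one of this host's HITs */
int hit_is_srcaddr(const struct local_hit *tbl, size_t n,
                   const struct hit *h, uint32_t flags)
{
    const struct local_hit *lh;
    if (!looks_like_hit(h))
        return -1;
    lh = find_local(tbl, n, h);
    if (lh == NULL)
        return -1;
    return matches(lh, flags);
}

/* HIT selection time: fail with EINVAL when no HIT of the requested type
 * exists, as the proposed section 4.5 text describes. */
int hit_select_source(const struct local_hit *tbl, size_t n,
                      uint32_t prefs, const struct hit **out)
{
    size_t i;
    if (hit_prefs_validate(prefs) != 0)
        return -EINVAL;
    for (i = 0; i < n; i++) {
        if (matches(&tbl[i], prefs)) {
            *out = &tbl[i].hit;
            return 0;
        }
    }
    return -EINVAL;
}

int main(void)
{
    const struct hit *src = NULL;
    printf("both flags      -> %d\n",
           hit_prefs_validate(HIP_PREFER_SRC_HIT_TMP | HIP_PREFER_SRC_HIT_PUBLIC));
    printf("public as TMP   -> %d\n",
           hit_is_srcaddr(SAMPLE_HITS, 2, &SAMPLE_HITS[0].hit, HIP_PREFER_SRC_HIT_TMP));
    printf("select TMP      -> %d\n",
           hit_select_source(SAMPLE_HITS, 2, HIP_PREFER_SRC_HIT_TMP, &src));
    return 0;
}
```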

From samu.varjonen@hiit.fi  Mon Jul 13 03:13:02 2009
Message-ID: <4A5B08CB.2000109@hiit.fi>
Date: Mon, 13 Jul 2009 13:13:31 +0300
From: Varjonen Samu <samu.varjonen@hiit.fi>
To: HIP <hipsec@ietf.org>
Subject: [Hipsec] WGLC comments: draft-ietf-hip-native-api-07-pre2

Hi,

Couple comments/questions on the draft-ietf-hip-native-api-07-pre2.

First some editorial stuff. In the introduction third paragraph it says
"Host Identifier Tags (HITs)". It should be "Host Identity Tags (HITs)".
HITs abbreviation is also opened couple paragraphs down, while just saying
"HITs" would be sufficient.

In introduction, with opportunistic mode I would refer to "[RFC5201] 
section 4.1.6."

Last paragraph in introduction, the "recap", the third goal is something 
that sounds exactly like draft-ietf-shim6-multihome-shim-api. Isn't it 
already defined in it, like the section 4.5 seems to be explanation of 
multihome-shim-api with HIP specific language. So isn't the third goal 
more like multihome-shim-api's goal?

The definition of macro HIP_ADDR_ANY is confusing. "HIP_ADDR_ANY,
denotes means that the application accepts both HITs and any other type
of addresses." First it has "denotes means", drop one. Third paragraph
after the definition it says that applications might use HIP_ADDR_ANY
when HIP-based connectivity fails and in section 4.4 Table 2 the
correspondence from flags to macros says that if it's not a *_HIT_TMP or
*_HIT_PUBLIC it corresponds to macro HIP_ADDR_ANY. To me this looks like
the definition should lose the HIT part and just say "accepts addresses".

Sorry if there is some overlapping with other comments on the draft, I
have not been following the discussion on the list thoroughly ;)

BR,
Samu

From ari.keranen@nomadiclab.com  Mon Jul 13 03:44:22 2009
Message-ID: <4A5B0FE1.5070503@nomadiclab.com>
Date: Mon, 13 Jul 2009 13:43:45 +0300
From: Ari Keranen <ari.keranen@nomadiclab.com>
To: Shinta Sugimoto <shinta@sfc.wide.ad.jp>
References: <4A425954.4040500@ericsson.com>	<4A49F558.7040304@nomadiclab.com>	<77F357662F8BFA4CA7074B0410171B6D07B0C3E8@XCH-NW-5V1.nw.nos.boeing.com>	<4A4CDAB6.90203@sfc.wide.ad.jp>	<77F357662F8BFA4CA7074B0410171B6D099DF19D@XCH-NW-5V1.nw.nos.boeing.com>	<4A55BE2D.4040506@sfc.wide.ad.jp> <4A572C5F.50906@sfc.wide.ad.jp>
In-Reply-To: <4A572C5F.50906@sfc.wide.ad.jp>
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] Support of locator behind NAT in multihome shim API

Hi Shinta,

That change should be good enough at least for the NAT traversal 
scenarios I had in mind. Thanks!

Although I guess that if lc_proto != 0, it means that one uses transport 
layer encapsulation with port lc_port and protocol lc_proto? This could 
be stated more explicitly in the draft. Maybe something like

    lc_proto
       Internet Protocol number of a transport layer protocol if
       transport layer encapsulation is used with the locator. Set to
       IPPROTO_UDP (17) for UDP or zero if no transport layer
       encapsulation is used.

    lc_port
       The transport layer port number, or zero if lc_proto is zero.


Also I'm not sure if I fully understood the second sentence of 7.1.1:

  7.1.1.  Handling Locator behind NAT

    Note that the locator information MAY contain a locator behind a
    Network Addresss Translator (NAT).  Such a situation may arise when
    the host is behind the NAT and uses a local address as a source
    locator to communicate with the peer.

Shouldn't the "local address" be rather the address NAT gives to the 
host (i.e., server or peer reflexive address) since that's the one host 
uses, from the peer's point of view, as the source locator? Or did you 
mean to say that this situation arises if the host uses *the* local 
address that is behind the NAT (and may have some other local address 
that is not)?

also: s/Addresss/Address/

And perhaps change the title of the section to something like "Handling 
Locator with Transport Layer Encapsulation", since this isn't really a 
fully working NAT traversal solution, and might be also usable for other 
than NAT traversal purposes.


Cheers,
Ari

Shinta Sugimoto wrote:
> Hi all,
> (please allow me to change the subject of the thread)
> 
> As I mentioned, we (authors of multihome shim API draft) are updating the 
> multihome shim API draft taking NAT Traversal support into account. 
> Below is what we have now in the draft.  Basically, we modified the data 
> structure for storing locator information so that it can contain UDP 
> encapsulation as well.  Also, a locator behind NAT could be either IPv4 
> or IPv6 (taking Thomas's comment into account).  Any 
> comments/suggestions are welcome.  Please note that we are planning to 
> submit the updated draft (-09) before the cutoff.  Thank you.
> 
> ---(beginning of quote)---
> 7.1.  Placeholder for Locator Information
> 
>    As defined in Section 5, the SHIM_LOC_LOCAL_PREF, SHIM_LOC_PEER_PREF,
>    SHIM_LOCLIST_LOCAL, and SHIM_LOCLIST_PEER socket options need to
>    handle one or more locator information.  Locator information includes
>    not only the locator itself but also additional information about the
>    locator which is useful for locator management.  A new data structure
>    is defined to serve as a placeholder for the locator information.
> 
>    Figure 4 illustrates the data structure called shim_locator which
>    stores a locator information.
> 
>         struct shim_locator {
>                 uint8_t    lc_family;       /* address family */
>                 uint8_t    lc_proto;        /* protocol */
>                 uint16_t   lc_port;         /* port number */
>                 uint16_t   lc_flags;        /* flags */
>                 uint16_t   lc_pref;         /* preference value */
>                 uint32_t   lc_ifidx;        /* interface index */
>                 struct in6_addr lc_addr;    /* address */
>         };
> 
>                      Figure 4: shim locator structure
> 
>    lc_family
>       Address family of the locator (e.g.  AF_INET, AF_INET6).  It is
>       required that the parameter contains non-zero value indicating the
>       exact address family of the locator.
>    lc_proto
>       Internet Protocol number for the protocol which is used to handle
>       locator behind NAT.  Typically, this value is set as UDP (17)
>       when the locator is a UDP encapsulation interface.
> 
> Komu, et al.            Expires November 8, 2009               [Page 28]
> 
> Internet-Draft            Multihoming Shim API                  May 2009
> 
>    lc_port
>       Port number which is used for handling locator behind NAT.
>    lc_flags
>       Each bit of the flags represents a specific characteristics of the
>       locator.  Hash Based Address (HBA) is defined as 0x01.
>       Cryptographically Generated Address (CGA) is defined as 0x02.
>    lc_pref
>       Preference of the locator.  The preference is represented by an
>       integer.
>    lc_ifidx
>       Interface index of the network interface to which the locator is
>       assigned.  This field should be valid only in a read
>       (getsockopt()) operation.
>    lc_addr
>       Contains the locator.  In the case where a locator whose size is
>       smaller than 16 bytes, an encoding rule should be provided for
>       each locator of a given address family.  For instance, in case of
>       AF_INET (IPv4), the locator should be in the format of an IPv4-
>       mapped IPv6 address as defined in RFC 4291[RFC4291].
> 
> 7.1.1.  Handling Locator behind NAT
> 
>    Note that the locator information MAY contain a locator behind a
>    Network Addresss Translator (NAT).  Such a situation may arise when
>    the host is behind the NAT and uses a local address as a source
>    locator to communicate with the peer.  Note that a NAT traversal
>    mechanism for HIP is defined, which allows HIP host to tunnel control
>    and data traffic over UDP[I-D.ietf-hip-nat-traversal].  Note also
>    that the locator behind NAT is not necessarily an IPv4 address but it
>    can be an IPv6 address.  Below is an example where the application
>    sets a UDP encapsulation interface as a source locator when sending
>    IP packets.
> 
> 
>        struct shim_locator locator;
>        struct in6_addr ia6;
> 
>        /* copy the private IPv4 address to the ia6 as an IPv4-mapped
>           IPv6 address */
> 
>        memset(&locator, 0, sizeof(locator));
> 
>        /* fill shim_locator data structure */
>        locator.lc_family = AF_INET;
>        locator.lc_proto = IPPROTO_UDP;
>        locator.lc_port = 50500;
>        locator.lc_flags = 0;
>        locator.lc_pref = 0;
>        locator.lc_ifidx = 3;
> 
>        memcpy(&locator.lc_addr, &ia6, sizeof(ia6));
> 
>        setsockopt(fd, SOL_SHIM, SHIM_LOC_LOCAL_SEND, &locator,
>                   sizeof(locator));
> ---(end of quote)---
> 
> Regards,
> Shinta
> 
> Shinta Sugimoto wrote:
>> Hi Thomas,
>>
>> Thank you for your comments and sorry for my delayed response.
>> Please find my comment below.
>>
>> Henderson, Thomas R wrote:
>>>>> The other options seem to be to ask the shim6-api draft authors, 
>>>>> and WG,
>>>>> to support NAT traversal, or to just write a HIP-specific API for 
>>>>> these
>>>>> aspects.  In either case, I think we (HIP WG) should decide what we 
>>>>> want
>>>>> this API to be.
>>>> As a co-author of the multihome shim API document, I am willing
>>>> to improve the draft to support NAT Traversal.  It is not only
>>>> useful for HIP but also for SHIM6 (in the future) as mentioned
>>>> above.  Does this sound reasonable?
>>>>
>>>> With regard to the data structure for storing IPv4 address and
>>>> a pair of UDP port numbers, let me come up with proposal later.
>>>> I need to discuss with co-authors of the multihome shim API draft.
>>>
>>> Thanks, it sounds reasonable to extend this if shim6 WG is willing, 
>>> but from your comments, I take it that you are just going to focus on 
>>> IPv4 NAT traversal?  I was wondering whether IPv6 NAT traversal also 
>>> should be supported in the API in case such devices (or firewalls 
>>> that filter the HIP protocol) become prevalent.
>>
>> Thank you.
>>
>> Let us define the locator management API taking NAT into 
>> consideration.  Answering to your question, yes, we (at least I) have 
>> been thinking only IPv4 NAT.  But I see your point that NAT is not 
>> necessarily IPv4 but there could be IPv6 NAT as well.  Then, let us 
>> also take this into account.
>>
>> Now we are updating the multihome API document with NAT support.  Will 
>> send it to the HIP list when it's ready (hopefully before the cutoff).
>>
>> Regards,
>> Shinta


From miika.komu@hiit.fi  Mon Jul 13 05:02:49 2009
Message-ID: <4A5B2284.3030301@hiit.fi>
Date: Mon, 13 Jul 2009 15:03:16 +0300
From: Miika Komu <miika.komu@hiit.fi>
To: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>, HIP <hipsec@ietf.org>
References: <4A425954.4040500@ericsson.com> <4A49F558.7040304@nomadiclab.com> <4A4E0E22.9040200@hiit.fi> <77F357662F8BFA4CA7074B0410171B6D07B0C421@XCH-NW-5V1.nw.nos.boeing.com> <4A570EBB.2000300@hiit.fi> <77F357662F8BFA4CA7074B0410171B6D07B0C438@XCH-NW-5V1.nw.nos.boeing.com>
In-Reply-To: <77F357662F8BFA4CA7074B0410171B6D07B0C438@XCH-NW-5V1.nw.nos.boeing.com>
Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06
Reply-To: miika.komu@hiit.fi

Henderson, Thomas R wrote:

Hi,

I have applied the comments in this email to the third iteration:

http://www.iki.fi/miika/docs/draft-ietf-hip-native-api-07-pre3.txt

>> -----Original Message-----
>> From: Miika Komu [mailto:miika.komu@hiit.fi] 
>> Sent: Friday, July 10, 2009 2:50 AM
>> To: Henderson, Thomas R
>> Cc: HIP
>> Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06
>>
>> Henderson, Thomas R wrote:
>>
>> Hi,
>>
>> a new version is available from here:
>>
>> http://www.iki.fi/miika/docs/draft-ietf-hip-native-api-07-pre2.txt
>>
>> It is based on comments from you and the minor comment from Jeff is
>> included. I didn't have time to proof read all the changes yet, so I 
>> might apply small nits here and there.
>>
>> Cut-off deadline is on Monday. I assume that I have to follow the
>> official schedule and I'll submit the final 07 version on Monday.
>> Please comment before that if you can.
>>
>>>  > 
>>>> Fixed. New version is here:
>>>>
>>>> http://www.iki.fi/miika/docs/draft-ietf-hip-native-api-07-pre1.txt
>>>>
>>> Miika, I reviewed this preview version and have some more comments.
>>>
>>> 1) I think that Figure 3.1 and the related prose description could be
>>> clearer by referring specifically to the records that are being
>>> retrieved from DNS.  In particular:
>>>
>>> - step a) could say explicitly that a HIP RR is being fetched, step b)
>>> in the diagram could say "QNAME=FQDN, QTYPE=HIP" instead of <FQDN>, step
>>> c in the diagram should say "HIP RR(s)" instead of "<HITs+locs>".  Or
>>> else, if you intend to abstract this and you mean to say that "b)
>>> <FQDN>" refers to both possible fetching of HIP RRs and A/AAAA records,
>>> and that steps b and c may in fact be several transactions, the
>>> corresponding text should clarify this.
>>>
>>> - step e) should be generalized to show that not only HITs but also
>>> sockaddr_in or sockaddr_in6 are passed back to the application
>>>
>>> - step f) should probably not just say "f. connect(<HIT>)" but should
>>> show or describe that there are several possible socket messages using
>>> the new address family and the new HIP addresses fetched in step e,
>>> including socket(), setsockopt(), sendmsg(), bind(), connect(), ...
>> Done, please suggest further clarifications if necessary. I think we
>> should keep this description simple to give an overview of how the API
>> works.
> 
> I think that if we just try to limit the diagram to HIP information, it
> would be simple.  As it reads right now, I might suggest in step b)
> delete "QTYPE=HIP" since, in the figure, steps b) and c) are
> asymmetrical (b only asks for HIP, and c responds with A/AAAA).  I think
> that the text describes that there may be other queries for A/AAAA
> records involved.

Done.

>>> 2) section 4.2 on the use and extension of getaddrinfo seems unclear to
>>> me on a few points
>>>
>>> - why is AI_EXTFLAGS necessary to be set if the caller does not care
>>> about changing the source HIT selection preferences?  why can't you just
>>> set ai_protocol to IPPROTO_HIP?
>> Or AF_HIP, like I have put in the current text. I am not sure what to do
>> with IPPROTO_HIP.
>>
>> You were right about AI_EXTFLAGS, it was unnecessarily coupled with the
>> basic HIP resolution.
>>
>>> - I think that in general, it would be clearer to talk about source
>>> address selection separately, and not introduce all of these flags
>>> referring to source address selection in this section, because they also
>>> apply to sockets and not just getaddrinfo
>> Moved to section 4.4.
>>
>>> - it is not clear what the behavior should be if the resolver cannot
>>> determine whether HITs are public or anonymous 
>> Added:
>>
>> "Similarly to [RFC5014], the sockaddr_is_srcaddr() function returns 1
>> when the address satisfies the given flags and 0 otherwise.  Value -1
>> denotes a failure."
> 
> I had a hard time understanding the distinction between 0 and -1 when I
> read RFC5014, and here, I think what is unclear is whether the library
> necessarily knows whether a HIT is public or not, and whether it should
> return 0 or -1.  I think it would be clearer to maybe add "we assume
> that the system will be able to resolve each HIT as either a public or
> anonymous HIT on the basis of local metadata, or other policy decision."
> 
> Perhaps value 1 should equal "is my HIT and satisfies flags", value 0
> "is my HIT but does not satisfy flags", and value -1 "is not a HIT, or
> is not one of my HITs"

It says now:

    When given an AF_INET6 socket, sockaddr_is_srcaddr() behaves as
    inet6_is_srcaddr() function as described in [RFC5014].  With AF_HIP
    socket, the function returns 1 when the HIT contained in the socket
    address structure corresponds to a valid HIT of the local host and
    the HIT satisfies the given flags.  The function returns -1 when the
    HIT does not belong to the local host or the flags are not valid.
    The function returns 0 when the preference flags are valid but the
    HIT does not match the given flags.

Is this ok?

>>> - in the second paragraph on page 9, it implies that DNS, by default,
>>> will spoof the resolution and return HITs and LSIs in
>>> sockaddr_in6/sockaddr_in structures.  (by the way, the reference should
>>> be to RFC5338).  I would make this change to imply that this is not the
>>> recommended default behavior:
>>> s/In such a case, the DNS agent returns transparently.../In such a case,
>>> the DNS agent may, according to local policy, return transparently.../
>>> and later:
>>> s/To disable this behavior/To override this local policy/
>> Fixed.
>>
>>> - in general, my understanding is that the setting of PREFER_SRC...
>>> flags does not cause the glibc to filter addresses and only return those
>>> that match, but instead influences the order in which the possibly
>>> multiple destination addresses are returned to the caller.  In any case,
>>> I am not sure that PREFER_SRC_TMP and PREFER_SRC_PUBLIC make much sense
>>> here because the destination HITs are all going to be public and these
>>> flags will not affect HIT ordering.
>> You're right, the semantics were ambiguous. After some thinking, I
>> thought the following would be more clear:
>>
>>     The same flags can also be used with getaddrinfo() when the
>>     application asks the resolver to assign a local wildcard HIT to be
>>     used with the bind() socket call.  In such a case, the node argument
>>     for getaddrinfo() must be NULL and input flags must include the
>>     AI_PASSIVE flag.  When the AI_EXTFLAGS is unset, the resolver returns
>>     a sockaddr_hip structure with ship_hit field prefilled with the
>>     HIP_HIT_ANY macro that was described in Section 4.  When AI_EXTFLAGS
>>     is set, the resolver prefills the returned sockaddr_hip structure for
>>     the conveniency of the application as listed in Table 2.
>>
>> Does that work for you?
>>
> 
> OK
> 
>>> - Is it really true that HIP_PREFER_PASSIVE_* produces a single
>>> sockaddr_hip structure containing a wildcard and not an explicit HIT?
>>> If so, what is the point of this call-- the application can populate the
>>> appropriate wildcard itself?
>> As indicated by the last quoted text, it is just for the conveniency of
>> the application. The existing getaddrinfo() interface provides such
>> functionality for filling wildcard or loopback addresses for bind(). I
>> have no idea how common it is for applications to use it in practice,
>> but I believe we should define the same conveniency interface.
>>
>> Btw, I simplified the jungle of HIP_PREFER_PASSIVE_* flags without
>> reducing any functionality. Now there are just two flags instead of the
>> original seven.
> 
> OK
> 
>>> 3) section 4.4 on the validation function
>>>
>>> - do you really need 64-bits of flag?
>> The function provides a superset of inet6_is_srcaddr() which could have
>> been defined originally in a little bit more flexible way:
>>
>>     The function has also 64 bit flags
>>     instead of 32 bits.  This new function handles the same flags as
>>     defined in [RFC5014] in addition to some two HIP-specific flags for
>>     anonymous and public HITs, HIP_PREFER_SRC_HIT_TMP and
>>     HIP_PREFER_SRC_HIT_PUBLIC.
>>
>> 64 bits should guarantee that we don't run out of bits for some while 
>> due to the shared interface. Do you agree with this?
> 
> I'm OK with it.
> 
>>> - the flag names in Table 2 should probably be changed to
>>> HIP_PREFER_HIT_TMP and HIP_PREFER_HIT_PUBLIC
>> The flags are now "HIP_PREFER_SRC_HIT_xx" since destination HIT is 
>> supposed to be public by definition. Is this ok?
> 
> OK 
>>> - again, it should be clarified what the behavior is if the system can
>>> tell whether the identifier is a HIT but can't tell whether it is a TMP
>>> or PUBLIC
>> I added:
>>
>>     Similarly to [RFC5014], the sockaddr_is_srcaddr() function returns 1
>>     when the address satisfies the given flags and 0 otherwise.  Value -1
>>     denotes a failure.
> 
> same comment as above-- I don't think it hurts to be explicit and list
> these out what these mean rather than just refer to RFC5014 reference.

Ok.

From miika.komu@hiit.fi  Mon Jul 13 05:57:46 2009
Message-ID: <4A5B2F66.9070300@hiit.fi>
Date: Mon, 13 Jul 2009 15:58:14 +0300
From: Miika Komu <miika.komu@hiit.fi>
To: Varjonen Samu <samu.varjonen@hiit.fi>, hipsec@ietf.org
References: <4A5B08CB.2000109@hiit.fi>
In-Reply-To: <4A5B08CB.2000109@hiit.fi>
Subject: Re: [Hipsec] WGLC comments: draft-ietf-hip-native-api-07-pre2
Reply-To: miika.komu@hiit.fi

Varjonen Samu wrote:

Hi,

here's an updated version with your comments:

http://www.iki.fi/miika/docs/draft-ietf-hip-native-api-07-pre3.txt

Please check if you are ok with the changes.

> Hi,
> 
> Couple comments/questions on the draft-ietf-hip-native-api-07-pre2.
> 
> First some editorial stuff. In the introduction third paragraph it says 
> "Host Identifier Tags (HITs)". It should be "Host Identity Tags (HITs)". 
> HITs abbreviation is also opened couple paragraphs down, while just saying 
> "HITs" would be sufficient.

Applied.

> In introduction, with opportunistic mode I would refer to "[RFC5201] 
> section 4.1.6."

Applied.

> Last paragraph in introduction, the "recap", the third goal is something 
> that sounds exactly like draft-ietf-shim6-multihome-shim-api. Isn't it 
> already defined in it, like the section 4.5 seems to be explanation of 
> multihome-shim-api with HIP specific language. So isn't the third goal 
> more like multihome-shim-api's goal?

Changed to:

    "The third goal is to
    illustrate how HIP-aware applications can use the SHIM API
    [I-D.ietf-shim6-multihome-shim-api] to manually map locators to
    HITs."

> The definition of macro HIP_ADDR_ANY is confusing. "HIP_ADDR_ANY, 
> denotes means that the application accepts both HITs and any other type 
> of addresses." First it has "denotes means", drop one. Third paragraph 
> after the definition it says that applications might use HIP_ADDR_ANY 
> when HIP-based connectivity fails and in section 4.4 Table 2 the 
> correspondence from flags to macros says that if it's not a *_HIT_TMP or 
> *_HIT_PUBLIC it corresponds to macro HIP_ADDR_ANY. To me this looks like 
> the definition should lose the HIT part and just say "accepts addresses".

I have changed HIP_ADDR_ANY to HIP_ENDPOINT_ANY. Does it work for you? 
In addition, I changed "connectivity fails" text as follows:

    The use of HIP_ENDPOINT_ANY macro in the context of outgoing
    communications is left for further experimentation in the context of
    opportunistic mode.  It can result in a data flow with or without
    HIP.

More about the _HIT_TMP variables in a short while in a separate email.

From miika.komu@hiit.fi  Mon Jul 13 06:48:10 2009
Message-ID: <4A5B3B39.6010202@hiit.fi>
Date: Mon, 13 Jul 2009 16:48:41 +0300
From: Miika Komu <miika.komu@hiit.fi>
To: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
References: <4A425954.4040500@ericsson.com> <4A49F558.7040304@nomadiclab.com> <4A4E0E22.9040200@hiit.fi> <77F357662F8BFA4CA7074B0410171B6D07B0C421@XCH-NW-5V1.nw.nos.boeing.com> <4A570EBB.2000300@hiit.fi> <4A5726BD.40108@hiit.fi> <77F357662F8BFA4CA7074B0410171B6D07B0C439@XCH-NW-5V1.nw.nos.boeing.com>
In-Reply-To: <77F357662F8BFA4CA7074B0410171B6D07B0C439@XCH-NW-5V1.nw.nos.boeing.com>
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06
Reply-To: miika.komu@hiit.fi

Henderson, Thomas R wrote:

Hi,

a new preversion with your comments is here:

http://www.iki.fi/miika/docs/draft-ietf-hip-native-api-07-pre4.txt

>> -----Original Message-----
>> From: Miika Komu [mailto:miika.komu@hiit.fi] 
>> Sent: Friday, July 10, 2009 4:32 AM
>> To: Henderson, Thomas R
>> Cc: HIP
>> Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06
>>
>> Miika Komu wrote:
>>
>> Hi,
>>
>>>> - Is it really true that HIP_PREFER_PASSIVE_* produces a single
>>>> sockaddr_hip structure containing a wildcard and not an explicit HIT?
>>>> If so, what is the point of this call-- the application can populate the
>>>> appropriate wildcard itself?
>>> As indicated by the last quoted text, it is just for the conveniency of
>>> the application. The existing getaddrinfo() interface provides such
>>> functionality for filling wildcard or loopback addresses for bind(). I
>>> have no idea how common it is for applications to use it in practice,
>>> but I believe we should define the same conveniency interface.
>>>
>>> Btw, I simplified the jungle of HIP_PREFER_PASSIVE_* flags without
>>> reducing any functionality. Now there are just two flags instead of the
>>> original seven.
>> if you agree on the conveniency flags for getaddrinfo(), should we 
>> define them also for outbound opportunistic connections?
>>
> 
> I think the current flags:
> - HIP_PREFER_SRC_HIT_TMP
> - HIP_PREFER_SRC_HIT_PUBLIC 
> may be useful for two reasons.
> 
> 1) alignment with how getaddrinfo() AI_PASSIVE works in the non-HIP
> case.  Yes, the app could fill in these macros directly, but this is
> true of the non-HIP case as well (app could fill in INADDR_ANY).  So, it
> is probably best to just align with how IPv6 works.

There seem to be some problems with the flags:

1. They are coupled with socket options (which are not flags) of your 
description
2. In my opinion, the description brings too little conveniency when 
compared to the added complexity.

I would like to resolve these problems by removing the HIP_PREFER flags 
from the context of the getaddrinfo. Also, I would state that AI_PASSIVE 
flag will be ignored with AF_HIP and NULL hints gives a list of all 
local HITs. Does this work for you?

To make the decision easier, here's a recap of how the resolver works 
(without HIP) in relation to the passive flag:

hints=NULL and AI_PASSIVE=true:

   The returned socket addresses will be suitable for bind(2)ing a
   socket that will accept(2) connections.  The returned socket
   address will contain the "wildcard address" (INADDR_ANY for IPv4
   addresses, IN6ADDR_ANY_INIT for IPv6 address).  The wildcard address
   is used by applications (typically servers) that intend to accept
   connections on any of the host's network addresses.

hints=!NULL and AI_PASSIVE=true:

    The AI_PASSIVE flag is ignored.

hints=NULL and AI_PASSIVE=false:

    The network address will be set to the loopback interface
    address (INADDR_LOOPBACK for IPv4 addresses,
    IN6ADDR_LOOPBACK_INIT for IPv6 address); this is used by
    applications that intend to communicate with peers running
    on the same host.

hints=!NULL and AI_PASSIVE=false:

   Returned socket addresses will be suitable for use with connect(2),
   sendto(2), or sendmsg(2).

My suggestion should retain compatibility with the existing semantics 
and make the API more simple.

> 2) pass in something like an IPV6_ADDR_PREFERENCES to a socket, as in
> section 6 of RFC5014.  However, I don't see that option in the current
> draft-- there is no SHIM_*** optname that relates to the setting of
> preferences on the EID that is selected, nor do I see it in the current
> shim6 document.  As you mention, this would help for opportunistic
> connections, but I think also for other connections as well.
> 
> One possibility is to insert this section after table 2; any comments on
> this?
> 
> 4.5  Additions to the Socket Interface
> 
>    The Socket API for Source Address Selection [RFC5014] defines socket
>    options to allow applications to influence source address selection
>    mechanisms.  In some cases, HIP-aware applications may want to
>    influence source HIT selection; in particular, whether an outbound
>    connection should use a published or anonymous HIT.  Similar to
>    IPV6_ADDR_PREFERENCES defined in RFC 5014, the following socket
>    option HIT_PREFERENCES is defined for IPPROTO_HIP-based sockets.
>    This socket option can be used with setsockopt() and getsockopt()
>    calls to set and get the HIT selection preferences affecting a
>    HIP-enabled socket.  The socket option value (optval) is a 32-bit
>    unsigned integer argument.  The argument consists of a number of
>    flags where each flag indicates an address selection preference that
>    modifies one of the rules in the default HIT selection; these flags
>    have been introduced above in Table 2.
> 
>    HIP_PREFER_SRC_HIT_TMP /* Prefer an anonymous HIT */
>    HIP_PREFER_SRC_HIT_PUBLIC /* Prefer a public HIT */
> 
>    If the system is unable to assign the type of HIT that is requested,
>    at HIT selection time, the socket call (connect(), sendto(), or
>    sendmsg()) will fail and errno will be set to EINVAL.  If the
>    application tries to set both of the above flags for the same socket,
>    this also results in the error EINVAL.

I added this section. However, I thought that it would be better to 
order the sections as follows:

4.4.  Selection of Source HIT Type
4.5.  Verification of Source HIT Type

Is this ok?
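
The existing (non-HIP) getaddrinfo() behaviour recapped in the message above can be checked against the real resolver; the following is an added example, not code from the thread or from the draft. In POSIX the case split is on the nodename argument being NULL, with AI_PASSIVE carried in hints.ai_flags. The helper names, the port "8080" and the documentation address 192.0.2.10 are constructed for illustration, and only IPv4 is queried so the program runs without DNS.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* What a caller would end up with (hypothetical names, not from the draft). */
enum bind_scope { SCOPE_ERROR = -1, SCOPE_WILDCARD, SCOPE_LOOPBACK, SCOPE_SPECIFIC };

/* Resolve `node` (may be NULL) for the constructed port "8080" over
 * IPv4/TCP and copy the first returned address into `out` as text.
 * Returns 0 on success or the getaddrinfo() error code. */
static int first_ipv4(const char *node, int flags, char *out, size_t outlen)
{
    struct addrinfo hints, *res = NULL;
    const struct sockaddr_in *sin;
    int rc;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = flags | AI_NUMERICSERV;  /* port is numeric, no lookup */

    rc = getaddrinfo(node, "8080", &hints, &res);
    if (rc != 0)
        return rc;

    sin = (const struct sockaddr_in *)res->ai_addr;
    if (inet_ntop(AF_INET, &sin->sin_addr, out, (socklen_t)outlen) == NULL)
        rc = EAI_SYSTEM;
    freeaddrinfo(res);
    return rc;
}

/* Classify the first address the resolver hands back for these inputs. */
static enum bind_scope classify(const char *node, int flags)
{
    char text[INET_ADDRSTRLEN];
    struct in_addr a;

    if (first_ipv4(node, flags, text, sizeof(text)) != 0 ||
        inet_pton(AF_INET, text, &a) != 1)
        return SCOPE_ERROR;
    if (a.s_addr == htonl(INADDR_ANY))
        return SCOPE_WILDCARD;      /* reachable on every local address */
    if ((ntohl(a.s_addr) >> 24) == 127)
        return SCOPE_LOOPBACK;      /* same-host peers only */
    return SCOPE_SPECIFIC;          /* exactly the address that was asked for */
}

int main(void)
{
    static const struct { const char *node; int flags; const char *label; } cases[] = {
        { NULL,         AI_PASSIVE,                  "node=NULL, AI_PASSIVE set"    },
        { NULL,         0,                           "node=NULL, AI_PASSIVE clear"  },
        { "192.0.2.10", AI_PASSIVE | AI_NUMERICHOST, "node given, AI_PASSIVE set"   },
        { "192.0.2.10", AI_NUMERICHOST,              "node given, AI_PASSIVE clear" },
    };
    char text[INET_ADDRSTRLEN];
    size_t i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        if (first_ipv4(cases[i].node, cases[i].flags, text, sizeof(text)) != 0)
            strcpy(text, "error");
        printf("%-30s -> %s\n", cases[i].label, text);
    }
    return 0;
}
```

The wildcard result is the one to watch when auditing a listener, since it accepts connections on every local address rather than only on loopback or one named address.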

From thomas.r.henderson@boeing.com  Mon Jul 13 09:04:27 2009
Date: Mon, 13 Jul 2009 09:04:40 -0700
Message-ID: <77F357662F8BFA4CA7074B0410171B6D07B0C43F@XCH-NW-5V1.nw.nos.boeing.com>
In-Reply-To: <4A5B3B39.6010202@hiit.fi>
References: <4A425954.4040500@ericsson.com> <4A49F558.7040304@nomadiclab.com> <4A4E0E22.9040200@hiit.fi> <77F357662F8BFA4CA7074B0410171B6D07B0C421@XCH-NW-5V1.nw.nos.boeing.com> <4A570EBB.2000300@hiit.fi> <4A5726BD.40108@hiit.fi> <77F357662F8BFA4CA7074B0410171B6D07B0C439@XCH-NW-5V1.nw.nos.boeing.com> <4A5B3B39.6010202@hiit.fi>
From: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
To: <miika.komu@hiit.fi>
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06

> -----Original Message-----
> From: Miika Komu [mailto:miika.komu@hiit.fi]
> Sent: Monday, July 13, 2009 6:49 AM
> To: Henderson, Thomas R
> Cc: HIP
> Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06
>
> Henderson, Thomas R wrote:
>
> Hi,
>
> a new preversion with your comments is here:
>
> http://www.iki.fi/miika/docs/draft-ietf-hip-native-api-07-pre4.txt
>
> >> -----Original Message-----
> >> From: Miika Komu [mailto:miika.komu@hiit.fi]
> >> Sent: Friday, July 10, 2009 4:32 AM
> >> To: Henderson, Thomas R
> >> Cc: HIP
> >> Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06
> >>
> >> Miika Komu wrote:
> >>
> >> Hi,
> >>
> >>>> - Is it really true that HIP_PREFER_PASSIVE_* produces a single
> >>>> sockaddr_hip structure containing a wildcard and not an explicit HIT?
> >>>> If so, what is the point of this call-- the application can populate the
> >>>> appropriate wildcard itself?
> >>> As indicated by the last quoted text, it is just for the conveniency of
> >>> the application. The existing getaddrinfo() interface provides such
> >>> functionality for filling wildcard or loopback addresses for bind(). I
> >>> have no idea how common it is for applications to use it in practice,
> >>> but I believe we should define the same conveniency interface.
> >>>
> >>> Btw, I simplified the jungle of HIP_PREFER_PASSIVE_* flags without
> >>> reducing any functionality. Now there are just two flags instead of the
> >>> original seven.
> >> if you agree on the conveniency flags for getaddrinfo(), should we
> >> define them also for outbound opportunistic connections?
> >>
> >
> > I think the current flags:
> > - HIP_PREFER_SRC_HIT_TMP
> > - HIP_PREFER_SRC_HIT_PUBLIC
> > may be useful for two reasons.
> >
> > 1) alignment with how getaddrinfo() AI_PASSIVE works in the non-HIP
> > case.  Yes, the app could fill in these macros directly, but this is
> > true of the non-HIP case as well (app could fill in INADDR_ANY).  So, it
> > is probably best to just align with how IPv6 works.
>
> There seem to be some problems with the flags:
>
> 1. They are coupled with socket options (which are not flags) of your
> description
> 2. In my opinion, the description brings too little conveniency when
> compared to the added complexity.
>
> I would like to resolve these problems by removing the HIP_PREFER flags
> from the context of the getaddrinfo. Also, I would state that AI_PASSIVE
> flag will be ignored with AF_HIP and NULL hints gives a list of all
> local HITs. Does this work for you?

Yes, I have no problem with that.

>
> To make the decision easier, here's a recap of how the resolver works
> (without HIP) in relation to the passive flag:
>
> hints=NULL and AI_PASSIVE=true:

I think you mean nodename==NULL, since AI_PASSIVE or any flag cannot be
true with a null hints.  But otherwise, yes, I agree (your second and
fourth cases below are really the same case, since AI_PASSIVE is
ignored).

>
>    The returned socket addresses will be suitable for bind(2)ing a
>    socket that will accept(2) connections.  The returned socket
>    address will contain the "wildcard address" (INADDR_ANY for IPv4
>    addresses, IN6ADDR_ANY_INIT for IPv6 address).  The wildcard address
>    is used by applications (typically servers) that intend to accept
>    connections on any of the host's network addresses.
>
> hints=!NULL and AI_PASSIVE=true:
>
>     The AI_PASSIVE flag is ignored.
>
> hints=NULL and AI_PASSIVE=false:
>
>     The network address will be set to the loopback interface
>     address (INADDR_LOOPBACK for IPv4 addresses,
>     IN6ADDR_LOOPBACK_INIT for IPv6 address); this is used by
>     applications that intend to communicate with peers running
>     on the same host.
>
> hints=!NULL and AI_PASSIVE=false:
>
>    Returned socket addresses will be suitable for use with connect(2),
>    sendto(2), or sendmsg(2).
>
> My suggestion should retain compatibility with the existing semantics
> and make the API more simple.

Agree.

>
> > 2) pass in something like an IPV6_ADDR_PREFERENCES to a
> socket, as in
> > section 6 of RFC5014.  However, I don't see that option in
> the current
> > draft-- there is no SHIM_*** optname that relates to the setting of
> > preferences on the EID that is selected, nor do I see it in
> the current
> > shim6 document.  As you mention, this would help for opportunistic
> > connections, but I think also for other connections as well.
> >
> > One possibility is to insert this section after table 2;
> any comments on
> > this?
> >
> > 4.5  Additions to the Socket Interface
> >
> >    The Socket API for Source Address Selection [RFC5014]
> defines socket
> > options
> >    to allow applications to influence source address selection
> > mechanisms.  In some cases,
> >    HIP-aware applications may want to influence source HIT
> selection; in
> > particular, whether
> >    an outbound connection should use a published or anonymous HIT.
> > Similar to
> >    IPV6_ADDR_PREFERENCES defined in RFC 5014, the following socket
> > option
> >    HIT_PREFERENCES is defined for IPPROTO_HIP-based sockets.  This
> > socket option can be used with
> >    setsockopt() and getsockopt() calls to set and get the HIT
> >    selection preferences affecting a HIP-enabled socket.
> >    The socket option value (optval) is a 32-bit unsigned integer
> >    argument.  The argument consists of a number of flags
> where each flag
> >    indicates an address selection preference that modifies
> one of the
> >    rules in the default HIT selection; these flags have
> been introduced
> > above in Table 2.
> >
> >    HIP_PREFER_SRC_HIT_TMP /* Prefer an anonymous HIT */
> >    HIP_PREFER_SRC_HIT_PUBLIC /* Prefer a public HIT */
> >
> >    If the system is unable to assign the type of HIT that
> is requested,
> > at HIT selection
> >    time, the socket call (connect (), sendto(), or
> sendmsg()) will fail
> > and errno will be
> >    set to EINVAL.  If the application tries to set both of the above
> > flags for the same socket,
> >    this also results in the error EINVAL.
>
> I added this section. However, I thought that it would be better to
> order the sections as follows:
>
> 4.4.  Selection of Source HIT Type
> 4.5.  Verification of Source HIT Type
>
> Is this ok?

Yes.  Here is one more getaddrinfo-related suggestion that I have for
now:

Section 4.2:

OLD TEXT:

   An application resolving with the ai_family field set to zero in the
   input argument may receive any kind of socket address structures,
   including sockaddr_hip.  The same occurs when the input argument is
   NULL.  When the application should resolve only HITs contained in
   sockaddr_hip structures, it should set the ai_family field to AF_HIP.

NEW TEXT:

   An application resolving with the ai_family field set to AF_UNSPEC in
the
   input argument may receive any kind of socket address structures,
   including sockaddr_hip.  When the application wants to receive only
HITs contained in
   sockaddr_hip structures, it should set the ai_family field to AF_HIP.


From thomas.r.henderson@boeing.com  Mon Jul 13 09:20:52 2009
Date: Mon, 13 Jul 2009 09:20:27 -0700
Message-ID: <77F357662F8BFA4CA7074B0410171B6D07B0C441@XCH-NW-5V1.nw.nos.boeing.com>
In-Reply-To: <4A5B2F66.9070300@hiit.fi>
References: <4A5B08CB.2000109@hiit.fi> <4A5B2F66.9070300@hiit.fi>
From: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
To: <miika.komu@hiit.fi>, "Varjonen Samu" <samu.varjonen@hiit.fi>, <hipsec@ietf.org>
Subject: Re: [Hipsec] WGLC comments: draft-ietf-hip-native-api-07-pre2

Miika,
Here are a few comments on the changes you made w.r.t. Samu's comments:

> -----Original Message-----
> From: Miika Komu [mailto:miika.komu@hiit.fi]
> Sent: Monday, July 13, 2009 5:58 AM
> To: Varjonen Samu; hipsec@ietf.org
> Subject: Re: [Hipsec] WGLC comments: draft-ietf-hip-native-api-07-pre2
>
> Varjonen Samu wrote:
>
> Hi,
>
> here's an updated version with your comments:
>
> http://www.iki.fi/miika/docs/draft-ietf-hip-native-api-07-pre3.txt
>

OLD TEXT:

   However, the application can use three special macros to set a
   wildcard value manually into the ship_hit field.  The macros are

NEW TEXT:

   However, the application can use four special wildcard constants.
   The wildcards are

(and in general, change "macro" to "constant" in this section unless you
are talking about a macro function)

OLD TEXT:

The HIP_HIT_ANY denotes that the
   application accepts any type of HIT.

NEW TEXT:

The HIP_HIT_ANY denotes that the
   application accepts inbound HIP associations to any type of HIT.


Otherwise, I'm fine with the changes.

- Tom

From miika.komu@hiit.fi  Mon Jul 13 11:41:26 2009
Message-ID: <4A5B7FC4.2000101@hiit.fi>
Date: Mon, 13 Jul 2009 21:41:08 +0300
From: Miika Komu <miika.komu@hiit.fi>
User-Agent: Thunderbird 2.0.0.22 (X11/20090608)
MIME-Version: 1.0
To: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
References: <4A5B08CB.2000109@hiit.fi> <4A5B2F66.9070300@hiit.fi> <77F357662F8BFA4CA7074B0410171B6D07B0C441@XCH-NW-5V1.nw.nos.boeing.com>
In-Reply-To: <77F357662F8BFA4CA7074B0410171B6D07B0C441@XCH-NW-5V1.nw.nos.boeing.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: hipsec@ietf.org
Subject: Re: [Hipsec] WGLC comments: draft-ietf-hip-native-api-07-pre2
Reply-To: miika.komu@hiit.fi

Henderson, Thomas R wrote:

Hi,

new preversion is here based on your comments:

http://www.iki.fi/miika/docs/draft-ietf-hip-native-api-07-pre5.txt

> Miika,
> Here are a few comments on the changes you made w.r.t. Samu's comments: 
> 
>> -----Original Message-----
>> From: Miika Komu [mailto:miika.komu@hiit.fi] 
>> Sent: Monday, July 13, 2009 5:58 AM
>> To: Varjonen Samu; hipsec@ietf.org
>> Subject: Re: [Hipsec] WGLC comments: draft-ietf-hip-native-api-07-pre2
>>
>> Varjonen Samu wrote:
>>
>> Hi,
>>
>> here's an updated version with your comments:
>>
>> http://www.iki.fi/miika/docs/draft-ietf-hip-native-api-07-pre3.txt
>>
> 
> OLD TEXT:
> 
>    However, the application can use three special macros to set a
>    wildcard value manually into the ship_hit field.  The macros are 
> 
> NEW TEXT:
> 
>    However, the application can use four special wildcard constants.  
>    The wildcards are
> 
> (and in general, change "macro" to "constant" in this section unless you
> are talking about a macro function)

I replaced throughout the text because we don't really provide new 
macros at all.

> OLD TEXT:
> 
> The HIP_HIT_ANY denotes that the
>    application accepts any type of HIT.
> 
> NEW TEXT:
> 
> The HIP_HIT_ANY denotes that the
>    application accepts inbound HIP associations to any type of HIT.
> 
> 
> Otherwise, I'm fine with the changes.

I didn't apply this because it says few paragraphs later:

         The application also uses the HIP_HIT_ANY constant in ship_hit
	field to establish outgoing communications in Opportunistic
         mode <xref target="RFC5201" />, i.e., when the
         application knows the remote peer locator but not the
         HIT.

So the ANY constants apply for both inbound and outbound connections. 
Please suggest if this should be clarified in some way.

From miika.komu@hiit.fi  Mon Jul 13 11:41:40 2009
Message-ID: <4A5B7FE2.6020702@hiit.fi>
Date: Mon, 13 Jul 2009 21:41:38 +0300
From: Miika Komu <miika.komu@hiit.fi>
User-Agent: Thunderbird 2.0.0.22 (X11/20090608)
MIME-Version: 1.0
To: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
References: <4A425954.4040500@ericsson.com> <4A49F558.7040304@nomadiclab.com>	<4A4E0E22.9040200@hiit.fi>	<77F357662F8BFA4CA7074B0410171B6D07B0C421@XCH-NW-5V1.nw.nos.boeing.com> <4A570EBB.2000300@hiit.fi> <4A5726BD.40108@hiit.fi> <77F357662F8BFA4CA7074B0410171B6D07B0C439@XCH-NW-5V1.nw.nos.boeing.com> <4A5B3B39.6010202@hiit.fi> <77F357662F8BFA4CA7074B0410171B6D07B0C43F@XCH-NW-5V1.nw.nos.boeing.com>
In-Reply-To: <77F357662F8BFA4CA7074B0410171B6D07B0C43F@XCH-NW-5V1.nw.nos.boeing.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06
Reply-To: miika.komu@hiit.fi

Henderson, Thomas R wrote:

Hi,

new preversion is here based on your comments:

http://www.iki.fi/miika/docs/draft-ietf-hip-native-api-07-pre5.txt

>> -----Original Message-----
>> From: Miika Komu [mailto:miika.komu@hiit.fi] 
>> Sent: Monday, July 13, 2009 6:49 AM
>> To: Henderson, Thomas R
>> Cc: HIP
>> Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06
>>
>> Henderson, Thomas R wrote:
>>
>> Hi,
>>
>> a new preversion with your comments is here:
>>
>> http://www.iki.fi/miika/docs/draft-ietf-hip-native-api-07-pre4.txt
>>
>>>> -----Original Message-----
>>>> From: Miika Komu [mailto:miika.komu@hiit.fi] 
>>>> Sent: Friday, July 10, 2009 4:32 AM
>>>> To: Henderson, Thomas R
>>>> Cc: HIP
>>>> Subject: Re: [Hipsec] WGLC: draft-ietf-hip-native-api-06
>>>>
>>>> Miika Komu wrote:
>>>>
>>>> Hi,
>>>>
>>>>>> - Is it really true that HIP_PREFER_PASSIVE_* produces a single
>>>>>> sockaddr_hip structure containing a wildcard and not an 
>>>> explicit HIT?
>>>>>> If so, what is the point of this call-- the application 
>>>> can populate the
>>>>>> appropriate wildcard itself?
>>>>> As indicated by the last quoted text, it is just for the 
>>>> conveniency of 
>>>>> the application. The existing getaddrinfo() interface 
>> provides such 
>>>>> functionality for filling wildcard or loopback addresses 
>>>> for bind(). I 
>>>>> have no idea how common it is for applications to use it in 
>>>> practice, 
>>>>> but I believe we should define the same conveniency interface.
>>>>>
>>>>> Btw, I simplified the jungle of HIP_PREFER_PASSIVE_* 
>> flags without 
>>>>> reducing any functionality. Now there are just two flags 
>>>> instead of the 
>>>>> original seven.
>>>> if you agree on the conveniency flags for getaddrinfo(), should we 
>>>> define them also for outbound opportunistic connections?
>>>>
>>> I think the current flags:
>>> - HIP_PREFER_SRC_HIT_TMP
>>> - HIP_PREFER_SRC_HIT_PUBLIC 
>>> may be useful for two reasons.
>>>
>>> 1) alignment with how getaddrinfo() AI_PASSIVE works in the non-HIP
>>> case.  Yes, the app could fill in these macros directly, but this is
>>> true of the non-HIP case as well (app could fill in 
>> INADDR_ANY).  So, it
>>> is probably best to just align with how IPv6 works.
>> There seems to be some problems with the flags:
>>
>> 1. They are coupled with socket options (which are not flags) of your 
>> description
>> 2. In my opinion, the description brings too little conveniency when 
>> compared to the added complexity.
>>
>> I would like to resolve these problems by removing the 
>> HIP_PREFER flags 
>> from the context of the getaddrinfo. Also, I would state that 
>> AI_PASSIVE 
>> flag will be ignored with AF_HIP and NULL hints gives a list of all 
>> local HITs. Does this work for you?
> 
> Yes, I have no problem with that.

Applied:

The resolver ignores the AI_PASSIVE flag when the application sets the 
family in hints to AF_HIP.


>> To make the decision easier, here's a recap how the resolver works 
>> (without HIP) in relation to the passive flag:
>>
>> hints=NULL and AI_PASSIVE=true:
> 
> I think you mean nodename==NULL, since AI_PASSIVE or any flag cannot be
> true with a null hints.  But otherwise, yes, I agree (your second and
> fourth cases below are really the same case, since AI_PASSIVE is
> ignored).

Yes.

>>    The returned socket addresses will  be  suitable  for  
>> bind(2)ing  a
>>    socket  that  will  accept(2)  connections.   The  returned  socket
>>    address  will  contain the "wildcard address" (INADDR_ANY for IPv4
>>    addresses, IN6ADDR_ANY_INIT for IPv6 address).  The 
>> wildcard address
>>    is used by applications (typically servers) that intend to accept
>>    connections on any  of the hosts network addresses.
>>
>> hints=!NULL and AI_PASSIVE=true:
>>
>>     The AI_PASSIVE flag is ignored.
>>
>> hints=NULL and AI_PASSIVE=false:
>>
>>     The network address will be set  to  the  loopback  interface
>>     address  (INADDR_LOOPBACK  for  IPv4  addresses,
>>     IN6ADDR_LOOPBACK_INIT for IPv6 address); this is used by
>>     applications that intend to communicate with peers running
>>     on the same host.
>>
>> hints=!NULL and AI_PASSIVE=false:
>>
>>    Returned socket addresses will be suitable for use with connect(2),
>>    sendto(2), or sendmsg(2).
>>
>> My suggestion should retain compatibility with the existing semantics 
>> and make the API more simple.
> 
> Agree.
> 
>>> 2) pass in something like an IPV6_ADDR_PREFERENCES to a 
>> socket, as in
>>> section 6 of RFC5014.  However, I don't see that option in 
>> the current
>>> draft-- there is no SHIM_*** optname that relates to the setting of
>>> preferences on the EID that is selected, nor do I see it in 
>> the current
>>> shim6 document.  As you mention, this would help for opportunistic
>>> connections, but I think also for other connections as well.
>>>
>>> One possibility is to insert this section after table 2; 
>> any comments on
>>> this?
>>>
>>> 4.5  Additions to the Socket Interface
>>>
>>>    The Socket API for Source Address Selection [RFC5014] 
>> defines socket
>>> options 
>>>    to allow applications to influence source address selection
>>> mechanisms.  In some cases,
>>>    HIP-aware applications may want to influence source HIT 
>> selection; in
>>> particular, whether
>>>    an outbound connection should use a published or anonymous HIT.
>>> Similar to 
>>>    IPV6_ADDR_PREFERENCES defined in RFC 5014, the following socket
>>> option
>>>    HIT_PREFERENCES is defined for IPPROTO_HIP-based sockets.  This
>>> socket option can be used with
>>>    setsockopt() and getsockopt() calls to set and get the HIT
>>>    selection preferences affecting a HIP-enabled socket.
>>>    The socket option value (optval) is a 32-bit unsigned integer
>>>    argument.  The argument consists of a number of flags 
>> where each flag
>>>    indicates an address selection preference that modifies 
>> one of the
>>>    rules in the default HIT selection; these flags have 
>> been introduced
>>> above in Table 2.
>>>
>>>    HIP_PREFER_SRC_HIT_TMP /* Prefer an anonymous HIT */
>>>    HIP_PREFER_SRC_HIT_PUBLIC /* Prefer a public HIT */
>>>
>>>    If the system is unable to assign the type of HIT that 
>> is requested,
>>> at HIT selection
>>>    time, the socket call (connect (), sendto(), or 
>> sendmsg()) will fail
>>> and errno will be
>>>    set to EINVAL.  If the application tries to set both of the above
>>> flags for the same socket,
>>>    this also results in the error EINVAL.
>> I added this section. However, I thought that it would be better to 
>> order the sections as follows:
>>
>> 4.4.  Selection of Source HIT Type
>> 4.5.  Verification of Source HIT Type
>>
>> Is this ok?
> 
> Yes.  Here is one more getaddrinfo-related suggestion that I have for
> now:
> 
> Section 4.2:
> 
> OLD TEXT:
> 
>    An application resolving with the ai_family field set to zero in the
>    input argument may receive any kind of socket address structures,
>    including sockaddr_hip.  The same occurs when the input argument is
>    NULL.  When the application should resolve only HITs contained in
>    sockaddr_hip structures, it should set the ai_family field to AF_HIP.
> 
> NEW TEXT:
> 
>    An application resolving with the ai_family field set to AF_UNSPEC in
> the
>    input argument may receive any kind of socket address structures,
>    including sockaddr_hip.  When the application wants to receive only
> HITs contained in
>    sockaddr_hip structures, it should set the ai_family field to AF_HIP.

Applied.
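
Added example, not part of the original messages or of the draft: the plain (non-HIP) resolver behaviour recapped in this message and in the earlier copy of the same exchange, keyed on nodename as in Tom's correction. The helper names, port 8080 and the documentation address 192.0.2.10 are constructed for the illustration; a NULL nodename with AI_PASSIVE yields the wildcard address, which a later bind() would expose on every interface.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* getaddrinfo(), struct addrinfo */
#endif
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Hypothetical result type for this example only. */
enum addr_kind { ADDR_ERROR = -1, ADDR_WILDCARD, ADDR_LOOPBACK, ADDR_SPECIFIC };

/* Decide whether a returned socket address is the wildcard, the
 * loopback address, or some specific address. */
static enum addr_kind classify(const struct sockaddr *sa)
{
    if (sa->sa_family == AF_INET) {
        const struct sockaddr_in *in4 = (const struct sockaddr_in *)sa;
        uint32_t a = ntohl(in4->sin_addr.s_addr);
        if (a == INADDR_ANY)
            return ADDR_WILDCARD;
        if (a == INADDR_LOOPBACK)
            return ADDR_LOOPBACK;
        return ADDR_SPECIFIC;
    }
    if (sa->sa_family == AF_INET6) {
        const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *)sa;
        if (IN6_IS_ADDR_UNSPECIFIED(&in6->sin6_addr))
            return ADDR_WILDCARD;
        if (IN6_IS_ADDR_LOOPBACK(&in6->sin6_addr))
            return ADDR_LOOPBACK;
        return ADDR_SPECIFIC;
    }
    return ADDR_ERROR;
}

/* Call getaddrinfo() with or without AI_PASSIVE and classify the first
 * result.  nodename may be NULL; when it is not, it must be a numeric
 * address (AI_NUMERICHOST), so no DNS lookup is ever made. */
enum addr_kind resolve_kind(const char *nodename, int family, int passive)
{
    struct addrinfo hints, *res = NULL;
    enum addr_kind kind;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = family;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV;
    if (passive)
        hints.ai_flags |= AI_PASSIVE;

    if (getaddrinfo(nodename, "8080", &hints, &res) != 0 || res == NULL)
        return ADDR_ERROR;
    kind = classify(res->ai_addr);
    freeaddrinfo(res);
    return kind;
}

static const char *kind_name(enum addr_kind k)
{
    switch (k) {
    case ADDR_WILDCARD: return "wildcard (bind: all interfaces)";
    case ADDR_LOOPBACK: return "loopback (same host only)";
    case ADDR_SPECIFIC: return "specific address (AI_PASSIVE ignored)";
    default:            return "error";
    }
}

int main(void)
{
    /* Constructed inputs: the four nodename/AI_PASSIVE combinations. */
    const char *nodes[] = { NULL, "192.0.2.10" };
    int passive, i;

    for (i = 0; i < 2; i++)
        for (passive = 1; passive >= 0; passive--)
            printf("nodename=%-10s AI_PASSIVE=%d -> %s\n",
                   nodes[i] ? nodes[i] : "NULL", passive,
                   kind_name(resolve_kind(nodes[i], AF_INET, passive)));
    return 0;
}
```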


From root@core3.amsl.com  Mon Jul 13 13:15:02 2009
From: Internet-Drafts@ietf.org
To: i-d-announce@ietf.org
Content-Type: Multipart/Mixed; Boundary="NextPart"
Mime-Version: 1.0
Message-Id: <20090713201502.1E2C828C54D@core3.amsl.com>
Date: Mon, 13 Jul 2009 13:15:02 -0700 (PDT)
Cc: hipsec@ietf.org
Subject: [Hipsec] I-D Action:draft-ietf-hip-native-api-07.txt

--NextPart

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Host Identity Protocol Working Group of the IETF.


	Title           : Basic Socket Interface Extensions for Host Identity Protocol (HIP)
	Author(s)       : M. Komu, T. Henderson
	Filename        : draft-ietf-hip-native-api-07.txt
	Pages           : 16
	Date            : 2009-07-13

This document defines extensions to the current sockets API for the
Host Identity Protocol (HIP).  The extensions focus on the use of
public-key based identifiers discovered via DNS resolution, but
define also interfaces for manual bindings between HITs and locators.
With the extensions, the application can also support more relaxed
security models where the communication can be non-HIP based,
according to local policies.  The extensions in this document are
experimental and provide basic tools for further experimentation with
policies.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-hip-native-api-07.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.

--NextPart
Content-Type: Message/External-body;
	name="draft-ietf-hip-native-api-07.txt";
	site="ftp.ietf.org";
	access-type="anon-ftp";
	directory="internet-drafts"

Content-Type: text/plain
Content-ID: <2009-07-13130707.I-D@ietf.org>


--NextPart--

From shinta@sfc.wide.ad.jp  Tue Jul 14 03:27:48 2009
Message-ID: <4A5C5B42.4040804@sfc.wide.ad.jp>
Date: Tue, 14 Jul 2009 19:17:38 +0900
From: Shinta Sugimoto <shinta@sfc.wide.ad.jp>
User-Agent: Thunderbird 2.0.0.6 (X11/20070809)
MIME-Version: 1.0
To: Ari Keranen <ari.keranen@nomadiclab.com>
References: <4A425954.4040500@ericsson.com>	<4A49F558.7040304@nomadiclab.com>	<77F357662F8BFA4CA7074B0410171B6D07B0C3E8@XCH-NW-5V1.nw.nos.boeing.com>	<4A4CDAB6.90203@sfc.wide.ad.jp>	<77F357662F8BFA4CA7074B0410171B6D099DF19D@XCH-NW-5V1.nw.nos.boeing.com>	<4A55BE2D.4040506@sfc.wide.ad.jp> <4A572C5F.50906@sfc.wide.ad.jp> <4A5B0FE1.5070503@nomadiclab.com>
In-Reply-To: <4A5B0FE1.5070503@nomadiclab.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] Support of locator behind NAT in multihome shim API

Hi Ari,

Thanks for your comments.  Please find my comments below.

Ari Keranen wrote:
> Hi Shinta,
> 
> That change should be good enough at least for the NAT traversal 
> scenarios I had in mind. Thanks!

Ok, thanks.

> 
> Although I guess that if lc_proto != 0, it means that one uses transport 
> layer encapsulation with port lc_port and protocol lc_proto? This could 
> be stated more explicitly in the draft. Maybe something like
> 
>    lc_proto
>       Internet Protocol number of a transport layer protocol if 
> transport layer encapsulation is used with the locator. Set to 
> IPPROTO_UDP (17) for UDP or zero if no transport layer encapsulation is 
> used.

I see, and agree that the text you suggested would be more user-friendly.
We should probably use 255 (instead of zero) to explicitly mean that the 
locator is NOT a transport layer tunneling as I noticed that IP 
protocol number 0 is reserved for IPv6 hop-by-hop option.

So, let us update the text as follows:

    lc_proto
       Internet Protocol number of a transport layer protocol if
transport layer encapsulation is used with the locator. Set to
IPPROTO_UDP (17) for UDP or 255 if no transport layer encapsulation is
used.

>    lc_port
>       The transport layer port number, or zero if lc_proto is zero.

agree.

lc_port
	The transport layer port number, or zero if lc_proto is 255.

> 
> 
> Also I'm not sure if I fully understood the second sentence of 7.1.1:
> 
>  7.1.1.  Handling Locator behind NAT
> 
>    Note that the locator information MAY contain a locator behind a
>    Network Addresss Translator (NAT).  Such a situation may arise when
>    the host is behind the NAT and uses a local address as a source
>    locator to communicate with the peer.
> 
> Shouldn't the "local address" be rather the address NAT gives to the 
> host (i.e., server or peer reflexive address) since that's the one host 
> uses, from the peer's point of view, as the source locator? Or did you 
> mean to say that this situation arises if the host uses *the* local 
> address that is behind the NAT (and may have some other local address 
> that is not)?

I see that the text is a bit confusing.
I meant a situation where a host is behind the NAT, gets a private 
address (e.g., 10.0.0.4) assigned by the local DHCP server which is 
usually running on top of the NAT device, and the application running on 
top of the host wants to use a transport layer tunneling interface as 
the source locator.  What about the following?

Note that the locator information MAY contain a locator which represents 
a transport layer tunnel.  Such a situation may arise when the host is 
behind the NAT and gets a private IP address assigned by the NAT, and 
the host establishes a transport layer tunnel with the peer to traverse NAT.

> also: s/Addresss/Address/

thanks. this has been corrected when we submitted 09 version.

> And perhaps change the title of the section to something like "Handling 
> Locator with Transport Layer Encapsulation", since this isn't really a 
> fully working NAT traversal solution, and might be also usable for other 
> than NAT traversal purposes.

Ok, I see.  Will change the title in the next revision.

thanks again for your comments!

Regards,
Shinta

> 
> 
> Cheers,
> Ari
> 
> Shinta Sugimoto wrote:
>> Hi all,
>> (please allow me to change the subject of the thread)
>>
>> As I mentioned, we (authors of multihome shim API draft) are updating 
>> the multihome shim API draft taking NAT Traversal support into 
>> account. Below is what we have now in the draft.  Basically, we 
>> modified the data structure for storing locator information so that it 
>> can contain UDP encapsulation as well.  Also, a locator behind NAT 
>> could be either IPv4 or IPv6 (taking Thomas's comment into account).  
>> Any comments/suggestions are welcome.  Please note that we are 
>> planning to submit the updated draft (-09) before the cutoff.  Thank you.
>>
>> ---(beginning of quote)---
>> 7.1.  Placeholder for Locator Information
>>
>>    As defined in Section 5, the SHIM_LOC_LOCAL_PREF, SHIM_LOC_PEER_PREF,
>>    SHIM_LOCLIST_LOCAL, and SHIM_LOCLIST_PEER socket options need to
>>    handle one or more locator information.  Locator information includes
>>    not only the locator itself but also additional information about the
>>    locator which is useful for locator management.  A new data structure
>>    is defined to serve as a placeholder for the locator information.
>>
>>    Figure 4 illustrates the data structure called shim_locator which
>>    stores a locator information.
>>
>>         struct shim_locator {
>>                 uint8_t    lc_family;       /* address family */
>>                 uint8_t    lc_proto;        /* protocol */
>>                 uint16_t   lc_port;         /* port number */
>>                 uint16_t   lc_flags;        /* flags */
>>                 uint16_t   lc_pref;         /* preference value */
>>                 uint32_t   lc_ifidx;        /* interface index */
>>                 struct in6_addr lc_addr;    /* address */
>>         };
>>
>>                      Figure 4: shim locator structure
>>
>>    lc_family
>>       Address family of the locator (e.g.  AF_INET, AF_INET6).  It is
>>       required that the parameter contains non-zero value indicating the
>>       exact address family of the locator.
>>    lc_proto
>>       Internet Protocol number for the protocol which is used to handle
>>       locator behind NAT.  Typically, this value is set as UDP (17)
>>       when the locator is a UDP encapsulation interface.
>>
>> Komu, et al.            Expires November 8, 2009               [Page 28]
>> 
>> Internet-Draft            Multihoming Shim API                  May 2009
>>
>>    lc_port
>>       Port number which is used for handling locator behind NAT.
>>    lc_flags
>>       Each bit of the flags represents a specific characteristics of the
>>       locator.  Hash Based Address (HBA) is defined as 0x01.
>>       Cryptographically Generated Address (CGA) is defined as 0x02.
>>    lc_pref
>>       Preference of the locator.  The preference is represented by an
>>       integer.
>>    lc_ifidx
>>       Interface index of the network interface to which the locator is
>>       assigned.  This field should be valid only in a read
>>       (getsockopt()) operation.
>>    lc_addr
>>       Contains the locator.  In the case where a locator whose size is
>>       smaller than 16 bytes, an encoding rule should be provided for
>>       each locator of a given address family.  For instance, in case of
>>       AF_INET (IPv4), the locator should be in the format of an IPv4-
>>       mapped IPv6 address as defined in RFC 4291[RFC4291].
>>
>> 7.1.1.  Handling Locator behind NAT
>>
>>    Note that the locator information MAY contain a locator behind a
>>    Network Addresss Translator (NAT).  Such a situation may arise when
>>    the host is behind the NAT and uses a local address as a source
>>    locator to communicate with the peer.  Note that a NAT traversal
>>    mechanism for HIP is defined, which allows HIP host to tunnel control
>>    and data traffic over UDP[I-D.ietf-hip-nat-traversal].  Note also
>>    that the locator behind NAT is not necessarily an IPv4 address but it
>>    can be an IPv6 address.  Below is an example where the application
>>    sets a UDP encapsulation interface as a source locator when sending
>>    IP packets.
>>
>>        struct shim_locator locator;
>>        struct in6_addr ia6;
>>
>>        /* copy the private IPv4 address to the ia6 as an IPv4-mapped
>>           IPv6 address */
>>
>>        memset(&locator, 0, sizeof(locator));
>>
>>        /* fill shim_locator data structure */
>>        locator.lc_family = AF_INET;
>>        locator.lc_proto = IPPROTO_UDP;
>>        locator.lc_port = 50500;
>>        locator.lc_flags = 0;
>>        locator.lc_pref = 0;
>>        locator.lc_ifidx = 3;
>>
>>        memcpy(&locator.lc_addr, &ia6, sizeof(ia6));
>>
>>        setsockopt(fd, SOL_SHIM, SHIM_LOC_LOCAL_SEND, &locator,
>>                   sizeof(locator));
>> ---(end of quote)---
>>
>> Regards,
>> Shinta
>>
>> Shinta Sugimoto wrote:
>>> Hi Thomas,
>>>
>>> Thank you for your comments and sorry for my delayed response.
>>> Please find my comment below.
>>>
>>> Henderson, Thomas R wrote:
>>>>>> The other options seem to be to ask the shim6-api draft authors, 
>>>>>> and WG,
>>>>>> to support NAT traversal, or to just write a HIP-specific API for 
>>>>>> these
>>>>>> aspects.  In either case, I think we (HIP WG) should decide what 
>>>>>> we want
>>>>>> this API to be.
>>>>> As a co-author of the multihome shim API document, I am willing
>>>>> to improve the draft to support NAT Traversal.  It is not only
>>>>> useful for HIP but also for SHIM6 (in the future) as mentioned
>>>>> above.  Does this sound reasonable?
>>>>>
>>>>> With regard to the data structure for storing IPv4 address and
>>>>> a pair of UDP port numbers, let me come up with proposal later.
>>>>> I need to discuss with co-authors of the multihome shim API draft.
>>>>
>>>> Thanks, it sounds reasonable to extend this if shim6 WG is willing, 
>>>> but from your comments, I take it that you are just going to focus 
>>>> on IPv4 NAT traversal?  I was wondering whether IPv6 NAT traversal 
>>>> also should be supported in the API in case such devices (or 
>>>> firewalls that filter the HIP protocol) become prevalent.
>>>
>>> Thank you.
>>>
>>> Let us define the locator management API taking NAT into 
>>> consideration.  Answering to your question, yes, we (at least I) have 
>>> been thinking only IPv4 NAT.  But I see your point that NAT is not 
>>> necessarily IPv4 but there could be IPv6 NAT as well.  Then, let us 
>>> also take this into account.
>>>
>>> Now we are updating the multihome API document with NAT support.  
>>> Will send it to the HIP list when it's ready (hopefully before the 
>>> cutoff).
>>>
>>> Regards,
>>> Shinta
> 
> 


From ari.keranen@nomadiclab.com  Tue Jul 14 22:49:17 2009
Message-ID: <4A5D6DC3.4010403@nomadiclab.com>
Date: Wed, 15 Jul 2009 08:48:51 +0300
From: Ari Keranen <ari.keranen@nomadiclab.com>
User-Agent: Thunderbird 2.0.0.22 (X11/20090608)
MIME-Version: 1.0
To: Shinta Sugimoto <shinta@sfc.wide.ad.jp>
References: <4A425954.4040500@ericsson.com>	<4A49F558.7040304@nomadiclab.com>	<77F357662F8BFA4CA7074B0410171B6D07B0C3E8@XCH-NW-5V1.nw.nos.boeing.com>	<4A4CDAB6.90203@sfc.wide.ad.jp>	<77F357662F8BFA4CA7074B0410171B6D099DF19D@XCH-NW-5V1.nw.nos.boeing.com>	<4A55BE2D.4040506@sfc.wide.ad.jp> <4A572C5F.50906@sfc.wide.ad.jp> <4A5B0FE1.5070503@nomadiclab.com> <4A5C5B42.4040804@sfc.wide.ad.jp>
In-Reply-To: <4A5C5B42.4040804@sfc.wide.ad.jp>
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] Support of locator behind NAT in multihome shim API

Hi Shinta,

Comments inline.

Shinta Sugimoto wrote:
> Ari Keranen wrote:
>> Although I guess that if lc_proto != 0, it means that one uses 
>> transport layer encapsulation with port lc_port and protocol lc_proto? 
>> This could be stated more explicitly in the draft. Maybe something like
>>
>>    lc_proto
>>       Internet Protocol number of a transport layer protocol if 
>> transport layer encapsulation is used with the locator. Set to 
>> IPPROTO_UDP (17) for UDP or zero if no transport layer encapsulation 
>> is used.
> 
> I see, and agree that the text you suggested would be more user-friendly.
> We should probably use 255 (instead of zero) to explicitly mean that the 
> locator is NOT a transport layer tunneling as I noticed that IP 
> protocol number 0 is reserved for IPv6 hop-by-hop option.

Good point, 255 as a reserved value is better for this.

> So, let us update the text as follows:
> 
>    lc_proto
>       Internet Protocol number of a transport layer protocol if
> transport layer encapsulation is used with the locator. Set to
> IPPROTO_UDP (17) for UDP or 255 if no transport layer encapsulation is
> used.
> 
>>    lc_port
>>       The transport layer port number, or zero if lc_proto is zero.
> 
> agree.
> 
> lc_port
>     The transport layer port number, or zero if lc_proto is 255.

These are good.

>> Also I'm not sure if I fully understood the second sentence of 7.1.1:
>>
>>  7.1.1.  Handling Locator behind NAT
>>
>>    Note that the locator information MAY contain a locator behind a
>>    Network Addresss Translator (NAT).  Such a situation may arise when
>>    the host is behind the NAT and uses a local address as a source
>>    locator to communicate with the peer.
>>
>> Shouldn't the "local address" be rather the address NAT gives to the 
>> host (i.e., server or peer reflexive address) since that's the one 
>> host uses, from the peer's point of view, as the source locator? Or 
>> did you mean to say that this situation arises if the host uses *the* 
>> local address that is behind the NAT (and may have some other local 
>> address that is not)?
> 
> I see that the text is a bit confusing.
> I meant a situation where a host is behind the NAT, gets a private 
> address (e.g., 10.0.0.4) assigned by the local DHCP server which is 
> usually running on top of the NAT device, and the application running on 
> top of the host wants to use a transport layer tunneling interface as 
> the source locator.  What about the following?
> 
> Note that the locator information MAY contain a locator which represents 
> a transport layer tunnel.  Such a situation may arise when the host is 
> behind the NAT and gets an private IP address assigned by the NAT, and 
> the host establishes a transport layer tunnel with the peer to traverse 
> NAT.

OK, this is much better. Just a couple of editorial nits:
s/behind the NAT/behind a NAT/
s/an private IP/a private IP/
s/traverse NAT/traverse NATs/

>> And perhaps change the title of the section to something like 
>> "Handling Locator with Transport Layer Encapsulation", since this 
>> isn't really a fully working NAT traversal solution, and might be also 
>> usable for other than NAT traversal purposes.
> 
> Ok, I see.  Will change the title in the next revision.
> 
> thanks again for your comments!

You're welcome.


Cheers,
Ari

>> Shinta Sugimoto wrote:
>>> Hi all,
>>> (please allow me to change the subject of the thread)
>>>
>>> As I mentioned, we (authors of multihome shim API draft) are updating 
>>> the multihome shim API draft taking NAT Traversal support into 
>>> account. Below is what we have now in the draft.  Basically, we 
>>> modified the data structure for storing locator information so that 
>>> it can contain UDP encapsulation as well.  Also, a locator behind NAT 
>>> could be either IPv4 or IPv6 (taking Thomas's comment into account).  
>>> Any comments/suggestions are welcome.  Please note that we are 
>>> planning to submit the updated draft (-09) before the cutoff.  Thank 
>>> you.
>>>
>>> ---(beginning of quote)---
>>> 7.1.  Placeholder for Locator Information
>>>
>>>    As defined in Section 5, the SHIM_LOC_LOCAL_PREF, SHIM_LOC_PEER_PREF,
>>>    SHIM_LOCLIST_LOCAL, and SHIM_LOCLIST_PEER socket options need to
>>>    handle one or more locator information.  Locator information includes
>>>    not only the locator itself but also additional information about the
>>>    locator which is useful for locator management.  A new data structure
>>>    is defined to serve as a placeholder for the locator information.
>>>
>>>    Figure 4 illustrates the data structure called shim_locator which
>>>    stores a locator information.
>>>
>>>         struct shim_locator {
>>>                 uint8_t    lc_family;       /* address family */
>>>                 uint8_t    lc_proto;        /* protocol */
>>>                 uint16_t   lc_port;         /* port number */
>>>                 uint16_t   lc_flags;        /* flags */
>>>                 uint16_t   lc_pref;         /* preference value */
>>>                 uint32_t   lc_ifidx;        /* interface index */
>>>                 struct in6_addr lc_addr;    /* address */
>>>         };
>>>
>>>                      Figure 4: shim locator structure
>>>
>>>    lc_family
>>>       Address family of the locator (e.g.  AF_INET, AF_INET6).  It is
>>>       required that the parameter contains non-zero value indicating the
>>>       exact address family of the locator.
>>>    lc_proto
>>>       Internet Protocol number for the protocol which is used to handle
>>>       locator behind NAT.  Typically, this value is set as UDP (17)
>>>       when the locator is a UDP encapsulation interface.
>>>
>>>    lc_port
>>>       Port number which is used for handling locator behind NAT.
>>>    lc_flags
>>>       Each bit of the flags represents a specific characteristics of the
>>>       locator.  Hash Based Address (HBA) is defined as 0x01.
>>>       Cryptographically Generated Address (CGA) is defined as 0x02.
>>>    lc_pref
>>>       Preference of the locator.  The preference is represented by an
>>>       integer.
>>>    lc_ifidx
>>>       Interface index of the network interface to which the locator is
>>>       assigned.  This field should be valid only in a read
>>>       (getsockopt()) operation.
>>>    lc_addr
>>>       Contains the locator.  In the case where a locator whose size is
>>>       smaller than 16 bytes, an encoding rule should be provided for
>>>       each locator of a given address family.  For instance, in case of
>>>       AF_INET (IPv4), the locator should be in the format of an IPv4-
>>>       mapped IPv6 address as defined in RFC 4291[RFC4291].
>>>
>>> 7.1.1.  Handling Locator behind NAT
>>>
>>>    Note that the locator information MAY contain a locator behind a
>>>    Network Addresss Translator (NAT).  Such a situation may arise when
>>>    the host is behind the NAT and uses a local address as a source
>>>    locator to communicate with the peer.  Note that a NAT traversal
>>>    mechanism for HIP is defined, which allows HIP host to tunnel control
>>>    and data traffic over UDP[I-D.ietf-hip-nat-traversal].  Note also
>>>    that the locator behind NAT is not necessarily an IPv4 address but it
>>>    can be an IPv6 address.  Below is an example where the application
>>>    sets a UDP encapsulation interface as a source locator when sending
>>>    IP packets.
>>>
>>>        struct shim_locator locator;
>>>        struct in6_addr ia6;
>>>
>>>        /* copy the private IPv4 address to the ia6 as an IPv4-mapped
>>>           IPv6 address */
>>>
>>>        memset(&locator, 0, sizeof(locator));
>>>
>>>        /* fill shim_locator data structure */
>>>        locator.lc_family = AF_INET;
>>>        locator.lc_proto = IPPROTO_UDP;
>>>        locator.lc_port = 50500;
>>>        locator.lc_flags = 0;
>>>        locator.lc_pref = 0;
>>>        locator.lc_ifidx = 3;
>>>
>>>        memcpy(&locator.lc_addr, &ia6, sizeof(ia6));
>>>
>>>        setsockopt(fd, SOL_SHIM, SHIM_LOC_LOCAL_SEND, &locator,
>>>                   sizeof(locator));
>>> ---(end of quote)---
>>>
>>> Regards,
>>> Shinta
>>>
>>> Shinta Sugimoto wrote:
>>>> Hi Thomas,
>>>>
>>>> Thank you for your comments and sorry for my delayed response.
>>>> Please find my comment below.
>>>>
>>>> Henderson, Thomas R wrote:
>>>>>>> The other options seem to be to ask the shim6-api draft authors, 
>>>>>>> and WG,
>>>>>>> to support NAT traversal, or to just write a HIP-specific API for 
>>>>>>> these
>>>>>>> aspects.  In either case, I think we (HIP WG) should decide what 
>>>>>>> we want
>>>>>>> this API to be.
>>>>>> As a co-author of the multihome shim API document, I am willing
>>>>>> to improve the draft to support NAT Traversal.  It is not only
>>>>>> useful for HIP but also for SHIM6 (in the future) as mentioned
>>>>>> above.  Does this sound reasonable?
>>>>>>
>>>>>> With regard to the data structure for storing IPv4 address and
>>>>>> a pair of UDP port numbers, let me come up with proposal later.
>>>>>> I need to discuss with co-authors of the multihome shim API draft.
>>>>>
>>>>> Thanks, it sounds reasonable to extend this if shim6 WG is willing, 
>>>>> but from your comments, I take it that you are just going to focus 
>>>>> on IPv4 NAT traversal?  I was wondering whether IPv6 NAT traversal 
>>>>> also should be supported in the API in case such devices (or 
>>>>> firewalls that filter the HIP protocol) become prevalent.
>>>>
>>>> Thank you.
>>>>
>>>> Let us define the locator management API taking NAT into 
>>>> consideration.  Answering to your question, yes, we (at least I) 
>>>> have been thinking only IPv4 NAT.  But I see your point that NAT is 
>>>> not necessarily IPv4 but there could be IPv6 NAT as well.  Then, let 
>>>> us also take this into account.
>>>>
>>>> Now we are updating the multihome API document with NAT support.  
>>>> Will send it to the HIP list when it's ready (hopefully before the 
>>>> cutoff).
>>>>
>>>> Regards,
>>>> Shinta
>>
>>
> 
> 
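
The field rules agreed in the message above (lc_proto is IPPROTO_UDP or 255, lc_port is zero when lc_proto is 255, AF_INET locators carried as IPv4-mapped IPv6 addresses), written as a check a shim implementation could run on a shim_locator before acting on it. This is an added example, not code from the thread or the draft: the names SHIM_LC_PROTO_NONE, shim_lc_err, shim_locator_check and shim_locator_init are hypothetical, and rejecting a zero UDP port, any protocol other than UDP, and IPv4-mapped addresses under AF_INET6 are assumptions of this example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Layout as quoted from the draft (Figure 4). */
struct shim_locator {
    uint8_t  lc_family;        /* address family */
    uint8_t  lc_proto;         /* protocol */
    uint16_t lc_port;          /* port number */
    uint16_t lc_flags;         /* flags */
    uint16_t lc_pref;          /* preference value */
    uint32_t lc_ifidx;         /* interface index */
    struct in6_addr lc_addr;   /* address */
};

/* 255 is the value agreed in the thread for "no transport layer
   encapsulation"; the macro name is hypothetical. */
#define SHIM_LC_PROTO_NONE 255

/* Hypothetical result codes for this example. */
enum shim_lc_err {
    SHIM_LC_OK = 0,
    SHIM_LC_EFAMILY,  /* lc_family is neither AF_INET nor AF_INET6 */
    SHIM_LC_EADDR,    /* lc_addr encoding does not match lc_family */
    SHIM_LC_EPROTO,   /* lc_proto is neither IPPROTO_UDP nor 255 */
    SHIM_LC_EPORT     /* lc_port inconsistent with lc_proto */
};

/* True if a is ::ffff:a.b.c.d (IPv4-mapped IPv6 address, RFC 4291). */
static int is_v4mapped(const struct in6_addr *a)
{
    static const uint8_t prefix[12] = {0,0,0,0,0,0,0,0,0,0,0xff,0xff};
    return memcmp(a->s6_addr, prefix, sizeof(prefix)) == 0;
}

/* Check a locator against the field rules discussed in the thread. */
int shim_locator_check(const struct shim_locator *lc)
{
    if (lc->lc_family != AF_INET && lc->lc_family != AF_INET6)
        return SHIM_LC_EFAMILY;
    /* AF_INET locators must be IPv4-mapped. Rejecting a mapped address
       under AF_INET6 is this example's policy (assumption), so one IPv4
       locator cannot be presented under two families. */
    if ((lc->lc_family == AF_INET) != is_v4mapped(&lc->lc_addr))
        return SHIM_LC_EADDR;
    if (lc->lc_proto == SHIM_LC_PROTO_NONE)
        return lc->lc_port == 0 ? SHIM_LC_OK : SHIM_LC_EPORT;
    /* Only UDP is named in the thread; other values, including 0
       (IPv6 hop-by-hop), are rejected here (assumption). */
    if (lc->lc_proto != IPPROTO_UDP)
        return SHIM_LC_EPROTO;
    /* Treating port 0 as invalid for UDP is an assumption. */
    return lc->lc_port != 0 ? SHIM_LC_OK : SHIM_LC_EPORT;
}

/* Fill a locator from a textual address, then validate it. The port is
   stored in host byte order as in the draft's example; the quoted text
   does not state a byte order (assumption). */
int shim_locator_init(struct shim_locator *lc, int family, const char *text,
                      uint8_t proto, uint16_t port)
{
    struct in_addr v4;

    memset(lc, 0, sizeof(*lc));
    if (family == AF_INET) {
        if (inet_pton(AF_INET, text, &v4) != 1)
            return SHIM_LC_EADDR;
        /* Encode as ::ffff:a.b.c.d */
        lc->lc_addr.s6_addr[10] = 0xff;
        lc->lc_addr.s6_addr[11] = 0xff;
        memcpy(&lc->lc_addr.s6_addr[12], &v4, sizeof(v4));
    } else if (family == AF_INET6) {
        if (inet_pton(AF_INET6, text, &lc->lc_addr) != 1)
            return SHIM_LC_EADDR;
    } else {
        return SHIM_LC_EFAMILY;
    }
    lc->lc_family = (uint8_t)family;
    lc->lc_proto = proto;
    lc->lc_port = port;
    return shim_locator_check(lc);
}

int main(void)
{
    struct shim_locator lc;

    /* Constructed inputs; 10.0.0.4 and 50500 are the values used in the thread. */
    printf("UDP tunnel locator:    %d\n",
           shim_locator_init(&lc, AF_INET, "10.0.0.4", IPPROTO_UDP, 50500));
    printf("proto 255 with a port: %d\n",
           shim_locator_init(&lc, AF_INET, "10.0.0.4", SHIM_LC_PROTO_NONE, 50500));
    printf("proto 0 (hop-by-hop):  %d\n",
           shim_locator_init(&lc, AF_INET, "10.0.0.4", 0, 0));
    return 0;
}
```

A locator filled field by field as in the draft's quoted fragment, but with lc_addr left zeroed, fails this check with SHIM_LC_EADDR because an all-zero address is not IPv4-mapped.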


From shinta@sfc.wide.ad.jp  Thu Jul 16 21:53:19 2009
Message-ID: <4A6001B5.3000807@sfc.wide.ad.jp>
Date: Fri, 17 Jul 2009 13:44:37 +0900
From: Shinta Sugimoto <shinta@sfc.wide.ad.jp>
User-Agent: Thunderbird 2.0.0.6 (X11/20070809)
MIME-Version: 1.0
To: Ari Keranen <ari.keranen@nomadiclab.com>
References: <4A425954.4040500@ericsson.com>	<4A49F558.7040304@nomadiclab.com>	<77F357662F8BFA4CA7074B0410171B6D07B0C3E8@XCH-NW-5V1.nw.nos.boeing.com>	<4A4CDAB6.90203@sfc.wide.ad.jp>	<77F357662F8BFA4CA7074B0410171B6D099DF19D@XCH-NW-5V1.nw.nos.boeing.com>	<4A55BE2D.4040506@sfc.wide.ad.jp> <4A572C5F.50906@sfc.wide.ad.jp> <4A5B0FE1.5070503@nomadiclab.com> <4A5C5B42.4040804@sfc.wide.ad.jp> <4A5D6DC3.4010403@nomadiclab.com>
In-Reply-To: <4A5D6DC3.4010403@nomadiclab.com>
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] Support of locator behind NAT in multihome shim API

Hi Ari,

Sorry for the delayed response.
I agree with your suggestions and will incorporate them in the next 
revision.  Thanks!

Regards,
Shinta

Ari Keranen wrote:
> Hi Shinta,
> 
> Comments inline.
> 
> Shinta Sugimoto wrote:
>> Ari Keranen wrote:
>>> Although I guess that if lc_proto != 0, it means that one uses 
>>> transport layer encapsulation with port lc_port and protocol 
>>> lc_proto? This could be stated more explicitly in the draft. Maybe 
>>> something like
>>>
>>>    lc_proto
>>>       Internet Protocol number of a transport layer protocol if 
>>> transport layer encapsulation is used with the locator. Set to 
>>> IPPROTO_UDP (17) for UDP or zero if no transport layer encapsulation 
>>> is used.
>>
>> I see, and agree that the text you suggested would be more user-friendly.
>> We should probably use 255 (instead of zero) to explicitly mean that 
>> the locator is NOT a transport layer tunneling as I noticed that IP 
>> protocol number 0 is reserved for IPv6 hop-by-hop option.
> 
> Good point, 255 as a reserved value is better for this.
> 
>> So, let us update the text as follows:
>>
>>    lc_proto
>>       Internet Protocol number of a transport layer protocol if
>> transport layer encapsulation is used with the locator. Set to
>> IPPROTO_UDP (17) for UDP or 255 if no transport layer encapsulation is
>> used.
>>
>>>    lc_port
>>>       The transport layer port number, or zero if lc_proto is zero.
>>
>> agree.
>>
>> lc_port
>>     The transport layer port number, or zero if lc_proto is 255.
> 
> These are good.
> 
>>> Also I'm not sure if I fully understood the second sentence of 7.1.1:
>>>
>>>  7.1.1.  Handling Locator behind NAT
>>>
>>>    Note that the locator information MAY contain a locator behind a
>>>    Network Addresss Translator (NAT).  Such a situation may arise when
>>>    the host is behind the NAT and uses a local address as a source
>>>    locator to communicate with the peer.
>>>
>>> Shouldn't the "local address" be rather the address NAT gives to the 
>>> host (i.e., server or peer reflexive address) since that's the one 
>>> host uses, from the peer's point of view, as the source locator? Or 
>>> did you mean to say that this situation arises if the host uses *the* 
>>> local address that is behind the NAT (and may have some other local 
>>> address that is not)?
>>
>> I see that the text is a bit confusing.
>> I meant a situation where a host is behind the NAT, gets a private 
>> address (e.g., 10.0.0.4) assigned by the local DHCP server which is 
>> usually running on top of the NAT device, and the application running 
>> on top of the host wants to use a transport layer tunneling interface 
>> as the source locator.  What about the following?
>>
>> Note that the locator information MAY contain a locator which 
>> represents a transport layer tunnel.  Such a situation may arise when 
>> the host is behind the NAT and gets an private IP address assigned by 
>> the NAT, and the host establishes a transport layer tunnel with the 
>> peer to traverse NAT.
> 
> OK, this is much better. Just a couple of editorial nits:
> s/behind the NAT/behind a NAT/
> s/an private IP/a private IP/
> s/traverse NAT/traverse NATs/
> 
>>> And perhaps change the title of the section to something like 
>>> "Handling Locator with Transport Layer Encapsulation", since this 
>>> isn't really a fully working NAT traversal solution, and might be 
>>> also usable for other than NAT traversal purposes.
>>
>> Ok, I see.  Will change the title in the next revision.
>>
>> thanks again for your comments!
> 
> You're welcome.
> 
> 
> Cheers,
> Ari
> 
>>> Shinta Sugimoto wrote:
>>>> Hi all,
>>>> (please allow me to change the subject of the thread)
>>>>
>>>> As I mentioned, we (authors of multihome shim API draft) are updating 
>>>> the multihome shim API draft taking NAT Traversal support into 
>>>> account. Below is what we have now in the draft.  Basically, we 
>>>> modified the data structure for storing locator information so that 
>>>> it can contain UDP encapsulation as well.  Also, a locator behind 
>>>> NAT could be either IPv4 or IPv6 (taking Thomas's comment into 
>>>> account).  Any comments/suggestions are welcome.  Please note that 
>>>> we are planning to submit the updated draft (-09) before the 
>>>> cutoff.  Thank you.
>>>>
>>>> ---(beginning of quote)---
>>>> 7.1.  Placeholder for Locator Information
>>>>
>>>>    As defined in Section 5, the SHIM_LOC_LOCAL_PREF, 
>>>> SHIM_LOC_PEER_PREF,
>>>>    SHIM_LOCLIST_LOCAL, and SHIM_LOCLIST_PEER socket options need to
>>>>    handle one or more locator information.  Locator information 
>>>> includes
>>>>    not only the locator itself but also additional information about 
>>>> the
>>>>    locator which is useful for locator management.  A new data 
>>>> structure
>>>>    is defined to serve as a placeholder for the locator information.
>>>>
>>>>    Figure 4 illustrates the data structure called shim_locator which
>>>>    stores a locator information.
>>>>
>>>>         struct shim_locator {
>>>>                 uint8_t    lc_family;       /* address family */
>>>>                 uint8_t    lc_proto;        /* protocol */
>>>>                 uint16_t   lc_port;         /* port number */
>>>>                 uint16_t   lc_flags;        /* flags */
>>>>                 uint16_t   lc_pref;         /* preference value */
>>>>                 uint32_t   lc_ifidx;        /* interface index */
>>>>                 struct in6_addr lc_addr;    /* address */
>>>>         };
>>>>
>>>>                      Figure 4: shim locator structure
>>>>
>>>>    lc_family
>>>>       Address family of the locator (e.g.  AF_INET, AF_INET6).  It is
>>>>       required that the parameter contains non-zero value indicating 
>>>> the
>>>>       exact address family of the locator.
>>>>    lc_proto
>>>>       Internet Protocol number for the protocol which is used to handle
>>>>       locator behind NAT.  Typically, this value is set as UDP (17)
>>>>       when the locator is a UDP encapsulation interface.
>>>>
>>>>    lc_port
>>>>       Port number which is used for handling locator behind NAT.
>>>>    lc_flags
>>>>       Each bit of the flags represents a specific characteristics of 
>>>> the
>>>>       locator.  Hash Based Address (HBA) is defined as 0x01.
>>>>       Cryptographically Generated Address (CGA) is defined as 0x02.
>>>>    lc_pref
>>>>       Preference of the locator.  The preference is represented by an
>>>>       integer.
>>>>    lc_ifidx
>>>>       Interface index of the network interface to which the locator is
>>>>       assigned.  This field should be valid only in a read
>>>>       (getsockopt()) operation.
>>>>    lc_addr
>>>>       Contains the locator.  In the case where a locator whose size is
>>>>       smaller than 16 bytes, an encoding rule should be provided for
>>>>       each locator of a given address family.  For instance, in case of
>>>>       AF_INET (IPv4), the locator should be in the format of an IPv4-
>>>>       mapped IPv6 address as defined in RFC 4291[RFC4291].
>>>>
>>>> 7.1.1.  Handling Locator behind NAT
>>>>
>>>>    Note that the locator information MAY contain a locator behind a
>>>>    Network Addresss Translator (NAT).  Such a situation may arise when
>>>>    the host is behind the NAT and uses a local address as a source
>>>>    locator to communicate with the peer.  Note that a NAT traversal
>>>>    mechanism for HIP is defined, which allows HIP host to tunnel 
>>>> control
>>>>    and data traffic over UDP[I-D.ietf-hip-nat-traversal].  Note also
>>>>    that the locator behind NAT is not necessarily an IPv4 address 
>>>> but it
>>>>    can be an IPv6 address.  Below is an example where the application
>>>>    sets a UDP encapsulation interface as a source locator when sending
>>>>    IP packets.
>>>>
>>>>        struct shim_locator locator;
>>>>        struct in6_addr ia6;
>>>>
>>>>        /* copy the private IPv4 address to the ia6 as an IPv4-mapped
>>>>           IPv6 address */
>>>>
>>>>        memset(&locator, 0, sizeof(locator));
>>>>
>>>>        /* fill shim_locator data structure */
>>>>        locator.lc_family = AF_INET;
>>>>        locator.lc_proto = IPPROTO_UDP;
>>>>        locator.lc_port = 50500;
>>>>        locator.lc_flags = 0;
>>>>        locator.lc_pref = 0;
>>>>        locator.lc_ifidx = 3;
>>>>
>>>>        memcpy(&locator.lc_addr, &ia6, sizeof(ia6));
>>>>
>>>>        setsockopt(fd, SOL_SHIM, SHIM_LOC_LOCAL_SEND, &locator,
>>>>                   sizeof(locator));
>>>> ---(end of quote)---
>>>>
>>>> Regards,
>>>> Shinta
>>>>
>>>> Shinta Sugimoto wrote:
>>>>> Hi Thomas,
>>>>>
>>>>> Thank you for your comments and sorry for my delayed response.
>>>>> Please find my comment below.
>>>>>
>>>>> Henderson, Thomas R wrote:
>>>>>>>> The other options seem to be to ask the shim6-api draft authors,
>>>>>>>> and WG, to support NAT traversal, or to just write a HIP-specific
>>>>>>>> API for these aspects.  In either case, I think we (HIP WG) should
>>>>>>>> decide what we want this API to be.
>>>>>>> As a co-author of the multihome shim API document, I am willing
>>>>>>> to improve the draft to support NAT Traversal.  It is not only
>>>>>>> useful for HIP but also for SHIM6 (in the future) as mentioned
>>>>>>> above.  Does this sound reasonable?
>>>>>>>
>>>>>>> With regard to the data structure for storing IPv4 address and
>>>>>>> a pair of UDP port numbers, let me come up with proposal later.
>>>>>>> I need to discuss with co-authors of the multihome shim API draft.
>>>>>>
>>>>>> Thanks, it sounds reasonable to extend this if shim6 WG is 
>>>>>> willing, but from your comments, I take it that you are just going 
>>>>>> to focus on IPv4 NAT traversal?  I was wondering whether IPv6 NAT 
>>>>>> traversal also should be supported in the API in case such devices 
>>>>>> (or firewalls that filter the HIP protocol) become prevalent.
>>>>>
>>>>> Thank you.
>>>>>
>>>>> Let us define the locator management API taking NAT into
>>>>> consideration.  To answer your question, yes, we (at least I)
>>>>> have been thinking only of IPv4 NAT.  But I see your point that NAT is
>>>>> not necessarily IPv4 but there could be IPv6 NAT as well.  Then,
>>>>> let us also take this into account.
>>>>>
>>>>> Now we are updating the multihome API document with NAT support.
>>>>> Will send it to the HIP list when it's ready (hopefully before the
>>>>> cutoff).
>>>>>
>>>>> Regards,
>>>>> Shinta
> 
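
As an added example, not code from the draft or from anyone in this thread: one way to build the IPv4-mapped lc_addr that the quoted excerpt copies from ia6, and to reject malformed input before the locator is used. The struct layout, the helper names and the address 192.168.1.10 are assumptions; only the field names come from the excerpt.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Assumed layout: the field names are those used in the quoted excerpt;
 * the field widths and their order are illustrative only. */
struct shim_locator {
    uint8_t         lc_family;  /* address family of the real locator */
    uint8_t         lc_proto;   /* encapsulation protocol */
    uint16_t        lc_port;    /* encapsulation port, stored as in the excerpt */
    uint16_t        lc_flags;
    uint16_t        lc_pref;
    uint32_t        lc_ifidx;   /* interface index */
    struct in6_addr lc_addr;    /* always 16 bytes, whatever the family */
};

/* ::ffff:0:0/96, the IPv4-mapped prefix defined in RFC 4291. */
static const uint8_t V4MAPPED_PREFIX[12] =
    { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff };

/* Encode dotted-quad text as an IPv4-mapped IPv6 address.
 * Returns 0 on success, -1 if the text is not a valid IPv4 address. */
int ipv4_to_mapped(const char *dotted, struct in6_addr *out)
{
    struct in_addr v4;

    if (dotted == NULL || out == NULL || inet_pton(AF_INET, dotted, &v4) != 1)
        return -1;
    memcpy(out->s6_addr, V4MAPPED_PREFIX, sizeof(V4MAPPED_PREFIX));
    memcpy(out->s6_addr + 12, &v4.s_addr, 4);   /* already network order */
    return 0;
}

/* Fill a locator for UDP encapsulation over IPv4 (hypothetical helper).
 * The structure is zeroed first, so a failed call never leaves stale or
 * uninitialised bytes in lc_addr. Returns 0 on success, -1 on bad input. */
int shim_locator_set_udp4(struct shim_locator *loc, const char *ipv4,
                          uint16_t port, uint32_t ifidx)
{
    struct in6_addr ia6;

    if (loc == NULL)
        return -1;
    memset(loc, 0, sizeof(*loc));
    if (ipv4_to_mapped(ipv4, &ia6) != 0)
        return -1;

    loc->lc_family = AF_INET;
    loc->lc_proto  = IPPROTO_UDP;
    loc->lc_port   = port;
    loc->lc_flags  = 0;
    loc->lc_pref   = 0;
    loc->lc_ifidx  = ifidx;
    memcpy(&loc->lc_addr, &ia6, sizeof(ia6));
    return 0;
}

/* Recover the dotted-quad text from an AF_INET locator (hypothetical helper).
 * Refuses locators whose lc_addr is not IPv4-mapped. Returns 0 or -1. */
int shim_locator_get_ipv4(const struct shim_locator *loc, char *buf, size_t len)
{
    struct in_addr v4;

    if (loc == NULL || buf == NULL || loc->lc_family != AF_INET)
        return -1;
    if (memcmp(loc->lc_addr.s6_addr, V4MAPPED_PREFIX, 12) != 0)
        return -1;
    memcpy(&v4.s_addr, loc->lc_addr.s6_addr + 12, 4);
    return inet_ntop(AF_INET, &v4, buf, (socklen_t)len) != NULL ? 0 : -1;
}

int main(void)
{
    struct shim_locator loc;
    char text[INET_ADDRSTRLEN];

    /* Constructed sample values: private address, port and ifidx as in
     * the quoted excerpt. */
    if (shim_locator_set_udp4(&loc, "192.168.1.10", 50500, 3) != 0)
        return 1;
    if (shim_locator_get_ipv4(&loc, text, sizeof(text)) != 0)
        return 1;
    printf("locator %s udp/%u ifidx %u\n", text,
           (unsigned)loc.lc_port, (unsigned)loc.lc_ifidx);
    /* A caller on a shim-capable stack would now hand &loc to setsockopt()
     * as the excerpt does. */
    return 0;
}
```
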


From gonzalo.camarillo@ericsson.com  Mon Jul 20 03:30:27 2009
Message-ID: <4A64469A.2020402@ericsson.com>
Date: Mon, 20 Jul 2009 13:27:38 +0300
From: Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>
User-Agent: Thunderbird 2.0.0.22 (Windows/20090605)
MIME-Version: 1.0
To: HIP <hipsec@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 20 Jul 2009 10:27:38.0589 (UTC) FILETIME=[B489E8D0:01CA0924]
X-Brightmail-Tracker: AAAAAA==
Subject: [Hipsec] Requesting the publication of draft-ietf-hip-native-api-07.txt

Folks,

the draft below includes all the comments received during its WGLC. 
Please, have a final look at it because we intend to request its 
publication in one week.

http://www.ietf.org/internet-drafts/draft-ietf-hip-native-api-07.txt

Thanks,

Gonzalo
HIP co-chair


From gonzalo.camarillo@ericsson.com  Mon Jul 20 03:54:35 2009
Message-ID: <4A6447DC.7070005@ericsson.com>
Date: Mon, 20 Jul 2009 13:33:00 +0300
From: Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>
User-Agent: Thunderbird 2.0.0.22 (Windows/20090605)
MIME-Version: 1.0
To: HIP <hipsec@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 20 Jul 2009 10:33:01.0559 (UTC) FILETIME=[750B3870:01CA0925]
X-Brightmail-Tracker: AAAAAA==
Subject: [Hipsec] Overlay work: status and request for input

Folks,

here you have a summary of the status of the overlay work.
Additionally, we have some questions for the WG related to our
milestones and their related charter items. Your input on those
questions is very welcome.

1) We have the following milestone:

"Specify a framework to build HIP-based overlays. This framework will
describe how HIP can perform some of the tasks needed to build an
overlay and how technologies developed somewhere else (e.g., a peer
protocol developed in the P2PSIP WG) can complement HIP by performing
the tasks HIP was not designed to perform."

The WG item for this milestone is the following draft, which should be
ready for WGLC:

http://tools.ietf.org/id/draft-ietf-hip-bone-02.txt

This draft defines a high-level framework to build HIP-based overlays.
Additionally, its previous version defined how to build a HIP-based
overlay using RELOAD. The authors have chosen to move this definition to
a separate document because while the high-level framework is
informational in nature, the definition makes use of normative language.
The resulting document is the draft below. We would like to ask the WG
if it is OK to split our current milestone in two so that they cover the
high-level framework and the definition in separate documents.

http://tools.ietf.org/internet-drafts/draft-keranen-hip-reload-instance-00.txt

Additionally, we would like to ask the WG if we should take the draft
above as the WG item associated to the milestone for the definition.

2) We have the following milestone:

"Specify how to carry upper-layer data over specified HIP
packets. These include some of the existing HIP packets and possibly
new HIP packets (e.g., a HIP packet that occurs outside a HIP base
exchange)."

We still do not have a WG item for it but the following draft has been
around for some time. We would like to ask the WG if we should adopt the
following draft as the WG item for this milestone.

http://tools.ietf.org/internet-drafts/draft-nikander-hip-hiccups-02.txt

Revision 02 of the draft above is identical to 01 (the only changes are
the date and the new copyright). The authors intend to address the
comments received on the list shortly.

3) In order to be able to support the functionality provided by RELOAD,
HIP needs to support multi-hop routing. Instead of specifying it in the
HIP BONE draft, having a separate draft seems to make more sense given
that this functionality has a more general applicability than overlays.
We would like to ask the WG if we should spin off a new milestone from
our original milestone for overlays that covers multihop routing in HIP.

The following draft takes a stab at specifying multihop routing in HIP.
We would like to ask the WG if we should adopt it as a WG item for the
milestone above (assuming we decide to create the milestone).

http://tools.ietf.org/internet-drafts/draft-camarillo-hip-via-00.txt

4) We have the following milestone:

"Specify how to generate ORCHIDs from other node identifiers
including both cryptographic ones (leading to cryptographic
delegation) and non-cryptographic ones (e.g., identifiers defined by a
peer protocol)."

When we created that milestone, we expected to have a generic mechanism
to transform node IDs into ORCHIDs. However, at this point, it seems
that such transformation will be done in different ways depending on the
peer protocol used in a particular overlay. For example, the instance
specification for RELOAD draft defines such transformation for RELOAD
peer identifiers. The fact that nobody has submitted a draft for that
milestone seems to confirm the previous impression. We would like to ask
the WG if we should remove that milestone from our charter.

Thanks,

Gonzalo
HIP co-chair


From thomas.r.henderson@boeing.com  Mon Jul 20 22:09:54 2009
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Mon, 20 Jul 2009 22:09:32 -0700
Message-ID: <77F357662F8BFA4CA7074B0410171B6D07B0C4AA@XCH-NW-5V1.nw.nos.boeing.com>
In-Reply-To: <4A6447DC.7070005@ericsson.com>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: [Hipsec] Overlay work: status and request for input
Thread-Index: AcoJKHq4FMDnpmeOSlOVxHWuQ2Oi7AAXjVAg
References: <4A6447DC.7070005@ericsson.com>
From: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
To: "Gonzalo Camarillo" <Gonzalo.Camarillo@ericsson.com>, "HIP" <hipsec@ietf.org>
X-OriginalArrivalTime: 21 Jul 2009 05:09:32.0625 (UTC) FILETIME=[6ED4AC10:01CA09C1]
Subject: Re: [Hipsec] Overlay work: status and request for input

Gonzalo, below I've expressed my (somewhat negative, sorry) opinions on
your questions:

> -----Original Message-----
> From: Gonzalo Camarillo [mailto:Gonzalo.Camarillo@ericsson.com]
> Sent: Monday, July 20, 2009 3:33 AM
> To: HIP
> Subject: [Hipsec] Overlay work: status and request for input
>
> Folks,
>
> here you have a summary of the status of the overlay work.
> Additionally, we have some questions for the WG related to our
> milestones and their related charter items. Your input on those
> questions is very welcome.
>
> 1) We have the following milestone:
>
> "Specify a framework to build HIP-based overlays. This framework will
> describe how HIP can perform some of the tasks needed to build an
> overlay and how technologies developed somewhere else (e.g., a peer
> protocol developed in the P2PSIP WG) can complement HIP by performing
> the tasks HIP was not designed to perform."
>
> The WG item for this milestone is the following draft, which should be
> ready for WGLC:
>
> http://tools.ietf.org/id/draft-ietf-hip-bone-02.txt

I remain very uneasy about the above draft, which I think is not very
clear and skirts over some hard issues.

The document tries to provide a generalized framework for HIP-based
overlays, but it is not clear how it will work when there are multiple
peer protocols (multiple overlays) and when the peer IDs are not the
same as the node IDs.  The specific instance draft does not handle these
issues; it assumes that the peer ID is the ORCHID (which was not
acceptable to some in the P2PSIP WG due to possible chosen ID attacks),
and is, of course, only one instance.

In general, I recommend not trying to complete work on a framework for
multiple overlays until there is an example of at least how two
independent overlays (perhaps with different peer protocols and
different peer ID structures) coexist on some of the same nodes, and
the peer IDs are not HITs.

The draft states:
"Since HIP needs
ORCHIDs (and not any type of Peer ID) to work, hosts in the overlay
will transform their Peer IDs into ORCHIDs, for example, by taking a
hash of the Peer IDs or taking a hash of the Peer ID and the public
key."

I don't see how this would work since for an ORCHID to be used as a HIT,
it must hash a public key.

It is not clear from the document what IDs are being routed if the peer
ID is not the same as the HIT.  I think the answer is that it is the
peer IDs that are being routed, and HIP is just providing the links
between the peer IDs.  It may be that the peer IDs are the same as HITs
in some instances, but it should be architecturally clear that transport
connections are being terminated at each hop in the overlay.

If the document were to describe an overlay architecture where you
recommend to the peer protocols "Use HITs like you would otherwise use
IP addresses, and HIP will take care of the rest of the ugly business of
NAT traversal, mobility, and multihoming," then it would seem to be
relatively straightforward, so long as HIP took it upon itself with no
dependency on the peer protocol to do anything for it.

Where I think it becomes conflated, however, is when you try to use the
overlay to forward HIP signaling traffic.  I see why you are trying to
do this but it leads to these questions:

1) the overlay may stitch together addressing realms that have no hope
of supporting end-to-end HIP associations between them.  For instance,
this simple topology:

node A <--------IPv4 network -----> node B <--------IPv6 network ---------> node C

The overlay may route the I1 from node A to node C and R1 back, but no
HIP association between A and C can actually be formed.

2) what if node B above belongs to multiple other HIP-based overlays?
How does it know on which overlay to forward the I1?

Also, from a performance perspective, I think there may be some danger
in abstracting the underlying topology away from a peer protocol.  From
the peer protocol layer perspective, HIP makes every node look like it
is "on link" whereas in fact, each node is possibly a different number of
hops away, in different administrative domains of the network, etc.

To summarize, I think there is some value in defining how a P2PSIP-based
overlay could use HIP to form its links and deal with NAT, mobility, and
multihoming.  However, before allowing RELOAD nodes to perform the HIP
distributed rendezvous service, I would first define:
1) how the system works in the case where the enrollment server chooses
PeerIds that are not HITs
2) how two such independent overlays (run by different organizations)
could operate on the same node, and how the node would ensure that
messages got onto the right overlays

The above can all be done by assuming that HIP rendezvous is done in the
underlay, not overlay.  As a final step, one might consider whether one
of these overlays itself could be leveraged to forward HIP traffic.  If
all of this holds together, then I think we might have a framework
document that completes the charter item.

As an editorial note, I also would recommend skipping section 2 because
RFC 4423 and other documents are available to provide HIP tutorials.

>
> This draft defines a high-level framework to build HIP-based overlays.
> Additionally, its previous version defined how to build a HIP-based
> overlay using RELOAD. The authors have chosen to move this definition to
> a separate document because while the high-level framework is
> informational in nature, the definition makes use of normative language.
> The resulting document is the draft below. We would like to ask the WG
> if it is OK to split our current milestone in two so that they cover the
> high-level framework and the definition in separate documents.
>
> http://tools.ietf.org/internet-drafts/draft-keranen-hip-reload-instance-00.txt
>
> Additionally, we would like to ask the WG if we should take the draft
> above as the WG item associated to the milestone for the definition.

I think it is good to split framework from instance documents.  I might
suggest that Delay Tolerant Networks (DTN) be another instance document.


>
> 2) We have the following milestone:
>
> "Specify how to carry upper-layer data over specified HIP
> packets. These include some of the existing HIP packets and possibly
> new HIP packets (e.g., a HIP packet that occurs outside a HIP base
> exchange)."
>
> We still do not have a WG item for it but the following draft has been
> around for some time. We would like to ask the WG if we should adopt the
> following draft as the WG item for this milestone.
>
> http://tools.ietf.org/internet-drafts/draft-nikander-hip-hiccups-02.txt
>
> Revision 02 of the draft above is identical to 01 (the only changes are
> the date and the new copyright). The authors intend to address the
> comments received on the list shortly.

In January I made a number of comments that the semantics for this new
service were not very clear.  I still would like to understand the
service semantics and requirements; could they be stated clearly
somewhere?  I am not really questioning that such a need for HIP DATA
might exist, but it seems premature to specify message syntax for these
packets when there is no implementation that implements it and no API
for HIP-aware applications to access this service.  How can we build
interoperable implementations without this?

>
> 3) In order to be able to support the functionality provided by RELOAD,
> HIP needs to support multi-hop routing. Instead of specifying it in the
> HIP BONE draft, having a separate draft seems to make more sense given
> that this functionality has a more general applicability than overlays.
> We would like to ask the WG if we should spin off a new milestone from
> our original milestone for overlays that covers multihop routing in HIP.
>
> The following draft takes a stab at specifying multihop routing in HIP.
> We would like to ask the WG if we should adopt it as a WG item for the
> milestone above (assuming we decide to create the milestone).
>
> http://tools.ietf.org/internet-drafts/draft-camarillo-hip-via-00.txt

I'm fine with your suggestion.

>
> 4) We have the following milestone:
>
> "Specify how to generate ORCHIDs from other node identifiers
> including both cryptographic ones (leading to cryptographic
> delegation) and non-cryptographic ones (e.g., identifiers defined by a
> peer protocol)."
>
> When we created that milestone, we expected to have a generic mechanism
> to transform node IDs into ORCHIDs. However, at this point, it seems
> that such transformation will be done in different ways depending on the
> peer protocol used in a particular overlay. For example, the instance
> specification for RELOAD draft defines such transformation for RELOAD
> peer identifiers. The fact that nobody has submitted a draft for that
> milestone seems to confirm the previous impression. We would like to ask
> the WG if we should remove that milestone from our charter.
>

(note:  the charter seems to now be missing from
http://www.ietf.org/dyn/wg/charter/hip-charter.html)

RFC4843 already specifies how to generate ORCHIDs from other node
identifiers.  If they are unique, they can serve as the Input in the
ORCHID algorithm.  But they cannot be used as HITs.  Was that the intent
of the charter item, to allow non-HIT ORCHIDs to serve the role as HITs
in the protocol?  (See above discussion about overlays)

I think the interesting question is how to bind other node identifiers
that are not public keys to HIP's public keys.  I have been assuming
that certificates and HIP-CERT are the answer there.  At least, that has
been the direction that we have been interested in at Boeing.

- Tom

From gonzalo.camarillo@ericsson.com  Tue Jul 21 09:34:28 2009
Message-ID: <4A65EDA8.1080203@ericsson.com>
Date: Tue, 21 Jul 2009 19:32:40 +0300
From: Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>
User-Agent: Thunderbird 2.0.0.22 (Windows/20090605)
MIME-Version: 1.0
To: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
References: <4A6447DC.7070005@ericsson.com> <77F357662F8BFA4CA7074B0410171B6D07B0C4AA@XCH-NW-5V1.nw.nos.boeing.com>
In-Reply-To: <77F357662F8BFA4CA7074B0410171B6D07B0C4AA@XCH-NW-5V1.nw.nos.boeing.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 21 Jul 2009 16:32:41.0191 (UTC) FILETIME=[DDEB7F70:01CA0A20]
X-Brightmail-Tracker: AAAAAA==
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] Overlay work: status and request for input

Hi Tom,

thanks for your feedback. I would like to keep this thread focused on 
our milestones. I will answer your questions about the HIP BONE draft in 
a different thread.

Thanks,

Gonzalo

Henderson, Thomas R wrote:
> Gonzalo, below I've expressed my (somewhat negative, sorry) opinions on
> your questions: 
> 
>> -----Original Message-----
>> From: Gonzalo Camarillo [mailto:Gonzalo.Camarillo@ericsson.com] 
>> Sent: Monday, July 20, 2009 3:33 AM
>> To: HIP
>> Subject: [Hipsec] Overlay work: status and request for input
>>
>> Folks,
>>
>> here you have a summary of the status of the overlay work.
>> Additionally, we have some questions for the WG related to our
>> milestones and their related charter items. Your input on those
>> questions is very welcome.
>>
>> 1) We have the following milestone:
>>
>> "Specify a framework to build HIP-based overlays. This framework will
>> describe how HIP can perform some of the tasks needed to build an
>> overlay and how technologies developed somewhere else (e.g., a peer
>> protocol developed in the P2PSIP WG) can complement HIP by performing
>> the tasks HIP was not designed to perform."
>>
>> The WG item for this milestone is the following draft, which should be
>> ready for WGLC:
>>
>> http://tools.ietf.org/id/draft-ietf-hip-bone-02.txt
> 
> I remain very uneasy about the above draft, which I think is not very
> clear and skirts over some hard issues.
> 
> The document tries to provide a generalized framework for HIP-based
> overlays, but it is not clear how it will work when there are multiple
> peer protocols (multiple overlays) and when the peer IDs are not the
> same as the node IDs.  The specific instance draft does not handle these
> issues; it assumes that the peer ID is the ORCHID (which was not
> acceptable to some in the P2PSIP WG due to possible chosen ID attacks),
> and is, of course, only one instance.
> 
> In general, I recommend not trying to complete work on a framework for
> multiple overlays until there is an example of at least how two
> independent overlays (perhaps with different peer protocols and
> different peer ID structures) coexist on some of the same nodes, and
> the peer IDs are not HITs.
> 
> The draft states:
> "Since HIP needs
> ORCHIDs (and not any type of Peer ID) to work, hosts in the overlay
> will transform their Peer IDs into ORCHIDs, for example, by taking a
> hash of the Peer IDs or taking a hash of the Peer ID and the public
> key."
> 
> I don't see how this would work since for an ORCHID to be used as a HIT,
> it must hash a public key.
> 
> It is not clear from the document what IDs are being routed if the peer
> ID is not the same as the HIT.  I think the answer is that it is the
> peer IDs that are being routed, and HIP is just providing the links
> between the peer IDs.  It may be that the peer IDs are the same as HITs
> in some instances, but it should be architecturally clear that transport
> connections are being terminated at each hop in the overlay.
> 
> If the document were to describe an overlay architecture where you
> recommend to the peer protocols "Use HITs like you would otherwise use
> IP addresses, and HIP will take care of the rest of the ugly business of
> NAT traversal, mobility, and multihoming," then it would seem to be
> relatively straightforward, so long as HIP took it upon itself with no
> dependency on the peer protocol to do anything for it.
> 
> Where I think it becomes conflated, however, is when you try to use the
> overlay to forward HIP signaling traffic.  I see why you are trying to
> do this but it leads to these questions:
> 
> 1) the overlay may stitch together addressing realms that have no hope
> of supporting end-to-end HIP associations between them.  For instance,
> this simple topology:
> 
> node A <--------IPv4 network -----> node B <--------IPv6 network ---------> node C
> 
> The overlay may route the I1 from node A to node C and R1 back, but no
> HIP association between A and C can actually be formed.
> 
> 2) what if node B above belongs to multiple other HIP-based overlays?
> How does it know on which overlay to forward the I1?
> 
> Also, from a performance perspective, I think there may be some danger
> in abstracting the underlying topology away from a peer protocol.  From
> the peer protocol layer perspective, HIP makes every node look like it
> is "on link" whereas in fact, each node is possibly a different number of
> hops away, in different administrative domains of the network, etc.
> 
> To summarize, I think there is some value in defining how P2PSIP-based
> overlay could use HIP to form its links and deal with NAT, mobility, and
> multihoming.  However, before allowing RELOAD nodes to perform the HIP
> distributed rendezvous service, I would first define:
> 1) how the system works in the case where the enrollment server chooses
> PeerIds that are not HITs
> 2) how two such independent overlays (run by different organizations)
> could operate on the same node, and how the node would ensure that
> messages got onto the right overlays
> 
> The above can all be done by assuming that HIP rendezvous is done in the
> underlay, not overlay.  As a final step, one might consider whether one
> of these overlays itself could be leveraged to forward HIP traffic.  If
> all of this holds together, then I think we might have a framework
> document that completes the charter item.
> 
> As an editorial note, I also would recommend skipping section 2 because
> RFC 4423 and other documents are available to provide HIP tutorials.
> 
>> This draft defines a high-level framework to build HIP-based overlays.
>> Additionally, its previous version defined how to build a HIP-based
>> overlay using RELOAD. The authors have chosen to move this definition to
>> a separate document because while the high-level framework is
>> informational in nature, the definition makes use of normative language.
>> The resulting document is the draft below. We would like to ask the WG
>> if it is OK to split our current milestone in two so that they cover the
>> high-level framework and the definition in separate documents.
>>
>> http://tools.ietf.org/internet-drafts/draft-keranen-hip-reload-instance-00.txt
>>
>> Additionally, we would like to ask the WG if we should take the draft
>> above as the WG item associated to the milestone for the definition.
> 
> I think it is good to split framework from instance documents.  I might
> suggest that Delay Tolerant Networks (DTN) be another instance document.
> 
> 
>> 2) We have the following milestone:
>>
>> "Specify how to carry upper-layer data over specified HIP
>> packets. These include some of the existing HIP packets and possibly
>> new HIP packets (e.g., a HIP packet that occurs outside a HIP base
>> exchange)."
>>
>> We still do not have a WG item for it but the following draft has been
>> around for some time. We would like to ask the WG if we should adopt the
>> following draft as the WG item for this milestone.
>>
>> http://tools.ietf.org/internet-drafts/draft-nikander-hip-hiccups-02.txt
>>
>> Revision 02 of the draft above is identical to 01 (the only changes are
>> the date and the new copyright). The authors intend to address the
>> comments received on the list shortly.
> 
> In January I made a number of comments that the semantics for this new
> service were not very clear.  I still would like to understand the
> service semantics and requirements; could they be stated clearly
> somewhere?  I am not really questioning that such a need for HIP DATA
> might exist, but it seems premature to specify message syntax for these
> packets when there is no implementation that implements it and no API
> for HIP-aware applications to access this service.  How can we build
> interoperable implementations without this?
> 
>> 3) In order to be able to support the functionality provided by RELOAD,
>> HIP needs to support multi-hop routing. Instead of specifying it in the
>> HIP BONE draft, having a separate draft seems to make more sense given
>> that this functionality has a more general applicability than overlays.
>> We would like to ask the WG if we should spin off a new milestone from
>> our original milestone for overlays that covers multihop routing in HIP.
>>
>> The following draft takes a stab at specifying multihop routing in HIP.
>> We would like to ask the WG if we should adopt it as a WG item for the
>> milestone above (assuming we decide to create the milestone).
>>
>> http://tools.ietf.org/internet-drafts/draft-camarillo-hip-via-00.txt
> 
> I'm fine with your suggestion. 
> 
>> 4) We have the following milestone:
>>
>> "Specify how to generate ORCHIDs from other node identifiers
>> including both cryptographic ones (leading to cryptographic
>> delegation) and non-cryptographic ones (e.g., identifiers defined by a
>> peer protocol)."
>>
>> When we created that milestone, we expected to have a generic mechanism
>> to transform node IDs into ORCHIDs. However, at this point, it seems
>> that such transformation will be done in different ways depending on the
>> peer protocol used in a particular overlay. For example, the instance
>> specification for RELOAD draft defines such transformation for RELOAD
>> peer identifiers. The fact that nobody has submitted a draft for that
>> milestone seems to confirm the previous impression. We would like to ask
>> the WG if we should remove that milestone from our charter.
>>
> 
> (note:  the charter seems to now be missing from
> http://www.ietf.org/dyn/wg/charter/hip-charter.html)
> 
> RFC4843 already specifies how to generate ORCHIDs from other node
> identifiers.  If they are unique, they can serve as the Input in the
> ORCHID algorithm.  But they cannot be used as HITs.  Was that the intent
> of the charter item, to allow non-HIT ORCHIDs to serve the role as HITs
> in the protocol?  (See above discussion about overlays)
> 
> I think the interesting question is how to bind other node identifiers
> that are not public keys to HIP's public keys.  I have been assuming
> that certificates and HIP-CERT are the answer there.  At least, that has
> been the direction that we have been interested in at Boeing.
> 
> - Tom


From gonzalo.camarillo@ericsson.com  Tue Jul 21 10:05:05 2009
Message-ID: <4A65F513.5030701@ericsson.com>
Date: Tue, 21 Jul 2009 20:04:19 +0300
From: Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>
User-Agent: Thunderbird 2.0.0.22 (Windows/20090605)
MIME-Version: 1.0
To: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
References: <4A6447DC.7070005@ericsson.com> <77F357662F8BFA4CA7074B0410171B6D07B0C4AA@XCH-NW-5V1.nw.nos.boeing.com>
In-Reply-To: <77F357662F8BFA4CA7074B0410171B6D07B0C4AA@XCH-NW-5V1.nw.nos.boeing.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 21 Jul 2009 17:04:23.0453 (UTC) FILETIME=[4BC1A4D0:01CA0A25]
X-Brightmail-Tracker: AAAAAA==
Cc: HIP <hipsec@ietf.org>
Subject: [Hipsec] Comments on the HIP-BONE draft

Hi Tom,

Thanks for your comments. Answers inline:

>> http://tools.ietf.org/id/draft-ietf-hip-bone-02.txt
> 
> I remain very uneasy about the above draft, which I think is not very
> clear and skirts over some hard issues.

We have moved a few things to the RELOAD instance draft, which is still 
very much work in progress (as you can see if you read the draft). Some 
issues will be addressed there. Of course, any general issues belonging 
to the framework should be addressed in this document.

> The document tries to provide a generalized framework for HIP-based
> overlays, but it is not clear how it will work when there are multiple
> peer protocols (multiple overlays) and when the peer IDs are not the
> same as the node IDs.  The specific instance draft does not handle these
> issues; it assumes that the peer ID is the ORCHID (which was not
> acceptable to some in the P2PSIP WG due to possible chosen ID attacks),
> and is, of course, only one instance.

The framework does not assume that Peer IDs are used at the HIP level. 
It just tells you that depending on the Peer IDs used in your overlay, 
you need to convert them to something HIP can use. Originally, we 
thought of having a draft that described that conversion in general (you 
yourself were working on a similar draft at some point) but now we tend 
to think that this type of conversion is better defined in the instance 
specs.

Regarding the RELOAD instance draft, this is one of the open issues. 
That is, whether we can use RELOAD peer IDs directly or if we need some 
type of transformation (ORCHIDs have a prefix; therefore, there are fewer 
than 128 bits available).

> In general, I recommend not trying to complete work on a framework for
> multiple overlays until there is an example of at least how two
> independent overlays (perhaps with different peer protocols and
> different peer ID structures) coexist on some of the same nodes, and
> the peer IDs are not HITs.  

RELOAD has its own way of identifying particular overlays. Other peer 
protocols may have different ways. Therefore, this does not seem to be a 
framework issue. Each instance draft would need to describe it 
separately... in any case, I agree it is worthwhile talking a bit more 
about this in the framework.

> The draft states:
> "Since HIP needs
> ORCHIDs (and not any type of Peer ID) to work, hosts in the overlay
> will transform their Peer IDs into ORCHIDs, for example, by taking a
> hash of the Peer IDs or taking a hash of the Peer ID and the public
> key."
> 
> I don't see how this would work since for an ORCHID to be used as a HIT,
> it must hash a public key.

The text wants to indicate that conversions between Peer IDs and ORCHIDs 
are up to each particular instance specification. I agree removing the 
examples may be a good idea so that they do not mislead readers.

> It is not clear from the document what IDs are being routed if the peer
> ID is not the same as the HIT.  I think the answer is that it is the
> peer IDs that are being routed, and HIP is just providing the links
> between the peer IDs.

Yes, routing tables contain Peer IDs.

> It may be that the peer IDs are the same as HITs
> in some instances, but it should be architecturally clear that transport
> connections are being terminated at each hop in the overlay.

Yes, transport connections are between hops in the overlay, as usual.

> If the document were to describe an overlay architecture where you
> recommend to the peer protocols "Use HITs like you would otherwise use
> IP addresses, and HIP will take care of the rest of the ugly business of
> NAT traversal, mobility, and multihoming," then it would seem to be
> relatively straightforward, so long as HIP took it upon itself with no
> dependency on the peer protocol to do anything for it.
> 
> Where I think it becomes conflated, however, is when you try to use the
> overlay to forward HIP signaling traffic.   I see why you are trying to
> do this but it leads to these questions:

We had a lot of discussions in the past about this. There were different 
proposals, one of which proposed the simple use you described above. The 
conclusion was to do what HIP BONE specifies. I do not think it would be 
productive to go through the same discussions again at this point.

> 1) the overlay may stitch together addressing realms that have no hope
> of supporting end-to-end HIP associations between them.  For instance,
> this simple topology:
> 
> node A <--------IPv4 network -----> node B <--------IPv6 network ---------> node C
> 
> The overlay may route the I1 from node A to node C and R1 back, but no
> HIP association between A and C can actually be formed.

This is not a problem specific to the use of HIP in the overlay. It is a 
general problem of the overlay, even if it was not using HIP. If no 
direct connections can be formed between nodes in an overlay, the 
overlay will most likely keep on routing stuff through the overlay.

> 2) what if node B above belongs to multiple other HIP-based overlays?
> How does it know on which overlay to forward the I1?

This is one of the open issues of the instance draft. RELOAD has its own 
way to identify different overlays. We need to decide how we want to 
convey that information in an I1.

> Also, from a performance perspective, I think there may be some danger
> in abstracting the underlying topology away from a peer protocol.  From
> the peer protocol layer perspective, HIP makes every node look like it
> is "on link" whereas in fact, each node is possibly a different number of
> hops away, in different administrative domains of the network, etc.

Not really. When HIP is not used, the ICE module takes care of 
establishing those "links". The complexity of connection management is 
abstracted out even when HIP is not used.

> To summarize, I think there is some value in defining how P2PSIP-based
> overlay could use HIP to form its links and deal with NAT, mobility, and
> multihoming.  However, before allowing RELOAD nodes to perform the HIP
> distributed rendezvous service, I would first define:
> 1) how the system works in the case where the enrollment server chooses
> PeerIds that are not HITs

The framework already says this is possible... and the instance draft 
will need to define how that is done for RELOAD, of course.

> 2) how two such independent overlays (run by different organizations)
> could operate on the same node, and how the node would ensure that
> messages got onto the right overlays

This will also need to be defined by the instance draft... in any case, 
I agree with you that the framework needs to talk more about this (it 
does not discuss this issue right now).

> The above can all be done by assuming that HIP rendezvous is done in the
> underlay, not overlay.  As a final step, one might consider whether one
> of these overlays itself could be leveraged to forward HIP traffic.  If
> all of this holds together, then I think we might have a framework
> document that completes the charter item.

You make valid points above. After addressing your points in a new 
revision of the draft (possibly after more list discussions), I think 
the best way to proceed will be to progress the framework and the 
instance draft together so that they can be reviewed at the same time. 
In that way, it will be clearer for the reviewers.

> As an editorial note, I also would recommend skipping section 2 because
> RFC 4423 and other documents are available to provide HIP tutorials.

This is the typical comment we often get from HIP experts :o)... 
however, application-layer people really appreciated that part of the 
draft when they read it. Before writing it, we sent them all types of 
links to HIP documents and tutorials but they did not find them useful. 
I actually believe that having that type of tutorial material in the 
draft makes it much easier for application-layer people to understand 
the draft (and eventually decide to use it). So, I strongly suggest to 
keep it in the draft.

Thanks,

Gonzalo
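
The ORCHID construction of RFC 4843 that this exchange turns on, as an added example that is not part of either message or of the drafts: it derives an ORCHID from a public key (a HIT) and from a peer ID, and shows that both carry the same prefix while only the first can be checked against the key. The overlay context ID, the key bytes and the peer ID are constructed values, and hit_matches_host_identity is a hypothetical helper name.

```python
import hashlib
import ipaddress

# RFC 4843: ORCHID := Prefix | Encode_100(SHA1(Context ID | Input))
ORCHID_PREFIX = 0x2001001                      # the 28 bits of 2001:10::/28
ORCHID_NET = ipaddress.IPv6Network("2001:10::/28")

# Context ID that RFC 5201 assigns to HITs.
HIT_CONTEXT_ID = bytes.fromhex("F0EFF02FBFF43D0FE7930C3C6E6174EA")
# Constructed context ID for a hypothetical overlay (assumption, not registered).
OVERLAY_CONTEXT_ID = bytes(range(16))

# Constructed sample inputs (not real keys or peer IDs).
HOST_IDENTITY = b"constructed-public-key-bytes-for-illustration"
PEER_ID = bytes.fromhex("00112233445566778899aabbccddeeff")


def encode_100(digest: bytes) -> int:
    """Return the middle 100 bits of a 160-bit SHA-1 digest."""
    if len(digest) != 20:
        raise ValueError("expected a 20-byte SHA-1 digest")
    value = int.from_bytes(digest, "big")
    return (value >> 30) & ((1 << 100) - 1)    # drop 30 bits at each end


def orchid(context_id: bytes, input_bits: bytes) -> ipaddress.IPv6Address:
    """Build an ORCHID: 28-bit prefix followed by 100 hash bits."""
    digest = hashlib.sha1(context_id + input_bits).digest()
    return ipaddress.IPv6Address((ORCHID_PREFIX << 100) | encode_100(digest))


def is_orchid(addr: ipaddress.IPv6Address) -> bool:
    """Prefix test only: says nothing about what was hashed."""
    return addr in ORCHID_NET


def hit_matches_host_identity(hit, host_identity: bytes) -> bool:
    """A HIT is valid for a key only if it is the ORCHID of that key."""
    return hit == orchid(HIT_CONTEXT_ID, host_identity)


def derive_examples():
    """Return (hit, orchid of peer ID, orchid of peer ID plus key)."""
    hit = orchid(HIT_CONTEXT_ID, HOST_IDENTITY)
    from_peer_id = orchid(OVERLAY_CONTEXT_ID, PEER_ID)
    from_peer_id_and_key = orchid(OVERLAY_CONTEXT_ID, PEER_ID + HOST_IDENTITY)
    return hit, from_peer_id, from_peer_id_and_key


if __name__ == "__main__":
    for label, addr in zip(("HIT", "ORCHID(peer ID)", "ORCHID(peer ID | key)"),
                           derive_examples()):
        print(f"{label:24} {addr}  orchid={is_orchid(addr)}  "
              f"valid HIT for key={hit_matches_host_identity(addr, HOST_IDENTITY)}")
```

All three values pass the prefix test, so a receiver cannot tell from the address alone which kind it holds; only the first one verifies against the host identity.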


From heer@informatik.rwth-aachen.de  Wed Jul 22 07:56:09 2009
Message-id: <BD65F25F-8BFE-4314-8E19-AE60C258A9B8@cs.rwth-aachen.de>
From: Tobias Heer <heer@cs.rwth-aachen.de>
To: hip WG <hipsec@ietf.org>
In-reply-to: <4A64469A.2020402@ericsson.com>
Date: Wed, 22 Jul 2009 17:20:47 +0300
References: <4A64469A.2020402@ericsson.com>
X-Mailer: Apple Mail (2.935.3)
Subject: Re: [Hipsec] Requesting the publication of	draft-ietf-hip-native-api-07.txt

Hi everyone.

Below some comments on the draft. I am sorry that these comments are  
so late but I hope they are useful anyway.

Conceptual comments first:
---------------------------

Section 4.1: The behavior of the system if HIP_ENDPOINT_ANY is used is  
not clear. First, the text says that "any other type of address" can  
be returned. I would like to know which addresses this could be. After  
talking to Miika he confirmed that "any other address" means IPv4 or  
IPv6. It would be good to be clear here.

The possibility of ending up with an IPv4 socket when using  
HIP_ENDPOINT_ANY also bears a follow-up problem: Since the address  
format of IPv4 and IPv6 differ, it is not clear what sockaddr_hip  
should contain if the socket is bound to an IPv4 address instead of a HIT  
or IPv6 address. From the text it is not clear if a sockaddr_hip would  
be returned at all or if a sockaddr_in or sockaddr_in6 would be returned.  
After some private discussion with Miika we came up with the following  
solution: In the IPv6 case sockaddr_hip.hip_hit_t should contain a  
regular IPv6 address (no magic because these have the same format as  
HITs). In the IPv4 case, the sockaddr_hip.hip_hit_t should be a mapped  
representation of the IPv4 address in IPv6 format (see RFC2553). In  
case the system calls accept() or recv() return a sockaddr_hip after  
binding to HIP_ENDPOINT_ANY, the host should check the type of the  
address with the sockaddr_is_srcaddr function to determine the actual  
nature of the socket. I suggest to clarify this issue in Section 4.1.

Section 4.3: The text only considers the HIP_HIT_* wildcards but not  
the HIP_ENDPOINT_ANY wildcard. Explanation about the possible bindings  
for HIP_ENDPOINT_ANY (IPv4, IPv6, HIT) should be given here, too. The  
function getsockname() and getpeername() could also return a mapped  
IPv4 address or an IPv6 address in case the socket is not HIP. Again  
the use of sockaddr_is_srcaddr should be considered to figure out the  
type of socket.

Security considerations: The use of HIP_ENDPOINT_ANY and a resulting  
binding to an IPv4 or IPv6 socket leads to a lower level of security  
compared to HIP. In my opinion this should be noted in the security  
considerations.


Editorial comments:
--------------------

Section 3: I suggest to rename Section 3 ("API Overview") to something  
like "Name Resolution Process" or "Resolver Overview" because it only  
talks about the resolver and not about the API in general.

Section 3.1: There should be a reference to Figure 1 in the beginning  
of Section 3.1.

Section 4.1: The text says that the system should return -1 and  
EAFNOSUPPORT if AF_HIP is not supported. I suggest to emphasize that  
this is the default behavior for unsupported address families and that  
this does not require changes to legacy hosts.

Section 4.2.1: "Resolver can return" -> "The resolver can return"

Section 4.3: The text is somewhat confusing because first the client  
case and then the server case are explained without notable  
distinction. I suggest to only talk about the server case here since  
this is not relevant for the client anyway.

Section 4.4: The section talks about specific bindings to certain HIP  
classes. Noting that a binding to a specific HIT can also be achieved by  
using bind() and a local HIT in sockaddr_hip.hip_hit_t may be helpful.

Best regards!

Tobias




On 20.07.2009 at 13:27, Gonzalo Camarillo wrote:

> Folks,
>
> the draft below includes all the comments received during its WGLC.  
> Please, have a final look at it because we intend to request its  
> publication in one week.
>
> http://www.ietf.org/internet-drafts/draft-ietf-hip-native-api-07.txt
>
> Thanks,
>
> Gonzalo
> HIP co-chair
>




--  

Dipl.-Inform. Tobias Heer, Ph.D. Student
Distributed Systems Group
RWTH Aachen University, Germany
tel: +49 241 80 207 76
web: http://ds.cs.rwth-aachen.de/members/heer
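
The address handling discussed in the Section 4.1 and security-considerations comments above, as an added example that is not code from the draft or from any HIP implementation: it inspects the 16 bytes that would sit in sockaddr_hip.hip_hit_t after binding to HIP_ENDPOINT_ANY and refuses peers that are not HITs unless the caller opts in. It assumes classification by address format (ORCHID prefix 2001:10::/28 from RFC 4843, IPv4-mapped form) rather than the draft's sockaddr_is_srcaddr function; classify_endpoint and accept_peer are hypothetical names and the sample addresses are constructed.

```python
import ipaddress

# HITs are ORCHIDs and live under this prefix (RFC 4843).
ORCHID_NET = ipaddress.IPv6Network("2001:10::/28")

# Constructed sample values for the 16-byte address field.
SAMPLES = {
    "peer reached over HIP": ipaddress.IPv6Address("2001:10::1").packed,
    "peer reached over IPv4": ipaddress.IPv6Address("::ffff:192.0.2.7").packed,
    "peer reached over IPv6": ipaddress.IPv6Address("2001:db8::1").packed,
}


def classify_endpoint(raw16: bytes):
    """Return (kind, printable address) for a 16-byte endpoint field.

    kind is "hit", "ipv4" (IPv4-mapped IPv6 form) or "ipv6".
    """
    if len(raw16) != 16:
        raise ValueError("endpoint field must be exactly 16 bytes")
    addr = ipaddress.IPv6Address(raw16)
    if addr in ORCHID_NET:
        return "hit", str(addr)
    if addr.ipv4_mapped is not None:
        # Unwrap ::ffff:a.b.c.d so logs and ACLs see the real IPv4 address.
        return "ipv4", str(addr.ipv4_mapped)
    return "ipv6", str(addr)


def accept_peer(raw16: bytes, allow_plain_ip: bool = False) -> bool:
    """Policy check for a socket bound to the any-endpoint wildcard.

    A non-HIT peer means the connection is not protected by HIP, so it is
    rejected unless the application explicitly allows plain IP.
    """
    kind, _ = classify_endpoint(raw16)
    if kind == "hit":
        return True
    return allow_plain_ip


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        kind, text = classify_endpoint(raw)
        print(f"{label:24} kind={kind:4} addr={text:14} "
              f"accepted={accept_peer(raw)}")
```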








From pascal.urien@gmail.com  Thu Jul 23 11:14:29 2009
Date: Thu, 23 Jul 2009 20:06:44 +0200
Message-ID: <788eb8c40907231106g27bae308vcdc94a495b519b8e@mail.gmail.com>
From: Pascal Urien <pascal.urien@gmail.com>
To: hipsec@ietf.org
Content-Type: multipart/alternative; boundary=0016364eed74bec781046f63598a
Subject: [Hipsec] HIP-TAG sample code

Hi folks,

  A sample code for HIP-TAGS is available at
http://perso.telecom-paristech.fr/~urien/hiptag/index.html

  It works with ISO 14443 (13,56 MHz javacards) and illustrates the
HIP_T_Transform 0x0001 as described in
http://perso.telecom-paristech.fr/~urien/hiptag/draft-urien-hip-tag-02.txt

Best Regards

Pascal Urien


From Pascal.Urien@enst.fr  Thu Jul 23 11:20:41 2009
Date: Thu, 23 Jul 2009 20:19:46 +0200
To: hipsec@ietf.org
From: Pascal Urien <Pascal.Urien@enst.fr>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Message-Id: <20090723182008.6AB6FB8B5B@smtp2.enst.fr>
Subject: [Hipsec] HIP-TAGS sample code

Hi folks,

   A sample code for HIP-TAGS is available at 
http://perso.telecom-paristech.fr/~urien/hiptag/index.html

   It works with ISO 14443 (13,56 MHz javacards) and illustrates the 
HIP_T_Transform 0x0001 as described in 
http://perso.telecom-paristech.fr/~urien/hiptag/draft-urien-hip-tag-02.txt

Best Regards

Pascal Urien



From Pascal.Urien@enst.fr  Thu Jul 23 11:21:24 2009
Date: Thu, 23 Jul 2009 20:21:09 +0200
To: hipsec@ietf.org
From: Pascal Urien <Pascal.Urien@enst.fr>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Message-Id: <20090723182116.7BB5CB8ACB@smtp2.enst.fr>
Subject: [Hipsec] WG meeting on  Tuesday July 28, 13h00-15h00, room 307 ?
X-List-Received-Date: Thu, 23 Jul 2009 18:21:24 -0000

Hi All

At the IETF web site, the WG meeting is scheduled for Tuesday July 
28, 13h00-15h00, room 307 (see
https://datatracker.ietf.org/meeting/75/agenda.txt).

Is it the right agenda? It should be great for me, because I could not 
participate on Friday, but Tuesday should be OK.

Best Regards

Pascal



From pascal.urien@gmail.com  Thu Jul 23 11:22:19 2009
Return-Path: <pascal.urien@gmail.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5305128C17D for <hipsec@core3.amsl.com>; Thu, 23 Jul 2009 11:22:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.391
X-Spam-Level: 
X-Spam-Status: No, score=-1.391 tagged_above=-999 required=5 tests=[AWL=1.207,  BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oVCDj4n-fZoE for <hipsec@core3.amsl.com>; Thu, 23 Jul 2009 11:22:18 -0700 (PDT)
Received: from mail-qy0-f203.google.com (mail-qy0-f203.google.com [209.85.221.203]) by core3.amsl.com (Postfix) with ESMTP id 826E128C17C for <hipsec@ietf.org>; Thu, 23 Jul 2009 11:22:18 -0700 (PDT)
Received: by qyk41 with SMTP id 41so1519502qyk.29 for <hipsec@ietf.org>; Thu, 23 Jul 2009 11:20:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type; bh=KI/zfnsB2/sDyIhM6krQY5DNnFUV50MwXBfZAIXMeqk=; b=qLtPCCEDlS6MWRzq56Dce4WXC+uMpk5wywfoV+m/C7b++MAl91NK5Jc7aBKYtqocfR 9VhjYb5Lfu2SMwsmI99tL+WKaVZL7oo+FrpXOurHGRByzChZwAcIdORNzp/ZTsL+pn/X liCdc70BdgD16SHwqk30hHT3mntkqEtTfsJeI=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=q39y6pELLK2pEI/q0Lpdp/2T6CUt6VXakKssAPWmfRY6bZht3OoX2xr85Gdytbw5VC WwDJthzs//Q5jZr+bGtFL3ekGrk4k28bxYsLmTr3LbWjjxn1F4THgyvypatQ87urWhHY jXrcwL5xzQqIKtkRElnXASn0PCvlx+0LvP1x0=
MIME-Version: 1.0
Received: by 10.229.88.134 with SMTP id a6mr569736qcm.89.1248372806483; Thu,  23 Jul 2009 11:13:26 -0700 (PDT)
Date: Thu, 23 Jul 2009 20:13:26 +0200
Message-ID: <788eb8c40907231113t3bbbfa60ta00a6561f625eb1e@mail.gmail.com>
From: Pascal Urien <pascal.urien@gmail.com>
To: hipsec@ietf.org
Content-Type: multipart/alternative; boundary=0016367f9822ad7dfb046f63712c
Subject: [Hipsec] HIPRG on Tuesday July 28, 13h00-15h00 room 307 ?
X-List-Received-Date: Thu, 23 Jul 2009 18:22:19 -0000

--0016367f9822ad7dfb046f63712c
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

Hi All

At the IETF web site, the WG meeting is scheduled for Tuesday July 28,
13h00-15h00, room 307 (see
https://datatracker.ietf.org/meeting/75/agenda.txt).

Is it the right agenda? It should be great for me, because I could not
participate on Friday, but Tuesday should be OK.

Best Regards

Pascal

--0016367f9822ad7dfb046f63712c--

From thomas.r.henderson@boeing.com  Fri Jul 24 02:00:00 2009
Return-Path: <thomas.r.henderson@boeing.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4D8E63A6A41 for <hipsec@core3.amsl.com>; Fri, 24 Jul 2009 02:00:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.449
X-Spam-Level: 
X-Spam-Status: No, score=-5.449 tagged_above=-999 required=5 tests=[AWL=1.150,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GEWodecIxyOv for <hipsec@core3.amsl.com>; Fri, 24 Jul 2009 01:59:58 -0700 (PDT)
Received: from blv-smtpout-01.boeing.com (blv-smtpout-01.boeing.com [130.76.32.69]) by core3.amsl.com (Postfix) with ESMTP id 778443A6826 for <hipsec@ietf.org>; Fri, 24 Jul 2009 01:59:58 -0700 (PDT)
Received: from stl-av-01.boeing.com (stl-av-01.boeing.com [192.76.190.6]) by blv-smtpout-01.ns.cs.boeing.com (8.14.0/8.14.0/8.14.0/SMTPOUT) with ESMTP id n6O4uYSM014295 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Thu, 23 Jul 2009 21:56:34 -0700 (PDT)
Received: from stl-av-01.boeing.com (localhost [127.0.0.1]) by stl-av-01.boeing.com (8.14.0/8.14.0/DOWNSTREAM_RELAY) with ESMTP id n6O4uYUd000358; Thu, 23 Jul 2009 23:56:34 -0500 (CDT)
Received: from XCH-NWBH-11.nw.nos.boeing.com (xch-nwbh-11.nw.nos.boeing.com [130.247.55.84]) by stl-av-01.boeing.com (8.14.0/8.14.0/UPSTREAM_RELAY) with ESMTP id n6O4uXH5000350; Thu, 23 Jul 2009 23:56:33 -0500 (CDT)
Received: from XCH-NW-5V1.nw.nos.boeing.com ([130.247.55.46]) by XCH-NWBH-11.nw.nos.boeing.com with Microsoft SMTPSVC(6.0.3790.3959);  Thu, 23 Jul 2009 21:56:33 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 23 Jul 2009 21:56:33 -0700
Message-ID: <77F357662F8BFA4CA7074B0410171B6D07B0C4D3@XCH-NW-5V1.nw.nos.boeing.com>
In-Reply-To: <4A65F513.5030701@ericsson.com>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: Comments on the HIP-BONE draft
Thread-Index: AcoKJYelP3dRKPguSNuKjcnyaWs+0QAqjq8g
References: <4A6447DC.7070005@ericsson.com> <77F357662F8BFA4CA7074B0410171B6D07B0C4AA@XCH-NW-5V1.nw.nos.boeing.com> <4A65F513.5030701@ericsson.com>
From: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
To: "Gonzalo Camarillo" <Gonzalo.Camarillo@ericsson.com>
X-OriginalArrivalTime: 24 Jul 2009 04:56:33.0686 (UTC) FILETIME=[1DC94360:01CA0C1B]
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] Comments on the HIP-BONE draft
X-List-Received-Date: Fri, 24 Jul 2009 09:00:00 -0000

> > Where I think it becomes conflated, however, is when you try to use the
> > overlay to forward HIP signaling traffic.   I see why you are trying to
> > do this but it leads to these questions:
>
> we had a lot of discussions in the past about this. There were different
> proposals, one of which proposed the simple use you described above. The
> conclusion was to do what HIP BONE specifies. I do not think it would be
> productive to go through the same discussions again at this point.

I am not trying to rathole things, I would just like to understand how
it is supposed to work.  Maybe if I sketched out some use cases, you
could suggest how you think it would work.  For instance, consider five
nodes A-E, and two overlays (X.org's overlay, and Q.com's overlay).
Nodes A-D belong to Q.com's overlay, and A and C to X.org's overlay.

Peer-ID:  X.org-AID             X.org-CID

Peer-ID:  Q.com-AID  Q.com-BID  Q.com-CID  Q.com-DID

HIT:      A-HIT      B-HIT      C-HIT      D-HIT        E-HIT

IP-addr:  A-IP       B-IP       C-IP       D-IP         E-IP

Case 1:  The overlay process belonging to Q.com on node E wants to join
overlay Q.com.  What assumptions do you make about the bootstrapping
record that Q.com's overlay process must have about well-known, stable
nodes?  Does this bootstrapping record store the tuple (Q.com-AID,
A-HIT, A-IP) or just (Q.com-AID, A-HIT)?

Case 2:  Suppose on node A, the peer protocol on node A for overlay
Q.com decides to initiate a HIP association to node C.  What name does
it use for node C?  Presumably, its peer-id "Q.com-CID".  So, it needs
to discover the C-HIT and ultimately the C-IP.  So, as part of the peer
protocol, it resolves Q.com-CID to C-HIT.  I suppose that it does this
with the existing connections that it has.  Does it also at this time
obtain C-IP?  Next, it issues a connect(HIT) socket call.  What happens
next?  There is an outbound I1 to a HIT.  Does the I1 go to the HIP
routing layer, or does the HIP process try to do a DNS/DHT lookup, or
both?  If there are no such records, how does the I1 propagate through
the Q.com overlay, which is not routing HITs but Peer-IDs?  If you
suggest, as below, that Q.com's overlay name is stored in the I1, how
does this "Q.com" get passed through the socket API so that HIP knows
that the process that used the socket API to connect(HIT) was associated
with Q.com?  Or is the native socket API not involved in this framework?

Suppose a HIP association is built between node A and node C, based on
the Q.com peer protocol.  Is this association exported to overlay X.org?
If so, suppose A later leaves Q.com overlay, but stays on X.org overlay.
Does the HIP association from A to C persist?  Are HIP records inserted
into the HIP routing table by a particular peer protocol "owned" by that
protocol, and must be removed by that protocol (just as IP routes are
tagged by the routing protocols that insert them into the FIB)?

Case 3:  the stack on Node A is asked to open a session to F-HIT.  It
doesn't know this yet, but F-HIT is not a known HIT in any of the
overlays that it belongs to.  What happens?

>
> > 1) the overlay may stitch together addressing realms that have no hope
> > of supporting end-to-end HIP associations between them.  For instance,
> > this simple topology:
> >
> > node A <--------IPv4 network -----> node B <--------IPv6 network ---------> node C
> >
> > The overlay may route the I1 from node A to node C and R1 back, but no
> > HIP association between A and C can actually be formed.
>
> This is not a problem specific to the use of HIP in the overlay. It is a
> general problem of the overlay, even if it was not using HIP. If no
> direct connections can be formed between nodes in an overlay, the
> overlay will most likely keep on routing stuff through the overlay.

It depends on the type of overlay, whether the overlay allows "cut
through" forwarding like you are proposing or whether data is forwarded
hop-by-hop at the overlay layer.  But HIP requires the end-to-end
association-- you can't just terminate it hop-by-hop (unless perhaps you
are using HIP DATA packets).

>
> > 2) what if node B above belongs to multiple other HIP-based overlays?
> > How does it know on which overlay to forward the I1?
>
> This is one of the open issues of the instance draft. RELOAD has its own
> way to identify different overlays. We need to decide how we want to
> convey that information in an I1.

If I1s need to be extended, that is an important framework issue.

>
> > Also, from a performance perspective, I think there may be some danger
> > in abstracting the underlying topology away from a peer protocol.  From
> > the peer protocol layer perspective, HIP makes every node look like it
> > is "on link" whereas in fact, each node is possibly different number of
> > hops away, in different administrative domains of the network, etc.
>
> Not really. When HIP is not used, the ICE module takes care of
> establishing those "links". The complexity of connection management is
> abstracted out even when HIP is not used.

I was thinking that some overlays (such as content delivery networks)
may want to run heuristics on IP addresses to determine network
distances.

>
> > To summarize, I think there is some value in defining how P2PSIP-based
> > overlay could use HIP to form its links and deal with NAT, mobility, and
> > multihoming.  However, before allowing RELOAD nodes to perform the HIP
> > distributed rendezvous service, I would first define:
> > 1) how the system works in the case where the enrollment server chooses
> > PeerIds that are not HITs
>
> The framework already says this is possible... and the instance draft
> will need to define how that is done for RELOAD, of course.
>
> > 2) how two such independent overlays (run by different organizations)
> > could operate on the same node, and how the node would ensure that
> > messages got onto the right overlays
>
> This will also need to be defined by the instance draft... in any case,
> I agree with you that the framework needs to talk more about this (it
> does not discuss this issue right now).
>
> > The above can all be done by assuming that HIP rendezvous is done in the
> > underlay, not overlay.  As a final step, one might consider whether one
> > of these overlays itself could be leveraged to forward HIP traffic.  If
> > all of this holds together, then I think we might have a framework
> > document that completes the charter item.
>
> You make valid points above. After addressing your points in a new
> revision of the draft (possibly after more list discussions), I think
> the best way to proceed will be to progress the framework and the
> instance draft together so that they can be reviewed at the same time.
> In that way, it will be clearer for the reviewers.

I agree that it may be better to progress these together.

>
> > As an editorial note, I also would recommend skipping section 2 because
> > RFC 4423 and other documents are available to provide HIP tutorials.
>
> This is the typical comment we often get from HIP experts :o)...
> however, application-layer people really appreciated that part of the
> draft when they read it. Before writing it, we sent them all types of
> links to HIP documents and tutorials but they did not find them useful.
> I actually believe that having that type of tutorial material in the
> draft makes it much easier for application-layer people to understand
> the draft (and eventually decide to use it). So, I strongly suggest to
> keep it in the draft.

OK, as I said, it was just an editorial suggestion.

Regards,
Tom

From ari.keranen@nomadiclab.com  Fri Jul 24 10:00:53 2009
Return-Path: <ari.keranen@nomadiclab.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B9F713A6CFF for <hipsec@core3.amsl.com>; Fri, 24 Jul 2009 10:00:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.051
X-Spam-Level: 
X-Spam-Status: No, score=0.051 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_SE=0.35, MANGLED_TOOL=2.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lzwVQfy7TIBc for <hipsec@core3.amsl.com>; Fri, 24 Jul 2009 10:00:52 -0700 (PDT)
Received: from mailgw5.ericsson.se (mailgw5.ericsson.se [193.180.251.36]) by core3.amsl.com (Postfix) with ESMTP id 64FB53A680C for <hipsec@ietf.org>; Fri, 24 Jul 2009 10:00:52 -0700 (PDT)
X-AuditID: c1b4fb24-b7c01ae00000498b-82-4a69e8c3c5de
Received: from esealmw127.eemea.ericsson.se (Unknown_Domain [153.88.253.124]) by mailgw5.ericsson.se (Symantec Brightmail Gateway) with SMTP id 20.4E.18827.3C8E96A4; Fri, 24 Jul 2009 19:00:51 +0200 (CEST)
Received: from esealmw127.eemea.ericsson.se ([153.88.254.175]) by esealmw127.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.3959);  Fri, 24 Jul 2009 18:59:35 +0200
Received: from mail.lmf.ericsson.se ([131.160.11.50]) by esealmw127.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.3959);  Fri, 24 Jul 2009 18:59:35 +0200
Received: from [127.0.0.1] (nomadiclab.lmf.ericsson.se [131.160.33.3]) by mail.lmf.ericsson.se (Postfix) with ESMTP id BC2522450; Fri, 24 Jul 2009 19:59:34 +0300 (EEST)
Message-ID: <4A69E873.2010906@nomadiclab.com>
Date: Fri, 24 Jul 2009 19:59:31 +0300
From: Ari Keranen <ari.keranen@nomadiclab.com>
User-Agent: Thunderbird 2.0.0.22 (X11/20090608)
MIME-Version: 1.0
To: Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>
References: <4A6447DC.7070005@ericsson.com>
In-Reply-To: <4A6447DC.7070005@ericsson.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 24 Jul 2009 16:59:35.0146 (UTC) FILETIME=[1F26BCA0:01CA0C80]
X-Brightmail-Tracker: AAAAAA==
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] Overlay work: status and request for input
X-List-Received-Date: Fri, 24 Jul 2009 17:00:53 -0000

Hi,

I think it makes sense to split the RELOAD specifics out of the HIP BONE 
draft and make it a separate WG item. Also +1 for adopting HICCUPS and 
HIP-VIA as WG items and removing the generic ORCHID transformation milestone.


Cheers,
Ari

Gonzalo Camarillo wrote:
> Folks,
> 
> here you have a summary of the status of the overlay work.
> Additionally, we have some questions for the WG related to our
> milestones and their related charter items. Your input on those
> questions is very welcome.
> 
> 1) We have the following milestone:
> 
> "Specify a framework to build HIP-based overlays. This framework will
> describe how HIP can perform some of the tasks needed to build an
> overlay and how technologies developed somewhere else (e.g., a peer
> protocol developed in the P2PSIP WG) can complement HIP by performing
> the tasks HIP was not designed to perform."
> 
> The WG item for this milestone is the following draft, which should be
> ready for WGLC:
> 
> http://tools.ietf.org/id/draft-ietf-hip-bone-02.txt
> 
> This draft defines a high-level framework to build HIP-based overlays.
> Additionally, its previous version defined how to build a HIP-based
> overlay using RELOAD. The authors have chosen to move this definition to
> a separate document because while the high-level framework is
> informational in nature, the definition makes use of normative language.
> The resulting document is the draft below. We would like to ask the WG
> if it is OK to split our current milestone in two so that they cover the
> high-level framework and the definition in separate documents.
> 
> http://tools.ietf.org/internet-drafts/draft-keranen-hip-reload-instance-00.txt 
> 
> 
> Additionally, we would like to ask the WG if we should take the draft
> above as the WG item associated to the milestone for the definition.
> 
> 2) We have the following milestone:
> 
> "Specify how to carry upper-layer data over specified HIP
> packets. These include some of the existing HIP packets and possibly
> new HIP packets (e.g., a HIP packet that occurs outside a HIP base
> exchange)."
> 
> We still do not have a WG item for it but the following draft has been
> around for some time. We would like to ask the WG if we should adopt the
> following draft as the WG item for this milestone.
> 
> http://tools.ietf.org/internet-drafts/draft-nikander-hip-hiccups-02.txt
> 
> Revision 02 of the draft above is identical to 01 (the only changes are
> the date and the new copyright). The authors intend to address the
> comments received on the list shortly.
> 
> 3) In order to be able to support the functionality provided by RELOAD,
> HIP needs to support multi-hop routing. Instead of specifying it in the
> HIP BONE draft, having a separate draft seems to make more sense given
> that this functionality has a more general applicability than overlays.
> We would like to ask the WG if we should spin off a new milestone from
> our original milestone for overlays that covers multihop routing in HIP.
> 
> The following draft takes a stab at specifying multihop routing in HIP.
> We would like to ask the WG if we should adopt it as a WG item for the
> milestone above (assuming we decide to create the milestone).
> 
> http://tools.ietf.org/internet-drafts/draft-camarillo-hip-via-00.txt
> 
> 4) We have the following milestone:
> 
> "Specify how to generate ORCHIDs from other node identifiers
> including both cryptographic ones (leading to cryptographic
> delegation) and non-cryptographic ones (e.g., identifiers defined by a
> peer protocol)."
> 
> When we created that milestone, we expected to have a generic mechanism
> to transform node IDs into ORCHIDs. However, at this point, it seems
> that such transformation will be done in different ways depending on the
> peer protocol used in a particular overlay. For example, the instance
> specification for RELOAD draft defines such transformation for RELOAD
> peer identifiers. The fact that nobody has submitted a draft for that
> milestone seems to confirm the previous impression. We would like to ask
> the WG if we should remove that milestone from our charter.
> 
> Thanks,
> 
> Gonzalo
> HIP co-chair


From gonzalo.camarillo@ericsson.com  Sun Jul 26 04:04:03 2009
Return-Path: <gonzalo.camarillo@ericsson.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 337703A6A9A for <hipsec@core3.amsl.com>; Sun, 26 Jul 2009 04:04:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.845
X-Spam-Level: 
X-Spam-Status: No, score=-2.845 tagged_above=-999 required=5 tests=[AWL=-1.466, BAYES_00=-2.599, HELO_EQ_SE=0.35, SARE_MLH_Stock1=0.87]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KeWXN48m6hNJ for <hipsec@core3.amsl.com>; Sun, 26 Jul 2009 04:04:02 -0700 (PDT)
Received: from mailgw5.ericsson.se (mailgw5.ericsson.se [193.180.251.36]) by core3.amsl.com (Postfix) with ESMTP id EA15E3A6ABE for <hipsec@ietf.org>; Sun, 26 Jul 2009 04:03:51 -0700 (PDT)
X-AuditID: c1b4fb24-b7c01ae00000498b-e4-4a6c3817ee77
Received: from esealmw129.eemea.ericsson.se (Unknown_Domain [153.88.253.124]) by mailgw5.ericsson.se (Symantec Brightmail Gateway) with SMTP id C1.DF.18827.7183C6A4; Sun, 26 Jul 2009 13:03:51 +0200 (CEST)
Received: from esealmw129.eemea.ericsson.se ([153.88.254.177]) by esealmw129.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.3959);  Sun, 26 Jul 2009 13:03:51 +0200
Received: from mail.lmf.ericsson.se ([131.160.11.50]) by esealmw129.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.3959);  Sun, 26 Jul 2009 13:03:51 +0200
Received: from [131.160.126.137] (rvi2-126-137.lmf.ericsson.se [131.160.126.137]) by mail.lmf.ericsson.se (Postfix) with ESMTP id E21BC245F; Sun, 26 Jul 2009 14:03:50 +0300 (EEST)
Message-ID: <4A6C3816.5090007@ericsson.com>
Date: Sun, 26 Jul 2009 14:03:50 +0300
From: Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>
User-Agent: Thunderbird 2.0.0.22 (Windows/20090605)
MIME-Version: 1.0
To: HIP <hipsec@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 26 Jul 2009 11:03:51.0324 (UTC) FILETIME=[C21175C0:01CA0DE0]
X-Brightmail-Tracker: AAAAAA==
Subject: [Hipsec] Final agenda for Stockholm
X-List-Received-Date: Sun, 26 Jul 2009 11:04:03 -0000

Folks,

I have just uploaded the final agenda (make sure you refresh your 
browser if you fetched previous agendas from this link):

http://www.ietf.org/proceedings/75/agenda/hip.html

The only presentation we will have will deal with moving HIP to the 
standards track.

Cheers,

Gonzalo
HIP co-chair

From gonzalo.camarillo@ericsson.com  Sun Jul 26 06:29:15 2009
Return-Path: <gonzalo.camarillo@ericsson.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 849A63A6B90 for <hipsec@core3.amsl.com>; Sun, 26 Jul 2009 06:29:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.264
X-Spam-Level: 
X-Spam-Status: No, score=-3.264 tagged_above=-999 required=5 tests=[AWL=-1.015, BAYES_00=-2.599, HELO_EQ_SE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UAIkROH5VZzY for <hipsec@core3.amsl.com>; Sun, 26 Jul 2009 06:29:14 -0700 (PDT)
Received: from mailgw5.ericsson.se (mailgw5.ericsson.se [193.180.251.36]) by core3.amsl.com (Postfix) with ESMTP id 84BD73A6B21 for <hipsec@ietf.org>; Sun, 26 Jul 2009 06:29:14 -0700 (PDT)
X-AuditID: c1b4fb24-b7c01ae00000498b-e9-4a6c5a2a45d5
Received: from esealmw128.eemea.ericsson.se (Unknown_Domain [153.88.253.124]) by mailgw5.ericsson.se (Symantec Brightmail Gateway) with SMTP id 78.E1.18827.A2A5C6A4; Sun, 26 Jul 2009 15:29:14 +0200 (CEST)
Received: from esealmw128.eemea.ericsson.se ([153.88.254.176]) by esealmw128.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.3959);  Sun, 26 Jul 2009 15:28:54 +0200
Received: from mail.lmf.ericsson.se ([131.160.11.50]) by esealmw128.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.3959);  Sun, 26 Jul 2009 15:28:54 +0200
Received: from [131.160.126.137] (rvi2-126-137.lmf.ericsson.se [131.160.126.137]) by mail.lmf.ericsson.se (Postfix) with ESMTP id 335A02461; Sun, 26 Jul 2009 16:28:53 +0300 (EEST)
Message-ID: <4A6C5A14.1020407@ericsson.com>
Date: Sun, 26 Jul 2009 16:28:52 +0300
From: Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>
User-Agent: Thunderbird 2.0.0.22 (Windows/20090605)
MIME-Version: 1.0
To: Pascal Urien <Pascal.Urien@enst.fr>
References: <20090723182116.7BB5CB8ACB@smtp2.enst.fr>
In-Reply-To: <20090723182116.7BB5CB8ACB@smtp2.enst.fr>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 26 Jul 2009 13:28:54.0645 (UTC) FILETIME=[05A6DA50:01CA0DF5]
X-Brightmail-Tracker: AAAAAA==
Cc: hipsec@ietf.org
Subject: Re: [Hipsec] WG meeting on  Tuesday July 28, 13h00-15h00, room 307 ?
X-List-Received-Date: Sun, 26 Jul 2009 13:29:15 -0000

Hi Pascal,

the RG will be meeting on Tuesday. The WG, whose mailing list is this 
one, will be meeting on Thursday.

Cheers,

Gonzalo

Pascal Urien wrote:
> Hi All
> 
> At the IETF web site, the WG meeting is scheduled for Tuesday July 28, 
> 13h00-15h00, room 307 (see
> https://datatracker.ietf.org/meeting/75/agenda.txt).
> 
> Is it the right agenda? It should be great for me, because I could not 
> participate on Friday, but Tuesday should be OK.
> 
> Best Regards
> 
> Pascal


From heer@informatik.rwth-aachen.de  Mon Jul 27 07:26:13 2009
Return-Path: <heer@informatik.rwth-aachen.de>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 180DB28C185 for <hipsec@core3.amsl.com>; Mon, 27 Jul 2009 07:26:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.801
X-Spam-Level: 
X-Spam-Status: No, score=-4.801 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wHFs5-ebCBIX for <hipsec@core3.amsl.com>; Mon, 27 Jul 2009 07:26:12 -0700 (PDT)
Received: from mta-2.ms.rz.rwth-aachen.de (mta-2.ms.rz.RWTH-Aachen.DE [134.130.7.73]) by core3.amsl.com (Postfix) with ESMTP id DF87628C1E4 for <hipsec@ietf.org>; Mon, 27 Jul 2009 07:26:11 -0700 (PDT)
MIME-version: 1.0
Content-transfer-encoding: 7BIT
Content-type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Received: from ironport-out-1.rz.rwth-aachen.de ([134.130.5.40]) by mta-2.ms.rz.RWTH-Aachen.de (Sun Java(tm) System Messaging Server 6.3-7.04 (built Sep 26 2008)) with ESMTP id <0KNG00KEO2RLZR50@mta-2.ms.rz.RWTH-Aachen.de> for hipsec@ietf.org; Mon, 27 Jul 2009 16:26:09 +0200 (CEST)
X-IronPort-AV: E=Sophos;i="4.43,276,1246831200";   d="scan'208";a="20522195"
Received: from relay-auth-1.ms.rz.rwth-aachen.de (HELO relay-auth-1) ([134.130.7.78]) by ironport-in-1.rz.rwth-aachen.de with ESMTP; Mon, 27 Jul 2009 16:26:09 +0200
Received: from dhcp-11f5.meeting.ietf.org ([unknown] [130.129.17.245]) by relay-auth-1.ms.rz.rwth-aachen.de (Sun Java(tm) System Messaging Server 7.0-3.01 64bit (built Dec 9 2008)) with ESMTPA id <0KNG006V52RKSM00@relay-auth-1.ms.rz.rwth-aachen.de> for hipsec@ietf.org; Mon, 27 Jul 2009 16:26:08 +0200 (CEST)
Message-id: <6512FD53-0253-4B49-BC0D-41022DBB9644@cs.rwth-aachen.de>
From: Tobias Heer <heer@cs.rwth-aachen.de>
To: hip WG <hipsec@ietf.org>
Date: Mon, 27 Jul 2009 16:26:05 +0200
X-Mailer: Apple Mail (2.935.3)
Subject: [Hipsec] Comments on hiccups draft
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jul 2009 14:26:13 -0000

Some comments on the hiccups draft. In general I find the approach  
interesting and worth pursuing. Below are some questions that mostly  
focus on security:

Conceptual comments and questions:
----------------------------------

Section 3: Existence of the HMAC in the packet:
The hiccups draft states that "[the payload is] protected by a  
PAYLOAD_HMAC parameter". To me it is unclear how such protection can  
possibly work. Since there is no previous handshake there are no keys  
for use in the HMAC. Jan explained that the HMAC is merely used as a  
way to create a digest over the packet for making the signature more  
efficient. However, if it is only used for creating the digest, I  
wonder why it is actually transmitted in the packet because without a  
secret included in the packet, the digest can easily be calculated and  
transmitting the digest in a packet seems to be an unnecessary waste of
space. Am I missing something here? It would be nice if the draft was  
more precise about the nature and the use of the HMAC.

Section 4.3: Sending R1 if receiver suspects an attack:
I guess that in this case, the receiver drops the data packet and its  
content should be retransmitted (by a higher-layer mechanism?)? If  
yes, this could be mentioned somewhere.

Replay protection:
The draft talks about immediate replays of DATA packets in the
context of DoS attacks targeted at ACK signature generation. However,  
it does not talk about replays after a longer time (e.g. to mess with  
upper-layer state machines).
How can hosts shelter against replays of valid but old hiccups  
packets? The sequence number only works from the second packet on and  
still complete sequences of HIP DATA packets can be replayed. Caching  
packets or keeping state for every ever-received packet is probably  
not feasible. Is there a solution? If not, this should also be stated  
in the text and the security considerations.

Various sections: DoS resistance:
The draft briefly mentions that the protocol is susceptible to DoS  
attacks. This statement is rather vague and only mentions the absence  
of "half-stateless DoS protection nature of the base exchange" and  
immediate replays. However, CPU targeted DoS attacks (verification of
PK-signatures without a puzzle or working HMAC to shelter against
floods of HIP DATA packets - not necessarily replays) seem much more
realistic to me than state space exhaustion attacks. Using HIP DATA
packets creates a computational asymmetry between the attacker and the
victim (receiver). This imbalance could be mentioned in a more  
explicit way.


Editorial comments:
-------------------

Section 4.3: "The host MAY responds" -> "The host MAY respond"

Best regards,
Tobias






--  

Dipl.-Inform. Tobias Heer, Ph.D. Student
Distributed Systems Group
RWTH Aachen University, Germany
tel: +49 241 80 207 76
web: http://ds.cs.rwth-aachen.de/members/heer
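
The Section 3 comment above turns on what a transmitted HMAC can prove when no key has been agreed. The following is an added example, not part of the original mail or of the hiccups draft: it compares a tag computed with a publicly known key against one computed with a key from a prior handshake. The wire format, PUBLIC_KEY, the session key and the choice of HMAC-SHA1 are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumption: with no handshake, any "key" both ends can use is publicly
# derivable. PUBLIC_KEY models that; the hiccups draft does not define it.
PUBLIC_KEY = bytes(20)
TAG_LEN = hashlib.sha1().digest_size  # 20 bytes carried in every packet


def tag(payload: bytes, key: bytes) -> bytes:
    """HMAC-SHA1 over the payload."""
    return hmac.new(key, payload, hashlib.sha1).digest()


def build(payload: bytes, key: bytes) -> bytes:
    """Constructed wire format: payload followed by its 20-byte tag."""
    return payload + tag(payload, key)


def accept(packet: bytes, key: bytes) -> bool:
    """Receiver check: recompute the tag and compare in constant time."""
    payload, received = packet[:-TAG_LEN], packet[-TAG_LEN:]
    return hmac.compare_digest(tag(payload, key), received)


def altered_copy(packet: bytes, new_payload: bytes, known_key) -> bytes:
    """What a third party can produce from a packet and the keys it knows."""
    if known_key is None:
        # No key known: the old tag is all it can attach.
        return new_payload + packet[-TAG_LEN:]
    return build(new_payload, known_key)


def evaluate() -> dict:
    original = b"constructed hiccups payload"
    changed = b"constructed payload, altered"
    # Constructed stand-in for a key that a base exchange would have produced.
    session_key = hashlib.sha256(b"constructed handshake secret").digest()

    unkeyed = build(original, PUBLIC_KEY)
    keyed = build(original, session_key)
    return {
        # The receiver derives the same 20 bytes itself, so sending them adds nothing.
        "receiver_can_recompute_unkeyed_tag":
            tag(original, PUBLIC_KEY) == unkeyed[-TAG_LEN:],
        # A changed payload with a recomputed tag passes the unkeyed check.
        "unkeyed_accepts_altered":
            accept(altered_copy(unkeyed, changed, PUBLIC_KEY), PUBLIC_KEY),
        "keyed_accepts_original": accept(keyed, session_key),
        # Without the session key the changed payload is rejected.
        "keyed_accepts_altered":
            accept(altered_copy(keyed, changed, None), session_key),
        "bytes_spent_on_tag": TAG_LEN,
    }


if __name__ == "__main__":
    for name, value in evaluate().items():
        print(f"{name}: {value}")
```

Only the keyed variant rejects the altered payload; in the unkeyed case integrity has to come from the signature alone.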








From wang_russell@hotmail.com  Tue Jul 28 01:36:40 2009
Return-Path: <wang_russell@hotmail.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 07D6A3A6DBB for <hipsec@core3.amsl.com>; Tue, 28 Jul 2009 01:36:40 -0700 (PDT)
X-Quarantine-ID: <fc5y8MJeEGAd>
X-Virus-Scanned: amavisd-new at amsl.com
X-Amavis-Alert: BAD HEADER, Duplicate header field: "Message-ID"
X-Spam-Flag: NO
X-Spam-Score: 0.19
X-Spam-Level: 
X-Spam-Status: No, score=0.19 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, CN_BODY_35=0.339, MIME_CHARSET_FARAWAY=2.45]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fc5y8MJeEGAd for <hipsec@core3.amsl.com>; Tue, 28 Jul 2009 01:36:38 -0700 (PDT)
Received: from bay0-omc2-s8.bay0.hotmail.com (bay0-omc2-s8.bay0.hotmail.com [65.54.246.144]) by core3.amsl.com (Postfix) with ESMTP id DCC4C3A6DBA for <hipsec@ietf.org>; Tue, 28 Jul 2009 01:36:38 -0700 (PDT)
Received: from hotmail.com ([65.54.169.80]) by bay0-omc2-s8.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);  Tue, 28 Jul 2009 01:36:40 -0700
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 28 Jul 2009 01:36:40 -0700
Message-ID: <BAY114-DAV868AC2FDA00CF5588319BED150@phx.gbl>
Received: from 130.129.18.191 by BAY114-DAV8.phx.gbl with DAV; Tue, 28 Jul 2009 08:36:39 +0000
X-Originating-IP: [130.129.18.191]
X-Originating-Email: [wang_russell@hotmail.com]
X-Sender: wang_russell@hotmail.com
From: "wangjun" <wang_russell@hotmail.com>
To: "'Gonzalo Camarillo'" <Gonzalo.Camarillo@ericsson.com>, "'Henderson, Thomas R'" <thomas.r.henderson@boeing.com>
References: <4A6447DC.7070005@ericsson.com><77F357662F8BFA4CA7074B0410171B6D07B0C4AA@XCH-NW-5V1.nw.nos.boeing.com> <4A65F513.5030701@ericsson.com>
Date: Tue, 28 Jul 2009 10:36:44 +0200
Message-ID: <90ABCE964C6D454E9F94FEB569F38E39@WangJunNK>
MIME-Version: 1.0
Content-Type: text/plain; charset="gb2312"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook 11
In-Reply-To: <4A65F513.5030701@ericsson.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
Thread-Index: AcoKJWZOCDiaurnLSFu84syoAKFwhwFNKiWg
X-OriginalArrivalTime: 28 Jul 2009 08:36:40.0289 (UTC) FILETIME=[872FF510:01CA0F5E]
Cc: 'HIP' <hipsec@ietf.org>
Subject: Re: [Hipsec] Comments on the HIP-BONE draft
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jul 2009 08:36:40 -0000

Hi Gonzalo,

About the HIP ID and Peer ID, my understanding:
1) The HIP Bone is a p2p overlay; the peers talk a p2p protocol with each
other, and HIP can be encapsulated in a p2p payload.
2) Every HIP host is a p2p client or a p2p agnostic terminal, and attaches
to arbitrary peer(s) of the overlay; they register their locator-HIP_ID
bindings into the HIP bone.
So the HIP hosts may be designated a peer ID, but it's really not
mandated.

-----Original Message-----
From: hipsec-bounces@ietf.org [mailto:hipsec-bounces@ietf.org] On Behalf Of
Gonzalo Camarillo
Sent: 21 July 2009 19:04
To: Henderson, Thomas R
Cc: HIP
Subject: [Hipsec] Comments on the HIP-BONE draft

Hi Tom,

thanks for your comments. Answers inline:

>> http://tools.ietf.org/id/draft-ietf-hip-bone-02.txt
>
> I remain very uneasy about the above draft, which I think is not very
> clear and skirts over some hard issues.

we have moved a few things to the RELOAD instance draft, which is still
very much work in progress (as you can see if you read the draft). Some
issues will be addressed there. Of course, any general issues belonging
to the framework should be addressed in this document.

> The document tries to provide a generalized framework for HIP-based
> overlays, but it is not clear how it will work when there are multiple
> peer protocols (multiple overlays) and when the peer IDs are not the
> same as the node IDs.  The specific instance draft does not handle
> these issues; it assumes that the peer ID is the ORCHID (which was not
> acceptable to some in the P2PSIP WG due to possible chosen ID
> attacks), and is, of course, only one instance.

The framework does not assume that Peer IDs are used at the HIP level.
It just tells you that depending on the Peer IDs used in your overlay,
you need to convert them to something HIP can use. Originally, we thought
of having a draft that described that conversion in general (you yourself
were working on a similar draft at some point) but now we tend to think
that this type of conversion is better defined in the instance specs.

Regarding the RELOAD instance draft, this is one of the open issues.
That is, whether we can use RELOAD peer IDs directly or if we need some
type of transformation (ORCHIDs have a prefix; therefore, there are less
than 128 bits available).

> In general, I recommend not trying to complete work on a framework for
> multiple overlays until there is an example of at least how two
> independent overlays (perhaps with different peer protocols and
> different peer ID structures) coexist on some of the same nodes, and
> the peer IDs are not HITs.

RELOAD has its own way of identifying particular overlays. Other peer
protocols may have different ways. Therefore, this does not seem to be a
framework issue. Each instance draft would need to describe it
separately... in any case, I agree it is worthwhile talking a bit more
about this in the framework.

> The draft states:
> "Since HIP needs
> ORCHIDs (and not any type of Peer ID) to work, hosts in the overlay
> will transform their Peer IDs into ORCHIDs, for example, by taking a
> hash of the Peer IDs or taking a hash of the Peer ID and the public
> key."
>
> I don't see how this would work since for an ORCHID to be used as a
> HIT, it must hash a public key.

The text wants to indicate that conversions between Peer IDs and ORCHIDs
are up to each particular instance specification. I agree removing the
examples may be a good idea so that they do not mislead readers.

> It is not clear from the document what IDs are being routed if the
> peer ID is not the same as the HIT.  I think the answer is that it is
> the peer IDs that are being routed, and HIP is just providing the
> links between the peer IDs.

Yes, routing tables contain Peer IDs.

> It may be that the peer IDs are the same as HITs in some instances,
> but it should be architecturally clear that transport connections are
> being terminated at each hop in the overlay.

Yes, transport connections are between hops in the overlay, as usual.

> If the document were to describe an overlay architecture where you
> recommend to the peer protocols "Use HITs like you would otherwise use
> IP addresses, and HIP will take care of the rest of the ugly business
> of NAT traversal, mobility, and multihoming," then it would seem to be
> relatively straightforward, so long as HIP took it upon itself with no
> dependency on the peer protocol to do anything for it.
>
> Where I think it becomes conflated, however, is when you try to use the
> overlay to forward HIP signaling traffic.   I see why you are trying to
> do this but it leads to these questions:

we had a lot of discussions in the past about this. There were different
proposals, one of which proposed the simple use you described above. The
conclusion was to do what HIP BONE specifies. I do not think it would be
productive to go through the same discussions again at this point.

> 1) the overlay may stitch together addressing realms that have no hope
> of supporting end-to-end HIP associations between them.  For instance,
> this simple topology:
>
> node A <--------Ipv4 network -----> node B <--------Ipv6 network
> ---------> node C
>
> The overlay may route the I1 from node A to node C and R1 back, but no
> HIP association between A and C can actually be formed.

This is not a problem specific to the use of HIP in the overlay. It is a
general problem of the overlay, even if it was not using HIP. If no
direct connections can be formed between nodes in an overlay, the
overlay will most likely keep on routing stuff through the overlay.

> 2) what if node B above belongs to multiple other HIP-based overlays?
> How does it know on which overlay to forward the I1?

This is one of the open issues of the instance draft. RELOAD has its own
way to identify different overlays. We need to decide how we want to
convey that information in an I1.

> Also, from a performance perspective, I think there may be some danger
> in abstracting the underlying topology away from a peer protocol.
> From the peer protocol layer perspective, HIP makes every node look
> like it is "on link" whereas in fact, each node is possibly different
> number of hops away, in different administrative domains of the
> network, etc.

Not really. When HIP is not used, the ICE module takes care of
establishing those "links". The complexity of connection management is
abstracted out even when HIP is not used.

> To summarize, I think there is some value in defining how P2PSIP-based
> overlay could use HIP to form its links and deal with NAT, mobility,
> and multihoming.  However, before allowing RELOAD nodes to perform the
> HIP distributed rendezvous service, I would first define:
> 1) how the system works in the case where the enrollment server
> chooses PeerIds that are not HITs

The framework already says this is possible... and the instance draft
will need to define how that is done for RELOAD, of course.

> 2) how two such independent overlays (run by different organizations)
> could operate on the same node, and how the node would ensure that
> messages got onto the right overlays

This will also need to be defined by the instance draft... in any case,
I agree with you that the framework needs to talk more about this (it
does not discuss this issue right now).

> The above can all be done by assuming that HIP rendezvous is done in
> the underlay, not overlay.  As a final step, one might consider
> whether one of these overlays itself could be leveraged to forward HIP
> traffic.  If all of this holds together, then I think we might have a
> framework document that completes the charter item.

You make valid points above. After addressing your points in a new
revision of the draft (possibly after more list discussions), I think
the best way to proceed will be to progress the framework and the
instance draft together so that they can be reviewed at the same time.
In that way, it will be clearer for the reviewers.

> As an editorial note, I also would recommend skipping section 2
> because RFC 4423 and other documents are available to provide HIP
> tutorials.

This is the typical comment we often get from HIP experts :o)...
however, application-layer people really appreciated that part of the
draft when they read it. Before writing it, we sent them all types of
links to HIP documents and tutorials but they did not find them useful.
I actually believe that having that type of tutorial material in the
draft makes it much easier for application-layer people to understand
the draft (and eventually decide to use it). So, I strongly suggest to
keep it in the draft.

Thanks,

Gonzalo

_______________________________________________
Hipsec mailing list
Hipsec@ietf.org
https://www.ietf.org/mailman/listinfo/hipsec
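
The exchange quoted above asks whether a Peer ID can become an ORCHID by hashing the Peer ID alone, and notes that the ORCHID prefix leaves fewer than 128 bits. The following is an added example, not code from the thread or from either draft: it builds ORCHIDs the RFC 4843 way (28-bit prefix plus the middle 100 bits of a SHA-1 hash) and checks each variant against a public key. CONTEXT_ID, the Peer ID and both keys are constructed values, and the concatenation order of Peer ID and key is an assumption.

```python
import hashlib
import ipaddress

ORCHID_PREFIX = ipaddress.ip_network("2001:10::/28")  # ORCHID prefix, RFC 4843
# Constructed 128-bit context ID for this example, not the value HIP uses.
CONTEXT_ID = hashlib.sha256(b"constructed example context").digest()[:16]


def orchid(input_bytes: bytes) -> ipaddress.IPv6Address:
    """28-bit prefix followed by the middle 100 bits of SHA-1(context | input)."""
    digest = int.from_bytes(hashlib.sha1(CONTEXT_ID + input_bytes).digest(), "big")
    middle_100 = (digest >> 30) & ((1 << 100) - 1)   # drop 30 bits on each side
    prefix_bits = int(ORCHID_PREFIX.network_address) >> 100
    return ipaddress.IPv6Address((prefix_bits << 100) | middle_100)


def usable_directly(peer_id: bytes) -> bool:
    """A 128-bit Peer ID is a valid ORCHID only if it already carries the prefix."""
    return len(peer_id) == 16 and ipaddress.IPv6Address(peer_id) in ORCHID_PREFIX


def key_matches_hit(hit, public_key: bytes, peer_id: bytes = b"") -> bool:
    """Receiver-side check: recompute the ORCHID from what the peer presents."""
    return orchid(peer_id + public_key) == hit


def compare() -> dict:
    peer_id = bytes.fromhex("8f3a5c0e1b2d4f60718293a4b5c6d7e8")  # constructed
    owner_key = b"constructed public key of the peer"
    other_key = b"constructed public key of someone else"

    from_peer_id = orchid(peer_id)             # hash of the Peer ID only
    from_both = orchid(peer_id + owner_key)    # hash of Peer ID and public key
    return {
        "peer_id_usable_directly": usable_directly(peer_id),
        "derived_in_prefix":
            from_peer_id in ORCHID_PREFIX and from_both in ORCHID_PREFIX,
        "hash_bits_kept": 128 - ORCHID_PREFIX.prefixlen,
        # No key went into this ORCHID, so no key can be verified against it.
        "peer_id_only_owner_key": key_matches_hit(from_peer_id, owner_key),
        "peer_id_only_other_key": key_matches_hit(from_peer_id, other_key),
        # Here the ORCHID is bound to exactly one key.
        "both_owner_key": key_matches_hit(from_both, owner_key, peer_id),
        "both_other_key": key_matches_hit(from_both, other_key, peer_id),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

An ORCHID hashed from the Peer ID alone has the right shape but cannot be tied to any host identity; including the key restores that binding, at the cost of the verifier needing the Peer ID as well.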


From pascal.urien@gmail.com  Tue Jul 28 02:00:24 2009
Return-Path: <pascal.urien@gmail.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0150C3A6E11 for <hipsec@core3.amsl.com>; Tue, 28 Jul 2009 02:00:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level: 
X-Spam-Status: No, score=x tagged_above=-999 required=5 tests=[]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Oda5oxSOEIUF for <hipsec@core3.amsl.com>; Tue, 28 Jul 2009 02:00:23 -0700 (PDT)
Received: from qw-out-2122.google.com (qw-out-2122.google.com [74.125.92.26]) by core3.amsl.com (Postfix) with ESMTP id 84EB43A6E0A for <hipsec@ietf.org>; Tue, 28 Jul 2009 02:00:22 -0700 (PDT)
Received: by qw-out-2122.google.com with SMTP id 5so2021890qwd.31 for <hipsec@ietf.org>; Tue, 28 Jul 2009 02:00:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=BA0bhWjkdSIfKNdaG9DwKqywhG4dFzZzOLLpPiUqgD0=; b=i8YdcFe5ViBwvz1g+ZchlYVQJ6WryPzFOg3gNvAMuWsz0eBGIiGJE8NeCuNQhh232d F0poIHVJQ/QZhxjhhGN0BfRvjEDBeSNcREeTqSnsfidfZ/xqpa6S91ULEJojzbFDryMY /ECa0xpmOtmSW19Ah+IY7TLmjG8cd9wlP2Gu4=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=rVCOiJwljXzXGh3JNSo2K1/CK9xgG3ekHhD6NWxyLLpsjdh+ee8U2IrX7vvYyKi0Fo iespshprWnzXf07K0BnlvI9bcbfGYdK/DuuKJhZ6id48nQ70uQlZkLLLUD45wpZD2ol/ xSUmon5CjgRP0QP21eOPmyUQptdtXYMMWHtPg=
MIME-Version: 1.0
Received: by 10.229.91.13 with SMTP id k13mr1633906qcm.98.1248771620178; Tue,  28 Jul 2009 02:00:20 -0700 (PDT)
In-Reply-To: <788eb8c40907261406i312d7546n49876df495497914@mail.gmail.com>
References: <0016e68dce8223dd6f046f849495@google.com> <4A6C2950.2060302@ericsson.com> <4A6C2BB1.5020300@hiit.fi> <788eb8c40907261406i312d7546n49876df495497914@mail.gmail.com>
Date: Tue, 28 Jul 2009 11:00:19 +0200
Message-ID: <788eb8c40907280200m2c2b59a2vfa8c6a8d063899a1@mail.gmail.com>
From: Pascal Urien <pascal.urien@gmail.com>
To: hipsec@ietf.org
Content-Type: multipart/mixed; boundary=0016361e8134d38fea046fc04cad
Cc: Andrei Gurtov <gurtov@hiit.fi>
Subject: Re: [Hipsec] Presentation at the next IETF 75
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jul 2009 09:00:24 -0000

Hi all,

My slides for today's IETF 75th meeting

Best Regards

Pascal

[Attachment: draft-urien-hip-tag-02.ppt (application/vnd.ms-powerpoint)]

From ari.keranen@nomadiclab.com  Tue Jul 28 04:47:17 2009
Return-Path: <ari.keranen@nomadiclab.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A3A9E3A6EC1 for <hipsec@core3.amsl.com>; Tue, 28 Jul 2009 04:47:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.747
X-Spam-Level: 
X-Spam-Status: No, score=-1.747 tagged_above=-999 required=5 tests=[AWL=0.502,  BAYES_00=-2.599, HELO_EQ_SE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GBtByKp90Cim for <hipsec@core3.amsl.com>; Tue, 28 Jul 2009 04:47:15 -0700 (PDT)
Received: from mailgw5.ericsson.se (mailgw5.ericsson.se [193.180.251.36]) by core3.amsl.com (Postfix) with ESMTP id B882C3A6EBD for <hipsec@ietf.org>; Tue, 28 Jul 2009 04:47:12 -0700 (PDT)
X-AuditID: c1b4fb24-b7c01ae00000498b-a9-4a6ee540daa7
Received: from esealmw128.eemea.ericsson.se (Unknown_Domain [153.88.253.124]) by mailgw5.ericsson.se (Symantec Brightmail Gateway) with SMTP id 26.DC.18827.045EE6A4; Tue, 28 Jul 2009 13:47:12 +0200 (CEST)
Received: from esealmw128.eemea.ericsson.se ([153.88.254.176]) by esealmw128.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.3959);  Tue, 28 Jul 2009 13:46:15 +0200
Received: from mail.lmf.ericsson.se ([131.160.11.50]) by esealmw128.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.3959);  Tue, 28 Jul 2009 13:46:15 +0200
Received: from [127.0.0.1] (nomadiclab.lmf.ericsson.se [131.160.33.3]) by mail.lmf.ericsson.se (Postfix) with ESMTP id 9BDFE2553; Tue, 28 Jul 2009 14:46:14 +0300 (EEST)
Message-ID: <4A6EE502.3060404@nomadiclab.com>
Date: Tue, 28 Jul 2009 14:46:10 +0300
From: Ari Keranen <ari.keranen@nomadiclab.com>
User-Agent: Thunderbird 2.0.0.22 (X11/20090608)
MIME-Version: 1.0
To: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
References: <4A6447DC.7070005@ericsson.com>	<77F357662F8BFA4CA7074B0410171B6D07B0C4AA@XCH-NW-5V1.nw.nos.boeing.com>	<4A65F513.5030701@ericsson.com> <77F357662F8BFA4CA7074B0410171B6D07B0C4D3@XCH-NW-5V1.nw.nos.boeing.com>
In-Reply-To: <77F357662F8BFA4CA7074B0410171B6D07B0C4D3@XCH-NW-5V1.nw.nos.boeing.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 28 Jul 2009 11:46:15.0365 (UTC) FILETIME=[0342CF50:01CA0F79]
X-Brightmail-Tracker: AAAAAA==
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] Comments on the HIP-BONE draft
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jul 2009 11:47:17 -0000

Hi Tom,

Henderson, Thomas R wrote:
>>> Where I think it becomes conflated, however, is when you 
>> try to use the
>>> overlay to forward HIP signaling traffic.   I see why you 
>> are trying to
>>> do this but it leads to these questions:
>> we had a lot of discussions in the past about this. There 
>> were different 
>> proposals, one of which proposed the simple use you described 
>> above. The 
>> conclusion was to do what HIP BONE specifies. I do not think 
>> it would be 
>> productive to go through the same discussions again at this point.
> 
> I am not trying to rathole things, I would just like to understand how
> it is supposed to work.  Maybe if I sketched out some use cases, you
> could suggest how you think it would work.  For instance, consider five
> nodes A-E, and two overlays (X.org's overlay, and Q.com's overlay).
> Nodes A-D belong to Q.com's overlay, and A and C to X.org's overlay.  
> 
> Peer-ID:  X.org-AID             X.org-CID   
> 
> Peer-ID:  Q.com-AID  Q.com-BID  Q.com-CID  Q.com-DID
> 
> HIT:      A-HIT      B-HIT      C-HIT      D-HIT        E-HIT
> 
> IP-addr:  A-IP       B-IP       C-IP       D-IP         E-IP

Many of the details depend on the particular instance specification, and 
the RELOAD instance spec is still very much work-in-progress, so how 
things are done is likely to evolve from the current situation. Anyway, 
here's how I see these use cases could work.

> Case 1:  The overlay process belonging to Q.com on node E wants to join
> overlay Q.com.  What assumptions do you make about the bootstrapping
> record that Q.com's overlay process must have about well-known, stable
> nodes?  Does this bootstrapping record store the tuple (Q.com-AID,
> A-HIT, A-IP) or just (Q.com-AID, A-HIT)?

Especially bootstrapping is a peer protocol dependent feature (as noted 
in Sections 3.1 and 3.4 of the HIP BONE draft), but in general, you need 
at minimum an IP address (+ possibly port) of an overlay node to contact 
and some overlay identifier (not necessarily a peer ID) used to tell the 
contacted node which overlay you want to join. Adding also HIT to the 
tuple increases security, but is not mandatory if the overlay uses an 
enrollment server that gives certificates for the HITs and the nodes can 
use the certificates to prove that they truly belong to that overlay.

> Case 2:  Suppose on node A, the peer protocol on node A for overlay
> Q.com decides to initiate a HIP association to node C.  What name does
> it use for node C?  Presumably, its peer-id "Q.com-CID".  So, it needs
> to discover the C-HIT and ultimately the C-IP.  So, as part of the peer
> protocol, it resolves Q.com-CID to C-HIT.  I suppose that it does this
> with the existing connections that it has.  Does it also at this time
> obtain C-IP?  Next, it issues a connect(HIT) socket call.  What happens
> next?  There is an outbound I1 to a HIT.  Does the I1 go to the HIP
> routing layer, or does the HIP process try to do a DNS/DHT lookup, or
> both?  If there are no such records, how does the I1 propagate through
> the Q.com overlay, which is not routing HITs but Peer-IDs?  If you
> suggest, as below, that Q.com's overlay name is stored in the I1, how
> does this "Q.com" get passed through the socket API so that HIP knows
> that the process that used the socket API to connect(HIT) was associated
> with Q.com?  Or is the native socket API not involved in this framework?

If Peer-IDs are not HITs, the peer protocol uses "Q.com-CID" as the peer 
name for node C. If this is the case, presumably there is a mapping 
(using some transformation) between Peer ID and HIT, so that there is no 
need for any discovery step.

There is no need to query for C-IP in the overlay since the HIP base 
exchange is done via the overlay and the C-IP (or, the "best" C-IP) is 
discovered using ICE as defined in the NAT traversal draft. And the BeX 
is done using existing overlay connections.

I1 (and the rest of the BeX) is routed using the overlay routing table 
constructed by the overlay protocol, so there is no additional (DNS/DHT) 
lookup for this. If there is no mapping from HIT to Peer ID, we may need 
to convey also the Peer IDs in the HIP packets.

The interaction with peer protocol is likely to require more features 
than what the current HIP native socket API can provide, but at least my 
view on this is that the peer protocol and HIP daemon are integrated so 
that they don't need to use the socket API for sharing the routing table 
(e.g., they are run in the same process, or they use IPC).

> Suppose a HIP association is built between node A and node C, based on
> the Q.com peer protocol.  Is this association exported to overlay X.org?

IMO, no. The different overlays likely have different finger tables 
(i.e., peer protocol connections between peers) and thus it would be 
unlikely (at least in a big network) that they would share connections. 
Also, the HITs for different overlays are likely to be different. This 
could be considered as an optimization though.

> If so, suppose A later leaves Q.com overlay, but stays on X.org overlay.
> Does the HIP association from A to C persist?  Are HIP records inserted
> into the HIP routing table by a particular peer protocol "owned" by that
> protocol, and must be removed by that protocol (just as IP routes are
> tagged by the routing protocols that insert them into the FIB)?

Whether a HIP association persists would depend on the implementation 
of the optimization. If the association was created for something else 
than P2P protocol traffic (e.g., SIP call), it should persist as long as 
it is used.

The routing table records would be overlay instance specific (even if 
they use the same protocol) so they would be added and removed by the 
same overlay process.

> Case 3:  the stack on Node A is asked to open a session to F-HIT.  It
> doesn't know this yet, but F-HIT is not a known HIT in any of the
> overlays that it belongs to.  What happens?

The overlay tries to route I1 to F-HIT but when it fails to do so, the 
node that detects this (i.e., the node that is responsible for the part 
of the overlay where F would be) responds with an error message. The 
MESSAGE_NOT_RELAYED notify packet type could be used for this, but I 
think the behavior is HIP BONE instance specification specific.

>>> 1) the overlay may stitch together addressing realms that 
>> have no hope
>>> of supporting end-to-end HIP associations between them.  
>> For instance,
>>> this simple topology:
>>>
>>> node A <--------Ipv4 network -----> node B <--------Ipv6 network
>>> ---------> node C
>>>
>>> The overlay may route the I1 from node A to node C and R1 
>> back, but no
>>> HIP association between A and C can actually be formed.
>> This is not a problem specific to the use of HIP in the 
>> overlay. It is a 
>> general problem of the overlay, even if it was not using HIP. If no 
>> direct connections can be formed between nodes in an overlay, the 
>> overlay will most likely keep on routing stuff through the overlay.
> 
> It depends on the type of overlay, whether the overlay allows "cut
> through" forwarding like you are proposing or whether data is forwarded
> hop-by-hop at the overlay layer.  But HIP requires the end-to-end
> association-- you can't just terminate it hop-by-hop (unless perhaps you
> are using HIP DATA packets).

HIP DATA packets could be used for this. Also, it is possible to use a 
TURN server with IPv4-IPv6 translation. If a TURN server implementing 
the turn-ipv6 draft is used, ICE would take care of this.

>>> 2) what if node B above belongs to multiple other HIP-based 
>> overlays?
>>> How does it know on which overlay to forward the I1?
>> This is one of the open issues of the instance draft. RELOAD 
>> has its own 
>> way to identify different overlays. We need to decide how we want to 
>> convey that information in an I1.
> 
> If I1s need to be extended, that is an important framework issue.

The RELOAD HIP BONE instance spec defines an OVERLAY_ID attribute for this 
purpose. The (next version of) HIP BONE draft will define a generic 
format for the parameter and instance specs define how it is encoded for 
each specific protocol. All HIP overlay messages should have this 
parameter to indicate which overlay they belong to.

I understand that we want to keep I1 as simple as possible to prevent 
DoS attacks, but this parameter would not create any state in the 
receiving or forwarding node and it would be trivial to process, so I 
don't think it is a problem to have it there.

>>> Also, from a performance perspective, I think there may be some danger
>>> in abstracting the underlying topology away from a peer protocol.  From
>>> the peer protocol layer perspective, HIP makes every node look like it
>>> is "on link" whereas in fact, each node is possibly different number of
>>> hops away, in different administrative domains of the network, etc.
>> Not really. When HIP is not used, the ICE module takes care of
>> establishing those "links". The complexity of connection management is
>> abstracted out even when HIP is not used.
> 
> I was thinking that some overlays (such as content delivery networks)
> may want to run heuristics on IP addresses to determine network
> distances. 

I guess you're referring to the IP addresses of the hosts that you have 
a direct HIP association with (since even without HIP you don't know the 
addresses of the intermediate nodes forwarding the messages in the 
overlay). For such nodes, I assume one can ask the current IP address 
using the native HIP API and SHIM_LOC_PEER_SEND (or SHIM_LOCLIST_PEER?) 
socket option. That said, because of TURN servers and other relays, this 
may not be really a good idea.

>>> To summarize, I think there is some value in defining how P2PSIP-based
>>> overlay could use HIP to form its links and deal with NAT, mobility, and
>>> multihoming.  However, before allowing RELOAD nodes to perform the HIP
>>> distributed rendezvous service, I would first define:
>>> 1) how the system works in the case where the enrollment server chooses
>>> PeerIds that are not HITs
>> The framework already says this is possible... and the instance draft
>> will need to define how that is done for RELOAD, of course.

With RELOAD, the enrollment server can generate Peer IDs that have the 
ORCHID prefix either by generating the key pair or by generating a random 
ID and using certificates.

>>> 2) how two such independent overlays (run by different organizations)
>>> could operate on the same node, and how the node would ensure that
>>> messages got onto the right overlays
>> This will also need to be defined by the instance draft... in any case,
>> I agree with you that the framework needs to talk more about this (it
>> does not discuss this issue right now).

This will be addressed with the generic OVERLAY_ID in the framework draft.


Cheers,
Ari
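
The Peer ID versus HIT question discussed in this message, as an added example (not code from the drafts or from anyone in the thread): ORCHID generation as defined in RFC 4843 with the HIP Context ID from RFC 5201, and a check of which of the three Peer ID cases an identifier falls into. The host-identity byte strings, the `classify_peer_id` helper and its labels are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress

# Context ID assigned to HIP for ORCHID generation (RFC 5201).
HIP_CONTEXT_ID = bytes.fromhex("F0EFF02FBFF43D0FE7930C3C6E6174EA")
ORCHID_PREFIX = 0x2001001      # the 28 bits of 2001:10::/28 (RFC 4843)
HASH_BITS = 128 - 28           # only 100 bits remain for the hash

# Constructed placeholder bytes standing in for two encoded Host Identities.
CONSTRUCTED_HI_A = b"constructed-host-identity-A"
CONSTRUCTED_HI_B = b"constructed-host-identity-B"


def encode_100(digest: bytes) -> int:
    """Encode_100 of RFC 4843: the middle 100 bits of a 160-bit digest."""
    if len(digest) != 20:
        raise ValueError("expected a SHA-1 digest")
    drop = (160 - HASH_BITS) // 2          # 30 bits dropped on each side
    return (int.from_bytes(digest, "big") >> drop) & ((1 << HASH_BITS) - 1)


def orchid(host_identity: bytes) -> bytes:
    """ORCHID := Prefix | Encode_100(SHA-1(Context ID | Input))."""
    digest = hashlib.sha1(HIP_CONTEXT_ID + host_identity).digest()
    value = (ORCHID_PREFIX << HASH_BITS) | encode_100(digest)
    return value.to_bytes(16, "big")


def has_orchid_prefix(identifier: bytes) -> bool:
    """True if a 128-bit identifier lies inside 2001:10::/28."""
    return (len(identifier) == 16
            and int.from_bytes(identifier, "big") >> HASH_BITS == ORCHID_PREFIX)


def classify_peer_id(peer_id: bytes, host_identity: bytes) -> str:
    """Hypothetical helper: which case from the thread does this Peer ID match?

    "hit"                   - the Peer ID is the hash of the presented key,
                              so the key itself proves ownership of the ID.
    "orchid-prefix-unbound" - ORCHID-shaped but not derived from this key;
                              the binding has to come from elsewhere, e.g. a
                              certificate issued by the enrollment server.
    "needs-conversion"      - not usable by HIP as-is; the instance spec has
                              to define a mapping.
    """
    if not has_orchid_prefix(peer_id):
        return "needs-conversion"
    if hmac.compare_digest(peer_id, orchid(host_identity)):
        return "hit"
    return "orchid-prefix-unbound"


if __name__ == "__main__":
    hit = orchid(CONSTRUCTED_HI_A)
    random_with_prefix = ((ORCHID_PREFIX << HASH_BITS) | 1).to_bytes(16, "big")
    print(ipaddress.IPv6Address(hit))
    print(classify_peer_id(hit, CONSTRUCTED_HI_A))
    print(classify_peer_id(random_with_prefix, CONSTRUCTED_HI_A))
    print(classify_peer_id(bytes([0xAB]) * 16, CONSTRUCTED_HI_A))
```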

From ari.keranen@nomadiclab.com  Tue Jul 28 04:54:22 2009
Message-ID: <4A6EE6C3.1050600@nomadiclab.com>
Date: Tue, 28 Jul 2009 14:53:39 +0300
From: Ari Keranen <ari.keranen@nomadiclab.com>
User-Agent: Thunderbird 2.0.0.22 (X11/20090608)
MIME-Version: 1.0
To: wangjun <wang_russell@hotmail.com>
References: <4A6447DC.7070005@ericsson.com><77F357662F8BFA4CA7074B0410171B6D07B0C4AA@XCH-NW-5V1.nw.nos.boeing.com>	<4A65F513.5030701@ericsson.com> <BAY114-DAV868AC2FDA00CF5588319BED150@phx.gbl>
In-Reply-To: <BAY114-DAV868AC2FDA00CF5588319BED150@phx.gbl>
Cc: 'HIP' <hipsec@ietf.org>
Subject: Re: [Hipsec] Comments on the HIP-BONE draft

Hi,

wangjun wrote:
> About the HIP ID and Peer ID, my understanding:
> 1) The HIP BONE is a p2p overlay; the peers talk a p2p protocol to each
> other, and HIP can be encapsulated in a p2p payload.

Actually, the current idea is that peer protocol messages would be 
encapsulated in HIP messages to keep the protocol layering consistent.

> 2) Every HIP host is a p2p client or a p2p-agnostic terminal, and attaches to
> arbitrary peer(s) of the overlay; they register their locator-HIP_ID
> bindings into the HIP BONE.

The HIP hosts don't actually need to register locators to the overlay 
since the HIP base exchange is done via the overlay and the (best) 
locator is discovered using ICE (see [1] but replace HIP relay server 
with a HIP BONE overlay).

> So the HIP hosts may be designated a peer ID, but it's really not
> mandated.

HIP hosts have peer IDs when they are part of a HIP BONE overlay, but 
preferably the peer ID is one of the HITs of the host.


Cheers,
Ari

[1] http://tools.ietf.org/html/draft-ietf-hip-nat-traversal-08

> -----Original Message-----
> From: hipsec-bounces@ietf.org [mailto:hipsec-bounces@ietf.org] On Behalf Of
> Gonzalo Camarillo
> Sent: 2009-07-21 19:04
> To: Henderson, Thomas R
> Cc: HIP
> Subject: [Hipsec] Comments on the HIP-BONE draft
> 
> Hi Tom,
> 
> thanks for your comments. Answers inline:
> 
>>> http://tools.ietf.org/id/draft-ietf-hip-bone-02.txt
>> I remain very uneasy about the above draft, which I think is not very 
>> clear and skirts over some hard issues.
> 
> we have moved a few things to the RELOAD instance draft, which is still very
> much work in progress (as you can see if you read the draft). Some issues
> will be addressed there. Of course, any general issues belonging to the
> framework should be addressed in this document.
> 
>> The document tries to provide a generalized framework for HIP-based 
>> overlays, but it is not clear how it will work when there are multiple 
>> peer protocols (multiple overlays) and when the peer IDs are not the 
>> same as the node IDs.  The specific instance draft does not handle 
>> these issues; it assumes that the peer ID is the ORCHID (which was not 
>> acceptable to some in the P2PSIP WG due to possible chosen ID 
>> attacks), and is, of course, only one instance.
> 
> The framework does not assume that Peer IDs are used at the HIP level. 
> It just tells you that depending on the Peer IDs used in your overlay, you
> need to convert them to something HIP can use. Originally, we thought of
> having a draft that described that conversion in general (you yourself were
> working on a similar draft at some point) but now we tend to think that this
> type of conversion is better defined in the instance specs.
> 
> Regarding the RELOAD instance draft, this is one of the open issues. 
> That is, whether we can use RELOAD peer IDs directly or if we need some type
> of transformation (ORCHIDs have a prefix; therefore, there are less than 128
> bits available).
> 
>> In general, I recommend not trying to complete work on a framework for 
>> multiple overlays until there is an example of at least how two 
>> independent overlays (perhaps with different peer protocols and 
>> different peer ID structures) coexists on some of the same nodes, and 
>> the peer IDs are not HITs.
> 
> RELOAD has its own way of identifying particular overlays. Other peer
> protocols may have different ways. Therefore, this does not seem to be a
> framework issue. Each instance draft would need to describe it separately...
> in any case, I agree it is worthwhile talking a bit more about this in the
> framework.
> 
>> The draft states:
>> "Since HIP needs
>> ORCHIDs (and not any type of Peer ID) to work, hosts in the overlay 
>> will transform their Peer IDs into ORCHIDs, for example, by taking a 
>> hash of the Peer IDs or taking a hash of the Peer ID and the public 
>> key."
>>
>> I don't see how this would work since for an ORCHID to be used as a 
>> HIT, it must hash a public key.
> 
> The text wants to indicate that conversions between Peer IDs and ORCHIDs are
> up to each particular instance specification. I agree removing the examples
> may be a good idea so that they do not mislead readers.
> 
>> It is not clear from the document what IDs are being routed if the 
>> peer ID is not the same as the HIT.  I think the answer is that it is 
>> the peer IDs that are being routed, and HIP is just providing the 
>> links between the peer IDs.
> 
> Yes, routing tables contain Peer IDs.
> 
>> It may be that the peer IDs are the same as HITs in some instances, 
>> but it should be architecturally clear that transport connections are 
>> being terminated at each hop in the overlay.
> 
> Yes, transport connections are between hops in the overlay, as usual.
> 
>> If the document were to describe an overlay architecture where you 
>> recommend to the peer protocols "Use HITs like you would otherwise use 
>> IP addresses, and HIP will take care of the rest of the ugly business 
>> of NAT traversal, mobility, and multihoming," then it would seem to be 
>> relatively straightforward, so long as HIP took it upon itself with no 
>> dependency on the peer protocol to do anything for it.
>>
>> Where I think it becomes conflated, however, is when you try to use the
>> overlay to forward HIP signaling traffic.   I see why you are trying to
>> do this but it leads to these questions:
> 
> we had a lot of discussions in the past about this. There were different
> proposals, one of which proposed the simple use you described above. The
> conclusion was to do what HIP BONE specifies. I do not think it would be
> productive to go through the same discussions again at this point.
> 
>> 1) the overlay may stitch together addressing realms that have no hope 
>> of supporting end-to-end HIP associations between them.  For instance, 
>> this simple topology:
>>
>> node A <--------Ipv4 network -----> node B <--------Ipv6 network
>> ---------> node C
>>
>> The overlay may route the I1 from node A to node C and R1 back, but no 
>> HIP association between A and C can actually be formed.
> 
> This is not a problem specific to the use of HIP in the overlay. It is a
> general problem of the overlay, even if it was not using HIP. If no direct
> connections can be formed between nodes in an overlay, the overlay will most
> likely keep on routing stuff through the overlay.
> 
>> 2) what if node B above belongs to multiple other HIP-based overlays?
>> How does it know on which overlay to forward the I1?
> 
> This is one of the open issues of the instance draft. RELOAD has its own way
> to identify different overlays. We need to decide how we want to convey that
> information in an I1.
> 
>> Also, from a performance perspective, I think there may be some danger 
>> in abstracting the underlying topology away from a peer protocol.  
>> From the peer protocol layer perspective, HIP makes every node look 
>> like it is "on link" whereas in fact, each node is possibly different 
>> number of hops away, in different administrative domains of the network,
>> etc.
> 
> Not really. When HIP is not used, the ICE module takes care of establishing
> those "links". The complexity of connection management is abstracted out
> even when HIP is not used.
> 
>> To summarize, I think there is some value in defining how P2PSIP-based 
>> overlay could use HIP to form its links and deal with NAT, mobility, 
>> and multihoming.  However, before allowing RELOAD nodes to perform the 
>> HIP distributed rendezvous service, I would first define:
>> 1) how the system works in the case where the enrollment server 
>> chooses PeerIds that are not HITs
> 
> The framework already says this is possible... and the instance draft will
> need to define how that is done for RELOAD, of course.
> 
>> 2) how two such independent overlays (run by different organizations) 
>> could operate on the same node, and how the node would ensure that 
>> messages got onto the right overlays
> 
> This will also need to be defined by the instance draft... in any case, I
> agree with you that the framework needs to talk more about this (it does not
> discuss this issue right now).
> 
>> The above can all be done by assuming that HIP rendezvous is done in 
>> the underlay, not overlay.  As a final step, one might consider 
>> whether one of these overlays itself could be leveraged to forward HIP 
>> traffic.  If all of this holds together, then I think we might have a 
>> framework document that completes the charter item.
> 
> You make valid points above. After addressing your points in a new revision
> of the draft (possibly after more list discussions), I think the best way to
> proceed will be to progress the framework and the instance draft together so
> that they can be reviewed at the same time. 
> In that way, it will be clearer for the reviewers.
> 
>> As an editorial note, I also would recommend skipping section 2 
>> because RFC 4423 and other documents are available to provide HIP
>> tutorials.
> 
> This is the typical comment we often get from HIP experts :o)... 
> however, application-layer people really appreciated that part of the draft
> when they read it. Before writing it, we sent them all types of links to HIP
> documents and tutorials but they did not find them useful. 
> I actually believe that having that type of tutorial material in the draft
> makes it much easier for application-layer people to understand the draft
> (and eventually decide to use it). So, I strongly suggest to keep it in the
> draft.
> 
> Thanks,
> 
> Gonzalo
> 
> _______________________________________________
> Hipsec mailing list
> Hipsec@ietf.org
> https://www.ietf.org/mailman/listinfo/hipsec
> 


From wang.jun17@zte.com.cn  Tue Jul 28 07:05:07 2009
In-Reply-To: <4A6EE6C3.1050600@nomadiclab.com>
To: Ari Keranen <ari.keranen@nomadiclab.com>
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 6.5.4 March 27, 2005
Message-ID: <OF4E55414E.C3A0392A-ON48257601.004991CD-C1257601.004CECEC@zte.com.cn>
From: wang.jun17@zte.com.cn
Date: Tue, 28 Jul 2009 16:00:15 +0200
Cc: 'HIP' <hipsec@ietf.org>, hipsec-bounces@ietf.org
Subject: Re: [Hipsec] Comments on the HIP-BONE draft


From Jan.Melen@nomadiclab.com  Tue Jul 28 07:30:54 2009
Message-ID: <4A6F0B98.5000006@nomadiclab.com>
Date: Tue, 28 Jul 2009 17:30:48 +0300
From: Jan Melen <Jan.Melen@nomadiclab.com>
User-Agent: Thunderbird 2.0.0.7pre (X11/20090418)
MIME-Version: 1.0
To: Tobias Heer <heer@cs.rwth-aachen.de>
References: <6512FD53-0253-4B49-BC0D-41022DBB9644@cs.rwth-aachen.de>
In-Reply-To: <6512FD53-0253-4B49-BC0D-41022DBB9644@cs.rwth-aachen.de>
Cc: hip WG <hipsec@ietf.org>
Subject: Re: [Hipsec] Comments on hiccups draft

Hi,

Tobias Heer wrote:
> Some comments on the hiccups draft. In general I find the approach 
> interesting and worth pursuing. Below are some questions that mostly 
> focus on security:
>
> Conceptual comments and questions:
> ----------------------------------
>
> Section 3: Existence of the HMAC in the packet:
> The hiccups draft states that "[the payload is] protected by a 
> PAYLOAD_HMAC parameter". To me it is unclear how such protection can 
> possibly work. Since there is no previous handshake there are no keys 
> for use in the HMAC. Jan explained that the HMAC is merely used as a 
> way to create a digest over the packet for making the signature more 
> efficient. However, if it is only used for creating the digest, I 
> wonder why it is actually transmitted in the packet because without a 
> secret included in the packet, the digest can easily be calculated and 
> transmitting the digest in a packet seems to be an unnecessary waste of 
> space. Am I missing something here? It would be nice if the draft was 
> more precise about the nature and the use of the HMAC.
>

Yes, it is only a message authentication code of the packet and I know 
that you don't have to send it but it is less prone to errors if you do 
send it as the receiving end doesn't have to generate the actual 
parameter that was used to create MAC code in order to verify the signature.

> Section 4.3: Sending R1 if receiver suspects an attack:
> I guess that in this case, the receiver drops the data packet and its 
> content should be retransmitted (by a higher-layer mechanism?)? If 
> yes, this could be mentioned somewhere.

Yes, I will add that to the draft.

>
> Replay protection:
> The draft talks about immediate replays of DATA packets in the 
> context of DoS attacks targeted at ACK signature generation. However, 
> it does not talk about replays after a longer time (e.g. to mess with 
> upper-layer state machines).
> How can hosts shelter against replays of valid but old hiccups 
> packets? The sequence number only works from the second packet on and 
> still complete sequences of HIP DATA packets can be replayed. Caching 
> packets or keeping state for every ever-received packet is probably 
> not feasible. Is there a solution? If not, this should also be stated 
> in the text and the security considerations.
>
> Various sections: DoS resistance:
> The draft briefly mentions that the protocol is susceptible to DoS 
> attacks. This statement is rather vague and only mentions the absence 
> of "half-stateless DoS protection nature of the base exchange" and 
> immediate replays. However, CPU targeted DoS attacks (verification of 
> PK-signatures without a puzzle or working HMAC to shelter against 
> floods of HIP DATA packets - not necessarily replays) seem much more 
> realistic to me than state space exhaustion attacks. Using HIP DATA 
> packet creates a computational asymmetry between the attacker and the 
> victim (receiver). This imbalance could be mentioned in a more 
> explicit way.

These are known attacks and that is why we have said in the security 
considerations section that hosts should consider carefully when to 
accept HIP data packets.


> Editorial comments:
> -------------------
>
> Section 4.3: "The host MAY responds" -> "The host MAY respond"

Thanks for the comments
Jan
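
The PAYLOAD_HMAC question in this exchange, as an added example (not code from the draft or from either poster): with no handshake the MAC has no secret key, so it is only a digest, and the receiver has to both recompute it from the payload and verify the signature over it. The packet layout and function names are assumptions, and a Lamport one-time signature built from the standard library stands in for the sender's public-key signature; it is not the algorithm HIP uses.

```python
import hashlib
import hmac
import os

NO_SECRET = b""  # assumption: without a handshake the MAC key is known to everyone


def digest_param(payload: bytes) -> bytes:
    """Keyless MAC over the payload; any party can recompute it."""
    return hmac.new(NO_SECRET, payload, hashlib.sha256).digest()


# Lamport one-time signature: stand-in for the sender's public-key signature.
def lamport_keygen():
    secret = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    public = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest())
              for a, b in secret]
    return secret, public


def _bits(message: bytes):
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return [(h >> i) & 1 for i in range(256)]


def lamport_sign(secret, message: bytes):
    # One key pair signs one message only.
    return [secret[i][bit] for i, bit in enumerate(_bits(message))]


def lamport_verify(public, message: bytes, signature) -> bool:
    if len(signature) != 256:
        return False
    return all(hashlib.sha256(sig).digest() == public[i][bit]
               for i, (bit, sig) in enumerate(zip(_bits(message), signature)))


def send(secret, payload: bytes) -> dict:
    """Sender: compute the digest parameter, then sign the digest."""
    mac = digest_param(payload)
    return {"payload": payload, "mac": mac, "sig": lamport_sign(secret, mac)}


def accept_mac_only(packet: dict) -> bool:
    """Checks only that the transmitted digest matches the payload."""
    return hmac.compare_digest(digest_param(packet["payload"]), packet["mac"])


def accept_sig_only(public, packet: dict) -> bool:
    """Trusts the transmitted digest without recomputing it."""
    return lamport_verify(public, packet["mac"], packet["sig"])


def accept(public, packet: dict) -> bool:
    """Recompute the digest from the payload, then verify the signature."""
    return accept_mac_only(packet) and accept_sig_only(public, packet)


def run_cases() -> dict:
    secret, public = lamport_keygen()
    genuine = send(secret, b"constructed signalling payload")
    # Case 1: payload altered in transit and the keyless digest recomputed.
    recomputed = dict(genuine, payload=b"altered payload")
    recomputed["mac"] = digest_param(recomputed["payload"])
    # Case 2: payload altered, digest and signature left exactly as sent.
    stale = dict(genuine, payload=b"altered payload")
    return {
        "genuine": accept(public, genuine),
        "recomputed_mac_only": accept_mac_only(recomputed),
        "recomputed_full": accept(public, recomputed),
        "stale_sig_only": accept_sig_only(public, stale),
        "stale_full": accept(public, stale),
    }


if __name__ == "__main__":
    for name, result in run_cases().items():
        print(f"{name}: {result}")
```

The digest check alone accepts the first altered packet and the signature check alone accepts the second; only the combined check rejects both.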


From Jan.Melen@nomadiclab.com  Tue Jul 28 07:34:46 2009
Message-ID: <4A6F0C81.3060606@nomadiclab.com>
Date: Tue, 28 Jul 2009 17:34:41 +0300
From: Jan Melen <Jan.Melen@nomadiclab.com>
User-Agent: Thunderbird 2.0.0.7pre (X11/20090418)
MIME-Version: 1.0
To: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
References: <49815F7E.5080604@hiit.fi> <77F357662F8BFA4CA7074B0410171B6D07B0BD3A@XCH-NW-5V1.nw.nos.boeing.com>
In-Reply-To: <77F357662F8BFA4CA7074B0410171B6D07B0BD3A@XCH-NW-5V1.nw.nos.boeing.com>
Cc: hipsec@ietf.org
Subject: Re: [Hipsec] feedback of hiccups-01 draft

Hi,

Henderson, Thomas R wrote:
>> * The justification for the seq/ack mechanism is a bit unclear. Is it 
>> only about replay protection?
>>     
>
> I have a similar question-- why not just make this an unreliable data
> service and delegate reliability to the application?
>
>   

The justification is in the main user of the HIP_DATA packet which is 
a signalling application. The HIP_DATA packet is meant only for 
exchanging a few packets between the hosts, not a stream of data. If you 
need to exchange a large stream of data then you should run base 
exchange and not use HIP_DATA.


>> * Second paragraph in section 5 explain about the issues with 
>> fragmentation. Implementation wise, shouldn't this problem be just 
>> solved by lowering the MTU of the tunnel device by the size of HIP 
>> header, [HOST_ID], payload HMAC and HIP_SIGNATURE?
>>     
>
> I think this is a complicated issue and agree that it would be helpful
> to give more guidance on how to handle it, beyond "should not generate
> too large datagrams".  Again, there may be API issues to discuss with
> respect to this.
>
>
>   

I will add some more text in that section

Jan


From Jan.Melen@nomadiclab.com  Tue Jul 28 07:37:47 2009
Message-ID: <4A6F0D31.9020501@nomadiclab.com>
Date: Tue, 28 Jul 2009 17:37:37 +0300
From: Jan Melen <Jan.Melen@nomadiclab.com>
User-Agent: Thunderbird 2.0.0.7pre (X11/20090418)
MIME-Version: 1.0
To: miika.komu@hiit.fi
References: <49815F7E.5080604@hiit.fi>
In-Reply-To: <49815F7E.5080604@hiit.fi>
Cc: hipsec@ietf.org
Subject: Re: [Hipsec] feedback of hiccups-01 draft

Miika Komu wrote:
>
> * I guess the draft assumes that data packets may be sent over 
> HIP-aware overlays. I would suggest that the authors have a look at 
> draft-heer-hip-middle-auth and perhaps add a pointer to the draft. 
> Particularly, I would propose to make the public key mandatory and 
> perhaps the middlebox extension as SHOULD? There is a new version of 
> the draft coming up very soon. Feel free to ask Tobias for a preview 
> if you are interested.

I think that the host on the path should not verify the signatures on 
HIP_DATA packets as it is meant that these are anyway only a few packets 
that are exchanged between the peers and not a stream of data. For 
streams you set-up a full HIP association using base-exchange and ESP as 
a transport.

   Jan


From heer@informatik.rwth-aachen.de  Tue Jul 28 07:42:00 2009
MIME-version: 1.0
Content-transfer-encoding: 7BIT
Content-type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Message-id: <DBE7A7ED-1979-4BB3-B349-40773E9780A1@cs.rwth-aachen.de>
From: Tobias Heer <heer@cs.rwth-aachen.de>
To: hip WG <hipsec@ietf.org>
In-reply-to: <4A6F0B98.5000006@nomadiclab.com>
Date: Tue, 28 Jul 2009 16:41:56 +0200
References: <6512FD53-0253-4B49-BC0D-41022DBB9644@cs.rwth-aachen.de> <4A6F0B98.5000006@nomadiclab.com>
X-Mailer: Apple Mail (2.935.3)
Subject: Re: [Hipsec] Comments on hiccups draft

Hi Jan,

On 28.07.2009 at 16:30, Jan Melen wrote:

>> Section 3: Existence of the HMAC in the packet:
>> The hiccups draft states that "[the payload is] protected by a  
>> PAYLOAD_HMAC parameter". To me it is unclear how such protection  
>> can possibly work. Since there is no previous handshake there are  
>> no keys for use in the HMAC. Jan explained that the HMAC is merely  
>> used as a way to create a digest over the packet for making the  
>> signature more efficient. However, if it is only used for creating  
>> the digest, I wonder why it is actually transmitted in the packet  
>> because without a secret included in the packet, the digest can  
>> easily be calculated and transmitting the digest in a packet seems  
>> to be an unnecessary waste of space. Am I missing something here? It  
>> would be nice if the draft was more precise about the nature and  
>> the use of the HMAC.
>>
>
> if you do send it as the receiving end doesn't have to generate the  
> actual parameter that was used to create MAC code in order to verify  
> the signature.

You must recalculate the digest anyway. Otherwise the receiver will  
only check that the signature covers the HMAC but the receiver will  
not check that the packet contents match the HMAC. In that sense only  
the HMAC but not the packet contents would be integrity-protected.  
Since you have to generate the digest over the whole packet anew  
anyway I do not see the advantage of sending it in the packet.

Best regards,

Tobias



--  

Dipl.-Inform. Tobias Heer, Ph.D. Student
Distributed Systems Group
RWTH Aachen University, Germany
tel: +49 241 80 207 76
web: http://ds.cs.rwth-aachen.de/members/heer








From Jan.Melen@nomadiclab.com  Tue Jul 28 08:10:48 2009
Message-ID: <4A6F14F5.50905@nomadiclab.com>
Date: Tue, 28 Jul 2009 18:10:45 +0300
From: Jan Melen <Jan.Melen@nomadiclab.com>
User-Agent: Thunderbird 2.0.0.7pre (X11/20090418)
MIME-Version: 1.0
To: Tobias Heer <heer@cs.rwth-aachen.de>
References: <6512FD53-0253-4B49-BC0D-41022DBB9644@cs.rwth-aachen.de> <4A6F0B98.5000006@nomadiclab.com> <DBE7A7ED-1979-4BB3-B349-40773E9780A1@cs.rwth-aachen.de>
In-Reply-To: <DBE7A7ED-1979-4BB3-B349-40773E9780A1@cs.rwth-aachen.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: ClamAV using ClamSMTP
Cc: hip WG <hipsec@ietf.org>
Subject: Re: [Hipsec] Comments on hiccups draft

Hi Tobias,

Tobias Heer wrote:
> On 28.07.2009 at 16:30, Jan Melen wrote:
>
>>> Section 3: Existence of the HMAC in the packet:
>>> The hiccups draft states that "[the payload is] protected by a 
>>> PAYLOAD_HMAC parameter". To me it is unclear how such protection can 
>>> possibly work. Since there is no previous handshake there are no 
>>> keys for use in the HMAC. Jan explained that the HMAC is merely used 
>>> as a way to create a digest over the packet for making the signature 
>>> more efficient. However, if it is only used for creating the digest, 
>>> I wonder why it is actually transmitted in the packet because 
>>> without a secret included in the packet, the digest can easily be 
>>> calculated and transmitting the digest in a packet seems to be an 
>>> unnecessary waste of space. Am I missing something here? It would be 
>>> nice if the draft was more precise about the nature and the use of 
>>> the HMAC.
>>>
>>
>> if you do send it as the receiving end doesn't have to generate the 
>> actual parameter that was used to create MAC code in order to verify 
>> the signature.
>
> You must recalculate the digest anyway. Otherwise the receiver will 
> only check that the signature covers the HMAC but the receiver will 
> not check that the packet contents match the HMAC. In that sense only 
> the HMAC but not the packet contents would be integrity-protected. 
> Since you have to generate the digest over the whole packet anew 
> anyway I do not see the advantage of sending it in the packet.

Yes, you have to calculate it in either case; I'm not referring to that. 
I'm just saying that the implementation will be more error-prone if the 
host has to calculate the digest and then create the parameter. And we 
send the parameter in the packet the receiver can already after 
calculating the digest drop packets which have been modified on the 
transmit without calculating the signature (the non-malicious errors 
that happen on transmit).

   Jan


From Jan.Melen@nomadiclab.com  Tue Jul 28 08:17:02 2009
Message-ID: <4A6F166B.1050300@nomadiclab.com>
Date: Tue, 28 Jul 2009 18:16:59 +0300
From: Jan Melen <Jan.Melen@nomadiclab.com>
User-Agent: Thunderbird 2.0.0.7pre (X11/20090418)
MIME-Version: 1.0
To: hip WG <hipsec@ietf.org>
Content-Type: multipart/mixed; boundary="------------040309090805050507020908"
X-Virus-Scanned: ClamAV using ClamSMTP
Subject: [Hipsec] [Fwd: I-D Action:draft-nikander-hip-hiccups-03.txt]

This is a multi-part message in MIME format.
--------------040309090805050507020908
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit



-------- Original Message --------
Subject: 	I-D Action:draft-nikander-hip-hiccups-03.txt
Date: 	Tue, 28 Jul 2009 08:15:01 -0700 (PDT)
From: 	Internet-Drafts@ietf.org
Reply-To: 	internet-drafts@ietf.org
To: 	i-d-announce@ietf.org



A New Internet-Draft is available from the on-line Internet-Drafts directories.

	Title           : HIP (Host Identity Protocol) Immediate Carriage and Conveyance of Upper-layer Protocol Signaling (HICCUPS)
	Author(s)       : P. Nikander, et al.
	Filename        : draft-nikander-hip-hiccups-03.txt
	Pages           : 19
	Date            : 2009-07-28

This document defines a new HIP (Host Identity Protocol) packet type
called DATA.  HIP DATA packets are used to securely and reliably
convey arbitrary protocol messages over the Internet and various
overlay networks.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-nikander-hip-hiccups-03.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.



--------------040309090805050507020908
Content-Type: Message/External-body;
 name="draft-nikander-hip-hiccups-03.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="draft-nikander-hip-hiccups-03.txt"

Content-Type: text/plain
Content-ID: <2009-07-28080448.I-D@ietf.org>



--------------040309090805050507020908--

From Jan.Melen@nomadiclab.com  Tue Jul 28 08:17:18 2009
Message-ID: <4A6F167A.6060108@nomadiclab.com>
Date: Tue, 28 Jul 2009 18:17:14 +0300
From: Jan Melen <Jan.Melen@nomadiclab.com>
User-Agent: Thunderbird 2.0.0.7pre (X11/20090418)
MIME-Version: 1.0
To: hip WG <hipsec@ietf.org>
Content-Type: multipart/mixed; boundary="------------020909080502080004060304"
X-Virus-Scanned: ClamAV using ClamSMTP
Subject: [Hipsec] [Fwd: I-D Action:draft-melen-hip-proxy-01.txt]

This is a multi-part message in MIME format.
--------------020909080502080004060304
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit



-------- Original Message --------
Subject: 	I-D Action:draft-melen-hip-proxy-01.txt
Date: 	Tue, 28 Jul 2009 07:00:02 -0700 (PDT)
From: 	Internet-Drafts@ietf.org
Reply-To: 	internet-drafts@ietf.org
To: 	i-d-announce@ietf.org



A New Internet-Draft is available from the on-line Internet-Drafts directories.

	Title           : Host Identity Protocol-based Mobile Proxy
	Author(s)       : J. Melen, et al.
	Filename        : draft-melen-hip-proxy-01.txt
	Pages           : 12
	Date            : 2009-07-28

This draft defines a HIP proxy node that enables a non-HIP host to
communicate with a HIP host through a proxy node.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-melen-hip-proxy-01.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.



--------------020909080502080004060304
Content-Type: Message/External-body;
 name="draft-melen-hip-proxy-01.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="draft-melen-hip-proxy-01.txt"

Content-Type: text/plain
Content-ID: <2009-07-28065430.I-D@ietf.org>



--------------020909080502080004060304--

From heer@informatik.rwth-aachen.de  Tue Jul 28 08:50:05 2009
MIME-version: 1.0
Content-transfer-encoding: 7BIT
Content-type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Message-id: <A8BDA005-4E25-4C23-A22A-361EAB1271AE@cs.rwth-aachen.de>
From: Tobias Heer <heer@cs.rwth-aachen.de>
To: Jan Melen <Jan.Melen@nomadiclab.com>
In-reply-to: <4A6F14F5.50905@nomadiclab.com>
Date: Tue, 28 Jul 2009 17:50:01 +0200
References: <6512FD53-0253-4B49-BC0D-41022DBB9644@cs.rwth-aachen.de> <4A6F0B98.5000006@nomadiclab.com> <DBE7A7ED-1979-4BB3-B349-40773E9780A1@cs.rwth-aachen.de> <4A6F14F5.50905@nomadiclab.com>
X-Mailer: Apple Mail (2.935.3)
Cc: hip WG <hipsec@ietf.org>
Subject: Re: [Hipsec] Comments on hiccups draft

On 28.07.2009 at 17:10, Jan Melen wrote:

> Hi Tobias,
>
> Tobias Heer wrote:
>> On 28.07.2009 at 16:30, Jan Melen wrote:
>>
>>>> Section 3: Existence of the HMAC in the packet:
>>>> The hiccups draft states that "[the payload is] protected by a  
>>>> PAYLOAD_HMAC parameter". To me it is unclear how such protection  
>>>> can possibly work. Since there is no previous handshake there are  
>>>> no keys for use in the HMAC. Jan explained that the HMAC is  
>>>> merely used as a way to create a digest over the packet for  
>>>> making the signature more efficient. However, if it is only used  
>>>> for creating the digest, I wonder why it is actually transmitted  
>>>> in the packet because without a secret included in the packet,  
>>>> the digest can easily be calculated and transmitting the digest  
>>>> in a packet seems to be an unnecessary waste of space. Am I  
>>>> missing something here? It would be nice if the draft was more  
>>>> precise about the nature and the use of the HMAC.
>>>>
>>>
>>> if you do send it as the receiving end doesn't have to generate  
>>> the actual parameter that was used to create MAC code in order to  
>>> verify the signature.
>>
>> You must recalculate the digest anyway. Otherwise the receiver will  
>> only check that the signature covers the HMAC but the receiver will  
>> not check that the packet contents match the HMAC. In that sense  
>> only the HMAC but not the packet contents would be
>> integrity-protected. Since you have to generate the digest over the
>> whole packet anew anyway I do not see the advantage of sending it in
>> the packet.
>
> Yes, you have to calculate it in either case; I'm not referring to
> that. I'm just saying that the implementation will be more
> error-prone if the host has to calculate the digest and then create
> the parameter. And we send the parameter in the packet the receiver
> can already after calculating the digest drop packets which have been
> modified on the transmit without calculating the signature (the
> non-malicious errors that happen on transmit).

Now everything becomes a bit clearer. Since you do not expect to have
a UDP header (with checksum) in all cases you use the HMAC as
checksum? That works... Although a 20-byte checksum from a
cryptographic hash function is rather large and expensive (compared to
the usual transport-layer checksums TCP/UDP: 2 bytes). Maybe this
(non-standard?) use of the HMAC could be stated in the draft to avoid
confusion.

BR, Tobias

>
>  Jan
>




--  

Dipl.-Inform. Tobias Heer, Ph.D. Student
Distributed Systems Group
RWTH Aachen University, Germany
tel: +49 241 80 207 76
web: http://ds.cs.rwth-aachen.de/members/heer
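
Added example, not part of the thread or of the hiccups draft: a receiver that only checks the signature over the transmitted digest, next to one that recomputes the digest first (cheap drop of corrupted packets) and then verifies the signature. The packet layout, the use of plain SHA-1 for the 20-byte digest and the toy textbook-RSA key standing in for the Host Identity signature are assumptions made so the example runs offline.

```python
import hashlib
import hmac

# Toy textbook-RSA key built from two Mersenne primes (assumption; no padding,
# NOT secure). It only stands in for the sender's Host Identity signature so
# the example runs offline with the standard library.
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


def digest(payload: bytes) -> bytes:
    """Unkeyed 20-byte digest over the payload (SHA-1, assumed here)."""
    return hashlib.sha1(payload).digest()


def sign(d: bytes) -> int:
    """Sender side: sign the digest, not the full payload."""
    return pow(int.from_bytes(d, "big"), D, N)


def signature_ok(d: bytes, sig: int) -> bool:
    """Public-key operation: the expensive step on the receiver."""
    return pow(sig, E, N) == int.from_bytes(d, "big")


def build_packet(payload: bytes) -> dict:
    """Hypothetical simplified packet: payload, digest parameter, signature."""
    d = digest(payload)
    return {"payload": payload, "payload_digest": d, "signature": sign(d)}


def verify_signature_only(pkt: dict) -> bool:
    """Flawed receiver: trusts the transmitted digest and never recomputes it,
    so only the digest parameter is integrity-protected, not the payload."""
    return signature_ok(pkt["payload_digest"], pkt["signature"])


def verify_full(pkt: dict) -> tuple:
    """Receiver that recomputes the digest. Returns (accepted, reason)."""
    recomputed = digest(pkt["payload"])
    # Step 1: cheap check. Catches payloads changed in transit before any
    # public-key operation is spent on the packet.
    if not hmac.compare_digest(recomputed, pkt["payload_digest"]):
        return False, "digest mismatch"
    # Step 2: the digest is unkeyed, so anyone can recompute it after a
    # change. Only the signature ties it to the sender.
    if not signature_ok(recomputed, pkt["signature"]):
        return False, "bad signature"
    return True, "ok"


def demo() -> dict:
    """Runs three constructed packets through both receivers."""
    good = build_packet(b"constructed sample payload")
    # Payload altered in transit; digest parameter and signature untouched.
    corrupted = dict(good, payload=b"constructed sample pAyload")
    # Payload altered and digest parameter recomputed to match (no key needed).
    redigested = dict(corrupted, payload_digest=digest(corrupted["payload"]))
    packets = {"good": good, "corrupted": corrupted, "redigested": redigested}
    return {
        name: (verify_signature_only(pkt), verify_full(pkt))
        for name, pkt in packets.items()
    }


if __name__ == "__main__":
    for name, (sig_only, full) in demo().items():
        print(f"{name:11s} signature-only={sig_only!s:5s} full={full}")
```
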








From thomas.r.henderson@boeing.com  Tue Jul 28 08:52:13 2009
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 28 Jul 2009 08:51:52 -0700
Message-ID: <77F357662F8BFA4CA7074B0410171B6D07B0C4F9@XCH-NW-5V1.nw.nos.boeing.com>
In-Reply-To: <4A6EE502.3060404@nomadiclab.com>
References: <4A6447DC.7070005@ericsson.com>	<77F357662F8BFA4CA7074B0410171B6D07B0C4AA@XCH-NW-5V1.nw.nos.boeing.com>	<4A65F513.5030701@ericsson.com> <77F357662F8BFA4CA7074B0410171B6D07B0C4D3@XCH-NW-5V1.nw.nos.boeing.com> <4A6EE502.3060404@nomadiclab.com>
From: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
To: "Ari Keranen" <ari.keranen@nomadiclab.com>
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] Comments on the HIP-BONE draft

Hi Ari, some responses inline below.

> -----Original Message-----
> From: Ari Keranen [mailto:ari.keranen@nomadiclab.com]
> Sent: Tuesday, July 28, 2009 4:46 AM
> To: Henderson, Thomas R
> Cc: Gonzalo Camarillo; HIP
> Subject: Re: [Hipsec] Comments on the HIP-BONE draft
>
> Hi Tom,
>
> Henderson, Thomas R wrote:
> >>> Where I think it becomes conflated, however, is when you try to
> >>> use the overlay to forward HIP signaling traffic.   I see why you
> >>> are trying to do this but it leads to these questions:
> >> we had a lot of discussions in the past about this. There were
> >> different proposals, one of which proposed the simple use you
> >> described above. The conclusion was to do what HIP BONE specifies.
> >> I do not think it would be productive to go through the same
> >> discussions again at this point.
> >
> > I am not trying to rathole things, I would just like to understand
> > how it is supposed to work.  Maybe if I sketched out some use cases,
> > you could suggest how you think it would work.  For instance,
> > consider five nodes A-E, and two overlays (X.org's overlay, and
> > Q.com's overlay).  Nodes A-D belong to Q.com's overlay, and A and C
> > to X.org's overlay.
> >
> > Peer-ID:  X.org-AID             X.org-CID
> >
> > Peer-ID:  Q.com-AID  Q.com-BID  Q.com-CID  Q.com-DID
> >
> > HIT:      A-HIT      B-HIT      C-HIT      D-HIT        E-HIT
> >
> > IP-addr:  A-IP       B-IP       C-IP       D-IP         E-IP
>
> Many of the details depend on the particular instance specification,
> and the RELOAD instance spec is still very much work-in-progress, so
> how things are done is likely to evolve from current situation.
> Anyway, here's how I see these use cases could work.
>
> > Case 1:  The overlay process belonging to Q.com on node E wants to
> > join overlay Q.com.  What assumptions do you make about the
> > bootstrapping record that Q.com's overlay process must have about
> > well-known, stable nodes?  Does this bootstrapping record store the
> > tuple (Q.com-AID, A-HIT, A-IP) or just (Q.com-AID, A-HIT)?
>
> Especially bootstrapping is a peer protocol dependent feature (as
> noted in Sections 3.1 and 3.4 of the HIP BONE draft), but in general,
> you need at minimum an IP address (+ possibly port) of an overlay
> node to contact and some overlay identifier (not necessarily a peer
> ID) used to tell the contacted node which overlay you want to join.
> Adding also HIT to the tuple increases security, but is not mandatory
> if the overlay uses an enrollment server that gives certificates for
> the HITs and the nodes can use the certificates to prove that they
> truly belong to that overlay.
>
> > Case 2:  Suppose on node A, the peer protocol on node A for overlay
> > Q.com decides to initiate a HIP association to node C.  What name
> > does it use for node C?  Presumably, its peer-id "Q.com-CID".  So,
> > it needs to discover the C-HIT and ultimately the C-IP.  So, as part
> > of the peer protocol, it resolves Q.com-CID to C-HIT.  I suppose
> > that it does this with the existing connections that it has.  Does
> > it also at this time obtain C-IP?  Next, it issues a connect(HIT)
> > socket call.  What happens next?  There is an outbound I1 to a HIT.
> > Does the I1 go to the HIP routing layer, or does the HIP process try
> > to do a DNS/DHT lookup, or both?  If there are no such records, how
> > does the I1 propagate through the Q.com overlay, which is not
> > routing HITs but Peer-IDs?  If you suggest, as below, that Q.com's
> > overlay name is stored in the I1, how does this "Q.com" get passed
> > through the socket API so that HIP knows that the process that used
> > the socket API to connect(HIT) was associated with Q.com?  Or is the
> > native socket API not involved in this framework?
>
> If Peer-IDs are not HITs, the peer protocol uses "Q.com-CID" as the
> peer name for node C. If this is the case, presumably there is a
> mapping (using some transformation) between Peer ID and HIT, so that
> there is no need for any discovery step.

This is perhaps my main concern.  I do not understand how you can form
HITs from Peer IDs, in general, unless the Peer IDs are HITs or public
keys themselves.  I see how you can bind a HIT to a Peer ID using a
certificate, but that is not the same.

>
> There is no need to query for C-IP in the overlay since the HIP base
> exchange is done via the overlay

which overlay?  Are you assuming that the routing table has an explicit
entry for an overlay next hop for C?  If there is no entry for C-HIT, is
the I1 sent on both overlays?

> and the C-IP (or, the "best" C-IP) is discovered using ICE as defined
> in the NAT traversal draft. And the BeX is done using existing
> overlay connections.
>
> I1 (and the rest of the BeX) is routed using the overlay routing
> table constructed by the overlay protocol, so there is no additional
> (DNS/DHT) lookup for this. If there is no mapping from HIT to Peer
> ID, we may need to convey also the Peer IDs in the HIP packets.
>
> The interaction with peer protocol is likely to require more features
> than what the current HIP native socket API can provide, but at least
> my view on this is that the peer protocol and HIP daemon are
> integrated

Ah, OK, perhaps this suggests a misunderstanding on my part about what
you are trying to define.  I was not assuming that HIP and peer protocol
were integrated, but that HIP was providing a service to different peer
protocols, so that other WGs like P2PSIP could build an overlay on the
service offered by a HIP BONE.  Maybe this point could be clarified in
the next draft version.

> so
> that they don't need to use the socket API for sharing the routing table
> (e.g., they are run in the same process, or they use IPC).
>
> > Suppose a HIP association is built between node A and node C, based on
> > the Q.com peer protocol.  Is this association exported to overlay X.org?
>
> IMO, no. The different overlays likely have different finger tables
> (i.e., peer protocol connections between peers) and thus it would be
> unlikely (at least in a big network) that they would share connections.
> Also, the HITs for different overlays are likely to be different. This
> could be considered as an optimization though.

If peer protocol and HIP are integrated, offering a specialized API,
then I think my questions about how information is shared between
overlays are not so relevant.

>
> > If so, suppose A later leaves Q.com overlay, but stays on X.org overlay.
> > Does the HIP association from A to C persist?  Are HIP records inserted
> > into the HIP routing table by a particular peer protocol "owned" by that
> > protocol, and must be removed by that protocol (just as IP routes are
> > tagged by the routing protocols that insert them into the FIB)?
>
> Whether a HIP association persists, would depend on the implementation
> of the optimization. If the association was created for something else
> than P2P protocol traffic (e.g., SIP call), it should persist as long as
> it is used.
>
> The routing table records would be overlay instance specific (even if
> they use the same protocol) so they would be added and removed by the
> same overlay process.
>
> > Case 3:  the stack on Node A is asked to open a session to F-HIT.  It
> > doesn't know this yet, but F-HIT is not a known HIT in any of the
> > overlays that it belongs to.  What happens?
>
> The overlay tries to route I1 to F-HIT but when it fails to do so, the
> node that detects this (i.e., the node that is responsible for the part
> of the overlay where F would be) responds with an error message. The
> MESSAGE_NOT_RELAYED notify packet type could be used for this, but I
> think the behavior is HIP BONE instance specification specific.
>
> >>> 1) the overlay may stitch together addressing realms that have no hope
> >>> of supporting end-to-end HIP associations between them.  For instance,
> >>> this simple topology:
> >>>
> >>> node A <--------Ipv4 network -----> node B <--------Ipv6 network ---------> node C
> >>>
> >>> The overlay may route the I1 from node A to node C and R1 back, but no
> >>> HIP association between A and C can actually be formed.
> >> This is not a problem specific to the use of HIP in the overlay. It is a
> >> general problem of the overlay, even if it was not using HIP. If no
> >> direct connections can be formed between nodes in an overlay, the
> >> overlay will most likely keep on routing stuff through the overlay.
> >
> > It depends on the type of overlay, whether the overlay allows "cut
> > through" forwarding like you are proposing or whether data is forwarded
> > hop-by-hop at the overlay layer.  But HIP requires the end-to-end
> > association-- you can't just terminate it hop-by-hop (unless perhaps you
> > are using HIP DATA packets).
>
> HIP DATA packets could be used for this.

Probably not in the media-stream, RELOAD use case.

> Also, it is possible to use a
> TURN server with IPv4-IPv6 translation. If a TURN server implementing
> the turn-ipv6 draft is used, ICE would take care of this.

OK

>
> >>> 2) what if node B above belongs to multiple other HIP-based overlays?
> >>> How does it know on which overlay to forward the I1?
> >> This is one of the open issues of the instance draft. RELOAD has its own
> >> way to identify different overlays. We need to decide how we want to
> >> convey that information in an I1.
> >
> > If I1s need to be extended, that is an important framework issue.
>
> The RELOAD HIP BONE instance spec defines OVERLAY_ID attribute for this
> purpose. The (next version of) HIP BONE draft will define a generic
> format for the parameter and instance specs define how it is encoded for
> each specific protocol. All HIP overlay messages should have this
> parameter to indicate which overlay they belong to.
>
> I understand that we want to keep I1 as simple as possible to prevent
> DoS attacks, but this parameter would not create any state in the
> receiving or forwarding node and it would be trivial to process, so I
> don't think it is a problem to have it there.
>
> >>> Also, from a performance perspective, I think there may be some danger
> >>> in abstracting the underlying topology away from a peer protocol.  From
> >>> the peer protocol layer perspective, HIP makes every node look like it
> >>> is "on link" whereas in fact, each node is possibly different number of
> >>> hops away, in different administrative domains of the network, etc.
> >> Not really. When HIP is not used, the ICE module takes care of
> >> establishing those "links". The complexity of connection management is
> >> abstracted out even when HIP is not used.
> >
> > I was thinking that some overlays (such as content delivery networks)
> > may want to run heuristics on IP addresses to determine network
> > distances.
>
> I guess you're referring to the IP addresses of the hosts that you have
> a direct HIP association with (since even without HIP you don't know the
> addresses of the intermediate nodes forwarding the messages in the
> overlay). For such nodes, I assume one can ask the current IP address
> using the native HIP API and SHIM_LOC_PEER_SEND (or SHIM_LOCLIST_PEER?)
> socket option. That said, because of TURN servers and other relays, this
> may not be really a good idea.

Again, I think my concern here is based on my assumption that HIP is
offering a service to a peer protocol, and may be abstracting away
details from it that it may care about.  However, your comments above
suggest that since the peer protocol and HIP are part of an integrated
design, so maybe this is less of a concern.  Mainly, the concern I was
raising was along the same lines of spoofing HITs for IP addresses to
applications that may really want the IP addresses.

>
> >>> To summarize, I think there is some value in defining how P2PSIP-based
> >>> overlay could use HIP to form its links and deal with NAT, mobility, and
> >>> multihoming.  However, before allowing RELOAD nodes to perform the HIP
> >>> distributed rendezvous service, I would first define:
> >>> 1) how the system works in the case where the enrollment server chooses
> >>> PeerIds that are not HITs
> >> The framework already says this is possible... and the instance draft
> >> will need to define how that is done for RELOAD, of course.
>
> With RELOAD, the enrollment server can generate Peer IDs that have
> ORCHID prefix either by generating the key pair or by generating random
> ID and using certificates.
>
> >>> 2) how two such independent overlays (run by different organizations)
> >>> could operate on the same node, and how the node would ensure that
> >>> messages got onto the right overlays
> >> This will also need to be defined by the instance draft... in any case,
> >> I agree with you that the framework needs to talk more about this (it
> >> does not discuss this issue right now).
>
> This will be addressed with the generic OVERLAY_ID in the framework draft.
>

OK, I will wait to see that.

Regards,
Tom

From Jan.Melen@nomadiclab.com  Wed Jul 29 01:52:32 2009
Message-ID: <4A700DC9.7000500@nomadiclab.com>
Date: Wed, 29 Jul 2009 11:52:25 +0300
From: Jan Melen <Jan.Melen@nomadiclab.com>
User-Agent: Thunderbird 2.0.0.7pre (X11/20090418)
MIME-Version: 1.0
To: Tobias Heer <heer@cs.rwth-aachen.de>
References: <6512FD53-0253-4B49-BC0D-41022DBB9644@cs.rwth-aachen.de> <4A6F0B98.5000006@nomadiclab.com> <DBE7A7ED-1979-4BB3-B349-40773E9780A1@cs.rwth-aachen.de> <4A6F14F5.50905@nomadiclab.com> <A8BDA005-4E25-4C23-A22A-361EAB1271AE@cs.rwth-aachen.de>
In-Reply-To: <A8BDA005-4E25-4C23-A22A-361EAB1271AE@cs.rwth-aachen.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: ClamAV using ClamSMTP
Cc: hip WG <hipsec@ietf.org>
Subject: Re: [Hipsec] Comments on hiccups draft

Tobias Heer wrote:
>
> On 28.07.2009 at 17:10, Jan Melen wrote:
>
>> Hi Tobias,
>>
>> Tobias Heer wrote:
>>> On 28.07.2009 at 16:30, Jan Melen wrote:
>>>
>>>>> Section 3: Existence of the HMAC in the packet:
>>>>> The hiccups draft states that "[the payload is] protected by a 
>>>>> PAYLOAD_HMAC parameter". To me it is unclear how such protection 
>>>>> can possibly work. Since there is no previous handshake there are 
>>>>> no keys for use in the HMAC. Jan explained that the HMAC is merely 
>>>>> used as a way to create a digest over the packet for making the 
>>>>> signature more efficient. However, if it is only used for creating 
>>>>> the digest, I wonder why it is actually transmitted in the packet 
>>>>> because without a secret included in the packet, the digest can 
>>>>> easily be calculated and transmitting the digest in a packet seems 
>>>>> to be an unnecessary waste of space. Am I missing something here? 
>>>>> It would be nice if the draft was more precise about the nature 
>>>>> and the use of the HMAC.
>>>>>
>>>>
>>>> if you do send it as the receiving end doesn't have to generate the 
>>>> actual parameter that was used to create MAC code in order to 
>>>> verify the signature.
>>>
>>> You must recalculate the digest anyway. Otherwise the receiver will 
>>> only check that the signature covers the HMAC but the receiver will 
>>> not check that the packet contents match the HMAC. In that sense 
>>> only the HMAC but not the packet contents would be 
>>> integrity-protected. Since you have to generate the digest over the 
>>> whole packet anew anyway I do not see the advantage of sending it in 
>>> the packet.
>>
>> Yes you have to calculate it in either case I'm not referring to 
>> that. I'm just saying that the implementation will be more error 
>> prone if the host has to calculate the digest and then create the 
>> parameter. And we send the parameter in the packet the receiver can 
>> already after calculating the digest drop packets which have been 
>> modified on the transmit without calculating the signature (the 
>> non-malicious errors that happen on transmit).
>
> Now everything becomes a bit clearer. Since you do not expect to have 
> a UDP header (with checksum) in all cases you use the HMAC as 
> checksum? That works... Although a 20-byte checksum from a 
> cryptographic hash function is rather large and expensive (compared to 
> the usual transport-layer checksums TCP/UDP: 2 byte). Maybe this 
> (non-standard?) use of the HMAC could be stated in the draft to avoid 
> confusion.

The upper-layer protocol might have its own checksum but I do not want 
to make a dependency to HIP protocol that a HIP implementation should be 
able to identify all transport protocols thus it is easier to define 
that HIP_DATA has some checksum calculation that is less expensive than 
public key signature but still provides something for the end goal. 
After all, if the packet would be IP (HIP(HIP_DATA, HIP_SIGNATURE) 
UDP ()), the processing in the stack would go in the following order:
1. IP stack processes the IP header
2. HIP processes the HIP header, HIP_DATA and HIP_SIGNATURE
3. Transport layer UDP processes the UDP header
4. Application

If we wouldn't make this check on step 2 we might do the signature 
calculation just to notice that the packet has been accidentally 
modified in transit.

But anyway I will add something to the draft.

    Jan
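
The receive-side ordering described in this message, together with the earlier point in the thread that the receiver must recompute the digest itself, as an added sketch (not part of the original mail or of the hiccups draft). It assumes an unkeyed 20-byte SHA-1 digest and uses a toy textbook-RSA signature as a stand-in for the HIP signature; the packet layout and all names are hypothetical.

```python
import hashlib
import hmac

# Toy textbook-RSA key (no padding, tiny modulus): a stand-in for the host's
# real public-key signature, for illustration only. Both primes are Mersenne primes.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)


def digest(payload: bytes) -> bytes:
    """Unkeyed 20-byte digest over the payload (assumption: SHA-1)."""
    return hashlib.sha1(payload).digest()


def sign(dig: bytes) -> int:
    """Sender side: sign the digest, not the whole payload."""
    return pow(int.from_bytes(dig, "big"), D, N)


def build_packet(payload: bytes) -> dict:
    """Hypothetical packet: payload, transmitted digest, signature over the digest."""
    d = digest(payload)
    return {"payload": payload, "digest": d, "signature": sign(d)}


class Receiver:
    """Processes a packet at 'step 2' of the stack order given in the mail."""

    def __init__(self, recompute_digest: bool = True):
        self.recompute_digest = recompute_digest
        self.signature_checks = 0  # counts the expensive public-key operations

    def _signature_ok(self, dig: bytes, sig: int) -> bool:
        self.signature_checks += 1
        return pow(sig, E, N) == int.from_bytes(dig, "big")

    def process(self, pkt: dict) -> str:
        # Cheap check first: recompute the digest and compare it with the
        # transmitted one, so accidental corruption is dropped before any
        # public-key work is done.
        if self.recompute_digest:
            if not hmac.compare_digest(digest(pkt["payload"]), pkt["digest"]):
                return "drop: digest mismatch"
        # Expensive check: the signature covers only the digest, so it
        # protects the payload only if the digest was recomputed above.
        if not self._signature_ok(pkt["digest"], pkt["signature"]):
            return "drop: bad signature"
        return "accept"


if __name__ == "__main__":
    pkt = build_packet(b"constructed HIP_DATA payload")          # constructed sample
    corrupt = dict(pkt, payload=b"constructed HIP_DATA pay1oad")  # changed in transit
    # Without a key anyone can recompute the digest; only the signature catches this.
    redigested = dict(corrupt, digest=digest(corrupt["payload"]))

    careful, naive = Receiver(), Receiver(recompute_digest=False)
    for name, p in (("intact", pkt), ("corrupt", corrupt), ("re-digested", redigested)):
        print(f"{name:12s} careful={careful.process(p)!r} naive={naive.process(p)!r}")
    print("signature checks by careful receiver:", careful.signature_checks)
```

The receiver that skips the recomputation accepts the corrupted payload because the signature still matches the unchanged digest field.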


From Jan.Melen@nomadiclab.com  Wed Jul 29 02:21:55 2009
Message-ID: <4A7014AD.5080700@nomadiclab.com>
Date: Wed, 29 Jul 2009 12:21:49 +0300
From: Jan Melen <Jan.Melen@nomadiclab.com>
User-Agent: Thunderbird 2.0.0.7pre (X11/20090418)
MIME-Version: 1.0
To: Tobias Heer <heer@cs.rwth-aachen.de>
References: <6512FD53-0253-4B49-BC0D-41022DBB9644@cs.rwth-aachen.de>	<4A6F0B98.5000006@nomadiclab.com>	<DBE7A7ED-1979-4BB3-B349-40773E9780A1@cs.rwth-aachen.de>	<4A6F14F5.50905@nomadiclab.com>	<A8BDA005-4E25-4C23-A22A-361EAB1271AE@cs.rwth-aachen.de> <4A700DC9.7000500@nomadiclab.com>
In-Reply-To: <4A700DC9.7000500@nomadiclab.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: ClamAV using ClamSMTP
Cc: hip WG <hipsec@ietf.org>
Subject: Re: [Hipsec] Comments on hiccups draft

Hi Tobias,

Jan Melen wrote:
> Tobias Heer wrote:
>>
>> On 28.07.2009 at 17:10, Jan Melen wrote:
>>
>>> Hi Tobias,
>>>
>>> Tobias Heer wrote:
>>>> On 28.07.2009 at 16:30, Jan Melen wrote:
>>>>
>>>>>> Section 3: Existence of the HMAC in the packet:
>>>>>> The hiccups draft states that "[the payload is] protected by a 
>>>>>> PAYLOAD_HMAC parameter". To me it is unclear how such protection 
>>>>>> can possibly work. Since there is no previous handshake there are 
>>>>>> no keys for use in the HMAC. Jan explained that the HMAC is 
>>>>>> merely used as a way to create a digest over the packet for 
>>>>>> making the signature more efficient. However, if it is only used 
>>>>>> for creating the digest, I wonder why it is actually transmitted 
>>>>>> in the packet because without a secret included in the packet, 
>>>>>> the digest can easily be calculated and transmitting the digest 
>>>>>> in a packet seems to be an unnecessary waste of space. Am I 
>>>>>> missing something here? It would be nice if the draft was more 
>>>>>> precise about the nature and the use of the HMAC.
>>>>>>
>>>>>
>>>>> if you do send it as the receiving end doesn't have to generate 
>>>>> the actual parameter that was used to create MAC code in order to 
>>>>> verify the signature.
>>>>
>>>> You must recalculate the digest anyway. Otherwise the receiver will 
>>>> only check that the signature covers the HMAC but the receiver will 
>>>> not check that the packet contents match the HMAC. In that sense 
>>>> only the HMAC but not the packet contents would be 
>>>> integrity-protected. Since you have to generate the digest over the 
>>>> whole packet anew anyway I do not see the advantage of sending it 
>>>> in the packet.
>>>
>>> Yes you have to calculate it in either case I'm not referring to 
>>> that. I'm just saying that the implementation will be more error 
>>> prone if the host has to calculate the digest and then create the 
>>> parameter. And we send the parameter in the packet the receiver can 
>>> already after calculating the digest drop packets which have been 
>>> modified on the transmit without calculating the signature (the 
>>> non-malicious errors that happen on transmit).
>>
>> Now everything becomes a bit clearer. Since you do not expect to have 
>> a UDP header (with checksum) in all cases you use the HMAC as 
>> checksum? That works... Although a 20-byte checksum from a 
>> cryptographic hash function is rather large and expensive (compared 
>> to the usual transport-layer checksums TCP/UDP: 2 byte). Maybe this 
>> (non-standard?) use of the HMAC could be stated in the draft to avoid 
>> confusion.
>
> The upper-layer protocol might have its own checksum but I do not 
> want to make a dependency to HIP protocol that a HIP implementation 
> should be able to identify all transport protocols thus it is easier 
> to define that HIP_DATA has some checksum calculation that is less 
> expensive than public key signature but still provides something for 
> the end goal. After all, if the packet would be IP (HIP(HIP_DATA, 
> HIP_SIGNATURE) UDP ()), the processing in the stack would go in the 
> following order:
> 1. IP stack processes the IP header
> 2. HIP processes the HIP header, HIP_DATA and HIP_SIGNATURE
> 3. Transport layer UDP processes the UDP header
> 4. Application
>
> If we wouldn't make this check on step 2 we might do the signature 
> calculation just to notice that the packet has been accidentally 
> modified in transit.
>
> But anyway I will add something to the draft.
>

http://users.piuha.net/jmelen/HICCUPS/draft-nikander-hip-hiccups-04-pre1.txt
I've now made yet another edit on the draft regarding the comment you 
gave. Take now a look at section 3 paragraph 4.

   Jan




From petri.jokela@nomadiclab.com  Wed Jul 29 02:23:04 2009
Message-Id: <B22CC7B2-03E2-4EEA-8178-5A28EA806BE5@nomadiclab.com>
From: Petri Jokela <petri.jokela@nomadiclab.com>
To: Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>
In-Reply-To: <4A6447DC.7070005@ericsson.com>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v935.3)
Date: Wed, 29 Jul 2009 11:23:03 +0200
References: <4A6447DC.7070005@ericsson.com>
X-Mailer: Apple Mail (2.935.3)
X-Virus-Scanned: ClamAV using ClamSMTP
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] Overlay work: status and request for input

On 20.7.2009, at 12.33, Gonzalo Camarillo wrote:

> Folks,
>
> 1) We have the following milestone:
>
> "Specify a framework to build HIP-based overlays. This framework will
...
> The resulting document is the draft below. We would like to ask the WG
> if it is OK to split our current milestone in two so that they cover the
> high-level framework and the definition in separate documents.
>
> http://tools.ietf.org/internet-drafts/draft-keranen-hip-reload-instance-00.txt
>
> Additionally, we would like to ask the WG if we should take the draft
> above as the WG item associated to the milestone for the definition.
>

The proposal sounds reasonable, taking also into account the  
discussion that has been going on in another thread.

> 2) We have the following milestone:
...
> We still do not have a WG item for it but the following draft has been
> around for some time. We would like to ask the WG if we should adopt the
> following draft as the WG item for this milestone.
>
> http://tools.ietf.org/internet-drafts/draft-nikander-hip-hiccups-02.txt
>

For me, this sounds good. As in the previous case, taking into account  
also the ongoing discussion on the related thread.

> 3) In order to be able to support the functionality provided by RELOAD,
> HIP needs to support multi-hop routing. Instead of specifying it in the
> HIP BONE draft, having a separate draft seems to make more sense given
> that this functionality has a more general applicability than overlays.
> We would like to ask the WG if we should spin off a new milestone from
> our original milestone for overlays that covers multihop routing in HIP.
>
> The following draft takes a stab at specifying multihop routing in HIP.
> We would like to ask the WG if we should adopt it as a WG item for the
> milestone above (assuming we decide to create the milestone).
>
> http://tools.ietf.org/internet-drafts/draft-camarillo-hip-via-00.txt

This sounds ok.


> 4) We have the following milestone:
>
> "Specify how to generate ORCHIDs from other node identifiers
> including both cryptographic ones (leading to cryptographic
> delegation) and non-cryptographic ones (e.g., identifiers defined by a
> peer protocol)."
>
> When we created that milestone, we expected to have a generic mechanism
> to transform node IDs into ORCHIDs. However, at this point, it seems
> that such transformation will be done in different ways depending on the
> peer protocol used in a particular overlay. For example, the instance
> specification for RELOAD draft defines such transformation for RELOAD
> peer identifiers. The fact that nobody has submitted a draft for that
> milestone seems to confirm the previous impression. We would like to ask
> the WG if we should remove that milestone from our charter.

While there is no activity, it seems reasonable to remove it now.

/petri


> Thanks,
>
> Gonzalo
> HIP co-chair
>

-- 
Petri Jokela                        Tel:    +358 9 299 2413
Research scientist                  Fax:    +358 9 299 3535
NomadicLab, Ericsson Research       Mobile: +358 44 299 2413
Oy L M Ericsson Ab                  email: petri.jokela@ericsson.com




From heer@informatik.rwth-aachen.de  Wed Jul 29 02:27:58 2009
MIME-version: 1.0
Content-transfer-encoding: 7BIT
Content-type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Message-id: <6BE2670B-852E-4625-8CA9-782D56D99027@cs.rwth-aachen.de>
From: Tobias Heer <heer@cs.rwth-aachen.de>
To: Jan Melen <Jan.Melen@nomadiclab.com>
In-reply-to: <4A7014AD.5080700@nomadiclab.com>
Date: Wed, 29 Jul 2009 11:27:48 +0200
References: <6512FD53-0253-4B49-BC0D-41022DBB9644@cs.rwth-aachen.de> <4A6F0B98.5000006@nomadiclab.com> <DBE7A7ED-1979-4BB3-B349-40773E9780A1@cs.rwth-aachen.de> <4A6F14F5.50905@nomadiclab.com> <A8BDA005-4E25-4C23-A22A-361EAB1271AE@cs.rwth-aachen.de> <4A700DC9.7000500@nomadiclab.com> <4A7014AD.5080700@nomadiclab.com>
X-Mailer: Apple Mail (2.935.3)
Cc: hip WG <hipsec@ietf.org>
Subject: Re: [Hipsec] Comments on hiccups draft

Hi Jan,

On 29.07.2009 at 11:21, Jan Melen wrote:

>>
>
> http://users.piuha.net/jmelen/HICCUPS/draft-nikander-hip-hiccups-04-pre1.txt
> I've now made yet another edit on the draft regarding the comment  
> you gave. Take now a look at section 3 paragraph 4.
>
I think things are clearer now. Thanks for the clarification.

Tobias


>  Jan
>
>
>




--  

Dipl.-Inform. Tobias Heer, Ph.D. Student
Distributed Systems Group
RWTH Aachen University, Germany
tel: +49 241 80 207 76
web: http://ds.cs.rwth-aachen.de/members/heer








From ari.keranen@nomadiclab.com  Wed Jul 29 04:07:56 2009
Message-ID: <4A702D85.1030702@nomadiclab.com>
Date: Wed, 29 Jul 2009 14:07:49 +0300
From: Ari Keranen <ari.keranen@nomadiclab.com>
User-Agent: Thunderbird 2.0.0.22 (X11/20090608)
MIME-Version: 1.0
To: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
References: <4A6447DC.7070005@ericsson.com>	<77F357662F8BFA4CA7074B0410171B6D07B0C4AA@XCH-NW-5V1.nw.nos.boeing.com>	<4A65F513.5030701@ericsson.com> <77F357662F8BFA4CA7074B0410171B6D07B0C4D3@XCH-NW-5V1.nw.nos.boeing.com> <4A6EE502.3060404@nomadiclab.com> <77F357662F8BFA4CA7074B0410171B6D07B0C4F9@XCH-NW-5V1.nw.nos.boeing.com>
In-Reply-To: <77F357662F8BFA4CA7074B0410171B6D07B0C4F9@XCH-NW-5V1.nw.nos.boeing.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 29 Jul 2009 11:07:54.0217 (UTC) FILETIME=[D2153D90:01CA103C]
X-Brightmail-Tracker: AAAAAA==
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] Comments on the HIP-BONE draft

Henderson, Thomas R wrote:
>> -----Original Message-----
>> From: Ari Keranen [mailto:ari.keranen@nomadiclab.com] 
>> Henderson, Thomas R wrote:
>>> Case 2:  Suppose on node A, the peer protocol on node A for overlay
>>> Q.com decides to initiate a HIP association to node C.  What name does
>>> it use for node C?  Presumably, its peer-id "Q.com-CID".  So, it needs
>>> to discover the C-HIT and ultimately the C-IP.  So, as part of the peer
>>> protocol, it resolves Q.com-CID to C-HIT.  I suppose that it does this
>>> with the existing connections that it has.  Does it also at this time
>>> obtain C-IP?  Next, it issues a connect(HIT) socket call.  What happens
>>> next?  There is an outbound I1 to a HIT.  Does the I1 go to the HIP
>>> routing layer, or does the HIP process try to do a DNS/DHT lookup, or
>>> both?  If there are no such records, how does the I1 propagate through
>>> the Q.com overlay, which is not routing HITs but Peer-IDs?  If you
>>> suggest, as below, that Q.com's overlay name is stored in the I1, how
>>> does this "Q.com" get passed through the socket API so that HIP knows
>>> that the process that used the socket API to connect(HIT) was associated
>>> with Q.com?  Or is the native socket API not involved in this framework?
>>
>> If Peer-IDs are not HITs, the peer protocol uses "Q.com-CID" as the peer
>> name for node C. If this is the case, presumably there is a mapping
>> (using some transformation) between Peer ID and HIT, so that there is no
>> need for any discovery step.
> 
> This is perhaps my main concern.  I do not understand how you can form
> HITs from Peer IDs, in general, unless the Peer IDs are HITs or public
> keys themselves.  I see how you can bind a HIT to a Peer ID using a
> certificate, but that is not the same.
> 

The easiest solution is to require/recommend that Peer IDs are created 
just like HITs. This should be possible, with minor modifications, at 
least with the peer protocols and algorithms we have been looking into 
so far. However, to be future proof, I agree that a general mechanism 
would be useful.

I think we should consider creating "HITs" (or ORCHIDs) that are not 
hashes of cryptographic keys (and maybe call them ORIDs :). Is there 
some technical reason that prevents you from having an arbitrary, but 
random enough, ID after the ORCHID prefix that is not based on a public 
key if you include anyway certificates and host identities as HIP 
parameters in the HIP base exchange?

Another option would be to leave this out of scope of the current 
documents and define such transformation when there is a protocol or 
algorithm that really needs one. And we can fall back to having Peer IDs 
in HIP parameters and route based on those for overlays whose IDs can't 
be transformed into HITs.

>> There is no need to query for C-IP in the overlay since the HIP base 
>> exchange is done via the overlay 
> 
> which overlay?  Are you assuming that the routing table has an explicit
> entry for an overlay next hop for C?  If there is no entry for C-HIT, is
> the I1 sent on both overlays?
> 

Q.com overlay if the node A is (in that context) initiating connection 
to node C at overlay Q.com. The next hop is taken from Q.com overlay's 
routing table so there is no need for explicit entry for C-HIT. Perhaps 
it would be clearer to talk about "application on node A using overlay 
Q.com" instead of "node A". That is, when one initiates a connection 
(BeX), one tells which overlay that connection belongs to.

Once again, it could be possible for the application or node to try to 
contact another node in all the overlays, but this would be an 
additional optimization or a feature. If we want, e.g., legacy 
applications to be able to use just the socket API for initiating 
connections over P2P overlays, one would need to configure to which 
overlay(s) this kind of messages should be sent to.

>> and the C-IP (or, the "best" C-IP) is
>> discovered using ICE as defined in the NAT traversal draft. And the BeX
>> is done using existing overlay connections.
>>
>> I1 (and the rest of the BeX) is routed using the overlay routing table
>> constructed by the overlay protocol, so there is no additional (DNS/DHT)
>> lookup for this. If there is no mapping from HIT to Peer ID, we may need
>> to convey also the Peer IDs in the HIP packets.
>>
>> The interaction with peer protocol is likely to require more features
>> than what the current HIP native socket API can provide, but at least my
>> view on this is that the peer protocol and HIP daemon are integrated
> 
> Ah, OK, perhaps this suggests a misunderstanding on my part about what
> you are trying to define.  I was not assuming that HIP and peer protocol
> were integrated, but that HIP was providing a service to different peer
> protocols, so that other WGs like P2PSIP could build an overlay on the
> service offered by a HIP BONE.  Maybe this point could be clarified in
> the next draft version.
> 

OK, I agree that it would make sense to clarify this.

>> so that they don't need to use the socket API for sharing the routing table
>> (e.g., they are run in the same process, or they use IPC).
>>
>>> Suppose a HIP association is built between node A and node C, based on
>>> the Q.com peer protocol.  Is this association exported to overlay X.org?
>>
>> IMO, no. The different overlays likely have different finger tables
>> (i.e., peer protocol connections between peers) and thus it would be
>> unlikely (at least in a big network) that they would share connections.
>> Also, the HITs for different overlays are likely to be different. This
>> could be considered as an optimization though.
> 
> If peer protocol and HIP are integrated, offering a specialized API,
> then I think my questions about how information is shared between
> overlays are not so relevant.

OK.

>>>>> 1) the overlay may stitch together addressing realms that have no hope
>>>>> of supporting end-to-end HIP associations between them.  For instance,
>>>>> this simple topology:
>>>>>
>>>>> node A <--------Ipv4 network -----> node B <--------Ipv6 network
>>>>> ---------> node C
>>>>>
>>>>> The overlay may route the I1 from node A to node C and R1 back, but no
>>>>> HIP association between A and C can actually be formed.
>>>> This is not a problem specific to the use of HIP in the overlay. It is a
>>>> general problem of the overlay, even if it was not using HIP. If no
>>>> direct connections can be formed between nodes in an overlay, the
>>>> overlay will most likely keep on routing stuff through the overlay.
>>> It depends on the type of overlay, whether the overlay allows "cut
>>> through" forwarding like you are proposing or whether data is forwarded
>>> hop-by-hop at the overlay layer.  But HIP requires the end-to-end
>>> association-- you can't just terminate it hop-by-hop (unless perhaps you
>>> are using HIP DATA packets).
>> HIP DATA packets could be used for this.
> 
> Probably not in the media-stream, RELOAD use case.
> 

Right, the HIP DATA packets are not really suitable for media but should 
be used only/mainly for the signaling. Although I can think of some use 
cases where even some sort of "media" (say, IM if there are no media 
relays and firewalls prevent direct connectivity) could go via an 
overlay, so I would not make this a MUST NOT, but rather a NOT RECOMMENDED.

>> Also, it is possible to use a
>> TURN server with IPv4-IPv6 translation. If a TURN server implementing
>> the turn-ipv6 draft is used, ICE would take care of this.
> 
> OK
> 
>>>>> 2) what if node B above belongs to multiple other HIP-based overlays?
>>>>> How does it know on which overlay to forward the I1?
>>>> This is one of the open issues of the instance draft. RELOAD has its own
>>>> way to identify different overlays. We need to decide how we want to
>>>> convey that information in an I1.
>>> If I1s need to be extended, that is an important framework issue.
>> The RELOAD HIP BONE instance spec defines OVERLAY_ID attribute for this
>> purpose. The (next version of) HIP BONE draft will define a generic
>> format for the parameter and instance specs define how it is encoded for
>> each specific protocol. All HIP overlay messages should have this
>> parameter to indicate which overlay they belong to.
>>
>> I understand that we want to keep I1 as simple as possible to prevent 
>> DoS attacks, but this parameter would not create any state in the 
>> receiving or forwarding node and it would be trivial to process, so I 
>> don't think it is a problem to have it there.
>>
>>>>> Also, from a performance perspective, I think there may be some danger
>>>>> in abstracting the underlying topology away from a peer protocol.  From
>>>>> the peer protocol layer perspective, HIP makes every node look like it
>>>>> is "on link" whereas in fact, each node is possibly different number of
>>>>> hops away, in different administrative domains of the network, etc.
>>>> Not really. When HIP is not used, the ICE module takes care of
>>>> establishing those "links". The complexity of connection management is
>>>> abstracted out even when HIP is not used.
>>> I was thinking that some overlays (such as content delivery networks)
>>> may want to run heuristics on IP addresses to determine network
>>> distances.
>> I guess you're referring to the IP addresses of the hosts that you have
>> a direct HIP association with (since even without HIP you don't know the
>> addresses of the intermediate nodes forwarding the messages in the
>> overlay). For such nodes, I assume one can ask the current IP address
>> using the native HIP API and SHIM_LOC_PEER_SEND (or SHIM_LOCLIST_PEER?)
>> socket option. That said, because of TURN servers and other relays, this
>> may not be really a good idea.
> 
> Again, I think my concern here is based on my assumption that HIP is
> offering a service to a peer protocol, and may be abstracting away
> details from it that it may care about.  However, your comments above
> suggest that since the peer protocol and HIP are part of an integrated
> design, so maybe this is less of a concern.  Mainly, the concern I was
> raising was along the same lines of spoofing HITs for IP addresses to
> applications that may really want the IP addresses.
> 

OK. In that sense the design we have in mind should be able to expose 
enough details for the peer protocols.

>>>>> To summarize, I think there is some value in defining how P2PSIP-based
>>>>> overlay could use HIP to form its links and deal with NAT, mobility, and
>>>>> multihoming.  However, before allowing RELOAD nodes to perform the HIP
>>>>> distributed rendezvous service, I would first define:
>>>>> 1) how the system works in the case where the enrollment server chooses
>>>>> PeerIds that are not HITs
>>>> The framework already says this is possible... and the instance draft
>>>> will need to define how that is done for RELOAD, of course.
>> With RELOAD, the enrollment server can generate Peer IDs that have
>> ORCHID prefix either by generating the key pair or by generating random
>> ID and using certificates.
>>
>>>>> 2) how two such independent overlays (run by different organizations)
>>>>> could operate on the same node, and how the node would ensure that
>>>>> messages got onto the right overlays
>>>> This will also need to be defined by the instance draft... in any case,
>>>> I agree with you that the framework needs to talk more about this (it
>>>> does not discuss this issue right now).
>> This will be addressed with the generic OVERLAY_ID in the framework draft.
>>
>>
> 
> OK, I will wait to see that.

The next version should contain that, but at least currently it's just a 
general version (can have any length) of the OVERLAY_ID in the RELOAD 
instance spec.


Cheers,
Ari
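
An added example (not part of the message above, and not code from any HIP implementation) of the forwarding decision discussed in this thread: a node that belongs to several overlays reads OVERLAY_ID from a packet's parameters and consults only that overlay's routing table, creating no state. The parameter type number, the encoding of overlay names as ASCII bytes, the table contents and all function names are assumptions; the type/length/value layout with padding to 8 bytes follows the HIP base specification.

```python
import struct

# Assumption: placeholder type number. The thread does not give the value
# assigned to OVERLAY_ID, so this constant is illustrative only.
OVERLAY_ID_TYPE = 0xFF01


class MalformedParameters(ValueError):
    """Raised when the parameter area cannot be walked safely."""


def encode_param(ptype, value):
    """HIP TLV: 16-bit type, 16-bit length of the value, the value itself,
    then zero padding so the whole parameter is a multiple of 8 bytes."""
    body = struct.pack("!HH", ptype, len(value)) + value
    return body + b"\x00" * (-len(body) % 8)


def parse_params(buf):
    """Walk the parameter area and return [(type, value), ...].
    Every length is checked against the buffer before it is used."""
    params, off = [], 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise MalformedParameters("truncated type/length header")
        ptype, length = struct.unpack_from("!HH", buf, off)
        end = off + 4 + length
        if end > len(buf):
            raise MalformedParameters("length field runs past the packet")
        nxt = end + (-(4 + length) % 8)
        if nxt > len(buf):
            raise MalformedParameters("missing padding")
        params.append((ptype, buf[off + 4:end]))
        off = nxt
    return params


def select_next_hop(param_area, dest_id, overlays):
    """Return (overlay_id, next_hop), or None when the packet must be dropped.

    The function only reads its arguments: nothing is stored per packet,
    which is the property argued for in the thread. A packet is dropped when
    the parameters are malformed, when OVERLAY_ID is absent, when two
    conflicting OVERLAY_ID values are present, when this node is not a
    member of the named overlay, or when that overlay has no route.
    """
    try:
        params = parse_params(param_area)
    except MalformedParameters:
        return None
    ids = {value for ptype, value in params if ptype == OVERLAY_ID_TYPE}
    if len(ids) != 1:
        return None
    (overlay_id,) = ids
    table = overlays.get(overlay_id)
    if table is None:
        return None
    # Stand-in for the peer protocol's own lookup (closest peer, finger
    # table, ...); an exact-match dictionary keeps the example short.
    next_hop = table.get(dest_id)
    return (overlay_id, next_hop) if next_hop is not None else None


# Constructed sample data: node B is a member of two overlays and reaches
# the same destination through a different neighbour in each of them.
Q_COM, X_ORG = b"Q.com", b"X.org"
DEST_C = bytes(15) + b"\x0c"          # constructed 16-byte identifier
OVERLAYS = {
    Q_COM: {DEST_C: "neighbour-in-Q"},
    X_ORG: {DEST_C: "neighbour-in-X"},
}
OTHER_PARAM = encode_param(0x0001, b"abc")   # unrelated constructed parameter


if __name__ == "__main__":
    packet = OTHER_PARAM + encode_param(OVERLAY_ID_TYPE, Q_COM)
    print(select_next_hop(packet, DEST_C, OVERLAYS))
```
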


From ari.keranen@nomadiclab.com  Wed Jul 29 04:30:07 2009
Message-ID: <4A70329F.9020400@nomadiclab.com>
Date: Wed, 29 Jul 2009 14:29:35 +0300
From: Ari Keranen <ari.keranen@nomadiclab.com>
User-Agent: Thunderbird 2.0.0.22 (X11/20090608)
MIME-Version: 1.0
To: wang.jun17@zte.com.cn
References: <OF4E55414E.C3A0392A-ON48257601.004991CD-C1257601.004CECEC@zte.com.cn>
In-Reply-To: <OF4E55414E.C3A0392A-ON48257601.004991CD-C1257601.004CECEC@zte.com.cn>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-OriginalArrivalTime: 29 Jul 2009 11:29:39.0471 (UTC) FILETIME=[DC1331F0:01CA103F]
X-Brightmail-Tracker: AAAAAA==
Cc: 'HIP' <hipsec@ietf.org>
Subject: Re: [Hipsec] Comments on the HIP-BONE draft

wang.jun17@zte.com.cn wrote:
>    That means every HIP Host must be a p2p peer, and the deployment
> model is the same as the P2P applications such as Skype? In such a
> scenario, only HIP hosts can communicate with each other, so what about the
> interworking solution between HIP and non-HIP hosts?

Every HIP host that is part of the overlay (i.e., routing messages and 
storing data there) would be a peer. Interworking with non-HIP hosts has 
not been in the scope of HIP-BONE so far.

>   I prefer that HIP bone acts as a distributed service system and every
> ordinary HIP host is just a p2p client, and combining with the mechanisms
> described in draft-melen-hip-proxy, the generic interworking solution
> can be provided to any hip and non-hip hosts.

That's an interesting idea. What kind of interworking did you have in mind?


Cheers,
Ari


> hipsec-bounces@ietf.org wrote on 2009-07-28 13:53:39:
> 
>  > Hi,
>  >
>  > wangjun wrote:
>  > > About the HIP ID and Peer ID, My understandings:
>  > > 1) The HIP Bone is a p2p overlay, each other between peers  talk p2p
>  > > protocol, HIP can be encapsulated in a p2p payload..
>  >
>  > Actually, the current idea is that peer protocol messages would be
>  > encapsulated in HIP messages to keep the protocol layering consistent.
>  >
>  > > 2) Every HIP host is a p2p client or a p2p agnostic terminal, and attach to
>  > > arbitrary peer(s) of the overlay; they register their locator-HIP_ID
>  > > bindings into the HIP bone.
>  >
>  > The HIP hosts don't actually need to register locators to the overlay
>  > since the HIP base exchange is done via the overlay and the (best)
>  > locator is discovered using ICE (see [1] but replace HIP relay server
>  > with a HIP BONE overlay).
>  >
>  > > So the HIP Hosts may be designated  a peer ID, but  it's really not
>  > > mandated.
>  >
>  > HIP hosts have peer IDs when they are part of a HIP BONE overlay, but
>  > preferably the peer ID is one of the HITs of the host.
>  >
>  >
>  > Cheers,
>  > Ari
>  >
>  > [1] http://tools.ietf.org/html/draft-ietf-hip-nat-traversal-08
>  >
>  > > -----Original Message-----
>  > > From: hipsec-bounces@ietf.org [mailto:hipsec-bounces@ietf.org] On Behalf Of
>  > > Gonzalo Camarillo
>  > > Sent: 2009-07-21 19:04
>  > > To: Henderson, Thomas R
>  > > Cc: HIP
>  > > Subject: [Hipsec] Comments on the HIP-BONE draft
>  > >
>  > > Hi Tom,
>  > >
>  > > thanks for your comments. Answers inline:
>  > >
>  > >>> http://tools.ietf.org/id/draft-ietf-hip-bone-02.txt
>  > >> I remain very uneasy about the above draft, which I think is not very
>  > >> clear and skirts over some hard issues.
>  > >
>  > > we have moved a few things to the RELOAD instance draft, which is still very
>  > > much work in progress (as you can see if you read the draft). Some issues
>  > > will be addressed there. Of course, any general issues belonging to the
>  > > framework should be addressed in this document.
>  > >
>  > >> The document tries to provide a generalized framework for HIP-based
>  > >> overlays, but it is not clear how it will work when there are multiple
>  > >> peer protocols (multiple overlays) and when the peer IDs are not the
>  > >> same as the node IDs.  The specific instance draft does not handle
>  > >> these issues; it assumes that the peer ID is the ORCHID (which was not
>  > >> acceptable to some in the P2PSIP WG due to possible chosen ID
>  > >> attacks), and is, of course, only one instance.
>  > >
>  > > The framework does not assume that Peer IDs are used at the HIP level.
>  > > It just tells you that depending on the Peer IDs used in your overlay, you
>  > > need to convert them to something HIP can use. Originally, we thought of
>  > > having a draft that described that conversion in general (you yourself were
>  > > working on a similar draft at some point) but now we tend to think that this
>  > > type of conversion is better defined in the instance specs.
>  > >
>  > > Regarding the RELOAD instance draft, this is one of the open issues.
>  > > That is, whether we can use RELOAD peer IDs directly or if we need some type
>  > > of transformation (ORCHIDs have a prefix; therefore, there are less than 128
>  > > bits available).
>  > >
>  > >> In general, I recommend not trying to complete work on a framework for
>  > >> multiple overlays until there is an example of at least how two
>  > >> independent overlays (perhaps with different peer protocols and
>  > >> different peer ID structures) coexist on some of the same nodes, and
>  > >> the peer IDs are not HITs.
>  > >
>  > > RELOAD has its own way of identifying particular overlays. Other peer
>  > > protocols may have different ways. Therefore, this does not seem to be a
>  > > framework issue. Each instance draft would need to describe it separately...
>  > > in any case, I agree it is worthwhile talking a bit more about this in the
>  > > framework.
>  > >
>  > >> The draft states:
>  > >> "Since HIP needs
>  > >> ORCHIDs (and not any type of Peer ID) to work, hosts in the overlay
>  > >> will transform their Peer IDs into ORCHIDs, for example, by taking a
>  > >> hash of the Peer IDs or taking a hash of the Peer ID and the public
>  > >> key."
>  > >>
>  > >> I don't see how this would work since for an ORCHID to be used as a
>  > >> HIT, it must hash a public key.
>  > >
>  > > The text wants to indicate that conversions between Peer IDs and ORCHIDs are
>  > > up to each particular instance specification. I agree removing the examples
>  > > may be a good idea so that they do not mislead readers.
>  > >
>  > >> It is not clear from the document what IDs are being routed if the
>  > >> peer ID is not the same as the HIT.  I think the answer is that it is
>  > >> the peer IDs that are being routed, and HIP is just providing the
>  > >> links between the peer IDs.
>  > >
>  > > Yes, routing tables contain Peer IDs.
>  > >
>  > >> It may be that the peer IDs are the same as HITs in some instances,
>  > >> but it should be architecturally clear that transport connections are
>  > >> being terminated at each hop in the overlay.
>  > >
>  > > Yes, transport connections are between hops in the overlay, as usual.
>  > >
>  > >> If the document were to describe an overlay architecture where you
>  > >> recommend to the peer protocols "Use HITs like you would otherwise use
>  > >> IP addresses, and HIP will take care of the rest of the ugly business
>  > >> of NAT traversal, mobility, and multihoming," then it would seem to be
>  > >> relatively straightforward, so long as HIP took it upon itself with no
>  > >> dependency on the peer protocol to do anything for it.
>  > >>
>  > >> Where I think it becomes conflated, however, is when you try to use the
>  > >> overlay to forward HIP signaling traffic.   I see why you are trying to
>  > >> do this but it leads to these questions:
>  > >
>  > > we had a lot of discussions in the past about this. There were different
>  > > proposals, one of which proposed the simple use you described above. The
>  > > conclusion was to do what HIP BONE specifies. I do not think it would be
>  > > productive to go through the same discussions again at this point.
>  > >
>  > >> 1) the overlay may stitch together addressing realms that have no hope
>  > >> of supporting end-to-end HIP associations between them.  For instance,
>  > >> this simple topology:
>  > >>
>  > >> node A <--------Ipv4 network -----> node B <--------Ipv6 network
>  > >> ---------> node C
>  > >>
>  > >> The overlay may route the I1 from node A to node C and R1 back, but no
>  > >> HIP association between A and C can actually be formed.
>  > >
>  > > This is not a problem specific to the use of HIP in the overlay. It is a
>  > > general problem of the overlay, even if it was not using HIP. If no direct
>  > > connections can be formed between nodes in an overlay, the overlay will most
>  > > likely keep on routing stuff through the overlay.
>  > >
>  > >> 2) what if node B above belongs to multiple other HIP-based overlays?
>  > >> How does it know on which overlay to forward the I1?
>  > >
>  > > This is one of the open issues of the instance draft. RELOAD has its own way
>  > > to identify different overlays. We need to decide how we want to convey that
>  > > information in an I1.
>  > >
>  > >> Also, from a performance perspective, I think there may be some danger
>  > >> in abstracting the underlying topology away from a peer protocol.
>  > >> From the peer protocol layer perspective, HIP makes every node look
>  > >> like it is "on link" whereas in fact, each node is possibly different
>  > >> number of hops away, in different administrative domains of the network,
>  > >> etc.
>  > >
>  > > Not really. When HIP is not used, the ICE module takes care of establishing
>  > > those "links". The complexity of connection management is abstracted out
>  > > even when HIP is not used.
>  > >
>  > >> To summarize, I think there is some value in defining how P2PSIP-based
>  > >> overlay could use HIP to form its links and deal with NAT, mobility,
>  > >> and multihoming.  However, before allowing RELOAD nodes to perform the
>  > >> HIP distributed rendezvous service, I would first define:
>  > >> 1) how the system works in the case where the enrollment server
>  > >> chooses PeerIds that are not HITs
>  > >
>  > > The framework already says this is possible... and the instance draft will
>  > > need to define how that is done for RELOAD, of course.
>  > >
>  > >> 2) how two such independent overlays (run by different organizations)
>  > >> could operate on the same node, and how the node would ensure that
>  > >> messages got onto the right overlays
>  > >
>  > > This will also need to be defined by the instance draft... in any case, I
>  > > agree with you that the framework needs to talk more about this (it does not
>  > > discuss this issue right now).
>  > >
>  > >> The above can all be done by assuming that HIP rendezvous is done in
>  > >> the underlay, not overlay.  As a final step, one might consider
>  > >> whether one of these overlays itself could be leveraged to forward HIP
>  > >> traffic.  If all of this holds together, then I think we might have a
>  > >> framework document that completes the charter item.
>  > >
>  > > You make valid points above. After addressing your points in a new revision
>  > > of the draft (possibly after more list discussions), I think the best way to
>  > > proceed will be to progress the framework and the instance draft together so
>  > > that they can be reviewed at the same time.
>  > > In that way, it will be clearer for the reviewers.
>  > >
>  > >> As an editorial note, I also would recommend skipping section 2
>  > >> because RFC 4423 and other documents are available to provide HIP
>  > >> tutorials.
>  > >
>  > > This is the typical comment we often get from HIP experts :o)...
>  > > however, application-layer people really appreciated that part of the draft
>  > > when they read it. Before writing it, we sent them all types of links to HIP
>  > > documents and tutorials but they did not find them useful.
>  > > I actually believe that having that type of tutorial material in the draft
>  > > makes it much easier for application-layer people to understand the draft
>  > > (and eventually decide to use it). So, I strongly suggest to keep it in the
>  > > draft.
>  > >
>  > > Thanks,
>  > >
>  > > Gonzalo
>  > >
>  > > _______________________________________________
>  > > Hipsec mailing list
>  > > Hipsec@ietf.org
>  > > https://www.ietf.org/mailman/listinfo/hipsec
>  > >


From heer@informatik.rwth-aachen.de  Wed Jul 29 05:36:40 2009
Message-id: <5C7C2C07-C267-4F5A-AFDE-5373CAB69D41@cs.rwth-aachen.de>
From: Tobias Heer <heer@cs.rwth-aachen.de>
To: Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>
In-reply-to: <4A6447DC.7070005@ericsson.com>
Date: Wed, 29 Jul 2009 14:36:37 +0200
References: <4A6447DC.7070005@ericsson.com>
X-Mailer: Apple Mail (2.935.3)
Cc: hip WG <hipsec@ietf.org>
Subject: Re: [Hipsec] Overlay work: status and request for input
X-List-Received-Date: Wed, 29 Jul 2009 12:36:41 -0000

Hi Gonzalo.

Comments inline:
On 20.07.2009 at 12:33, Gonzalo Camarillo wrote:

> Folks,
>
> here you have a summary of the status of the overlay work.
> Additionally, we have some questions for the WG related to our
> milestones and their related charter items. Your input on those
> questions is very welcome.
>
> 1) We have the following milestone:
>
> We would like to ask the WG
> if it is OK to split our current milestone in two so that they cover the
> high-level framework and the definition in separate documents.
>
I think it makes sense - yes.

> http://tools.ietf.org/internet-drafts/draft-keranen-hip-reload-instance-00.txt
>
> Additionally, we would like to ask the WG if we should take the draft
> above as the WG item associated to the milestone for the definition.
>

Provided the issues that Tom pointed out can be resolved, I support  
this decision.

> 2) We have the following milestone:
>
> "Specify how to carry upper-layer data over specified HIP
> packets. These include some of the existing HIP packets and possibly
> new HIP packets (e.g., a HIP packet that occurs outside a HIP base
> exchange)."
>
> We still do not have a WG item for it but the following draft has been
> around for some time. We would like to ask the WG if we should adopt the
> following draft as the WG item for this milestone.
>
> http://tools.ietf.org/internet-drafts/draft-nikander-hip-hiccups-02.txt
>

I am fine with this, too.

> Revision 02 of the draft above is identical to 01 (the only changes are
> the date and the new copyright). The authors intend to address the
> comments received on the list shortly.
>
> 3) In order to be able to support the functionality provided by RELOAD,
> HIP needs to support multi-hop routing. Instead of specifying it in the
> HIP BONE draft, having a separate draft seems to make more sense given
> that this functionality has a more general applicability than overlays.
> We would like to ask the WG if we should spin off a new milestone from
> our original milestone for overlays that covers multihop routing in HIP.
>
> The following draft takes a stab at specifying multihop routing in HIP.
> We would like to ask the WG if we should adopt it as a WG item for the
> milestone above (assuming we decide to create the milestone).
>
> http://tools.ietf.org/internet-drafts/draft-camarillo-hip-via-00.txt
>
> 4) We have the following milestone:
>
> "Specify how to generate ORCHIDs from other node identifiers
> including both cryptographic ones (leading to cryptographic
> delegation) and non-cryptographic ones (e.g., identifiers defined by a
> peer protocol)."
>
> When we created that milestone, we expected to have a generic mechanism
> to transform node IDs into ORCHIDs. However, at this point, it seems
> that such transformation will be done in different ways depending on the
> peer protocol used in a particular overlay. For example, the instance
> specification for RELOAD draft defines such transformation for RELOAD
> peer identifiers. The fact that nobody has submitted a draft for that
> milestone seems to confirm the previous impression. We would like to ask
> the WG if we should remove that milestone from our charter.
>

I agree.

BR,

Tobias

> Thanks,
>
> Gonzalo
> HIP co-chair
>

--  

Dipl.-Inform. Tobias Heer, Ph.D. Student
Distributed Systems Group
RWTH Aachen University, Germany
tel: +49 241 80 207 76
web: http://ds.cs.rwth-aachen.de/members/heer

From ari.keranen@nomadiclab.com  Wed Jul 29 06:03:15 2009
Return-Path: <ari.keranen@nomadiclab.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Message-ID: <4A704868.5030404@nomadiclab.com>
Date: Wed, 29 Jul 2009 16:02:32 +0300
From: Ari Keranen <ari.keranen@nomadiclab.com>
User-Agent: Thunderbird 2.0.0.22 (X11/20090608)
MIME-Version: 1.0
To: HIP <hipsec@ietf.org>
References: <4A64469A.2020402@ericsson.com>
In-Reply-To: <4A64469A.2020402@ericsson.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [Hipsec] ROUTE_VIA and _DST support for HIP native API
X-List-Received-Date: Wed, 29 Jul 2009 13:03:15 -0000

Hi,

Sorry that this comes a bit late in the process, but I think it would 
make sense to have support for the source routing & route recording 
ROUTE_DST and ROUTE_VIA parameters [1] in the HIP native API. They are 
needed for HIP BONE but likely they have use also in other contexts and 
then an application would need an API for using them.

Maybe the API that RFC 2292 [2] defines for IPv6 routing header could be 
re-used for this purpose.


Cheers,
Ari

[1] http://tools.ietf.org/html/draft-camarillo-hip-via-00
[2] http://tools.ietf.org/html/rfc2292#section-8

From miika.komu@hiit.fi  Wed Jul 29 08:25:00 2009
Return-Path: <miika.komu@hiit.fi>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Message-ID: <4A7069BF.60000@hiit.fi>
Date: Wed, 29 Jul 2009 18:24:47 +0300
From: Miika Komu <miika.komu@hiit.fi>
User-Agent: Thunderbird 2.0.0.22 (X11/20090608)
MIME-Version: 1.0
To: Tobias Heer <heer@cs.rwth-aachen.de>
References: <4A64469A.2020402@ericsson.com> <BD65F25F-8BFE-4314-8E19-AE60C258A9B8@cs.rwth-aachen.de>
In-Reply-To: <BD65F25F-8BFE-4314-8E19-AE60C258A9B8@cs.rwth-aachen.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: hip WG <hipsec@ietf.org>
Subject: Re: [Hipsec] Requesting the publication of	draft-ietf-hip-native-api-07.txt
Reply-To: miika.komu@hiit.fi
X-List-Received-Date: Wed, 29 Jul 2009 15:25:01 -0000

Tobias Heer wrote:

Hi,

Thanks to Tobias for the good comments! A new preversion updated with the 
comments from Tobias is here:

http://www.iki.fi/miika/docs/draft-ietf-hip-native-api-08-pre1.txt

I'll submit the final version today after Tobias has acknowledged the 
changes and I've written text for Ari's overlay extensions.

Below are some replies to the comments from Tobias.

> Hi everyone.
> 
> Below are some comments on the draft. I am sorry that these comments are so 
> late but I hope they are useful anyway.
> 
> Conceptual comments first:
> ---------------------------
> 
> Section 4.1: The behavior of the system if HIP_ENDPOINT_ANY is used is 
> not clear. First, the text says that "any other type of address" can be 
> returned. I would like to know which addresses this could be. After 
> talking to Miika he confirmed that "any other address" means IPv4 or 
> IPv6. It would be good to be clear here.
> 
> The possibility of ending up with an IPv4 socket when using 
> HIP_ENDPOINT_ANY also bears a follow-up problem: Since the address 
> format of IPv4 and IPv6 differ, it is not clear what sockaddr_hip should 
> contain if the socket is bound to an IPv4 address instead of a HIT or IPv6 
> address. From the text it is not clear if a sockaddr_hip would be 
> replied at all or if a sockaddr_in or sockaddr_in6 would be replied. After 
> some private discussion with Miika we came up with the following 
> solution: In the IPv6 case sockaddr_hip.hip_hit_t should contain a 
> regular IPv6 address (no magic because these have the same format as 
> HITs). In the IPv4 case, the sockaddr_hip.hip_hit_t should be a mapped 
> representation of the IPv4 address in IPv6 format (see RFC2553). In case 
> the system calls accept() or recv() return a sockaddr_hip after binding 
> to HIP_ENDPOINT_ANY, the host should check the type of the address with 
> the sockaddr_is_srcaddr function to determine the actual nature of the 
> socket. I suggest to clarify this issue in Section 4.1.

Added one paragraph:

    When a connection-oriented server application binds to
    HIP_ENDPOINT_ANY and calls accept(), the call always outputs a
    sockaddr_hip structure containing information on the connected client
    with the address family set to AF_HIP.  The same applies also to
    datagram-oriented recvfrom() and recvmsg() calls.  If the data flow
    was based on HIP, the ship_hit field contains a HIT.  In the case of
    an IPv6 data flow without HIP, the field contains the corresponding
    IPv6 address of the client.  In the case of an IPv4 flow without HIP,
    the field contains the client's IPv4 address in IPv4-mapped IPv6
    address format as described in section 3.7 of [RFC2553].  Section 4.5
    describes how the application can verify the type of the address
    returned by the socket API calls.

Is this ok?

> Section 4.3: The text only considers the HIP_HIT_* wildcards but not the 
> HIP_ENDPOINT_ANY wildcard. Explanation about the possible bindings for 
> HIP_ENDPOINT_ANY (IPv4, IPv6, HIT) should be given here, too. The 
> function getsockname() and getpeername() could also return a mapped IPv4 
> address of an IPv6 address in case the socket is not HIP. Again the use 
> of sockaddr_is_srcaddr should be considered to figure out the type of 
> socket.

I did the following two changes:

    However, the sockaddr_hip structure does not contain a HIT when the
    application uses the HIP_HIT_ANY_* or HIP_ENDPOINT_ANY constants..

    ..The application should be prepared to handle also IPv4 and IPv6
    addresses in the ship_hit field as described in Section 4.1 in the
    context of the HIP_ENDPOINT_ANY constant.

> Security considerations: The use of HIP_ENDPOINT_ANY and a resulting 
> binding to an IPv4 or IPv6 socket leads to a lower level of security 
> compared to HIP. In my opinion this should be noted in the security 
> considerations.

Added:

    The use of HIP_ENDPOINT_ANY can be used to accept incoming or create
    outgoing data flows without HIP.  The application should use the
    sockaddr_is_srcaddr() function to validate the type of the connection
    in order to e.g. inform the user of the lack of HIP-based security.
    The use of the HIP_HIT_ANY_* constants is recommended in security-
    critical applications and systems.

> Editorial comments:
> --------------------
> 
> Section 3: I suggest to rename Section 3 ("API Overview") to something 
> like "Name Resolution Process" or "Resolver Overview" because it does 
> only talk about the resolver and not about the API in general.

Done.

> Section 3.1: There should be a reference to Figure 1 in the beginning of 
> Section 3.1.

It was already there in the first paragraph, second sentence:

    Before an application can establish network communications with the
    entity named by a given FQDN or relative host name, the application
    must translate the name into the corresponding identifier(s).  DNS-
    based hostname-to-identifier translation is illustrated in Figure 1.

> Section 4.1: The text says that the system should return -1 and 
> EAFNOSUPPORT if AF_HIP is not supported. I suggest to emphasize that 
> this is the default behavior for unsupported address families and that 
> this does not require changes to legacy hosts.

Added:

   This is the default behavior for unsupported address families
   and does not require any changes to legacy systems.

> Section 4.2.1: "Resolver can return" -> "The resolver can return"

Ok.

> Section 4.3: The text is somewhat confusing because first the client 
> case and then the server case are explained without notable distinction. 
> I suggest to only talk about the server case here since this is not 
> relevant for the client anyway.

But it is relevant to clients as well. An earlier section says:

   The use of HIP_ENDPOINT_ANY constant in the context of outgoing
   communications is left for further experimentation in the context
   of opportunistic mode. It can result in a data flow with or
   without HIP.

I believe that it was the first sentence that was confusing you, so I 
just removed it from the text. Is it ok now?

> Section 4.4: The section talks about specific bindings to certain HIP 
> classes. Noting that a binding to specific HIT can also be achieved by 
> using bind() and a local HIT in sockaddr_hip.hip_hit_t may be helpful.

I added an introduction to the beginning of the section:

    A client-side application can choose its source HIT by e.g. querying
    all of the local HITs with getaddrinfo() and associating one of them
    with the socket using bind().  This section describes another method
    for a client-side application to affect the selection of the source
    HIT type where the application does not call bind() explicitly.
    Instead, the application just specifies the preferred requirements
    for the source HIT type.

> Best regards!
> 
> Tobias
> 
> 
> 
> 
> On 20.07.2009 at 13:27, Gonzalo Camarillo wrote:
> 
>> Folks,
>>
>> the draft below includes all the comments received during its WGLC. 
>> Please, have a final look at it because we intend to request its 
>> publication in one week.
>>
>> http://www.ietf.org/internet-drafts/draft-ietf-hip-native-api-07.txt
>>
>> Thanks,
>>
>> Gonzalo
>> HIP co-chair
>>
> -- 
> Dipl.-Inform. Tobias Heer, Ph.D. Student
> Distributed Systems Group
> RWTH Aachen University, Germany
> tel: +49 241 80 207 76
> web: http://ds.cs.rwth-aachen.de/members/heer
> 
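
An added example, not part of the original messages or of the draft: a C sketch of the check discussed above, where an application that bound to HIP_ENDPOINT_ANY inspects the 16-byte address it got back and decides whether the flow is HIP-protected. All names (peer_kind, classify_peer, peer_allowed, classify_text) are hypothetical, the code works on a plain struct in6_addr rather than the draft's sockaddr_hip, and the ORCHID prefixes are taken from RFC 4843 and RFC 7343.

```c
/* Added illustration; every name below is hypothetical, not from the draft. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>

enum peer_kind {
    PEER_INVALID = 0,  /* NULL pointer or unspecified (::) address */
    PEER_HIT,          /* ORCHID prefix: the data flow was based on HIP */
    PEER_IPV4_MAPPED,  /* ::ffff:a.b.c.d: IPv4 flow without HIP */
    PEER_IPV6          /* any other address: IPv6 flow without HIP */
};

/* ORCHID prefixes, compared on the top 28 bits of the address. */
#define ORCHID_V1_PREFIX 0x20010010u  /* 2001:10::/28, RFC 4843 */
#define ORCHID_V2_PREFIX 0x20010020u  /* 2001:20::/28, RFC 7343 */

static int has_prefix28(const struct in6_addr *a, uint32_t prefix)
{
    uint32_t top = ((uint32_t)a->s6_addr[0] << 24) |
                   ((uint32_t)a->s6_addr[1] << 16) |
                   ((uint32_t)a->s6_addr[2] << 8)  |
                    (uint32_t)a->s6_addr[3];
    return (top & 0xFFFFFFF0u) == prefix;
}

/*
 * Classify the address returned by accept()/recvfrom()/getpeername().
 * This looks at the address format only; it relies on the HIP-aware
 * stack filling the field the way the quoted draft paragraph describes.
 */
enum peer_kind classify_peer(const struct in6_addr *a)
{
    if (a == NULL || IN6_IS_ADDR_UNSPECIFIED(a))
        return PEER_INVALID;
    if (has_prefix28(a, ORCHID_V1_PREFIX) || has_prefix28(a, ORCHID_V2_PREFIX))
        return PEER_HIT;
    if (IN6_IS_ADDR_V4MAPPED(a))
        return PEER_IPV4_MAPPED;
    return PEER_IPV6;
}

/*
 * Policy decision, failing closed: with require_hip set, only a HIT is
 * accepted; without it, plain IPv4/IPv6 peers pass but the caller should
 * still surface the lack of HIP-based security to the user.
 */
int peer_allowed(const struct in6_addr *a, int require_hip)
{
    enum peer_kind k = classify_peer(a);

    if (k == PEER_INVALID)
        return 0;
    return !require_hip || k == PEER_HIT;
}

/* Helper for the demo: classify a textual IPv6 address. */
enum peer_kind classify_text(const char *text)
{
    struct in6_addr a;

    if (text == NULL || inet_pton(AF_INET6, text, &a) != 1)
        return PEER_INVALID;
    return classify_peer(&a);
}

int main(void)
{
    /* Constructed sample addresses, not taken from the thread. */
    static const char *samples[] = {
        "2001:10::1", "2001:db8::1", "::ffff:192.0.2.7", "::"
    };
    static const char *names[] = { "invalid", "HIT", "IPv4-mapped", "IPv6" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-18s -> %s\n", samples[i], names[classify_text(samples[i])]);
    return 0;
}
```
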


From miika.komu@hiit.fi  Wed Jul 29 09:05:14 2009
Return-Path: <miika.komu@hiit.fi>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Message-ID: <4A707308.2090209@hiit.fi>
Date: Wed, 29 Jul 2009 19:04:24 +0300
From: Miika Komu <miika.komu@hiit.fi>
User-Agent: Thunderbird 2.0.0.22 (X11/20090608)
MIME-Version: 1.0
To: Ari Keranen <ari.keranen@nomadiclab.com>
References: <4A64469A.2020402@ericsson.com> <4A704868.5030404@nomadiclab.com>
In-Reply-To: <4A704868.5030404@nomadiclab.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] ROUTE_VIA and _DST support for HIP native API
Reply-To: miika.komu@hiit.fi
X-List-Received-Date: Wed, 29 Jul 2009 16:05:14 -0000

Ari Keranen wrote:

Hi,

> Hi,
> 
> Sorry that this comes a bit late in the process, but I think it would 
> make sense to have support for the source routing & route recording 
> ROUTE_DST and ROUTE_VIA parameters [1] in the HIP native API. They are 
> needed for HIP BONE but likely they have use also in other contexts and 
> then an application would need an API for using them.
> 
> Maybe the API that RFC 2292 [2] defines for IPv6 routing header could be 
> re-used for this purpose.
> 
> 
> Cheers,
> Ari
> 
> [1] http://tools.ietf.org/html/draft-camarillo-hip-via-00
> [2] http://tools.ietf.org/html/rfc2292#section-8

I had a brief look at the routing header options and I think this would 
require a lot more work. I think we just can't tell "use IPv6 routing 
header for route recording" because we need to dig out the differences 
with orchid vs. IPv6 routing and flesh out all the details. The current 
time schedule is quite tight for this too.

Currently, the native API draft defines "Basic Socket Interface 
Extensions for Host Identity Protocol (HIP)". I believe the hiccups 
extensions belong to the category of "advanced" and the reference to [2] 
is also "Advanced Sockets API for IPv6".

I would propose that we'd introduce another document for orchid routing 
or add them to the VIA draft. Please comment on this proposal ASAP so that 
I'll have more time to hack this over the night if people want to see 
the changes in the native API.

From miika.komu@hiit.fi  Wed Jul 29 09:20:19 2009
Return-Path: <miika.komu@hiit.fi>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Message-ID: <4A7076C2.3080606@hiit.fi>
Date: Wed, 29 Jul 2009 19:20:18 +0300
From: Miika Komu <miika.komu@hiit.fi>
User-Agent: Thunderbird 2.0.0.22 (X11/20090608)
MIME-Version: 1.0
To: hip WG <hipsec@ietf.org>
References: <4A64469A.2020402@ericsson.com>	<BD65F25F-8BFE-4314-8E19-AE60C258A9B8@cs.rwth-aachen.de> <4A7069BF.60000@hiit.fi>
In-Reply-To: <4A7069BF.60000@hiit.fi>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [Hipsec] Requesting the publication	of	draft-ietf-hip-native-api-07.txt
Reply-To: miika.komu@hiit.fi
X-List-Received-Date: Wed, 29 Jul 2009 16:20:19 -0000

Miika Komu wrote:

Hi,

I ran the draft through a spell checker and made some typo fixes. If 
nobody objects, I think the use of AI_EXTFLAGS is not strictly speaking 
necessary. Pre2 version is here:

http://www.iki.fi/miika/docs/draft-ietf-hip-native-api-08-pre2.txt

From ari.keranen@nomadiclab.com  Wed Jul 29 14:13:27 2009
Return-Path: <ari.keranen@nomadiclab.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Date: Thu, 30 Jul 2009 00:13:26 +0300 (EEST)
From: Ari Keränen <ari.keranen@nomadiclab.com>
To: Miika Komu <miika.komu@hiit.fi>
In-Reply-To: <4A707308.2090209@hiit.fi>
Message-ID: <Pine.NEB.4.64.0907292347540.3972@inside.nomadiclab.com>
References: <4A64469A.2020402@ericsson.com> <4A704868.5030404@nomadiclab.com> <4A707308.2090209@hiit.fi>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] ROUTE_VIA and _DST support for HIP native API
X-List-Received-Date: Wed, 29 Jul 2009 21:13:27 -0000

On Wed, 29 Jul 2009, Miika Komu wrote:
> Ari Keranen wrote:
>> Sorry that this comes a bit late in the process, but I think it would make 
>> sense to have support for the source routing & route recording ROUTE_DST 
>> and ROUTE_VIA parameters [1] in the HIP native API. They are needed for HIP 
>> BONE but likely they have use also in other contexts and then an 
>> application would need an API for using them.
>> 
>> Maybe the API that RFC 2292 [2] defines for IPv6 routing header could be 
>> re-used for this purpose.
>> 
>> 
>> Cheers,
>> Ari
>> 
>> [1] http://tools.ietf.org/html/draft-camarillo-hip-via-00
>> [2] http://tools.ietf.org/html/rfc2292#section-8
>
> I had a brief look at the routing header options and I think this would 
> require a lot more work. I think we just can't tell "use IPv6 routing header 
> for route recording" because we need to dig out the differences with orchid 
> vs. IPv6 routing and flesh out all the details. The current time schedule is 
> quite tight for this too.
>

Actually my idea was not that you would use IPv6 routing header for the 
route recording, but you could perhaps re-use the API -- if it makes 
sense. The actual (HIP) route recording and source routing would be done 
with the ROUTE_{VIA,DST} parameters. If some other API than what RFC 2292 
proposes is better, that's perfectly fine for me. Based on your comments, 
some other form of API is probably better.

Essentially an application would need to be able to give a HIP socket a 
list of HITs (for source routing), set option to enable route recording 
and symmetric routing, and be able to read a recorded route (i.e., a list 
of HITs). I think a quite simple API extension would be sufficient for 
this.

But by tight schedule are you referring to WGLC? I guess it's OK to 
postpone that a couple of days/weeks, if necessary?

> Currently, the native API draft defines "Basic Socket Interface Extensions 
> for Host Identity Protocol (HIP)". I believe the hiccups extensions belong to 
> the category of "advanced" and the reference to [2] is also "Advanced Sockets 
> API for IPv6".
>
> I would propose that we'd introduce another document for orchid routing or 
> add them to the VIA draft. Please comment on this proposal ASAP so that I'll 
> have more time to hack this over the night if people want to see the changes 
> in the native API.
>

This is not really a HICCUPS extension, but I see your point. If we have 
more "advanced" features, a new API draft could make sense, but probably 
not for just this extension. Also the VIA draft does not seem like a right 
place for API documentation.


Cheers,
Ari

From heer@informatik.rwth-aachen.de  Wed Jul 29 14:14:38 2009
Return-Path: <heer@informatik.rwth-aachen.de>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
MIME-version: 1.0
Content-transfer-encoding: 7BIT
Content-type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Message-id: <225D36C8-3A02-4B65-9769-005AE19D5D8A@cs.rwth-aachen.de>
From: Tobias Heer <heer@cs.rwth-aachen.de>
To: miika.komu@hiit.fi
In-reply-to: <4A7069BF.60000@hiit.fi>
Date: Wed, 29 Jul 2009 23:13:59 +0200
References: <4A64469A.2020402@ericsson.com> <BD65F25F-8BFE-4314-8E19-AE60C258A9B8@cs.rwth-aachen.de> <4A7069BF.60000@hiit.fi>
X-Mailer: Apple Mail (2.935.3)
Cc: hip WG <hipsec@ietf.org>
Subject: Re: [Hipsec] Requesting the publication of draft-ietf-hip-native-api-07.txt
X-List-Received-Date: Wed, 29 Jul 2009 21:14:39 -0000

Hi Miika,

I am fine with all changes. Below I acknowledged them one by one but I  
do not have any objections.

BR,

Tobias

On 29.07.2009 at 17:24, Miika Komu wrote:

> Tobias Heer wrote:
>
> Hi,
>
> thanks to Tobias for the good comments! A new preversion updated with
> the comments from Tobias is here:
>
> http://www.iki.fi/miika/docs/draft-ietf-hip-native-api-08-pre1.txt
>
> I'll submit the final version today after Tobias has acknowledged  
> the changes and I've written text for Ari's overlay extensions.
>
> Below some replies for the comments from Tobias.
>
>> Hi everyone.
>> Below some comments on the draft. I am sorry that these comments  
>> are so late but I hope they are useful anyway.
>> Conceptual comments first:
>> ---------------------------
>> Section 4.1: The behavior of the system if HIP_ENDPOINT_ANY is used  
>> is not clear. First, the text says that "any other type of address"  
>> can be returned. I would like to know which addresses this could  
>> be. After talking to Miika he confirmed that "any other address"  
>> means IPv4 or IPv6. It would be good to be clear here.
>> The possibility of ending up with an IPv4 socket when using  
>> HIP_ENDPOINT_ANY also bears a follow-up problem: Since the address  
>> format of IPv4 and IPv6 differ, it is not clear what sockaddr_hip  
>> should contain if the socket is bound to an IPv4 address instead of a
>> HIT or IPv6 address. From the text it is not clear if a
>> sockaddr_hip would be replied at all or if a sockaddr_in or
>> sockaddr_in6 would be replied. After some private discussion with
>> Miika we came up with the following solution: In the IPv6 case  
>> sockaddr_hip.hip_hit_t should contain a regular IPv6 address (no  
>> magic because these have the same format as HITs). In the IPv4  
>> case, the sockaddr_hip.hip_hit_t should be a mapped representation  
>> of the IPv4 address in IPv6 format (see RFC2553). In case the  
>> system calls accept() or recv() return a sockaddr_hip after binding  
>> to HIP_ENDPOINT_ANY, the host should check the type of the address  
>> with the sockaddr_is_srcaddr function to determine the actual  
>> nature of the socket. I suggest to clarify this issue in Section 4.1.
>
> Added one paragraph:
>
>   When a connection-oriented server application binds to
>   HIP_ENDPOINT_ANY and calls accept(), the call outputs always a
>   sockaddr_hip structure containing information on the connected client
>   with the address family set to AF_HIP.  The same applies also to
>   datagram-oriented recvfrom() and recvmsg() calls.  If the data flow
>   was based on HIP, the ship_hit field contains a HIT.  In the case of
>   an IPv6 data flow without HIP, the field contains the corresponding
>   IPv6 address of the client.  In the case of an IPv4 flow without HIP,
>   the field contains the client's IPv4 address in IPv4-mapped IPv6
>   address format as described in section 3.7 of [RFC2553].  Section 4.5
>   describes how the application can verify the type of the address
>   returned by the socket API calls.
>
> Is this ok?

Yes.

>
>> Section 4.3: The text only considers the HIP_HIT_* wildcards but  
>> not the HIP_ENDPOINT_ANY wildcard. Explanation about the possible  
>> bindings for HIP_ENDPOINT_ANY (IPv4, IPv6, HIT) should be given  
>> here, too. The function getsockname() and getpeername() could also  
>> return a mapped IPv4 address of a IPv6 address in case the socket  
>> is not HIP. Again the use of sockaddr_is_srcaddr should be  
>> considered to figure out the type of socket.
>
> I did the following two changes:
>
>   However, the sockaddr_hip structure does not contain a HIT when the
>   application uses the HIP_HIT_ANY_* or HIP_ENDPOINT_ANY constants..
>
>   ..The application should be prepared to handle also IPv4 and IPv6
>   addresses in the ship_hit field as described in Section 4.1 in the
>   context of the HIP_ENDPOINT_ANY constant.

Good, thanks.

>
>> Security considerations: The use of HIP_ENDPOINT_ANY and a  
>> resulting binding to an IPv4 or IPv6 socket leads to a lower level  
>> of security compared to HIP. In my opinion this should be noted in  
>> the security considerations.
>
> Added:
>
>   The use of HIP_ENDPOINT_ANY can be used to accept incoming or create
>   outgoing data flows without HIP.  The application should use the
>   sockaddr_is_srcaddr() function to validate the type of the connection
>   in order to e.g. inform the user of the lack of HIP-based security.
>   The use of the HIP_HIT_ANY_* constants is recommended in security-
>   critical applications and systems.

okay.

>
>> Editorial comments:
>> --------------------
>> Section 3: I suggest to rename Section 3 ("API Overview") to  
>> something like "Name Resolution Process" or "Resolver Overview"  
>> because it does only talk about the resolver and not about the API  
>> in general.
>
> Done.

ok.
>
>> Section 3.1: There should be a reference to Figure 1 in the  
>> beginning of Section 3.1.
>
> It was already there on the first paragraph, second sentence:
>
>   Before an application can establish network communications with the
>   entity named by a given FQDN or relative host name, the application
>   must translate the name into the corresponding identifier(s).  DNS-
>   based hostname-to-identifier translation is illustrated in Figure 1.
>
>> Section 4.1: The text says that the system should return -1 and  
>> EAFNOSUPPORT if AF_HIP is not supported. I suggest to emphasize  
>> that this is the default behavior for unsupported address families  
>> and that this does not require changes to legacy hosts.
>
> Added:
>
>  This is the default behavior for unsupported address families
>  and does not require any changes to legacy systems.

Ok.
>
>> Section 4.3: The text is somewhat confusing because first the  
>> client case and then the server case are explained without notable  
>> distinction. I suggest to only talk about the server case here  
>> since this is not relevant for the client anyway.
>
> But it is relevant to clients as well. Earlier section says:
>
>  The use of HIP_ENDPOINT_ANY constant in the context of outgoing
>  communications is left for further experimentation in the context
>  of opportunistic mode. It can result in a data flow with or
>  without HIP.
>
> I believe that it was the first sentence that was confusing you, so  
> I just removed it from the text. Is it ok now?
>

Ok.

>> Section 4.4: The section talks about specific bindings to certain  
>> HIP classes. Noting that a binding to specific HIT can also be  
>> achieved by using bind() and a local HIT in sockaddr_hip.hip_hit_t  
>> may be helpful.
>
> I added an introduction to the beginning of the section:
>
>   A client-side application can choose its source HIT by e.g. querying
>   all of the local HITs with getaddrinfo() and associating one of them
>   with the socket using bind().  This section describes another method
>   for a client-side application to affect the selection of the source
>   HIT type where the application does not call bind() explicitly.
>   Instead, the application just specifies the preferred requirements
>   for the source HIT type.

Okay.




>
>> Best regards!
>> Tobias
>> On 20.07.2009 at 13:27, Gonzalo Camarillo wrote:
>>> Folks,
>>>
>>> the draft below includes all the comments received during its  
>>> WGLC. Please, have a final look at it because we intend to request  
>>> its publication in one week.
>>>
>>> http://www.ietf.org/internet-drafts/draft-ietf-hip-native-api-07.txt
>>>
>>> Thanks,
>>>
>>> Gonzalo
>>> HIP co-chair
>>>
>>> _______________________________________________
>>> Hipsec mailing list
>>> Hipsec@ietf.org
>>> https://www.ietf.org/mailman/listinfo/hipsec
>> -- 
>> Dipl.-Inform. Tobias Heer, Ph.D. Student
>> Distributed Systems Group
>> RWTH Aachen University, Germany
>> tel: +49 241 80 207 76
>> web: http://ds.cs.rwth-aachen.de/members/heer
>




--  

Dipl.-Inform. Tobias Heer, Ph.D. Student
Distributed Systems Group
RWTH Aachen University, Germany
tel: +49 241 80 207 76
web: http://ds.cs.rwth-aachen.de/members/heer
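
Added example, not part of the original message or of the draft: C code for the check discussed in this thread, classifying the 16-byte address an application finds in ship_hit after binding to HIP_ENDPOINT_ANY and refusing non-HIP peers when policy requires HIP. The names classify_peer, peer_allowed and peer_to_text are hypothetical, the HIT test assumes the ORCHID prefix 2001:10::/28 of RFC 4843, and the code stands in for the draft's sockaddr_is_srcaddr() rather than reproducing it; the sample addresses are constructed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical names for this example; not part of the draft's API. */
enum peer_kind { PEER_INVALID = 0, PEER_HIT, PEER_IPV4_MAPPED, PEER_IPV6 };

/* Classify the 128-bit value carried in ship_hit. */
enum peer_kind classify_peer(const struct in6_addr *a)
{
    /* ::ffff:a.b.c.d : 80 zero bits followed by 16 one bits */
    static const uint8_t mapped_prefix[12] =
        { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff };
    const uint8_t *b = a->s6_addr;

    /* Assumption: HITs live in the ORCHID prefix 2001:10::/28 (RFC 4843),
     * i.e. the first 28 bits are 0x2001001. */
    if (b[0] == 0x20 && b[1] == 0x01 && b[2] == 0x00 && (b[3] & 0xf0) == 0x10)
        return PEER_HIT;
    if (memcmp(b, mapped_prefix, sizeof mapped_prefix) == 0)
        return PEER_IPV4_MAPPED;
    return PEER_IPV6;
}

/* Convenience wrapper for textual input (logs, configuration, tests). */
enum peer_kind classify_peer_text(const char *text)
{
    struct in6_addr a;

    if (inet_pton(AF_INET6, text, &a) != 1)
        return PEER_INVALID;
    return classify_peer(&a);
}

/* Policy gate: with require_hip set, only peers identified by a HIT pass. */
int peer_allowed(const struct in6_addr *a, int require_hip)
{
    return !require_hip || classify_peer(a) == PEER_HIT;
}

/* Printable form for audit logs; a mapped address is shown as dotted quad. */
const char *peer_to_text(const struct in6_addr *a, char *buf, size_t len)
{
    if (classify_peer(a) == PEER_IPV4_MAPPED)
        return inet_ntop(AF_INET, a->s6_addr + 12, buf, (socklen_t)len);
    return inet_ntop(AF_INET6, a, buf, (socklen_t)len);
}

int main(void)
{
    /* Constructed sample peers: a HIT, a plain IPv6 and a mapped IPv4. */
    static const char *samples[] = {
        "2001:10::1", "2001:db8::5", "::ffff:192.0.2.7"
    };
    static const char *names[] = { "invalid", "HIT", "IPv4-mapped", "IPv6" };
    char buf[INET6_ADDRSTRLEN];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct in6_addr a;

        if (inet_pton(AF_INET6, samples[i], &a) != 1)
            continue;
        printf("%-18s %-12s %s\n", peer_to_text(&a, buf, sizeof buf),
               names[classify_peer(&a)],
               peer_allowed(&a, 1) ? "accept" : "reject (no HIP)");
    }
    return 0;
}
```

The classification only reports what kind of identifier the stack returned; whether a non-HIP peer is acceptable remains a local policy decision, as the security considerations text quoted above notes.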








From miika.komu@hiit.fi  Wed Jul 29 14:28:16 2009
Message-ID: <4A70BEEE.3070505@hiit.fi>
Date: Thu, 30 Jul 2009 00:28:14 +0300
From: Miika Komu <miika.komu@hiit.fi>
User-Agent: Thunderbird 2.0.0.22 (X11/20090608)
MIME-Version: 1.0
To: Tobias Heer <heer@cs.rwth-aachen.de>
References: <4A64469A.2020402@ericsson.com> <BD65F25F-8BFE-4314-8E19-AE60C258A9B8@cs.rwth-aachen.de> <4A7069BF.60000@hiit.fi> <225D36C8-3A02-4B65-9769-005AE19D5D8A@cs.rwth-aachen.de>
In-Reply-To: <225D36C8-3A02-4B65-9769-005AE19D5D8A@cs.rwth-aachen.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: hip WG <hipsec@ietf.org>
Subject: Re: [Hipsec] Requesting the publication of draft-ietf-hip-native-api-07.txt

Tobias Heer wrote:

Hi,

thanks, your changes are available now in the final 08 version.

> Hi Miika,
> 
> I am fine with all changes. Below I acknowledged them one by one but I 
> do not have any objections.
> 
> BR,
> 
> Tobias
> 
> On 29.07.2009 at 17:24, Miika Komu wrote:
> 
>> Tobias Heer wrote:
>>
>> Hi,
>>
>> thanks to Tobias for the good comments! A new preversion updated with the
>> comments from Tobias is here:
>>
>> http://www.iki.fi/miika/docs/draft-ietf-hip-native-api-08-pre1.txt
>>
>> I'll submit the final version today after Tobias has acknowledged the 
>> changes and I've written text for Ari's overlay extensions.
>>
>> Below some replies for the comments from Tobias.
>>
>>> Hi everyone.
>>> Below some comments on the draft. I am sorry that these comments are 
>>> so late but I hope they are useful anyway.
>>> Conceptual comments first:
>>> ---------------------------
>>> Section 4.1: The behavior of the system if HIP_ENDPOINT_ANY is used 
>>> is not clear. First, the text says that "any other type of address" 
>>> can be returned. I would like to know which addresses this could be. 
>>> After talking to Miika he confirmed that "any other address" means 
>>> IPv4 or IPv6. It would be good to be clear here.
>>> The possibility of ending up with an IPv4 socket when using 
>>> HIP_ENDPOINT_ANY also bears a follow-up problem: Since the address 
>>> format of IPv4 and IPv6 differ, it is not clear what sockaddr_hip 
>>> should contain if the socket is bound to an IPv4 address instead of a
>>> HIT or IPv6 address. From the text it is not clear if a sockaddr_hip
>>> would be replied at all or if a sockaddr_in or sockaddr_in6 would be
>>> replied. After some private discussion with Miika we came up with the 
>>> following solution: In the IPv6 case sockaddr_hip.hip_hit_t should 
>>> contain a regular IPv6 address (no magic because these have the same 
>>> format as HITs). In the IPv4 case, the sockaddr_hip.hip_hit_t should 
>>> be a mapped representation of the IPv4 address in IPv6 format (see 
>>> RFC2553). In case the system calls accept() or recv() return a 
>>> sockaddr_hip after binding to HIP_ENDPOINT_ANY, the host should check 
>>> the type of the address with the sockaddr_is_srcaddr function to 
>>> determine the actual nature of the socket. I suggest to clarify this 
>>> issue in Section 4.1.
>>
>> Added one paragraph:
>>
>>   When a connection-oriented server application binds to
>>   HIP_ENDPOINT_ANY and calls accept(), the call outputs always a
>>   sockaddr_hip structure containing information on the connected client
>>   with the address family set to AF_HIP.  The same applies also to
>>   datagram-oriented recvfrom() and recvmsg() calls.  If the data flow
>>   was based on HIP, the ship_hit field contains a HIT.  In the case of
>>   an IPv6 data flow without HIP, the field contains the corresponding
>>   IPv6 address of the client.  In the case of an IPv4 flow without HIP,
>>   the field contains the client's IPv4 address in IPv4-mapped IPv6
>>   address format as described in section 3.7 of [RFC2553].  Section 4.5
>>   describes how the application can verify the type of the address
>>   returned by the socket API calls.
>>
>> Is this ok?
> 
> Yes.
> 
>>
>>> Section 4.3: The text only considers the HIP_HIT_* wildcards but not 
>>> the HIP_ENDPOINT_ANY wildcard. Explanation about the possible 
>>> bindings for HIP_ENDPOINT_ANY (IPv4, IPv6, HIT) should be given here, 
>>> too. The function getsockname() and getpeername() could also return a 
>>> mapped IPv4 address of a IPv6 address in case the socket is not HIP. 
>>> Again the use of sockaddr_is_srcaddr should be considered to figure 
>>> out the type of socket.
>>
>> I did the following two changes:
>>
>>   However, the sockaddr_hip structure does not contain a HIT when the
>>   application uses the HIP_HIT_ANY_* or HIP_ENDPOINT_ANY constants..
>>
>>   ..The application should be prepared to handle also IPv4 and IPv6
>>   addresses in the ship_hit field as described in Section 4.1 in the
>>   context of the HIP_ENDPOINT_ANY constant.
> 
> Good, thanks.
> 
>>
>>> Security considerations: The use of HIP_ENDPOINT_ANY and a resulting 
>>> binding to an IPv4 or IPv6 socket leads to a lower level of security 
>>> compared to HIP. In my opinion this should be noted in the security 
>>> considerations.
>>
>> Added:
>>
>>   The use of HIP_ENDPOINT_ANY can be used to accept incoming or create
>>   outgoing data flows without HIP.  The application should use the
>>   sockaddr_is_srcaddr() function to validate the type of the connection
>>   in order to e.g. inform the user of the lack of HIP-based security.
>>   The use of the HIP_HIT_ANY_* constants is recommended in security-
>>   critical applications and systems.
> 
> okay.
> 
>>
>>> Editorial comments:
>>> --------------------
>>> Section 3: I suggest to rename Section 3 ("API Overview") to 
>>> something like "Name Resolution Process" or "Resolver Overview" 
>>> because it does only talk about the resolver and not about the API in 
>>> general.
>>
>> Done.
> 
> ok.
>>
>>> Section 3.1: There should be a reference to Figure 1 in the beginning 
>>> of Section 3.1.
>>
>> It was already there on the first paragraph, second sentence:
>>
>>   Before an application can establish network communications with the
>>   entity named by a given FQDN or relative host name, the application
>>   must translate the name into the corresponding identifier(s).  DNS-
>>   based hostname-to-identifier translation is illustrated in Figure 1.
>>
>>> Section 4.1: The text says that the system should return -1 and 
>>> EAFNOSUPPORT if AF_HIP is not supported. I suggest to emphasize that 
>>> this is the default behavior for unsupported address families and 
>>> that this does not require changes to legacy hosts.
>>
>> Added:
>>
>>  This is the default behavior for unsupported address families
>>  and does not require any changes to legacy systems.
> 
> Ok.
>>
>>> Section 4.3: The text is somewhat confusing because first the client 
>>> case and then the server case are explained without notable 
>>> distinction. I suggest to only talk about the server case here since 
>>> this is not relevant for the client anyway.
>>
>> But it is relevant to clients as well. Earlier section says:
>>
>>  The use of HIP_ENDPOINT_ANY constant in the context of outgoing
>>  communications is left for further experimentation in the context
>>  of opportunistic mode. It can result in a data flow with or
>>  without HIP.
>>
>> I believe that it was the first sentence that was confusing you, so I 
>> just removed it from the text. Is it ok now?
>>
> 
> Ok.
> 
>>> Section 4.4: The section talks about specific bindings to certain HIP 
>>> classes. Noting that a binding to specific HIT can also be achieved 
>>> by using bind() and a local HIT in sockaddr_hip.hip_hit_t may be 
>>> helpful.
>>
>> I added an introduction to the beginning of the section:
>>
>>   A client-side application can choose its source HIT by e.g. querying
>>   all of the local HITs with getaddrinfo() and associating one of them
>>   with the socket using bind().  This section describes another method
>>   for a client-side application to affect the selection of the source
>>   HIT type where the application does not call bind() explicitly.
>>   Instead, the application just specifies the preferred requirements
>>   for the source HIT type.
> 
> Okay.
> 
> 
> 
> 
>>
>>> Best regards!
>>> Tobias
>>> On 20.07.2009 at 13:27, Gonzalo Camarillo wrote:
>>>> Folks,
>>>>
>>>> the draft below includes all the comments received during its WGLC. 
>>>> Please, have a final look at it because we intend to request its 
>>>> publication in one week.
>>>>
>>>> http://www.ietf.org/internet-drafts/draft-ietf-hip-native-api-07.txt
>>>>
>>>> Thanks,
>>>>
>>>> Gonzalo
>>>> HIP co-chair
>>>>
>>>> _______________________________________________
>>>> Hipsec mailing list
>>>> Hipsec@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/hipsec
>>> -- 
>>> Dipl.-Inform. Tobias Heer, Ph.D. Student
>>> Distributed Systems Group
>>> RWTH Aachen University, Germany
>>> tel: +49 241 80 207 76
>>> web: http://ds.cs.rwth-aachen.de/members/heer
>>
> 
> 
> 
> 
> -- 
> Dipl.-Inform. Tobias Heer, Ph.D. Student
> Distributed Systems Group
> RWTH Aachen University, Germany
> tel: +49 241 80 207 76
> web: http://ds.cs.rwth-aachen.de/members/heer
> 
> 
> 
> 
> 
> 
> 


From root@core3.amsl.com  Wed Jul 29 14:30:01 2009
From: Internet-Drafts@ietf.org
To: i-d-announce@ietf.org
Content-Type: Multipart/Mixed; Boundary="NextPart"
Mime-Version: 1.0
Message-Id: <20090729213001.87B6B3A6E38@core3.amsl.com>
Date: Wed, 29 Jul 2009 14:30:01 -0700 (PDT)
Cc: hipsec@ietf.org
Subject: [Hipsec] I-D Action:draft-ietf-hip-native-api-08.txt

--NextPart

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Host Identity Protocol Working Group of the IETF.


	Title           : Basic Socket Interface Extensions for Host Identity Protocol (HIP)
	Author(s)       : M. Komu, T. Henderson
	Filename        : draft-ietf-hip-native-api-08.txt
	Pages           : 17
	Date            : 2009-07-29

This document defines extensions to the current sockets API for the
Host Identity Protocol (HIP).  The extensions focus on the use of
public-key based identifiers discovered via DNS resolution, but
define also interfaces for manual bindings between HITs and locators.
With the extensions, the application can also support more relaxed
security models where the communication can be non-HIP based,
according to local policies.  The extensions in this document are
experimental and provide basic tools for further experimentation with
policies.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-hip-native-api-08.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

--NextPart--

From miika.komu@hiit.fi  Wed Jul 29 14:59:06 2009
Message-ID: <4A70C624.8080700@hiit.fi>
Date: Thu, 30 Jul 2009 00:59:00 +0300
From: Miika Komu <miika.komu@hiit.fi>
User-Agent: Thunderbird 2.0.0.22 (X11/20090608)
MIME-Version: 1.0
To: =?ISO-8859-1?Q?Ari_Ker=E4nen?= <ari.keranen@nomadiclab.com>
References: <4A64469A.2020402@ericsson.com> <4A704868.5030404@nomadiclab.com> <4A707308.2090209@hiit.fi> <Pine.NEB.4.64.0907292347540.3972@inside.nomadiclab.com>
In-Reply-To: <Pine.NEB.4.64.0907292347540.3972@inside.nomadiclab.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] ROUTE_VIA and _DST support for HIP native API

Ari Keränen wrote:

Hi,

> On Wed, 29 Jul 2009, Miika Komu wrote:
>> Ari Keranen wrote:
>>> Sorry that this comes a bit late in the process, but I think it would 
>>> make sense to have support for the source routing & route recording 
>>> ROUTE_DST and ROUTE_VIA parameters [1] in the HIP native API. They 
>>> are needed for HIP BONE but likely they have use also in other 
>>> contexts and then an application would need an API for using them.
>>>
>>> Maybe the API that RFC 2292 [2] defines for IPv6 routing header could 
>>> be re-used for this purpose.
>>>
>>>
>>> Cheers,
>>> Ari
>>>
>>> [1] http://tools.ietf.org/html/draft-camarillo-hip-via-00
>>> [2] http://tools.ietf.org/html/rfc2292#section-8
>>
>> I had a brief look at the routing header options and I think this would 
>> require a lot more work. I think we just can't tell "use IPv6 routing 
>> header for route recording" because we need to dig out the differences 
>> with orchid vs. IPv6 routing and flesh out all the details. The 
>> current time schedule is quite tight for this too.
>>
> 
> Actually my idea was not that you would use IPv6 routing header for the 
> route recording, but you could perhaps re-use the API -- if it makes 
> sense. The actual (HIP) route recording and source routing would be done 
> with the ROUTE_{VIA,DST} parameters. If some other API than what RFC 
> 2292 proposes is better, that's perfectly fine for me. Based on your 
> comments, some other form of API is probably better.

I didn't mean that RFC2292 is not suitable. I merely questioned where 
this functionality should be added and that we shouldn't be hasty in 
adding new features that haven't been properly chewed first.

We'd probably need also some socket options to turn hiccups on and off. 
All of the requirements are not clear to me yet.

> Essentially an application would need to be able to give a HIP socket a 
> list of HITs (for source routing), set option to enable route recording 
> and symmetric routing, and be able to read a recorded route (i.e., a 
> list of HITs). I think a quite simple API extension would be sufficient 
> for this.
> 
> But by tight schedule are you referring to WGLC? I guess it's OK to 
> postpone that a couple of days/weeks, if necessary?

Any other opinions on this? What should we do about it?

I have submitted the final 08 version. I am fine with delaying if people 
feel that source routing should be included, but I think it could also 
be hosted in a different draft.

>> Currently, the native API draft defines "Basic Socket Interface 
>> Extensions for Host Identity Protocol (HIP)". I believe the hiccups 
>> extensions belong to the category of "advanced" and the reference to 
>> [2] is also "Advanced Sockets API for IPv6".
>>
>> I would propose that we'd introduce another document for orchid 
>> routing or add them to the VIA draft. Please comment this proposal 
>> ASAP so that I'll have more time to hack this over the night if people 
>> want to see the changes in the native API.
>>
> 
> This is not really a HICCUPS extension, but I see your point. If we have 
> more "advanced" features, a new API draft could make sense, but probably 
> not for just this extension. Also the VIA draft does not seem like a 
> right place for API documentation.

We left out RFC3484 related issues from the native API draft because it 
was too immature for last call. If we started up a new draft, we could 
include source HIT selection when a host has multiple HITs.

From miika.komu@hiit.fi  Thu Jul 30 01:57:08 2009
Message-ID: <4A716061.3050906@hiit.fi>
Date: Thu, 30 Jul 2009 11:57:05 +0300
From: Miika Komu <miika.komu@hiit.fi>
User-Agent: Thunderbird 2.0.0.22 (X11/20090608)
MIME-Version: 1.0
To: Jan Melen <Jan.Melen@nomadiclab.com>
References: <49815F7E.5080604@hiit.fi> <4A6F0D31.9020501@nomadiclab.com>
In-Reply-To: <4A6F0D31.9020501@nomadiclab.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: hipsec@ietf.org
Subject: Re: [Hipsec] feedback of hiccups-01 draft

Jan Melen wrote:

Hi,

> Miika Komu wrote:
>>
>> * I guess the draft assumes that data packets may be sent over 
>> HIP-aware overlays. I would suggest that the authors have a look at 
>> draft-heer-hip-middle-auth and perhaps add a pointer to the draft. 
>> Particularly, I would propose to make the public key mandatory and 
>> perhaps the middlebox extension as SHOULD? There is a new version of 
>> the draft coming up very soon. Feel free to ask Tobias for a preview 
>> if you are interested.
> 
> I think that the host on the path should not verify the signatures on 
> HIP_DATA packets as it is meant that these are anyway only few packets 
> that are exchanged between the peers and not a stream of data. For 
> streams you set-up a full HIP association using base-exchange and ESP as 
> a transport.

no, I meant that the middleboxes should apply nonces to the messages.

From heer@informatik.rwth-aachen.de  Thu Jul 30 02:13:04 2009
MIME-version: 1.0
Content-transfer-encoding: 7BIT
Content-type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Message-id: <5D119CF4-5462-437D-884C-3434A15CE4BE@cs.rwth-aachen.de>
From: Tobias Heer <heer@cs.rwth-aachen.de>
To: miika.komu@hiit.fi
In-reply-to: <4A716061.3050906@hiit.fi>
Date: Thu, 30 Jul 2009 11:13:00 +0200
References: <49815F7E.5080604@hiit.fi> <4A6F0D31.9020501@nomadiclab.com> <4A716061.3050906@hiit.fi>
X-Mailer: Apple Mail (2.935.3)
Cc: hip WG <hipsec@ietf.org>
Subject: Re: [Hipsec] feedback of hiccups-01 draft

On 30.07.2009 at 10:57, Miika Komu wrote:

> Jan Melen wrote:
>
> Hi,
>
>> Miika Komu wrote:
>>>
>>> * I guess the draft assumes that data packets may be sent over HIP- 
>>> aware overlays. I would suggest that the authors have a look at  
>>> draft-heer-hip-middle-auth and perhaps add a pointer to the draft.  
>>> Particularly, I would propose to make the public key mandatory and  
>>> perhaps the middlebox extension as SHOULD? There is a new version  
>>> of the draft coming up very soon. Feel free to ask Tobias for a  
>>> preview if you are interested.
>> I think that the host on the path should not verify the signatures  
>> on HIP_DATA packets as it is meant that these are anyway only few  
>> packets that are exchanged between the peers and not a stream of  
>> data. For streams you set up a full HIP association using base- 
>> exchange and ESP as a transport.
>
> no, I meant that the middleboxes should apply nonces to the messages.

Jan is right: Without a multi-packet protocol defined (back and forth  
at least), the MB authentication extensions don't work. However, for  
packets that require an acknowledgement, it would somewhat work and  
you could determine the identity of the receiver. For authenticating  
the sender, you need three consecutive messages. Hence, using the MB  
authentication extension makes more sense for stream-like connections.

Tobias

--  

Dipl.-Inform. Tobias Heer, Ph.D. Student
Distributed Systems Group
RWTH Aachen University, Germany
tel: +49 241 80 207 76
web: http://ds.cs.rwth-aachen.de/members/heer
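
The message-count argument in Tobias's reply, as an added example that is not part of the original post or of draft-heer-hip-middle-auth: a middlebox can treat a signature as fresh only if it covers a nonce the middlebox itself injected into an earlier packet, so one-way traffic authenticates nobody, an acknowledgement authenticates the receiver, and a third message authenticates the sender. The `Middlebox` class, the packet fields and the HMAC stand-in for a host signature are assumptions made for this sketch, not the draft's wire format.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a host signature: an HMAC keyed per host. A real
# middlebox would verify a public-key signature and hold no signing key.
HOST_KEYS = {"A": b"constructed-key-A", "B": b"constructed-key-B"}


def sign(host, payload, echo):
    """Signature over the payload and the echoed middlebox nonce."""
    return hmac.new(HOST_KEYS[host], payload + b"|" + echo, hashlib.sha256).digest()


def make_packet(src, dst, payload, echo=b""):
    """Build a signed packet; 'echo' returns the nonce the sender last received."""
    return {"src": src, "dst": dst, "payload": payload, "echo": echo,
            "sig": sign(src, payload, echo), "mb_nonce": b""}


class Middlebox:
    """On-path box (hypothetical model) that authenticates hosts by nonce echo."""

    def __init__(self):
        self.pending = {}           # host -> nonce that host must echo
        self.authenticated = set()  # hosts proven live to this middlebox

    def forward(self, pkt):
        src = pkt["src"]
        sig_ok = hmac.compare_digest(
            pkt["sig"], sign(src, pkt["payload"], pkt["echo"]))
        expected = self.pending.get(src)
        # A valid signature alone proves nothing about freshness: it must cover
        # a nonce this middlebox itself handed out, otherwise it may be a replay.
        if sig_ok and expected is not None and hmac.compare_digest(pkt["echo"], expected):
            self.authenticated.add(src)
            del self.pending[src]
        # Challenge the destination: attach a fresh nonce outside the signed part.
        nonce = os.urandom(16)
        self.pending[pkt["dst"]] = nonce
        return dict(pkt, mb_nonce=nonce)


def run_exchange(n_messages):
    """Alternate A->B, B->A, ... and return the hosts the middlebox authenticated."""
    mb = Middlebox()
    sender, receiver, echo = "A", "B", b""
    for i in range(n_messages):
        delivered = mb.forward(make_packet(sender, receiver, b"msg%d" % i, echo))
        echo = delivered["mb_nonce"]      # the receiver echoes this when it replies
        sender, receiver = receiver, sender
    return mb.authenticated


def replay_authenticates():
    """Replay a validly signed third message through a middlebox with new state."""
    mb1 = Middlebox()
    p1 = mb1.forward(make_packet("A", "B", b"data"))
    p2 = mb1.forward(make_packet("B", "A", b"ack", p1["mb_nonce"]))
    third = make_packet("A", "B", b"data2", p2["mb_nonce"])
    mb1.forward(third)                    # accepted here: nonce matches mb1's challenge
    mb2 = Middlebox()
    mb2.forward(make_packet("B", "A", b"hello"))  # mb2 now expects its own nonce from A
    mb2.forward(third)                    # signature valid, nonce stale
    return "A" in mb2.authenticated


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(n, "message(s):", sorted(run_exchange(n)))
    print("replayed packet authenticates sender:", replay_authenticates())
```
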

From miika.komu@hiit.fi  Thu Jul 30 02:17:42 2009
Message-ID: <4A716536.8020707@hiit.fi>
Date: Thu, 30 Jul 2009 12:17:42 +0300
From: Miika Komu <miika.komu@hiit.fi>
User-Agent: Thunderbird 2.0.0.22 (X11/20090608)
MIME-Version: 1.0
To: Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>
References: <4A6447DC.7070005@ericsson.com>
In-Reply-To: <4A6447DC.7070005@ericsson.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] Overlay work: status and request for input

Gonzalo Camarillo wrote:

Hi,

> Folks,
> 
> here you have a summary of the status of the overlay work.
> Additionally, we have some questions for the WG related to our
> milestones and their related charter items. Your input on those
> questions is very welcome.
> 
> 1) We have the following milestone:
> 
> "Specify a framework to build HIP-based overlays. This framework will
> describe how HIP can perform some of the tasks needed to build an
> overlay and how technologies developed somewhere else (e.g., a peer
> protocol developed in the P2PSIP WG) can complement HIP by performing
> the tasks HIP was not designed to perform."
> 
> The WG item for this milestone is the following draft, which should be
> ready for WGLC:
> 
> http://tools.ietf.org/id/draft-ietf-hip-bone-02.txt
> 
> This draft defines a high-level framework to build HIP-based overlays.
> Additionally, its previous version defined how to build a HIP-based
> overlay using RELOAD. The authors have chosen to move this definition to
> a separate document because while the high-level framework is
> informational in nature, the definition makes use of normative language.
> The resulting document is the draft below. We would like to ask the WG
> if it is OK to split our current milestone in two so that they cover the
> high-level framework and the definition in separate documents.
> 
> http://tools.ietf.org/internet-drafts/draft-keranen-hip-reload-instance-00.txt 
> 
> 
> Additionally, we would like to ask the WG if we should take the draft
> above as the WG item associated to the milestone for the definition.

+1

> 2) We have the following milestone:
> 
> "Specify how to carry upper-layer data over specified HIP
> packets. These include some of the existing HIP packets and possibly
> new HIP packets (e.g., a HIP packet that occurs outside a HIP base
> exchange)."
> 
> We still do not have a WG item for it but the following draft has been
> around for some time. We would like to ask the WG if we should adopt the
> following draft as the WG item for this milestone.
> 
> http://tools.ietf.org/internet-drafts/draft-nikander-hip-hiccups-02.txt
> 
> Revision 02 of the draft above is identical to 01 (the only changes are
> the date and the new copyright). The authors intend to address the
> comments received on the list shortly.
> 
> 3) In order to be able to support the functionality provided by RELOAD,
> HIP needs to support multi-hop routing. Instead of specifying it in the
> HIP BONE draft, having a separate draft seems to make more sense given
> that this functionality has a more general applicability than overlays.
> We would like to ask the WG if we should spin off a new milestone from
> our original milestone for overlays that covers multihop routing in HIP.
> 
> The following draft takes a stab at specifying multihop routing in HIP.
> We would like to ask the WG if we should adopt it as a WG item for the
> milestone above (assuming we decide to create the milestone).
> 
> http://tools.ietf.org/internet-drafts/draft-camarillo-hip-via-00.txt

+1

> 4) We have the following milestone:
> 
> "Specify how to generate ORCHIDs from other node identifiers
> including both cryptographic ones (leading to cryptographic
> delegation) and non-cryptographic ones (e.g., identifiers defined by a
> peer protocol)."
> 
> When we created that milestone, we expected to have a generic mechanism
> to transform node IDs into ORCHIDs. However, at this point, it seems
> that such transformation will be done in different ways depending on the
> peer protocol used in a particular overlay. For example, the instance
> specification for RELOAD draft defines such transformation for RELOAD
> peer identifiers. The fact that nobody has submitted a draft for that
> milestone seems to confirm the previous impression. We would like to ask
> the WG if we should remove that milestone from our charter.

Fine by me.

From samu.varjonen@hiit.fi  Thu Jul 30 03:19:09 2009
Message-ID: <4A71738E.3000506@hiit.fi>
Date: Thu, 30 Jul 2009 12:18:54 +0200
From: Varjonen Samu <samu.varjonen@hiit.fi>
User-Agent: Thunderbird 2.0.0.22 (X11/20090608)
MIME-Version: 1.0
To: miika.komu@hiit.fi
References: <4A6447DC.7070005@ericsson.com> <4A716536.8020707@hiit.fi>
In-Reply-To: <4A716536.8020707@hiit.fi>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] Overlay work: status and request for input

Miika Komu wrote:
> Gonzalo Camarillo wrote:
> 
> Hi,
> 
>> Folks,
>>
>> here you have a summary of the status of the overlay work.
>> Additionally, we have some questions for the WG related to our
>> milestones and their related charter items. Your input on those
>> questions is very welcome.
>>
>> 1) We have the following milestone:
>>
>> "Specify a framework to build HIP-based overlays. This framework will
>> describe how HIP can perform some of the tasks needed to build an
>> overlay and how technologies developed somewhere else (e.g., a peer
>> protocol developed in the P2PSIP WG) can complement HIP by performing
>> the tasks HIP was not designed to perform."
>>
>> The WG item for this milestone is the following draft, which should be
>> ready for WGLC:
>>
>> http://tools.ietf.org/id/draft-ietf-hip-bone-02.txt
>>
>> This draft defines a high-level framework to build HIP-based overlays.
>> Additionally, its previous version defined how to build a HIP-based
>> overlay using RELOAD. The authors have chosen to move this definition to
>> a separate document because while the high-level framework is
>> informational in nature, the definition makes use of normative language.
>> The resulting document is the draft below. We would like to ask the WG
>> if it is OK to split our current milestone in two so that they cover the
>> high-level framework and the definition in separate documents.
>>
>> http://tools.ietf.org/internet-drafts/draft-keranen-hip-reload-instance-00.txt 
>>
>>
>> Additionally, we would like to ask the WG if we should take the draft
>> above as the WG item associated to the milestone for the definition.
> 
> +1

+1

> 
>> 2) We have the following milestone:
>>
>> "Specify how to carry upper-layer data over specified HIP
>> packets. These include some of the existing HIP packets and possibly
>> new HIP packets (e.g., a HIP packet that occurs outside a HIP base
>> exchange)."
>>
>> We still do not have a WG item for it but the following draft has been
>> around for some time. We would like to ask the WG if we should adopt the
>> following draft as the WG item for this milestone.
>>
>> http://tools.ietf.org/internet-drafts/draft-nikander-hip-hiccups-02.txt
>>
>> Revision 02 of the draft above is identical to 01 (the only changes are
>> the date and the new copyright). The authors intend to address the
>> comments received on the list shortly.
>>
>> 3) In order to be able to support the functionality provided by RELOAD,
>> HIP needs to support multi-hop routing. Instead of specifying it in the
>> HIP BONE draft, having a separate draft seems to make more sense given
>> that this functionality has a more general applicability than overlays.
>> We would like to ask the WG if we should spin off a new milestone from
>> our original milestone for overlays that covers multihop routing in HIP.
>>
>> The following draft takes a stab at specifying multihop routing in HIP.
>> We would like to ask the WG if we should adopt it as a WG item for the
>> milestone above (assuming we decide to create the milestone).
>>
>> http://tools.ietf.org/internet-drafts/draft-camarillo-hip-via-00.txt
> 
> +1

+1

> 
>> 4) We have the following milestone:
>>
>> "Specify how to generate ORCHIDs from other node identifiers
>> including both cryptographic ones (leading to cryptographic
>> delegation) and non-cryptographic ones (e.g., identifiers defined by a
>> peer protocol)."
>>
>> When we created that milestone, we expected to have a generic mechanism
>> to transform node IDs into ORCHIDs. However, at this point, it seems
>> that such transformation will be done in different ways depending on the
>> peer protocol used in a particular overlay. For example, the instance
>> specification for RELOAD draft defines such transformation for RELOAD
>> peer identifiers. The fact that nobody has submitted a draft for that
>> milestone seems to confirm the previous impression. We would like to ask
>> the WG if we should remove that milestone from our charter.
> 
> Fine by me.

+1


From ari.keranen@nomadiclab.com  Thu Jul 30 03:49:06 2009
Message-ID: <4A717A63.4000308@nomadiclab.com>
Date: Thu, 30 Jul 2009 13:48:03 +0300
From: Ari Keranen <ari.keranen@nomadiclab.com>
User-Agent: Thunderbird 2.0.0.22 (X11/20090608)
MIME-Version: 1.0
To: miika.komu@hiit.fi
References: <4A64469A.2020402@ericsson.com> <4A704868.5030404@nomadiclab.com> <4A707308.2090209@hiit.fi> <Pine.NEB.4.64.0907292347540.3972@inside.nomadiclab.com> <4A70C624.8080700@hiit.fi>
In-Reply-To: <4A70C624.8080700@hiit.fi>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] ROUTE_VIA and _DST support for HIP native API

Miika Komu wrote:
> Ari Keränen wrote:
>> On Wed, 29 Jul 2009, Miika Komu wrote:
>>> Ari Keranen wrote:
>>>> Sorry that this comes a bit late in the process, but I think it 
>>>> would make sense to have support for the source routing & route 
>>>> recording ROUTE_DST and ROUTE_VIA parameters [1] in the HIP native 
>>>> API. They are needed for HIP BONE but likely they have use also in 
>>>> other contexts and then an application would need an API for using 
>>>> them.
>>>>
>>>> Maybe the API that RFC 2292 [2] defines for IPv6 routing header 
>>>> could be re-used for this purpose.
>>>>
>>>>
>>>> Cheers,
>>>> Ari
>>>>
>>>> [1] http://tools.ietf.org/html/draft-camarillo-hip-via-00
>>>> [2] http://tools.ietf.org/html/rfc2292#section-8
>>>
>>> I had a brief look at the routing header options and I think this 
>>> would require a lot more work. I think we just can't tell "use IPv6 
>>> routing header for route recording" because we need to dig out the 
>>> differences with orchid vs. IPv6 routing and flesh out all the 
>>> details. The current time schedule is quite tight for this too.
>>>
>>
>> Actually my idea was not that you would use IPv6 routing header for 
>> the route recording, but you could perhaps re-use the API -- if it 
>> makes sense. The actual (HIP) route recording and source routing would 
>> be done with the ROUTE_{VIA,DST} parameters. If some other API than 
>> what RFC 2292 proposes is better, that's perfectly fine for me. Based 
>> on your comments, some other form of API is probably better.
> 
> I didn't mean that RFC2292 is not suitable. I merely questioned where 
> this functionality should be added and that we shouldn't be hasty in 
> adding new features that haven't been properly chewed first.

OK.

> We'd probably need also some socket options to turn hiccups on and off. 
> All of the requirements are not clear to me yet.

Yes, some HICCUPS API extensions would be useful too.

>> Essentially an application would need to be able to give a HIP socket 
>> a list of HITs (for source routing), set option to enable route 
>> recording and symmetric routing, and be able to read a recorded route 
>> (i.e., a list of HITs). I think a quite simple API extension would be 
>> sufficient for this.
>>
>> But by tight schedule are you referring to WGLC? I guess it's OK to 
>> postpone that a couple of days/weeks, if necessary?
> 
> Any other opinions on this? What should we do about it?
> 
> I have submitted the final 08 version. I am fine with delaying if people 
> feel that source routing should be included, but I think it could also 
> be hosted in a different draft.

OK (more of this below).

>>> Currently, the native API draft defines "Basic Socket Interface 
>>> Extensions for Host Identity Protocol (HIP)". I believe the hiccups 
>>> extensions belong to the category of "advanced" and the reference to 
>>> [2] is also "Advanced Sockets API for IPv6".
>>>
>>> I would propose that we'd introduce another document for orchid 
>>> routing or add them to the VIA draft. Please comment on this proposal 
>>> ASAP so that I'll have more time to hack this over the night if 
>>> people want to see the changes in the native API.
>>>
>>
>> This is not really a HICCUPS extension, but I see your point. If we 
>> have more "advanced" features, a new API draft could make sense, but 
>> probably not for just this extension. Also the VIA draft does not seem 
>> like a right place for API documentation.
> 
> We left out RFC3484 related issues from the native API draft because it 
> was too immature for last call. If we started up a new draft, we could 
> include source HIT selection when a host has multiple HITs.

OK, so maybe there is need for such advanced API draft after all and the 
VIA extensions, as well as HICCUPS extensions, would fit there well. So, 
I guess there is no need to delay the WGLC of the current basic API draft.


Cheers,
Ari

From miika.komu@hiit.fi  Thu Jul 30 04:15:30 2009
Message-ID: <4A7180D1.5080101@hiit.fi>
Date: Thu, 30 Jul 2009 14:15:29 +0300
From: Miika Komu <miika.komu@hiit.fi>
User-Agent: Thunderbird 2.0.0.22 (X11/20090608)
MIME-Version: 1.0
To: miika.komu@hiit.fi
References: <4A6447DC.7070005@ericsson.com> <4A716536.8020707@hiit.fi>
In-Reply-To: <4A716536.8020707@hiit.fi>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] Overlay work: status and request for input

Miika Komu wrote:

Hi,

sorry, I missed one. +1 for hiccups too.

> Gonzalo Camarillo wrote:
> 
> Hi,
> 
>> Folks,
>>
>> here you have a summary of the status of the overlay work.
>> Additionally, we have some questions for the WG related to our
>> milestones and their related charter items. Your input on those
>> questions is very welcome.
>>
>> 1) We have the following milestone:
>>
>> "Specify a framework to build HIP-based overlays. This framework will
>> describe how HIP can perform some of the tasks needed to build an
>> overlay and how technologies developed somewhere else (e.g., a peer
>> protocol developed in the P2PSIP WG) can complement HIP by performing
>> the tasks HIP was not designed to perform."
>>
>> The WG item for this milestone is the following draft, which should be
>> ready for WGLC:
>>
>> http://tools.ietf.org/id/draft-ietf-hip-bone-02.txt
>>
>> This draft defines a high-level framework to build HIP-based overlays.
>> Additionally, its previous version defined how to build a HIP-based
>> overlay using RELOAD. The authors have chosen to move this definition to
>> a separate document because while the high-level framework is
>> informational in nature, the definition makes use of normative language.
>> The resulting document is the draft below. We would like to ask the WG
>> if it is OK to split our current milestone in two so that they cover the
>> high-level framework and the definition in separate documents.
>>
>> http://tools.ietf.org/internet-drafts/draft-keranen-hip-reload-instance-00.txt 
>>
>>
>> Additionally, we would like to ask the WG if we should take the draft
>> above as the WG item associated to the milestone for the definition.
> 
> +1
> 
>> 2) We have the following milestone:
>>
>> "Specify how to carry upper-layer data over specified HIP
>> packets. These include some of the existing HIP packets and possibly
>> new HIP packets (e.g., a HIP packet that occurs outside a HIP base
>> exchange)."
>>
>> We still do not have a WG item for it but the following draft has been
>> around for some time. We would like to ask the WG if we should adopt the
>> following draft as the WG item for this milestone.
>>
>> http://tools.ietf.org/internet-drafts/draft-nikander-hip-hiccups-02.txt
>>
>> Revision 02 of the draft above is identical to 01 (the only changes are
>> the date and the new copyright). The authors intend to address the
>> comments received on the list shortly.
>>
>> 3) In order to be able to support the functionality provided by RELOAD,
>> HIP needs to support multi-hop routing. Instead of specifying it in the
>> HIP BONE draft, having a separate draft seems to make more sense given
>> that this functionality has a more general applicability than overlays.
>> We would like to ask the WG if we should spin off a new milestone from
>> our original milestone for overlays that covers multihop routing in HIP.
>>
>> The following draft takes a stab at specifying multihop routing in HIP.
>> We would like to ask the WG if we should adopt it as a WG item for the
>> milestone above (assuming we decide to create the milestone).
>>
>> http://tools.ietf.org/internet-drafts/draft-camarillo-hip-via-00.txt
> 
> +1
> 
>> 4) We have the following milestone:
>>
>> "Specify how to generate ORCHIDs from other node identifiers
>> including both cryptographic ones (leading to cryptographic
>> delegation) and non-cryptographic ones (e.g., identifiers defined by a
>> peer protocol)."
>>
>> When we created that milestone, we expected to have a generic mechanism
>> to transform node IDs into ORCHIDs. However, at this point, it seems
>> that such transformation will be done in different ways depending on the
>> peer protocol used in a particular overlay. For example, the instance
>> specification for RELOAD draft defines such transformation for RELOAD
>> peer identifiers. The fact that nobody has submitted a draft for that
>> milestone seems to confirm the previous impression. We would like to ask
>> the WG if we should remove that milestone from our charter.
> 
> Fine by me.

From Jan.Melen@nomadiclab.com  Thu Jul 30 04:21:46 2009
Message-ID: <4A718249.6000209@nomadiclab.com>
Date: Thu, 30 Jul 2009 14:21:45 +0300
From: Jan Melen <Jan.Melen@nomadiclab.com>
User-Agent: Thunderbird 2.0.0.7pre (X11/20090418)
MIME-Version: 1.0
To: Petri Jokela <petri.jokela@nomadiclab.com>
References: <4A6447DC.7070005@ericsson.com> <B22CC7B2-03E2-4EEA-8178-5A28EA806BE5@nomadiclab.com>
In-Reply-To: <B22CC7B2-03E2-4EEA-8178-5A28EA806BE5@nomadiclab.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] Overlay work: status and request for input

Hi,

Petri Jokela wrote:
>
> On 20.7.2009, at 12.33, Gonzalo Camarillo wrote:
>
>> Folks,
>>
>> 1) We have the following milestone:
>>
>> "Specify a framework to build HIP-based overlays. This framework will
> ...
>> The resulting document is the draft below. We would like to ask the WG
>> if it is OK to split our current milestone in two so that they cover the
>> high-level framework and the definition in separate documents.
>>
>> http://tools.ietf.org/internet-drafts/draft-keranen-hip-reload-instance-00.txt 
>>
>>
>> Additionally, we would like to ask the WG if we should take the draft
>> above as the WG item associated to the milestone for the definition.
>>
>
> The proposal sounds reasonable, taking also into account the 
> discussion that has been going on in another thread.

+1

>
>> 2) We have the following milestone:
> ...
>> We still do not have a WG item for it but the following draft has been
>> around for some time. We would like to ask the WG if we should adopt the
>> following draft as the WG item for this milestone.
>>
>> http://tools.ietf.org/internet-drafts/draft-nikander-hip-hiccups-02.txt
>>
>
> For me, this sounds good. As in the previous case, taking into account 
> also the ongoing discussion on the related thread.

+1, and the concerns raised before IETF 75 are addressed in the -03 draft, 
and some new ones that came up during IETF 75 will be addressed in -04.


>
>> 3) In order to be able to support the functionality provided by RELOAD,
>> HIP needs to support multi-hop routing. Instead of specifying it in the
>> HIP BONE draft, having a separate draft seems to make more sense given
>> that this functionality has a more general applicability than overlays.
>> We would like to ask the WG if we should spin off a new milestone from
>> our original milestone for overlays that covers multihop routing in HIP.
>>
>> The following draft takes a stab at specifying multihop routing in HIP.
>> We would like to ask the WG if we should adopt it as a WG item for the
>> milestone above (assuming we decide to create the milestone).
>>
>> http://tools.ietf.org/internet-drafts/draft-camarillo-hip-via-00.txt
>
> This sounds ok.
>

+1

>
>> 4) We have the following milestone:
>>
>> "Specify how to generate ORCHIDs from other node identifiers
>> including both cryptographic ones (leading to cryptographic
>> delegation) and non-cryptographic ones (e.g., identifiers defined by a
>> peer protocol)."
>>
>> When we created that milestone, we expected to have a generic mechanism
>> to transform node IDs into ORCHIDs. However, at this point, it seems
>> that such transformation will be done in different ways depending on the
>> peer protocol used in a particular overlay. For example, the instance
>> specification for RELOAD draft defines such transformation for RELOAD
>> peer identifiers. The fact that nobody has submitted a draft for that
>> milestone seems to confirm the previous impression. We would like to ask
>> the WG if we should remove that milestone from our charter.
>
> While there is no activity, it seems reasonable to remove it now.

Ok!

   Jan


From samu.varjonen@hiit.fi  Thu Jul 30 05:02:08 2009
Return-Path: <samu.varjonen@hiit.fi>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C0FC03A69DF for <hipsec@core3.amsl.com>; Thu, 30 Jul 2009 05:02:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.299
X-Spam-Level: 
X-Spam-Status: No, score=-0.299 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MANGLED_TOOL=2.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cqzqcvav-JeD for <hipsec@core3.amsl.com>; Thu, 30 Jul 2009 05:02:07 -0700 (PDT)
Received: from argo.otaverkko.fi (argo.otaverkko.fi [212.68.0.2]) by core3.amsl.com (Postfix) with ESMTP id 87A543A68A9 for <hipsec@ietf.org>; Thu, 30 Jul 2009 05:02:07 -0700 (PDT)
Received: from [130.129.22.112] (dhcp-1670.meeting.ietf.org [130.129.22.112]) by argo.otaverkko.fi (Postfix) with ESMTP id D5BF925ED1A; Thu, 30 Jul 2009 15:02:05 +0300 (EEST)
Message-ID: <4A718BBD.2080607@hiit.fi>
Date: Thu, 30 Jul 2009 14:02:05 +0200
From: Varjonen Samu <samu.varjonen@hiit.fi>
User-Agent: Thunderbird 2.0.0.22 (X11/20090608)
MIME-Version: 1.0
To: miika.komu@hiit.fi
References: <4A6447DC.7070005@ericsson.com> <4A716536.8020707@hiit.fi> <4A7180D1.5080101@hiit.fi>
In-Reply-To: <4A7180D1.5080101@hiit.fi>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] Overlay work: status and request for input
X-List-Received-Date: Thu, 30 Jul 2009 12:02:08 -0000

Miika Komu wrote:
> Miika Komu wrote:
> 
> Hi,
> 
> sorry, I missed one. +1 for hiccups too.

So did I :) +1
> 
>> Gonzalo Camarillo wrote:
>>
>> Hi,
>>
>>> Folks,
>>>
>>> here you have a summary of the status of the overlay work.
>>> Additionally, we have some questions for the WG related to our
>>> milestones and their related charter items. Your input on those
>>> questions is very welcome.
>>>
>>> 1) We have the following milestone:
>>>
>>> "Specify a framework to build HIP-based overlays. This framework will
>>> describe how HIP can perform some of the tasks needed to build an
>>> overlay and how technologies developed somewhere else (e.g., a peer
>>> protocol developed in the P2PSIP WG) can complement HIP by performing
>>> the tasks HIP was not designed to perform."
>>>
>>> The WG item for this milestone is the following draft, which should be
>>> ready for WGLC:
>>>
>>> http://tools.ietf.org/id/draft-ietf-hip-bone-02.txt
>>>
>>> This draft defines a high-level framework to build HIP-based overlays.
>>> Additionally, its previous version defined how to build a HIP-based
>>> overlay using RELOAD. The authors have chosen to move this definition to
>>> a separate document because while the high-level framework is
>>> informational in nature, the definition makes use of normative language.
>>> The resulting document is the draft below. We would like to ask the WG
>>> if it is OK to split our current milestone in two so that they cover the
>>> high-level framework and the definition in separate documents.
>>>
>>> http://tools.ietf.org/internet-drafts/draft-keranen-hip-reload-instance-00.txt 
>>>
>>>
>>> Additionally, we would like to ask the WG if we should take the draft
>>> above as the WG item associated to the milestone for the definition.
>>
>> +1
>>
>>> 2) We have the following milestone:
>>>
>>> "Specify how to carry upper-layer data over specified HIP
>>> packets. These include some of the existing HIP packets and possibly
>>> new HIP packets (e.g., a HIP packet that occurs outside a HIP base
>>> exchange)."
>>>
>>> We still do not have a WG item for it but the following draft has been
>>> around for some time. We would like to ask the WG if we should adopt the
>>> following draft as the WG item for this milestone.
>>>
>>> http://tools.ietf.org/internet-drafts/draft-nikander-hip-hiccups-02.txt
>>>
>>> Revision 02 of the draft above is identical to 01 (the only changes are
>>> the date and the new copyright). The authors intend to address the
>>> comments received on the list shortly.
>>>
>>> 3) In order to be able to support the functionality provided by RELOAD,
>>> HIP needs to support multi-hop routing. Instead of specifying it in the
>>> HIP BONE draft, having a separate draft seems to make more sense given
>>> that this functionality has a more general applicability than overlays.
>>> We would like to ask the WG if we should spin off a new milestone from
>>> our original milestone for overlays that covers multihop routing in HIP.
>>>
>>> The following draft takes a stab at specifying multihop routing in HIP.
>>> We would like to ask the WG if we should adopt it as a WG item for the
>>> milestone above (assuming we decide to create the milestone).
>>>
>>> http://tools.ietf.org/internet-drafts/draft-camarillo-hip-via-00.txt
>>
>> +1
>>
>>> 4) We have the following milestone:
>>>
>>> "Specify how to generate ORCHIDs from other node identifiers
>>> including both cryptographic ones (leading to cryptographic
>>> delegation) and non-cryptographic ones (e.g., identifiers defined by a
>>> peer protocol)."
>>>
>>> When we created that milestone, we expected to have a generic mechanism
>>> to transform node IDs into ORCHIDs. However, at this point, it seems
>>> that such transformation will be done in different ways depending on the
>>> peer protocol used in a particular overlay. For example, the instance
>>> specification for RELOAD draft defines such transformation for RELOAD
>>> peer identifiers. The fact that nobody has submitted a draft for that
>>> milestone seems to confirm the previous impression. We would like to ask
>>> the WG if we should remove that milestone from our charter.
>>
>> Fine by me.


From samu.varjonen@hiit.fi  Thu Jul 30 06:19:26 2009
Return-Path: <samu.varjonen@hiit.fi>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E712A28C177 for <hipsec@core3.amsl.com>; Thu, 30 Jul 2009 06:19:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.449
X-Spam-Level: 
X-Spam-Status: No, score=-1.449 tagged_above=-999 required=5 tests=[AWL=1.150,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vBaXZk2W-iGG for <hipsec@core3.amsl.com>; Thu, 30 Jul 2009 06:19:26 -0700 (PDT)
Received: from argo.otaverkko.fi (argo.otaverkko.fi [212.68.0.2]) by core3.amsl.com (Postfix) with ESMTP id 120663A6818 for <hipsec@ietf.org>; Thu, 30 Jul 2009 06:19:26 -0700 (PDT)
Received: from [130.129.20.233] (dhcp-14e9.meeting.ietf.org [130.129.20.233]) by argo.otaverkko.fi (Postfix) with ESMTP id C7DCE25ED1A for <hipsec@ietf.org>; Thu, 30 Jul 2009 16:19:26 +0300 (EEST)
Message-ID: <4A719DDD.6040705@hiit.fi>
Date: Thu, 30 Jul 2009 15:19:25 +0200
From: Varjonen Samu <samu.varjonen@hiit.fi>
User-Agent: Thunderbird 2.0.0.22 (X11/20090608)
MIME-Version: 1.0
To: HIP <hipsec@ietf.org>
References: <4A51A346.2030807@hiit.fi>
In-Reply-To: <4A51A346.2030807@hiit.fi>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [Hipsec] draft-ietf-hip-cert-01
X-List-Received-Date: Thu, 30 Jul 2009 13:19:27 -0000

Hi,

This is a resend for the mail concerning the new version of the hip-cert 
draft. We got only answer to the mail earlier. We would appreciate if 
people could read the draft and give us comments.

Thanks, Samu

Varjonen Samu wrote:
> Hi,
> 
> http://www.ietf.org/internet-drafts/draft-ietf-hip-cert-01.txt
> 
> This new version of the draft brings editorial changes to the group 
> handling and clarifications to the usage of x.509 distinguished name 
> (DN) section.
> 
> We would appreciate it if people would read the draft and comment on it.
> 
> We have some additional discussion topics that we would like to open. The 
> main point of these questions is to determine the direction in which we 
> should take the draft.
> 
> - Is the draft sufficient? Do we need to specify something more? Is 
> something important missing?
> 
> - Is SPKI the right choice for the default format? X.509 is more widely 
> deployed and has better support vs. SPKI is simpler but has less support.
> 
> - Are the hash and URL encodings needed? At least with on-path 
> middleboxes they are problematic.
> 
> - Are the examples in the appendixes sufficient?
> 
> One discussion topic that is a bit out of scope of hip-cert but is 
> relevant for HIP in general is fragmentation. I have brought this issue 
> up in several of the last meetings. Is there any interest in the group 
> to tackle this issue or should it just be left for IP and its 
> fragmentation to handle?
> 
> BR,
> Samu


From rgm@htt-consult.com  Fri Jul 31 00:57:24 2009
Return-Path: <rgm@htt-consult.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1741F3A6C27 for <hipsec@core3.amsl.com>; Fri, 31 Jul 2009 00:57:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hV6m6kRByYtI for <hipsec@core3.amsl.com>; Fri, 31 Jul 2009 00:57:23 -0700 (PDT)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [208.83.67.147]) by core3.amsl.com (Postfix) with ESMTP id 49D843A6BFE for <hipsec@ietf.org>; Fri, 31 Jul 2009 00:57:22 -0700 (PDT)
Received: from z9m9z.htt-consult.com (localhost.localdomain [127.0.0.1]) by z9m9z.htt-consult.com (8.13.8/8.13.8) with ESMTP id n6V7vJkF005850 for <hipsec@ietf.org>; Fri, 31 Jul 2009 03:57:19 -0400
Received: from nc2400.htt-consult.com (onlo.htt-consult.com [208.83.67.148]) by z9m9z.htt-consult.com (Scalix SMTP Relay 11.3.0.11339) via ESMTP; Fri, 31 Jul 2009 03:56:40 -0400 (EDT)
Date: Fri, 31 Jul 2009 09:57:35 +0200
From: Robert Moskowitz <rgm@htt-consult.com>
To: HIP <hipsec@ietf.org>
Message-ID: <4A72A3EF.90603@htt-consult.com>
x-scalix-Hops: 1
User-Agent: Thunderbird 2.0.0.22 (X11/20090625)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Content-Disposition: inline
Subject: [Hipsec] HIP support of AH on IPv6
X-List-Received-Date: Fri, 31 Jul 2009 07:57:24 -0000

I had a discussion with Tony Hain last night and was reminded that there 
ARE some valid uses for AH, particularly in IPv6.

Any feelings about this?

Would it be 'easy' to add AH support to our rev of 5202?

Or is it a case of cut and paste and make a new document?



From rgm@htt-consult.com  Fri Jul 31 01:46:29 2009
Return-Path: <rgm@htt-consult.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1FB3E3A6C2C for <hipsec@core3.amsl.com>; Fri, 31 Jul 2009 01:46:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6qtSeduusNWA for <hipsec@core3.amsl.com>; Fri, 31 Jul 2009 01:46:28 -0700 (PDT)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [208.83.67.147]) by core3.amsl.com (Postfix) with ESMTP id 3FD903A69DA for <hipsec@ietf.org>; Fri, 31 Jul 2009 01:46:27 -0700 (PDT)
Received: from z9m9z.htt-consult.com (localhost.localdomain [127.0.0.1]) by z9m9z.htt-consult.com (8.13.8/8.13.8) with ESMTP id n6V8kHX2011435 for <hipsec@ietf.org>; Fri, 31 Jul 2009 04:46:19 -0400
Received: from nc2400.htt-consult.com (onlo.htt-consult.com [208.83.67.148]) by z9m9z.htt-consult.com (Scalix SMTP Relay 11.3.0.11339) via ESMTP; Fri, 31 Jul 2009 04:45:14 -0400 (EDT)
Date: Fri, 31 Jul 2009 10:46:10 +0200
From: Robert Moskowitz <rgm@htt-consult.com>
To: hipsec@ietf.org
Message-ID: <4A72AF52.90603@htt-consult.com>
x-scalix-Hops: 1
User-Agent: Thunderbird 2.0.0.22 (X11/20090625)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Content-Disposition: inline
Subject: [Hipsec] Building the first list of to Standards changes
X-List-Received-Date: Fri, 31 Jul 2009 08:46:29 -0000

OK we have met and agreed to go out and succeed.

In light of that, let's get our work items in order and someone set up 
the tracking of who is working on what and what its status is.

Crypto Agility
    Add HI PK algorithms
    Add HI hashes
    Add ESP cipher suites

HIT and LSI formats
    Standardize on ORCHIDs
          Context per HI Hash?
    IP address range for LSIs

Multiple HIs per host
    Multiple HITs per HI

ESP operation with HIP
    Explain Binding Transport Mode End to End without creating a new ESP 
mode
    AH operation with HIP

Compressing Transport checksums
    New HIP option?

HIP registries (DNS, DHT, LDAP, etc.)
    What information is stored in each
    For DNS
       HIs, HITs, HI hashes, lifetime via TTL
       ESP ciphers?
       RR from IANA

OK.  This is a start.  Others should add/expand, and someone needs to be 
the 'owner' of the list.



-- 

The Greatest Oak

Was once a little Nut

That held its ground.


From rgm@htt-consult.com  Fri Jul 31 02:33:33 2009
Return-Path: <rgm@htt-consult.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C778E28C2E9 for <hipsec@core3.amsl.com>; Fri, 31 Jul 2009 02:33:33 -0700 (PDT)
X-Quarantine-ID: <M429i5XIPceX>
X-Virus-Scanned: amavisd-new at amsl.com
X-Amavis-Alert: BAD HEADER, Duplicate header field: "References"
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M429i5XIPceX for <hipsec@core3.amsl.com>; Fri, 31 Jul 2009 02:33:32 -0700 (PDT)
Received: from z9m9z.htt-consult.com (z9m9z.htt-consult.com [208.83.67.147]) by core3.amsl.com (Postfix) with ESMTP id 978B928C2CE for <hipsec@ietf.org>; Fri, 31 Jul 2009 02:33:32 -0700 (PDT)
Received: from z9m9z.htt-consult.com (localhost.localdomain [127.0.0.1]) by z9m9z.htt-consult.com (8.13.8/8.13.8) with ESMTP id n6V9XTxG015209;  Fri, 31 Jul 2009 05:33:29 -0400
Received: from nc2400.htt-consult.com (onlo.htt-consult.com [208.83.67.148]) by z9m9z.htt-consult.com (Scalix SMTP Relay 11.3.0.11339) via ESMTP; Fri, 31 Jul 2009 05:32:58 -0400 (EDT)
Date: Fri, 31 Jul 2009 11:33:53 +0200
From: Robert Moskowitz <rgm@htt-consult.com>
To: Andrew McGregor <andrew@indranet.co.nz>
Message-ID: <4A72BA81.5050809@htt-consult.com>
In-Reply-To: <8F346BB1-D5EF-419F-AED7-A0DE8DFEECE0@indranet.co.nz>
References: <4A72AF52.90603@htt-consult.com>
References: <8F346BB1-D5EF-419F-AED7-A0DE8DFEECE0@indranet.co.nz>
x-scalix-Hops: 1
User-Agent: Thunderbird 2.0.0.22 (X11/20090625)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Content-Disposition: inline
Cc: hipsec@ietf.org
Subject: Re: [Hipsec] Building the first list of to Standards changes
X-List-Received-Date: Fri, 31 Jul 2009 09:33:33 -0000

Andrew McGregor wrote:
> Whole lot of responses inline...
>
> On 31/07/2009, at 10:46 AM, Robert Moskowitz wrote:
>
>> OK we have met and agreed to go out and succeed.
>>
>> In light of that, let's get our work items in order and someone set up 
>> the tracking of who is working on what and what its status is.
>>
>> Crypto Agility
>> Add HI PK algorithms
>
> We use DNS formats for these, and so far the only RFCs published are 
> RSA and DSA. There is a draft for ECC, there may be others. Code 
> points are allocated by standards action. So this cannot progress 
> until the DNS formats do.
>
>> Add HI hashes
>
> 5201 defines the RHASH which is used for all hash operations in the 
> protocol to be the same as the hash used for ORCHIDS, see below.

I would also want CBC-MAC, as hardware that implements CCM has CBC-MAC. 
There is lots of wireless hardware that implements CCM...

And there are those that will expect SHA-256.


>
>> Add ESP cipher suites
>
> Straightforward, do you have a list of candidates?

CCM, as this is in wireless hardware. GCM, as this is in high-speed wired 
hardware. Or those are the claims...

>
>>
>> HIT and LSI formats
>> Standardize on ORCHIDs
>> Context per HI Hash?
>
> Yes, RFC 4843 specifies that we use CGA Extension Type Tags registered 
> by IANA for contexts, and 5201 specifies that it be one per hash. The 
> only value allocated for hip is bound to SHA-1 by 5201. We can 
> allocate more.

Exactly.

>
>> IP address range for LSIs
>
> The v6 ORCHID range is currently reserved until 2014, this may be 
> changed by standards action. v4 needs thought and either standards or 
> IANA action.

127.n.0.0/16 And what is n? Let IANA tell us or recommend something? e.g. 64

>
>>
>> Multiple HIs per host
>> Multiple HITs per HI
>
> I think these can be done already. Current implementations may not 
> support multiple HIs per host, but I see no reason in the protocol why 
> this can not be done. Multiple HITs per HI can happen given that hash 
> agility is per context; therefore the ORCHIDS corresponding to 
> different hashes are astronomically unlikely to collide. Local policy 
> dictates if any particular HIT is acceptable.
>
> However, the IESG note at the beginning of 5201 has this to say:
>
> This document doesn't currently define support for parameterized
> (randomized) hashing in signatures, support for negotiation of a key
> derivation function, or support for combined encryption modes.
>
> The first point will require a lot of thought, although the packet 
> formats should be straightforward.

OK. This is an important one I left off. Would the hash used for making 
the HIT be the hash used in the HIP sigs? Or is this YAP to add to 
things like HIP options and DNS RR?

>
> The second point could be covered by redefining the DIFFIE_HELLMAN 
> group id parameter to be an (algorithm, group) suite ID... this would 
> even be backward compatible by reusing the existing values with the 
> same processing definition. The third is merely more suite-ids for 
> those modes.

So would we have a list of key derivations and this is just one more 
parameter?

>
>>
>> ESP operation with HIP
>> Explain Binding Transport Mode End to End without creating a new ESP 
>> mode
>
> This amounts to a wording change in 5202, all the text is already 
> there. BEET is a recommended implementation detail for 5202 ESP 
> processing and does not change the wire format or semantics, so there 
> should be no problem here.
>
>> AH operation with HIP
>>
>> Compressing Transport checksums
>> New HIP option?
>
> I'm not sure what you're suggesting. Compressing suites could be 
> defined for ESP. Or are you suggesting compressing the HIP packets 
> themselves?

If you are going to allow for removal of the TCP and UDP checksums, both 
parties would need to agree they are going to do this.

>
>>
>> HIP registries (DNS, DHT, LDAP, etc.)
>> What information is stored in each
>> For DNS
>> HIs, HITs, HI hashes, lifetime via TTL
>> ESP ciphers?
>> RR from IANA
>
> I suggest updating 5205 along the lines of 
> draft-ponomarev-hip-dns-locators and draft-ponomarev-hip-hit2ip. This 
> will require some DNS expert attention to get the details right. I 
> think that's sufficient for DNS.
>
> The Boeing SMA implementation in OpenHIP has an LDAP schema, I have 
> not looked at the detail.
>
>>
>> OK. This is a start. Others should add/expand, and someone needs to 
>> be the 'owner' of the list. 

-- 


The Greatest Oak

Was once a little Nut

That held its ground.


From gonzalo.camarillo@ericsson.com  Fri Jul 31 03:29:31 2009
Return-Path: <gonzalo.camarillo@ericsson.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 35CF53A6805 for <hipsec@core3.amsl.com>; Fri, 31 Jul 2009 03:29:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.299
X-Spam-Level: 
X-Spam-Status: No, score=-3.299 tagged_above=-999 required=5 tests=[AWL=-1.050, BAYES_00=-2.599, HELO_EQ_SE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vAwWZeTmBHLi for <hipsec@core3.amsl.com>; Fri, 31 Jul 2009 03:29:30 -0700 (PDT)
Received: from mailgw5.ericsson.se (mailgw5.ericsson.se [193.180.251.36]) by core3.amsl.com (Postfix) with ESMTP id 1F8C13A6A9A for <hipsec@ietf.org>; Fri, 31 Jul 2009 03:28:49 -0700 (PDT)
X-AuditID: c1b4fb24-b7c01ae00000498b-10-4a72c762084b
Received: from esealmw127.eemea.ericsson.se (Unknown_Domain [153.88.253.124]) by mailgw5.ericsson.se (Symantec Brightmail Gateway) with SMTP id 6C.C5.18827.267C27A4; Fri, 31 Jul 2009 12:28:50 +0200 (CEST)
Received: from esealmw129.eemea.ericsson.se ([153.88.254.177]) by esealmw127.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.3959);  Fri, 31 Jul 2009 12:28:50 +0200
Received: from mail.lmf.ericsson.se ([131.160.11.50]) by esealmw129.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.3959);  Fri, 31 Jul 2009 12:28:49 +0200
Received: from [131.160.126.137] (rvi2-126-137.lmf.ericsson.se [131.160.126.137]) by mail.lmf.ericsson.se (Postfix) with ESMTP id 749BE25CA; Fri, 31 Jul 2009 13:28:49 +0300 (EEST)
Message-ID: <4A72C761.9050301@ericsson.com>
Date: Fri, 31 Jul 2009 12:28:49 +0200
From: Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>
User-Agent: Thunderbird 2.0.0.22 (Windows/20090605)
MIME-Version: 1.0
To: HIP <hipsec@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 31 Jul 2009 10:28:49.0731 (UTC) FILETIME=[B17C9130:01CA11C9]
X-Brightmail-Tracker: AAAAAA==
Subject: [Hipsec] Draft meeting minutes
X-List-Received-Date: Fri, 31 Jul 2009 10:29:31 -0000

Folks,

you can find the draft minutes of our meeting yesterday under the 
following link:

http://www.ietf.org/proceedings/75/minutes/hip.txt

Cheers,

Gonzalo
HIP co-chair

From dward@cisco.com  Fri Jul 31 05:35:41 2009
Return-Path: <dward@cisco.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 677FF3A6E2E for <hipsec@core3.amsl.com>; Fri, 31 Jul 2009 05:35:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.14
X-Spam-Level: 
X-Spam-Status: No, score=-6.14 tagged_above=-999 required=5 tests=[AWL=0.459,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pT3uOycJhA+Z for <hipsec@core3.amsl.com>; Fri, 31 Jul 2009 05:35:40 -0700 (PDT)
Received: from rtp-iport-2.cisco.com (rtp-iport-2.cisco.com [64.102.122.149]) by core3.amsl.com (Postfix) with ESMTP id 55D4B3A6DAC for <hipsec@ietf.org>; Fri, 31 Jul 2009 05:35:40 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.43,302,1246838400"; d="scan'208";a="52387166"
Received: from rtp-dkim-2.cisco.com ([64.102.121.159]) by rtp-iport-2.cisco.com with ESMTP; 31 Jul 2009 12:35:41 +0000
Received: from rtp-core-1.cisco.com (rtp-core-1.cisco.com [64.102.124.12]) by rtp-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id n6VCZfcE014120;  Fri, 31 Jul 2009 08:35:41 -0400
Received: from xbh-rtp-201.amer.cisco.com (xbh-rtp-201.cisco.com [64.102.31.12]) by rtp-core-1.cisco.com (8.13.8/8.14.3) with ESMTP id n6VCZfa0025288; Fri, 31 Jul 2009 12:35:41 GMT
Received: from xmb-rtp-202.amer.cisco.com ([64.102.31.52]) by xbh-rtp-201.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.3959);  Fri, 31 Jul 2009 08:35:41 -0400
Received: from [127.0.0.1] ([171.68.225.134]) by xmb-rtp-202.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.3959);  Fri, 31 Jul 2009 08:35:41 -0400
Message-Id: <A813F6A4-119E-4382-99C2-887DF91E66BC@cisco.com>
From: David Ward <dward@cisco.com>
To: Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>
In-Reply-To: <4A72C761.9050301@ericsson.com>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v935.3)
Date: Fri, 31 Jul 2009 07:35:39 -0500
References: <4A72C761.9050301@ericsson.com>
X-Mailer: Apple Mail (2.935.3)
X-OriginalArrivalTime: 31 Jul 2009 12:35:41.0278 (UTC) FILETIME=[6A5277E0:01CA11DB]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=398; t=1249043741; x=1249907741; c=relaxed/simple; s=rtpdkim2001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dward@cisco.com; z=From:=20David=20Ward=20<dward@cisco.com> |Subject:=20Re=3A=20Draft=20meeting=20minutes |Sender:=20 |To:=20Gonzalo=20Camarillo=20<Gonzalo.Camarillo@ericsson.co m>; bh=FpJeR8Mq4zaKBBNvz9GUuf0YspOMxWnxqJNrgbnlbpc=; b=bjr8DkEUtPLar/e+m8pkG2WdIM6nxFla3QElJnI4iJ05kD0F+rDqYkkbfR WAUjjt9OxxVbUtufjH27OBctc4WBX/x2md72W0339UVa7Gt6c20/dLj9i4Nr orbSB81o7C;
Authentication-Results: rtp-dkim-2; header.From=dward@cisco.com; dkim=pass ( sig from cisco.com/rtpdkim2001 verified; ); 
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] Draft meeting minutes
X-List-Received-Date: Fri, 31 Jul 2009 12:35:41 -0000

Gonzalo -

Is the publication of the experimentation report as an IRTF RFC  
required to make HIP PS? Or just HIP WG LC?

-DWard

On Jul 31, 2009, at 5:28 AM, Gonzalo Camarillo wrote:

> Folks,
>
> you can find the draft minutes of our meeting yesterday under the  
> following link:
>
> http://www.ietf.org/proceedings/75/minutes/hip.txt
>
> Cheers,
>
> Gonzalo
> HIP co-chair

