
From randy@psg.com  Fri Jul  1 18:50:22 2011
Date: Sat, 02 Jul 2011 10:50:18 +0900
Message-ID: <m2tyb5bgdh.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Hannes Gredler <hannes@juniper.net>
In-Reply-To: <20110630062137.GA19984@juniper.net>
References: <20110629070025.16892.26227.idtracker@ietfa.amsl.com> <20110629091651.GA17888@juniper.net> <m2fwms293h.wl%randy@psg.com> <20110630062137.GA19984@juniper.net>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-rpki-rtr-13.txt / error handling; 
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Jul 2011 01:50:22 -0000

hannes,

you raised two issues:

  o versioning, protocol upgrade, ...  i will open that can of worms up
    in another message

  o what to do when the router receives a duplicate ipvx prefix.  the
    relevant text from 5.5 says

	In the RPKI, nothing prevents a signing certificate from issuing two
	identical ROAs, and nothing prohibits the existence of two identical
	route: or route6: objects in the IRR.  In this case there would be no
	semantic difference between the objects, merely a process redundancy.

	In the RPKI, there is also an actual need for what might appear to a
	router as identical IPvX PDUs.  This can occur when an upstream
	certificate is being reissued or there is an address ownership
	transfer up the validation chain.  The ROA would be identical in the
	router sense, i.e. have the same {prefix, len, max-len, asn}, but a
	different validation path in the RPKI.  This is important to the
	RPKI, but not to the router.

	The cache server is responsible for assuring that it has told the
	router client to have one and only one IPvX PDU for a unique {prefix,
	len, max-len, asn} at any one point in time.  Should the router
	client receive an IPvX PDU with a {prefix, len, max-len, asn}
	identical to one it already has active, it SHOULD raise a Duplicate
	Announcement Received error.

i.e. in the rpki world, duplicates make sense and are allowed.  on the
router, they do not make sense.  hence the cache is formally responsible
for that boundary, and must not send dupes to the router.

this was meant to clearly state that, if the router receives a
duplicate, then either
  o the cache is broken because it must not send dupes, or
  o the router's data for that cache are incorrect, and it is not
    really a dupe.

in either case, something is very broken.  in this protocol, unlike bgp,
when things are very broken, drop the session.  unlike bgp, the router
has other sessions with similar data, other caches available to it, ...

perhaps the next version should be even more explicit

   The cache server MUST ensure that it has told the router client to
   have one and only one IPvX PDU for a unique {prefix, len, max-len,
   asn} at any one point in time.  Should the router client receive an
   IPvX PDU with a {prefix, len, max-len, asn} identical to one it
   already has active, it SHOULD raise a Duplicate Announcement Received
   error.

randy

From randy@psg.com  Fri Jul  1 19:08:21 2011
Date: Sat, 02 Jul 2011 11:08:17 +0900
Message-ID: <m2r569bfji.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Hannes Gredler <hannes@juniper.net>
In-Reply-To: <20110630062137.GA19984@juniper.net>
References: <20110629070025.16892.26227.idtracker@ietfa.amsl.com> <20110629091651.GA17888@juniper.net> <m2fwms293h.wl%randy@psg.com> <20110630062137.GA19984@juniper.net>
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-rpki-rtr-13.txt / error handling; 

on versioning, upgrading, new pdus, ... i fear that i have been very
sloppy.  for instance, the iana consideration section does not ask for a
registry for Protocol version.

on the naggumite far right we have the problem i stated earlier, the
goal in dropping the session if an unrecognized pdu type is received is

    it prevents chaotic pretend upgrading producing a bunch of incorrect
    garbage in the router's database which leads to incorrect validity
    decisions and thus incorrect routing.

    imagine that the unrecognized pdu was signaling "flush all data with
    origin AS 42," or "delete all roas for prefix P or longer."

on the be liberal in what you receive far left we have

    1. the router does not recognize the new PDU and returns an error.
    2. by including the unrecognized PDU in the error message the
       cache knows what particular PDU type has caused grief,
       such that it can log it and bring it to the operator's attention.

    ---

    ok lets go through this:

    i was worried about e.g. a "central" deployment model where all your ASBRs
    have a session to a central cache. now consider you want to upgrade
    the cache with rob's latest sw (which introduces new PDUs).

    now all rpki-rtr sessions start to flap, unless you have upgraded
    routers to support the new PDUs. - you might argue that you should simply
    upgrade the routers first, thereby implying a certain upgrade order/procedure.
    that is going to be a problem:

    at some of my larger customers operational responsibilities (routers, servers)
    are strictly separate and this hidden requirement to upgrade routers first,
    will likely be causing support-tickets at vendors of routing and local-cache
    software.

i suspect that the core of the disagreement may be a difference in
model.  

the bgp heads are used to a unique session whose data may be critical
and can not afford to be lost.

others of us are strongly attached to correctness and are less worried
about dropping sessions because they are not unique in the data sense.
the router is getting the same (well close to) data from other caches,
so the cost of dropping any one session is negligible.

i think that if we can resolve this difference i can then hack the docco
to match.

i suspect that a consequence of the right wing position may be that the
Protocol Version must change if PDU Types are added or changed.  this
may imply that, on session start, when the cache receives a PDU from the
router, it has to adjust to the router's version 'capability'.  hmmmm.

randy
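
The strict handling argued for in the two messages above (duplicate IPvX PDU, unrecognized PDU type), as an added example that is not part of the original posts or of any rpki-rtr implementation. It assumes the PDU layout, type numbers and error codes of RFC 6810 as published, which may differ from the -13 draft; the `Router` and `CacheSession` classes, the cache names and the sample records are hypothetical, and only the IPv4 Prefix PDU is understood, so every other type is treated as unknown.

```python
import ipaddress
import struct

# Assumption: PDU layout, type numbers and error codes are those of RFC 6810
# (protocol version 0); the -13 draft discussed in the thread may differ.
VERSION = 0
PDU_IPV4_PREFIX, PDU_ERROR_REPORT = 4, 10
ERR_CORRUPT_DATA = 0
ERR_UNSUPPORTED_PDU_TYPE = 5
ERR_WITHDRAWAL_OF_UNKNOWN_RECORD = 6
ERR_DUPLICATE_ANNOUNCEMENT = 7
FLAG_ANNOUNCE = 0x01


class SessionError(Exception):
    """Fatal protocol error: the router reports it and drops the session."""

    def __init__(self, code, text, bad_pdu):
        super().__init__(text)
        self.code, self.text, self.bad_pdu = code, text, bad_pdu


def ipv4_prefix_pdu(prefix, max_len, asn, announce=True):
    """Build a 20-byte IPv4 Prefix PDU (used here to construct sample input)."""
    net = ipaddress.IPv4Network(prefix)
    flags = FLAG_ANNOUNCE if announce else 0
    return struct.pack("!BBHIBBBB4sI", VERSION, PDU_IPV4_PREFIX, 0, 20, flags,
                       net.prefixlen, max_len, 0, net.network_address.packed, asn)


def error_report_pdu(err):
    """Error Report that encapsulates the offending PDU so the cache can log it."""
    text = err.text.encode("utf-8")
    body = (struct.pack("!I", len(err.bad_pdu)) + err.bad_pdu
            + struct.pack("!I", len(text)) + text)
    return struct.pack("!BBHI", VERSION, PDU_ERROR_REPORT, err.code,
                       8 + len(body)) + body


class CacheSession:
    """Router-side state for one cache: its active {prefix, len, max-len, asn}."""

    def __init__(self):
        self.active = set()

    def handle(self, pdu):
        if len(pdu) < 8:
            raise SessionError(ERR_CORRUPT_DATA, "short PDU header", pdu)
        _version, pdu_type, _field, length = struct.unpack("!BBHI", pdu[:8])
        if pdu_type != PDU_IPV4_PREFIX:
            # Strict position: an unknown PDU is never skipped or guessed at.
            raise SessionError(ERR_UNSUPPORTED_PDU_TYPE,
                               "unsupported PDU type %d" % pdu_type, pdu)
        if length != 20 or len(pdu) != 20:
            raise SessionError(ERR_CORRUPT_DATA, "bad IPv4 Prefix length", pdu)
        flags, plen, max_len, _zero, addr, asn = struct.unpack("!BBBB4sI", pdu[8:])
        key = (str(ipaddress.IPv4Address(addr)), plen, max_len, asn)
        if flags & FLAG_ANNOUNCE:
            if key in self.active:
                raise SessionError(ERR_DUPLICATE_ANNOUNCEMENT,
                                   "duplicate announcement %r" % (key,), pdu)
            self.active.add(key)
        else:
            if key not in self.active:
                raise SessionError(ERR_WITHDRAWAL_OF_UNKNOWN_RECORD,
                                   "withdrawal of unknown %r" % (key,), pdu)
            self.active.remove(key)


class Router:
    """Holds one session per cache; any fatal error drops only that session."""

    def __init__(self, cache_names):
        self.sessions = {name: CacheSession() for name in cache_names}
        self.sent_errors = []  # (cache name, Error Report bytes) for inspection

    def feed(self, cache, pdu):
        """Process one PDU; return None on success, else the error code sent."""
        try:
            self.sessions[cache].handle(pdu)
            return None
        except SessionError as err:
            self.sent_errors.append((cache, error_report_pdu(err)))
            # Assumption: data learned over a dropped session is discarded at once.
            del self.sessions[cache]
            return err.code

    def records(self):
        """Union of the records held for sessions that are still up."""
        return set().union(*(s.active for s in self.sessions.values()))
```

Because state is kept per cache, the same record arriving from two different caches is not a duplicate; only a repeat on one session is.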

From Sandra.Murphy@cobham.com  Tue Jul  5 06:59:06 2011
Date: Tue, 5 Jul 2011 09:58:59 -0400 (Eastern Daylight Time)
From: Sandra Murphy <Sandra.Murphy@sparta.com>
To: sidr@ietf.org
Message-ID: <Pine.WNT.4.64.1107050956010.4296@SMURPHY-LT.columbia.ads.sparta.com>
Subject: [sidr] Nomcom 2011-2012: Third Call for Volunteers  (fwd)

The NomCom chair has made a 3rd request for volunteers for the NomCom.

The NomCom is an important component of the IETF process.  Please do
consider volunteering for the NomCom.  The final deadline for volunteering
is approaching.  See the message below for details.

--Sandy

---------- Forwarded message ----------
Date: Mon, 4 Jul 2011 08:47:17 -0700
From: NomCom Chair <nomcom-chair@ietf.org>
To: IETF Announcement list <ietf-announce@ietf.org>
Cc: ietf@ietf.org
Subject: Nomcom 2011-2012: Third Call for Volunteers

This is the Third call for Volunteers for the 2011-12 Nomcom.  We are
almost through the volunteer period so if you are considering
volunteering, please do so very soon.

We have had a very good response to the initial call for volunteers and
I am pleased to report that we have 84 volunteers thus far whose
qualifications have been confirmed by the secretariat. I have notified
each of these volunteers by email.

However, we would like to have many more volunteers. The more volunteers,
the better chance we have of choosing a random yet representative cross
section of the IETF population. You have until 11:59 pm EDT July 10, 2011
to volunteer for Nomcom but it would be much better if you can volunteer
as early as possible.

If you volunteered before 09:00 EDT on June 29 to serve as a voting member
and have not received a confirmation email from me, please re-submit and
bring to my attention right away!

Details about the process for volunteering for the Nomcom and the list
of open positions for which the nominating committee is responsible are
summarized in the initial announcement:

https://datatracker.ietf.org/ann/nomcom/2938/

The 84 volunteers who have thus far been qualified by the secretariat
are:

Alia Atlas,Juniper Networks
Lixia Zhang,UCLA
Wassim Haddad ,Ericsson
Glen Zorn,Network Zen
Richard Barnes,BBN Technologies
Stephen Kent,BBN Technologies
Scott Mansfield,Ericsson
Tina TSOU (Ting ZOU),FutureWei Technologies
Fernando Gont,UTN/FRH
Karen Seo,BBN Technologies
Jie Dong,Huawei Technologies
Mach Chen,Huawei Technologies Co. Ltd.
Sheng Jiang,Huawei Technologies Co. Ltd.
Dimitri Papadimitriou,Alcatel-Lucent
Thomas D. Nadeau,CA Technologies
David Meyer,Cisco Systems/University of Oregon
Wesley George,Time Warner Cable
Cullen Jennings,Cisco
Stephen Hanna,Juniper Networks
Stephan Wenger,Bidyo Inc.
Keyur Patel,Cisco Systems
Michael (Mike) Hamilton,BreakingPoint Systems
Behcet Sarikaya,Huawei USA
Mark Townsley,Cisco Systems
Fred Baker,Cisco Systems
Brian Trammell,ETH Zürich
Sam Hartman,Painless Security
Chris Griffiths,Comcast
George Michaelson,APNIC
Jiankang Yao,CNNIC
Sohel Khan,Comcast
Dacheng Zhang,Huawei
Lianshu Zheng,Huawei Technologies
Hui Deng,China Mobile
Gang Chen,China Mobile
Mirja Kühlewind,University of Stuttgart IKR
John E Drake,Juniper Networks
Matt Lepinski,BBN Technologies
Subir Das,Telcordia Technologies Inc
Yi Zhao,Huawei
John Scudder,Juniper Networks
Christer Holmberg,LM Ericsson
Teemu Savolainen,Nokia
Samita Chakrabarti,Ericsson
Jaap Akkerhuis,NLnet labs
Jason Weil,Time Warner Cable
Randy Bush,Internet Initiative Japan
Christian Schmidt,Nokia Siemens Networks
Sean Shen,CNNIC
Lou Berger,LabN Consulting L.L.C.
Donald Eastlake,Huawei
Xiaohu Xu,Huawei Technologies co. Ltd.
Börje Ohlman,Ericsson
Deborah Brungard,AT&T
Magnus Westerlund,Ericsson
Zhen Cao,China Mobile
Hadriel Kaplan,Acme Packet
Lilla Dovner,Ericsson
John Jason Brzozowski,Comcast
Jonne Soininen,Renesas Mobile
Javier Ubillos,Swedish Institute of Computer Science
Eric Gray,Ericsson
Thomas Herbst,Silver Spring Networks
Ning Zong,Huawei Technologies
Haibin Song,Huawei Technologies
Yingjie Gu,Huawei Technologies
Hongyu Li,Huawei Technologies
Terry Manderson,ICANN
Ari Keranen,Ericsson
Jouni Korhonen,Nokia Siemens Networks
Bhumip Khasnabish,ZTE USA Inc.
Dapeng Liu,China Mobile
Fangwei Hu,ZTE Corporation
Ole Troan,Cisco
Pascal Thubert,Cisco
Wojciech Dec,Cisco
Gunter Van de Velde,Cisco
Ning So,Verizon Inc./University of Texas at Dallas
Guoman liu,ZTE
Simon Pietro Romano,Meetecho/University of Napoli
Luca Martini,Cisco
Bill VerSteeg,Cisco
Toerless Eckert,Cisco Systems
Joseph Salowey,Cisco Systems

The primary activity for this nomcom will begin during IETF-81 in
Quebec City and should be completed by January 2012. The nomcom will
be collecting requirements from the community, as well as talking to
candidates and to community members about candidates. There will be
regularly scheduled conference calls to ensure progress. Thus, being a
nomcom member does require some time commitment.

Please volunteer by sending an email to me before
11:59 pm EDT July 10, 2011 as follows:

To: suresh.krishnan@ericsson.com
Subject: Nomcom 2011-12 Volunteer

Please include the following information in the body of the mail:

Full Name:  // As you enter in the IETF Registration Form,
             // First/Given name followed by Last/Family Name

Current Primary Affiliation: // typically what goes in the Company
                              // field in the IETF Registration Form

Email Address(es): // all email addresses used to Register for the
                    // past 5 IETF meetings
                    // Please designate a Preferred email address for
                    // contact if there is more than one email address

Telephone number:  // With country code (for confirmation if selected)

Please expect an email response from me within 3 business days stating
whether or not you are qualified.  If you do not receive a response in
this timeframe, please re-send your email with the tag "RESEND:" added
to the subject line.

If you are not yet sure you would like to volunteer, please consider
that Nomcom members play a very important role in shaping the
leadership of the IETF.  Ensuring the leadership of the IETF is fair
and balanced and comprised of those who can lead the IETF in the right
direction is an important responsibility that rests on the IETF
participants at large. Volunteering for the Nomcom is a good way of
contributing in that direction.

I will be publishing a more detailed target timetable, as well as
details of the randomness seeds to be used for the RFC 3797 selection
process very soon.

Thank you in advance for your participation.

Suresh Krishnan
Nomcom Chair 2011-2012
Email: nomcom-chair@ietf.org, suresh.krishnan@ericsson.com

From russ@cisco.com  Tue Jul  5 07:36:25 2011
Message-ID: <4E132156.9020309@cisco.com>
Date: Tue, 05 Jul 2011 10:36:06 -0400
From: Russ White <russ@cisco.com>
To: ksriram@nist.gov
Cc: sidr@ietf.org
Subject: [sidr] draft-sriram-bgpsec-design-choices-00

The list in section 1 does not appear to capture all the requirements as
they've been given in discussions on the list. Specifically, what is not
covered is:

1. Proving intent to advertise. Showing that the AS advertising a route
to a peering AS intended to advertise the reachability information
contained in the BGP update.

2. Proving the path of the update. It is not enough to merely show that
a path exists; any security system must also show the actual path
routing information has taken through the routing system.

3. Providing transitive trust. A network operator must not need to rely
on the filters or policies of neighboring autonomous systems to show the
path an update takes through the system, nor to prove the intent of
prior autonomous systems to advertise reachability through their networks.

These have all been clearly discussed on the list as motivations for the
scheme adopted.

There's a lot of 'we' in this doc, as well --I'm not certain that's good
form for a draft? Finally, there doesn't seem to be a lot of
justification around the length of the timer in an update (what's the
impact on performance system wide, in terms of stability and route
update intervals? Are these justifiable?), nor on why intervening AS'
should not be allowed to include expiration times (why is a change in
the AS path at an intervening AS treated differently than a change in
the AS path at the originating AS?).

Russ




From jgs@bgp.nu  Tue Jul  5 14:43:41 2011
From: "John G. Scudder" <jgs@bgp.nu>
In-Reply-To: <m2r569bfji.wl%randy@psg.com>
Date: Tue, 5 Jul 2011 17:43:38 -0400
Message-Id: <0A4C7566-D9E3-48B1-BBB4-19E9071D2873@bgp.nu>
References: <20110629070025.16892.26227.idtracker@ietfa.amsl.com> <20110629091651.GA17888@juniper.net> <m2fwms293h.wl%randy@psg.com> <20110630062137.GA19984@juniper.net> <m2r569bfji.wl%randy@psg.com>
To: Randy Bush <randy@psg.com>
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-rpki-rtr-13.txt / error handling; 

On Jul 1, 2011, at 10:08 PM, Randy Bush wrote:
> i suspect that a consequence of the right wing position may be that the
> Protocol Version must change if PDU Types are added or changed.

That's a viable option.  I'll leave it to others to comment whether it's
palatable to them or not.

> this
> may imply that, on session start, when the cache receives a PDU from the
> router, it has to adjust to the router's version 'capability'.  hmmmm.

Yes, the lack of any establishment phase makes this part a little
squicky.  One can either decide to tolerate the grossness, or add an
explicit version PDU exchange or similar.  The latter seems nicer but
might itself require a version bump to introduce?

--John

From kotikalapudi.sriram@nist.gov  Tue Jul  5 19:30:10 2011
From: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>
To: Russ White <russ@cisco.com>
Date: Tue, 5 Jul 2011 22:29:19 -0400
Message-ID: <D7A0423E5E193F40BE6E94126930C4930877FE8A54@MBCLUSTER.xchange.nist.gov>
References: <4E132156.9020309@cisco.com>
In-Reply-To: <4E132156.9020309@cisco.com>
Cc: "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] draft-sriram-bgpsec-design-choices-00

Hi Russ,

Thanks for your comments/observations.
Please see my comments inline.

Sriram

>The list in section 1 does not appear to capture all the requirements as
>they've been given in discussions on the list.

This is a design rationale document.
It merely describes some of the details behind the design decisions.
As you know, requirements are documented in draft-ietf-sidr-bgpsec-reqs.

>Specifically, what is not covered is:
>1. Proving intent to advertise. Showing that the AS advertising a route
>to a peering AS intended to advertise the reachability information
>contained in the BGP update.
>
>2. Proving the path of the update. It is not enough to merely show that
>a path exists; any security system must also show the actual path
>routing information has taken through the routing system.
>
>3. Providing transitive trust. A network operator must not need to rely
>on the filters or policies of neighboring autonomous systems to show the
>path an update takes through the system, nor to prove the intent of
>prior autonomous systems to advertise reachability through their networks.
>
>These have all been clearly discussed on the list as motivations for the
>scheme adopted.

These are requirements related questions which pertain to
draft-ietf-sidr-bgpsec-reqs. I think Randy may like to respond to these.

>There's a lot of 'we' in this doc, as well --I'm not certain that's good
>form for a draft?

I could use the passive form like “It was decided that …” etc.
everywhere in the doc. I’m not sure that is necessarily better.
But I will take your suggestion into consideration.

>Finally, there doesn't seem to be a lot of
>justification around the length of the timer in an update (what's the
>impact on performance system wide, in terms of stability and route
>update intervals? Are these justifiable?),

This is an ongoing discussion.
But please see Section 3.2.2 (2nd, 3rd, 4th paragraphs).
http://tools.ietf.org/html/draft-sriram-bgpsec-design-choices-00#page-10
Also see Section 3.4.
http://tools.ietf.org/html/draft-sriram-bgpsec-design-choices-00#section-3.4
Sharon Goldberg and I have begun doing detailed modeling
of the BGPSEC route-processor workload to quantify the performance metrics
you have mentioned. We hope to report results in the near future.

>nor on why intervening AS'
>should not be allowed to include expiration times

It is simply not needed to reduce the replay attack window.
It is sufficient that the origin AS inserts the Expire Time,
and all other ASes in the AS path sign that info as they forward the route.
Please see Section 3.2.2, 1st paragraph.
http://tools.ietf.org/html/draft-sriram-bgpsec-design-choices-00#page-10

> (why is a change in
>the AS path at an intervening AS treated differently than a change in
>the AS path at the originating AS?).

In what way do you think they are treated differently?  If the origin AS
announces to a different neighbor, that is just the same as if an AS three
hops down makes a different choice.
Again the discussion in Section 3.2.2 (1st para) can be helpful here.

Sriram



From russ@cisco.com  Wed Jul  6 04:10:58 2011
Return-Path: <russ@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6599D21F86E6 for <sidr@ietfa.amsl.com>; Wed,  6 Jul 2011 04:10:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.299
X-Spam-Level: 
X-Spam-Status: No, score=-10.299 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UeC--TZbu-ON for <sidr@ietfa.amsl.com>; Wed,  6 Jul 2011 04:10:57 -0700 (PDT)
Received: from ams-iport-1.cisco.com (ams-iport-1.cisco.com [144.254.224.140]) by ietfa.amsl.com (Postfix) with ESMTP id 5445821F85F7 for <sidr@ietf.org>; Wed,  6 Jul 2011 04:10:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=russ@cisco.com; l=1161; q=dns/txt; s=iport; t=1309950657; x=1311160257; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=KCSdQS/ztgazAfakMXz5qak2eDqbLl2bL+BsK5++BFo=; b=aMvgmfBqNkwiERlfet7v21i496DbhLkh5/mx9kdb6ZZ401vQfu+RXaZm 7tcmaI2MrVEq1uJ1u57aoy56xLZ/Pdxa6Vg8ZgbXEXSveXbxn+yQpEV3s Gpb4kj6c/ebdtpRfcxMTt+5lNH/bKYb5+cWI/kpYgSn8pqpe+lf/VWoM4 g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av0EAIxBFE5Io8UR/2dsb2JhbABTqAN3iHqlI54vhjYEkkGEeote
X-IronPort-AV: E=Sophos;i="4.65,486,1304294400"; d="scan'208";a="99907953"
Received: from bgl-core-2.cisco.com ([72.163.197.17]) by ams-iport-1.cisco.com with ESMTP; 06 Jul 2011 11:10:55 +0000
Received: from [10.116.137.179] (rtp-russwh-8712.cisco.com [10.116.137.179]) by bgl-core-2.cisco.com (8.14.3/8.14.3) with ESMTP id p66BArAo014854; Wed, 6 Jul 2011 11:10:54 GMT
Message-ID: <4E1442BD.6090604@cisco.com>
Date: Wed, 06 Jul 2011 07:10:53 -0400
From: Russ White <russ@cisco.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20110528 Thunderbird/5.0b1
MIME-Version: 1.0
To: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>
References: <4E132156.9020309@cisco.com> <D7A0423E5E193F40BE6E94126930C4930877FE8A54@MBCLUSTER.xchange.nist.gov>
In-Reply-To: <D7A0423E5E193F40BE6E94126930C4930877FE8A54@MBCLUSTER.xchange.nist.gov>
X-Enigmail-Version: 1.2
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Cc: "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] draft-sriram-bgpsec-design-choices-00
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jul 2011 11:10:58 -0000

>> The list in section 1 does not appear to capture all the requirements as
>> they've been given in discussions on the list. 
> 
> This is a design rationale document.
> It merely describes some of the details behind the design decisions.
> As you know, requirements are documented in draft-ietf-sidr-bgpsec-reqs. 

I would expect it, however, to detail the primary reasons for making
such decisions. The ones I've outlined are, based on the list
discussions, the primary reasons.

>> nor on why intervening AS'
>> should not be allowed to include expiration times
> 
> It is simply not needed to reduce the replay attack window.

I don't see how this is true. For instance:

   +--3--+
1--2     5
   +--4--+

Where 1 is originating a route towards 2, and 2 towards 3 and 4. If the
link between 2 and 3 fails, or 2 changes its policy, it must wait the
duration of 1's timer before being assured 3 cannot continue to
advertise the route. From 2's perspective, it has no ability to control
the speed at which it can effectively implement policy or prevent replay
attacks.

This is unacceptable. The timer must be per hop.

Russ

From randy@psg.com  Wed Jul  6 04:22:42 2011
Return-Path: <randy@psg.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCC7A21F869A for <sidr@ietfa.amsl.com>; Wed,  6 Jul 2011 04:22:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.574
X-Spam-Level: 
X-Spam-Status: No, score=-2.574 tagged_above=-999 required=5 tests=[AWL=0.025,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AxH7odDgeYcP for <sidr@ietfa.amsl.com>; Wed,  6 Jul 2011 04:22:42 -0700 (PDT)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:1::36]) by ietfa.amsl.com (Postfix) with ESMTP id 3939F21F8601 for <sidr@ietf.org>; Wed,  6 Jul 2011 04:22:42 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=rair.psg.com.psg.com) by ran.psg.com with esmtp (Exim 4.76 (FreeBSD)) (envelope-from <randy@psg.com>) id 1QeQBi-0006Fy-8L; Wed, 06 Jul 2011 11:22:38 +0000
Date: Wed, 06 Jul 2011 20:22:36 +0900
Message-ID: <m2k4bvac1v.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Russ White <russ@cisco.com>
In-Reply-To: <4E1442BD.6090604@cisco.com>
References: <4E132156.9020309@cisco.com> <D7A0423E5E193F40BE6E94126930C4930877FE8A54@MBCLUSTER.xchange.nist.gov> <4E1442BD.6090604@cisco.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Cc: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] draft-sriram-bgpsec-design-choices-00
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jul 2011 11:22:42 -0000

>    +--3--+
> 1--2     5
>    +--4--+
> 
> Where 1 is originating a route towards 2, and 2 towards 3 and 4. If the
> link between 2 and 3 fails, or 2 changes its policy, it must wait the
> duration of 1's timer before being assured 3 cannot continue to
> advertise the route.

that is why beaconing is said to provide only a certain measurable and
controllable freshness guarantee.  no surprise there.

> From 2's perspective, it has no ability to control the speed at which
> it can effectively implement policy or prevent replay attacks.
> 
> This is unacceptable. The timer must be per hop.

would you explain why this would reduce the window?

e.g., if 2 signs with a time and 3 signs with a time, 3 can still replay
within 2's window, which one presumes is about as wide as 1's window.
no gain, non-trivial pain.

randy

From russ@cisco.com  Wed Jul  6 04:27:02 2011
Return-Path: <russ@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE6FC21F861B for <sidr@ietfa.amsl.com>; Wed,  6 Jul 2011 04:27:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZmHekblk3EGF for <sidr@ietfa.amsl.com>; Wed,  6 Jul 2011 04:27:02 -0700 (PDT)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) by ietfa.amsl.com (Postfix) with ESMTP id EDA4721F860B for <sidr@ietf.org>; Wed,  6 Jul 2011 04:27:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=russ@cisco.com; l=526; q=dns/txt; s=iport; t=1309951622; x=1311161222; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=N5lPbjwjmK972QvXT8ylk5gZfAbdFcEXIktXc0rdMJw=; b=mg7mW0fifyInUE3Y4+2mR5hkirK6XOy2WnqN8sFWBjGuE7He7un8l7Sk RuOm1S/SRKM7HqvOWwyqMzKlnOdlWQc17SAjQcPCVqkRPaDhKhFeFitMa 95DAxmgq9xFMU+Beat9zU0NGNzSHccEHmmJoe8IX4iiEH3OJEIAI6MfKt A=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av0EACxGFE6tJXG8/2dsb2JhbABTqAN3iHqlOJ4vhjYEkkGEeote
X-IronPort-AV: E=Sophos;i="4.65,486,1304294400";  d="scan'208";a="382147"
Received: from rcdn-core2-1.cisco.com ([173.37.113.188]) by rcdn-iport-1.cisco.com with ESMTP; 06 Jul 2011 11:27:01 +0000
Received: from [10.116.137.179] (rtp-russwh-8712.cisco.com [10.116.137.179]) by rcdn-core2-1.cisco.com (8.14.3/8.14.3) with ESMTP id p66BR0AO019438;  Wed, 6 Jul 2011 11:27:00 GMT
Message-ID: <4E144684.4090106@cisco.com>
Date: Wed, 06 Jul 2011 07:27:00 -0400
From: Russ White <russ@cisco.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20110528 Thunderbird/5.0b1
MIME-Version: 1.0
To: Randy Bush <randy@psg.com>
References: <4E132156.9020309@cisco.com> <D7A0423E5E193F40BE6E94126930C4930877FE8A54@MBCLUSTER.xchange.nist.gov> <4E1442BD.6090604@cisco.com> <m2k4bvac1v.wl%randy@psg.com>
In-Reply-To: <m2k4bvac1v.wl%randy@psg.com>
X-Enigmail-Version: 1.2
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] draft-sriram-bgpsec-design-choices-00
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jul 2011 11:27:02 -0000

> e.g., if 2 signs with a time and 3 signs with a time, 3 can still replay
> within 2's window, which one presumes is about as wide as 1's window.
> no gain, non-trivial pain.

Because 2 would know its local conditions, and may set the timer
shorter. 1 cannot know 2's local conditions or policies, and yet you are
allowing 1 to control the length of time the connection is acceptable
between 2 and 3.

There is real gain in allowing a per hop timer. It would accurately
reflect the state of the network.

Russ


From randy@psg.com  Wed Jul  6 04:29:59 2011
Return-Path: <randy@psg.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43B5D21F860F for <sidr@ietfa.amsl.com>; Wed,  6 Jul 2011 04:29:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.575
X-Spam-Level: 
X-Spam-Status: No, score=-2.575 tagged_above=-999 required=5 tests=[AWL=0.024,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gOA4u4UkMxEC for <sidr@ietfa.amsl.com>; Wed,  6 Jul 2011 04:29:58 -0700 (PDT)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:1::36]) by ietfa.amsl.com (Postfix) with ESMTP id 6762821F860B for <sidr@ietf.org>; Wed,  6 Jul 2011 04:29:50 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=rair.psg.com.psg.com) by ran.psg.com with esmtp (Exim 4.76 (FreeBSD)) (envelope-from <randy@psg.com>) id 1QeQIe-0006HS-CX; Wed, 06 Jul 2011 11:29:49 +0000
Date: Wed, 06 Jul 2011 20:29:45 +0900
Message-ID: <m2hb6zabpy.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Russ White <russ@cisco.com>
In-Reply-To: <4E144684.4090106@cisco.com>
References: <4E132156.9020309@cisco.com> <D7A0423E5E193F40BE6E94126930C4930877FE8A54@MBCLUSTER.xchange.nist.gov> <4E1442BD.6090604@cisco.com> <m2k4bvac1v.wl%randy@psg.com> <4E144684.4090106@cisco.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Cc: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] draft-sriram-bgpsec-design-choices-00
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jul 2011 11:29:59 -0000

>> e.g., if 2 signs with a time and 3 signs with a time, 3 can still replay
>> within 2's window, which one presumes is about as wide as 1's window.
>> no gain, non-trivial pain.
> Because 2 would know its local conditions, and may set the timer
> shorter.

except 2 had already disconnected from 3.  way too much noise for too
little gain.

randy

From russ@cisco.com  Wed Jul  6 04:40:29 2011
Return-Path: <russ@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2832521F8687 for <sidr@ietfa.amsl.com>; Wed,  6 Jul 2011 04:40:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level: 
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cUWPn1EkDYtE for <sidr@ietfa.amsl.com>; Wed,  6 Jul 2011 04:40:28 -0700 (PDT)
Received: from sj-iport-5.cisco.com (sj-iport-5.cisco.com [171.68.10.87]) by ietfa.amsl.com (Postfix) with ESMTP id 8E0A221F8680 for <sidr@ietf.org>; Wed,  6 Jul 2011 04:40:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=russ@cisco.com; l=842; q=dns/txt; s=iport; t=1309952428; x=1311162028; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=8ggjMjSR6G8T590GhM1H61z3XF8v28pw26DrMsRyBZs=; b=gvxNEYSTUFv+0ia38DdZwClPRS6IKbLfk+o7/IQXqoazGGEYUqETwPaf pOJRHqGY3yi+qzGXnOWm0Hvjufm6gPJ7i4gWoQ3LzuDUFXOb/YArCAVTp j0XWKXQlfPD/+UHKAtAXaNdf0paOcM5C0MYUsnjdnDLB8PZ5raEIKwCzS o=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av0EADpJFE6rRDoI/2dsb2JhbABTqAN3rk6eLoY2BJJBhHqLXg
X-IronPort-AV: E=Sophos;i="4.65,486,1304294400"; d="scan'208";a="362189105"
Received: from mtv-core-3.cisco.com ([171.68.58.8]) by sj-iport-5.cisco.com with ESMTP; 06 Jul 2011 11:40:12 +0000
Received: from [10.116.137.179] (rtp-russwh-8712.cisco.com [10.116.137.179]) by mtv-core-3.cisco.com (8.14.3/8.14.3) with ESMTP id p66BeBY0001096; Wed, 6 Jul 2011 11:40:11 GMT
Message-ID: <4E14499B.6010801@cisco.com>
Date: Wed, 06 Jul 2011 07:40:11 -0400
From: Russ White <russ@cisco.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20110528 Thunderbird/5.0b1
MIME-Version: 1.0
To: Randy Bush <randy@psg.com>
References: <4E132156.9020309@cisco.com> <D7A0423E5E193F40BE6E94126930C4930877FE8A54@MBCLUSTER.xchange.nist.gov> <4E1442BD.6090604@cisco.com> <m2k4bvac1v.wl%randy@psg.com> <4E144684.4090106@cisco.com> <m2hb6zabpy.wl%randy@psg.com>
In-Reply-To: <m2hb6zabpy.wl%randy@psg.com>
X-Enigmail-Version: 1.2
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] draft-sriram-bgpsec-design-choices-00
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jul 2011 11:40:29 -0000

On 7/6/2011 7:29 AM, Randy Bush wrote:
>>> e.g., if 2 signs with a time and 3 signs with a time, 3 can still replay
>>> within 2's window, which one presumes is about as wide as 1's window.
>>> no gain, non-trivial pain.
>> Because 2 would know its local conditions, and may set the timer
>> shorter.
> 
> except 2 had already disconnected from 3.  way too much noise for too
> little gain.

No --if 2 knows the situation with 3 is problematic, it can reduce the
timer on that path.

What you're saying is that the originator should control the rate at
which connectivity and policy should be allowed to change farther down
the graph, because, well, it's too much trouble to do otherwise. What
I'm saying is this is an unacceptable tradeoff --if the point is to
provide security, then provide security at every hop.

Russ


From internet-drafts@ietf.org  Wed Jul  6 05:27:08 2011
Return-Path: <internet-drafts@ietf.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D28721F85B4; Wed,  6 Jul 2011 05:27:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.582
X-Spam-Level: 
X-Spam-Status: No, score=-102.582 tagged_above=-999 required=5 tests=[AWL=0.017, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hk23goHeDvDu; Wed,  6 Jul 2011 05:27:07 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7248B21F85A5; Wed,  6 Jul 2011 05:27:07 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 3.55
Message-ID: <20110706122707.21873.72458.idtracker@ietfa.amsl.com>
Date: Wed, 06 Jul 2011 05:27:07 -0700
Cc: sidr@ietf.org
Subject: [sidr] I-D Action: draft-ietf-sidr-rpki-manifests-15.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jul 2011 12:27:08 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Secure Inter-Domain Routing Working Group of the IETF.

	Title           : Manifests for the Resource Public Key Infrastructure
	Author(s)       : Rob Austein
                          Geoff Huston
                          Stephen Kent
                          Matt Lepinski
	Filename        : draft-ietf-sidr-rpki-manifests-15.txt
	Pages           : 19
	Date            : 2011-07-06

   This document defines a "manifest" for use in the Resource Public Key
   Infrastructure (RPKI).  A manifest is a signed object (file) that
   contains a listing of all the signed objects (files) in the
   repository publication point (directory) associated with an authority
   responsible for publishing in the repository.  For each certificate,
   Certificate Revocation List (CRL), or other type of signed objects
   issued by the authority, that are published at this repository
   publication point, the manifest contains both the name of the file
   containing the object, and a hash of the file content.  Manifests are
   intended to enable a relying party (RP) to detect certain forms of
   attacks against a repository.  Specifically, if an RP checks a
   manifest's contents against the signed objects retrieved from a
   repository publication point, then the RP can detect "stale" (valid)
   data and deletion of signed objects.


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-sidr-rpki-manifests-15.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-sidr-rpki-manifests-15.txt
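
The relying-party check described in the abstract above, as an added example that is not part of the announcement or of the draft. It models a manifest as a plain mapping from file name to hash; SHA-256, the file names and the object contents are constructed assumptions, and validation of the manifest's own signature is left out.

```python
import hashlib


def file_hash(content: bytes) -> str:
    """Hash of a file's content (SHA-256 is an assumption of this sketch)."""
    return hashlib.sha256(content).hexdigest()


def build_manifest(objects: dict[str, bytes]) -> dict[str, str]:
    """What the authority publishes: one (file name, hash) entry per object."""
    return {name: file_hash(content) for name, content in objects.items()}


def check_against_manifest(manifest: dict[str, str],
                           retrieved: dict[str, bytes]) -> dict[str, list[str]]:
    """Compare the objects an RP actually retrieved with the manifest listing.

    missing       -> listed in the manifest but not retrieved (deletion)
    hash_mismatch -> retrieved, but content differs from what the manifest
                     lists (for example an older, still validly signed copy)
    unlisted      -> retrieved, but the manifest does not mention it
    """
    findings = {"ok": [], "missing": [], "hash_mismatch": [], "unlisted": []}
    for name, expected in sorted(manifest.items()):
        if name not in retrieved:
            findings["missing"].append(name)
        elif file_hash(retrieved[name]) != expected:
            findings["hash_mismatch"].append(name)
        else:
            findings["ok"].append(name)
    findings["unlisted"] = sorted(set(retrieved) - set(manifest))
    return findings


# Constructed publication point: what the authority currently publishes.
PUBLISHED = {
    "ca.crl": b"constructed CRL, number 7",
    "as64496.roa": b"constructed ROA v2: 192.0.2.0/24 AS64496",
    "child.cer": b"constructed child CA certificate",
}
MANIFEST = build_manifest(PUBLISHED)


def demo() -> dict[str, list[str]]:
    """Constructed fetch result: the CRL is withheld, the ROA is an older
    version, and one object appears that the manifest does not list."""
    fetched = {
        "as64496.roa": b"constructed ROA v1: 192.0.2.0/24 AS64511",
        "child.cer": PUBLISHED["child.cer"],
        "extra.roa": b"constructed object not listed in the manifest",
    }
    return check_against_manifest(MANIFEST, fetched)


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category:14} {names}")
```

Signature validity alone would accept the older ROA in this constructed fetch; only the comparison against the manifest's hash list flags it, along with the withheld CRL.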

From chris.hall@highwayman.com  Wed Jul  6 10:24:00 2011
Return-Path: <chris.hall@highwayman.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2188521F88D7 for <sidr@ietfa.amsl.com>; Wed,  6 Jul 2011 10:23:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hKCrjFHPMIRh for <sidr@ietfa.amsl.com>; Wed,  6 Jul 2011 10:23:55 -0700 (PDT)
Received: from lon1-post-2.mail.demon.net (lon1-post-2.mail.demon.net [195.173.77.149]) by ietfa.amsl.com (Postfix) with ESMTP id 2536C21F88D5 for <sidr@ietf.org>; Wed,  6 Jul 2011 10:23:55 -0700 (PDT)
Received: from [80.177.246.162] (helo=hestia.halldom.com) by lon1-post-2.mail.demon.net with esmtp (Exim 4.69) id 1QeVpK-0003Cs-Zd; Wed, 06 Jul 2011 17:23:54 +0000
Received: from hyperion.halldom.com ([80.177.246.170] helo=HYPERION) by hestia.halldom.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.76) (envelope-from <chris.hall@highwayman.com>) id 1QeVpJ-0008WN-81; Wed, 06 Jul 2011 18:23:53 +0100
From: "Chris Hall" <chris.hall@highwayman.com>
To: <sidr@ietf.org>
References: <4E132156.9020309@cisco.com>	<D7A0423E5E193F40BE6E94126930C4930877FE8A54@MBCLUSTER.xchange.nist.gov> <4E1442BD.6090604@cisco.com>
In-Reply-To: <4E1442BD.6090604@cisco.com>
Date: Wed, 6 Jul 2011 18:23:48 +0100
Organization: Highwayman
Message-ID: <017801cc3c01$7a6428c0$6f2c7a40$@highwayman.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQIIPyMGWpCcV6CKtwfjVh3fQo+JFwH5QC+fAsY9keaUQSwiYA==
Content-Language: en-gb
Cc: "'Sriram, Kotikalapudi'" <kotikalapudi.sriram@nist.gov>, 'Russ White' <russ@cisco.com>
Subject: Re: [sidr] draft-sriram-bgpsec-design-choices-00
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jul 2011 17:24:00 -0000

Russ White wrote (on Wed 06-Jul-2011 at 12:11 +0100):
....
> I don't see how this is true. For instance:
> 
>    +--3--+
> 1--2     5
>    +--4--+
> 
> Where 1 is originating a route towards 2, and 2 towards 3 and 4. If
> the link between 2 and 3 fails, or 2 changes its policy, it must
> wait the duration of 1's timer before being assured 3 cannot
> continue to advertise the route. From 2's perspective, it has no
> ability to control the speed at which it can effectively implement
> policy or prevent replay attacks.
> 
> This is unacceptable. The timer must be per hop.

How short would the timers have to be to cope with link failures ?

In any case, it seems to me that problems only arise if 3 turns out to
be a Bad Person.  In which case, no matter what any validity timers
say, the objective should be to allow routes to be rapidly withdrawn ?
Each AS announcing routes to 3 gets to make up their own minds about
3's bona fides which will have its own latency, but having made a
decision, having to wait for some timer to expire before being able to
act will seem like a failure ?

If 2 changes which IPs it has allocated to customers, then the RPKI
implements that by creating new and revoking old EE(s).

If 2 changes which ASes it announces routes to, presumably it revokes
the EE(s) associated with the path signatures it now repudiates.  And
the back-channel through the RPKI will update all interested routers,
and any stale routes will be swept away ?  Of course, 2 must first
re-announce everything that currently uses the to-be-updated-keys to
every other peer, and wait for those announcements to be propagated.
Can this be right ?

Mind you, what if:

   +--3--+
1--2  |  5
   +--4--+

In which case, if 4 does not agree with 2's assessment of 3's
character, then 2 is estuffe if 4 announces its routes to 3, and 5
thinks that 3's price for transit is just wonderful, and 3 is a
customer of 4 (which might affect its judgement, of course).

On the other hand, if all parties suddenly realise that 3 is Wicked,
then there will be a sudden rush of new EEs and every route including
3 will be withdrawn, *and* every related route *not* including 3 will
have to be re-announced and have propagated across the BGP mesh,
*before* EEs are updated ?

Or, of course, everybody could do it the old fashioned way, and filter
out routes with AS 3 in the path :-)

Chris


From russ@cisco.com  Wed Jul  6 10:38:52 2011
Return-Path: <russ@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C34AD21F8986 for <sidr@ietfa.amsl.com>; Wed,  6 Jul 2011 10:38:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level: 
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8Pv84GxO39Fc for <sidr@ietfa.amsl.com>; Wed,  6 Jul 2011 10:38:52 -0700 (PDT)
Received: from sj-iport-5.cisco.com (sj-iport-5.cisco.com [171.68.10.87]) by ietfa.amsl.com (Postfix) with ESMTP id 40F4121F893B for <sidr@ietf.org>; Wed,  6 Jul 2011 10:38:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=russ@cisco.com; l=1183; q=dns/txt; s=iport; t=1309973932; x=1311183532; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=yWZZxRH/Ybe2h1LcqilLsit+OQaczSxUQEugjC/P56k=; b=RPAjEGMfj8vaD5/RogwLdjonAVRbfqBR5/IghIec8wErODP58wyAiCKe m0Nqfj6BHZwgWWzJkMQmaD++x0MXzjXvUdsN5+ncVUFfroxsWAWxFyNf9 RvIB8oUlD+zfjDoLNzJy3ZnVXbQtnRzfT97UUuY7xxV9Wuam4RK6fDQbR E=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av0EAFucFE6rRDoG/2dsb2JhbABTqAV3iHqlOJYqhjcEkkGEeotf
X-IronPort-AV: E=Sophos;i="4.65,488,1304294400"; d="scan'208";a="362518821"
Received: from mtv-core-1.cisco.com ([171.68.58.6]) by sj-iport-5.cisco.com with ESMTP; 06 Jul 2011 17:38:52 +0000
Received: from [10.116.137.179] (rtp-russwh-8712.cisco.com [10.116.137.179]) by mtv-core-1.cisco.com (8.14.3/8.14.3) with ESMTP id p66HcpKq023151; Wed, 6 Jul 2011 17:38:51 GMT
Message-ID: <4E149DAB.7030201@cisco.com>
Date: Wed, 06 Jul 2011 13:38:51 -0400
From: Russ White <russ@cisco.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20110528 Thunderbird/5.0b1
MIME-Version: 1.0
To: Chris Hall <chris.hall@highwayman.com>
References: <4E132156.9020309@cisco.com>	<D7A0423E5E193F40BE6E94126930C4930877FE8A54@MBCLUSTER.xchange.nist.gov> <4E1442BD.6090604@cisco.com> <017801cc3c01$7a6428c0$6f2c7a40$@highwayman.com>
In-Reply-To: <017801cc3c01$7a6428c0$6f2c7a40$@highwayman.com>
X-Enigmail-Version: 1.2
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>, sidr@ietf.org
Subject: Re: [sidr] draft-sriram-bgpsec-design-choices-00
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jul 2011 17:38:52 -0000

>> I don't see how this is true. For instance:
>>
>>    +--3--+
>> 1--2     5
>>    +--4--+
>>
>> Where 1 is originating a route towards 2, and 2 towards 3 and 4. If
>> the link between 2 and 3 fails, or 2 changes its policy, it must
>> wait the duration of 1's timer before being assured 3 cannot
>> continue to advertise the route. From 2's perspective, it has no
>> ability to control the speed at which it can effectively implement
>> policy or prevent replay attacks.
>>
>> This is unacceptable. The timer must be per hop.
> 
> How short would the timers have to be to cope with link failures ?

My argument isn't over the length of the timer, just that the timer
needs to exist per hop, not just for the originator.

> If 2 changes which IPs it has allocated to customers, then the RPKI
> implements that by creating new and revoking old EE(s).

So you would argue that each time you change connections, you should
issue a new EE? Then why have the timer at all?

> Or, of course, everybody could do it the old fashioned way, and filter
> out routes with AS 3 in the path :-)

Then what's the point of the signatures in the first place?

Russ


From pmohapat@cisco.com  Wed Jul  6 14:27:22 2011
Return-Path: <pmohapat@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3224621F8AE4 for <sidr@ietfa.amsl.com>; Wed,  6 Jul 2011 14:27:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level: 
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jOzALVggSRtL for <sidr@ietfa.amsl.com>; Wed,  6 Jul 2011 14:27:21 -0700 (PDT)
Received: from sj-iport-5.cisco.com (sj-iport-5.cisco.com [171.68.10.87]) by ietfa.amsl.com (Postfix) with ESMTP id B549121F8AE5 for <sidr@ietf.org>; Wed,  6 Jul 2011 14:27:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=pmohapat@cisco.com; l=984; q=dns/txt; s=iport; t=1309987641; x=1311197241; h=subject:mime-version:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=BCWbAukm+E2GWTc5EZz6BCMLY9Zj114iGnTuo2ix87s=; b=HQIqtxPtsfUNNFt0DD/TLZcy5FnEAPZDXEak2JKJJxmTxMSG4hcdPDPd H1TI9jKvZ3uA2h6B/sdPkgWkvqrHFH2x28HLKO/i+Ll3ibHy+Ls0CLxWd YVCIgVPJmsksRjFXxYEW65oPyboU6FYrVRsCEXy+rA/KuCuVtJbOhPu8C 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av0EAErSFE6rRDoJ/2dsb2JhbABTqAt3iHqlC54MhjcEh0aKe4R6i2M
X-IronPort-AV: E=Sophos;i="4.65,489,1304294400"; d="scan'208";a="362715819"
Received: from mtv-core-4.cisco.com ([171.68.58.9]) by sj-iport-5.cisco.com with ESMTP; 06 Jul 2011 21:27:21 +0000
Received: from [10.155.35.242] ([10.155.35.242]) by mtv-core-4.cisco.com (8.14.3/8.14.3) with ESMTP id p66LRLD8000498; Wed, 6 Jul 2011 21:27:21 GMT
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset=us-ascii
From: Pradosh Mohapatra <pmohapat@cisco.com>
In-Reply-To: <0A4C7566-D9E3-48B1-BBB4-19E9071D2873@bgp.nu>
Date: Wed, 6 Jul 2011 14:31:19 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <999E83B2-490A-4233-BB28-4046260C8462@cisco.com>
References: <20110629070025.16892.26227.idtracker@ietfa.amsl.com> <20110629091651.GA17888@juniper.net> <m2fwms293h.wl%randy@psg.com> <20110630062137.GA19984@juniper.net> <m2r569bfji.wl%randy@psg.com> <0A4C7566-D9E3-48B1-BBB4-19E9071D2873@bgp.nu>
To: "John G. Scudder" <jgs@bgp.nu>
X-Mailer: Apple Mail (2.1084)
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-rpki-rtr-13.txt / error handling; 
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jul 2011 21:27:22 -0000

>> i suspect that a consequence of the right wing position may be that the
>> Protocol Version must change if PDU Types are added or changed.
>
> That's a viable option.  I'll leave it to others to comment whether
> it's palatable to them or not.

It seems to be an overkill though! It depends on what PDU is being
introduced (yes, that means a notion of mandatory and optional PDUs
;-)). PDU change, definitely!

>
>> this
>> may imply that, on session start, when the cache receives a PDU from the
>> router, it has to adjust to the router's version 'capability'.  hmmmm.
>
> Yes, the lack of any establishment phase makes this part a little
> squicky.  One can either decide to tolerate the grossness, or add an
> explicit version PDU exchange or similar.  The latter seems nicer but
> might itself require a version bump to introduce?

Putting the version# in to the reserved part of the reset query PDU
seems like a good start.

From randy@psg.com  Wed Jul  6 14:28:30 2011
Return-Path: <randy@psg.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CAF5D21F8AE3 for <sidr@ietfa.amsl.com>; Wed,  6 Jul 2011 14:28:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.576
X-Spam-Level: 
X-Spam-Status: No, score=-2.576 tagged_above=-999 required=5 tests=[AWL=0.023,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TWdbrd8PyTwz for <sidr@ietfa.amsl.com>; Wed,  6 Jul 2011 14:28:30 -0700 (PDT)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:1::36]) by ietfa.amsl.com (Postfix) with ESMTP id 1309A21F8AAC for <sidr@ietf.org>; Wed,  6 Jul 2011 14:28:30 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=rair.psg.com.psg.com) by ran.psg.com with esmtp (Exim 4.76 (FreeBSD)) (envelope-from <randy@psg.com>) id 1QeZdw-0008Qp-C7; Wed, 06 Jul 2011 21:28:24 +0000
Date: Thu, 07 Jul 2011 06:28:23 +0900
Message-ID: <m2pqln85fs.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Pradosh Mohapatra <pmohapat@cisco.com>
In-Reply-To: <999E83B2-490A-4233-BB28-4046260C8462@cisco.com>
References: <20110629070025.16892.26227.idtracker@ietfa.amsl.com> <20110629091651.GA17888@juniper.net> <m2fwms293h.wl%randy@psg.com> <20110630062137.GA19984@juniper.net> <m2r569bfji.wl%randy@psg.com> <0A4C7566-D9E3-48B1-BBB4-19E9071D2873@bgp.nu> <999E83B2-490A-4233-BB28-4046260C8462@cisco.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-rpki-rtr-13.txt / error handling; 
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jul 2011 21:28:30 -0000

> Putting the version# in to the reserved part of the reset query PDU
> seems like a good start.

it is already in the version number field.

randy

From pmohapat@cisco.com  Wed Jul  6 14:59:20 2011
Return-Path: <pmohapat@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17E3A21F8A9F for <sidr@ietfa.amsl.com>; Wed,  6 Jul 2011 14:59:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level: 
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hc3KbD8MZ9je for <sidr@ietfa.amsl.com>; Wed,  6 Jul 2011 14:59:19 -0700 (PDT)
Received: from sj-iport-5.cisco.com (sj-iport-5.cisco.com [171.68.10.87]) by ietfa.amsl.com (Postfix) with ESMTP id 9DA7321F8A94 for <sidr@ietf.org>; Wed,  6 Jul 2011 14:59:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=pmohapat@cisco.com; l=216; q=dns/txt; s=iport; t=1309989552; x=1311199152; h=subject:mime-version:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=SosNLUOLv96AdxjeZncGsjHZ3IgtpcXC8BaHT2xCgog=; b=YK5/tDNXCYhEro3ynZBtsP8608on7laSvaNwbVsAvPfzTnrY/9lwO81r aJM0lMudwQZPKNvH3o0bTtDldiqLa1lTBcLP0R8tZ6s14JZ2TEeI+WYRa ghAz27ud3OsXdS+ma3+v0BEVuqCSP0yOQmgrNbHby3gNnWUFWwT+t4igw M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av0EAGDZFE6rRDoG/2dsb2JhbABTqAt3iHqlD54MhjcEh0aKe5Bd
X-IronPort-AV: E=Sophos;i="4.65,489,1304294400"; d="scan'208";a="362740070"
Received: from mtv-core-1.cisco.com ([171.68.58.6]) by sj-iport-5.cisco.com with ESMTP; 06 Jul 2011 21:59:12 +0000
Received: from dhcp-171-70-246-214.cisco.com (dhcp-171-70-246-214.cisco.com [171.70.246.214]) by mtv-core-1.cisco.com (8.14.3/8.14.3) with ESMTP id p66LxC1i009711; Wed, 6 Jul 2011 21:59:12 GMT
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset=us-ascii
From: Pradosh Mohapatra <pmohapat@cisco.com>
In-Reply-To: <m2pqln85fs.wl%randy@psg.com>
Date: Wed, 6 Jul 2011 15:03:09 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <2D8B7061-79EE-45EB-AE05-9CFAF95A1068@cisco.com>
References: <20110629070025.16892.26227.idtracker@ietfa.amsl.com> <20110629091651.GA17888@juniper.net> <m2fwms293h.wl%randy@psg.com> <20110630062137.GA19984@juniper.net> <m2r569bfji.wl%randy@psg.com> <0A4C7566-D9E3-48B1-BBB4-19E9071D2873@bgp.nu> <999E83B2-490A-4233-BB28-4046260C8462@cisco.com> <m2pqln85fs.wl%randy@psg.com>
To: Randy Bush <randy@psg.com>
X-Mailer: Apple Mail (2.1084)
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-rpki-rtr-13.txt / error handling; 
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jul 2011 21:59:20 -0000

> it is already in the version number field.


Oops! sorry ;-( I meant to say that should suffice (as a version
exchange mechanism) since the router always sends a reset query after
session establishment.

From randy@psg.com  Wed Jul  6 15:29:36 2011
Return-Path: <randy@psg.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4170A21F8B69 for <sidr@ietfa.amsl.com>; Wed,  6 Jul 2011 15:29:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.577
X-Spam-Level: 
X-Spam-Status: No, score=-2.577 tagged_above=-999 required=5 tests=[AWL=0.022,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LCO94CSUknWM for <sidr@ietfa.amsl.com>; Wed,  6 Jul 2011 15:29:35 -0700 (PDT)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:1::36]) by ietfa.amsl.com (Postfix) with ESMTP id 48FF621F8B4C for <sidr@ietf.org>; Wed,  6 Jul 2011 15:29:32 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=rair.psg.com.psg.com) by ran.psg.com with esmtp (Exim 4.76 (FreeBSD)) (envelope-from <randy@psg.com>) id 1Qeab2-0008dR-Oj; Wed, 06 Jul 2011 22:29:29 +0000
Date: Thu, 07 Jul 2011 07:29:27 +0900
Message-ID: <m2mxgr82m0.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Pradosh Mohapatra <pmohapat@cisco.com>
In-Reply-To: <2D8B7061-79EE-45EB-AE05-9CFAF95A1068@cisco.com>
References: <20110629070025.16892.26227.idtracker@ietfa.amsl.com> <20110629091651.GA17888@juniper.net> <m2fwms293h.wl%randy@psg.com> <20110630062137.GA19984@juniper.net> <m2r569bfji.wl%randy@psg.com> <0A4C7566-D9E3-48B1-BBB4-19E9071D2873@bgp.nu> <999E83B2-490A-4233-BB28-4046260C8462@cisco.com> <m2pqln85fs.wl%randy@psg.com> <2D8B7061-79EE-45EB-AE05-9CFAF95A1068@cisco.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-rpki-rtr-13.txt / error handling; 
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jul 2011 22:29:36 -0000

>> it is already in the version number field.
> Oops! sorry ;-( I meant to say that should suffice (as a version
> exchange mechanism) since the router always sends a reset query after
> session establishment.

that part is easy:
  o router sends version
  o if server can sing that version, all goes ahead
  o if not, server sends error and disconnects
  o router tries another server

but you bring up allowing the router to ignore unknown pdu types if the
version matches.  i.e. there can be new pdu types which do not have
important semantics.  just so i can wrap my head, which is on first
cuppa, around this, could you give me an example?  my first reaction is,
if it has no important semantics, then why add it? :)

if a sender MUST only send unimportant unknown pdus, to enforce this,
how does the recipient know if the unknown pdu type it just received is
important or not?  i guess the sender can paint them grey. :)

but moving past this cloudy space, ...

how do we tell the iana that it can only add to the pdu type registry if
the version is bumped?  or is it a registry of 

  version  pdu-type
     0        0
     0        1
     ...
     1       13
     1       14
     ...

randy

From pmohapat@cisco.com  Wed Jul  6 19:07:14 2011
Return-Path: <pmohapat@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E2D121F8741 for <sidr@ietfa.amsl.com>; Wed,  6 Jul 2011 19:07:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=-4.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8rvecrY2GbCT for <sidr@ietfa.amsl.com>; Wed,  6 Jul 2011 19:07:13 -0700 (PDT)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) by ietfa.amsl.com (Postfix) with ESMTP id 68D7C21F873D for <sidr@ietf.org>; Wed,  6 Jul 2011 19:07:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=pmohapat@cisco.com; l=1149; q=dns/txt; s=iport; t=1310004433; x=1311214033; h=subject:mime-version:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=hRXqax227SBOZOgCTBOf1bSK4NRP+FVUiD5IpJh9jcE=; b=QE9fGs6CqRrpZR8Yq8EINFVwMwVgwh5h7SBt8AZUlUXjfX4aPknE2GlU 6qBRVP/SpewPcTEaIUlGIRNJmjHzDZkO6cz1sLWjSM3SABUQwadvNT0KG 4bu8w843k/0pDV/kNh04QdXIvyBImw4ZMarOZkwiSxpmuc2OnNAgZWJe3 I=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av0EAHYUFU6rRDoJ/2dsb2JhbABTqBJ3iHqkd517hjcEh0aKe5Bd
X-IronPort-AV: E=Sophos;i="4.65,490,1304294400";  d="scan'208";a="501620"
Received: from mtv-core-4.cisco.com ([171.68.58.9]) by rcdn-iport-6.cisco.com with ESMTP; 07 Jul 2011 02:07:12 +0000
Received: from sjc-vpn2-729.cisco.com (sjc-vpn2-729.cisco.com [10.21.114.217]) by mtv-core-4.cisco.com (8.14.3/8.14.3) with ESMTP id p6727CpH016956; Thu, 7 Jul 2011 02:07:12 GMT
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset=us-ascii
From: Pradosh Mohapatra <pmohapat@cisco.com>
In-Reply-To: <m2mxgr82m0.wl%randy@psg.com>
Date: Wed, 6 Jul 2011 19:11:09 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <88DDC98C-BA0B-487E-A5CD-3DD3BC4B5D33@cisco.com>
References: <20110629070025.16892.26227.idtracker@ietfa.amsl.com> <20110629091651.GA17888@juniper.net> <m2fwms293h.wl%randy@psg.com> <20110630062137.GA19984@juniper.net> <m2r569bfji.wl%randy@psg.com> <0A4C7566-D9E3-48B1-BBB4-19E9071D2873@bgp.nu> <999E83B2-490A-4233-BB28-4046260C8462@cisco.com> <m2pqln85fs.wl%randy@psg.com> <2D8B7061-79EE-45EB-AE05-9CFAF95A1068@cisco.com> <m2mxgr82m0.wl%randy@psg.com>
To: Randy Bush <randy@psg.com>
X-Mailer: Apple Mail (2.1084)
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-rpki-rtr-13.txt / error handling; 
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jul 2011 02:07:14 -0000

> but you bring up allowing the router to ignore unknown pdu types if the
> version matches.  i.e. there can be new pdu types which do not have
> important semantics.  just so i can wrap my head, which is on first
> cuppa, around this, could you give me an example?  my first reaction is,
> if it has no important semantics, then why add it? :)

E.g.

If and when (;-)) we add origin validation for VPN routes and we do it by
adding a VPN prefix PDU.

> if a sender MUST only send unimportant unknown pdus, to enforce this,
> how does the recipient know if the unknown pdu type it just received is
> important or not?  i guess the sender can paint them grey. :)

By definition, if it's the same version#, all unknown PDUs are unimportant...
Otherwise, they are important ;-)

> but moving past this cloudy space, ...
>
> how do we tell the iana that it can only add to the pdu type registry if
> the version is bumped?  or is it a registry of
>
>  version  pdu-type
>     0        0
>     0        1
>     ...
>     1       13
>     1       14
>     ...

This should work if it can be done!
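
The version handshake Randy lists and the two treatments of an unknown PDU type debated in this exchange, as an added Python example that is not part of either message or of the draft. PDU type and error-code numbers are those published in RFC 6810; the version 1 registry entries (types 13 and 14, from Randy's sketch), the cache names and the sample stream are constructed.

```python
import struct

# Numbers below are those published in RFC 6810 (the RFC this draft became);
# the thread itself does not list them.
RESET_QUERY, ERROR_REPORT = 2, 10
ERR_UNSUPPORTED_VERSION, ERR_UNSUPPORTED_PDU_TYPE = 4, 5
HEADER = struct.Struct("!BBHI")   # version, PDU type, 16-bit field, total length
MAX_PDU = 65536                   # sanity bound chosen for this example

# Registry keyed by version, as in Randy's sketch. Version 0 holds the RFC 6810
# types; version 1 with types 13 and 14 is hypothetical, taken from that sketch.
V0_TYPES = frozenset({0, 1, 2, 3, 4, 6, 7, 8, 10})
REGISTRY = {0: V0_TYPES, 1: V0_TYPES | {13, 14}}


def pdu(version, ptype, field=0, payload=b""):
    """Serialise one PDU: 8-byte header followed by the payload."""
    return HEADER.pack(version, ptype, field, HEADER.size + len(payload)) + payload


def parse_header(buf):
    """Return (version, type, field, length); raise ValueError on bad framing."""
    if len(buf) < HEADER.size:
        raise ValueError("truncated header")
    version, ptype, field, length = HEADER.unpack_from(buf)
    if not HEADER.size <= length <= MAX_PDU:
        raise ValueError("implausible length %d" % length)
    return version, ptype, field, length


def error_report(version, code, bad_pdu, text=b""):
    """Error Report: code in the 16-bit field, then the offending PDU and text."""
    body = (struct.pack("!I", len(bad_pdu)) + bad_pdu +
            struct.pack("!I", len(text)) + text)
    return pdu(version, ERROR_REPORT, code, body)


def cache_on_first_pdu(first_pdu, supported):
    """Cache side: accept the router's version, or send an error and disconnect."""
    version = parse_header(first_pdu)[0]
    if version in supported:
        return "proceed", b""
    # Replying in the cache's own highest version is a choice made for this example.
    reply = error_report(max(supported), ERR_UNSUPPORTED_VERSION, first_pdu)
    return "disconnect", reply


def router_pick_cache(caches, version):
    """Router side: send a Reset Query to each cache in turn, keep the first taker."""
    query = pdu(version, RESET_QUERY)
    for name, supported in caches:
        action, _reply = cache_on_first_pdu(query, supported)
        if action == "proceed":
            return name
    return None


def router_receive(stream, version, known, skip_unknown):
    """Walk a PDU stream. Returns (handled types, skipped types, error code or None)."""
    handled, skipped, off = [], [], 0
    while off < len(stream):
        ver, ptype, _field, length = parse_header(stream[off:])
        if off + length > len(stream):
            raise ValueError("PDU runs past end of stream")
        if ver != version:
            return handled, skipped, ERR_UNSUPPORTED_VERSION
        if ptype in known:
            handled.append(ptype)
        elif skip_unknown:
            skipped.append(ptype)   # the length field lets the router step over it
        else:
            return handled, skipped, ERR_UNSUPPORTED_PDU_TYPE
        off += length
    return handled, skipped, None


# Constructed version 0 stream: Cache Response, one IPv4 prefix (192.0.2.0/24,
# AS 64496), a type 13 PDU a version 0 router has never heard of, End of Data.
SAMPLE_STREAM = (
    pdu(0, 3)
    + pdu(0, 4, payload=bytes([1, 24, 24, 0, 192, 0, 2, 0]) + struct.pack("!I", 64496))
    + pdu(0, 13, payload=b"\x00" * 8)
    + pdu(0, 7, payload=struct.pack("!I", 1))
)
```

With `skip_unknown=True` the router relies entirely on the length field of a PDU it cannot interpret, which is why the framing checks run before the type check.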

From kotikalapudi.sriram@nist.gov  Thu Jul  7 10:18:33 2011
Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D277811E8081 for <sidr@ietfa.amsl.com>; Thu,  7 Jul 2011 10:18:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3v2qar6oQan4 for <sidr@ietfa.amsl.com>; Thu,  7 Jul 2011 10:18:32 -0700 (PDT)
Received: from wsget2.nist.gov (wsget2.nist.gov [129.6.13.151]) by ietfa.amsl.com (Postfix) with ESMTP id 7464211E8080 for <sidr@ietf.org>; Thu,  7 Jul 2011 10:18:32 -0700 (PDT)
Received: from WSXGHUB2.xchange.nist.gov (129.6.18.19) by wsget2.nist.gov (129.6.13.151) with Microsoft SMTP Server (TLS) id 14.1.323.0; Thu, 7 Jul 2011 13:18:17 -0400
Received: from MBCLUSTER.xchange.nist.gov ([fe80::d479:3188:aec0:cb66]) by WSXGHUB2.xchange.nist.gov ([129.6.18.19]) with mapi; Thu, 7 Jul 2011 13:17:42 -0400
From: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>
To: Russ White <russ@cisco.com>, Randy Bush <randy@psg.com>
Date: Thu, 7 Jul 2011 13:18:29 -0400
Thread-Topic: [sidr] draft-sriram-bgpsec-design-choices-00
Thread-Index: Acw70WYUNT1gCd1wRryqoFnMRHHqZAA9YN+Q
Message-ID: <D7A0423E5E193F40BE6E94126930C4930879DCFBDD@MBCLUSTER.xchange.nist.gov>
References: <4E132156.9020309@cisco.com> <D7A0423E5E193F40BE6E94126930C4930877FE8A54@MBCLUSTER.xchange.nist.gov> <4E1442BD.6090604@cisco.com> <m2k4bvac1v.wl%randy@psg.com> <4E144684.4090106@cisco.com> <m2hb6zabpy.wl%randy@psg.com> <4E14499B.6010801@cisco.com>
In-Reply-To: <4E14499B.6010801@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Cc: "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] draft-sriram-bgpsec-design-choices-00
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jul 2011 17:18:33 -0000

> >>> e.g., if 2 signs with a time and 3 signs with a time, 3 can still replay
> >>> within 2's window, which one presumes is about as wide as 1's window.
> >>> no gain, non-trivial pain.
> >> Because 2 would know its local conditions, and may set the timer
> >> shorter.
> >
> > except 2 had already disconnected from 3.  way too much noise for too
> > little gain.
> 
> No --if 2 knows the situation with 3 is problematic, it can reduce the
> timer on that path.

The problem I see with this is as follows. If 2 knows the situation with 3 is 
problematic, then why would it still send updates to 3? Why would it not 
disconnect with 3 rather than reduce the timer? Also, it does not make 
sense for 2 to set a lower timer value (than that of 1) prior to any hunch 
or knowledge that 3 is bad. Presumably, 2 had already sent some updates 
to 3 prior to knowing that 3 has gone bad (or is suspicious). There is 
nothing 2 can do about those previous updates even if it has the ability 
to adjust its own timer value on subsequent updates. Once that hunch sets in, 
then why not just disconnect with 3? AS-1 anyway was prepared to live 
with replay possibility for the period of its timer when it sent an update 
in the first place. So why should 2 try to be extra helpful with manipulation
of timers when it really can't? I think all 2 should do to help is to
forward updates only to 4 (and disconnect from 3) from the moment 
it knows 3 has gone bad or suspicious. We can presume that 1 chose 
its timer value with some prudence, and knows to accept the consequences of it. 

Sriram    
  
> 
> What you're saying is that the originator should control the rate at
> which connectivity and policy should be allowed to change farther down
> the graph, because, well, it's too much trouble to do otherwise. What
> I'm saying is this is an unacceptable tradeoff --if the point is to
> provide security, then provide security at every hop.
> 
> Russ


From internet-drafts@ietf.org  Thu Jul  7 12:48:56 2011
Return-Path: <internet-drafts@ietf.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 223CE21F873A; Thu,  7 Jul 2011 12:48:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.581
X-Spam-Level: 
X-Spam-Status: No, score=-102.581 tagged_above=-999 required=5 tests=[AWL=0.018, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RRxJTjGdqFZG; Thu,  7 Jul 2011 12:48:55 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE50121F870A; Thu,  7 Jul 2011 12:48:55 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 3.55
Message-ID: <20110707194855.22941.14152.idtracker@ietfa.amsl.com>
Date: Thu, 07 Jul 2011 12:48:55 -0700
Cc: sidr@ietf.org
Subject: [sidr] I-D Action: draft-ietf-sidr-rpki-manifests-16.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jul 2011 19:48:56 -0000

A New Internet-Draft is available from the on-line Internet-Drafts
directories. This draft is a work item of the Secure Inter-Domain Routing
Working Group of the IETF.

	Title           : Manifests for the Resource Public Key Infrastructure
	Author(s)       : Rob Austein
                          Geoff Huston
                          Stephen Kent
                          Matt Lepinski
	Filename        : draft-ietf-sidr-rpki-manifests-16.txt
	Pages           : 19
	Date            : 2011-07-07

   This document defines a "manifest" for use in the Resource Public Key
   Infrastructure (RPKI).  A manifest is a signed object (file) that
   contains a listing of all the signed objects (files) in the
   repository publication point (directory) associated with an authority
   responsible for publishing in the repository.  For each certificate,
   Certificate Revocation List (CRL), or other type of signed objects
   issued by the authority, that are published at this repository
   publication point, the manifest contains both the name of the file
   containing the object, and a hash of the file content.  Manifests are
   intended to enable a relying party (RP) to detect certain forms of
   attacks against a repository.  Specifically, if an RP checks a
   manifest's contents against the signed objects retrieved from a
   repository publication point, then the RP can detect "stale" (valid)
   data and deletion of signed objects.


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-sidr-rpki-manifests-16.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-sidr-rpki-manifests-16.txt

From russ@cisco.com  Thu Jul  7 13:53:39 2011
Return-Path: <russ@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 148CD9E801D for <sidr@ietfa.amsl.com>; Thu,  7 Jul 2011 13:53:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=-4.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rF7v7BVmkDrM for <sidr@ietfa.amsl.com>; Thu,  7 Jul 2011 13:53:38 -0700 (PDT)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) by ietfa.amsl.com (Postfix) with ESMTP id 25B8E9E8019 for <sidr@ietf.org>; Thu,  7 Jul 2011 13:53:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=russ@cisco.com; l=1540; q=dns/txt; s=iport; t=1310072018; x=1311281618; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to; bh=qnUOMbw51lm+sSYvL7vPg0sI6HzJ5iUlI9M+bMw/ZVs=; b=EiO7AVrAQO08b0k0zxaQGg5gwQrVeWxzjkl4RcY+ZSn7oVw8vbu5vfyT 0uGmIGQ0jlzSxxG3syEGxXBSEZvBatqIZl4ibJzGgbwB8W8RsNMtuS22t mvaJMJWj3ZAmNb2htX3n7oWlj6JJSMMgyP42hvNYT7m/yonLCLJfZ6qa7 0=;
X-Files: signature.asc : 260
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av0EABYcFk6rRDoG/2dsb2JhbABUpz13iHukVJ1zhjgEjVuEaoR8i18
X-IronPort-AV: E=Sophos;i="4.65,495,1304294400"; d="asc'?scan'208";a="815064"
Received: from mtv-core-1.cisco.com ([171.68.58.6]) by rcdn-iport-8.cisco.com with ESMTP; 07 Jul 2011 20:53:37 +0000
Received: from [10.116.137.179] (rtp-russwh-8712.cisco.com [10.116.137.179]) by mtv-core-1.cisco.com (8.14.3/8.14.3) with ESMTP id p67KraEY003154; Thu, 7 Jul 2011 20:53:36 GMT
Message-ID: <4E161CCF.6080500@cisco.com>
Date: Thu, 07 Jul 2011 16:53:35 -0400
From: Russ White <russ@cisco.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20110528 Thunderbird/5.0b1
MIME-Version: 1.0
To: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>
References: <4E132156.9020309@cisco.com> <D7A0423E5E193F40BE6E94126930C4930877FE8A54@MBCLUSTER.xchange.nist.gov> <4E1442BD.6090604@cisco.com> <m2k4bvac1v.wl%randy@psg.com> <4E144684.4090106@cisco.com> <m2hb6zabpy.wl%randy@psg.com> <4E14499B.6010801@cisco.com> <D7A0423E5E193F40BE6E94126930C4930879DCFBDD@MBCLUSTER.xchange.nist.gov>
In-Reply-To: <D7A0423E5E193F40BE6E94126930C4930879DCFBDD@MBCLUSTER.xchange.nist.gov>
X-Enigmail-Version: 1.2
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enig4AF3B95237276A9D810BBAF6"
Cc: "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] draft-sriram-bgpsec-design-choices-00
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jul 2011 20:53:39 -0000

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig4AF3B95237276A9D810BBAF6
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable


> The problem I see with this is as follows. If 2 knows the situation with 3 is
> problematic, then why would it still send updates to 3? Why would it not
> disconnect with 3 rather than reduce the timer?

How does 2 prevent 3 from replaying the update? It doesn't matter when 2
disconnects from 3, it cannot prevent 3 from replaying its
advertisement until the timer, which is set by 1, times out.

Bottom line question: Why should AS 1 control the length of time AS2 is
vulnerable to replay attacks by AS' further downstream? It seems like a
simple question to me. _Every_ AS along the path has an interest in
making certain its peers can't replay updates they have sent, not just
the originator. Hence, the timer only makes sense if it is available at
every hop.

Russ


--------------enig4AF3B95237276A9D810BBAF6
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"


--------------enig4AF3B95237276A9D810BBAF6--

From sra@hactrn.net  Thu Jul  7 15:02:17 2011
Return-Path: <sra@hactrn.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD7C71F0C3F for <sidr@ietfa.amsl.com>; Thu,  7 Jul 2011 15:02:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level: 
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id auo9goVPGY1y for <sidr@ietfa.amsl.com>; Thu,  7 Jul 2011 15:02:17 -0700 (PDT)
Received: from cyteen.hactrn.net (cyteen.hactrn.net [IPv6:2002:425c:4242:0:210:5aff:fe86:1f54]) by ietfa.amsl.com (Postfix) with ESMTP id 30C2B1F0C3A for <sidr@ietf.org>; Thu,  7 Jul 2011 15:02:17 -0700 (PDT)
Received: from thrintun.hactrn.net (thrintun.hactrn.net [IPv6:2002:425c:4242:0:219:d1ff:fe12:5d30]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "thrintun.hactrn.net", Issuer "Grunchweather Associates" (verified OK)) by cyteen.hactrn.net (Postfix) with ESMTPS id 339EB28468 for <sidr@ietf.org>; Thu,  7 Jul 2011 22:02:15 +0000 (UTC)
Received: from thrintun.hactrn.net (localhost [IPv6:::1]) by thrintun.hactrn.net (Postfix) with ESMTP id 0228522808 for <sidr@ietf.org>; Thu,  7 Jul 2011 18:02:15 -0400 (EDT)
Date: Thu, 07 Jul 2011 18:02:14 -0400
From: Rob Austein <sra@isc.org>
To: sidr@ietf.org
In-Reply-To: <4E161CCF.6080500@cisco.com>
References: <4E132156.9020309@cisco.com> <D7A0423E5E193F40BE6E94126930C4930877FE8A54@MBCLUSTER.xchange.nist.gov> <4E1442BD.6090604@cisco.com> <m2k4bvac1v.wl%randy@psg.com> <4E144684.4090106@cisco.com> <m2hb6zabpy.wl%randy@psg.com> <4E14499B.6010801@cisco.com> <D7A0423E5E193F40BE6E94126930C4930879DCFBDD@MBCLUSTER.xchange.nist.gov> <4E161CCF.6080500@cisco.com>
User-Agent: Wanderlust/2.14.0 (Africa) Emacs/21.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Message-Id: <20110707220215.0228522808@thrintun.hactrn.net>
Subject: Re: [sidr] draft-sriram-bgpsec-design-choices-00
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: sidr@ietf.org
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jul 2011 22:02:18 -0000

At Thu, 07 Jul 2011 16:53:35 -0400, Russ White wrote:
> 
> Bottom line question: Why should AS 1 control the length of time AS2
> is vulnerable to replay attacks by AS' further downstream?

Because it's AS 1's prefix.

From russ@cisco.com  Thu Jul  7 18:01:25 2011
Return-Path: <russ@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 407DF21F8931 for <sidr@ietfa.amsl.com>; Thu,  7 Jul 2011 18:01:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.999
X-Spam-Level: 
X-Spam-Status: No, score=-4.999 tagged_above=-999 required=5 tests=[AWL=-2.400, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G8KPLXnvZ4Pg for <sidr@ietfa.amsl.com>; Thu,  7 Jul 2011 18:01:24 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) by ietfa.amsl.com (Postfix) with ESMTP id 8ECD221F8922 for <sidr@ietf.org>; Thu,  7 Jul 2011 18:01:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=russ@cisco.com; l=1145; q=dns/txt; s=iport; t=1310086884; x=1311296484; h=message-id:date:from:mime-version:to:subject:references: in-reply-to; bh=jeuuG2BMrAKtiwrqk1UCSrdx2SqroSESankMaKN9+Ds=; b=K4GDiTuSpy4Sd6Fpdp8Uv4iflrKZ9L97UcxiNliMAdh6Dc73rj2M5HOU f22rnmFRThogeqTnHkr48k0d9ydfDerWNQSS+j9RRVzmljNJiQiabeFYc jnZrcwoVIEd6ikZK+Ew1TfGuHUWl5iwJIsr4qgC+W9CJob3AnF0IGH5sp k=;
X-Files: signature.asc : 260
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AkcHALZWFk6rRDoJ/2dsb2JhbABTmEyOcneIe6VPnXaGOASNW4RqhHyLXw
X-IronPort-AV: E=Sophos;i="4.65,496,1304294400"; d="asc'?scan'208";a="878019"
Received: from mtv-core-4.cisco.com ([171.68.58.9]) by rcdn-iport-3.cisco.com with ESMTP; 08 Jul 2011 01:01:23 +0000
Received: from [10.116.137.179] (rtp-russwh-8712.cisco.com [10.116.137.179]) by mtv-core-4.cisco.com (8.14.3/8.14.3) with ESMTP id p6811MAg007065 for <sidr@ietf.org>; Fri, 8 Jul 2011 01:01:22 GMT
Message-ID: <4E1656DF.3040604@cisco.com>
Date: Thu, 07 Jul 2011 21:01:19 -0400
From: Russ White <russ@cisco.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20110528 Thunderbird/5.0b1
MIME-Version: 1.0
To: sidr@ietf.org
References: <4E132156.9020309@cisco.com> <D7A0423E5E193F40BE6E94126930C4930877FE8A54@MBCLUSTER.xchange.nist.gov> <4E1442BD.6090604@cisco.com> <m2k4bvac1v.wl%randy@psg.com> <4E144684.4090106@cisco.com> <m2hb6zabpy.wl%randy@psg.com> <4E14499B.6010801@cisco.com> <D7A0423E5E193F40BE6E94126930C4930879DCFBDD@MBCLUSTER.xchange.nist.gov> <4E161CCF.6080500@cisco.com> <20110707220215.0228522808@thrintun.hactrn.net>
In-Reply-To: <20110707220215.0228522808@thrintun.hactrn.net>
X-Enigmail-Version: 1.2
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enigD90D7BC12D5ED8F7E85B9BBE"
Subject: Re: [sidr] draft-sriram-bgpsec-design-choices-00
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 01:01:25 -0000

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enigD90D7BC12D5ED8F7E85B9BBE
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable


>> Bottom line question: Why should AS 1 control the length of time AS2
>> is vulnerable to replay attacks by AS' further downstream?
>
> Because it's AS 1's prefix.

It's AS2's policy. What you're saying is that a downstream AS shouldn't
be allowed to have protection against replay attacks for traffic they no
longer want to handle because --well, just because.

Sorry, I don't agree.

Russ



--------------enigD90D7BC12D5ED8F7E85B9BBE--

From jmh@joelhalpern.com  Thu Jul  7 18:23:54 2011
Return-Path: <jmh@joelhalpern.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B29DB21F8A50 for <sidr@ietfa.amsl.com>; Thu,  7 Jul 2011 18:23:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.586
X-Spam-Level: 
X-Spam-Status: No, score=-102.586 tagged_above=-999 required=5 tests=[AWL=0.013, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i7MZxeBPTypN for <sidr@ietfa.amsl.com>; Thu,  7 Jul 2011 18:23:54 -0700 (PDT)
Received: from hgblob.out.tigertech.net (hgblob.out.tigertech.net [74.114.88.71]) by ietfa.amsl.com (Postfix) with ESMTP id 2A5B521F8942 for <sidr@ietf.org>; Thu,  7 Jul 2011 18:23:54 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hgblob.tigertech.net (Postfix) with ESMTP id 19F99325C158 for <sidr@ietf.org>; Thu,  7 Jul 2011 18:23:24 -0700 (PDT)
X-Virus-Scanned: Debian amavisd-new at hgblob.tigertech.net
Received: from [10.10.10.102] (pool-71-161-51-16.clppva.btas.verizon.net [71.161.51.16]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by hgblob.tigertech.net (Postfix) with ESMTPSA id A5BA1325C156 for <sidr@ietf.org>; Thu,  7 Jul 2011 18:23:23 -0700 (PDT)
Message-ID: <4E165C06.3000304@joelhalpern.com>
Date: Thu, 07 Jul 2011 21:23:18 -0400
From: "Joel M. Halpern" <jmh@joelhalpern.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.18) Gecko/20110616 Lightning/1.0b2 Thunderbird/3.1.11
MIME-Version: 1.0
To: sidr@ietf.org
References: <4E132156.9020309@cisco.com>	<D7A0423E5E193F40BE6E94126930C4930877FE8A54@MBCLUSTER.xchange.nist.gov>	<4E1442BD.6090604@cisco.com> <m2k4bvac1v.wl%randy@psg.com>	<4E144684.4090106@cisco.com> <m2hb6zabpy.wl%randy@psg.com>	<4E14499B.6010801@cisco.com>	<D7A0423E5E193F40BE6E94126930C4930879DCFBDD@MBCLUSTER.xchange.nist.gov>	<4E161CCF.6080500@cisco.com> <20110707220215.0228522808@thrintun.hactrn.net>
In-Reply-To: <20110707220215.0228522808@thrintun.hactrn.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [sidr] draft-sriram-bgpsec-design-choices-00
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 01:23:54 -0000

I hate to say this, because mostly I think Russ is starting at shadows,
but I think your answer does not seem to bear on the question that was 
asked.

The fact that AS1 originates an advertisement means that its origination 
information is subject to its lifetime control.
Which is covered by the existing work.
It is also true that the originator's path lifetime limitation has to 
serve as an upper bound on the lifetime of the advertisement.
But other than those two statements, it does not seem that the 
originator has any more rights to specify a lifetime than any other 
advertiser adding path information.  Nor does he have any more precise 
information about what a good lifetime is for the path advertisement 
than anyone else has.

This suggests that there is something odd with the lifetime / refresh 
mechanism we have chosen.

Yours,
Joel

On 7/7/2011 6:02 PM, Rob Austein wrote:
> At Thu, 07 Jul 2011 16:53:35 -0400, Russ White wrote:
>>
>> Bottom line question: Why should AS 1 control the length of time AS2
>> is vulnerable to replay attacks by AS' further downstream?
>
> Because it's AS 1's prefix.

From chris.hall@highwayman.com  Fri Jul  8 02:51:10 2011
Return-Path: <chris.hall@highwayman.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BD6621F891A for <sidr@ietfa.amsl.com>; Fri,  8 Jul 2011 02:51:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 71Y4ian0fDaK for <sidr@ietfa.amsl.com>; Fri,  8 Jul 2011 02:51:09 -0700 (PDT)
Received: from lon1-post-3.mail.demon.net (lon1-post-3.mail.demon.net [195.173.77.150]) by ietfa.amsl.com (Postfix) with ESMTP id 6073021F8917 for <sidr@ietf.org>; Fri,  8 Jul 2011 02:51:09 -0700 (PDT)
Received: from [80.177.246.162] (helo=hestia.halldom.com) by lon1-post-3.mail.demon.net with esmtp (Exim 4.69) id 1Qf7iG-00012M-cp; Fri, 08 Jul 2011 09:51:08 +0000
Received: from hyperion.halldom.com ([80.177.246.170] helo=HYPERION) by hestia.halldom.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.76) (envelope-from <chris.hall@highwayman.com>) id 1Qf7iF-00065n-A5; Fri, 08 Jul 2011 10:51:07 +0100
From: "Chris Hall" <chris.hall@highwayman.com>
To: <sidr@ietf.org>
Date: Fri, 8 Jul 2011 10:50:59 +0100
Organization: Highwayman
Message-ID: <012601cc3d54$8f07c4e0$ad174ea0$@highwayman.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: Acw9VIo9pE4O/XwTTn6Qj9Nr4MbKmQ==
Content-Language: en-gb
Cc: "'Sriram, Kotikalapudi'" <kotikalapudi.sriram@nist.gov>
Subject: [sidr] draft-sriram-bgpsec-design-choices-00 -- IXP and Route Server
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 09:51:10 -0000

I am working on Quagga, on behalf of Euro-IX, to allow for future
growth and other developments specific to the needs of a Route Server.

The discussion in 7.4.2 is incomplete.  It may be true that traffic is
80:20 in favour of direct bilateral peering (Method A).  However, that
does not mean that 80% of the peering connections are bilateral
peering -- the distribution of traffic amongst peering connections has
the usual long tail.  Numbers vary, but a large exchange may have 50%
of its clients connected to the route server for most (if not all) of
their peering connections.

Section 6.6 discusses Proxy Signing.  Where a route server is not
inserting its own AS in the path (Method B), it is acting as a proxy
for each route server client.  Given a certificate and private key
from each client, the route server can rewrite the most recent
signature.  So, and please correct me if I have this wrong, the case
is covered ?

Incidentally, the discussion notes that route servers that insert
their AS in the path (Method C) are rare.  I'd put it more strongly
than that, and relegate the case to "footnote" status.  With such a
route server the IXP has all the appearance of a transit provider (at
least at the route level), so would be trivially supported -- at least
until some mechanism is devised to validate the AS Path and the path
taken by packets against each other.  

Chris


From randy@psg.com  Fri Jul  8 03:51:43 2011
Return-Path: <randy@psg.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5096521F89B0 for <sidr@ietfa.amsl.com>; Fri,  8 Jul 2011 03:51:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.578
X-Spam-Level: 
X-Spam-Status: No, score=-2.578 tagged_above=-999 required=5 tests=[AWL=0.021,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XKCCtyzKs2eC for <sidr@ietfa.amsl.com>; Fri,  8 Jul 2011 03:51:42 -0700 (PDT)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:1::36]) by ietfa.amsl.com (Postfix) with ESMTP id AD12E21F89AC for <sidr@ietf.org>; Fri,  8 Jul 2011 03:51:42 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=rair.psg.com.psg.com) by ran.psg.com with esmtp (Exim 4.76 (FreeBSD)) (envelope-from <randy@psg.com>) id 1Qf8eq-000GZ8-Py; Fri, 08 Jul 2011 10:51:41 +0000
Date: Fri, 08 Jul 2011 19:51:39 +0900
Message-ID: <m2y609kptw.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Chris Hall <chris.hall@highwayman.com>
In-Reply-To: <012601cc3d54$8f07c4e0$ad174ea0$@highwayman.com>
References: <012601cc3d54$8f07c4e0$ad174ea0$@highwayman.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] draft-sriram-bgpsec-design-choices-00 -- IXP and Route Server
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 10:51:43 -0000

i have a design that covers you.  it is based on an 'optimization' and
we have agreed to let optimizations sit for a bit.

the hack is as follows <hold nose>:

  o an early optimization will be that each bgpspeaking AS adds a one
    byte prepend count, over which it signs.  this saves signing 92
    prepends.  the count is normally one.

  o a bgpsec-speaking 'transparent' route server signs over a zero
    prepend count.

  o bgpsec speakers calculate as path length by summing prepend counts.

  o a bgpsec speaker passing a signed announcement to a non-speaker
    expands all prepends.  of course, the expansion of a zero prepend
    is rather small.

<release nose>

randy
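
Added example, not part of the original message and not code from any BGPsec draft or implementation: a sketch of the prepend-count scheme listed above, showing why the count has to sit inside the signed data and how a zero count keeps a 'transparent' route server out of the path length and out of the expanded AS path. HMAC stands in for the real per-AS signatures so the block runs offline; the field layout, the chaining over the previous signature, the function names, the AS numbers and the prefix are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace

# Constructed demo keys. HMAC is only a stand-in for real per-AS signatures.
KEYS = {asn: f"demo-key-{asn}".encode() for asn in (64500, 64510, 64520, 64530)}
PREFIX = "192.0.2.0/24"  # constructed sample prefix


@dataclass(frozen=True)
class Hop:
    asn: int      # AS that signed this hop
    pcount: int   # one-byte prepend count, covered by the signature
    target: int   # AS the announcement is forward-signed to
    sig: bytes


def _sign(prefix, asn, pcount, target, prev_sig):
    """Signature over prefix, signer, prepend count, target and previous signature."""
    if not 0 <= pcount <= 255:
        raise ValueError("prepend count must fit in one byte")
    msg = prefix.encode() + struct.pack("!IBI", asn, pcount, target) + prev_sig
    return hmac.new(KEYS[asn], msg, hashlib.sha256).digest()


def sign_hop(prefix, hops, asn, pcount, target):
    """Return a new hop list with asn's signed hop appended."""
    prev = hops[-1].sig if hops else b""
    return hops + [Hop(asn, pcount, target, _sign(prefix, asn, pcount, target, prev))]


def verify(prefix, hops, receiver):
    """Check every signature and that each hop was signed to the next AS."""
    prev = b""
    for i, hop in enumerate(hops):
        next_as = hops[i + 1].asn if i + 1 < len(hops) else receiver
        if hop.target != next_as:
            return False
        expected = _sign(prefix, hop.asn, hop.pcount, hop.target, prev)
        if not hmac.compare_digest(hop.sig, expected):
            return False
        prev = hop.sig
    return True


def path_length(hops):
    """AS path length as seen by a speaker: the sum of the prepend counts."""
    return sum(hop.pcount for hop in hops)


def expand_as_path(hops):
    """AS_PATH handed to a non-speaker: every prepend expanded, newest AS first."""
    path = []
    for hop in reversed(hops):
        path.extend([hop.asn] * hop.pcount)
    return path


def demo():
    # Origin 64500 prepends three times with ONE signature, toward the route server.
    hops = sign_hop(PREFIX, [], 64500, 3, 64510)
    # Transparent route server 64510 signs over a zero prepend count, toward client 64520.
    at_client = sign_hop(PREFIX, hops, 64510, 0, 64520)
    # Client 64520 signs normally (count 1) toward 64530.
    full = sign_hop(PREFIX, at_client, 64520, 1, 64530)

    # Someone shortens the origin's prepending without being able to re-sign.
    shortened = [replace(full[0], pcount=1)] + full[1:]

    return {
        "valid": verify(PREFIX, full, 64530),
        "length": path_length(full),
        "expanded": expand_as_path(full),
        "shortened_valid": verify(PREFIX, shortened, 64530),
        # The route server's announcement was signed to 64520, not to 64530.
        "wrong_receiver_valid": verify(PREFIX, at_client, 64530),
        "right_receiver_valid": verify(PREFIX, at_client, 64520),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Three signatures cover a path of length four, the route server's AS number never reaches the non-speaker, and lowering a signed count makes verification fail.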

From chris.hall@highwayman.com  Fri Jul  8 06:37:36 2011
Return-Path: <chris.hall@highwayman.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5142F21F86D6 for <sidr@ietfa.amsl.com>; Fri,  8 Jul 2011 06:37:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lm9gYAlLA0FQ for <sidr@ietfa.amsl.com>; Fri,  8 Jul 2011 06:37:35 -0700 (PDT)
Received: from anchor-post-3.mail.demon.net (anchor-post-3.mail.demon.net [195.173.77.134]) by ietfa.amsl.com (Postfix) with ESMTP id 917D921F86C5 for <sidr@ietf.org>; Fri,  8 Jul 2011 06:37:35 -0700 (PDT)
Received: from [80.177.246.162] (helo=hestia.halldom.com) by anchor-post-3.mail.demon.net with esmtp (Exim 4.69) id 1QfBFO-0002aB-oP; Fri, 08 Jul 2011 13:37:34 +0000
Received: from hyperion.halldom.com ([80.177.246.170] helo=HYPERION) by hestia.halldom.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.76) (envelope-from <chris.hall@highwayman.com>) id 1QfBFO-0006hp-7t; Fri, 08 Jul 2011 14:37:34 +0100
From: "Chris Hall" <chris.hall@highwayman.com>
To: "'sidr wg list'" <sidr@ietf.org>
References: <012601cc3d54$8f07c4e0$ad174ea0$@highwayman.com> <m2y609kptw.wl%randy@psg.com>
In-Reply-To: <m2y609kptw.wl%randy@psg.com>
Date: Fri, 8 Jul 2011 14:37:29 +0100
Organization: Highwayman
Message-ID: <014001cc3d74$319571c0$94c05540$@highwayman.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQLnVxnGjNWVOyUsj5rn4Yr0eH1c1gL48hq9kpRForA=
Content-Language: en-gb
Subject: Re: [sidr] draft-sriram-bgpsec-design-choices-00 -- IXP and Route Server
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 13:37:36 -0000

Randy Bush wrote (on Fri 08-Jul-2011 at 11:52 +0100):
> i have a design that covers you.  it is based on an 'optimization'
> and we have agreed to let optimizations sit for a bit.

OK.  But I quibble with the notion that support for Route Servers
should be treated as an "optimisation".

> the hack is as follows <hold nose>:
> 
>   o an early optimization will be that each bgpspeaking AS adds
>     a one byte prepend count, over which it signs.  this saves
>     signing 92 prepends.  the count is normally one.

OK.  That clears up a confusion I had... I wasn't sure whether there
was supposed to be one signature per ASN in the path, or one per
*distinct* ASN in the path.  For my money, prepending is common enough
to merit covering as a "feature".

>   o a bgpsec-speaking 'transparent' route server signs over a zero
>     prepend count.

You're right: <HOLD NOSE> indeed.
 
That would be, as you suggest, less 'transparent' than it used to be.
I don't know if "revealing" the use of the route server is a serious
issue.  But I'm not sure how much is gained by inserting the route
server ASN ?

It seems reasonable to me to treat the route server as an extension of
its clients' networks -- that's pretty much what it is.  So, if the
route server uses a different key for each client's routes, and the
*client* is responsible for issuing the certificate (as if the route
server were one of its routers), then that about covers it -- unless I
am missing something ?

I suppose that if the route server went off the reservation it could
sign all kinds of rubbish as being announced by its clients, but the
owners of the certificates could revoke them ?

BTW (and sorry if this is a stupid question) where should I be looking
for a discussion of the key/certificate management for AS Path signing
keys ?  This is intended to be added into the RPKI, yes ?

>   o bgpsec speakers calculate as path length by summing prepend
>     counts.

Are you suggesting placing the prepend count in the AS Path itself ?
Say, an AS_SEQUENCE_N, which is like an AS_SEQUENCE, but has a 1 byte
repeat count for the first ASN in the sequence ?  That would pay for
itself (bytes-wise) and mean that where there is no prepending, there
is no overhead -- except for the inclusion of the count (implied or
explicit) in the signed data.

>   o a bgpsec speaker passing a signed announcement to a non-speaker
>     expands all prepends.  of course, the expansion of a zero
>     prepend is rather small.
> 
> <release nose>

<collapse of stout party>

Chris


From randy@psg.com  Fri Jul  8 06:50:48 2011
Return-Path: <randy@psg.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4798721F89B8 for <sidr@ietfa.amsl.com>; Fri,  8 Jul 2011 06:50:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.579
X-Spam-Level: 
X-Spam-Status: No, score=-2.579 tagged_above=-999 required=5 tests=[AWL=0.020,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TXXPCpBGIzYe for <sidr@ietfa.amsl.com>; Fri,  8 Jul 2011 06:50:47 -0700 (PDT)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:1::36]) by ietfa.amsl.com (Postfix) with ESMTP id 5B2A221F88F9 for <sidr@ietf.org>; Fri,  8 Jul 2011 06:50:47 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=rair.psg.com.psg.com) by ran.psg.com with esmtp (Exim 4.76 (FreeBSD)) (envelope-from <randy@psg.com>) id 1QfBS9-000H7U-Fk; Fri, 08 Jul 2011 13:50:45 +0000
Date: Fri, 08 Jul 2011 22:50:44 +0900
Message-ID: <m2pqlklw3v.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: "Chris Hall" <chris.hall@highwayman.com>
In-Reply-To: <014001cc3d74$319571c0$94c05540$@highwayman.com>
References: <012601cc3d54$8f07c4e0$ad174ea0$@highwayman.com> <m2y609kptw.wl%randy@psg.com> <014001cc3d74$319571c0$94c05540$@highwayman.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Cc: 'sidr wg list' <sidr@ietf.org>
Subject: Re: [sidr] draft-sriram-bgpsec-design-choices-00 -- IXP and Route Server
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 13:50:48 -0000

>> i have a design that covers you.  it is based on an 'optimization'
>> and we have agreed to let optimizations sit for a bit.
> OK.  But I quibble with the notion that support for Route Servers
> should be treated as an "optimisation".

it is compressing prepends that is the optimization.  transparent route
servers are not an optimization, they're a hack.

>>   o an early optimization will be that each bgpspeaking AS adds
>>     a one byte prepend count, over which it signs.  this saves
>>     signing 92 prepends.  the count is normally one.
> 
> OK.  That clears up a confusion I had... I wasn't sure whether there
> was supposed to be one signature per ASN in the path, or one per
> *distinct* ASN in the path.  For my money, prepending is common enough
> to merit covering as a "feature".

prepending is supported in the current spec.  the problem is that there
is one signature per prepend, expensive.

>>   o a bgpsec-speaking 'transparent' route server signs over a zero
>>     prepend count.
>  
> That would be, as you suggest, less 'transparent' than it used to be.
> I don't know if "revealing" the use of the route server is a serious
> issue.  But I'm not sure how much is gained by inserting the route
> server ASN ?

maintaining bgpsec.  if A hands announcement to RS and RS hands to B and
C truly transparently, to whom does A forward sign the announcement, B
or C?  #faceplant

> It seems reasonable to me to treat the route server as an extension of
> its clients' networks -- that's pretty much what it is.  So, if the
> route server uses a different key for each client's routes, and the
> *client* is responsible for issuing the certificate (as if the route
> server were one of its routers), then that about covers it -- unless I
> am missing something ?

so, A has to know all the ASs to which RS will hand route, forward sign
announcements to each of them and hand all those to RS, and RS then
stores them all and forwards as appropriate.  that'll scale really well.

omg!  on reread it seems you are giving A's private key to RS.  not a
fracking chance in hell.  you just blew the trust model to hell.

>>   o bgpsec speakers calculate as path length by summing prepend
>>     counts.
> 
> Are you suggesting placing the prepend count in the AS Path itself ?

see slide 29 of https://archive.psg.com/110614.nanog-bgpsec.pdf

randy

From raszuk@cisco.com  Fri Jul  8 07:05:02 2011
Return-Path: <raszuk@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 46CCB21F871A for <sidr@ietfa.amsl.com>; Fri,  8 Jul 2011 07:05:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=-4.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jrvqlqkupmtu for <sidr@ietfa.amsl.com>; Fri,  8 Jul 2011 07:05:01 -0700 (PDT)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) by ietfa.amsl.com (Postfix) with ESMTP id 82A4A21F8509 for <sidr@ietf.org>; Fri,  8 Jul 2011 07:05:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=raszuk@cisco.com; l=953; q=dns/txt; s=iport; t=1310133901; x=1311343501; h=message-id:date:from:reply-to:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=H70bwIVZGNZeprl8hirqFIGYVBuUZZZo7dGj+CV0MEk=; b=dJBDlzHtrpVSnIP8ofGNkY2/NpX8Bd1WUY89fQoJvgr/WiuBiZXiKOp7 PVdRPEeTdhm9YW+eAuTE+F5jyn/z/BXx3JngFZGWEFSKJu7SOFzmrGwQL NaqUbW9JstaOMXX0sbDPReAA2Qsjlc06CjcVjLuWTPUGZl41n3yo7qQ1v o=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av0EADsNF06rRDoG/2dsb2JhbABTp0V3iHukZ4MVDwGaXIY4BJJMhH2LSQ
X-IronPort-AV: E=Sophos;i="4.65,499,1304294400";  d="scan'208";a="1050553"
Received: from mtv-core-1.cisco.com ([171.68.58.6]) by rcdn-iport-5.cisco.com with ESMTP; 08 Jul 2011 14:05:00 +0000
Received: from [192.168.1.51] (ams-raszuk-2-87113.cisco.com [10.55.99.78]) by mtv-core-1.cisco.com (8.14.3/8.14.3) with ESMTP id p68E4wWb019575; Fri, 8 Jul 2011 14:04:59 GMT
Message-ID: <4E170E82.60406@cisco.com>
Date: Fri, 08 Jul 2011 16:04:50 +0200
From: Robert Raszuk <raszuk@cisco.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.18) Gecko/20110616 Thunderbird/3.1.11
MIME-Version: 1.0
To: Randy Bush <randy@psg.com>, Chris Hall <chris.hall@highwayman.com>
References: <012601cc3d54$8f07c4e0$ad174ea0$@highwayman.com>	<m2y609kptw.wl%randy@psg.com>	<014001cc3d74$319571c0$94c05540$@highwayman.com> <m2pqlklw3v.wl%randy@psg.com>
In-Reply-To: <m2pqlklw3v.wl%randy@psg.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: 'sidr wg list' <sidr@ietf.org>
Subject: Re: [sidr] draft-sriram-bgpsec-design-choices-00 -- IXP and Route Server
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: raszuk@cisco.com
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 14:05:02 -0000

> so, A has to know all the ASs to which RS will hand route, forward sign
> announcements to each of them and hand all those to RS, and RS then
> stores them all and forwards as appropriate.  that'll scale really well.

IX are used for optimizing local traffic patterns. Only very few 
applications of IX are about Internet peering broker service (but let's 
keep those out for the time being).

So if we assume that A wants to give some of his addresses to B & C via 
RS why do they need to bother with bgpsec at all ?

When A advertises its nets to its Internet providers yes it will 
forward sign it properly so they will be announced everywhere according 
to BGPsec rules.

Imagine an IX without RS ... A wants to peer with B and both establish a 
peering relation I really see no need why they should get any of 
additional security on top of their direct route exchange as B will not 
be a transit for A anyway.

Rgs,
R.


From chris.hall@highwayman.com  Fri Jul  8 07:57:44 2011
Return-Path: <chris.hall@highwayman.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E5AE21F8695 for <sidr@ietfa.amsl.com>; Fri,  8 Jul 2011 07:57:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0NesQLabFFiC for <sidr@ietfa.amsl.com>; Fri,  8 Jul 2011 07:57:43 -0700 (PDT)
Received: from anchor-post-3.mail.demon.net (anchor-post-3.mail.demon.net [195.173.77.134]) by ietfa.amsl.com (Postfix) with ESMTP id 952D321F869B for <sidr@ietf.org>; Fri,  8 Jul 2011 07:57:43 -0700 (PDT)
Received: from [80.177.246.162] (helo=hestia.halldom.com) by anchor-post-3.mail.demon.net with esmtp (Exim 4.69) id 1QfCUx-0002Eb-mO; Fri, 08 Jul 2011 14:57:43 +0000
Received: from hyperion.halldom.com ([80.177.246.170] helo=HYPERION) by hestia.halldom.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.76) (envelope-from <chris.hall@highwayman.com>) id 1QfCUv-0006v8-VB; Fri, 08 Jul 2011 15:57:42 +0100
From: "Chris Hall" <chris.hall@highwayman.com>
To: "'sidr wg list'" <sidr@ietf.org>
References: <012601cc3d54$8f07c4e0$ad174ea0$@highwayman.com>	<m2y609kptw.wl%randy@psg.com>	<014001cc3d74$319571c0$94c05540$@highwayman.com> <m2pqlklw3v.wl%randy@psg.com>
In-Reply-To: <m2pqlklw3v.wl%randy@psg.com>
Date: Fri, 8 Jul 2011 15:57:36 +0100
Organization: Highwayman
Message-ID: <014a01cc3d7f$6312f730$2938e590$@highwayman.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQLnVxnGjNWVOyUsj5rn4Yr0eH1c1gL48hq9AYUdEa8CIAtBeJJ3UgXA
Content-Language: en-gb
Subject: Re: [sidr] draft-sriram-bgpsec-design-choices-00 -- IXP and Route Server
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 14:57:44 -0000

Randy Bush wrote (on 08-Jul-2011 at 14:51 +0100):
> Chris Hall wrote:
> > ... But I'm not sure how much is gained by inserting the
> >     route server ASN ?

> maintaining bgpsec.  if A hands announcement to RS and RS hands to B
> and C truly transparently, to whom does A forward sign the
> announcement, B or C?  #faceplant

A signs its announcements to RS in the usual way, with the RS ASN as
the next AS hop.

When announcing A's routes to B, the RS *rewrites* the signature it
received, using the key it has for A, as if A had announced the route
directly to B.  Clearly the RS would be required to preserve the
Expire Time on any routes originated by A.  Similarly, announcing A's
routes to any other AS.

Unless that is somehow impossible...

....
> omg!  on reread it seems you are giving A's private key to RS.  not
> a fracking chance in hell.  you just blew the trust model to hell.

...yes, I'm suggesting that A delegates a unique signing key to the
RS.  It is still A's key, so in terms of the trust model, it is
covered by A's CA.  This is what "6.6 Proxy Signing" in
draft-sriram-bgpsec-design-choices suggests, is it not ?  Or does that
blow the trust model to hell, also ?

Chris




From internet-drafts@ietf.org  Fri Jul  8 09:12:53 2011
Return-Path: <internet-drafts@ietf.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 677A721F8ACB; Fri,  8 Jul 2011 09:12:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.583
X-Spam-Level: 
X-Spam-Status: No, score=-102.583 tagged_above=-999 required=5 tests=[AWL=0.016, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 42lqZ9Tvraup; Fri,  8 Jul 2011 09:12:52 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 999E821F8A49; Fri,  8 Jul 2011 09:12:52 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 3.55
Message-ID: <20110708161252.27961.972.idtracker@ietfa.amsl.com>
Date: Fri, 08 Jul 2011 09:12:52 -0700
Cc: sidr@ietf.org
Subject: [sidr] I-D Action: draft-ietf-sidr-algorithm-agility-01.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 16:12:53 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Secure Inter-Domain Routing Working Group of the IETF.

	Title           : Algorithm Agility Procedure for RPKI.
	Author(s)       : Roque Gagliano
                          Stephen Kent
                          Sean Turner
	Filename        : draft-ietf-sidr-algorithm-agility-01.txt
	Pages           : 25
	Date            : 2011-07-08

   This document specifies the process that Certification Authorities
   (CAs) and Relying Parties (RP) participating in the Resource Public
   Key Infrastructure (RPKI) will need to follow to transition to a new
   (and probably cryptographically stronger) algorithm set.  The process
   is expected to be completed in a time scale of months or years.
   Consequently, no emergency transition is specified.  The transition
   procedure defined in this document supports only a top-down migration
   (parent migrates before children).


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-sidr-algorithm-agility-01.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-sidr-algorithm-agility-01.txt

From rogaglia@cisco.com  Fri Jul  8 09:14:51 2011
Return-Path: <rogaglia@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5257521F8BAC for <sidr@ietfa.amsl.com>; Fri,  8 Jul 2011 09:14:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level: 
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D8OjQ-T9XwJC for <sidr@ietfa.amsl.com>; Fri,  8 Jul 2011 09:14:50 -0700 (PDT)
Received: from ams-iport-1.cisco.com (ams-iport-1.cisco.com [144.254.224.140]) by ietfa.amsl.com (Postfix) with ESMTP id 1C8DB21F8BAB for <sidr@ietf.org>; Fri,  8 Jul 2011 09:14:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=rogaglia@cisco.com; l=8147; q=dns/txt; s=iport; t=1310141690; x=1311351290; h=from:mime-version:subject:date:in-reply-to:to:references: message-id; bh=JCXRa3FBl/XmsIQkcGBOyKLIJKHTInUFGsS24uxa2b8=; b=jCW1nBkrDH5V0+hskkxSttTGztkD0Ohm9YmoC2fqVoPu4wditJHnh+dm mxdzvSLlEeZ/wSPLUqjdGyGz2JDk5mXmTzjF2EIouIZ3hIlPkU03e8pHP IGLTf8nym9HgNcfYWu/8VH+dC3jHQhvPUTUdg4sXwjiswVvewm+cmeA57 U=;
X-Files: smime.p7s : 4389
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av0EAAssF06Q/khL/2dsb2JhbABSp0h3iHukEJ14hjgEkkyQRg
X-IronPort-AV: E=Sophos;i="4.65,500,1304294400";  d="p7s'?scan'208";a="100385890"
Received: from ams-core-2.cisco.com ([144.254.72.75]) by ams-iport-1.cisco.com with ESMTP; 08 Jul 2011 16:14:48 +0000
Received: from dhcp-144-254-20-210.cisco.com (dhcp-144-254-20-210.cisco.com [144.254.20.210]) by ams-core-2.cisco.com (8.14.3/8.14.3) with ESMTP id p68GEmAW005317 for <sidr@ietf.org>; Fri, 8 Jul 2011 16:14:48 GMT
From: Roque Gagliano <rogaglia@cisco.com>
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: multipart/signed; boundary=Apple-Mail-132--1025476933; protocol="application/pkcs7-signature"; micalg=sha1
Date: Fri, 8 Jul 2011 18:14:47 +0200
In-Reply-To: <20110708161252.27961.972.idtracker@ietfa.amsl.com>
To: "sidr@ietf.org wg" <sidr@ietf.org>
References: <20110708161252.27961.972.idtracker@ietfa.amsl.com>
Message-Id: <42FAFCD2-C5F0-471C-8E90-A6AF0EC17DE6@cisco.com>
X-Mailer: Apple Mail (2.1084)
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-algorithm-agility-01.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 16:14:51 -0000

--Apple-Mail-132--1025476933
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

In this new version we included the changes from the review by Arturo and several editorial nits.

Please take a look at the document and send your comments.

Roque.


On Jul 8, 2011, at 6:12 PM, Internet-Drafts@ietf.org wrote:

> A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Secure Inter-Domain Routing Working Group of the IETF.
>
> 	Title           : Algorithm Agility Procedure for RPKI.
> 	Author(s)       : Roque Gagliano
>                          Stephen Kent
>                          Sean Turner
> 	Filename        : draft-ietf-sidr-algorithm-agility-01.txt
> 	Pages           : 25
> 	Date            : 2011-07-08
>
>   This document specifies the process that Certification Authorities
>   (CAs) and Relying Parties (RP) participating in the Resource Public
>   Key Infrastructure (RPKI) will need to follow to transition to a new
>   (and probably cryptographically stronger) algorithm set.  The process
>   is expected to be completed in a time scale of months or years.
>   Consequently, no emergency transition is specified.  The transition
>   procedure defined in this document supports only a top-down migration
>   (parent migrates before children).
>
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-sidr-algorithm-agility-01.txt
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> This Internet-Draft can be retrieved at:
> ftp://ftp.ietf.org/internet-drafts/draft-ietf-sidr-algorithm-agility-01.txt


--Apple-Mail-132--1025476933--

From randy@psg.com  Fri Jul  8 11:23:35 2011
Return-Path: <randy@psg.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 161E321F8B30 for <sidr@ietfa.amsl.com>; Fri,  8 Jul 2011 11:23:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.58
X-Spam-Level: 
X-Spam-Status: No, score=-2.58 tagged_above=-999 required=5 tests=[AWL=0.019,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IA88immoCtZX for <sidr@ietfa.amsl.com>; Fri,  8 Jul 2011 11:23:34 -0700 (PDT)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:1::36]) by ietfa.amsl.com (Postfix) with ESMTP id 680C921F8AAA for <sidr@ietf.org>; Fri,  8 Jul 2011 11:23:34 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=rair.psg.com.psg.com) by ran.psg.com with esmtp (Exim 4.76 (FreeBSD)) (envelope-from <randy@psg.com>) id 1QfFi9-000Hzs-6A; Fri, 08 Jul 2011 18:23:33 +0000
Date: Sat, 09 Jul 2011 03:23:32 +0900
Message-ID: <m2oc14ljh7.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Chris Hall <chris.hall@highwayman.com>
In-Reply-To: <014a01cc3d7f$6312f730$2938e590$@highwayman.com>
References: <012601cc3d54$8f07c4e0$ad174ea0$@highwayman.com> <m2y609kptw.wl%randy@psg.com> <014001cc3d74$319571c0$94c05540$@highwayman.com> <m2pqlklw3v.wl%randy@psg.com> <014a01cc3d7f$6312f730$2938e590$@highwayman.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] draft-sriram-bgpsec-design-choices-00 -- IXP and Route Server
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 18:23:35 -0000

> I'm suggesting that A delegates a unique signing key to the RS.

the expression we use is, now RS can sign gifs of naked furries in A's
name.  i.e. A has given away the store.  you do NOT let anyone else have
your private keys.

for example, in this context, RS can now give that key to Perp who can
originate A's prefixes.  #fail

> This is what "6.6 Proxy Signing" in
> draft-sriram-bgpsec-design-choices suggests, is it not ?  Or does that
> blow the trust model to hell, also ?

it does indeed.  that is why 6.6 was rejected.

randy

From chris.hall@highwayman.com  Fri Jul  8 11:55:41 2011
Return-Path: <chris.hall@highwayman.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E63321F893E for <sidr@ietfa.amsl.com>; Fri,  8 Jul 2011 11:55:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iLPP3N9rgBPv for <sidr@ietfa.amsl.com>; Fri,  8 Jul 2011 11:55:40 -0700 (PDT)
Received: from lon1-post-1.mail.demon.net (lon1-post-1.mail.demon.net [195.173.77.148]) by ietfa.amsl.com (Postfix) with ESMTP id 7719221F88D6 for <sidr@ietf.org>; Fri,  8 Jul 2011 11:55:38 -0700 (PDT)
Received: from [80.177.246.162] (helo=hestia.halldom.com) by lon1-post-1.mail.demon.net with esmtp (Exim 4.69) id 1QfGDB-0001Px-Xy; Fri, 08 Jul 2011 18:55:37 +0000
Received: from hyperion.halldom.com ([80.177.246.170] helo=HYPERION) by hestia.halldom.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.76) (envelope-from <chris.hall@highwayman.com>) id 1QfGDA-0007Zl-PT; Fri, 08 Jul 2011 19:55:36 +0100
From: "Chris Hall" <chris.hall@highwayman.com>
To: "'sidr wg list'" <sidr@ietf.org>
References: <012601cc3d54$8f07c4e0$ad174ea0$@highwayman.com>	<m2y609kptw.wl%randy@psg.com>	<014001cc3d74$319571c0$94c05540$@highwayman.com>	<m2pqlklw3v.wl%randy@psg.com>	<014a01cc3d7f$6312f730$2938e590$@highwayman.com> <m2oc14ljh7.wl%randy@psg.com>
In-Reply-To: <m2oc14ljh7.wl%randy@psg.com>
Date: Fri, 8 Jul 2011 19:55:31 +0100
Organization: Highwayman
Message-ID: <017d01cc3da0$9f8cd390$dea67ab0$@highwayman.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQLnVxnGjNWVOyUsj5rn4Yr0eH1c1gL48hq9AYUdEa8CIAtBeALePpAvAmnYtsGSTVnR8A==
Content-Language: en-gb
Subject: Re: [sidr] draft-sriram-bgpsec-design-choices-00 -- IXP and Route Server
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 18:55:41 -0000

Randy Bush wrote (on Fri 08-Jul-2011 at 19:24 +0100):
....
> > This is what "6.6 Proxy Signing" in
> > draft-sriram-bgpsec-design-choices suggests, is it
> > not ?  Or does that blow the trust model to hell,
> > also ?

> it does indeed.  that is why 6.6 was rejected.

Ah.  There I was, reading a draft of 5-Jul-2011 and thinking I was up
to date :-(

OK.  If the RS ASN is in the path, then nobody needs to depend on the
integrity of the RS (however trustworthy one may expect them to be).
I look forward to the ASN count mechanism appearing in the draft(s),
and support for Route Servers making its way into the Requirements.

Chris
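
The two designs weighed in this exchange, modelled as an added example (not part of any poster's message or of the BGPsec drafts): with the RS ASN in the path the RS signs with its own key, while under proxy signing a key certified for A can sign a path toward any AS. Textbook RSA stands in for the real signature algorithm, and the ASNs, prefix, message layout and function names are constructed assumptions.

```python
"""Toy model of forward signing at an IXP route server (RS).

Added illustration: textbook RSA over Mersenne primes stands in for the real
signature algorithm, and the ASNs, prefix and message layout are constructed
(documentation ranges), not the BGPsec wire format.
"""
import hashlib

E = 65537  # public exponent shared by all toy keys


def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


class ToyKey:
    """Textbook RSA key pair. Not secure; it only models who can sign."""

    def __init__(self, p, q):
        self.n = p * q                            # public modulus
        self._d = pow(E, -1, (p - 1) * (q - 1))   # private exponent

    def sign(self, msg):
        return pow(_digest(msg, self.n), self._d, self.n)


def _signed_bytes(prefix, signer, target, prev_sig):
    # Each signature covers the AS the route is being sent TO (forward signing).
    return f"{prefix}|{signer}|{target}|{prev_sig}".encode()


def forward_sign(key, prefix, signer, target, path):
    """Return path plus a segment in which signer commits to target."""
    prev_sig = path[-1][2] if path else 0
    sig = key.sign(_signed_bytes(prefix, signer, target, prev_sig))
    return path + [(signer, target, sig)]


def validate(prefix, path, receiver, certified):
    """True if every segment verifies under a key certified for its signer,
    each segment is signed by the previous target, and the last target is us."""
    prev_sig, expected = 0, None
    for signer, target, sig in path:
        if expected is not None and signer != expected:
            return False
        msg = _signed_bytes(prefix, signer, target, prev_sig)
        if not any(pow(sig, E, n) == _digest(msg, n)
                   for n in certified.get(signer, [])):
            return False
        prev_sig, expected = sig, target
    return bool(path) and expected == receiver


# Constructed sample data: documentation ASNs and prefix.
AS_A, AS_RS, AS_B, AS_C, AS_X = 64496, 64497, 64498, 64499, 64500
PREFIX = "192.0.2.0/24"
KEY_A = ToyKey(2**61 - 1, 2**89 - 1)
KEY_RS = ToyKey(2**107 - 1, 2**127 - 1)
KEY_A_DELEGATED = ToyKey(2**521 - 1, 2**607 - 1)  # "unique key" A hands to the RS


def rs_asn_in_path():
    """A signs once, to the RS; the RS signs to each peer with its own key."""
    certified = {AS_A: [KEY_A.n], AS_RS: [KEY_RS.n]}
    from_a = forward_sign(KEY_A, PREFIX, AS_A, AS_RS, [])
    to_b = forward_sign(KEY_RS, PREFIX, AS_RS, AS_B, from_a)
    to_c = forward_sign(KEY_RS, PREFIX, AS_RS, AS_C, from_a)
    # What the RS key cannot do: speak for A, or retarget A's signature.
    as_a = forward_sign(KEY_RS, PREFIX, AS_A, AS_X, [])
    retargeted = [(AS_A, AS_B, from_a[0][2])]
    return {
        "B accepts": validate(PREFIX, to_b, AS_B, certified),
        "C accepts": validate(PREFIX, to_c, AS_C, certified),
        "RS key signing as A": validate(PREFIX, as_a, AS_X, certified),
        "A's signature retargeted": validate(PREFIX, retargeted, AS_B, certified),
    }


def proxy_signing():
    """The RS holds a key certified for A, so it can sign 'A -> anyone'."""
    certified = {AS_A: [KEY_A.n, KEY_A_DELEGATED.n]}
    to_b = forward_sign(KEY_A_DELEGATED, PREFIX, AS_A, AS_B, [])
    to_x = forward_sign(KEY_A_DELEGATED, PREFIX, AS_A, AS_X, [])  # never sent by A
    return {
        "B accepts": validate(PREFIX, to_b, AS_B, certified),
        "X accepts a path A never announced": validate(PREFIX, to_x, AS_X, certified),
    }


if __name__ == "__main__":
    for name, result in (("RS ASN in path", rs_asn_in_path()),
                         ("proxy signing", proxy_signing())):
        print(name, result)
```

In the first model a relying party needs only the certified keys of A and the RS, and nothing the RS holds lets it produce a segment signed as A; in the second, validation cannot distinguish A's own announcement from one made by whoever holds the delegated key.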


From randy@psg.com  Fri Jul  8 12:03:12 2011
Return-Path: <randy@psg.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82F1B21F89B6 for <sidr@ietfa.amsl.com>; Fri,  8 Jul 2011 12:03:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.58
X-Spam-Level: 
X-Spam-Status: No, score=-2.58 tagged_above=-999 required=5 tests=[AWL=0.019,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9XBHF5TUiVNp for <sidr@ietfa.amsl.com>; Fri,  8 Jul 2011 12:03:12 -0700 (PDT)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:1::36]) by ietfa.amsl.com (Postfix) with ESMTP id EC53E21F8B0F for <sidr@ietf.org>; Fri,  8 Jul 2011 12:02:22 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=rair.psg.com.psg.com) by ran.psg.com with esmtp (Exim 4.76 (FreeBSD)) (envelope-from <randy@psg.com>) id 1QfGJh-000I9k-Ef; Fri, 08 Jul 2011 19:02:21 +0000
Date: Sat, 09 Jul 2011 04:02:20 +0900
Message-ID: <m2aacolhoj.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Robert Raszuk <raszuk@cisco.com>
In-Reply-To: <4E170E82.60406@cisco.com>
References: <012601cc3d54$8f07c4e0$ad174ea0$@highwayman.com> <m2y609kptw.wl%randy@psg.com> <014001cc3d74$319571c0$94c05540$@highwayman.com> <m2pqlklw3v.wl%randy@psg.com> <4E170E82.60406@cisco.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] draft-sriram-bgpsec-design-choices-00 -- IXP and Route Server
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 19:03:12 -0000

> IX are used for optimizing local traffic patterns. Only very few 
> applications of IX are about Internet peering broker service (but let's 
> keep those out for the time being).

ixen are used for all sorts of things, including transit.

> So if we assume that A wants to give some of his addresses to B & C via 
> RS why do they need to bother with bgpsec at all ?

because A, B, and C have bgpsec speaking customers who want their
prefixes protected.

> When A advertises its nets to its Internet providers yes it will 
> forward sign it properly so they will be announced everywhere according 
> to BGPsec rules.

it's not just A's prefixes, it's also A's customers' prefixes.

> Imagine an IX without RS ... A wants to peer with B and both establish
> a peering relation I really see no need why they should get any of
> additional security on top of their direct route exchange as B will
> not be a transit for A anyway.

first, you have no idea whether they are transit or not.  the business
models across exchanges are quite diverse.

second, both A and B have CUSTOMERS.  A and B received those prefixes as
signed, and A's and B's receiving customers want to receive them via
bgpsec.

no one's customers want to have their security reduced just because an
upstream or more complex business partner uses an exchange point.
weakened security does not sell well.

randy

From randy@psg.com  Fri Jul  8 12:06:45 2011
Return-Path: <randy@psg.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36AF121F8B99 for <sidr@ietfa.amsl.com>; Fri,  8 Jul 2011 12:06:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.581
X-Spam-Level: 
X-Spam-Status: No, score=-2.581 tagged_above=-999 required=5 tests=[AWL=0.018,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kl6Uc69DWzIf for <sidr@ietfa.amsl.com>; Fri,  8 Jul 2011 12:06:44 -0700 (PDT)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:1::36]) by ietfa.amsl.com (Postfix) with ESMTP id A58B321F8A04 for <sidr@ietf.org>; Fri,  8 Jul 2011 12:06:44 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=rair.psg.com.psg.com) by ran.psg.com with esmtp (Exim 4.76 (FreeBSD)) (envelope-from <randy@psg.com>) id 1QfGNv-000IAo-Gy; Fri, 08 Jul 2011 19:06:43 +0000
Date: Sat, 09 Jul 2011 04:06:42 +0900
Message-ID: <m27h7slhh9.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: "Chris Hall" <chris.hall@highwayman.com>
In-Reply-To: <017d01cc3da0$9f8cd390$dea67ab0$@highwayman.com>
References: <012601cc3d54$8f07c4e0$ad174ea0$@highwayman.com> <m2y609kptw.wl%randy@psg.com> <014001cc3d74$319571c0$94c05540$@highwayman.com> <m2pqlklw3v.wl%randy@psg.com> <014a01cc3d7f$6312f730$2938e590$@highwayman.com> <m2oc14ljh7.wl%randy@psg.com> <017d01cc3da0$9f8cd390$dea67ab0$@highwayman.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Cc: 'sidr wg list' <sidr@ietf.org>
Subject: Re: [sidr] draft-sriram-bgpsec-design-choices-00 -- IXP and Route Server
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 19:06:45 -0000

>>> This is what "6.6 Proxy Signing" in
>>> draft-sriram-bgpsec-design-choices suggests, is it not ?  Or does
>>> that blow the trust model to hell, also ?
>> it does indeed.  that is why 6.6 was rejected.
> Ah.  There I was, reading a draft of 5-Jul-2011 and thinking I was up
> to date :-(

sriram's document represents the design team's thought processes, and
therefore includes things which were rejected in the design.

the bgpsec protocol documents, i think, still are

    draft-ietf-sidr-bgpsec-overview-00.txt
    draft-ietf-sidr-bgpsec-protocol-00.txt

> OK.  If the RS ASN is in the path, then nobody needs to depend on the
> integrity of the RS (however trustworthy one may expect them to be).

bingo!

> I look forward to the ASN count mechanism appearing in the draft(s),
> and support for Route Servers making its way into the Requirements.

i am still selling my hack to the design team.

randy

From bew@cisco.com  Fri Jul  8 12:08:50 2011
Return-Path: <bew@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BD6621F8ACB for <sidr@ietfa.amsl.com>; Fri,  8 Jul 2011 12:08:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level: 
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[AWL=-4.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rNJWbCuaL4jA for <sidr@ietfa.amsl.com>; Fri,  8 Jul 2011 12:08:49 -0700 (PDT)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) by ietfa.amsl.com (Postfix) with ESMTP id 60C4221F8AC5 for <sidr@ietf.org>; Fri,  8 Jul 2011 12:08:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=bew@cisco.com; l=3161; q=dns/txt; s=iport; t=1310152129; x=1311361729; h=subject:mime-version:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=ojVvsrQyatTm5wosnXtkCfDTDsRgYm4Yy6+WGywBVv0=; b=mPVAoaDa1hmn2h8n48dkRFytTcJk71m1RTy3c+oj9K/mejKotUDRC8Q7 cLY16NZGMX/0K4iUTjaE6PJEv2Xe8ZW3ivdSizCJsWRg5sb6mIZ/iI9P8 TGwTt1Whc+38pm9oi9ZnFgqB6S6huxlSBPdyJlUKNYGJh6Qj2DxVaZrhW o=;
X-IronPort-AV: E=Sophos;i="4.65,500,1304294400";  d="scan'208";a="1157503"
Received: from mtv-core-4.cisco.com ([171.68.58.9]) by rcdn-iport-2.cisco.com with ESMTP; 08 Jul 2011 19:08:49 +0000
Received: from dhcp-128-107-147-1.cisco.com (dhcp-128-107-147-1.cisco.com [128.107.147.1]) by mtv-core-4.cisco.com (8.14.3/8.14.3) with ESMTP id p68J8mxa024779; Fri, 8 Jul 2011 19:08:48 GMT
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset=us-ascii
From: Brian Weis <bew@cisco.com>
In-Reply-To: <42FAFCD2-C5F0-471C-8E90-A6AF0EC17DE6@cisco.com>
Date: Fri, 8 Jul 2011 12:08:48 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <AAA28269-7DC5-4E19-A05B-6FAA4DF01388@cisco.com>
References: <20110708161252.27961.972.idtracker@ietfa.amsl.com> <42FAFCD2-C5F0-471C-8E90-A6AF0EC17DE6@cisco.com>
To: Roque Gagliano <rogaglia@cisco.com>
X-Mailer: Apple Mail (2.1084)
Cc: "sidr@ietf.org wg" <sidr@ietf.org>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-algorithm-agility-01.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2011 19:08:50 -0000

Hi Roque,

This draft seems very complete. I have just a few questions and comments:

1. Section 2. "A failure to comply with this process during an algorithm transition MUST be considered as non-compliance with ... I-D.ietf-sidr-cp". I can't detect in the CP where failing to comply with this process would result in non-compliance. It would be helpful to be more specific here.

2. Section 3. The definition of a "Non-Leaf CA" is "A CA that issues certificates to entities not under its administrative control." I believe this effectively means "CAs that have children", and if that's the intended meaning perhaps that's a better statement. The present definition could apply to a CA cross-certifying another CA and other non-child certificate signing. Even if those situations aren't expected to be possible within the RPKI, it would be helpful to clarify the definition. Also, it's not clear to me that a child CA is "under its administrative control" in the sense that the child CA (e.g., ISP) might not be administered by the parent (e.g., RIR).

3. Section 4.2. "The only milestone that affects both CAs and RPs, at the same moment is the EOL date.". But the "Process for RPKI CAs" figure shows that two milestones are aligned: (5) and (6). How do these reconcile?

4. Section 4.3. The alignment errors that Arturo mentioned don't seem to be fixed in -01. Did you mean to adjust them? Also, it might be worth stating explicitly in the Note following this first example that the indentation means "signed by".

5. Section 4.5. "During this phase all signed product sets MUST be available using both Algorithm Suite A and Algorithm Suite B." It isn't clear to me what "During this phase" means in Phase 2. Does it mean "By the end of this phase"? Or does it mean "Before the start of Phase 3", which is not the same moment in time according to the figures in Section 4.2. I'm inclined to think it means "Before the start of Phase 3", because by Phase 3 "all product sets are available". Although again, Section 4.6 uses the phrase "During this phase" so that also isn't clear and I would recommend being more precise here too.

6. Section 4.5. "An RP that validates all signed product sets using both Algorithm Suite A or Algorithm Suite B, SHOULD expect the same results." The text added to this paragraph in -01 clarifies how to resolve certificate validation results that differ, but I think it would be helpful to include references to both Sections 6 and 7 here which cover issues when there are differences in validation more thoroughly.

7. (nit) The references for I-D.ietf-sidr-cp didn't get updated to -17. I didn't check other references.

Thanks,
Brian

On Jul 8, 2011, at 9:14 AM, Roque Gagliano wrote:

> In this new version we included the changes from the review by Arturo and several editorial nits.
>
> Please take a look at the document and send your comments.
>
> Roque.

-- 
Brian Weis
Security Standards and Technology, SRTG, Cisco Systems
Telephone: +1 408 526 4796
Email: bew@cisco.com






From Sandra.Murphy@cobham.com  Fri Jul  8 12:30:30 2011
Return-Path: <Sandra.Murphy@cobham.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B191921F8CEE for <sidr@ietfa.amsl.com>; Fri,  8 Jul 2011 12:30:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.183
X-Spam-Level: 
X-Spam-Status: No, score=-99.183 tagged_above=-999 required=5 tests=[AWL=3.417, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3BRxSf-r8wSE for <sidr@ietfa.amsl.com>; Fri,  8 Jul 2011 12:30:29 -0700 (PDT)
Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by ietfa.amsl.com (Postfix) with ESMTP id A596421F8CC5 for <sidr@ietf.org>; Fri,  8 Jul 2011 12:30:28 -0700 (PDT)
Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.13.5/8.13.5) with ESMTP id p68JUMdt009168; Fri, 8 Jul 2011 14:30:23 -0500
Received: from nemo.columbia.ads.sparta.com (nemo.columbia.sparta.com [157.185.80.75]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id p68JUJRD015529; Fri, 8 Jul 2011 14:30:22 -0500
Received: from SMURPHY-LT.columbia.ads.sparta.com ([157.185.81.116]) by nemo.columbia.ads.sparta.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675); Fri, 8 Jul 2011 15:30:19 -0400
Date: Fri, 8 Jul 2011 15:30:19 -0400 (Eastern Daylight Time)
From: Sandra Murphy <Sandra.Murphy@sparta.com>
To: Chris Hall <chris.hall@highwayman.com>
In-Reply-To: <017d01cc3da0$9f8cd390$dea67ab0$@highwayman.com>
Message-ID: <Pine.WNT.4.64.1107081506110.1536@SMURPHY-LT.columbia.ads.sparta.com>
References: <012601cc3d54$8f07c4e0$ad174ea0$@highwayman.com> <m2y609kptw.wl%randy@psg.com> <014001cc3d74$319571c0$94c05540$@highwayman.com> <m2pqlklw3v.wl%randy@psg.com> <014a01cc3d7f$6312f730$2938e590$@highwayman.com> <m2oc14ljh7.wl%randy@psg.com> <017d01cc3da0$9f8cd390$dea67ab0$@highwayman.com>
X-X-Sender: sandy@nemo.columbia.sparta.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-OriginalArrivalTime: 08 Jul 2011 19:30:19.0282 (UTC) FILETIME=[78D1DF20:01CC3DA5]
Cc: 'sidr wg list' <sidr@ietf.org>
Subject: Re: [sidr] draft-sriram-bgpsec-design-choices-00 -- IXP and Route Server

On Fri, 8 Jul 2011, Chris Hall wrote:

> Randy Bush wrote (on Fri 08-Jul-2011 at 19:24 +0100):
> ....
>>> This is what "6.6 Proxy Signing" in
>>> draft-sriram-bgpsec-design-choices suggests, is it
>>> not ?  Or does that blow the trust model to hell,
>>> also ?
>
>> it does indeed.  that is why 6.6 was rejected.
>
> Ah.  There I was, reading a draft of 5-Jul-2011 and thinking I was up
> to date :-(

The previous section, 6.5, lists alternatives for handling stub ASs. 
Note that alternative 2 is the same description as 6.6, but alternative 2 
was not the chosen alternative.  That might be what Randy meant when he 
said "rejected."

Section 6.6 rightly notes that if an AS decided to share its private key 
with another AS, no one outside the agreement could tell the difference.

Therein lies the power and the danger of sharing private keys.

--Sandy, regular ol' wg member


>
> OK.  If the RS ASN is in the path, then nobody needs to depend on the
> integrity of the RS (however trustworthy one may expect them to be).
> I look forward to the ASN count mechanism appearing in the draft(s),
> and support for Route Servers making its way into the Requirements.
>
> Chris

From raszuk@cisco.com  Fri Jul  8 13:11:19 2011
Message-ID: <4E17646A.1050600@cisco.com>
Date: Fri, 08 Jul 2011 22:11:22 +0200
From: Robert Raszuk <raszuk@cisco.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.18) Gecko/20110616 Thunderbird/3.1.11
MIME-Version: 1.0
To: sidr@ietf.org
References: <012601cc3d54$8f07c4e0$ad174ea0$@highwayman.com>	<m2y609kptw.wl%randy@psg.com>	<014001cc3d74$319571c0$94c05540$@highwayman.com>	<m2pqlklw3v.wl%randy@psg.com>	<014a01cc3d7f$6312f730$2938e590$@highwayman.com>	<m2oc14ljh7.wl%randy@psg.com> <017d01cc3da0$9f8cd390$dea67ab0$@highwayman.com>
In-Reply-To: <017d01cc3da0$9f8cd390$dea67ab0$@highwayman.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [sidr] IXP and Route Server and Next Hop transparency

On the previous post I just wanted to limit such bgpsec less exchange to 
stub customers only. But I agree and stand corrected that if we solve it 
for all - transit included - then there is no need to make any special 
treatment for stubs. Question withdrawn.

---

However I would like to ask for some clarification on why bgpsec is all 
about securing advertised nets and does not (at least to the best of my 
knowledge) certify that such prefixes have been advertised with 
legitimate next hops (the one which the prefix owner really owns). I 
browsed the respective drafts and did not find a trace of such.

If we talk about RS in particular such RS is not in the data path hence 
it is not modifying next hops as received from his clients.

How are we going to protect the paths from compromised RS where the 
prefixes are advertised correctly but next hops are bogus ? What's worse 
client's customers connected via such RS may have chosen such paths as 
best even if they have alternatives ...

Thx,
R.

From kotikalapudi.sriram@nist.gov  Fri Jul  8 16:27:03 2011
From: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>
To: Sandra Murphy <Sandra.Murphy@sparta.com>, Chris Hall <chris.hall@highwayman.com>
Date: Fri, 8 Jul 2011 19:26:38 -0400
Thread-Topic: [sidr] draft-sriram-bgpsec-design-choices-00 -- IXP and Route Server
Thread-Index: Acw9pWzKq/QwlyNIRImAxQJr5R8gbAAHaG5A
Message-ID: <D7A0423E5E193F40BE6E94126930C4930879E9BDD3@MBCLUSTER.xchange.nist.gov>
References: <012601cc3d54$8f07c4e0$ad174ea0$@highwayman.com> <m2y609kptw.wl%randy@psg.com> <014001cc3d74$319571c0$94c05540$@highwayman.com> <m2pqlklw3v.wl%randy@psg.com> <014a01cc3d7f$6312f730$2938e590$@highwayman.com> <m2oc14ljh7.wl%randy@psg.com> <017d01cc3da0$9f8cd390$dea67ab0$@highwayman.com> <Pine.WNT.4.64.1107081506110.1536@SMURPHY-LT.columbia.ads.sparta.com>
In-Reply-To: <Pine.WNT.4.64.1107081506110.1536@SMURPHY-LT.columbia.ads.sparta.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Cc: 'sidr wg list' <sidr@ietf.org>
Subject: Re: [sidr] draft-sriram-bgpsec-design-choices-00 -- IXP and Route Server

Sandy's observations are correct.
Further, the topic of Section 6.6 cannot be either "accepted" or "rejected"
as a matter of BGPSEC protocol specification.
It is merely a statement that _outside_of_the_BGPSEC_protocol_specification_,
any two consenting ASes can have this private arrangement.
Section 6.6 clearly notes thus:   
"This is a private arrangement between said parties and is invisible to other ASes.  
Thus, this arrangement is not part of the BGPSEC protocol specification."
http://tools.ietf.org/html/draft-sriram-bgpsec-design-choices-00#section-6.6 

Sriram

> -----Original Message-----
> From: sidr-bounces@ietf.org [mailto:sidr-bounces@ietf.org] On Behalf Of Sandra Murphy
> Sent: Friday, July 08, 2011 3:30 PM
> To: Chris Hall
> Cc: 'sidr wg list'
> Subject: Re: [sidr] draft-sriram-bgpsec-design-choices-00 -- IXP and Route Server
> 
> 
> 
> On Fri, 8 Jul 2011, Chris Hall wrote:
> 
> > Randy Bush wrote (on Fri 08-Jul-2011 at 19:24 +0100):
> > ....
> >>> This is what "6.6 Proxy Signing" in
> >>> draft-sriram-bgpsec-design-choices suggests, is it
> >>> not ?  Or does that blow the trust model to hell,
> >>> also ?
> >
> >> it does indeed.  that is why 6.6 was rejected.
> >
> > Ah.  There I was, reading a draft of 5-Jul-2011 and thinking I was up
> > to date :-(
> 
> The previous section, 6.5, lists alternatives for handling stub ASs.
> Note that alternative 2 is the same description as 6.6, but alternative 2
> was not the chosen alternative.  That might be what Randy meant when he
> said "rejected."
> 
> Section 6.6 rightly notes that if an AS decided to share its private key
> with another AS, no one outside the agreement could tell the difference.
> 
> Therein lies the power and the danger of sharing private keys.
> 
> --Sandy, regular ol' wg member
> 
> 
> >
> > OK.  If the RS ASN is in the path, then nobody needs to depend on the
> > integrity of the RS (however trustworthy one may expect them to be).
> > I look forward to the ASN count mechanism appearing in the draft(s),
> > and support for Route Servers making its way into the Requirements.
> >
> > Chris

From chris.hall@highwayman.com  Sat Jul  9 02:37:47 2011
From: "Chris Hall" <chris.hall@highwayman.com>
To: "'Sriram, Kotikalapudi'" <kotikalapudi.sriram@nist.gov>
References: <012601cc3d54$8f07c4e0$ad174ea0$@highwayman.com>	<m2y609kptw.wl%randy@psg.com>	<014001cc3d74$319571c0$94c05540$@highwayman.com>	<m2pqlklw3v.wl%randy@psg.com>	<014a01cc3d7f$6312f730$2938e590$@highwayman.com>	<m2oc14ljh7.wl%randy@psg.com>	<017d01cc3da0$9f8cd390$dea67ab0$@highwayman.com> <Pine.WNT.4.64.1107081506110.1536@SMURPHY-LT.columbia.ads.sparta.com> <D7A0423E5E193F40BE6E94126930C4930879E9BDD3@MBCLUSTER.xchange.nist.gov>
In-Reply-To: <D7A0423E5E193F40BE6E94126930C4930879E9BDD3@MBCLUSTER.xchange.nist.gov>
Date: Sat, 9 Jul 2011 10:37:40 +0100
Organization: Highwayman
Message-ID: <01ab01cc3e1b$db54d230$91fe7690$@highwayman.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQLnVxnGjNWVOyUsj5rn4Yr0eH1c1gL48hq9AYUdEa8CIAtBeALePpAvAmnYtsEBdZrX2AJHVOEeAiwqzkKSHwlsgA==
Content-Language: en-gb
Cc: 'Sandra Murphy' <Sandra.Murphy@sparta.com>, 'sidr wg list' <sidr@ietf.org>
Subject: Re: [sidr] draft-sriram-bgpsec-design-choices-00 -- IXP and Route Server

Sriram, Kotikalapudi wrote (on Sat 09-Jul-2011 at 00:27 +0100):
> Sandy's observations are correct.
>
...
> Section 6.6 clearly notes thus:
> "This is a private arrangement between said parties and
>  is invisible to other ASes.  Thus, this arrangement is
>  not part of the BGPSEC protocol specification."

Strictly entre nous, I don't get a strong sense from the text that
entering into such an arrangement is an obvious and foolish mistake
:-}  Unlike, for example, an ISP using its own key to proxy sign for a
customer, which is "considered a bad idea".

Chris


From kotikalapudi.sriram@nist.gov  Sat Jul  9 06:31:15 2011
From: "Sriram, Kotikalapudi" <kotikalapudi.sriram@nist.gov>
To: Chris Hall <chris.hall@highwayman.com>
Date: Sat, 9 Jul 2011 09:30:24 -0400
Thread-Topic: [sidr] draft-sriram-bgpsec-design-choices-00 -- IXP and Route Server
Thread-Index: AQLnVxnGjNWVOyUsj5rn4Yr0eH1c1gL48hq9AYUdEa8CIAtBeALePpAvAmnYtsEBdZrX2AJHVOEeAiwqzkKSHwlsgIAAOq9B
Message-ID: <D7A0423E5E193F40BE6E94126930C4930877FE8A5C@MBCLUSTER.xchange.nist.gov>
References: <012601cc3d54$8f07c4e0$ad174ea0$@highwayman.com> <m2y609kptw.wl%randy@psg.com> <014001cc3d74$319571c0$94c05540$@highwayman.com> <m2pqlklw3v.wl%randy@psg.com> <014a01cc3d7f$6312f730$2938e590$@highwayman.com> <m2oc14ljh7.wl%randy@psg.com> <017d01cc3da0$9f8cd390$dea67ab0$@highwayman.com> <Pine.WNT.4.64.1107081506110.1536@SMURPHY-LT.columbia.ads.sparta.com> <D7A0423E5E193F40BE6E94126930C4930879E9BDD3@MBCLUSTER.xchange.nist.gov>, <01ab01cc3e1b$db54d230$91fe7690$@highwayman.com>
In-Reply-To: <01ab01cc3e1b$db54d230$91fe7690$@highwayman.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Cc: 'Sandra Murphy' <Sandra.Murphy@sparta.com>, 'sidr wg list' <sidr@ietf.org>
Subject: Re: [sidr] draft-sriram-bgpsec-design-choices-00 -- IXP and Route Server

>Strictly entre nous, I don't get a strong sense from the text that
>entering into such an arrangement is an obvious and foolish mistake
>:-}  Unlike, for example, an ISP using its own key to proxy sign for a
>customer, which is "considered a bad idea".
>
>Chris

If an ISP (or IXP/RS) and its customer feel strongly that they have a long trusted relationship,
and they are comfortable with this type of arrangement (outside of BGPSEC
but still only to allow them to perform BGPSEC more efficiently or with lower cost), 
what good does it do to tell them that they are making "an obvious and foolish mistake"?
They also know that the customer can revoke the EE cert and annul the 
router (or RS)-specific private key if the relationship ends or trust
is compromised (Section 6.6.2).   

Having said that, I respect Randy's viewpoint (and yours -- seems you are in agreement).
There is no conflict here since it is not about BGPSEC protocol specification.
This is about operational best practices.
We can revise Section 6.6 to put greater emphasis on the "cons" part of it.

Sriram


From randy@psg.com  Sat Jul  9 07:56:49 2011
Date: Sat, 09 Jul 2011 23:56:44 +0900
Message-ID: <m2tyavijtf.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Robert Raszuk <raszuk@cisco.com>
In-Reply-To: <4E17646A.1050600@cisco.com>
References: <012601cc3d54$8f07c4e0$ad174ea0$@highwayman.com> <m2y609kptw.wl%randy@psg.com> <014001cc3d74$319571c0$94c05540$@highwayman.com> <m2pqlklw3v.wl%randy@psg.com> <014a01cc3d7f$6312f730$2938e590$@highwayman.com> <m2oc14ljh7.wl%randy@psg.com> <017d01cc3da0$9f8cd390$dea67ab0$@highwayman.com> <4E17646A.1050600@cisco.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Cc: sidr@ietf.org
Subject: Re: [sidr] IXP and Route Server and Next Hop transparency

> However I would like to ask for some clarification on why bgpsec is all 
> about securing advertised nets and does not (at least to the best of my 
> knowledge) certify that such prefixes have been advertised with 
> legitimate next hops (the one which the prefix owner really owns).

considering next hop likely changes at AS boundaries (and for some ops
practice, within the AS), how and why would one sign it?  e.g. at the
boundary between A and B, why bother having A sign it across what should
be a trustable boundary.

and, if A did sign it, and B changes the next hop when handing the
update on to C, A's signature just got farbled.

so bottom line, imiho, what's the need, and doing it would break things.

randy
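
The next-hop argument in the message above, as an added example that is not part of the thread or of any BGPSEC draft: a toy signature chain A -> B -> C, checked once with the next hop left out of the signed data and once with it included. HMAC-SHA256 with constructed per-AS keys stands in for BGPSEC signatures, and the ASNs, addresses and field layout are assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed ASNs and keys. HMAC-SHA256 is a stand-in for each AS's signature;
# real BGPSEC uses asymmetric keys certified in the RPKI (assumption of this sketch).
AS_A, AS_B, AS_C = 64496, 64497, 64498
KEYS = {AS_A: b"constructed-key-A", AS_B: b"constructed-key-B"}


def _encode(fields):
    """Length-prefixed encoding so field boundaries are unambiguous."""
    out = b""
    for field in fields:
        raw = str(field).encode()
        out += len(raw).to_bytes(2, "big") + raw
    return out


def _signed_bytes(update, signer, target, prev_sig, cover_next_hop):
    """Bytes one AS signs: prefix, itself, the AS it sends to, the previous signature."""
    fields = [update["prefix"], signer, target, prev_sig.hex()]
    if cover_next_hop:
        fields.append(update["next_hop"])  # the variant questioned in the thread
    return _encode(fields)


def sign_and_send(update, signer, target, next_hop, cover_next_hop):
    """eBGP egress at `signer`: set the next hop, then append an attestation to `target`."""
    out = {"prefix": update["prefix"], "next_hop": next_hop, "sigs": list(update["sigs"])}
    prev_sig = out["sigs"][-1]["sig"] if out["sigs"] else b""
    data = _signed_bytes(out, signer, target, prev_sig, cover_next_hop)
    sig = hmac.new(KEYS[signer], data, hashlib.sha256).digest()
    out["sigs"].append({"as": signer, "target": target, "sig": sig})
    return out


def verify(update, receiver, cover_next_hop):
    """Return the ASNs whose attestation fails when `receiver` checks the update."""
    failed = []
    prev_sig = b""
    sigs = update["sigs"]
    for i, att in enumerate(sigs):
        # Each attestation must name the next signer (or the receiver) as its target.
        expected_target = sigs[i + 1]["as"] if i + 1 < len(sigs) else receiver
        data = _signed_bytes(update, att["as"], att["target"], prev_sig, cover_next_hop)
        good = hmac.new(KEYS[att["as"]], data, hashlib.sha256).digest()
        if att["target"] != expected_target or not hmac.compare_digest(good, att["sig"]):
            failed.append(att["as"])
        prev_sig = att["sig"]
    return failed


def build_at_b(cover_next_hop):
    """A originates a constructed prefix and sends it to B."""
    origin = {"prefix": "192.0.2.0/24", "next_hop": None, "sigs": []}
    return sign_and_send(origin, AS_A, AS_B, "198.51.100.1", cover_next_hop)


def build_at_c(cover_next_hop):
    """B hands the update on to C and, as usual at an AS boundary, rewrites the next hop."""
    return sign_and_send(build_at_b(cover_next_hop), AS_B, AS_C, "203.0.113.1", cover_next_hop)


def run_cases():
    path_only = build_at_c(False)
    # Constructed case: next hop changed after signing, path signatures untouched.
    altered = dict(path_only, next_hop="203.0.113.66")
    return {
        "path_only": verify(path_only, AS_C, False),
        "covered_first_hop": verify(build_at_b(True), AS_B, True),
        "covered_second_hop": verify(build_at_c(True), AS_C, True),
        "path_only_altered_next_hop": verify(altered, AS_C, False),
    }


if __name__ == "__main__":
    for name, failed in run_cases().items():
        print(name, "failed attestations:", failed)
```

With the next hop covered, A's attestation checks out at B but fails at C as soon as B rewrites the next hop; with only the path covered, the chain verifies and a changed next hop goes unnoticed by path validation.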

From rogaglia@cisco.com  Sat Jul  9 08:00:57 2011
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: multipart/signed; boundary=Apple-Mail-235--943512811; protocol="application/pkcs7-signature"; micalg=sha1
From: Roque Gagliano <rogaglia@cisco.com>
In-Reply-To: <m2oc14ljh7.wl%randy@psg.com>
Date: Sat, 9 Jul 2011 17:00:49 +0200
Message-Id: <0D4139F7-B4DC-497E-9079-C95EA1D3662D@cisco.com>
References: <012601cc3d54$8f07c4e0$ad174ea0$@highwayman.com> <m2y609kptw.wl%randy@psg.com> <014001cc3d74$319571c0$94c05540$@highwayman.com> <m2pqlklw3v.wl%randy@psg.com> <014a01cc3d7f$6312f730$2938e590$@highwayman.com> <m2oc14ljh7.wl%randy@psg.com>
To: Randy Bush <randy@psg.com>
X-Mailer: Apple Mail (2.1084)
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] draft-sriram-bgpsec-design-choices-00 -- IXP and Route Server

Randy,

>> I'm suggesting that A delegates a unique signing key to the RS.
>
> the expression we use is, now RS can sign gifs of naked furries in A's
> name.  i.e. A has given away the store.  you do NOT let anyone else have
> your private keys.
>
> for example. in this context, RS can now give that key to Perp who can
> originate A's prefixes.  #fail

I do not follow this reasoning. The certificates for BGPSEC are EE
certificates with only A's ASN in their RFC3779 extension. So, you cannot
use the same key to sign a ROA with another ASN nor issue any
certificate using that same key.

IMHO, a good idea could be to clearly identify BGPSEC EE certs in the
RPKI repository by assigning them a distinct Extended Key Usage (EKU). The
use of EKU is permitted by the RPKI CP. The EKU should be checked by the
RP during the validation process.

Roque

>
>> This is what "6.6 Proxy Signing" in
>> draft-sriram-bgpsec-design-choices suggests, is it not ?  Or does that
>> blow the trust model to hell, also ?
>
> it does indeed.  that is why 6.6 was rejected.
>
> randy

From Sandra.Murphy@cobham.com  Sat Jul  9 16:05:30 2011
Date: Sat, 9 Jul 2011 19:05:26 -0400 (Eastern Daylight Time)
From: Sandra Murphy <Sandra.Murphy@sparta.com>
To: Robert Raszuk <raszuk@cisco.com>
In-Reply-To: <4E17646A.1050600@cisco.com>
Message-ID: <Pine.WNT.4.64.1107091843190.3744@SMURPHY-LT.columbia.ads.sparta.com>
References: <012601cc3d54$8f07c4e0$ad174ea0$@highwayman.com> <m2y609kptw.wl%randy@psg.com> <014001cc3d74$319571c0$94c05540$@highwayman.com> <m2pqlklw3v.wl%randy@psg.com> <014a01cc3d7f$6312f730$2938e590$@highwayman.com> <m2oc14ljh7.wl%randy@psg.com> <017d01cc3da0$9f8cd390$dea67ab0$@highwayman.com> <4E17646A.1050600@cisco.com>
X-X-Sender: sandy@mailbin.sparta.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-OriginalArrivalTime: 09 Jul 2011 23:05:24.0840 (UTC) FILETIME=[AF8B7E80:01CC3E8C]
Cc: sidr@ietf.org
Subject: Re: [sidr] IXP and Route Server and Next Hop transparency

On Fri, 8 Jul 2011, Robert Raszuk wrote:

>
> On the previous post I just wanted to limit such bgpsec less exchange to stub 
> customers only. But I agree and stand corrected that if we solve it for all - 
> transit included - then there is no need to make any special treatment for 
> stubs. Question withdrawn.
>
> ---
>
> However I would like to ask for some clarification on why bgpsec is all about 
> securing advertised nets and does not (at least to the best of my knowledge) 
> certify that such prefixes have been advertised with legitimate next hops 
> (the one which the prefix owner really owns). I browsed the respective drafts
> and did not find a trace of such.

The owner of the advertised prefix doesn't have ownership of the next hops
along the path, nor does it have anything to say about the legitimacy of
next hops along the path.

There's this whole "third party next hop" concept which would make
determining legitimacy of the next hop complicated.

--Sandy, speaking as regular ol' wg member


>
> If we talk about RS in particular such RS is not in the data path hence it is 
> not modifying next hops as received from his clients.
>
> How are we going to protect the paths from compromised RS where the prefixes 
> are advertised correctly but next hops are bogus ? What's worse client's 
> customers connected via such RS may have chosen such paths as best even if 
> they have alternatives ...
>
> Thx,
> R.
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr
>

From raszuk@cisco.com  Sat Jul  9 16:23:18 2011
Return-Path: <raszuk@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2868C21F8AC4 for <sidr@ietfa.amsl.com>; Sat,  9 Jul 2011 16:23:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.632
X-Spam-Level: 
X-Spam-Status: No, score=-3.632 tagged_above=-999 required=5 tests=[AWL=-1.633, BAYES_00=-2.599, J_CHICKENPOX_14=0.6]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b5OfuknIFSZS for <sidr@ietfa.amsl.com>; Sat,  9 Jul 2011 16:23:17 -0700 (PDT)
Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) by ietfa.amsl.com (Postfix) with ESMTP id 7DB5421F8A6F for <sidr@ietf.org>; Sat,  9 Jul 2011 16:23:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=raszuk@cisco.com; l=1710; q=dns/txt; s=iport; t=1310253797; x=1311463397; h=message-id:date:from:reply-to:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=xQxuPNPilKZS1niT2v4XBmKnS/1JKLZ0cYNOMPclEgA=; b=SO2c5zhVirfysWrztwCDxTJdFrVb6jObjvlQK21UHnYhBS7kHNrED3Vv feu8+wOzrduorPrum1qUTIKwQSStrX7Sl+k/Jt4EiwVU9XIV9+UNcPBhs ZWTPhhTipIynmfSDG0UOPrAF1pOIe6jbkPfDQUCarwEPY1YSysexl97a3 s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av0EAKbiGE6rRDoJ/2dsb2JhbABTp1N3iHqlE4MVDwGZTIY6BJJUhH6LSw
X-IronPort-AV: E=Sophos;i="4.65,506,1304294400";  d="scan'208";a="1401185"
Received: from mtv-core-4.cisco.com ([171.68.58.9]) by rcdn-iport-9.cisco.com with ESMTP; 09 Jul 2011 23:23:17 +0000
Received: from [192.168.1.66] (sjc-raszuk-87113.cisco.com [10.20.147.254]) by mtv-core-4.cisco.com (8.14.3/8.14.3) with ESMTP id p69NNF0q010140; Sat, 9 Jul 2011 23:23:15 GMT
Message-ID: <4E18E2EB.3040602@cisco.com>
Date: Sun, 10 Jul 2011 01:23:23 +0200
From: Robert Raszuk <raszuk@cisco.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.18) Gecko/20110616 Thunderbird/3.1.11
MIME-Version: 1.0
To: Sandra Murphy <Sandra.Murphy@sparta.com>
References: <012601cc3d54$8f07c4e0$ad174ea0$@highwayman.com> <m2y609kptw.wl%randy@psg.com> <014001cc3d74$319571c0$94c05540$@highwayman.com> <m2pqlklw3v.wl%randy@psg.com> <014a01cc3d7f$6312f730$2938e590$@highwayman.com> <m2oc14ljh7.wl%randy@psg.com> <017d01cc3da0$9f8cd390$dea67ab0$@highwayman.com> <4E17646A.1050600@cisco.com> <Pine.WNT.4.64.1107091843190.3744@SMURPHY-LT.columbia.ads.sparta.com>
In-Reply-To: <Pine.WNT.4.64.1107091843190.3744@SMURPHY-LT.columbia.ads.sparta.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: sidr@ietf.org
Subject: Re: [sidr] IXP and Route Server and Next Hop transparency
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: raszuk@cisco.com
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Jul 2011 23:23:18 -0000

Hi Sandy,

> The owner of the advertised prefix doesn't have ownership of the next
> hops along the path, nor does it have anything to say about the
> legitimacy of next hops along the path.
>
> There's this whole "third party next hop" concept which would make
> determining legitimacy of the next hop complicated.

Third party next hop (typical in IX cases) assures that the ownership of 
the next hop stays unchanged. So I would observe that this would make it 
actually easier there.

Moreover there are deployed applications which specifically mandate to
not change next hop across AS boundaries. As an example I could bring
Inter-AS option C for L3VPNs. Note that there can be transit ASes in the
path too. So how are we going to assure a customer of such service that
the advertising prefix from customer site attached to AS 1, transiting
via AS 2 and terminating at AS 3 got to the final site on the other side
uncompromised?

Maybe one should ask the bigger question: Is BGPSec as is being defined
in SIDR applicable to other address families other than 1/1|2 and 2/1|2
which still carry IP prefixes or is it out of scope?

How about Internet as a VPN (aka Internet in a VRF scenarios) where 
internet routes may travel as vpnv4/vpnv6 updates ?

How about those address families in BGP which are designed to carry 
control plane information between domains for example: bgp flowspec or 
rt-constrain ?

I am just trying to understand if we are talking more of enhancements to 
bgp security (bgp being the protocol) or perhaps about just limiting the 
SIDR scope to build a new layer for controlling traditional Internet 
prefix propagation ?

Many thx.
R.

From internet-drafts@ietf.org  Sun Jul 10 07:04:53 2011
Return-Path: <internet-drafts@ietf.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26E5A21F86C2; Sun, 10 Jul 2011 07:04:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.515
X-Spam-Level: 
X-Spam-Status: No, score=-102.515 tagged_above=-999 required=5 tests=[AWL=0.084, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mERem2xNZaMf; Sun, 10 Jul 2011 07:04:52 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 933EA21F8655; Sun, 10 Jul 2011 07:04:52 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 3.55
Message-ID: <20110710140452.15030.60532.idtracker@ietfa.amsl.com>
Date: Sun, 10 Jul 2011 07:04:52 -0700
Cc: sidr@ietf.org
Subject: [sidr] I-D Action: draft-ietf-sidr-origin-ops-10.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Jul 2011 14:04:53 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Secure Inter-Domain Routing Working Group of the IETF.

	Title           : RPKI-Based Origin Validation Operation
	Author(s)       : Randy Bush
	Filename        : draft-ietf-sidr-origin-ops-10.txt
	Pages           : 9
	Date            : 2011-07-10

   Deployment of RPKI-based BGP origin validation has many operational
   considerations.  This document attempts to collect and present them.
   It is expected to evolve as RPKI-based origin validation is deployed
   and the dynamics are better understood.



A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-sidr-origin-ops-10.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-sidr-origin-ops-10.txt

From internet-drafts@ietf.org  Sun Jul 10 07:05:04 2011
Return-Path: <internet-drafts@ietf.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4306021F872F; Sun, 10 Jul 2011 07:05:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.517
X-Spam-Level: 
X-Spam-Status: No, score=-102.517 tagged_above=-999 required=5 tests=[AWL=0.082, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AzkkSRvJsLcv; Sun, 10 Jul 2011 07:05:03 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4A0421F86D4; Sun, 10 Jul 2011 07:05:03 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 3.55
Message-ID: <20110710140503.14978.62247.idtracker@ietfa.amsl.com>
Date: Sun, 10 Jul 2011 07:05:03 -0700
Cc: sidr@ietf.org
Subject: [sidr] I-D Action: draft-ietf-sidr-ghostbusters-05.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Jul 2011 14:05:04 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Secure Inter-Domain Routing Working Group of the IETF.

	Title           : The RPKI Ghostbusters Record
	Author(s)       : Randy Bush
	Filename        : draft-ietf-sidr-ghostbusters-05.txt
	Pages           : 8
	Date            : 2011-07-10

   In the Resource Public Key Infrastructure (RPKI), resource
   certificates completely obscure names or any other information which
   might be useful for contacting responsible parties to deal with
   issues of certificate expiration, maintenance, roll-overs,
   compromises, etc.  This draft describes the RPKI Ghostbusters Record
   containing human contact information to be signed (indirectly) by a
   resource-owning certificate.  The data in the record are those of a
   severely profiled vCARD.



A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-sidr-ghostbusters-05.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-sidr-ghostbusters-05.txt

From internet-drafts@ietf.org  Sun Jul 10 07:05:13 2011
Return-Path: <internet-drafts@ietf.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C4C321F8743; Sun, 10 Jul 2011 07:05:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.52
X-Spam-Level: 
X-Spam-Status: No, score=-102.52 tagged_above=-999 required=5 tests=[AWL=0.079, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id su79zRPuJ38F; Sun, 10 Jul 2011 07:05:12 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D077A21F86B4; Sun, 10 Jul 2011 07:05:12 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 3.55
Message-ID: <20110710140512.15353.86942.idtracker@ietfa.amsl.com>
Date: Sun, 10 Jul 2011 07:05:12 -0700
Cc: sidr@ietf.org
Subject: [sidr] I-D Action: draft-ietf-sidr-rpki-rtr-14.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Jul 2011 14:05:13 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Secure Inter-Domain Routing Working Group of the IETF.

	Title           : The RPKI/Router Protocol
	Author(s)       : Randy Bush
                          Rob Austein
	Filename        : draft-ietf-sidr-rpki-rtr-14.txt
	Pages           : 25
	Date            : 2011-07-10

   In order to formally validate the origin ASs of BGP announcements,
   routers need a simple but reliable mechanism to receive RPKI
   [I-D.ietf-sidr-arch] prefix origin data from a trusted cache.  This
   document describes a protocol to deliver validated prefix origin data
   to routers.



A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-sidr-rpki-rtr-14.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-sidr-rpki-rtr-14.txt

From chris.hall@highwayman.com  Sun Jul 10 09:05:45 2011
Return-Path: <chris.hall@highwayman.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F019721F8745 for <sidr@ietfa.amsl.com>; Sun, 10 Jul 2011 09:05:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w5Vj3NnMGRRf for <sidr@ietfa.amsl.com>; Sun, 10 Jul 2011 09:05:45 -0700 (PDT)
Received: from anchor-post-3.mail.demon.net (anchor-post-3.mail.demon.net [195.173.77.134]) by ietfa.amsl.com (Postfix) with ESMTP id 4F42E21F873D for <sidr@ietf.org>; Sun, 10 Jul 2011 09:05:44 -0700 (PDT)
Received: from [80.177.246.162] (helo=hestia.halldom.com) by anchor-post-3.mail.demon.net with esmtp (Exim 4.69) id 1QfwVr-0001nI-p1; Sun, 10 Jul 2011 16:05:43 +0000
Received: from hyperion.halldom.com ([80.177.246.170] helo=HYPERION) by hestia.halldom.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.76) (envelope-from <chris.hall@highwayman.com>) id 1QfwVq-0008Gi-NL; Sun, 10 Jul 2011 17:05:42 +0100
From: "Chris Hall" <chris.hall@highwayman.com>
To: "'sidr wg list'" <sidr@ietf.org>
References: <012601cc3d54$8f07c4e0$ad174ea0$@highwayman.com> <m2y609kptw.wl%randy@psg.com> <014001cc3d74$319571c0$94c05540$@highwayman.com> <m2pqlklw3v.wl%randy@psg.com> <014a01cc3d7f$6312f730$2938e590$@highwayman.com> <m2oc14ljh7.wl%randy@psg.com> <017d01cc3da0$9f8cd390$dea67ab0$@highwayman.com> <Pine.WNT.4.64.1107081506110.1536@SMURPHY-LT.columbia.ads.sparta.com>
In-Reply-To: <Pine.WNT.4.64.1107081506110.1536@SMURPHY-LT.columbia.ads.sparta.com>
Date: Sun, 10 Jul 2011 17:05:37 +0100
Organization: Highwayman
Message-ID: <01ec01cc3f1b$383c8920$a8b59b60$@highwayman.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQLnVxnGjNWVOyUsj5rn4Yr0eH1c1gL48hq9AYUdEa8CIAtBeALePpAvAmnYtsEBdZrX2AJHVOEeki+ILYA=
Content-Language: en-gb
Cc: 'Sandra Murphy' <Sandra.Murphy@sparta.com>
Subject: Re: [sidr] draft-sriram-bgpsec-design-choices-00 -- IXP and Route Server
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Jul 2011 16:05:46 -0000

Sandra Murphy wrote (on Fri 08-Jul-2011 at 20:30):
...
> Section 6.6 rightly notes that if an AS decided to share its
> private key with another AS, no one outside the agreement
> could tell the difference.

As it stands, this is how a transparent route server could be
implemented.

I don't see a requirement to support transparent route servers in
draft-ietf-sidr-bgpsec-reqs :-(

Mind you, placing the RS ASN in the path might be said to violate:

  3.15 A BGPsec design MUST NOT require operators to reveal
       more than is currently revealed...

Though there's no shame in using an RS... except, perhaps, that your
larger ASes will tend not to, and may turn their noses up at those
that do.

Using an RS, IXP customers can peer with each other for the cost of
one BGP Session (or one with each local RS instance).  At some IXPs
there are several hundred RS clients.  The cost doesn't go away, but
falls on the RS, which scales as (N * N * R) -- number of clients 'N'
and average number of routes each 'R' -- that is: it scales horribly.

It would make life easier for the RS if the clients' routers were able
to do more of the work -- noting that it is vital that this does NOT
require any additional administrative effort beyond the initial
configuration, and that new RS clients are automatically connected to
all others (by default, at least).  But any change at the client end
requires some change to BGP and/or to administrative features of BGP
implementations... so good luck with that, as they say :-(

One such approach would use something like draft-walton-bgp-add-paths
(currently expired), so that the RS no longer has to make any best
path selection, but can pass all routes it has for each prefix, and
let the clients decide.  (This also solves the problem of how to allow
clients to tune the selection process in the RS.)

For BGPSEC it might be nice to push the signing out to the client:
suppose BGPSEC were extended, so that each route given to the RS
contained a list of AS Path signatures, one for each possible
destination.  This would also require a means for the RS to signal all
possible destination ASes, so that there is no need for administrators
to fiddle with their configurations.  This solves the private key
issue and has the happy property of moving work to the client --
except that they may not be quite ready to generate and send several
hundred path signatures per route !

More exotic would be to arrange for the RS to talk to a box in each
client which would provide the required signatures (inside the minimum
advertisement interval).  If that were a function of the local RPKI
Cache, then setting up a BGPSEC connection to the RS would be a little
more complicated, but once done would require no further work.  (The
request for a new signature could pass the current signatures, AS Path
and NLRI etc, so that the signing box can verify that the RS is not
asking for something it shouldn't.)

Chris
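
Added example, not part of the original post or of any SIDR draft: a sketch of the "push the signing out to the client" idea above, in which the client signs one copy of a route per destination AS and the RS only selects among those signatures. The route encoding, the function names, the use of ECDSA P-256 and the sample ASNs and prefix are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Route is a constructed stand-in for an announcement, not the BGPSEC
// wire format: one prefix and the AS of the RS client that originates it.
type Route struct {
	Prefix   string
	OriginAS uint32
}

// digest hashes the route together with the one AS allowed to receive it,
// so a signature is only valid for that destination.
func digest(r Route, targetAS uint32) []byte {
	var fixed [8]byte
	binary.BigEndian.PutUint32(fixed[0:4], r.OriginAS)
	binary.BigEndian.PutUint32(fixed[4:8], targetAS)
	h := sha256.New()
	h.Write(fixed[:])
	h.Write([]byte(r.Prefix))
	return h.Sum(nil)
}

// NewClientKey makes the client's signing key (ECDSA P-256 is an assumption).
func NewClientKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignForTargets runs on the RS client: one signature per possible
// destination AS, as signalled by the RS. The private key never leaves
// the client.
func SignForTargets(key *ecdsa.PrivateKey, r Route, targets []uint32) (map[uint32][]byte, error) {
	sigs := make(map[uint32][]byte, len(targets))
	for _, t := range targets {
		sig, err := ecdsa.SignASN1(rand.Reader, key, digest(r, t))
		if err != nil {
			return nil, err
		}
		sigs[t] = sig
	}
	return sigs, nil
}

// SelectForPeer runs on the RS: it holds no key and can only pick the
// signature the client already made for this peer, if there is one.
func SelectForPeer(sigs map[uint32][]byte, peerAS uint32) ([]byte, bool) {
	sig, ok := sigs[peerAS]
	return sig, ok
}

// VerifyAtReceiver runs on the receiving client: it recomputes the digest
// with its own AS number as the target and checks the signature.
func VerifyAtReceiver(pub *ecdsa.PublicKey, r Route, localAS uint32, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(r, localAS), sig)
}

func main() {
	key, err := NewClientKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample data: documentation prefix and documentation ASNs.
	r := Route{Prefix: "192.0.2.0/24", OriginAS: 64501}
	peers := []uint32{64502, 64503, 64504}

	sigs, err := SignForTargets(key, r, peers)
	if err != nil {
		panic(err)
	}
	fmt.Printf("client generated %d signatures for one route\n", len(sigs))

	sig, _ := SelectForPeer(sigs, 64502)
	fmt.Println("AS64502 accepts its own copy:",
		VerifyAtReceiver(&key.PublicKey, r, 64502, sig))
	// The RS hands AS64502's copy to AS64503: the target AS does not match.
	fmt.Println("AS64503 accepts AS64502's copy:",
		VerifyAtReceiver(&key.PublicKey, r, 64503, sig))
}
```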


From chris.hall@highwayman.com  Sun Jul 10 09:47:02 2011
Return-Path: <chris.hall@highwayman.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2390321F8593 for <sidr@ietfa.amsl.com>; Sun, 10 Jul 2011 09:47:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k6c7FAntSBUM for <sidr@ietfa.amsl.com>; Sun, 10 Jul 2011 09:47:01 -0700 (PDT)
Received: from anchor-post-2.mail.demon.net (anchor-post-2.mail.demon.net [195.173.77.133]) by ietfa.amsl.com (Postfix) with ESMTP id 8D2C221F857D for <sidr@ietf.org>; Sun, 10 Jul 2011 09:47:01 -0700 (PDT)
Received: from [80.177.246.162] (helo=hestia.halldom.com) by anchor-post-2.mail.demon.net with esmtp (Exim 4.69) id 1Qfx9o-00031U-mD; Sun, 10 Jul 2011 16:47:01 +0000
Received: from hyperion.halldom.com ([80.177.246.170] helo=HYPERION) by hestia.halldom.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.76) (envelope-from <chris.hall@highwayman.com>) id 1Qfx9n-0008Ng-D8; Sun, 10 Jul 2011 17:46:59 +0100
From: "Chris Hall" <chris.hall@highwayman.com>
To: "'Sriram, Kotikalapudi'" <kotikalapudi.sriram@nist.gov>
References: <012601cc3d54$8f07c4e0$ad174ea0$@highwayman.com>	<m2y609kptw.wl%randy@psg.com>	<014001cc3d74$319571c0$94c05540$@highwayman.com>	<m2pqlklw3v.wl%randy@psg.com>	<014a01cc3d7f$6312f730$2938e590$@highwayman.com>	<m2oc14ljh7.wl%randy@psg.com>	<017d01cc3da0$9f8cd390$dea67ab0$@highwayman.com> <Pine.WNT.4.64.1107081506110.1536@SMURPHY-LT.columbia.ads.sparta.com> <D7A0423E5E193F40BE6E94126930C4930879E9BDD3@MBCLUSTER.xchange.nist.gov>, <01ab01cc3e1b$db54d230$91fe7690$@highwayman.com> <D7A0423E5E193F40BE6E94126930C4930877FE8A5C@MBCLUSTER.xchange.nist.gov>
In-Reply-To: <D7A0423E5E193F40BE6E94126930C4930877FE8A5C@MBCLUSTER.xchange.nist.gov>
Date: Sun, 10 Jul 2011 17:46:54 +0100
Organization: Highwayman
Message-ID: <01f101cc3f20$fc7485e0$f55d91a0$@highwayman.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQLnVxnGjNWVOyUsj5rn4Yr0eH1c1gL48hq9AYUdEa8CIAtBeALePpAvAmnYtsEBdZrX2AJHVOEeAiwqzkIBlx5YnwDgus8ukg1WnoA=
Content-Language: en-gb
Cc: 'Sandra Murphy' <Sandra.Murphy@sparta.com>, 'sidr wg list' <sidr@ietf.org>
Subject: Re: [sidr] draft-sriram-bgpsec-design-choices-00 -- IXP and Route Server
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Jul 2011 16:47:02 -0000

Sriram, Kotikalapudi wrote (on 09-Jul-2011 at 14:30 +0100):
> Chris Hall wrote:
....
> >Strictly entre nous, I don't get a strong sense from the text that
> >entering into such an arrangement is an obvious and foolish mistake
> :-}
....
> Having said that, I respect Randy's viewpoint (and yours -- seems
> you are in agreement).

I was mostly paraphrasing the opinion which had been put to me quite
strongly.

From where I sit, I would happily trust, say, the LINX.  But I
entirely take the point that a better system would not require me to
depend entirely on trust; and someone new to the LINX might prefer not
to.

....
> We can revise Section 6.6 to put greater emphasis on the "cons" part
> of it.

I think that would be a most reasonable thing to do.

Particularly, from the RS perspective, because Proxy Signing is
(currently) how a Transparent BGPSEC RS might be implemented.  The
cons would be the basis for a case for some other solution, in the
BGPSEC protocol, or elsewhere. 

Chris


From internet-drafts@ietf.org  Sun Jul 10 16:33:33 2011
Return-Path: <internet-drafts@ietf.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F25F21F8749; Sun, 10 Jul 2011 16:33:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.524
X-Spam-Level: 
X-Spam-Status: No, score=-102.524 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f0w5oPoMR8yh; Sun, 10 Jul 2011 16:33:32 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9AFC021F8734; Sun, 10 Jul 2011 16:33:32 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 3.55
Message-ID: <20110710233332.16313.89421.idtracker@ietfa.amsl.com>
Date: Sun, 10 Jul 2011 16:33:32 -0700
Cc: sidr@ietf.org
Subject: [sidr] I-D Action: draft-ietf-sidr-ghostbusters-06.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Jul 2011 23:33:33 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Secure Inter-Domain Routing Working Group of the IETF.

	Title           : The RPKI Ghostbusters Record
	Author(s)       : Randy Bush
	Filename        : draft-ietf-sidr-ghostbusters-06.txt
	Pages           : 8
	Date            : 2011-07-10

   In the Resource Public Key Infrastructure (RPKI), resource
   certificates completely obscure names or any other information which
   might be useful for contacting responsible parties to deal with
   issues of certificate expiration, maintenance, roll-overs,
   compromises, etc.  This draft describes the RPKI Ghostbusters Record
   containing human contact information to be signed (indirectly) by a
   resource-owning certificate.  The data in the record are those of a
   severely profiled vCARD.



A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-sidr-ghostbusters-06.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-sidr-ghostbusters-06.txt

From randy@psg.com  Sun Jul 10 23:50:20 2011
Return-Path: <randy@psg.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B4C621F8A5D for <sidr@ietfa.amsl.com>; Sun, 10 Jul 2011 23:50:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.582
X-Spam-Level: 
X-Spam-Status: No, score=-2.582 tagged_above=-999 required=5 tests=[AWL=0.017,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3TH9OefYDCPF for <sidr@ietfa.amsl.com>; Sun, 10 Jul 2011 23:50:20 -0700 (PDT)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:1::36]) by ietfa.amsl.com (Postfix) with ESMTP id D68F721F84F4 for <sidr@ietf.org>; Sun, 10 Jul 2011 23:50:19 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=rair.psg.com.psg.com) by ran.psg.com with esmtp (Exim 4.76 (FreeBSD)) (envelope-from <randy@psg.com>) id 1QgAJt-000FlW-RW for sidr@ietf.org; Mon, 11 Jul 2011 06:50:18 +0000
Date: Mon, 11 Jul 2011 15:50:17 +0900
Message-ID: <m2fwmd5n12.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: sidr wg list <sidr@ietf.org>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Subject: [sidr] rpki-based origin validation mibs
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jul 2011 06:50:20 -0000

here are the two router mibs for the rpki-rtr protocol and for roa-based
origin validation in the router

    draft-ymbk-rpki-rtr-protocol-mib-01.txt
    draft-ymbk-bgp-origin-validation-mib-00.txt

randy

From rogaglia@cisco.com  Mon Jul 11 02:29:08 2011
Return-Path: <rogaglia@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC9D121F8AD6 for <sidr@ietfa.amsl.com>; Mon, 11 Jul 2011 02:29:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.598
X-Spam-Level: 
X-Spam-Status: No, score=-10.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ntqylO51xeeq for <sidr@ietfa.amsl.com>; Mon, 11 Jul 2011 02:29:07 -0700 (PDT)
Received: from ams-iport-2.cisco.com (ams-iport-2.cisco.com [144.254.224.141]) by ietfa.amsl.com (Postfix) with ESMTP id CD84D21F8AD7 for <sidr@ietf.org>; Mon, 11 Jul 2011 02:29:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=rogaglia@cisco.com; l=17765; q=dns/txt; s=iport; t=1310376547; x=1311586147; h=subject:mime-version:from:in-reply-to:date:cc:message-id: references:to; bh=L9socR2pc93y2qKsO5dx7kJ8t4kDlee/yaAM+2b+cXc=; b=WrRQ7oPxw7MbmPzPLocvTxhWLwppLHfG+TX3XU2yU0wKNMkoimBmaju6 j2UknZqrdi6j8nteJagQr11EqTX1QR+FFwG8YBYMOR3uezkRPTts+IPzL Y4bryrPJwUQoK2EHq0S54CeV7THMPegcEXwcQQFnFS5+75SiW6Zn62XwD E=;
X-Files: smime.p7s : 4389
X-IronPort-AV: E=Sophos;i="4.65,514,1304294400";  d="p7s'?scan'208,217";a="41527943"
Received: from ams-core-4.cisco.com ([144.254.72.77]) by ams-iport-2.cisco.com with ESMTP; 11 Jul 2011 09:29:05 +0000
Received: from dhcp-144-254-20-209.cisco.com (dhcp-144-254-20-209.cisco.com [144.254.20.209]) by ams-core-4.cisco.com (8.14.3/8.14.3) with ESMTP id p6B9T42e020308; Mon, 11 Jul 2011 09:29:05 GMT
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: multipart/signed; boundary=Apple-Mail-42--790621012; protocol="application/pkcs7-signature"; micalg=sha1
From: Roque Gagliano <rogaglia@cisco.com>
In-Reply-To: <AAA28269-7DC5-4E19-A05B-6FAA4DF01388@cisco.com>
Date: Mon, 11 Jul 2011 11:29:02 +0200
Message-Id: <C6D4299F-7C55-4420-B114-A829533A981C@cisco.com>
References: <20110708161252.27961.972.idtracker@ietfa.amsl.com> <42FAFCD2-C5F0-471C-8E90-A6AF0EC17DE6@cisco.com> <AAA28269-7DC5-4E19-A05B-6FAA4DF01388@cisco.com>
To: Brian Weis <bew@cisco.com>
X-Mailer: Apple Mail (2.1084)
Cc: "sidr@ietf.org wg" <sidr@ietf.org>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-algorithm-agility-01.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jul 2011 09:29:09 -0000

--Apple-Mail-42--790621012
Content-Type: multipart/alternative;
	boundary=Apple-Mail-41--790622431


--Apple-Mail-41--790622431
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Hi Brian,

Thank you very much for your review.

Please see my comments inline.

Roque

On Jul 8, 2011, at 9:08 PM, Brian Weis wrote:

> Hi Roque,
>
> This draft seems very complete. I have just a few questions and comments:
>
> 1. Section 2. "A failure to comply with this process during an algorithm transition MUST be considered as non-compliance with ...
> I-D.ietf-sidr-cp". I can't detect in the CP where failing to comply with this process would result in non-compliance. It would be helpful to be more specific here.

(Roque) This is good feedback but I think we cannot delay the publication of the CP document. The idea is that the Algorithm Suites definitions are part of the CP; consequently, the process to modify these suites should also be considered as a global RPKI requirement and thus tied to the CP.

>
> 2. Section 3. The definition of a "Non-Leaf CA" is "A CA that issues certificates to entities not under its administrative control." I believe this effectively means "CAs that have children", and if that's the intended meaning perhaps that's a better statement. The present definition could apply to a CA cross-certifying another CA and other non-child certificate signing. Even if those situations aren't expected to be possible within the RPKI, it would be helpful to clarify the definition. Also, it's not clear to me that a child CA is "under its administrative control" in the sense that the child CA (e.g., ISP) might not be administered by the parent (e.g., RIR).

(Roque) These are the "CAs that have children and with whom the signaling is carried out through the provisioning protocol".

What about changing the definition to:

Non-Leaf CA: A CA that issues certificates to external entities by using the provisioning protocol described in [PROV.].

>
> 3. Section 4.2. "The only milestone that affects both CAs and RPs, at the same moment is the EOL date.". But the "Process for RPKI CAs" figure shows that two milestones are aligned: (5) and (6). How do these reconcile?

(Roque)
I will change that, however, the milestone 5 (Twilight Date) is the date where the NEW becomes CURRENT and the CURRENT becomes OLD. If the RP and the CA did their part of the work, they should both be ready at that time to issue/revoke and validate certificates with both algorithms, so there is no "action" that should be taken at

>
> 4. Section 4.3. The alignment errors that Arturo mentioned don't seem to be fixed in -01. Did you mean to adjust them? Also, it might be worth stating explicitly in the Note following this first example that the indentation means "signed by".

(Roque)
Thanks. I will correct and do better "quality control".

>
> 5. Section 4.5. "During this phase all signed product sets MUST be available using both Algorithm Suite A and Algorithm Suite B." It isn't clear to me what "During this phase" means in Phase 2. Does it mean "By the end of this phase"? Or does it mean "Before the start of Phase 3", which is not the same moment in time according to the figures in Section 4.2. I'm inclined to think it means "Before the start of Phase 3", because by Phase 3 "all product sets are available". Although again, Section 4.6 uses the phrase "During this phrase" so that also isn't clear and I would recommend being more precise here too.

(Roque) "During this phase" means from start to end of this phase (i.e. after "CA Go Algorithm B date"). In Phase 2 all products are available using both algorithms but not all RPs MUST validate them both; that only happens in Phase 3 (after "RP Ready Algorithm B Date")


> 6. Section 4.5. "An RP that validates all signed product sets using both Algorithm Suite A or Algorithm Suite B, SHOULD expect the same results." The text added to this paragraph in -01 clarifies how to resolve certificate validation results that differ, but I think it would be helpful to include references to both Sections 6 and 7 here which cover issues when there are differences in validation more thoroughly.

(Roque) ok. will add.

> 7. (nit) The references for I-D.ietf-sidr-cp didn't get updated to -17. I didn't check other references.

(Roque) ok.

Thanks again,

Roque

>
> Thanks,
> Brian
>
> On Jul 8, 2011, at 9:14 AM, Roque Gagliano wrote:
>
>> In this new version we included the changes from the review by Arturo and several editorial nits.
>>
>> Please take a look at the document and send your comments.
>>
>> Roque.
>
> --
> Brian Weis
> Security Standards and Technology, SRTG, Cisco Systems
> Telephone: +1 408 526 4796
> Email: bew@cisco.com
>
>
>
>
>


--Apple-Mail-41--790622431--

--Apple-Mail-42--790621012--

From Sandra.Murphy@cobham.com  Mon Jul 11 08:22:27 2011
Return-Path: <Sandra.Murphy@cobham.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A72DC21F86AA for <sidr@ietfa.amsl.com>; Mon, 11 Jul 2011 08:22:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.037
X-Spam-Level: 
X-Spam-Status: No, score=-100.037 tagged_above=-999 required=5 tests=[AWL=2.562, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id geTTP2922boN for <sidr@ietfa.amsl.com>; Mon, 11 Jul 2011 08:22:26 -0700 (PDT)
Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by ietfa.amsl.com (Postfix) with ESMTP id 6B8A421F86DF for <sidr@ietf.org>; Mon, 11 Jul 2011 08:22:09 -0700 (PDT)
Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.13.5/8.13.5) with ESMTP id p6BFM74v002617; Mon, 11 Jul 2011 10:22:07 -0500
Received: from mailbin2.ads.sparta.com (mailbin.sparta.com [157.185.85.6]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id p6BFM7As029630; Mon, 11 Jul 2011 10:22:07 -0500
Received: from SMURPHY-LT.columbia.ads.sparta.com ([157.185.81.116]) by mailbin2.ads.sparta.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675); Mon, 11 Jul 2011 11:22:06 -0400
Date: Mon, 11 Jul 2011 11:22:06 -0400 (Eastern Daylight Time)
From: Sandra Murphy <Sandra.Murphy@sparta.com>
To: Roque Gagliano <rogaglia@cisco.com>
In-Reply-To: <C6D4299F-7C55-4420-B114-A829533A981C@cisco.com>
Message-ID: <Pine.WNT.4.64.1107111119490.3744@SMURPHY-LT.columbia.ads.sparta.com>
References: <20110708161252.27961.972.idtracker@ietfa.amsl.com> <42FAFCD2-C5F0-471C-8E90-A6AF0EC17DE6@cisco.com> <AAA28269-7DC5-4E19-A05B-6FAA4DF01388@cisco.com> <C6D4299F-7C55-4420-B114-A829533A981C@cisco.com>
X-X-Sender: sandy@mailbin.sparta.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-OriginalArrivalTime: 11 Jul 2011 15:22:06.0533 (UTC) FILETIME=[4B49F750:01CC3FDE]
Cc: "sidr@ietf.org wg" <sidr@ietf.org>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-algorithm-agility-01.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jul 2011 15:22:27 -0000

On Mon, 11 Jul 2011, Roque Gagliano wrote:

> Hi Brian,
>
> Thank you very much for your review.
>
> Please see my comments inline.
>
> Roque
>
> On Jul 8, 2011, at 9:08 PM, Brian Weis wrote:
>
>> Hi Roque,
>>
>> This draft seems very complete. I have just a few questions and comments:
>>
>> 1. Section 2. "A failure to comply with this process during an algorithm transition MUST be considered as non-compliance with ...
>> I-D.ietf-sidr-cp". I can't detect in the CP where failing to comply with this process would result in non-compliance. It would be helpful to be more specific here.
>
> (Roque) This is good feedback but I think we cannot delay the publication of the CP document. The idea is that the Algorithm Suites definitions are part of the CP; consequently, the process to modify these suites should also be considered as a global RPKI requirement and thus tied to the CP.
>

You seem to be saying that the alg transition mechanism is an addition to
the global cert policy - an addendum/update of the CP (RSN an) RFC.

True?

If so, that should be noted.

--Sandy, speaking as wg chair, ceremonial vestments and badges donned


>>
>> 2. Section 3. The definition of a "Non-Leaf CA" is "A CA that issues certificates to entities not under its administrative control." I believe this effectively means "CAs that have children", and if that's the intended meaning perhaps that's a better statement. The present definition could apply to a CA cross-certifying another CA and other non-child certificate signing. Even if those situations aren't expected to be possible within the RPKI, it would be helpful to clarify the definition. Also, it's not clear to me that a child CA is "under its administrative control" in the sense that the child CA (e.g., ISP) might not be administered by the parent (e.g., RIR).
>
> (Roque) These are the "CAs that have children and with whom the signaling is carried out through the provisioning protocol".
>
> What about changing the definition to:
>
> Non-Leaf CA: A CA that issues certificates to external entities by using the provisioning protocol described in [PROV.].
>
>>
>> 3. Section 4.2. "The only milestone that affects both CAs and RPs, at the same moment is the EOL date.". But the "Process for RPKI CAs" figure shows that two milestones are aligned: (5) and (6). How do these reconcile?
>
> (Roque)
> I will change that, however, the milestone 5 (Twilight Date) is the date where the NEW becomes CURRENT and the CURRENT becomes OLD. If the RP and the CA did their part of the work, they should both be ready at that time to issue/revoke and validate certificates with both algorithms, so there is no "action" that should be taken at
>
>>
>> 4. Section 4.3. The alignment errors that Arturo mentioned don't seem to be fixed in -01. Did you mean to adjust them? Also, it might be worth stating explicitly in the Note following this first example that the indentation means "signed by".
>
> (Roque)
> Thanks. I will correct and do better "quality control".
>
>>
>> 5. Section 4.5. "During this phase all signed product sets MUST be available using both Algorithm Suite A and Algorithm Suite B." It isn't clear to me what "During this phase" means in Phase 2. Does it mean "By the end of this phase"? Or does it mean "Before the start of Phase 3", which is not the same moment in time according to the figures in Section 4.2. I'm inclined to think it means "Before the start of Phase 3", because by Phase 3 "all product sets are available". Although again, Section 4.6 uses the phrase "During this phrase" so that also isn't clear and I would recommend being more precise here too.
>
> (Roque) "During this phase" means from start to end of this phase (i.e. after "CA Go Algorithm B date"). In Phase 2 all products are available using both algorithms but not all RPs MUST validate them both; that only happens in Phase 3 (after "RP Ready Algorithm B Date")
>
>
>> 6. Section 4.5. "An RP that validates all signed product sets using both Algorithm Suite A or Algorithm Suite B, SHOULD expect the same results." The text added to this paragraph in -01 clarifies how to resolve certificate validation results that differ, but I think it would be helpful to include references to both Sections 6 and 7 here which cover issues when there are differences in validation more thoroughly.
>
> (Roque) ok. will add.
>
>> 7. (nit) The references for I-D.ietf-sidr-cp didn't get updated to -17. I didn't check other references.
>
> (Roque) ok.
>
> Thanks again,
>
> Roque
>
>>
>> Thanks,
>> Brian
>>
>> On Jul 8, 2011, at 9:14 AM, Roque Gagliano wrote:
>>
>>> In this new version we included the changes from the review by Arturo and several editorial nits.
>>>
>>> Please take a look at the document and send your comments.
>>>
>>> Roque.
>>
>> --
>> Brian Weis
>> Security Standards and Technology, SRTG, Cisco Systems
>> Telephone: +1 408 526 4796
>> Email: bew@cisco.com
>>
>>
>>
>>
>>
>
>

From internet-drafts@ietf.org  Mon Jul 11 09:04:15 2011
Return-Path: <internet-drafts@ietf.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B028921F8E79; Mon, 11 Jul 2011 09:04:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4qVbJqlXw3iZ; Mon, 11 Jul 2011 09:04:15 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E42221F8E58; Mon, 11 Jul 2011 09:04:15 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 3.55
Message-ID: <20110711160415.4108.75814.idtracker@ietfa.amsl.com>
Date: Mon, 11 Jul 2011 09:04:15 -0700
Cc: sidr@ietf.org
Subject: [sidr] I-D Action: draft-ietf-sidr-publication-01.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jul 2011 16:04:15 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Secure Inter-Domain Routing Working Group of the IETF.

	Title           : A Publication Protocol for the Resource Public Key Infrastructure (RPKI)
	Author(s)       : Samuel Weiler
                          Anuja Sonalker
                          Rob Austein
	Filename        : draft-ietf-sidr-publication-01.txt
	Pages           : 11
	Date            : 2011-07-11

   This document defines a protocol for publishing Resource Public Key
   Infrastructure (RPKI) objects.  Even though the RPKI will have many
   participants issuing certificates and creating other objects, it is
   operationally useful to consolidate the publication of those objects.
   This document provides the protocol for doing so.


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-sidr-publication-01.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-sidr-publication-01.txt

From bew@cisco.com  Mon Jul 11 09:43:16 2011
Return-Path: <bew@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2703B11E80E8 for <sidr@ietfa.amsl.com>; Mon, 11 Jul 2011 09:43:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level: 
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[AWL=-4.001, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p0T3B8IEKBfk for <sidr@ietfa.amsl.com>; Mon, 11 Jul 2011 09:43:15 -0700 (PDT)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) by ietfa.amsl.com (Postfix) with ESMTP id B356C11E80AF for <sidr@ietf.org>; Mon, 11 Jul 2011 09:43:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=bew@cisco.com; l=17074; q=dns/txt; s=iport; t=1310402594; x=1311612194; h=subject:mime-version:from:in-reply-to:date:cc:message-id: references:to; bh=0bTy8eXKpLpB0wNMzufbbwUpHkLUDEGJVBSdpm0gJAg=; b=NePi9KILlpcHzAwuwyZyWcRx52xfHSvXtOSqqkLG4XA7XpOzpUlIsFLN nTdyhqb/o3oisMm+XOotfxx34Dhou4EOmHuQh2VBn3cvkDrQQj5u2wZtT dloxQJpE4Tmu5BWa/fcwBqVx9k7o7UB7VRSMryXRf5iejYsUBWmYlIvt3 Y=;
X-IronPort-AV: E=Sophos;i="4.65,516,1304294400"; d="scan'208,217";a="1784601"
Received: from mtv-core-1.cisco.com ([171.68.58.6]) by rcdn-iport-5.cisco.com with ESMTP; 11 Jul 2011 16:43:14 +0000
Received: from stealth-10-32-244-213.cisco.com (stealth-10-32-244-213.cisco.com [10.32.244.213]) by mtv-core-1.cisco.com (8.14.3/8.14.3) with ESMTP id p6BGhDfL002856; Mon, 11 Jul 2011 16:43:13 GMT
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: multipart/alternative; boundary=Apple-Mail-25--764571937
From: Brian Weis <bew@cisco.com>
In-Reply-To: <C6D4299F-7C55-4420-B114-A829533A981C@cisco.com>
Date: Mon, 11 Jul 2011 09:43:13 -0700
Message-Id: <A397AF2B-16A0-4A60-B278-CA6291A2F8F3@cisco.com>
References: <20110708161252.27961.972.idtracker@ietfa.amsl.com> <42FAFCD2-C5F0-471C-8E90-A6AF0EC17DE6@cisco.com> <AAA28269-7DC5-4E19-A05B-6FAA4DF01388@cisco.com> <C6D4299F-7C55-4420-B114-A829533A981C@cisco.com>
To: Roque Gagliano <rogaglia@cisco.com>
X-Mailer: Apple Mail (2.1084)
Cc: "sidr@ietf.org wg" <sidr@ietf.org>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-algorithm-agility-01.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jul 2011 16:43:16 -0000

--Apple-Mail-25--764571937
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Hi Roque,

On Jul 11, 2011, at 2:29 AM, Roque Gagliano wrote:

> Hi Brian,
>
> Thank you very much for your review.
>
> Please see my comments inline.
>
> Roque
>
> On Jul 8, 2011, at 9:08 PM, Brian Weis wrote:
>
>> Hi Roque,
>>
>> This draft seems very complete. I have just a few questions and comments:
>>
>> 1. Section 2. "A failure to comply with this process during an algorithm transition MUST be considered as non-compliance with ...
>> I-D.ietf-sidr-cp". I can't detect in the CP where failing to comply with this process would result in non-compliance. It would be helpful to be more specific here.
>
> (Roque) This is good feedback but I think we cannot delay the publication of the CP document. The idea is that the Algorithm Suites definitions are part of the CP; consequently, the process to modify these suites should also be considered as a global RPKI requirement and thus tied to the CP.

I didn't intend to affect the CP document. But since this statement implies that this document "updates" the CP, then I think this document should say so at the top. I believe that was Sandy's point.

>
>>
>> 2. Section 3. The definition of a "Non-Leaf CA" is "A CA that issues certificates to entities not under its administrative control." I believe this effectively means "CAs that have children", and if that's the intended meaning perhaps that's a better statement. The present definition could apply to a CA cross-certifying another CA and other non-child certificate signing. Even if those situations aren't expected to be possible within the RPKI, it would be helpful to clarify the definition. Also, it's not clear to me that a child CA is "under its administrative control" in the sense that the child CA (e.g., ISP) might not be administered by the parent (e.g., RIR).
>
> (Roque) These are the "CAs that have children and with whom the signaling is carried out through the provisioning protocol".
>
> What about changing the definition to:
>
> Non-Leaf CA: A CA that issues certificates to external entities by using the provisioning protocol described in [PROV.].

That's a good precise definition.

>
>>
>> 3. Section 4.2. "The only milestone that affects both CAs and RPs, at the same moment is the EOL date.". But the "Process for RPKI CAs" figure shows that two milestones are aligned: (5) and (6). How do these reconcile?
>
> (Roque)
> I will change that, however, the milestone 5 (Twilight Date) is the date where the NEW becomes CURRENT and the CURRENT becomes OLD. If the RP and the CA did their part of the work, they should both be ready at that time to issue/revoke and validate certificates with both algorithms, so there is no "action" that should be taken at

I understand now, but that's a subtle interpretation of "affects". It might be clearer to say something like "The only milestone at which both CAs and RPs take action at the same moment is the EOL date". (And that's a powerful statement, in my opinion.)

>
>>
>> 4. Section 4.3. The alignment errors that Arturo mentioned don't seem to be fixed in -01. Did you mean to adjust them? Also, it might be worth stating explicitly in the Note following this first example that the indentation means "signed by".
>
> (Roque)
> Thanks. I will correct and do better "quality control".
>
>>
>> 5. Section 4.5. "During this phase all signed product sets MUST be available using both Algorithm Suite A and Algorithm Suite B." It isn't clear to me what "During this phase" means in Phase 2. Does it mean "By the end of this phase"? Or does it mean "Before the start of Phase 3", which is not the same moment in time according to the figures in Section 4.2. I'm inclined to think it means "Before the start of Phase 3", because by Phase 3 "all product sets are available". Although again, Section 4.6 uses the phrase "During this phrase" so that also isn't clear and I would recommend being more precise here too.
>
> (Roque) "During this phase" means from start to end of this phase (i.e. after "CA Go Algorithm B date"). In Phase 2 all products are available using both algorithms but not all RPs MUST validate them both; that only happens in Phase 3 (after "RP Ready Algorithm B Date")

According to a dictionary I consulted, I note that "during" does mean "throughout" so the use of that word is accurate with your clarification. But I do think it would be clearer if "During the phase" was replaced with "Throughout this phase", "From the start of this phase", or something that is less semantic.

Thanks,
Brian

>> 6. Section 4.5. "An RP that validates all signed product sets using both Algorithm Suite A or Algorithm Suite B, SHOULD expect the same results." The text added to this paragraph in -01 clarifies how to resolve certificate validation results that differ, but I think it would be helpful to include references to both Sections 6 and 7 here which cover issues when there are differences in validation more thoroughly.
>
> (Roque) ok. will add.
>
>> 7. (nit) The references for I-D.ietf-sidr-cp didn't get updated to -17. I didn't check other references.
>
> (Roque) ok.
>
> Thanks again,
>
> Roque
>
>>
>> Thanks,
>> Brian
>>
>> On Jul 8, 2011, at 9:14 AM, Roque Gagliano wrote:
>>
>>> In this new version we included the changes from the review by Arturo and several editorial nits.
>>>
>>> Please take a look at the document and send your comments.
>>>
>>> Roque.
>>
>> --
>> Brian Weis
>> Security Standards and Technology, SRTG, Cisco Systems
>> Telephone: +1 408 526 4796
>> Email: bew@cisco.com
>>
>>
>>
>>
>>
>


--
Brian Weis
Security Standards and Technology, SRTG, Cisco Systems
Telephone: +1 408 526 4796
Email: bew@cisco.com






--Apple-Mail-25--764571937--

From rogaglia@cisco.com  Mon Jul 11 10:04:28 2011
Return-Path: <rogaglia@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7CA111E808B for <sidr@ietfa.amsl.com>; Mon, 11 Jul 2011 10:04:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level: 
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C0AKmZ1R+pjG for <sidr@ietfa.amsl.com>; Mon, 11 Jul 2011 10:04:28 -0700 (PDT)
Received: from ams-iport-2.cisco.com (ams-iport-2.cisco.com [144.254.224.141]) by ietfa.amsl.com (Postfix) with ESMTP id 2EA8821F8E4D for <sidr@ietf.org>; Mon, 11 Jul 2011 10:04:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=rogaglia@cisco.com; l=11693; q=dns/txt; s=iport; t=1310403867; x=1311613467; h=subject:mime-version:from:in-reply-to:date:cc:message-id: references:to; bh=btDVC8VH1KHMH60WnRQjP7E6s+/2Ga7KMuT102RHtLU=; b=GkttJO2yjW0qCcfRi8VeLARWd7BmW0o3X7xjUu3y+Np+n9FUXjpe7Ipb mBjChmFrod2Xpc2VDlRucEhEy+RW820R4ziAjI3oz2+PXV8ASIkp9Tu8M 0/jkindZKIEX4UxGdYffVaxpmLfkGLexYB2Q1Gjot/L//cE6wTOy2VA6t A=;
X-Files: smime.p7s : 4389
X-IronPort-AV: E=Sophos;i="4.65,516,1304294400";  d="p7s'?scan'208";a="41606383"
Received: from ams-core-2.cisco.com ([144.254.72.75]) by ams-iport-2.cisco.com with ESMTP; 11 Jul 2011 17:04:23 +0000
Received: from dhcp-144-254-20-209.cisco.com (dhcp-144-254-20-209.cisco.com [144.254.20.209]) by ams-core-2.cisco.com (8.14.3/8.14.3) with ESMTP id p6BH4NtC004499; Mon, 11 Jul 2011 17:04:23 GMT
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: multipart/signed; boundary=Apple-Mail-135--763302259; protocol="application/pkcs7-signature"; micalg=sha1
From: Roque Gagliano <rogaglia@cisco.com>
In-Reply-To: <Pine.WNT.4.64.1107111119490.3744@SMURPHY-LT.columbia.ads.sparta.com>
Date: Mon, 11 Jul 2011 19:04:21 +0200
Message-Id: <72402FD7-69F3-4CFD-A2FF-A4CAD1D23977@cisco.com>
References: <20110708161252.27961.972.idtracker@ietfa.amsl.com> <42FAFCD2-C5F0-471C-8E90-A6AF0EC17DE6@cisco.com> <AAA28269-7DC5-4E19-A05B-6FAA4DF01388@cisco.com> <C6D4299F-7C55-4420-B114-A829533A981C@cisco.com> <Pine.WNT.4.64.1107111119490.3744@SMURPHY-LT.columbia.ads.sparta.com>
To: Sandra Murphy <Sandra.Murphy@sparta.com>
X-Mailer: Apple Mail (2.1084)
Cc: "sidr@ietf.org wg" <sidr@ietf.org>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-algorithm-agility-01.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jul 2011 17:04:28 -0000

--Apple-Mail-135--763302259
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Hi Sandra,

>>> Hi Roque,
>>>
>>> This draft seems very complete. I have just a few questions and comments:
>>>
>>> 1. Section 2. "A failure to comply with this process during an algorithm transition MUST be considered as non-compliance with ...
>>> I-D.ietf-sidr-cp". I can't detect in the CP where failing to comply with this process would be result in non-compliance. It would be hopeful to more specific here.
>>
>> (Roque) This is good feedback but I think we cannot delay the publication of the CP document. The idea is that the Algorithm Suites definition are part of the CP, consequently, the process to modify these suites should also be consider as a global RPKI requirement and thus tied to the CP.
>>
>
> You seem to be saying that the alg transition mechanism is an addition to
> the global cert policy - an addendum/update of the CP (RSN an) RFC.
>
> True?
>
>=20

We could ask the CP or the Alg. document authors to add a reference during the AUTH48 process. That would be an easy fix.

Roque.


> If so, that should be noted.
>
> --Sandy, speaking as wg chair, ceremonial vestments and badges donned
>
>
>>>
>>> 2. Section 3. The definition of a "Non-Leaf CA" is "A CA that issues certificates to entities not under its administrative control." I believe this effectively means "CAs that have children", and if that's the intended meaning perhaps that's a better statement. The present definition could apply to a CA cross-certifying another CA and other non-child certificate signing. Even if those situations don't expect to be possible within the RPKI, it would be helpful to clarify the definition. Also, it's not clear to me that a child CA is "under its administrative control" in the sense that the child CA (e.g., ISP) might not be administered by the parent (e.g., RIR).
>>
>> (Roque) These are the "CA that have children and with whom the signaling is carried out through the provisioning protocol".
>>
>> What about changing the definition to"
>>
>> Non-Leaf CA: A CA that issues certificates to external entities by using the provisioning protocol described in [PROV.].
>>
>>>
>>> 3. Section 4.2. "The only milestone that affects both CAs and RPs, at the same moment is the EOL date.". But the "Process for RPKI CAs" figure shows that two milestones are aligned: (5) and (6). How do these reconcile?
>>
>> (Roque)
>> I will change that, however, the milestone 5 (Twilight Date) is the date where the NEW becomes CURRENT and the CURRENT becomes OLD. If the RP and the CA did their part of the work, they should both be ready at that time to issue/revoke and validate certificates with both algorithms, so there is no "action" that should be taken at
>>
>>>
>>> 4. Section 4.3. The alignment errors that Arturo mentioned don't seem to be fixed in -01. Did you mean to adjust them? Also, it might be worth stating explicitly in the Note following this first example that the indentation mean "signed by".
>>
>> (Roque)
>> Thanks. I will correct and do better "quality control".
>>
>>>
>>> 5. Section 4.5. "During this phase all signed product sets MUST be available using both Algorithm Suite A and Algorithm Suite B." It isn't clear to me what "During this phase" means in Phase 2. Does it mean "By the end of this phase"? Or does it mean "Before the start of Phase 3", which is not the same moment in time according to the figures in Section 4.2. I'm inclined to think it means "Before the start of Phase 3", because by Phase 3 "all product sets are available". Although again, Section 4.6 uses the phrase "During this phrase" so that also isn't clear and I would recommend being more precise here too.
>>
>> (Roque) "During this phase" means since start to end of these phase (i.e. after "CA Go Algorithm B date"). In Phase 2 all products are available using both algorithms but not all RP MUST validate them both, that only happens in Phase 3 (after "RP Ready Algorithm B Date")
>>
>>
>>> 6. Section 4.5. "An RP that validates all signed product sets using both Algorithm Suite A or Algorithm Suite B, SHOULD expect the same results." The text added to this paragraph in -01 clarifies how to resolve certificate validation results that differ, but I think it would be helpful to include references to both Sections 6 and 7 here which cover issues when on there are differences in validation more thoroughly.
>>
>> (Roque) ok. will add.
>>
>>> 7. (nit) The references for I-D.ietf-sidr-cp didn't get updated to -17. I didn't check other references.
>>
>> (Roque) ok.
>>
>> Thanks again,
>>
>> Roque
>>
>>>
>>> Thanks,
>>> Brian
>>>
>>> On Jul 8, 2011, at 9:14 AM, Roque Gagliano wrote:
>>>
>>>> In this new version we included the changes from the review by Arturo and several editorial nits.
>>>>
>>>> Please take a look at the document and send your comments.
>>>>
>>>> Roque.
>>>
>>> --
>>> Brian Weis
>>> Security Standards and Technology, SRTG, Cisco Systems
>>> Telephone: +1 408 526 4796
>>> Email: bew@cisco.com
>>>
>>>
>>>
>>>
>>>
>>
>>


--Apple-Mail-135--763302259--

From rogaglia@cisco.com  Mon Jul 11 10:11:43 2011
Return-Path: <rogaglia@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5496721F8E9E for <sidr@ietfa.amsl.com>; Mon, 11 Jul 2011 10:11:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.598
X-Spam-Level: 
X-Spam-Status: No, score=-10.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uTVnJ+wEol0N for <sidr@ietfa.amsl.com>; Mon, 11 Jul 2011 10:11:42 -0700 (PDT)
Received: from ams-iport-2.cisco.com (ams-iport-2.cisco.com [144.254.224.141]) by ietfa.amsl.com (Postfix) with ESMTP id EF46521F8E9D for <sidr@ietf.org>; Mon, 11 Jul 2011 10:11:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=rogaglia@cisco.com; l=25146; q=dns/txt; s=iport; t=1310404301; x=1311613901; h=subject:mime-version:from:in-reply-to:date:cc:message-id: references:to; bh=hufwJsRQOlXd0GbZb54peKb6S8a9RoPs/El6aBXZYFE=; b=dcgSdReJrfpeIgpYNvMD8bHvbuD2KJ2veTzKtdB6bz0M24T+5OosWxFD ZxhxgwD55Plj6VHaZmh3usNZngAO2AEVaesPZuYpn6+s16xjvKI4+uaBL +/GGJ0L7SES9nPEk1ctWQosSplwqUNBRDWRlOp1ct9JpF3QcCifaNh2EC Q=;
X-Files: smime.p7s : 4389
X-IronPort-AV: E=Sophos;i="4.65,516,1304294400";  d="p7s'?scan'208,217";a="41607298"
Received: from ams-core-1.cisco.com ([144.254.72.81]) by ams-iport-2.cisco.com with ESMTP; 11 Jul 2011 17:11:34 +0000
Received: from dhcp-144-254-20-209.cisco.com (dhcp-144-254-20-209.cisco.com [144.254.20.209]) by ams-core-1.cisco.com (8.14.3/8.14.3) with ESMTP id p6BHBXZM030293; Mon, 11 Jul 2011 17:11:34 GMT
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: multipart/signed; boundary=Apple-Mail-142--762872081; protocol="application/pkcs7-signature"; micalg=sha1
From: Roque Gagliano <rogaglia@cisco.com>
In-Reply-To: <A397AF2B-16A0-4A60-B278-CA6291A2F8F3@cisco.com>
Date: Mon, 11 Jul 2011 19:11:32 +0200
Message-Id: <61229E07-F49D-490D-803A-D5419B88ADC9@cisco.com>
References: <20110708161252.27961.972.idtracker@ietfa.amsl.com> <42FAFCD2-C5F0-471C-8E90-A6AF0EC17DE6@cisco.com> <AAA28269-7DC5-4E19-A05B-6FAA4DF01388@cisco.com> <C6D4299F-7C55-4420-B114-A829533A981C@cisco.com> <A397AF2B-16A0-4A60-B278-CA6291A2F8F3@cisco.com>
To: Brian Weis <bew@cisco.com>
X-Mailer: Apple Mail (2.1084)
Cc: "sidr@ietf.org wg" <sidr@ietf.org>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-algorithm-agility-01.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jul 2011 17:11:43 -0000

--Apple-Mail-142--762872081
Content-Type: multipart/alternative;
	boundary=Apple-Mail-141--762872766


--Apple-Mail-141--762872766
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Hi Brian,

See inline.

On Jul 11, 2011, at 6:43 PM, Brian Weis wrote:

> Hi Roque,
>
> On Jul 11, 2011, at 2:29 AM, Roque Gagliano wrote:
>
>> Hi Brian,
>>
>> Thank you very much for your review.
>>
>> Please see my comments inline.
>>
>> Roque
>>
>> On Jul 8, 2011, at 9:08 PM, Brian Weis wrote:
>>
>>> Hi Roque,
>>>
>>> This draft seems very complete. I have just a few questions and comments:
>>>
>>> 1. Section 2. "A failure to comply with this process during an algorithm transition MUST be considered as non-compliance with ...
>>> I-D.ietf-sidr-cp". I can't detect in the CP where failing to comply with this process would be result in non-compliance. It would be hopeful to more specific here.
>>
>> (Roque) This is good feedback but I think we cannot delay the publication of the CP document. The idea is that the Algorithm Suites definition are part of the CP, consequently, the process to modify these suites should also be consider as a global RPKI requirement and thus tied to the CP.
>
> I didn't intend to affect the CP document. But since this statement implies that this document "updates" the CP, then I think the this document should say so at the top. I believe that was Sandy's point.

(Roque) I am fine with either solutions. I guess Steve may want to give his opinion on this point.

>>
>>>
>>> 2. Section 3. The definition of a "Non-Leaf CA" is "A CA that issues certificates to entities not under its administrative control." I believe this effectively means "CAs that have children", and if that's the intended meaning perhaps that's a better statement. The present definition could apply to a CA cross-certifying another CA and other non-child certificate signing. Even if those situations don't expect to be possible within the RPKI, it would be helpful to clarify the definition. Also, it's not clear to me that a child CA is "under its administrative control" in the sense that the child CA (e.g., ISP) might not be administered by the parent (e.g., RIR).
>>
>> (Roque) These are the "CA that have children and with whom the signaling is carried out through the provisioning protocol".
>>
>> What about changing the definition to"
>>
>> Non-Leaf CA: A CA that issues certificates to external entities by using the provisioning protocol described in [PROV.].
>
> That's a good precise definition.

(Roque) Ok.

>
>>
>>>
>>> 3. Section 4.2. "The only milestone that affects both CAs and RPs, at the same moment is the EOL date.". But the "Process for RPKI CAs" figure shows that two milestones are aligned: (5) and (6). How do these reconcile?
>>
>> (Roque)
>> I will change that, however, the milestone 5 (Twilight Date) is the date where the NEW becomes CURRENT and the CURRENT becomes OLD. If the RP and the CA did their part of the work, they should both be ready at that time to issue/revoke and validate certificates with both algorithms, so there is no "action" that should be taken at
>
> I understand now, but that's a subtle interpretation of "affects". It might be clearer to say something like "The only milestone at which both CAs and RPs take action at the same moment is the EOL date". (And that's a powerful statement, in my opinion.)
>

(Roque) Ok.

>>
>>>
>>> 4. Section 4.3. The alignment errors that Arturo mentioned don't seem to be fixed in -01. Did you mean to adjust them? Also, it might be worth stating explicitly in the Note following this first example that the indentation mean "signed by".
>>
>> (Roque)
>> Thanks. I will correct and do better "quality control".
>>
>>>
>>> 5. Section 4.5. "During this phase all signed product sets MUST be available using both Algorithm Suite A and Algorithm Suite B." It isn't clear to me what "During this phase" means in Phase 2. Does it mean "By the end of this phase"? Or does it mean "Before the start of Phase 3", which is not the same moment in time according to the figures in Section 4.2. I'm inclined to think it means "Before the start of Phase 3", because by Phase 3 "all product sets are available". Although again, Section 4.6 uses the phrase "During this phrase" so that also isn't clear and I would recommend being more precise here too.
>>
>> (Roque) "During this phase" means since start to end of these phase (i.e. after "CA Go Algorithm B date"). In Phase 2 all products are available using both algorithms but not all RP MUST validate them both, that only happens in Phase 3 (after "RP Ready Algorithm B Date")
>
> According to a dictionary I consulted, I note that "during" does mean "throughout" so the use of that word is accurate with your clarification. But I do think it would be clearer if "During the phase" was replaced with "Throughout this phase", "From the start of this phase", or something that is less semantic.

(Roque) Ok, I will replace for "throughout".

Roque.

> Thanks,
> Brian
>
>>> 6. Section 4.5. "An RP that validates all signed product sets using both Algorithm Suite A or Algorithm Suite B, SHOULD expect the same results." The text added to this paragraph in -01 clarifies how to resolve certificate validation results that differ, but I think it would be helpful to include references to both Sections 6 and 7 here which cover issues when on there are differences in validation more thoroughly.
>>
>> (Roque) ok. will add.
>>
>>> 7. (nit) The references for I-D.ietf-sidr-cp didn't get updated to -17. I didn't check other references.
>>
>> (Roque) ok.
>>
>> Thanks again,
>>
>> Roque
>>
>>>
>>> Thanks,
>>> Brian
>>>
>>> On Jul 8, 2011, at 9:14 AM, Roque Gagliano wrote:
>>>
>>>> In this new version we included the changes from the review by Arturo and several editorial nits.
>>>>
>>>> Please take a look at the document and send your comments.
>>>>
>>>> Roque.
>>>
>>> --
>>> Brian Weis
>>> Security Standards and Technology, SRTG, Cisco Systems
>>> Telephone: +1 408 526 4796
>>> Email: bew@cisco.com
>>>
>>>
>>>
>>>
>>>
>>
>
>
> --
> Brian Weis
> Security Standards and Technology, SRTG, Cisco Systems
> Telephone: +1 408 526 4796
> Email: bew@cisco.com
>
>
>
>
>


--Apple-Mail-141--762872766
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=us-ascii

<html><head></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Hi =
Brian,<br><div><div><br></div><div>See =
inline.</div><div><br></div><div><div>On Jul 11, 2011, at 6:43 PM, Brian =
Weis wrote:</div><br class=3D"Apple-interchange-newline"><blockquote =
type=3D"cite"><div style=3D"word-wrap: break-word; -webkit-nbsp-mode: =
space; -webkit-line-break: after-white-space; ">Hi =
Roque,<div><br><div><div>On Jul 11, 2011, at 2:29 AM, Roque Gagliano =
wrote:</div><br class=3D"Apple-interchange-newline"><blockquote =
type=3D"cite"><div style=3D"word-wrap: break-word; -webkit-nbsp-mode: =
space; -webkit-line-break: after-white-space; ">Hi =
Brian,<div><br></div><div>Thank you very much for your =
review.</div><div><br></div><div>Please see my comments =
inline.</div><div><br></div><div>Roque</div><div><br><div><div>On Jul 8, =
2011, at 9:08 PM, Brian Weis wrote:</div><br =
class=3D"Apple-interchange-newline"><blockquote type=3D"cite"><div>Hi =
Roque,<br><br>This draft seems very complete. I have just a few =
questions and comments:<br><br>1. Section 2. "A failure to comply with =
this process during an algorithm transition MUST be considered as =
non-compliance with ...<br>I-D.ietf-sidr-cp". I can't detect in the CP =
where failing to comply with this process would be result in =
non-compliance. It would be hopeful to more specific =
here.<br></div></blockquote><div><br></div><div>(Roque) This is good =
feedback but I think we cannot delay the publication of the CP document. =
The idea is that the Algorithm Suites definition are part of the CP, =
consequently, the process to modify these suites should also be consider =
as a global RPKI requirement and thus tied to the =
CP.</div></div></div></div></blockquote><div><br></div><div>I didn't =
intend to affect the CP document. But since this statement implies that =
this document "updates" the CP, then I think the this document should =
say so at the top. I believe that was Sandy's =
point.</div></div></div></div></blockquote><div><br></div><div>(Roque) I =
am fine with either solutions. I guess Steve may want to give his =
opinion on this point.</div><br><blockquote type=3D"cite"><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><div><div><blockquote =
type=3D"cite"><div style=3D"word-wrap: break-word; -webkit-nbsp-mode: =
space; -webkit-line-break: after-white-space; =
"><div><div><div><br></div><blockquote type=3D"cite"><div><br>2. Section =
3. The definition of a "Non-Leaf CA" is "A CA that issues certificates =
to entities not under its administrative control." I believe this =
effectively &nbsp;means "CAs that have children", and if that's the =
intended meaning perhaps that's a better statement. The present =
definition could apply to a CA cross-certifying another CA and other =
non-child certificate signing. Even if those situations don't expect to =
be possible within the RPKI, it would be helpful to clarify the =
definition. Also, it's not clear to me that a child CA is "under its =
administrative control" in the sense that the child CA (e.g., ISP) might =
not be administered by the parent (e.g., =
RIR).<br></div></blockquote><div><br></div><div>(Roque) These are the =
"CA that have children and with whom the signaling is carried out =
through the provisioning protocol".&nbsp;</div><div><br></div><div>What =
about changing the definition to"</div><div><br></div><div>Non-Leaf CA: =
A CA that issues certificates to external entities by using the =
provisioning protocol described in =
[PROV.].</div></div></div></div></blockquote><div><br></div>That's a =
good precise =
definition.</div></div></div></blockquote><div><br></div><div>(Roque) =
Ok.</div><br><blockquote type=3D"cite"><div style=3D"word-wrap: =
break-word; -webkit-nbsp-mode: space; -webkit-line-break: =
after-white-space; "><div><div><br><blockquote type=3D"cite"><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; =
"><div><div><div><br></div><blockquote type=3D"cite"><div><br>3. Section =
4.2. "The only milestone that affects both CAs and RPs, at the same =
moment is the EOL date.". But the "Process for RPKI CAs" figure shows =
that two milestones are aligned: (5) and (6). How do these =
reconcile?<br></div></blockquote><div><br></div><div>(Roque)&nbsp;</div><d=
iv>I will change that, however, the milestone 5 (Twilight Date) is the =
date where the NEW becomes CURRENT and the CURRENT becomes OLD. If the =
RP and the CA did their part of the work, they should both be ready at =
that time to issue/revoke and validate certificates with both =
algorithms, so there is no "action" that should be taken =
at&nbsp;</div></div></div></div></blockquote><div><br></div>I understand =
now, but that's a subtle interpretation of "affects". It might be =
clearer to say something like "The only milestone at which both CAs and =
RPs take action at the same moment is the EOL date". (And that's a =
powerful statement, in my =
opinion.)</div><div><br></div></div></div></blockquote><div><br></div>(Roq=
ue) Ok.</div><div><br><blockquote type=3D"cite"><div style=3D"word-wrap: =
break-word; -webkit-nbsp-mode: space; -webkit-line-break: =
after-white-space; "><div><div><blockquote type=3D"cite"><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><div><div><br><blockquote =
type=3D"cite"><div><br>4. Section 4.3. The alignment errors that Arturo =
mentioned don't seem to be fixed in -01. Did you mean to adjust them? =
Also, it might be worth stating explicitly in the Note following this =
first example that the indentation means "signed =
by".<br></div></blockquote><div><br></div><div>(Roque)</div><div>Thanks. =
I will correct and do better "quality control".</div><br><blockquote =
type=3D"cite"><div><br>5. Section 4.5. "During this phase all signed =
product sets MUST be available using both Algorithm Suite A and =
Algorithm Suite B." It isn't clear to me what "During this phase" means =
in Phase 2. Does it mean "By the end of this phase"? Or does it mean =
"Before the start of Phase 3", which is not the same moment in time =
according to the figures in Section 4.2. I'm inclined to think it means =
"Before the start of Phase 3", because by Phase 3 "all product sets are =
available". Although again, Section 4.6 uses the phrase "During this =
phrase" so that also isn't clear and I would recommend being more =
precise here too.<br></div></blockquote><div><br></div><div>(Roque) =
"During this phase" means since start to end of this phase (i.e. =
after<span class=3D"Apple-style-span" style=3D"white-space: =
pre;">&nbsp;"CA Go Algorithm B date"). In Phase 2 all products are =
available using both algorithms but not all RP MUST validate them both, =
that only happens in Phase 3 (after "RP Ready Algorithm B =
Date")</span></div></div></div></div></blockquote><div><br></div><div>Acco=
rding to a dictionary I consulted, I note that "during" does mean =
"throughout" so the use of that word is accurate with your =
clarification. But I do think it would be clearer if "During the phase" =
was replaced with "Throughout this phase", &nbsp;"=46rom the start of =
this phase", or something that is less =
semantic.</div></div></div></div></blockquote><div><br></div><div>(Roque) =
Ok, I will replace for =
"throughout".</div><div><br></div><div>Roque.</div><br><blockquote =
type=3D"cite"><div style=3D"word-wrap: break-word; -webkit-nbsp-mode: =
space; -webkit-line-break: after-white-space; =
"><div><div><div>Thanks,</div><div>Brian</div><br><blockquote =
type=3D"cite"><div style=3D"word-wrap: break-word; -webkit-nbsp-mode: =
space; -webkit-line-break: after-white-space; "><div><div><blockquote =
type=3D"cite"><div>6. Section 4.5. "An RP that validates all signed =
product sets using both Algorithm Suite A or Algorithm Suite B, SHOULD =
expect the same results." The text added to this paragraph in -01 =
clarifies how to resolve certificate validation results that differ, but =
I think it would be helpful to include references to both Sections 6 and =
7 here which cover issues when there are differences in validation =
more thoroughly.<font class=3D"Apple-style-span"><font =
class=3D"Apple-style-span" =
color=3D"#144FAE"><br></font></font></div></blockquote><div><br></div><div=
>(Roque) ok. will add.</div><br><blockquote type=3D"cite"><div>7. (nit) =
The references for I-D.ietf-sidr-cp didn't get updated to -17. I didn't =
check other =
references.<br></div></blockquote><div><br></div><div>(Roque) =
ok.</div><div><br></div><div>Thanks =
again,</div><div><br></div><div>Roque</div><br><blockquote =
type=3D"cite"><div><br>Thanks,<br>Brian<br><br>On Jul 8, 2011, at 9:14 =
AM, Roque Gagliano wrote:<br><br><blockquote type=3D"cite">In this new =
version we included the changes from the review by Arturo and several =
editorial nits.<br></blockquote><blockquote =
type=3D"cite"><br></blockquote><blockquote type=3D"cite">Please take a =
look at the document and send your comments.<br></blockquote><blockquote =
type=3D"cite"><br></blockquote><blockquote =
type=3D"cite">Roque.<br></blockquote><br>-- <br>Brian Weis<br>Security =
Standards and Technology, SRTG, Cisco Systems<br>Telephone: +1 408 526 =
4796<br>Email: <a =
href=3D"mailto:bew@cisco.com">bew@cisco.com</a><br><br><br><br><br><br></d=
iv></blockquote></div><br></div></div></blockquote></div><br><div>
<span class=3D"Apple-style-span" style=3D"border-collapse: separate; =
font-family: Helvetica; font-style: normal; font-variant: normal; =
font-weight: normal; letter-spacing: normal; line-height: normal; =
orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; =
widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; =
-webkit-border-vertical-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; font-size: medium; "><span =
class=3D"Apple-style-span" style=3D"border-collapse: separate; =
font-family: Helvetica; font-size: medium; font-style: normal; =
font-variant: normal; font-weight: normal; letter-spacing: normal; =
line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; =
white-space: normal; widows: 2; word-spacing: 0px; =
-webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: =
0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; "><div style=3D"word-wrap: =
break-word; -webkit-nbsp-mode: space; -webkit-line-break: =
after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; font-family: Helvetica; font-size: =
14px; font-style: normal; font-variant: normal; font-weight: normal; =
letter-spacing: normal; line-height: normal; orphans: 2; text-indent: =
0px; text-transform: none; white-space: normal; widows: 2; word-spacing: =
0px; -webkit-border-horizontal-spacing: 0px; =
-webkit-border-vertical-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; "><div style=3D"word-wrap: =
break-word; -webkit-nbsp-mode: space; -webkit-line-break: =
after-white-space; "><div><span class=3D"Apple-style-span" =
style=3D"font-family: -webkit-monospace; font-size: 12px; =
"><br>--&nbsp;<br>Brian Weis<br>Security Standards and Technology, SRTG, =
Cisco Systems<br>Telephone: +1 408 526 4796<br>Email:&nbsp;<a =
href=3D"mailto:bew@cisco.com">bew@cisco.com</a></span></div><div><br></div=
></div></span><br class=3D"Apple-interchange-newline"></div></span><br =
class=3D"Apple-interchange-newline"></span><br =
class=3D"Apple-interchange-newline">
</div>
<br></div></div></blockquote></div><br></div></body></html>=

--Apple-Mail-141--762872766--

--Apple-Mail-142--762872081
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64

--Apple-Mail-142--762872081--

From kent@bbn.com  Mon Jul 11 10:27:14 2011
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E170321F8DAF for <sidr@ietfa.amsl.com>; Mon, 11 Jul 2011 10:27:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level: 
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iwFlLHnTDlkl for <sidr@ietfa.amsl.com>; Mon, 11 Jul 2011 10:27:14 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id CD50611E8086 for <sidr@ietf.org>; Mon, 11 Jul 2011 10:27:10 -0700 (PDT)
Received: from dhcp89-089-024.bbn.com ([128.89.89.24]:49196) by smtp.bbn.com with esmtp (Exim 4.74 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1QgKGD-0003WK-BI; Mon, 11 Jul 2011 13:27:10 -0400
Mime-Version: 1.0
Message-Id: <p06240800ca40dd314fe7@[192.168.1.10]>
In-Reply-To: <AAA28269-7DC5-4E19-A05B-6FAA4DF01388@cisco.com>
References: <20110708161252.27961.972.idtracker@ietfa.amsl.com> <42FAFCD2-C5F0-471C-8E90-A6AF0EC17DE6@cisco.com> <AAA28269-7DC5-4E19-A05B-6FAA4DF01388@cisco.com>
Date: Mon, 11 Jul 2011 13:17:22 -0400
To: Brian Weis <bew@cisco.com>
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Cc: "sidr@ietf.org wg" <sidr@ietf.org>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-algorithm-agility-01.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jul 2011 17:27:15 -0000

At 12:08 PM -0700 7/8/11, Brian Weis wrote:
>Hi Roque,
>
>This draft seems very complete. I have just a few questions and comments:
>
>1. Section 2. "A failure to comply with this process during an 
>algorithm transition MUST be considered as non-compliance with ...
>I-D.ietf-sidr-cp". I can't detect in the CP where failing to comply 
>with this process would result in non-compliance. It would be 
>helpful to be more specific here.

Agreed. The CP cites the alg spec (draft-ietf-sidr-rpki-algs). 
However, this doc says that the alg specs doc will be updated to 
reflect the new alg suite, and to include the timeline for the alg 
transition. Once that happens, a failure to comply with the alg 
transition procedure described here will imply noncompliance with the 
CP.


>2. Section 3. The definition of a "Non-Leaf CA" is "A CA that issues 
>certificates to entities not under its administrative control." I 
>believe this effectively  means "CAs that have children", and if 
>that's the intended meaning perhaps that's a better statement. The 
>present definition could apply to a CA cross-certifying another CA 
>and other non-child certificate signing. Even if those situations 
>don't expect to be possible within the RPKI, it would be helpful to 
>clarify the definition. Also, it's not clear to me that a child CA 
>is "under its administrative control" in the sense that the child CA 
>(e.g., ISP) might not be administered by the parent (e.g., RIR).

There is no cross-certification (in the common, but incorrect, use of 
the term) in the RPKI, because of the constraints imposed by the 3779 
extensions. Still, I agree that the definition could be improved. How 
about:

Non-leaf CA: A CA that issues certs to other CAs is a non-leaf CA. In 
contrast, a leaf CA is a CA that issues only EE certs.

>...
>
>
>5. Section 4.5. "During this phase all signed product sets MUST be 
>available using both Algorithm Suite A and Algorithm Suite B." It 
>isn't clear to me what "During this phase" means in Phase 2. Does it 
>mean "By the end of this phase"? Or does it mean "Before the start 
>of Phase 3", which is not the same moment in time according to the 
>figures in Section 4.2. I'm inclined to think it means "Before the 
>start of Phase 3", because by Phase 3 "all product sets are 
>available". Although again, Section 4.6 uses the phrase "During this 
>phrase" so that also isn't clear and I would recommend being more 
>precise here too.

Yes, it would be more accurate to say "at the start of Phase 2, all 
signed products ..."

From Sandra.Murphy@cobham.com  Mon Jul 11 10:44:10 2011
Return-Path: <Sandra.Murphy@cobham.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9056A21F8784 for <sidr@ietfa.amsl.com>; Mon, 11 Jul 2011 10:44:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.549
X-Spam-Level: 
X-Spam-Status: No, score=-100.549 tagged_above=-999 required=5 tests=[AWL=2.050, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NJ+s6mv1ALyv for <sidr@ietfa.amsl.com>; Mon, 11 Jul 2011 10:44:09 -0700 (PDT)
Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by ietfa.amsl.com (Postfix) with ESMTP id A33C921F85CE for <sidr@ietf.org>; Mon, 11 Jul 2011 10:44:09 -0700 (PDT)
Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.13.5/8.13.5) with ESMTP id p6BHi2AP005653; Mon, 11 Jul 2011 12:44:03 -0500
Received: from mailbin2.ads.sparta.com (mailbin.sparta.com [157.185.85.6]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id p6BHi219003959; Mon, 11 Jul 2011 12:44:03 -0500
Received: from SMURPHY-LT.columbia.ads.sparta.com ([157.185.81.116]) by mailbin2.ads.sparta.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675); Mon, 11 Jul 2011 13:44:02 -0400
Date: Mon, 11 Jul 2011 13:44:01 -0400 (Eastern Daylight Time)
From: Sandra Murphy <Sandra.Murphy@sparta.com>
To: Stephen Kent <kent@bbn.com>
In-Reply-To: <p06240800ca40dd314fe7@[192.168.1.10]>
Message-ID: <Pine.WNT.4.64.1107111340180.3744@SMURPHY-LT.columbia.ads.sparta.com>
References: <20110708161252.27961.972.idtracker@ietfa.amsl.com> <42FAFCD2-C5F0-471C-8E90-A6AF0EC17DE6@cisco.com> <AAA28269-7DC5-4E19-A05B-6FAA4DF01388@cisco.com> <p06240800ca40dd314fe7@[192.168.1.10]>
X-X-Sender: sandy@mailbin.sparta.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-OriginalArrivalTime: 11 Jul 2011 17:44:02.0068 (UTC) FILETIME=[1EF17D40:01CC3FF2]
Cc: "sidr@ietf.org wg" <sidr@ietf.org>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-algorithm-agility-01.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jul 2011 17:44:10 -0000

On Mon, 11 Jul 2011, Stephen Kent wrote:

> At 12:08 PM -0700 7/8/11, Brian Weis wrote:
>> Hi Roque,
>> 
>> This draft seems very complete. I have just a few questions and comments:
>> 
>> 1. Section 2. "A failure to comply with this process during an algorithm 
>> transition MUST be considered as non-compliance with ...
>> I-D.ietf-sidr-cp". I can't detect in the CP where failing to comply with 
>> this process would result in non-compliance. It would be helpful to be more 
>> specific here.
>
> Agreed. The CP cites the alg spec (draft-ietf-sidr-rpki-algs). However, this 
> doc says that the alg specs doc will be updated to reflect the new alg suite, 
> and to include the timeline for the alg transition. Once that happens, a 
> failure to comply with the alg transition procedure described here will imply 
> noncompliance with the CP.

S---T---R---E---T---C---H???

If the non-compliance with this draft was to fail to update the algs 
document, then the failure to comply with the procedure would not imply 
non-compliance with the CP.

--Sandy, speaking as wg chair



>
>
>> 2. Section 3. The definition of a "Non-Leaf CA" is "A CA that issues 
>> certificates to entities not under its administrative control." I believe 
>> this effectively  means "CAs that have children", and if that's the 
>> intended meaning perhaps that's a better statement. The present definition 
>> could apply to a CA cross-certifying another CA and other non-child 
>> certificate signing. Even if those situations don't expect to be possible 
>> within the RPKI, it would be helpful to clarify the definition. Also, it's 
>> not clear to me that a child CA is "under its administrative control" in 
>> the sense that the child CA (e.g., ISP) might not be administered by the 
>> parent (e.g., RIR).
>
> There is no cross-certification (in the common, but incorrect, use of the 
> term) in the RPKI, because of the constraints imposed by the 3779 extensions. 
> Still, I agree that the definition could be improved. How about:
>
> Non-leaf CA: A CA that issues certs to other CAs is a non-leaf CA. In 
> contrast, a leaf CA is a CA that issues only EE certs.
>
>> ...
>> 
>> 
>> 5. Section 4.5. "During this phase all signed product sets MUST be 
>> available using both Algorithm Suite A and Algorithm Suite B." It isn't 
>> clear to me what "During this phase" means in Phase 2. Does it mean "By the 
>> end of this phase"? Or does it mean "Before the start of Phase 3", which is 
>> not the same moment in time according to the figures in Section 4.2. I'm 
>> inclined to think it means "Before the start of Phase 3", because by Phase 
>> 3 "all product sets are available". Although again, Section 4.6 uses the 
>> phrase "During this phrase" so that also isn't clear and I would recommend 
>> being more precise here too.
>
> Yes, it would be more accurate to say "at the start of Phase 2, all signed 
> products ..."
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr
>

From kent@bbn.com  Mon Jul 11 11:06:17 2011
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BCC211E813E for <sidr@ietfa.amsl.com>; Mon, 11 Jul 2011 11:06:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level: 
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5Rpyp8ZBZdw6 for <sidr@ietfa.amsl.com>; Mon, 11 Jul 2011 11:06:16 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id B1BF811E8138 for <sidr@ietf.org>; Mon, 11 Jul 2011 11:06:16 -0700 (PDT)
Received: from dhcp89-089-024.bbn.com ([128.89.89.24]:49200) by smtp.bbn.com with esmtp (Exim 4.74 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1QgKs0-0004BB-KL; Mon, 11 Jul 2011 14:06:12 -0400
Mime-Version: 1.0
Message-Id: <p06240805ca40eb99b038@[128.89.89.24]>
In-Reply-To: <C6D4299F-7C55-4420-B114-A829533A981C@cisco.com>
References: <20110708161252.27961.972.idtracker@ietfa.amsl.com> <42FAFCD2-C5F0-471C-8E90-A6AF0EC17DE6@cisco.com> <AAA28269-7DC5-4E19-A05B-6FAA4DF01388@cisco.com> <C6D4299F-7C55-4420-B114-A829533A981C@cisco.com>
Date: Mon, 11 Jul 2011 14:05:51 -0400
To: Roque Gagliano <rogaglia@cisco.com>
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Cc: "sidr@ietf.org wg" <sidr@ietf.org>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-algorithm-agility-01.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jul 2011 18:06:17 -0000

At 11:29 AM +0200 7/11/11, Roque Gagliano wrote:
>...
>(Roque) These are the "CA that have children and with whom the 
>signaling is carried out through the provisioning protocol".
>
>What about changing the definition to"
>
>Non-Leaf CA: A CA that issues certificates to external entities by 
>using the provisioning protocol described in [PROV.].

I disagree with Brian here.  the prov protocol is one way to have certs issued,
but it is not the only way, e.g., see the managed CA services offered by most
of the RIRs.  I'd prefer the definition I suggested in my (belated) 
reply to Brian's message.

Steve

From bew@cisco.com  Mon Jul 11 12:14:28 2011
Return-Path: <bew@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 682B811E8114 for <sidr@ietfa.amsl.com>; Mon, 11 Jul 2011 12:14:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.266
X-Spam-Level: 
X-Spam-Status: No, score=-105.266 tagged_above=-999 required=5 tests=[AWL=-2.666, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gIN+RebE+C4h for <sidr@ietfa.amsl.com>; Mon, 11 Jul 2011 12:14:27 -0700 (PDT)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) by ietfa.amsl.com (Postfix) with ESMTP id 5F06521F8D2D for <sidr@ietf.org>; Mon, 11 Jul 2011 12:14:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=bew@cisco.com; l=918; q=dns/txt; s=iport; t=1310411660; x=1311621260; h=subject:mime-version:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=t75xxKwbXn5psb/5vy++CtKq4Uul+zht0igNdbquJ9I=; b=IwpgDFE1Q3hHPzYQhJL3ojrRRhr3th6BztdIpbxQyxjGPUhIjbJ7k1ol SkLmKE1ja1I20rPyBbN4W1bMO+RnhaVjLMkhCNUoIWwuynzJ1fbkaV3zk XpmPHfZEYulhOAHvV1FBh3uMNvApIWavZ6MgHHceqLJC9sADu+UV1D8kU Y=;
X-IronPort-AV: E=Sophos;i="4.65,517,1304294400";  d="scan'208";a="1835071"
Received: from mtv-core-1.cisco.com ([171.68.58.6]) by rcdn-iport-6.cisco.com with ESMTP; 11 Jul 2011 19:14:19 +0000
Received: from stealth-10-32-244-213.cisco.com (stealth-10-32-244-213.cisco.com [10.32.244.213]) by mtv-core-1.cisco.com (8.14.3/8.14.3) with ESMTP id p6BJEJFb005609; Mon, 11 Jul 2011 19:14:19 GMT
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset=us-ascii
From: Brian Weis <bew@cisco.com>
In-Reply-To: <p06240805ca40eb99b038@[128.89.89.24]>
Date: Mon, 11 Jul 2011 12:14:19 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <0F1E331D-6749-483A-B69D-B4D62DE76447@cisco.com>
References: <20110708161252.27961.972.idtracker@ietfa.amsl.com> <42FAFCD2-C5F0-471C-8E90-A6AF0EC17DE6@cisco.com> <AAA28269-7DC5-4E19-A05B-6FAA4DF01388@cisco.com> <C6D4299F-7C55-4420-B114-A829533A981C@cisco.com> <p06240805ca40eb99b038@[128.89.89.24]>
To: Stephen Kent <kent@bbn.com>
X-Mailer: Apple Mail (2.1084)
Cc: "sidr@ietf.org wg" <sidr@ietf.org>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-algorithm-agility-01.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jul 2011 19:14:28 -0000

On Jul 11, 2011, at 11:05 AM, Stephen Kent wrote:

> At 11:29 AM +0200 7/11/11, Roque Gagliano wrote:
>> ...
>> (Roque) These are the "CA that have children and with whom the
>> signaling is carried out through the provisioning protocol".
>>
>> What about changing the definition to"
>>
>> Non-Leaf CA: A CA that issues certificates to external entities by
>> using the provisioning protocol described in [PROV.].
>
> I disagree with Brian here.  the prov protocol is one way to have
> certs issued, but it is not the only way, e.g., see the managed CA
> services offered by most of the RIRs.  I'd prefer the definition I
> suggested in my (belated) reply to Brian's message.

I agree that Steve's definition is clearer.

Thanks,
Brian

>
> Steve


-- 
Brian Weis
Security Standards and Technology, SRTG, Cisco Systems
Telephone: +1 408 526 4796
Email: bew@cisco.com






From kent@bbn.com  Mon Jul 11 13:33:26 2011
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D131411E8201 for <sidr@ietfa.amsl.com>; Mon, 11 Jul 2011 13:33:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level: 
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PZ3-yMlAGZ5h for <sidr@ietfa.amsl.com>; Mon, 11 Jul 2011 13:33:25 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id DA26511E80AB for <sidr@ietf.org>; Mon, 11 Jul 2011 13:33:25 -0700 (PDT)
Received: from dhcp89-089-024.bbn.com ([128.89.89.24]:49221) by smtp.bbn.com with esmtp (Exim 4.74 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1QgNAR-0006wp-Uk; Mon, 11 Jul 2011 16:33:24 -0400
Mime-Version: 1.0
Message-Id: <p06240808ca40f463bf6d@[128.89.89.24]>
In-Reply-To: <Pine.WNT.4.64.1107111340180.3744@SMURPHY-LT.columbia.ads.sparta.com>
References: <20110708161252.27961.972.idtracker@ietfa.amsl.com> <42FAFCD2-C5F0-471C-8E90-A6AF0EC17DE6@cisco.com> <AAA28269-7DC5-4E19-A05B-6FAA4DF01388@cisco.com> <p06240800ca40dd314fe7@[192.168.1.10]> <Pine.WNT.4.64.1107111340180.3744@SMURPHY-LT.columbia.ads.sparta.com>
Date: Mon, 11 Jul 2011 14:46:53 -0400
To: Sandra Murphy <Sandra.Murphy@sparta.com>
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Cc: "sidr@ietf.org wg" <sidr@ietf.org>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-algorithm-agility-01.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jul 2011 20:33:26 -0000

At 1:44 PM -0400 7/11/11, Sandra Murphy wrote:
>>>...
>>
>>Agreed. The CP cites the alg spec (draft-ietf-sidr-rpki-algs). 
>>However, this doc says that the alg specs doc will be updated to 
>>reflect the new alg suite, and to include the timeline for the alg 
>>transition. Once that happens, a failure to comply with the alg 
>>transition procedure described here will imply noncompliance with 
>>the CP.
>
>S---T---R---E---T---C---H???
>
>If the non-compliance with this draft was to fail to update the algs 
>document, then the failure to comply with the procedure would not 
>imply non-compliance with the CP.
>
>--Sandy, speaking as wg chair

Sandy,

But stretching is the usual pre-exercise warm up, and the transition to a
new alg suite will be an exercise, so ... :-).

Stated less circuitously, the CP currently mandates support for the algs
in the Alg Spec. These algs used to be in the CP, but it was decided to
move them into a separate doc, to avoid the need to change the CP when the
algs change. An early version of the alg transition doc called for updating
the CP to reflect alg transition. But, we moved the algs spec to a separate
doc, so the alg transition now calls for the alg spec to be replaced with
a new doc that calls out the new algs and provides the transition timeline.

We have gone down the path of document modularization and 
indirection, this is where we wound up!

Steve

From internet-drafts@ietf.org  Mon Jul 11 13:46:40 2011
Return-Path: <internet-drafts@ietf.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4843711E8266; Mon, 11 Jul 2011 13:46:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.589
X-Spam-Level: 
X-Spam-Status: No, score=-102.589 tagged_above=-999 required=5 tests=[AWL=0.010, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VOrq9o8ZIXOa; Mon, 11 Jul 2011 13:46:39 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A72C911E8256; Mon, 11 Jul 2011 13:46:37 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 3.55
Message-ID: <20110711204637.19867.97897.idtracker@ietfa.amsl.com>
Date: Mon, 11 Jul 2011 13:46:37 -0700
Cc: sidr@ietf.org
Subject: [sidr] I-D Action: draft-ietf-sidr-keyroll-08.txt

A New Internet-Draft is available from the on-line Internet-Drafts
directories. This draft is a work item of the Secure Inter-Domain Routing
Working Group of the IETF.

	Title           : CA Key Rollover in the RPKI
	Author(s)       : Geoff Huston
                          George Michaelson
                          Stephen Kent
	Filename        : draft-ietf-sidr-keyroll-08.txt
	Pages           : 11
	Date            : 2011-07-11

   This document describes how a Certification Authority (CA) in the
   Resource Public Key Infrastructure (RPKI) performs a planned rollover
   of its key pair.  This document also notes the implications of this
   key rollover procedure for Relying Parties (RPs).  In general, RPs
   are expected to maintain a local cache of the objects that have been
   published in the RPKI repository, and thus the way in which a CA
   performs key rollover impacts RPs.


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-sidr-keyroll-08.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-sidr-keyroll-08.txt

From Sandra.Murphy@cobham.com  Mon Jul 11 14:29:58 2011
Date: Mon, 11 Jul 2011 17:29:49 -0400 (Eastern Daylight Time)
From: Sandra Murphy <Sandra.Murphy@sparta.com>
To: Stephen Kent <kent@bbn.com>
In-Reply-To: <p06240808ca40f463bf6d@[128.89.89.24]>
Message-ID: <Pine.WNT.4.64.1107111645070.5584@SMURPHY-LT.columbia.ads.sparta.com>
References: <20110708161252.27961.972.idtracker@ietfa.amsl.com> <42FAFCD2-C5F0-471C-8E90-A6AF0EC17DE6@cisco.com> <AAA28269-7DC5-4E19-A05B-6FAA4DF01388@cisco.com> <p06240800ca40dd314fe7@[192.168.1.10]> <Pine.WNT.4.64.1107111340180.3744@SMURPHY-LT.columbia.ads.sparta.com> <p06240808ca40f463bf6d@[128.89.89.24]>
X-X-Sender: sandy@mailbin.sparta.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-OriginalArrivalTime: 11 Jul 2011 21:29:50.0150 (UTC) FILETIME=[AA3ABE60:01CC4011]
Cc: "sidr@ietf.org wg" <sidr@ietf.org>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-algorithm-agility-01.txt

On Mon, 11 Jul 2011, Stephen Kent wrote:

> At 1:44 PM -0400 7/11/11, Sandra Murphy wrote:
>>>> ...
>>> 
>>> Agreed. The CP cites the alg spec (draft-ietf-sidr-rpki-algs). However, 
>>> this doc says that the alg specs doc will be updated to reflect the new alg 
>>> suite, and to include the timeline for the alg transition. Once that 
>>> happens, a failure to comply with the alg transition procedure described 
>>> here will imply noncompliance with the CP.
>> 
>> S---T---R---E---T---C---H???
>> 
>> If the non-compliance with this draft was to fail to update the algs 
>> document, then the failure to comply with the procedure would not imply 
>> non-compliance with the CP.
>> 
>> --Sandy, speaking as wg chair
>
> Sandy,
>
> But stretching is the usual pre-exercise warm up, and the transition to a
> new alg suite will be an exercise, so ... :-).
>

Yes, especially when the exercise involves significant muscle movement, 
and alg transition involves significant movement of the brain muscle, 
so...  :-)

> Stated less circuitously, the CP currently mandates support for the algs
> in the Alg Spec. These algs used to be in the CP, but it was decided to
> move them into a separate doc, to avoid the need to change the CP when the
> algs change. An early version of the alg transition doc called for updating
> the CP to reflect alg transition. But, we moved the algs spec to a separate
> doc, so the alg transition now calls for the alg spec to be replaced with
> a new doc that calls out the new algs and provides the transition timeline.
>
> We have gone down the path of document modularization and indirection, this 
> is where we wound up!

I understand the reasoning (I can stretch that far).

But the desired outcome is for any violation of the transition procedure 
to violate the CP.  Right?

As you said, this follows from the first step of the procedure, which is 
to update the alg document with the transition timeline, thereby 
indirectly updating the CP with the transition.  Subsequent violation of 
the transition procedure would therefore violate the CP.

But if the violation of the transition procedure is to fall at the first 
hurdle - to fail to update the alg document with the transition timeline, 
then any subsequent violation of the procedure would no longer violate the 
CP, even indirectly.

Right?

--Sandy, speaking as wg chair.


>
> Steve
>

From internet-drafts@ietf.org  Mon Jul 11 14:52:19 2011
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 3.55
Message-ID: <20110711215154.14120.98609.idtracker@ietfa.amsl.com>
Date: Mon, 11 Jul 2011 14:51:54 -0700
Cc: sidr@ietf.org
Subject: [sidr] I-D Action: draft-ietf-sidr-pfx-validate-02.txt

A New Internet-Draft is available from the on-line Internet-Drafts
directories. This draft is a work item of the Secure Inter-Domain Routing
Working Group of the IETF.

	Title           : BGP Prefix Origin Validation
	Author(s)       : Pradosh Mohapatra
                          John Scudder
                          David Ward
                          Randy Bush
                          Rob Austein
	Filename        : draft-ietf-sidr-pfx-validate-02.txt
	Pages           : 11
	Date            : 2011-07-11

   To help reduce well-known threats against BGP including prefix mis-
   announcing and monkey-in-the-middle attacks, one of the security
   requirements is the ability to validate the origination AS of BGP
   routes.  More specifically, one needs to validate that the AS number
   claiming to originate an address prefix (as derived from the AS_PATH
   attribute of the BGP route) is in fact authorized by the prefix
   holder to do so.  This document describes a simple validation
   mechanism to partially satisfy this requirement.


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-sidr-pfx-validate-02.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-sidr-pfx-validate-02.txt

From kent@bbn.com  Mon Jul 11 15:04:18 2011
Mime-Version: 1.0
Message-Id: <p06240812ca4123612cf9@[128.89.89.24]>
In-Reply-To: <Pine.WNT.4.64.1107111645070.5584@SMURPHY-LT.columbia.ads.sparta.com>
References: <20110708161252.27961.972.idtracker@ietfa.amsl.com> <42FAFCD2-C5F0-471C-8E90-A6AF0EC17DE6@cisco.com> <AAA28269-7DC5-4E19-A05B-6FAA4DF01388@cisco.com> <p06240800ca40dd314fe7@[192.168.1.10]> <Pine.WNT.4.64.1107111340180.3744@SMURPHY-LT.columbia.ads.sparta.com> <p06240808ca40f463bf6d@[128.89.89.24]> <Pine.WNT.4.64.1107111645070.5584@SMURPHY-LT.columbia.ads.sparta.com>
Date: Mon, 11 Jul 2011 18:03:49 -0400
To: Sandra Murphy <Sandra.Murphy@sparta.com>
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Cc: "sidr@ietf.org wg" <sidr@ietf.org>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-algorithm-agility-01.txt

>>...
>
>I understand the reasoning (I can stretch that far).
>
>But the desired outcome is for any violation of the transition 
>procedure to violate the CP.  Right?

agreed.

>As you said, this follows from the first step of the procedure, 
>which is to update the alg document with the transition timeline, 
>thereby indirectly updating the CP with the transition.  Subsequent 
>violation of the transition procedure would therefore violate the CP.

right.

>But if the violation of the transition procedure is to fall at the 
>first hurdle - to fail to update the alg document with the 
>transition timeline, then any subsequent violation of the procedure 
>would no longer violate the CP, even indirectly.
>
>Right?

yes, but that is a procedural hurdle that, presumably, is within the 
purview of the WG and the IESG. So I didn't think it belonged in the 
doc. But, we both agree that a more explicit statement of how this 
doc relates to the CP is needed.

Steve

From pmohapat@cisco.com  Mon Jul 11 16:19:57 2011
From: Pradosh Mohapatra <pmohapat@cisco.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Date: Mon, 11 Jul 2011 16:24:04 -0700
References: <20110711215154.14120.98609.idtracker@ietfa.amsl.com>
To: sidr wg list <sidr@ietf.org>
Message-Id: <DD9DA398-4853-4F2D-8CA7-A7C58B5E26F3@cisco.com>
Mime-Version: 1.0 (Apple Message framework v1084)
X-Mailer: Apple Mail (2.1084)
Subject: [sidr] Fwd:  I-D Action: draft-ietf-sidr-pfx-validate-02.txt

FYI... This version addresses comments from Geoff (put a reference to
ietf-sidr-origin-ops + some word-smithing). Would appreciate another
review.

- Pradosh

> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-sidr-pfx-validate-02.txt



From randy@psg.com  Mon Jul 11 23:25:07 2011
Date: Tue, 12 Jul 2011 15:25:03 +0900
Message-ID: <m2liw42eyo.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Pradosh Mohapatra <pmohapat@cisco.com>
In-Reply-To: <DD9DA398-4853-4F2D-8CA7-A7C58B5E26F3@cisco.com>
References: <20110711215154.14120.98609.idtracker@ietfa.amsl.com> <DD9DA398-4853-4F2D-8CA7-A7C58B5E26F3@cisco.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] Fwd:  I-D Action: draft-ietf-sidr-pfx-validate-02.txt

of course i could pick nits, but it looks ok to me.

randy

From Sandra.Murphy@cobham.com  Tue Jul 12 15:10:30 2011
Date: Tue, 12 Jul 2011 18:10:23 -0400 (Eastern Daylight Time)
From: Sandra Murphy <Sandra.Murphy@sparta.com>
To: sidr@ietf.org
Message-ID: <Pine.WNT.4.64.1107121808230.5584@SMURPHY-LT.columbia.ads.sparta.com>
X-X-Sender: sandy@mailbin.sparta.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-OriginalArrivalTime: 12 Jul 2011 22:10:23.0914 (UTC) FILETIME=[7F4768A0:01CC40E0]
Subject: [sidr] reminder on requests for agenda slots

A reminder that working group agendas are due tomorrow at 1700 PT.  If 
you are thinking of requesting an agenda slot, it would be good to get 
that to the chairs soon.

Final agendas are due Monday at 1700 PT.

--Sandy, speaking as wg chair

From randy@psg.com  Tue Jul 12 17:08:05 2011
Date: Wed, 13 Jul 2011 09:08:02 +0900
Message-ID: <m2hb6r11r1.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: sidr wg list <sidr@ietf.org>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Subject: [sidr] wglc request for draft-ietf-sidr-ghostbusters-06.txt

steve kent has been beating me up that a lot of documents normatively
reference draft-ietf-sidr-iana-objects-03.txt, which in turn references
draft-ietf-sidr-ghostbusters-06.txt.  i.e. my draft is holding dinner
up.

so please review draft-ietf-sidr-ghostbusters-06.txt.

and could the chairs provide incentive for review by doing a wglc?

thanks

randy

From Sandra.Murphy@cobham.com  Wed Jul 13 16:35:14 2011
Date: Wed, 13 Jul 2011 19:35:11 -0400 (Eastern Daylight Time)
From: Sandra Murphy <Sandra.Murphy@sparta.com>
To: sidr wg list <sidr@ietf.org>
In-Reply-To: <m2hb6r11r1.wl%randy@psg.com>
Message-ID: <Pine.WNT.4.64.1107131925450.5584@SMURPHY-LT.columbia.ads.sparta.com>
References: <m2hb6r11r1.wl%randy@psg.com>
X-X-Sender: sandy@mailbin.sparta.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-OriginalArrivalTime: 13 Jul 2011 23:35:11.0675 (UTC) FILETIME=[823BE0B0:01CC41B5]
Subject: [sidr] WG LC for draft-ietf-sidr-ghostbusters-06.txt

The chairs have received a request from the authors for a WG Last Call for 
"The RPKI Ghostbusters Record", draft-ietf-sidr-ghostbusters-06.

The document and the draft version history are available at: 
http://tools.ietf.org/wg/sidr/draft-ietf-sidr-ghostbusters

The Last Call will end Wed, 3 Aug 2011 (AOE).  This is three weeks instead 
of the usual two, because the IETF week will occupy people's time and 
attention.

As usual, please address all comments to the WG mailing list, and please 
be clear in your comments to this last call if you are supporting the 
document's submission to the IESG or if you are opposed. If you are 
opposed, please indicate why.

--Sandy, speaking as wg chair, with wg chair snood on


From Sandra.Murphy@cobham.com  Thu Jul 14 07:22:37 2011
Date: Thu, 14 Jul 2011 10:21:50 -0400 (Eastern Daylight Time)
From: Sandra Murphy <Sandra.Murphy@sparta.com>
To: sidr@ietf.org
Message-ID: <Pine.WNT.4.64.1107121824080.5584@SMURPHY-LT.columbia.ads.sparta.com>
X-X-Sender: sandy@mailbin.sparta.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-OriginalArrivalTime: 14 Jul 2011 14:21:51.0104 (UTC) FILETIME=[5F908800:01CC4231]
Cc: Andrew de la Haye <andrew@ripe.net>
Subject: [sidr] discussion of RPKI procedure for transfer of resources

As I noted in my message of 9 Jun, various RIRs are discussing and 
implementing transfer of resources.

The procedure for accomplishing transfer of resources in the RPKI has not 
yet been discussed in this wg.

I believe it would be good to ensure that the RPKI design accommodates 
the transfer of resources, as it looks like it is going to happen.

I have reserved time to discuss this at the next meeting.  There has been 
one post on the list of a discussion paper of transfer wrt the RPKI. 
(See http://www.ietf.org/mail-archive/web/sidr/current/msg02947.html.) 
That paper predates some of the considerations of the current design, so 
it may not be a complete answer.

Anyone who has ideas in this area is invited to come prepared to present 
or discuss.  If you think you would like to present, please let the chairs 
know.

I particularly invite the RIRs to join in this discussion.

--Sandy, speaking as wg chair






From turners@ieca.com  Thu Jul 14 09:40:09 2011
Message-ID: <4E1F1BD5.3080804@ieca.com>
Date: Thu, 14 Jul 2011 12:39:49 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:5.0) Gecko/20110624 Thunderbird/5.0
MIME-Version: 1.0
To: Sandra Murphy <Sandra.Murphy@sparta.com>
References: <m2hb6r11r1.wl%randy@psg.com> <Pine.WNT.4.64.1107131925450.5584@SMURPHY-LT.columbia.ads.sparta.com>
In-Reply-To: <Pine.WNT.4.64.1107131925450.5584@SMURPHY-LT.columbia.ads.sparta.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] WG LC for draft-ietf-sidr-ghostbusters-06.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Jul 2011 16:40:10 -0000

I've read this document and support moving it forward.

Make sure to ask Stewart to send an email to the mailing list 
ietf-types@ietf.org asking for comments on the Media Type section of 
your specification.

spt

On 7/13/11 7:35 PM, Sandra Murphy wrote:
>
> The chairs have received a request from the authors for a WG Last Call
> for "The RPKI Ghostbusters Record", draft-ietf-sidr-ghostbusters-06.
>
> The document and the draft version history are available at:
> http://tools.ietf.org/wg/sidr/draft-ietf-sidr-ghostbusters
>
> The Last Call will end Wed, 3 Aug 2011 (AOE). This is three weeks
> instead of the usual two, because the IETF week will occupy people's
> time and attention.
>
> As usual, please address all comments to the WG mailing list, and please
> be clear in your comments to this last call if you are supporting the
> document's submission to the IESG or if you are opposed. If you are
> opposed, please indicate why.
>
> --Sandy, speaking as wg chair, with wg chair snood on
>
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr
>

From paul.hoffman@vpnc.org  Thu Jul 14 09:54:15 2011
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFB7511E807C for <sidr@ietfa.amsl.com>; Thu, 14 Jul 2011 09:54:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.676
X-Spam-Level: 
X-Spam-Status: No, score=-102.676 tagged_above=-999 required=5 tests=[AWL=-0.077, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b4AeeapuC1H3 for <sidr@ietfa.amsl.com>; Thu, 14 Jul 2011 09:54:12 -0700 (PDT)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id 402B821F8CDE for <sidr@ietf.org>; Thu, 14 Jul 2011 09:54:09 -0700 (PDT)
Received: from [10.20.30.101] (50-0-66-4.dsl.dynamic.fusionbroadband.com [50.0.66.4] (may be forged)) (authenticated bits=0) by hoffman.proper.com (8.14.4/8.14.3) with ESMTP id p6EGrw3s083959 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Thu, 14 Jul 2011 09:53:58 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset=us-ascii
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <Pine.WNT.4.64.1107131925450.5584@SMURPHY-LT.columbia.ads.sparta.com>
Date: Thu, 14 Jul 2011 09:54:06 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <D8529C91-A620-45EF-AE16-9A8A5168C00A@vpnc.org>
References: <m2hb6r11r1.wl%randy@psg.com> <Pine.WNT.4.64.1107131925450.5584@SMURPHY-LT.columbia.ads.sparta.com>
To: Sandra Murphy <sandra.murphy@sparta.com>
X-Mailer: Apple Mail (2.1084)
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] WG LC for draft-ietf-sidr-ghostbusters-06.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Jul 2011 16:54:18 -0000

I have read the document and think it would be a useful standard. In
specific, wearing my very dusty vCard-supporter hat, the constrained
profile for vCard seems quite appropriate.

--Paul Hoffman


From terry.manderson@icann.org  Thu Jul 14 19:00:26 2011
Return-Path: <terry.manderson@icann.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43E8821F873E for <sidr@ietfa.amsl.com>; Thu, 14 Jul 2011 19:00:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.368
X-Spam-Level: 
X-Spam-Status: No, score=-106.368 tagged_above=-999 required=5 tests=[AWL=0.231, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M5qV8mbg4hfg for <sidr@ietfa.amsl.com>; Thu, 14 Jul 2011 19:00:25 -0700 (PDT)
Received: from EXPFE100-1.exc.icann.org (expfe100-1.exc.icann.org [64.78.22.236]) by ietfa.amsl.com (Postfix) with ESMTP id 9D42B21F873D for <sidr@ietf.org>; Thu, 14 Jul 2011 19:00:25 -0700 (PDT)
Received: from EXVPMBX100-1.exc.icann.org ([64.78.22.232]) by EXPFE100-1.exc.icann.org ([64.78.22.236]) with mapi; Thu, 14 Jul 2011 19:00:25 -0700
From: Terry Manderson <terry.manderson@icann.org>
To: Sandra Murphy <Sandra.Murphy@sparta.com>, sidr wg list <sidr@ietf.org>
Date: Thu, 14 Jul 2011 19:00:22 -0700
Thread-Topic: [sidr] WG LC for draft-ietf-sidr-ghostbusters-06.txt
Thread-Index: AcxBtZKXKviyMFStS4KzsmG5uYkbSgA3WHSj
Message-ID: <CA45DC56.17D5B%terry.manderson@icann.org>
In-Reply-To: <Pine.WNT.4.64.1107131925450.5584@SMURPHY-LT.columbia.ads.sparta.com>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [sidr] WG LC for draft-ietf-sidr-ghostbusters-06.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jul 2011 02:00:26 -0000

Have read -06 and I think (generally) it is fine to progress with a tiny
personal nit.

I did wonder as I was reading the document if the object is optional or
mandatory in the repository structure? For example if I create a ROA, MUST I
create a Ghostbusters record? I can certainly see that for healthy NOC
operation, a Ghostbusters record is a really nice thing to have for allowing
others to contact you. Perhaps a sentence or two clarifying this.

This might also then help the relying parties in terms of their validation
workload. (not that the workload is high or anything) Can they happily
discard or delay the validation of the Ghostbusters record if they so choose?

Cheers
Terry


On 14/07/11 9:35 AM, "Sandra Murphy" <Sandra.Murphy@sparta.com> wrote:

>
>
> The chairs have received a request from the authors for a WG Last Call for
> "The RPKI Ghostbusters Record", draft-ietf-sidr-ghostbusters-06.
>
> The document and the draft version history are available at:
> http://tools.ietf.org/wg/sidr/draft-ietf-sidr-ghostbusters
>
> The Last Call will end Wed, 3 Aug 2011 (AOE).  This is three weeks instead
> of the usual two, because the IETF week will occupy people's time and
> attention.
>
> As usual, please address all comments to the WG mailing list, and please
> be clear in your comments to this last call if you are supporting the
> document's submission to the IESG or if you are opposed. If you are
> opposed, please indicate why.
>
> --Sandy, speaking as wg chair, with wg chair snood on
>
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr


From stbryant@cisco.com  Fri Jul 15 12:53:52 2011
Return-Path: <stbryant@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D6EA21F8C64 for <sidr@ietfa.amsl.com>; Fri, 15 Jul 2011 12:53:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.523
X-Spam-Level: 
X-Spam-Status: No, score=-110.523 tagged_above=-999 required=5 tests=[AWL=0.076, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7OssrmAQav1U for <sidr@ietfa.amsl.com>; Fri, 15 Jul 2011 12:53:48 -0700 (PDT)
Received: from ams-iport-1.cisco.com (ams-iport-1.cisco.com [144.254.224.140]) by ietfa.amsl.com (Postfix) with ESMTP id 13A0C21F8C52 for <sidr@ietf.org>; Fri, 15 Jul 2011 12:53:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=stbryant@cisco.com; l=383; q=dns/txt; s=iport; t=1310759628; x=1311969228; h=message-id:date:from:reply-to:mime-version:to:cc:subject: content-transfer-encoding; bh=ew2Jyczs+dCd1gSHCo302ahfhdR6U0yw2arlAuEFP4E=; b=B9FP5xy0AP+1jjgFhYc9dBYmr3Gp9HrcDg/FtfOuS6cK7qfNVr5FrVd6 HpRvNmnGHiaeESJp/RzZDtCkO4L0+TYL2rFgYyGKm32StIl5DPYS5XGMv 6+WXkdPOIKkAfL3CIyN4Fpjg94UirevolMAfkMsMwLLKeoHB7lRVtGyb/ o=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AnYHAI6aIE6Q/khM/2dsb2JhbABUmHCOf3etCoMVDwGbAYY6BJJmkFQ
X-IronPort-AV: E=Sophos;i="4.67,209,1309737600"; d="scan'208";a="102632867"
Received: from ams-core-3.cisco.com ([144.254.72.76]) by ams-iport-1.cisco.com with ESMTP; 15 Jul 2011 19:53:47 +0000
Received: from cisco.com (mrwint.cisco.com [64.103.70.36]) by ams-core-3.cisco.com (8.14.3/8.14.3) with ESMTP id p6FJrkKv011645; Fri, 15 Jul 2011 19:53:47 GMT
Received: from stbryant-mac2.local (localhost [127.0.0.1]) by cisco.com (8.14.4+Sun/8.8.8) with ESMTP id p6FJrjOq000982; Fri, 15 Jul 2011 20:53:46 +0100 (BST)
Message-ID: <4E209AC9.5040808@cisco.com>
Date: Fri, 15 Jul 2011 20:53:45 +0100
From: Stewart Bryant <stbryant@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:5.0) Gecko/20110624 Thunderbird/5.0
MIME-Version: 1.0
To: sidr@ietf.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: draft-ietf-sidr-repos-struct@tools.ietf.org, "sidr-chairs@tools.ietf.org" <sidr-chairs@tools.ietf.org>
Subject: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: stbryant@cisco.com
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jul 2011 19:53:52 -0000

SIDR WG,

During IESG review there was a preference for
draft-ietf-sidr-repos-struct to be Standards Track
rather than BCP.

Making this change does not require a new IETF LC.

I want to get a sense of whether the WG would be OK
with this change of track.

If anyone has a reason not to change to Standards
Track, please let me know by 29th July.

Thanks

Stewart



From kent@bbn.com  Sat Jul 16 11:18:15 2011
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B02521F8741 for <sidr@ietfa.amsl.com>; Sat, 16 Jul 2011 11:18:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.462
X-Spam-Level: 
X-Spam-Status: No, score=-106.462 tagged_above=-999 required=5 tests=[AWL=0.093, BAYES_00=-2.599, DATE_IN_PAST_03_06=0.044, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aBfuA9LMciru for <sidr@ietfa.amsl.com>; Sat, 16 Jul 2011 11:18:14 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id B4B1621F872E for <sidr@ietf.org>; Sat, 16 Jul 2011 11:18:14 -0700 (PDT)
Received: from dommiel.bbn.com ([192.1.122.15]:57059 helo=[10.205.137.93]) by smtp.bbn.com with esmtp (Exim 4.74 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1Qi8ya-000HCe-RQ; Sat, 16 Jul 2011 13:48:29 -0400
Mime-Version: 1.0
Message-Id: <p06240804ca474e4c20ea@[192.168.1.10]>
In-Reply-To: <4E209AC9.5040808@cisco.com>
References: <4E209AC9.5040808@cisco.com>
Date: Sat, 16 Jul 2011 10:19:13 -0400
To: stbryant@cisco.com
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Cc: draft-ietf-sidr-repos-struct@tools.ietf.org, "sidr-chairs@tools.ietf.org" <sidr-chairs@tools.ietf.org>, sidr@ietf.org
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Jul 2011 18:18:15 -0000

At 8:53 PM +0100 7/15/11, Stewart Bryant wrote:
>SIDR WG,
>
>During IESG review there was a preference for
>draft-ietf-sidr-repos-struct to be Standards Track
>rather than BCP.
>
>Making this change does not require a new IETF LC.
>
>I want to get a sense of whether the WG would be OK
>with this change of track.
>
>If anyone has a reason not to change to Standards
>Track, please let me know by 29th July.
>
>Thanks
>
>Stewart

I'm comfortable with standard (instead of BCP).

Steve

From gih@apnic.net  Sat Jul 16 18:33:46 2011
Return-Path: <gih@apnic.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6C0E21F8893 for <sidr@ietfa.amsl.com>; Sat, 16 Jul 2011 18:33:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -93.564
X-Spam-Level: 
X-Spam-Status: No, score=-93.564 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_NET=0.611, HOST_EQ_AU=0.327, HOST_MISMATCH_AU=2.444, RCVD_IN_PBL=0.905, RCVD_IN_SORBS_DUL=0.877, RDNS_DYNAMIC=0.1, RELAY_IS_220=2.118, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CcH5b1-8AKhn for <sidr@ietfa.amsl.com>; Sat, 16 Jul 2011 18:33:46 -0700 (PDT)
Received: from asmtp.apnic.net (asmtp.apnic.net [IPv6:2001:dc0:2001:11::199]) by ietfa.amsl.com (Postfix) with ESMTP id D1FC121F8828 for <sidr@ietf.org>; Sat, 16 Jul 2011 18:33:44 -0700 (PDT)
Received: from dhcp176.potaroo.net (220-253-182-136.NSW.netspace.net.au [220.253.182.136]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by asmtp.apnic.net (Postfix) with ESMTP id 6D85FB68BC; Sun, 17 Jul 2011 11:33:42 +1000 (EST)
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset=us-ascii
From: Geoff Huston <gih@apnic.net>
In-Reply-To: <4E209AC9.5040808@cisco.com>
Date: Sun, 17 Jul 2011 11:33:35 +1000
Content-Transfer-Encoding: quoted-printable
Message-Id: <686C0E84-0495-4D8B-B69D-B6C784E0996F@apnic.net>
References: <4E209AC9.5040808@cisco.com>
To: stbryant@cisco.com
X-Mailer: Apple Mail (2.1084)
Cc: draft-ietf-sidr-repos-struct@tools.ietf.org, "sidr-chairs@tools.ietf.org" <sidr-chairs@tools.ietf.org>, sidr@ietf.org
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Jul 2011 01:33:47 -0000

On 16/07/2011, at 5:53 AM, Stewart Bryant wrote:

> SIDR WG,
>
> During IESG review there was a preference for
> draft-ietf-sidr-repos-struct to be Standards Track
> rather than BCP.
>
> Making this change does not require a new IETF LC.
>
> I want to get a sense of whether the WG would be OK
> with this change of track.
>
> If anyone has a reason not to change to Standards
> Track, please let me know by 29th July.

The draft is ambivalent - it has a bunch of standards-type normative
terms of MUSTs and SHOULDs, yet the introduction states that these are
just recommendations.

As far as I understand it, as long as a CA conformed to the res-cert
profile draft and related standards track specs, the CA can do pretty
much whatever it wants in terms of the structure of their repository
publication point and a cautious Relying Party would still be able to
synchronise with it. So as far as I can see the draft is logically a BCP
in so far as it is saying "this is good practice for a CA in terms of
management of its publication point" and, quite properly, the draft
falls short of saying "this is a necessary set of constraints that are
necessary for interoperability."

I suspect that either way the draft should be edited. If it were to be
standards track the introductory text that refers to recommendations
should be altered to say that this is a mandatory part of the
specification of a CA's publication (but in such a case I do not believe
that there is clear technical justification for such a restriction), and
if it were left as a BCP then it would be more consistent if the use of
normative terms were to be excised from the draft.

Personally I feel that Standards Track is using a sledge hammer to crack
a nut - I think it's overkill and has no clear technical justification in
my view.

Geoff

From sra@hactrn.net  Sun Jul 17 07:53:28 2011
Return-Path: <sra@hactrn.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CEB2621F861D for <sidr@ietfa.amsl.com>; Sun, 17 Jul 2011 07:53:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.276
X-Spam-Level: 
X-Spam-Status: No, score=-101.276 tagged_above=-999 required=5 tests=[AWL=-1.324, BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, RCVD_IN_PBL=0.905, RCVD_IN_SORBS_DUL=0.877, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qr31INEEAM61 for <sidr@ietfa.amsl.com>; Sun, 17 Jul 2011 07:53:24 -0700 (PDT)
Received: from adrilankha.hactrn.net (adrilankha.hactrn.net [IPv6:2001:418:1::19]) by ietfa.amsl.com (Postfix) with ESMTP id C708721F85E1 for <sidr@ietf.org>; Sun, 17 Jul 2011 07:53:23 -0700 (PDT)
Received: from minas-ithil.hactrn.net (c-66-30-16-106.hsd1.ma.comcast.net [66.30.16.106]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "nargothrond.hactrn.net", Issuer "Grunchweather Associates" (verified OK)) by adrilankha.hactrn.net (Postfix) with ESMTPS id 9F6DCB865; Sun, 17 Jul 2011 14:53:22 +0000 (UTC)
Received: from minas-ithil.hactrn.net (localhost [127.0.0.1]) by minas-ithil.hactrn.net (Postfix) with ESMTP id 6460631BDB0; Sun, 17 Jul 2011 10:53:23 -0400 (EDT)
Date: Sun, 17 Jul 2011 10:53:23 -0400
From: Rob Austein <sra@isc.org>
To: Stewart Bryant <stbryant@cisco.com>
In-Reply-To: <4E209AC9.5040808@cisco.com>
References: <4E209AC9.5040808@cisco.com>
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Message-Id: <20110717145323.6460631BDB0@minas-ithil.hactrn.net>
Cc: draft-ietf-sidr-repos-struct@tools.ietf.org, sidr-chairs@tools.ietf.org, sidr@ietf.org
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Jul 2011 14:53:28 -0000

This draft defines the mappings from filename extension (.cer, .roa,
.crl, etc) to ASN.1 object type (X.509 certificate, ROA, CRL, etc).

Without this mapping, relying party tools have no way of knowing what
they're looking at in most cases, and would have to attempt to decode
every object in various ways to see which (if any) worked.  This would
be tedious, error prone, and generally a bad idea.

For this reason, I think the document that defines the filename
mappings should be Standards Track; at present, that's this document,
so I agree with the change of track.

From gih@apnic.net  Sun Jul 17 14:41:49 2011
Return-Path: <gih@apnic.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EC8F21F869D for <sidr@ietfa.amsl.com>; Sun, 17 Jul 2011 14:41:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -93.564
X-Spam-Level: 
X-Spam-Status: No, score=-93.564 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HELO_MISMATCH_NET=0.611, HOST_EQ_AU=0.327, HOST_MISMATCH_AU=2.444, RCVD_IN_PBL=0.905, RCVD_IN_SORBS_DUL=0.877, RDNS_DYNAMIC=0.1, RELAY_IS_220=2.118, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5aUULAAtdCWw for <sidr@ietfa.amsl.com>; Sun, 17 Jul 2011 14:41:48 -0700 (PDT)
Received: from asmtp.apnic.net (asmtp.apnic.net [IPv6:2001:dc0:2001:11::199]) by ietfa.amsl.com (Postfix) with ESMTP id 62DE221F8686 for <sidr@ietf.org>; Sun, 17 Jul 2011 14:41:48 -0700 (PDT)
Received: from dhcp176.potaroo.net (220-253-182-136.NSW.netspace.net.au [220.253.182.136]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by asmtp.apnic.net (Postfix) with ESMTP id 20725B689A; Mon, 18 Jul 2011 07:41:46 +1000 (EST)
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset=us-ascii
From: Geoff Huston <gih@apnic.net>
In-Reply-To: <20110717145323.6460631BDB0@minas-ithil.hactrn.net>
Date: Mon, 18 Jul 2011 07:41:40 +1000
Content-Transfer-Encoding: quoted-printable
Message-Id: <F3747D13-2885-4DBE-8B86-DAE1C61D75CA@apnic.net>
References: <4E209AC9.5040808@cisco.com> <20110717145323.6460631BDB0@minas-ithil.hactrn.net>
To: Rob Austein <sra@isc.org>
X-Mailer: Apple Mail (2.1084)
Cc: draft-ietf-sidr-repos-struct@tools.ietf.org, sidr@ietf.org, sidr-chairs@tools.ietf.org
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Jul 2011 21:41:49 -0000

On 18/07/2011, at 12:53 AM, Rob Austein wrote:

> This draft defines the mappings from filename extension (.cer, .roa,
> .crl, etc) to ASN.1 object type (X.509 certificate, ROA, CRL, etc).
>
> Without this mapping, relying party tools have no way of knowing what
> they're looking at in most cases, and would have to attempt to decode
> every object in various ways to see which (if any) worked.  This would
> be tedious, error prone, and generally a bad idea.

But wouldn't the CMS (and ASN.1 for that matter) effectively tell the RP
what the object was intended to be? It strikes me that the file name
extension is a bit of syntactic sugar rather than an essential and
necessary component, so I'm curious to understand what has changed in
this particular PKI that makes the filename extension such a necessary
attribute. If this is the case would a rogue CA be able to mount an
effective DOS attack for all RPs by deliberately mis-naming objects?

Geoff


From sra@hactrn.net  Sun Jul 17 16:40:31 2011
Return-Path: <sra@hactrn.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0641C21F877F for <sidr@ietfa.amsl.com>; Sun, 17 Jul 2011 16:40:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.614
X-Spam-Level: 
X-Spam-Status: No, score=-100.614 tagged_above=-999 required=5 tests=[AWL=-0.662, BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, RCVD_IN_PBL=0.905, RCVD_IN_SORBS_DUL=0.877, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7qfMJC4ja282 for <sidr@ietfa.amsl.com>; Sun, 17 Jul 2011 16:40:30 -0700 (PDT)
Received: from adrilankha.hactrn.net (adrilankha.hactrn.net [IPv6:2001:418:1::19]) by ietfa.amsl.com (Postfix) with ESMTP id 6BC6621F8779 for <sidr@ietf.org>; Sun, 17 Jul 2011 16:40:30 -0700 (PDT)
Received: from minas-ithil.hactrn.net (c-66-30-16-106.hsd1.ma.comcast.net [66.30.16.106]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "nargothrond.hactrn.net", Issuer "Grunchweather Associates" (verified OK)) by adrilankha.hactrn.net (Postfix) with ESMTPS id 792F8B85A; Sun, 17 Jul 2011 23:40:29 +0000 (UTC)
Received: from minas-ithil.hactrn.net (localhost [127.0.0.1]) by minas-ithil.hactrn.net (Postfix) with ESMTP id CA86F31DA93; Sun, 17 Jul 2011 19:40:28 -0400 (EDT)
Date: Sun, 17 Jul 2011 19:40:28 -0400
From: Rob Austein <sra@isc.org>
To: Geoff Huston <gih@apnic.net>
In-Reply-To: <F3747D13-2885-4DBE-8B86-DAE1C61D75CA@apnic.net>
References: <4E209AC9.5040808@cisco.com> <20110717145323.6460631BDB0@minas-ithil.hactrn.net> <F3747D13-2885-4DBE-8B86-DAE1C61D75CA@apnic.net>
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Message-Id: <20110717234028.CA86F31DA93@minas-ithil.hactrn.net>
Cc: draft-ietf-sidr-repos-struct@tools.ietf.org, sidr@ietf.org, sidr-chairs@tools.ietf.org
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Jul 2011 23:40:31 -0000

At Mon, 18 Jul 2011 07:41:40 +1000, Geoff Huston wrote:
> On 18/07/2011, at 12:53 AM, Rob Austein wrote:
> 
> But wouldn't the CMS (and ASN.1 for that matter) effectively tell
> the RP what the object was intended to be?

As I said: "attempt to decode every object in various ways to see
which (if any) worked".  Not all objects are CMS.  The outermost
layers of ASN.1 on most of them are sequences of sequences of blah
blah blah.  Yes, if one peers at these things long enough it becomes
obvious what they are, assuming no encoding errors, but it's not like
there's a trivial tag in each one saying "this an X.509 certificate",
"this is a CMS object", or "this is a CRL".

> It strikes me that the file name extension is a bit of syntactic
> sugar rather than an essential and necessary component, so I'm
> curious to understand what has changed in this particular PKI that
> makes the filename extension such a necessary attribute.

Most PKIs aren't deep trees distributed over an arbitrarily large
number of distinct servers and directories, in most cases one knows
exactly what an object purports to be when one attempts to validate
it, and in most cases one is not attempting to validate tens of
thousands of objects at once.

> If this is the case would a rogue CA be able to mount an effective
> DOS attack for all RPs by deliberately mis-naming objects?

No.  The names are hints as to the intended decoding.  If the encoding
doesn't match the hint, the decode fails pretty quickly.  The
difference here is that the RP tries exactly one decode, and if that
doesn't work, the object is toast.

A MITM attack on rsync could of course whack the filenames, but it
could also corrupt the objects themselves, with pretty much the same
effect, so it's not a new threat.
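
Added example (not part of the thread and not taken from any RPKI validator): a Python sketch of the single-decode dispatch described in Rob Austein's two messages above, where the filename extension selects exactly one decoder and a mismatch rejects the object with no fallback. The shape checks stand in for a full ASN.1 decode, the DER samples are constructed skeletons, and `classify`, `EXPECTED_TYPE` and the other names are hypothetical.

```python
import os

# Extension -> object type the relying party will attempt. Only the three
# extensions named in the thread are listed here.
EXPECTED_TYPE = {".cer": "certificate", ".crl": "crl", ".roa": "cms"}
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2


class DecodeError(ValueError):
    """The bytes do not have the shape the filename promised."""


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise DecodeError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise DecodeError("multi-byte tag not expected here")
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise DecodeError("bad length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise DecodeError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def outer_sequence(der):
    tag, val, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise DecodeError("not a single DER SEQUENCE")
    return children(val)


def check_signed_shape(der, first_tbs_tag):
    # Certificates and CRLs share the outer shape
    # SEQUENCE { SEQUENCE, SEQUENCE, BIT STRING }; no tag names the type.
    kids = outer_sequence(der)
    if [t for t, _ in kids] != [0x30, 0x30, 0x03]:
        raise DecodeError("outer shape mismatch")
    tbs = children(kids[0][1])
    if not tbs or tbs[0][0] != first_tbs_tag:
        raise DecodeError("unexpected first field")


def check_cms(der):
    kids = outer_sequence(der)
    if len(kids) != 2 or kids[0] != (0x06, OID_SIGNED_DATA) or kids[1][0] != 0xA0:
        raise DecodeError("not a CMS SignedData ContentInfo")


# Assumption: certificates carry an explicit [0] version field and CRLs an
# INTEGER version field, so the first to-be-signed tag separates the two.
DECODERS = {
    "certificate": lambda d: check_signed_shape(d, 0xA0),
    "crl": lambda d: check_signed_shape(d, 0x02),
    "cms": check_cms,
}


def classify(filename, der):
    """Try exactly one decode, chosen by extension; never fall back."""
    kind = EXPECTED_TYPE.get(os.path.splitext(filename)[1].lower())
    if kind is None:
        return ("skipped", "unknown extension")
    try:
        DECODERS[kind](der)
    except DecodeError as exc:
        return ("rejected", f"{kind}: {exc}")
    return ("accepted", kind)


def tlv(tag, *parts):
    """Build a short-form DER element (sample construction only)."""
    body = b"".join(parts)
    if len(body) >= 0x80:
        raise ValueError("sample helper handles short lengths only")
    return bytes([tag, len(body)]) + body


# Constructed skeletons: correct outer structure, no real keys or signatures.
ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")), tlv(0x05))
SIG = tlv(0x03, b"\x00\xff")
SAMPLE_CERT = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")),
                            tlv(0x02, b"\x01")), ALG, SIG)
SAMPLE_CRL = tlv(0x30, tlv(0x30, tlv(0x02, b"\x01"), ALG), ALG, SIG)
SAMPLE_CMS = tlv(0x30, tlv(0x06, OID_SIGNED_DATA), tlv(0xA0, tlv(0x30)))
```

A CRL published under a `.cer` name passes the outer shape check and fails only at the first to-be-signed field, which is the "no trivial tag" point; a real validator would go on to full decoding and signature validation after this dispatch.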

From terry.manderson@icann.org  Sun Jul 17 16:42:54 2011
Return-Path: <terry.manderson@icann.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0F7621F8757 for <sidr@ietfa.amsl.com>; Sun, 17 Jul 2011 16:42:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.391
X-Spam-Level: 
X-Spam-Status: No, score=-106.391 tagged_above=-999 required=5 tests=[AWL=0.208, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yt14nGp7IWor for <sidr@ietfa.amsl.com>; Sun, 17 Jul 2011 16:42:54 -0700 (PDT)
Received: from EXPFE100-1.exc.icann.org (expfe100-1.exc.icann.org [64.78.22.236]) by ietfa.amsl.com (Postfix) with ESMTP id 7714921F8754 for <sidr@ietf.org>; Sun, 17 Jul 2011 16:42:54 -0700 (PDT)
Received: from EXVPMBX100-1.exc.icann.org ([64.78.22.232]) by EXPFE100-1.exc.icann.org ([64.78.22.236]) with mapi; Sun, 17 Jul 2011 16:42:53 -0700
From: Terry Manderson <terry.manderson@icann.org>
To: "stbryant@cisco.com" <stbryant@cisco.com>, "sidr@ietf.org" <sidr@ietf.org>
Date: Sun, 17 Jul 2011 16:42:51 -0700
Thread-Topic: [sidr] draft-ietf-sidr-repos-struct to Standards Track
Thread-Index: AcxDKPsyukbEv/jHQcC1SlaP7JY+VABskJ59
Message-ID: <CA49B09B.17E05%terry.manderson@icann.org>
In-Reply-To: <4E209AC9.5040808@cisco.com>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "draft-ietf-sidr-repos-struct@tools.ietf.org" <draft-ietf-sidr-repos-struct@tools.ietf.org>, "sidr-chairs@tools.ietf.org" <sidr-chairs@tools.ietf.org>
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Jul 2011 23:42:55 -0000

Hi Stewart,

I'm struggling to see how draft-ietf-sidr-repos-struct could exist as a
Standards Track document without a significant rewrite and then passing back
through both WG and IETF last calls.

The document at this stage is structured as a _recommendation_ to RPKI
participants on one particular RPKI naming scheme.

While I think that having the files in the RPKI have particular extensions
helps relying parties decode the structure, I'm not convinced that turning
that into a standards action is a healthy option.

At this stage I feel more comfortable leaving it as BCP.

Cheers
Terry


On 16/07/11 5:53 AM, "Stewart Bryant" <stbryant@cisco.com> wrote:

> SIDR WG,
>
> During IESG review there was a preference for
> draft-ietf-sidr-repos-struct to be Standards Track
> rather than BCP.
>
> Making this change does not require a new IETF LC.
>
> I want to get a sense of whether the WG would be OK
> with this change of track.
>
> If anyone has a reason not to change to Standards
> Track, please let me know by 29th July.
>
> Thanks
>
> Stewart


From terry.manderson@icann.org  Sun Jul 17 16:42:57 2011
Return-Path: <terry.manderson@icann.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BCDB21F8891 for <sidr@ietfa.amsl.com>; Sun, 17 Jul 2011 16:42:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.41
X-Spam-Level: 
X-Spam-Status: No, score=-106.41 tagged_above=-999 required=5 tests=[AWL=0.189, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C7xdzHoBMRl8 for <sidr@ietfa.amsl.com>; Sun, 17 Jul 2011 16:42:56 -0700 (PDT)
Received: from EXPFE100-2.exc.icann.org (expfe100-2.exc.icann.org [64.78.22.237]) by ietfa.amsl.com (Postfix) with ESMTP id A4AC021F87AF for <sidr@ietf.org>; Sun, 17 Jul 2011 16:42:56 -0700 (PDT)
Received: from EXVPMBX100-1.exc.icann.org ([64.78.22.232]) by EXPFE100-2.exc.icann.org ([64.78.22.237]) with mapi; Sun, 17 Jul 2011 16:42:55 -0700
From: Terry Manderson <terry.manderson@icann.org>
To: Rob Austein <sra@isc.org>, Stewart Bryant <stbryant@cisco.com>
Date: Sun, 17 Jul 2011 16:42:54 -0700
Thread-Topic: [sidr] draft-ietf-sidr-repos-struct to Standards Track
Thread-Index: AcxEkVfJwCEdzJQKTZmy54QvP9LGjgASeeoo
Message-ID: <CA49B09E.17E05%terry.manderson@icann.org>
In-Reply-To: <20110717145323.6460631BDB0@minas-ithil.hactrn.net>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "draft-ietf-sidr-repos-struct@tools.ietf.org" <draft-ietf-sidr-repos-struct@tools.ietf.org>, "sidr-chairs@tools.ietf.org" <sidr-chairs@tools.ietf.org>, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Jul 2011 23:42:57 -0000

On 18/07/11 12:53 AM, "Rob Austein" <sra@isc.org> wrote:

> This draft defines the mappings from filename extension (.cer, .roa,
> .crl, etc) to ASN.1 object type (X.509 certificate, ROA, CRL, etc).
>
> Without this mapping, relying party tools have no way of knowing what
> they're looking at in most cases, and would have to attempt to decode
> every object in various ways to see which (if any) worked.  This would
> be tedious, error prone, and generally a bad idea.
>

This actually makes me wonder why the manifest (
draft-ietf-sidr-rpki-manifests) in:

FileAndHash ::=     SEQUENCE {
      file            IA5String,
      hash            BIT STRING
      }

Doesn't have a RPKIObjectIdentifier that tells the relying party what the
object it has just retrieved is in terms of ROA/CERT/etc, as a signed
attestation.

(and then an appropriate IANA registry for RPKIObjectIdentifier could then
be created and populated as a standards track)

If repos-struct was standards track and the naming scheme was the prime
mapping system then if a RPKI repository publication [1] point is
compromised (or even MiTM!) it would be a trivial exercise to perform some
substitutions on the filename to confuse (routing security downgrade DoS)
the relying party.

[1] Remember that the publication point is _just_ an rsync server (at this
stage).

Cheers
Terry


From gih@apnic.net  Sun Jul 17 18:29:36 2011
Return-Path: <gih@apnic.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C36E21F889D for <sidr@ietfa.amsl.com>; Sun, 17 Jul 2011 18:29:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.895
X-Spam-Level: 
X-Spam-Status: No, score=-101.895 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CcfLgkRpxx9U for <sidr@ietfa.amsl.com>; Sun, 17 Jul 2011 18:29:36 -0700 (PDT)
Received: from asmtp.apnic.net (asmtp.apnic.net [IPv6:2001:dc0:2001:11::199]) by ietfa.amsl.com (Postfix) with ESMTP id 5B29C21F8741 for <sidr@ietf.org>; Sun, 17 Jul 2011 18:29:35 -0700 (PDT)
Received: from joan-vista.canberra.aarnet.edu.au (joan-vista.canberra.aarnet.edu.au [202.158.221.46]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by asmtp.apnic.net (Postfix) with ESMTP id BA35DB68D8; Mon, 18 Jul 2011 11:29:33 +1000 (EST)
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset=us-ascii
From: Geoff Huston <gih@apnic.net>
In-Reply-To: <CA49B09E.17E05%terry.manderson@icann.org>
Date: Mon, 18 Jul 2011 11:29:27 +1000
Content-Transfer-Encoding: quoted-printable
Message-Id: <D5E0EB84-C1FC-46E9-9CAD-1AC1632F701A@apnic.net>
References: <CA49B09E.17E05%terry.manderson@icann.org>
To: Terry Manderson <terry.manderson@icann.org>
X-Mailer: Apple Mail (2.1084)
Cc: Rob Austein <sra@isc.org>, "draft-ietf-sidr-repos-struct@tools.ietf.org" <draft-ietf-sidr-repos-struct@tools.ietf.org>, "sidr@ietf.org" <sidr@ietf.org>, "sidr-chairs@tools.ietf.org" <sidr-chairs@tools.ietf.org>
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jul 2011 01:29:36 -0000

On 18/07/2011, at 9:42 AM, Terry Manderson wrote:

>
> On 18/07/11 12:53 AM, "Rob Austein" <sra@isc.org> wrote:
>
>> This draft defines the mappings from filename extension (.cer, .roa,
>> .crl, etc) to ASN.1 object type (X.509 certificate, ROA, CRL, etc).
>>
>> Without this mapping, relying party tools have no way of knowing what
>> they're looking at in most cases, and would have to attempt to decode
>> every object in various ways to see which (if any) worked.  This would
>> be tedious, error prone, and generally a bad idea.
>>
>
> This actually makes me wonder why the manifest (
> draft-ietf-sidr-rpki-manifests) in:
>
> FileAndHash ::=     SEQUENCE {
>      file            IA5String,
>      hash            BIT STRING
>      }
>
> Doesn't have a RPKIObjectIdentifier that tells the relying party what the
> object it has just retrieved is in terms of ROA/CERT/etc, as a signed
> attestation.


I don't have an answer - it's a good question.

>
> (and then an appropriate IANA registry for RPKIObjectIdentifier could then
> be created and populated as a standards track)
>
> If repos-struct was standards track and the naming scheme was the prime
> mapping system then if a RPKI repository publication [1] point is
> compromised (or even MiTM!) it would be a trivial exercise to perform some
> substitutions on the filename to confuse (routing security downgrade DoS)
> the relying party.
>
> [1] Remember that the publication point is _just_ an rsync server (at this
> stage).

I personally feel uncomfortable on standardising a naming scheme from
the dim dark prehistory of mainframe filesystems as an intrinsic part
of the RPKI - it seems so retrograde! I thought a BCP represented a
slightly softer approach, but your question about the manifest contents
and type flagging in there is an interesting approach. At one stage
there was the thought that the manifest would be optional for a CA, but
somewhere along the path I think they were made mandatory, but in the
forest of SIDR drafts I have no idea which one says that manifests are
REQUIRED.

  Geoff

From kent@bbn.com  Sun Jul 17 19:33:47 2011
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C4E221F886C for <sidr@ietfa.amsl.com>; Sun, 17 Jul 2011 19:33:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.504
X-Spam-Level: 
X-Spam-Status: No, score=-106.504 tagged_above=-999 required=5 tests=[AWL=0.095, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bfJIfiG74Xgp for <sidr@ietfa.amsl.com>; Sun, 17 Jul 2011 19:33:47 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id 10DE321F8A57 for <sidr@ietf.org>; Sun, 17 Jul 2011 19:33:47 -0700 (PDT)
Received: from dommiel.bbn.com ([192.1.122.15]:43523 helo=[198.18.176.250]) by smtp.bbn.com with esmtp (Exim 4.74 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1QideI-0001Ek-D8; Sun, 17 Jul 2011 22:33:34 -0400
Mime-Version: 1.0
Message-Id: <p06240802ca494b0cfe83@[198.18.176.250]>
In-Reply-To: <F3747D13-2885-4DBE-8B86-DAE1C61D75CA@apnic.net>
References: <4E209AC9.5040808@cisco.com> <20110717145323.6460631BDB0@minas-ithil.hactrn.net> <F3747D13-2885-4DBE-8B86-DAE1C61D75CA@apnic.net>
Date: Sun, 17 Jul 2011 22:32:02 -0400
To: Geoff Huston <gih@apnic.net>
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Cc: Rob Austein <sra@isc.org>, draft-ietf-sidr-repos-struct@tools.ietf.org, sidr-chairs@tools.ietf.org, sidr@ietf.org
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jul 2011 02:33:47 -0000

At 7:41 AM +1000 7/18/11, Geoff Huston wrote:
>On 18/07/2011, at 12:53 AM, Rob Austein wrote:
>
>>  This draft defines the mappings from filename extension (.cer, .roa,
>>  .crl, etc) to ASN.1 object type (X.509 certificate, ROA, CRL, etc).
>>
>>  Without this mapping, relying party tools have no way of knowing what
>>  they're looking at in most cases, and would have to attempt to decode
>>  every object in various ways to see which (if any) worked.  This would
>>  be tedious, error prone, and generally a bad idea.
>
>But wouldn't the CMS (and ASN.1 for that matter) effectively tell 
>the RP what the object was intended to be? It strikes me that the 
>file name extension is a bit of syntactic sugar rather than an 
>essential and necessary component, so I'm curious to understand what 
>has changed in this particular PKI that makes the filename extension 
>such a necessary attribute. If this is the case would a rogue CA be 
>able to mount an effective DOS attack for all RPs by deliberately 
>mis-naming objects?

If you want to compare the RPKI to the general PKI repository model 
(X.500), note that in an X.500 directory, every object is tagged in a 
fashion analogous to the filename extension. LDAP tags objects as 
well. So why is it not appropriate to do so, in a normative fashion 
here?

Steve

From kent@bbn.com  Sun Jul 17 19:45:01 2011
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61C9F21F8AD1 for <sidr@ietfa.amsl.com>; Sun, 17 Jul 2011 19:45:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.516
X-Spam-Level: 
X-Spam-Status: No, score=-106.516 tagged_above=-999 required=5 tests=[AWL=0.083, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8Q+2GhcbdM7Q for <sidr@ietfa.amsl.com>; Sun, 17 Jul 2011 19:45:00 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id D49F221F8ABD for <sidr@ietf.org>; Sun, 17 Jul 2011 19:45:00 -0700 (PDT)
Received: from dommiel.bbn.com ([192.1.122.15]:50436 helo=[198.18.176.250]) by smtp.bbn.com with esmtp (Exim 4.74 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1Qidp1-0001Fx-80; Sun, 17 Jul 2011 22:44:39 -0400
Mime-Version: 1.0
Message-Id: <p06240804ca494c3744bd@[198.18.176.250]>
In-Reply-To: <CA49B09E.17E05%terry.manderson@icann.org>
References: <CA49B09E.17E05%terry.manderson@icann.org>
Date: Sun, 17 Jul 2011 22:42:29 -0400
To: Terry Manderson <terry.manderson@icann.org>
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Cc: Rob Austein <sra@isc.org>, "draft-ietf-sidr-repos-struct@tools.ietf.org" <draft-ietf-sidr-repos-struct@tools.ietf.org>, "sidr@ietf.org" <sidr@ietf.org>, "sidr-chairs@tools.ietf.org" <sidr-chairs@tools.ietf.org>
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jul 2011 02:45:01 -0000

At 4:42 PM -0700 7/17/11, Terry Manderson wrote:
>...
>
>This actually makes me wonder why the manifest (
>draft-ietf-sidr-rpki-manifests) in:
>
>FileAndHash ::=     SEQUENCE {
>       file            IA5String,
>       hash            BIT STRING
>       }
>
>Doesn't have a RPKIObjectIdentifier that tells the relying party what the
>object it has just retrieved is in terms of ROA/CERT/etc, as a signed
>attestation.

the filename extension, which is part of the "file" data type above, 
conveys the needed info. yes, one could add an OID here, but 
ultimately an RP will check the syntax and know which file is what 
type. So, adding an OID doesn't seem to help much in a manifest.

>(and then an appropriate IANA registry for RPKIObjectIdentifier could then
>be created and populated as a standards track)
>
>If repos-struct was standards track and the naming scheme was the prime
>mapping system then if a RPKI repository publication [1] point is
>compromised (or even MiTM!) it would be a trivial exercise to perform some
>substitutions on the filename to confuse (routing security downgrade DoS)
>the relying party.

if there are no mandated filename extensions, then every pub point is 
a mini-DoS attack, as Rob noted. We can't prevent a rogue pub point 
manager (or CA) from mislabelling files relative to the 3-char 
extension, but why invite chaos :-)?

An earlier draft of this doc called the extensions mere 
recommendations.  I persuaded Geoff to make them mandatory. The 
arguments I made then still
apply, which is why STD vs. BCP seems appropriate, to me.

Steve
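
The relying-party behaviour argued over in this thread, as an added example that is not part of any message or of the drafts' own code: the manifest's signed `file` entry fixes the name (extension included) and hash, the extension then selects exactly one decode attempt, and any mismatch rejects the object. Assumptions: the manifest hash is SHA-256, the manifest is a dict taken from an already-validated manifest, the shallow DER shape checks stand in for full decoders, and the sample objects and the name `mislabelled.cer` are constructed.

```python
import hashlib
from pathlib import PurePosixPath

# DER bytes (tag, length, value) of OID 1.2.840.113549.1.7.2, CMS id-signedData.
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")


def read_tlv(buf, pos=0):
    """Parse one DER TLV header at pos; return (tag, content_start, content_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("content runs past end of object")
    return tag, pos, pos + length


def outer_sequence(der):
    """Return the content of the outermost SEQUENCE, which must span the file."""
    tag, start, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    return der[start:end]


def check_cms(der):
    """ROAs are CMS: the outer SEQUENCE starts with the id-signedData OID."""
    if not outer_sequence(der).startswith(SIGNED_DATA_OID):
        raise ValueError("not CMS SignedData")


def check_tbs(der, first_tag, what):
    """Certificates and CRLs are both SEQUENCE { SEQUENCE { ... } ... }; in this
    shallow check only the first field of the inner SEQUENCE tells them apart."""
    body = outer_sequence(der)
    tag, start, end = read_tlv(body)
    if tag != 0x30:
        raise ValueError(f"not a {what}: inner element is not a SEQUENCE")
    if read_tlv(body[start:end])[0] != first_tag:
        raise ValueError(f"not a {what}: unexpected first field")


# One decoder per extension named in the thread; the name picks the only attempt.
# Assumption: certificates are v3 and CRLs are v2, as the RPKI profile requires.
DECODERS = {
    ".cer": lambda der: check_tbs(der, 0xA0, "certificate"),  # [0] version
    ".crl": lambda der: check_tbs(der, 0x02, "CRL"),          # INTEGER version
    ".roa": check_cms,
}


def accept(name, data, manifest):
    """Return (ok, reason). manifest maps file name to SHA-256 hex digest and is
    assumed to come from a manifest whose signature was already validated."""
    if name not in manifest:
        return False, "not listed in manifest"
    if hashlib.sha256(data).hexdigest() != manifest[name]:
        return False, "hash mismatch"
    decoder = DECODERS.get(PurePosixPath(name).suffix)
    if decoder is None:
        return False, "unknown extension"
    try:
        decoder(data)  # exactly one decode attempt, chosen by the extension
    except ValueError as exc:
        return False, str(exc)
    return True, "ok"


def sha(data):
    return hashlib.sha256(data).hexdigest()


# Constructed sample objects: minimal DER with the right outer shape only.
CERT = bytes.fromhex("300a3008a003020102020101")
CRL = bytes.fromhex("30053003020101")
ROA = bytes.fromhex("300f06092a864886f70d010702a0023000")

MANIFEST = {
    "ca.cer": sha(CERT),
    "revoked.crl": sha(CRL),
    "xyzzy.roa": sha(ROA),
    "mislabelled.cer": sha(ROA),  # issuer itself gave a ROA the wrong extension
}


def demo():
    return {
        "honest ROA": accept("xyzzy.roa", ROA, MANIFEST),
        "renamed at the publication point": accept("xyzzy.cer", ROA, MANIFEST),
        "mislabelled by the issuer": accept("mislabelled.cer", ROA, MANIFEST),
        "corrupted in transit": accept("ca.cer", CERT[:-1] + b"\x00", MANIFEST),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:35} {'accept' if ok else 'reject'}: {reason}")
```

A rename made at the publication point or in transit fails the manifest lookup before any decoding happens; a mislabel by the issuer passes the hash check and then fails its single decode attempt.
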

From gih@apnic.net  Sun Jul 17 19:53:19 2011
Return-Path: <gih@apnic.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E304221F8A58 for <sidr@ietfa.amsl.com>; Sun, 17 Jul 2011 19:53:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.283
X-Spam-Level: 
X-Spam-Status: No, score=-102.283 tagged_above=-999 required=5 tests=[AWL=0.388, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, GB_I_LETTER=-2, HELO_EQ_AU=0.377, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f9tVPiw2dCao for <sidr@ietfa.amsl.com>; Sun, 17 Jul 2011 19:53:19 -0700 (PDT)
Received: from asmtp.apnic.net (asmtp.apnic.net [IPv6:2001:dc0:2001:11::199]) by ietfa.amsl.com (Postfix) with ESMTP id 06A9C21F8A57 for <sidr@ietf.org>; Sun, 17 Jul 2011 19:53:19 -0700 (PDT)
Received: from joan-vista.canberra.aarnet.edu.au (unknown [202.158.221.46]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by asmtp.apnic.net (Postfix) with ESMTP id A1B8CB689A; Mon, 18 Jul 2011 12:53:17 +1000 (EST)
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset=us-ascii
From: Geoff Huston <gih@apnic.net>
In-Reply-To: <p06240802ca494b0cfe83@[198.18.176.250]>
Date: Mon, 18 Jul 2011 12:53:11 +1000
Content-Transfer-Encoding: quoted-printable
Message-Id: <46F6BC25-C99B-43A2-9ED1-810CE5E25A0F@apnic.net>
References: <4E209AC9.5040808@cisco.com> <20110717145323.6460631BDB0@minas-ithil.hactrn.net> <F3747D13-2885-4DBE-8B86-DAE1C61D75CA@apnic.net> <p06240802ca494b0cfe83@[198.18.176.250]>
To: Stephen Kent <kent@bbn.com>
X-Mailer: Apple Mail (2.1084)
Cc: Rob Austein <sra@isc.org>, draft-ietf-sidr-repos-struct@tools.ietf.org, sidr-chairs@tools.ietf.org, sidr@ietf.org
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jul 2011 02:53:20 -0000

On 18/07/2011, at 12:32 PM, Stephen Kent wrote:

> At 7:41 AM +1000 7/18/11, Geoff Huston wrote:
>> On 18/07/2011, at 12:53 AM, Rob Austein wrote:
>>
>>> This draft defines the mappings from filename extension (.cer, .roa,
>>> .crl, etc) to ASN.1 object type (X.509 certificate, ROA, CRL, etc).
>>>
>>> Without this mapping, relying party tools have no way of knowing what
>>> they're looking at in most cases, and would have to attempt to decode
>>> every object in various ways to see which (if any) worked.  This would
>>> be tedious, error prone, and generally a bad idea.
>>
>> But wouldn't the CMS (and ASN.1 for that matter) effectively tell the
>> RP what the object was intended to be? It strikes me that the file name
>> extension is a bit of syntactic sugar rather than an essential and
>> necessary component, so I'm curious to understand what has changed in
>> this particular PKI that makes the filename extension such a necessary
>> attribute. If this is the case would a rogue CA be able to mount an
>> effective DOS attack for all RPs by deliberately mis-naming objects?
>
> If you want to compare the RPKI to the general PKI repository model
> (X.500), note that in an X.500 directory, every object is tagged in a
> fashion analogous to the filename extension. LDAP tags objects as well.
> So why is it not appropriate to do so, in a normative fashion here?


How is this X.500 directory "tagging" achieved in other PKIs? Three
letter filename extension conventions? Or some other tag mechanism?

From terry.manderson@icann.org  Sun Jul 17 20:30:08 2011
Return-Path: <terry.manderson@icann.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 867E821F8AE1 for <sidr@ietfa.amsl.com>; Sun, 17 Jul 2011 20:30:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.426
X-Spam-Level: 
X-Spam-Status: No, score=-106.426 tagged_above=-999 required=5 tests=[AWL=0.173, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zEforfR3PIdO for <sidr@ietfa.amsl.com>; Sun, 17 Jul 2011 20:30:07 -0700 (PDT)
Received: from EXPFE100-1.exc.icann.org (expfe100-1.exc.icann.org [64.78.22.236]) by ietfa.amsl.com (Postfix) with ESMTP id A14AE21F8ADC for <sidr@ietf.org>; Sun, 17 Jul 2011 20:30:07 -0700 (PDT)
Received: from EXVPMBX100-1.exc.icann.org ([64.78.22.232]) by EXPFE100-1.exc.icann.org ([64.78.22.236]) with mapi; Sun, 17 Jul 2011 20:30:07 -0700
From: Terry Manderson <terry.manderson@icann.org>
To: Geoff Huston <gih@apnic.net>
Date: Sun, 17 Jul 2011 20:30:02 -0700
Thread-Topic: [sidr] draft-ietf-sidr-repos-struct to Standards Track
Thread-Index: AcxE6jPeHONdsC6OS6yowgCt/wxRwwAEMaA2
Message-ID: <CA49E5DA.17E17%terry.manderson@icann.org>
In-Reply-To: <D5E0EB84-C1FC-46E9-9CAD-1AC1632F701A@apnic.net>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Rob Austein <sra@isc.org>, "draft-ietf-sidr-repos-struct@tools.ietf.org" <draft-ietf-sidr-repos-struct@tools.ietf.org>, "sidr@ietf.org" <sidr@ietf.org>, "sidr-chairs@tools.ietf.org" <sidr-chairs@tools.ietf.org>
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jul 2011 03:30:08 -0000

On 18/07/11 11:29 AM, "Geoff Huston" <gih@apnic.net> wrote:

> On 18/07/2011, at 9:42 AM, Terry Manderson wrote:
>
>>
>> This actually makes me wonder why the manifest (
>> draft-ietf-sidr-rpki-manifests) in:
>>
>> FileAndHash ::=     SEQUENCE {
>>      file            IA5String,
>>      hash            BIT STRING
>>      }
>>
>> Doesn't have a RPKIObjectIdentifier that tells the relying party what the
>> object it has just retrieved is in terms of ROA/CERT/etc, as a signed
>> attestation.
>
>
> I don't have an answer - it's a good question.
>

Certainly one to consider, and touches more on my personal philosophical
point that while the 'directory and file' structure that is promulgated in
the RPKI work at this stage has utility, primarily based on 'what works now'
design choices - longer term I am far more comfortable in thinking toward an
object structure.

whereas now we see RSYNC://rpki.blah.org/something/xyzzy.roa one day in the
future when it is palatable to think along such lines something like
HTTPS://rpki.blah.org/something/subject?ROA might also validly exist.

<climbs down from soapbox>
=20
>=20
> I personally feel uncomfortable on standardising a naming scheme from the=
 dim
> dark prehistory of mainframe filesystems  as an intrinsic part of the RPK=
I -
> it seems so retrograde! I thought a BCP represented a slightly softer
> approach, but your question about the manifest contents and type flagging=
 in
> there is an interesting approach. At one stage there was the though that =
the
> manifest would be optional for a CA, but somewhere along the path I think=
 they
> were made mandatory, but in the forest of SIDR drafts I have no idea whic=
h one
> says that manifests are REQUIRED.

I believe draft-ietf-sidr-res-certs section 4.8.8.1.

"This extension MUST have an instance of an AccessDescription with an
   accessMethod of id-ad-rpkiManifest"

Terry


From terry.manderson@icann.org  Sun Jul 17 20:50:24 2011
Return-Path: <terry.manderson@icann.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E117321F8B11 for <sidr@ietfa.amsl.com>; Sun, 17 Jul 2011 20:50:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.439
X-Spam-Level: 
X-Spam-Status: No, score=-106.439 tagged_above=-999 required=5 tests=[AWL=0.160, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Na2HJLlNPYMf for <sidr@ietfa.amsl.com>; Sun, 17 Jul 2011 20:50:24 -0700 (PDT)
Received: from EXPFE100-1.exc.icann.org (expfe100-1.exc.icann.org [64.78.22.236]) by ietfa.amsl.com (Postfix) with ESMTP id 7622321F8B0A for <sidr@ietf.org>; Sun, 17 Jul 2011 20:50:24 -0700 (PDT)
Received: from EXVPMBX100-1.exc.icann.org ([64.78.22.232]) by EXPFE100-1.exc.icann.org ([64.78.22.236]) with mapi; Sun, 17 Jul 2011 20:50:24 -0700
From: Terry Manderson <terry.manderson@icann.org>
To: Stephen Kent <kent@bbn.com>, Geoff Huston <gih@apnic.net>
Date: Sun, 17 Jul 2011 20:50:19 -0700
Thread-Topic: [sidr] draft-ietf-sidr-repos-struct to Standards Track
Thread-Index: AcxE8y0dBaSkN3OERTqQmblMUXcE7QACqKmb
Message-ID: <CA49EA9B.17E1B%terry.manderson@icann.org>
In-Reply-To: <p06240802ca494b0cfe83@[198.18.176.250]>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Rob Austein <sra@isc.org>, "draft-ietf-sidr-repos-struct@tools.ietf.org" <draft-ietf-sidr-repos-struct@tools.ietf.org>, "sidr-chairs@tools.ietf.org" <sidr-chairs@tools.ietf.org>, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jul 2011 03:50:25 -0000

On 18/07/11 12:32 PM, "Stephen Kent" <kent@bbn.com> wrote:

>> But wouldn't the CMS (and ASN.1 for that matter) effectively tell
>> the RP what the object was intended to be? It strikes me that the
>> file name extension is a bit of syntactic sugar rather than an
>> essential and necessary component, so I'm curious to understand what
>> has changed in this particular PKI that makes the filename extension
>> such a necessary attribute. If this is the case would a rogue CA be
>> able to mount an effective DOS attack for all RPs by deliberately
>> mis-naming objects?
>
> If you want to compare the RPKI to the general PKI repository model
> (X.500), note that in an X.500 directory, every object is tagged in a
> fashion analogous to the filename extension. LDAP tags objects as
> well. So why is it not appropriate to do so, in a normative fashion
> here?
>

From what little I know about LDAP/X.500 directories, the tagging is driven
from the DIT. Surely that is more analogous to the RPKI manifest than a
filename based extension. Or am I missing your point or some key
example/information?

I'm happy to see things tagged in a normative fashion, I just think putting
the eggs into the filename/directory basket as a standards action is
worrying.

Cheers
Terry


From terry.manderson@icann.org  Sun Jul 17 21:08:44 2011
Return-Path: <terry.manderson@icann.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0AF4021F8B00 for <sidr@ietfa.amsl.com>; Sun, 17 Jul 2011 21:08:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.45
X-Spam-Level: 
X-Spam-Status: No, score=-106.45 tagged_above=-999 required=5 tests=[AWL=0.149, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yPTVx3+Cndwt for <sidr@ietfa.amsl.com>; Sun, 17 Jul 2011 21:08:43 -0700 (PDT)
Received: from EXPFE100-1.exc.icann.org (expfe100-1.exc.icann.org [64.78.22.236]) by ietfa.amsl.com (Postfix) with ESMTP id 95CF021F8AFE for <sidr@ietf.org>; Sun, 17 Jul 2011 21:08:43 -0700 (PDT)
Received: from EXVPMBX100-1.exc.icann.org ([64.78.22.232]) by EXPFE100-1.exc.icann.org ([64.78.22.236]) with mapi; Sun, 17 Jul 2011 21:08:43 -0700
From: Terry Manderson <terry.manderson@icann.org>
To: Stephen Kent <kent@bbn.com>
Date: Sun, 17 Jul 2011 21:08:41 -0700
Thread-Topic: [sidr] draft-ietf-sidr-repos-struct to Standards Track
Thread-Index: AcxE9LHLE87ArBHcRkGCvfOHvH4ciwAC67S5
Message-ID: <CA49EEE9.17E21%terry.manderson@icann.org>
In-Reply-To: <p06240804ca494c3744bd@[198.18.176.250]>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Rob Austein <sra@isc.org>, "draft-ietf-sidr-repos-struct@tools.ietf.org" <draft-ietf-sidr-repos-struct@tools.ietf.org>, "sidr@ietf.org" <sidr@ietf.org>, "sidr-chairs@tools.ietf.org" <sidr-chairs@tools.ietf.org>
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-List-Received-Date: Mon, 18 Jul 2011 04:08:44 -0000

On 18/07/11 12:42 PM, "Stephen Kent" <kent@bbn.com> wrote:

> At 4:42 PM -0700 7/17/11, Terry Manderson wrote:
>
> the filename extension, which is part of the "file" data type above,
> conveys the needed info. yes, one could add an OID here, but
> ultimately an RP will check the syntax and know which file is what
> type. So, adding an OID doesn't seem to help much in a manifest.

So, I'm confused.. if the RP ultimately checks the syntax, why is tagging
needed at all?

>
> if there are no mandated filename extensions, then every pub point is
> a mini-DoS attack, as Rob noted. We can't prevent a rogue pub point
> manager (or CA) from mislabelling files relative to the 3-char
> extension, but why invite chaos :-)?

Right, so it's a processing issue.

So through the hierarchy (loosely speaking TA points to CA, CA points to
Rescert, Rescert points to publication point and manifest) the lesser of the
chaos scenarios would be to put the 'labeling' in the highest possible
location within the publication point. I'm guessing the most sane is the
Manifest, if it is truly a standards action requirement.

As the manifest is a signed object, it has the benefit of being tightly
interpreted as an attestation by the issuer that this 'file' with a
specified hash is a ROA. How much clearer do you need to be? or want to be?

>
> An earlier draft of this doc called the extensions mere
> recommendations.  I persuaded Geoff to make them mandatory. The
> arguments I made then still
> apply, which is why STD vs. BCP seems appropriate, to me.
>

Were those arguments made on list? if so I will go hunting and reflect on
them with a Merlot in hand this evening.

Terry


From randy@psg.com  Sun Jul 17 22:05:57 2011
Return-Path: <randy@psg.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CD4721F8B23 for <sidr@ietfa.amsl.com>; Sun, 17 Jul 2011 22:05:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.53
X-Spam-Level: 
X-Spam-Status: No, score=-2.53 tagged_above=-999 required=5 tests=[AWL=0.069,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nSWl9gU3PtoH for <sidr@ietfa.amsl.com>; Sun, 17 Jul 2011 22:05:57 -0700 (PDT)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:1::36]) by ietfa.amsl.com (Postfix) with ESMTP id 1704021F8B29 for <sidr@ietf.org>; Sun, 17 Jul 2011 22:05:56 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=rair.psg.com.psg.com) by ran.psg.com with esmtp (Exim 4.76 (FreeBSD)) (envelope-from <randy@psg.com>) id 1Qig1W-000Adm-9F; Mon, 18 Jul 2011 05:05:42 +0000
Date: Sun, 17 Jul 2011 22:05:41 -0700
Message-ID: <m2mxgcrxei.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Stephen Kent <kent@bbn.com>
In-Reply-To: <p06240802ca494b0cfe83@[198.18.176.250]>
References: <4E209AC9.5040808@cisco.com> <20110717145323.6460631BDB0@minas-ithil.hactrn.net> <F3747D13-2885-4DBE-8B86-DAE1C61D75CA@apnic.net> <p06240802ca494b0cfe83@[198.18.176.250]>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Cc: Rob Austein <sra@isc.org>, draft-ietf-sidr-repos-struct@tools.ietf.org, sidr-chairs@tools.ietf.org, sidr@ietf.org
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-List-Received-Date: Mon, 18 Jul 2011 05:05:57 -0000

> If you want to compare the RPKI to the general PKI repository model 
> (X.500), note that in an X.500 directory, every object is tagged in a 
> fashion analogous to the filename extension. LDAP tags objects as 
> well. So why is it not appropriate to do so, in a normative fashion 
> here?

it is appropriate.  imiho, those should be MUSTs.

randy

From randy@psg.com  Sun Jul 17 22:06:58 2011
Return-Path: <randy@psg.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7BCFC21F8B08 for <sidr@ietfa.amsl.com>; Sun, 17 Jul 2011 22:06:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.532
X-Spam-Level: 
X-Spam-Status: No, score=-2.532 tagged_above=-999 required=5 tests=[AWL=0.067,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WcnXVLZT-uZU for <sidr@ietfa.amsl.com>; Sun, 17 Jul 2011 22:06:58 -0700 (PDT)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:1::36]) by ietfa.amsl.com (Postfix) with ESMTP id 03AC621F8AED for <sidr@ietf.org>; Sun, 17 Jul 2011 22:06:58 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=rair.psg.com.psg.com) by ran.psg.com with esmtp (Exim 4.76 (FreeBSD)) (envelope-from <randy@psg.com>) id 1Qig2R-000AeB-Lx; Mon, 18 Jul 2011 05:06:39 +0000
Date: Sun, 17 Jul 2011 22:06:39 -0700
Message-ID: <m2livwrxcw.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Terry Manderson <terry.manderson@icann.org>
In-Reply-To: <CA49EEE9.17E21%terry.manderson@icann.org>
References: <p06240804ca494c3744bd@[198.18.176.250]> <CA49EEE9.17E21%terry.manderson@icann.org>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Cc: Rob Austein <sra@isc.org>, "draft-ietf-sidr-repos-struct@tools.ietf.org" <draft-ietf-sidr-repos-struct@tools.ietf.org>, "sidr-chairs@tools.ietf.org" <sidr-chairs@tools.ietf.org>, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-List-Received-Date: Mon, 18 Jul 2011 05:06:58 -0000

> So, I'm confused.. if the RP ultimately checks the syntax, why is tagging
> needed at all?

think tlv.  that's the t

randy

From tim@ripe.net  Mon Jul 18 04:39:13 2011
Return-Path: <tim@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74FA821F8BA2 for <sidr@ietfa.amsl.com>; Mon, 18 Jul 2011 04:39:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kg7QyIjxaDiF for <sidr@ietfa.amsl.com>; Mon, 18 Jul 2011 04:39:13 -0700 (PDT)
Received: from postgirl.ripe.net (postgirl.ipv6.ripe.net [IPv6:2001:67c:2e8:11::c100:1342]) by ietfa.amsl.com (Postfix) with ESMTP id 8B76F21F8B92 for <sidr@ietf.org>; Mon, 18 Jul 2011 04:39:12 -0700 (PDT)
Received: from dodo.ripe.net ([193.0.23.4]) by postgirl.ripe.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <tim@ripe.net>) id 1QimAF-0006Xq-QL; Mon, 18 Jul 2011 13:39:10 +0200
Received: from timbru.vpn.ripe.net ([193.0.21.62]) by dodo.ripe.net with esmtps (TLSv1:AES128-SHA:128) (Exim 4.72) (envelope-from <tim@ripe.net>) id 1QimAF-0000pV-Ex; Mon, 18 Jul 2011 13:39:07 +0200
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset=us-ascii
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <20110717145323.6460631BDB0@minas-ithil.hactrn.net>
Date: Mon, 18 Jul 2011 13:39:06 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <1134F1F2-0964-4B85-A1EB-5B7A5B604C5B@ripe.net>
References: <4E209AC9.5040808@cisco.com> <20110717145323.6460631BDB0@minas-ithil.hactrn.net>
To: Rob Austein <sra@isc.org>
X-Mailer: Apple Mail (2.1084)
X-RIPE-Spam-Level: ----
X-RIPE-Spam-Report: Spam Total Points:   -4.0 points pts rule name              description ---- ---------------------- ------------------------------------ -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP -1.1 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1% [score: 0.0000]
X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a07198b1bedbe17afcc2444342e24c5d8fa8c
Cc: draft-ietf-sidr-repos-struct@tools.ietf.org, sidr@ietf.org, sidr-chairs@tools.ietf.org
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-List-Received-Date: Mon, 18 Jul 2011 11:39:13 -0000

Hi,

On Jul 17, 2011, at 4:53 PM, Rob Austein wrote:
> This draft defines the mappings from filename extension (.cer, .roa,
> .crl, etc) to ASN.1 object type (X.509 certificate, ROA, CRL, etc).
>
> Without this mapping, relying party tools have no way of knowing what
> they're looking at in most cases, and would have to attempt to decode
> every object in various ways to see which (if any) worked.  This would
> be tedious, error prone, and generally a bad idea.
>
> For this reason, I think the document that defines the filename
> mappings should be Standards Track; at present, that's this document,
> so I agree with the change of track.

+1

I agree that not having this mapping is tedious and error prone for RPs.

Example:
- ROA that isn't strictly standard compliant / validator has bug in ROA
recognition

Validator tries to parse as roa, cer, crl, mft; then gives up...

This is not only ugly code to maintain, it also makes it difficult to
debug problems. The happy flow case, while cumbersome, is not the
biggest problem here I think..

How do we work out, in this example, what caused the actual problem? From
the software side it's rather involved to build something like: this
looks 99% like a ROA, one I don't understand, but it's probably what
they meant or something like that... so our tool just says: I don't
understand this *object*.

If we do have the mapping the validator can give a far more informed
error message. For starters it can say: "I don't understand this
*ROA*.". But also, since it knows it should be a ROA it can report why
it rejected it as a ROA. If we had no clues about the intent we would
also have to tell the users why we rejected it as any other object.. The
less noise we produce here the easier it will be for RPs and publishers
to work out where the real problem is and fix it.

Whether this mapping strictly needs to be in this draft may be another
question.


Regards,


Tim Bruijnzeels

Implementing stuff @RIPE NCC

From terry.manderson@icann.org  Mon Jul 18 18:57:39 2011
Return-Path: <terry.manderson@icann.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D47821F86AB for <sidr@ietfa.amsl.com>; Mon, 18 Jul 2011 18:57:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -107.46
X-Spam-Level: 
X-Spam-Status: No, score=-107.46 tagged_above=-999 required=5 tests=[AWL=1.139, BAYES_00=-2.599, GB_I_LETTER=-2, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dl5-1RSoXx9o for <sidr@ietfa.amsl.com>; Mon, 18 Jul 2011 18:57:38 -0700 (PDT)
Received: from EXPFE100-1.exc.icann.org (expfe100-1.exc.icann.org [64.78.22.236]) by ietfa.amsl.com (Postfix) with ESMTP id 98F8D21F86A2 for <sidr@ietf.org>; Mon, 18 Jul 2011 18:57:38 -0700 (PDT)
Received: from EXVPMBX100-1.exc.icann.org ([64.78.22.232]) by EXPFE100-1.exc.icann.org ([64.78.22.236]) with mapi; Mon, 18 Jul 2011 18:57:37 -0700
From: Terry Manderson <terry.manderson@icann.org>
To: Tim Bruijnzeels <tim@ripe.net>, Rob Austein <sra@isc.org>
Date: Mon, 18 Jul 2011 18:57:34 -0700
Thread-Topic: [sidr] draft-ietf-sidr-repos-struct to Standards Track
Thread-Index: AcxFP2AMTsBYVBo2QPSHDoq3fzYfkgAd9nec
Message-ID: <CA4B21AE.17EE7%terry.manderson@icann.org>
In-Reply-To: <1134F1F2-0964-4B85-A1EB-5B7A5B604C5B@ripe.net>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "draft-ietf-sidr-repos-struct@tools.ietf.org" <draft-ietf-sidr-repos-struct@tools.ietf.org>, "sidr-chairs@tools.ietf.org" <sidr-chairs@tools.ietf.org>, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-List-Received-Date: Tue, 19 Jul 2011 01:57:39 -0000

On 18/07/11 9:39 PM, "Tim Bruijnzeels" <tim@ripe.net> wrote:

> Hi,
>
> I agree that not having this mapping is tedious and error prone for RPs.

I can agree that a mapping system is useful. It may just be that living unix
world for far too long has seen me move away from the mandatory dos-like
suffixes to the voluntary use of extensions in a unix file system as a
*hint* to the file contents and nothing more.

And I'm happy to see it written as a hint. A validated mapping should come,
in my opinion from something more robust which also transcends the
technology used in the repository.

>
> Example:
> - ROA that isn't strictly standard compliant / validator has bug in ROA
> recognition
>
> Validator tries to parse as roa, cer, crl, mft; then gives up...
>

So the validator has a bug. fix the validator?

> This is not only ugly code to maintain, it also makes it difficult to debug
> problems. The happy flow case, while cumbersome, is not the biggest problem
> here I think..
>
> How do we work out, in this example, what caused the actual problem? From the
> software side it's rather involved to build something like: this looks 99%
> like a ROA, one I don't understand, but it's probably what they meant or
> something like that... so our tool just says: I don't understand this
> *object*.
>

Same goes for a misname (malicious or otherwise) of the file. A robust
mechanism as I see it doesn't live in three letter extensions.

>
> Whether this mapping strictly needs to be in this draft may be another
> question.
>

Agree with that point.

Cheers
Terry


From randy@psg.com  Mon Jul 18 21:23:42 2011
Return-Path: <randy@psg.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEA6A21F8733 for <sidr@ietfa.amsl.com>; Mon, 18 Jul 2011 21:23:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.535
X-Spam-Level: 
X-Spam-Status: No, score=-2.535 tagged_above=-999 required=5 tests=[AWL=0.064,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 67uW9afXI8Cb for <sidr@ietfa.amsl.com>; Mon, 18 Jul 2011 21:23:42 -0700 (PDT)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:1::36]) by ietfa.amsl.com (Postfix) with ESMTP id 2897221F8700 for <sidr@ietf.org>; Mon, 18 Jul 2011 21:23:42 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=rair.psg.com.psg.com) by ran.psg.com with esmtp (Exim 4.76 (FreeBSD)) (envelope-from <randy@psg.com>) id 1Qj1pz-000EdL-Sw; Tue, 19 Jul 2011 04:23:16 +0000
Date: Mon, 18 Jul 2011 21:23:15 -0700
Message-ID: <m2mxgaq4p8.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Terry Manderson <terry.manderson@icann.org>
In-Reply-To: <CA4B21AE.17EE7%terry.manderson@icann.org>
References: <1134F1F2-0964-4B85-A1EB-5B7A5B604C5B@ripe.net> <CA4B21AE.17EE7%terry.manderson@icann.org>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Cc: Rob Austein <sra@isc.org>, "draft-ietf-sidr-repos-struct@tools.ietf.org" <draft-ietf-sidr-repos-struct@tools.ietf.org>, "sidr@ietf.org" <sidr@ietf.org>, "sidr-chairs@tools.ietf.org" <sidr-chairs@tools.ietf.org>
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-List-Received-Date: Tue, 19 Jul 2011 04:23:42 -0000

> And I'm happy to see it written as a hint. A validated mapping should
> come, in my opinion from something more robust which also transcends
> the technology used in the repository.

easy.  throw away the entire structure and code to date and do it as a
collection of tlvs.

i suspect no one else wants to go there, at least no one with code in
the game.

randy

From terry.manderson@icann.org  Mon Jul 18 21:37:16 2011
Return-Path: <terry.manderson@icann.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 159EF21F86DD for <sidr@ietfa.amsl.com>; Mon, 18 Jul 2011 21:37:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.532
X-Spam-Level: 
X-Spam-Status: No, score=-106.532 tagged_above=-999 required=5 tests=[AWL=0.067, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eIVCoV1BYrsB for <sidr@ietfa.amsl.com>; Mon, 18 Jul 2011 21:37:15 -0700 (PDT)
Received: from EXPFE100-1.exc.icann.org (expfe100-1.exc.icann.org [64.78.22.236]) by ietfa.amsl.com (Postfix) with ESMTP id 9D3E721F86C7 for <sidr@ietf.org>; Mon, 18 Jul 2011 21:37:15 -0700 (PDT)
Received: from EXVPMBX100-1.exc.icann.org ([64.78.22.232]) by EXPFE100-1.exc.icann.org ([64.78.22.236]) with mapi; Mon, 18 Jul 2011 21:37:14 -0700
From: Terry Manderson <terry.manderson@icann.org>
To: Randy Bush <randy@psg.com>
Date: Mon, 18 Jul 2011 21:37:13 -0700
Thread-Topic: [sidr] draft-ietf-sidr-repos-struct to Standards Track
Thread-Index: AcxFy6TFJSoRgyLsRx2maZ+rmIVpgwAAeKvU
Message-ID: <CA4B4719.17EF2%terry.manderson@icann.org>
In-Reply-To: <m2mxgaq4p8.wl%randy@psg.com>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Rob Austein <sra@isc.org>, "draft-ietf-sidr-repos-struct@tools.ietf.org" <draft-ietf-sidr-repos-struct@tools.ietf.org>, "sidr@ietf.org" <sidr@ietf.org>, "sidr-chairs@tools.ietf.org" <sidr-chairs@tools.ietf.org>
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-List-Received-Date: Tue, 19 Jul 2011 04:37:16 -0000

On 19/07/11 2:23 PM, "Randy Bush" <randy@psg.com> wrote:

>> And I'm happy to see it written as a hint. A validated mapping should
>> come, in my opinion from something more robust which also transcends
>> the technology used in the repository.
>
> easy.  throw away the entire structure and code to date and do it as a
> collection of tlvs.

I think there is an easier way, as already suggested. Add the object type to
the manifest in FileandHash.

1) the rescert points to the publication point and manifest
2) the manifest is mandatory
3) the manifest is signed
4) the manifest is nicely(?) readable ASN.1

Really it's a much nicer and more robust solution than either throwing the
entire structure out or using filename extensions to 'mandate' file/object
content.

Then if hints, for human readable reasons, are still required then maintain
the extensions as they are as a BCP.

>
> i suspect no one else wants to go there, at least no one with code in
> the game.

Really... that is a shame. I always thought that coders wanted to make their
code less susceptible to adverse external influence.

T.


From randy@psg.com  Tue Jul 19 04:16:02 2011
Return-Path: <randy@psg.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C06A21F8749 for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 04:16:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.536
X-Spam-Level: 
X-Spam-Status: No, score=-2.536 tagged_above=-999 required=5 tests=[AWL=0.063,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id COqQeoAveB2J for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 04:16:01 -0700 (PDT)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:1::36]) by ietfa.amsl.com (Postfix) with ESMTP id 968F821F8552 for <sidr@ietf.org>; Tue, 19 Jul 2011 04:16:01 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=rair.psg.com.psg.com) by ran.psg.com with esmtp (Exim 4.76 (FreeBSD)) (envelope-from <randy@psg.com>) id 1Qj8HD-000Fff-2x; Tue, 19 Jul 2011 11:15:47 +0000
Date: Tue, 19 Jul 2011 04:15:46 -0700
Message-ID: <m239i2pllp.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Terry Manderson <terry.manderson@icann.org>
In-Reply-To: <CA4B4719.17EF2%terry.manderson@icann.org>
References: <m2mxgaq4p8.wl%randy@psg.com> <CA4B4719.17EF2%terry.manderson@icann.org>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Cc: draft-ietf-sidr-repos-struct@tools.ietf.org, sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-List-Received-Date: Tue, 19 Jul 2011 11:16:02 -0000

> I think there is an easier way, as already suggested. Add the object
> type to the manifest in FileandHash.
> 
> 1) the rescert points to the publication point and manifest
> 2) the manifest is mandatory
> 3) the manifest is signed
> 4) the manifest is nicely(?) readable ASN.1

so move the deck chairs from coding the type in a directory maintained
by the operating system to one the spec and the programmers write and
maintain?  big win there, eh?

> Really it's a much nicer and more robust solution than either throwing the
> entire structure out or using filename extensions to 'mandate' file/object
> content.

we've a long tradition of using the file name extensions, formalities
for registering them, ...  do we really need to reinvent the wheel?
where is the win?

>> i suspect no one else wants to go there, at least no one with code in
>> the game.
> Really... that is a shame. I always thought that coders wanted to make
> their code less susceptible to adverse external influence.

luckily for me, i do not have to think.  they already supported the move
from bcp to ps on this very list.

a principal goal of this little ietf thing is interoperability.  the
iesg noted we were being a little weak in ensuring interoperability in a
spec that has already been written, coded multiple times, mildly
deployed, approved by the wg, gone through ietf last call, and passed by
the iesg.

for this to be changed now is not impossible.  it just needs some really
solid reasoning and really solid documentation of how and why it should
be changed.

randy

From terry.manderson@icann.org  Tue Jul 19 05:51:53 2011
Return-Path: <terry.manderson@icann.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB3E721F854C for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 05:51:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.535
X-Spam-Level: 
X-Spam-Status: No, score=-106.535 tagged_above=-999 required=5 tests=[AWL=0.063, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H6xRhZ+IcC+O for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 05:51:53 -0700 (PDT)
Received: from EXPFE100-2.exc.icann.org (expfe100-2.exc.icann.org [64.78.22.237]) by ietfa.amsl.com (Postfix) with ESMTP id 5583821F851F for <sidr@ietf.org>; Tue, 19 Jul 2011 05:51:53 -0700 (PDT)
Received: from EXVPMBX100-1.exc.icann.org ([64.78.22.232]) by EXPFE100-2.exc.icann.org ([64.78.22.237]) with mapi; Tue, 19 Jul 2011 05:51:52 -0700
From: Terry Manderson <terry.manderson@icann.org>
To: Randy Bush <randy@psg.com>
Date: Tue, 19 Jul 2011 05:51:50 -0700
Thread-Topic: [sidr] draft-ietf-sidr-repos-struct to Standards Track
Thread-Index: AcxGBU0CyMKBu47zQmiYld9ZLl+qowADVNRv
Message-ID: <CA4BBB06.17F28%terry.manderson@icann.org>
In-Reply-To: <m239i2pllp.wl%randy@psg.com>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "draft-ietf-sidr-repos-struct@tools.ietf.org" <draft-ietf-sidr-repos-struct@tools.ietf.org>, sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-List-Received-Date: Tue, 19 Jul 2011 12:51:53 -0000

On 19/07/11 9:15 PM, "Randy Bush" <randy@psg.com> wrote:

>> I think there is an easier way, as already suggested. Add the object
>> type to the manifest in FileandHash.
>>
>> 1) the rescert points to the publication point and manifest
>> 2) the manifest is mandatory
>> 3) the manifest is signed
>> 4) the manifest is nicely(?) readable ASN.1
>
> so move the deck chairs from coding the type in a directory maintained
> by the operating system to one the spec and the programmers write and
> maintain?  big win there, eh?

The win is to eliminate a threat that has already been identified on the
list.

Is that not worthwhile?

Perhaps consider it from a view of security requirement, than coding ease.

>
>> Really it's a much nicer and more robust solution than either throwing the
>> entire structure out or using filename extensions to 'mandate' file/object
>> content.
>
> we've a long tradition of using the file name extensions, formalities
> for registering them, ...  do we really need to reinvent the wheel?
> where is the win?
>

In the case of a repository system that may over time represent some worth,
and looking at this from a point of eventually operating such a repository
high up in the tree I have a concern of injecting 2 more paragraphs of text
into an organisational risk analysis that could raise eyebrows given a simple
solution to an identified threat has been proposed.

I can tell now I'll be answering "What the!?!" type questions from people
with significantly more influence than I for weeks, if not months. :(

>>> i suspect no one else wants to go there, at least no one with code in
>>> the game.
>> Really... that is a shame. I always thought that coders wanted to make
>> their code less susceptible to adverse external influence.
>
> luckily for me, i do not have to think.  they already supported the move
> from bcp to ps on this very list.

And I can only hope they rethink their position.

>
> for this to be changed now is not impossible.  it just needs some really
> solid reasoning and really solid documentation of how and why it should
> be changed.
>

So both Steve and Rob identified that mapping is required to remove a mini
DoS threat (and I'm fine with that). Geoff and I have the belief that a
mapping based on the extension exposes a CA/Repository related threat given
the objects are supposed to be secure in nature. The suggestion of adding
the mapping/type into the Manifest (while awkward in ietf processing) gives
both the mapping result, and removes the CA/Repository threat identified.

What other documentation are you looking for?

If it helps, I can also propose the ASN.1 substitution for the manifest and
the necessary paragraph for the IANA considerations section.

Cheers
Terry


From sra@hactrn.net  Tue Jul 19 06:59:59 2011
Return-Path: <sra@hactrn.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B2C821F8797 for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 06:59:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.393
X-Spam-Level: 
X-Spam-Status: No, score=-100.393 tagged_above=-999 required=5 tests=[AWL=-0.441, BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, RCVD_IN_PBL=0.905, RCVD_IN_SORBS_DUL=0.877, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RrCyuQQV3AUe for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 06:59:58 -0700 (PDT)
Received: from adrilankha.hactrn.net (adrilankha.hactrn.net [IPv6:2001:418:1::19]) by ietfa.amsl.com (Postfix) with ESMTP id 6344221F873A for <sidr@ietf.org>; Tue, 19 Jul 2011 06:59:58 -0700 (PDT)
Received: from minas-ithil.hactrn.net (c-66-30-16-106.hsd1.ma.comcast.net [66.30.16.106]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "nargothrond.hactrn.net", Issuer "Grunchweather Associates" (not verified)) by adrilankha.hactrn.net (Postfix) with ESMTPS id 6C63BB878; Tue, 19 Jul 2011 13:59:57 +0000 (UTC)
Received: from minas-ithil.hactrn.net (localhost [127.0.0.1]) by minas-ithil.hactrn.net (Postfix) with ESMTP id C8EC033C66F; Tue, 19 Jul 2011 09:59:56 -0400 (EDT)
Date: Tue, 19 Jul 2011 09:59:56 -0400
From: Rob Austein <sra@isc.org>
To: Terry Manderson <terry.manderson@icann.org>
In-Reply-To: <CA4BBB06.17F28%terry.manderson@icann.org>
References: <m239i2pllp.wl%randy@psg.com> <CA4BBB06.17F28%terry.manderson@icann.org>
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Message-Id: <20110719135956.C8EC033C66F@minas-ithil.hactrn.net>
Cc: draft-ietf-sidr-repos-struct@tools.ietf.org, sidr@ietf.org
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2011 13:59:59 -0000

At Tue, 19 Jul 2011 05:51:50 -0700, Terry Manderson wrote:
> 
> The win is to eliminate a threat that has already been identified on the
> list.

What threat?  Please describe it.

The only "threat" I saw discussed is, in my opinion, a non-issue: an
attacker can mangle filenames in the unprotected data stream, thus
causing objects to fail validation.  An attacker who can do that can
also mangle the objects themselves in the unprotected data stream,
which will also cause the objects to fail validation, so being able to
change the filenames doesn't give the attacker anything new.

> The suggestion of adding the mapping/type into the Manifest (while
> awkward in ietf processing) gives both the mapping result, and
> removes the CA/Repository threat identified.

The file types are already in the manifest, because the file types are
encoded in the filenames, which are in the manifest.

From tim@ripe.net  Tue Jul 19 07:25:34 2011
Return-Path: <tim@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC15721F87C5 for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 07:25:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Utvj+lqNeMT1 for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 07:25:34 -0700 (PDT)
Received: from postgirl.ripe.net (postgirl.ipv6.ripe.net [IPv6:2001:67c:2e8:11::c100:1342]) by ietfa.amsl.com (Postfix) with ESMTP id 12A7021F8588 for <sidr@ietf.org>; Tue, 19 Jul 2011 07:25:34 -0700 (PDT)
Received: from ayeaye.ripe.net ([193.0.23.5]) by postgirl.ripe.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <tim@ripe.net>) id 1QjBEm-0003cu-HN; Tue, 19 Jul 2011 16:25:29 +0200
Received: from timbru.vpn.ripe.net ([193.0.21.62]) by ayeaye.ripe.net with esmtps (TLSv1:AES128-SHA:128) (Exim 4.72) (envelope-from <tim@ripe.net>) id 1QjBEm-0001bv-4V; Tue, 19 Jul 2011 16:25:28 +0200
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset=us-ascii
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <20110719135956.C8EC033C66F@minas-ithil.hactrn.net>
Date: Tue, 19 Jul 2011 16:25:27 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <6D9FDC97-2A01-4916-B5AF-C25174891FEC@ripe.net>
References: <m239i2pllp.wl%randy@psg.com> <CA4BBB06.17F28%terry.manderson@icann.org> <20110719135956.C8EC033C66F@minas-ithil.hactrn.net>
To: Rob Austein <sra@isc.org>
X-Mailer: Apple Mail (2.1084)
X-RIPE-Spam-Level: ----
X-RIPE-Spam-Report: Spam Total Points:   -4.0 points pts rule name              description ---- ---------------------- ------------------------------------ -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP -1.1 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1% [score: 0.0000]
X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a0719ac290000d2169aa1b676ea98ffdf1ab7
Cc: draft-ietf-sidr-repos-struct@tools.ietf.org, sidr@ietf.org
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2011 14:25:35 -0000

On Jul 19, 2011, at 3:59 PM, Rob Austein wrote:

> At Tue, 19 Jul 2011 05:51:50 -0700, Terry Manderson wrote:
>>
>> The win is to eliminate a threat that has already been identified on the
>> list.
>
> What threat?  Please describe it.
>
> The only "threat" I saw discussed is, in my opinion, a non-issue: an
> attacker can mangle filenames in the unprotected data stream, thus
> causing objects to fail validation.  An attacker who can do that can
> also mangle the objects themselves in the unprotected data stream,
> which will also cause the objects to fail validation, so being able to
> change the filenames doesn't give the attacker anything new.
>
>> The suggestion of adding the mapping/type into the Manifest (while
>> awkward in ietf processing) gives both the mapping result, and
>> removes the CA/Repository threat identified.
>
> The file types are already in the manifest, because the file types are
> encoded in the filenames, which are in the manifest.

and to add to this:
Objects may appear in the repository but not on the manifest (manifest doc 8.5).
So having the type as a field in the manifest does not help.

I am sorry if I am oversimplifying or missing the point but my impression is that:
- some people don't like file extension mapping for reasons that are not technically convincing to me.
- other people say that having them will actually make it much easier to solve problems between RPs and publishers.

Like I said I am happy to have this mapping as a standard elsewhere if the repos-struct draft has other stuff in it preventing this from going to standards track.

And if we can't have standard I suppose we will just trial-error-parse-it-all and say 'Can't understand your "object"', instead of something useful...

Regards,

Tim

From Sandra.Murphy@cobham.com  Tue Jul 19 07:37:52 2011
Return-Path: <Sandra.Murphy@cobham.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26E6921F85F2 for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 07:37:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.811
X-Spam-Level: 
X-Spam-Status: No, score=-101.811 tagged_above=-999 required=5 tests=[AWL=0.788, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AIdTb-j3tCTo for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 07:37:51 -0700 (PDT)
Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by ietfa.amsl.com (Postfix) with ESMTP id 673A321F85AA for <sidr@ietf.org>; Tue, 19 Jul 2011 07:37:50 -0700 (PDT)
Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.13.5/8.13.5) with ESMTP id p6JEbnFJ008917; Tue, 19 Jul 2011 09:37:49 -0500
Received: from mailbin2.ads.sparta.com (mailbin.sparta.com [157.185.85.6]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id p6JEblIg027398; Tue, 19 Jul 2011 09:37:47 -0500
Received: from SMURPHY-LT.columbia.ads.sparta.com ([157.185.81.116]) by mailbin2.ads.sparta.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675); Tue, 19 Jul 2011 10:37:46 -0400
Date: Tue, 19 Jul 2011 10:37:46 -0400 (Eastern Daylight Time)
From: Sandra Murphy <Sandra.Murphy@sparta.com>
To: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <6D9FDC97-2A01-4916-B5AF-C25174891FEC@ripe.net>
Message-ID: <Pine.WNT.4.64.1107191036260.6484@SMURPHY-LT.columbia.ads.sparta.com>
References: <m239i2pllp.wl%randy@psg.com> <CA4BBB06.17F28%terry.manderson@icann.org> <20110719135956.C8EC033C66F@minas-ithil.hactrn.net> <6D9FDC97-2A01-4916-B5AF-C25174891FEC@ripe.net>
X-X-Sender: sandy@mailbin.sparta.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-OriginalArrivalTime: 19 Jul 2011 14:37:46.0944 (UTC) FILETIME=[6D5AE400:01CC4621]
Cc: Rob Austein <sra@isc.org>, draft-ietf-sidr-repos-struct@tools.ietf.org, sidr@ietf.org
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2011 14:37:52 -0000

On Tue, 19 Jul 2011, Tim Bruijnzeels wrote:

>
> On Jul 19, 2011, at 3:59 PM, Rob Austein wrote:
>
>> At Tue, 19 Jul 2011 05:51:50 -0700, Terry Manderson wrote:
>>>
>>> The win is to eliminate a threat that has already been identified on the
>>> list.
>>
>> What threat?  Please describe it.
>>
>> The only "threat" I saw discussed is, in my opinion, a non-issue: an
>> attacker can mangle filenames in the unprotected data stream, thus
>> causing objects to fail validation.  An attacker who can do that can
>> also mangle the objects themselves in the unprotected data stream,
>> which will also cause the objects to fail validation, so being able to
>> change the filenames doesn't give the attacker anything new.
>>
>>> The suggestion of adding the mapping/type into the Manifest (while
>>> awkward in ietf processing) gives both the mapping result, and
>>> removes the CA/Repository threat identified.
>>
>> The file types are already in the manifest, because the file types are
>> encoded in the filenames, which are in the manifest.
>
> and to add to this:
> Objects may appear in the repository but not on the manifest (manifest doc 8.5).
> So having the type as a field in the manifest does not help.
>
> I am sorry if I am oversimplifying or missing the point but my impression is that:
> - some people don't like file extension mapping for reasons that are not technically convincing to me.
> - other people say that having them will actually make it much easier to solve problems between RPs and publishers.
>
> Like I said I am happy to have this mapping as a standard elsewhere if the repos-struct draft has other stuff in it preventing this from going to standards track.


A process reminder here.  Several other documents point to the 
repos-struct draft, some of them specifically regarding the file 
extensions.  Separating out the tagging into a separate document could 
mean some serious review of multiple documents.

--Sandy, speaking as wg chair



>
> And if we can't have standard I suppose we will just trial-error-parse-it-all and say 'Can't understand your "object"', instead of something useful...
>


> Regards,
>
> Tim

From Sandra.Murphy@cobham.com  Tue Jul 19 07:44:39 2011
Return-Path: <Sandra.Murphy@cobham.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC6C421F8698 for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 07:44:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.867
X-Spam-Level: 
X-Spam-Status: No, score=-101.867 tagged_above=-999 required=5 tests=[AWL=0.732, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GqCSeg-SvQSo for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 07:44:39 -0700 (PDT)
Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by ietfa.amsl.com (Postfix) with ESMTP id 48CF721F8658 for <sidr@ietf.org>; Tue, 19 Jul 2011 07:44:39 -0700 (PDT)
Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.13.5/8.13.5) with ESMTP id p6JEfp6M009014; Tue, 19 Jul 2011 09:41:51 -0500
Received: from mailbin2.ads.sparta.com (mailbin.sparta.com [157.185.85.6]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id p6JEfpxY027598; Tue, 19 Jul 2011 09:41:51 -0500
Received: from SMURPHY-LT.columbia.ads.sparta.com ([157.185.81.116]) by mailbin2.ads.sparta.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675); Tue, 19 Jul 2011 10:41:50 -0400
Date: Tue, 19 Jul 2011 10:41:50 -0400 (Eastern Daylight Time)
From: Sandra Murphy <Sandra.Murphy@sparta.com>
To: Terry Manderson <terry.manderson@icann.org>
In-Reply-To: <CA4BBB06.17F28%terry.manderson@icann.org>
Message-ID: <Pine.WNT.4.64.1107191040380.6484@SMURPHY-LT.columbia.ads.sparta.com>
References: <CA4BBB06.17F28%terry.manderson@icann.org>
X-X-Sender: sandy@mailbin.sparta.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-OriginalArrivalTime: 19 Jul 2011 14:41:50.0672 (UTC) FILETIME=[FEA0D500:01CC4621]
Cc: "draft-ietf-sidr-repos-struct@tools.ietf.org" <draft-ietf-sidr-repos-struct@tools.ietf.org>, sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2011 14:44:39 -0000

On Tue, 19 Jul 2011, Terry Manderson wrote:

>
> On 19/07/11 9:15 PM, "Randy Bush" <randy@psg.com> wrote:
>
>>> I think there is an easier way, as already suggested. Add the object
>>> type to the manifest in FileandHash.
>>>
>>> 1) the rescert points to the publication point and manifest
>>> 2) the manifest is mandatory
>>> 3) the manifest is signed
>>> 4) the manifest is nicely(?) readable ASN.1
>>
>> so move the deck chairs from coding the type in a directory maintained
>> by the operating system to one the spec and the programmers write and
>> maintain?  big win there, eh?
>
> The win is to eliminate a threat that has already been identified on the
> list.

I see that someone else has already responded to this statement, but I'd 
like to chime in that I'd like to see an explicit statement of the threat 
and how the OID mechanism you suggest would counter it.

--Sandy, speaking as wg chair


From Sandra.Murphy@cobham.com  Tue Jul 19 08:02:50 2011
Return-Path: <Sandra.Murphy@cobham.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0F6021F8922 for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 08:02:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.916
X-Spam-Level: 
X-Spam-Status: No, score=-101.916 tagged_above=-999 required=5 tests=[AWL=0.683, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TpQp-j60V3+L for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 08:02:50 -0700 (PDT)
Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by ietfa.amsl.com (Postfix) with ESMTP id 1A52621F8661 for <sidr@ietf.org>; Tue, 19 Jul 2011 08:02:50 -0700 (PDT)
Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.13.5/8.13.5) with ESMTP id p6JF2TMn009449; Tue, 19 Jul 2011 10:02:29 -0500
Received: from mailbin2.ads.sparta.com (mailbin.sparta.com [157.185.85.6]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id p6JF2ST8028498; Tue, 19 Jul 2011 10:02:28 -0500
Received: from SMURPHY-LT.columbia.ads.sparta.com ([157.185.81.116]) by mailbin2.ads.sparta.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675); Tue, 19 Jul 2011 11:02:28 -0400
Date: Tue, 19 Jul 2011 11:02:27 -0400 (Eastern Daylight Time)
From: Sandra Murphy <Sandra.Murphy@sparta.com>
To: Terry Manderson <terry.manderson@icann.org>
In-Reply-To: <CA4B21AE.17EE7%terry.manderson@icann.org>
Message-ID: <Pine.WNT.4.64.1107191043540.6484@SMURPHY-LT.columbia.ads.sparta.com>
References: <CA4B21AE.17EE7%terry.manderson@icann.org>
X-X-Sender: sandy@mailbin.sparta.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-OriginalArrivalTime: 19 Jul 2011 15:02:28.0422 (UTC) FILETIME=[E0627E60:01CC4624]
Cc: Rob Austein <sra@isc.org>, "draft-ietf-sidr-repos-struct@tools.ietf.org" <draft-ietf-sidr-repos-struct@tools.ietf.org>, "sidr@ietf.org" <sidr@ietf.org>, "sidr-chairs@tools.ietf.org" <sidr-chairs@tools.ietf.org>
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2011 15:02:50 -0000

On Mon, 18 Jul 2011, Terry Manderson wrote:

>
> On 18/07/11 9:39 PM, "Tim Bruijnzeels" <tim@ripe.net> wrote:
>
>> Hi,
>>
>> I agree that not having this mapping is tedious and error prone for RPs.
>
> I can agree that a mapping system is useful. It may just be that living unix
> world for far too long has seen me move away from the mandatory dos-like
> suffixes to the voluntary use of extensions in a unix file system as a
> *hint* to the file contents and nothing more.
>
> And I'm happy to see it written as a hint. A validated mapping should come,
> in my opinion from something more robust which also transcends the
> technology used in the repository.
>


There was a brief discussion of the use of file name extensions when the 
repos-struct document came up for last call.  See the following messages:

http://www.ietf.org/mail-archive/web/sidr/current/msg02281.html
http://www.ietf.org/mail-archive/web/sidr/current/msg02282.html
http://www.ietf.org/mail-archive/web/sidr/current/msg02283.html
http://www.ietf.org/mail-archive/web/sidr/current/msg02284.html

To summarize: George Michaelson spoke against extensions when we were 
considering a registry (and Terry mildly supports them), I asked George if 
he as author was suggesting the draft needed to change and he said no and 
added that rsync can filter objects only on the basis of the file name.

So we've been around this barn already.

The point about the rsync filtering abilities has not come up this time.

I ask for review and consideration of that exchange (and the registry 
discussion context).

--Sandy, speaking as wg chair


From randy@psg.com  Tue Jul 19 08:48:22 2011
Return-Path: <randy@psg.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D804011E808C for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 08:48:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.537
X-Spam-Level: 
X-Spam-Status: No, score=-2.537 tagged_above=-999 required=5 tests=[AWL=0.062,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nISY+U5Pjgcx for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 08:48:22 -0700 (PDT)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:1::36]) by ietfa.amsl.com (Postfix) with ESMTP id 429F011E808A for <sidr@ietf.org>; Tue, 19 Jul 2011 08:48:22 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=rair.psg.com.psg.com) by ran.psg.com with esmtp (Exim 4.76 (FreeBSD)) (envelope-from <randy@psg.com>) id 1QjCWm-000GNU-2p; Tue, 19 Jul 2011 15:48:08 +0000
Date: Tue, 19 Jul 2011 08:48:07 -0700
Message-ID: <m2vcuynufc.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Terry Manderson <terry.manderson@icann.org>
In-Reply-To: <CA4BBB06.17F28%terry.manderson@icann.org>
References: <m239i2pllp.wl%randy@psg.com> <CA4BBB06.17F28%terry.manderson@icann.org>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Cc: "draft-ietf-sidr-repos-struct@tools.ietf.org" <draft-ietf-sidr-repos-struct@tools.ietf.org>, sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2011 15:48:23 -0000

>>> I think there is an easier way, as already suggested. Add the object
>>> type to the manifest in FileandHash.
>>> 
>>> 1) the rescert points to the publication point and manifest
>>> 2) the manifest is mandatory
>>> 3) the manifest is signed
>>> 4) the manifest is nicely(?) readable ASN.1
>> 
>> so move the deck chairs from coding the type in a directory maintained
>> by the operating system to one the spec and the programmers write and
>> maintain?  big win there, eh?
> 
> The win is to eliminate a threat that has already been identified on the
> list.

and is based on a weak premise.  rpki security is based on object, not
transport, security.  stuff might be garbled in transport.

and please remember that the manifest may be a proper subset of the
directory.

randy
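
Added example (not part of any message in this thread, and not code from any RPKI implementation): a relying-party check that takes an object's type from the filename listed in the manifest rather than from the transferred filename, and reports files that are present in the directory but absent from the manifest, since the manifest may be a proper subset of the directory. The extension set, the status strings and the function names are assumptions made for illustration; the manifest is assumed to have been signature-validated already, and all sample bytes are constructed.

```python
import hashlib
import os
from dataclasses import dataclass

# Assumed extension-to-type mapping, for illustration only.
EXTENSION_TYPES = {
    ".cer": "certificate",
    ".crl": "crl",
    ".mft": "manifest",
    ".roa": "roa",
}


@dataclass(frozen=True)
class FileAndHash:
    """One manifest entry: a filename and the SHA-256 digest of the file."""
    file: str
    hash: bytes


def type_from_name(name):
    """Map a filename extension to an object type, or None if unknown."""
    return EXTENSION_TYPES.get(os.path.splitext(name)[1])


def classify(manifest, fetched):
    """Compare a validated manifest against the files actually transferred.

    manifest: iterable of FileAndHash taken from the signed manifest.
    fetched:  dict of transferred filename -> file bytes (unprotected stream).
    Returns {name: (status, object_type, type_source)}.
    """
    results = {}
    listed = set()
    for entry in manifest:
        listed.add(entry.file)
        # The type decision uses the name inside the signed manifest.
        obj_type = type_from_name(entry.file)
        data = fetched.get(entry.file)
        if data is None:
            status = "missing"
        elif hashlib.sha256(data).digest() != entry.hash:
            status = "hash-mismatch"
        else:
            status = "ok"
        results[entry.file] = (status, obj_type, "manifest")
    for name in fetched:
        if name not in listed:
            # Nothing signed covers this name: its extension is only a hint,
            # and the object has to stand on its own signature.
            results[name] = ("not-on-manifest", type_from_name(name),
                             "transport-name")
    return results


def demo():
    """Run classify() on constructed data covering each outcome."""
    roa = b"constructed ROA bytes"
    cer = b"constructed certificate bytes"
    crl = b"constructed CRL bytes"
    manifest = [
        FileAndHash("a.roa", hashlib.sha256(roa).digest()),
        FileAndHash("b.cer", hashlib.sha256(cer).digest()),
        FileAndHash("d.crl", hashlib.sha256(crl).digest()),
    ]
    fetched = {
        "a.roa": roa,                 # delivered intact
        "b.roa": cer,                 # filename mangled in transit (was b.cer)
        "d.crl": crl + b" tampered",  # content mangled in transit
    }
    return classify(manifest, fetched)


if __name__ == "__main__":
    for name, outcome in sorted(demo().items()):
        print(name, outcome)
```

In the constructed run, a mangled filename and mangled content both end in a failed manifest check (`missing` and `hash-mismatch`), and the renamed file surfaces only as an unlisted object whose type comes from an unsigned name.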

From iesg-secretary@ietf.org  Tue Jul 19 10:12:00 2011
Return-Path: <iesg-secretary@ietf.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBD9A5E8004; Tue, 19 Jul 2011 10:12:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.519
X-Spam-Level: 
X-Spam-Status: No, score=-102.519 tagged_above=-999 required=5 tests=[AWL=0.080, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QvARXJkF2ikl; Tue, 19 Jul 2011 10:12:00 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17C805E800A; Tue, 19 Jul 2011 10:11:44 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 3.55
Message-ID: <20110719171144.20155.48369.idtracker@ietfa.amsl.com>
Date: Tue, 19 Jul 2011 10:11:44 -0700
Cc: sidr mailing list <sidr@ietf.org>, sidr chair <sidr-chairs@tools.ietf.org>, RFC Editor <rfc-editor@rfc-editor.org>
Subject: [sidr] Protocol Action: 'CA Key Rollover in the RPKI' to BCP	(draft-ietf-sidr-keyroll-08.txt)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2011 17:12:00 -0000

The IESG has approved the following document:
- 'CA Key Rollover in the RPKI'
  (draft-ietf-sidr-keyroll-08.txt) as a BCP

This document is the product of the Secure Inter-Domain Routing Working
Group.

The IESG contact persons are Stewart Bryant and Adrian Farrel.

A URL of this Internet Draft is:
http://datatracker.ietf.org/doc/draft-ietf-sidr-keyroll/




Technical Summary

This document describes how a Certification Authority (CA) in the
Resource Public Key Infrastructure (RPKI) performs a planned rollover
of its key pair. This document also notes the implications of this
key rollover procedure for Relying Parties (RPs). In general, RPs are
expected to maintain a local cache of the objects that have been
published in the RPKI repository, and thus the way in which a CA
performs key rollover impacts RPs.

Working Group Summary

The most contentious issue in the progress of this draft was an
issue raised shortly after the wglc ended.  The issue was discussed
vigorously on the list (between a small number of members) and a
change in requirements level was made, but that did not totally
answer the original commenter.  There was broad support for the
draft during the wglc and consensus was not reached on the technical
change suggested in this last discussion, so the document was progressed
with the compromise requirement change only.  The member bringing the
issue to the list is resigned to the outcome.


Document Quality
 
This is another case in this working group in which a section of
a document of long standing has been lifted out to be a draft of
its own.  This draft had been a topic in the res-certs profile
and was extracted when the working group was asked by the security
ADs to provide a plan for algorithm agility and key rollover.  As
such it has had the benefit of a long history of reviews of the
parent document.

Personnel

Sandra Murphy (Sandra.Murphy@sparta.com) is the Document Shepherd 
for this document.  
Stewart Bryant (stbryant@cisco.com) is the Responsible Area Director.




From terry.manderson@icann.org  Tue Jul 19 13:40:50 2011
Return-Path: <terry.manderson@icann.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4A2121F8B3F for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 13:40:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.539
X-Spam-Level: 
X-Spam-Status: No, score=-106.539 tagged_above=-999 required=5 tests=[AWL=0.060, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O2YvT3OjqX-D for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 13:40:50 -0700 (PDT)
Received: from EXPFE100-2.exc.icann.org (expfe100-2.exc.icann.org [64.78.22.237]) by ietfa.amsl.com (Postfix) with ESMTP id F2BE721F8B3E for <sidr@ietf.org>; Tue, 19 Jul 2011 13:40:49 -0700 (PDT)
Received: from EXVPMBX100-1.exc.icann.org ([64.78.22.232]) by EXPFE100-2.exc.icann.org ([64.78.22.237]) with mapi; Tue, 19 Jul 2011 13:40:49 -0700
From: Terry Manderson <terry.manderson@icann.org>
To: Rob Austein <sra@isc.org>
Date: Tue, 19 Jul 2011 13:40:47 -0700
Thread-Topic: [sidr] draft-ietf-sidr-repos-struct to Standards Track
Thread-Index: AcxGHoTPjd+JlLZ4Rg2KrONTWgETIwANZ56o
Message-ID: <CA4C28EF.17F95%terry.manderson@icann.org>
In-Reply-To: <20110719135956.C8EC033C66F@minas-ithil.hactrn.net>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "draft-ietf-sidr-repos-struct@tools.ietf.org" <draft-ietf-sidr-repos-struct@tools.ietf.org>, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2011 20:40:50 -0000

On 19/07/11 11:59 PM, "Rob Austein" <sra@isc.org> wrote:

>
> What threat?  Please describe it.
>
> The only "threat" I saw discussed is, in my opinion, a non-issue: an
> attacker can mangle filenames in the unprotected data stream, thus
> causing objects to fail validation.  An attacker who can do that can
> also mangle the objects themselves in the unprotected data stream,
> which will also cause the objects to fail validation, so being able to
> change the filenames doesn't give the attacker anything new.

I see those two as having a subtle difference. I guess I'm alone in that
observation.

>
>> The suggestion of adding the mapping/type into the Manifest (while
>> awkward in ietf processing) gives both the mapping result, and
>> removes the CA/Repository threat identified.
>
> The file types are already in the manifest, because the file types are
> encoded in the filenames, which are in the manifest.

ok. So in which case before I give in to making repos-struct a PS, I would
want to see words somewhere that say that the validation choice for an RPKI
object file is to be based on the filename in the manifest and not on the
transferred filename. Do such words already exist? If so, where? And is that
how validation implementations are already coded?

For some reason all I can think about with this extensions discussion is the
.txt.vbs windows worm exploit.. it's all just so 1990's..

T.


From randy@psg.com  Tue Jul 19 13:43:46 2011
Return-Path: <randy@psg.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6558521F8A7B for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 13:43:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.539
X-Spam-Level: 
X-Spam-Status: No, score=-2.539 tagged_above=-999 required=5 tests=[AWL=0.060,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DTTBvBXrJhkw for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 13:43:46 -0700 (PDT)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:1::36]) by ietfa.amsl.com (Postfix) with ESMTP id 154C221F8A70 for <sidr@ietf.org>; Tue, 19 Jul 2011 13:43:44 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=rair.psg.com.psg.com) by ran.psg.com with esmtp (Exim 4.76 (FreeBSD)) (envelope-from <randy@psg.com>) id 1QjH8o-000HBh-71; Tue, 19 Jul 2011 20:43:42 +0000
Date: Tue, 19 Jul 2011 13:43:41 -0700
Message-ID: <m2aacangqq.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Terry Manderson <terry.manderson@icann.org>
In-Reply-To: <CA4C28EF.17F95%terry.manderson@icann.org>
References: <20110719135956.C8EC033C66F@minas-ithil.hactrn.net> <CA4C28EF.17F95%terry.manderson@icann.org>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2011 20:43:46 -0000

> ok. So in which case before I give in to making repos-struct a PS, I would
> want to see words somewhere that say that the validation choice for an RPKI
> object file is to be based on the filename in the manifest and not on the
> transferred filename.

again, the manifest may represent a proper subset of the valid objects in the
directory

randy

From terry.manderson@icann.org  Tue Jul 19 13:45:54 2011
Return-Path: <terry.manderson@icann.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4130421F8A91 for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 13:45:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.542
X-Spam-Level: 
X-Spam-Status: No, score=-106.542 tagged_above=-999 required=5 tests=[AWL=0.057, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vhBEXvneYBrp for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 13:45:53 -0700 (PDT)
Received: from EXPFE100-2.exc.icann.org (expfe100-2.exc.icann.org [64.78.22.237]) by ietfa.amsl.com (Postfix) with ESMTP id ACE1F21F8A7D for <sidr@ietf.org>; Tue, 19 Jul 2011 13:45:53 -0700 (PDT)
Received: from EXVPMBX100-1.exc.icann.org ([64.78.22.232]) by EXPFE100-2.exc.icann.org ([64.78.22.237]) with mapi; Tue, 19 Jul 2011 13:45:49 -0700
From: Terry Manderson <terry.manderson@icann.org>
To: Sandra Murphy <Sandra.Murphy@sparta.com>, Tim Bruijnzeels <tim@ripe.net>
Date: Tue, 19 Jul 2011 13:45:47 -0700
Thread-Topic: [sidr] draft-ietf-sidr-repos-struct to Standards Track
Thread-Index: AcxGIX7vxhTIFkhWQlCpjN3kGYXUbAAM1coa
Message-ID: <CA4C2A1B.17F9B%terry.manderson@icann.org>
In-Reply-To: <Pine.WNT.4.64.1107191036260.6484@SMURPHY-LT.columbia.ads.sparta.com>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Rob Austein <sra@isc.org>, "draft-ietf-sidr-repos-struct@tools.ietf.org" <draft-ietf-sidr-repos-struct@tools.ietf.org>, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2011 20:45:54 -0000

>
>
> A process reminder here.  Several other documents point to the
> repos-struct draft, some of them specifically regarding the file
> extensions.  Separating out the tagging into a separate document could
> mean some serious review of multiple documents.
>

I think the question might be if the authors of repos-struct are willing to
rewrite parts (slabs?) of the document to be more in line with a PS?

As it stands now, I'm not so sure that repo-struct is structured as a ps,
despite many people's willingness to see it become that.

"Just because you drive a mini like a race car, doesn't actually mean it is
a race car."

T.


From jtk@cymru.com  Tue Jul 19 14:00:25 2011
Return-Path: <jtk@cymru.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9273D21F8B0D for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 14:00:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LcAYiq6jlnS6 for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 14:00:25 -0700 (PDT)
Received: from obelisk11.ord01.cymru.com (obelisk11.ord01.cymru.com [38.229.66.8]) by ietfa.amsl.com (Postfix) with ESMTP id EB10B21F8B08 for <sidr@ietf.org>; Tue, 19 Jul 2011 14:00:24 -0700 (PDT)
Received: from t61p (vpn-21-33.svcs.iad01.cymru.com [192.168.21.33]) by obelisk11.ord01.cymru.com (Postfix) with ESMTP id 2B39BB0418; Tue, 19 Jul 2011 21:00:24 +0000 (GMT)
Date: Tue, 19 Jul 2011 16:00:23 -0500
From: John Kristoff <jtk@cymru.com>
To: Terry Manderson <terry.manderson@icann.org>
Message-ID: <20110719160023.1d7b28cc@t61p>
In-Reply-To: <CA17A9AE.16432%terry.manderson@icann.org>
References: <20110610004921.5015.20702.idtracker@ietfa.amsl.com> <CA17A9AE.16432%terry.manderson@icann.org>
X-Mailer: Claws Mail
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] FW: I-D Action: draft-manderson-sidr-geo-01.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2011 21:00:25 -0000

On Thu, 9 Jun 2011 17:59:58 -0700
Terry Manderson <terry.manderson@icann.org> wrote:

> This document reflects the feedback from Prague both in the WG and
> around the halls, being:

Hi Terry,

I know you sought some additional feedback via way of a shared
colleague, I'm posting my thoughts here for the entire group to see and
for posterity sake.

Firstly, thanks for writing up a draft.  Regardless of any draft's
merit and eventual outcome, recording it and having the ensuing
discussion into the annals of Internet history is rarely a bad idea.

> 1) Use cases? who wants this.

I'll assume that you're looking for more use cases beyond those you had
envisioned when deciding to write it up.  Otherwise, this is a solution
looking for a problem.

In the draft it is suggested there may be a use case for this
information by Network Providers, Content Providers, Security
Providers, Geo-Location (GEO) IP services and Research.  I'll consider
those cases below.    There may be geopolitical reasons for this as
well.  DNS resolver operators may be interested in this like they are
with the draft-vandergaast-edns-client-ip proposal.  One of the main
themes of my critique however will be that routing data does not
reliably associate itself to geo-location.

The title has:

  "first class geographical location statements"

The abstract has:

  "first class informational statements pertaining to the geographical
  attributes"

The introduction has:

  "first class informational attestations pertaining to the
  geographical attributes"

Some consistency is needed, but perhaps I'm confused because I don't
know what "first class" means in this context and I couldn't find it in
the references.

Instead of "validatable" I'd say "verifiable".

In section 2, the specification suggests network providers can
configure geoloc attributes for the benefit of content providers.
This reasoning assumes cooperation between network and content
providers.  That may be assuming too much.

It is not clear from the draft if the anycast operators will benefit
from publishing geoloc information or if receiving it from other network
operators is of value.  Either could be potentially useful.

As a general comment, IP addresses are inherently virtual and all
attempts to tie them to a physical geographic location will be
imperfect.  All sorts of mobility, tunneling, subnetting and ephemeral
address issues are not likely to go away.  This leads me to believe
that this work will be doomed from the start with some strict control
on what goes into the system, something that the Internet community is
not inherently good at mandating.

In my opinion, having done some security work, it's not clear this
would add much if any value for security providers unless it was widely
implemented and implemented in a uniform manner.  Neither seems likely
unless it was followed up with some more stringent requirements from
entities in charge of allocating the numbers.

This geoloc information may also compete or duplicate that provided when
the numbers are allocated and assigned.  That may or may not be helpful.

As has already been mentioned, this effort is not aligned to the
goals of the charter for sidr.  Adding more features to a system is
tempting, but this is probably not the place or time for it.  This is
trying to address a current operational problem by bolting on a new
feature to a new system in hopes of addressing current problems with
future solutions.  I empathize with the motivation and would be
potentially interested in such a feature, but I recommend other tactics
and venues for this sort of effort.

John

From terry.manderson@icann.org  Tue Jul 19 14:03:20 2011
Return-Path: <terry.manderson@icann.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5BF621F8B0D for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 14:03:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.545
X-Spam-Level: 
X-Spam-Status: No, score=-106.545 tagged_above=-999 required=5 tests=[AWL=0.054, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oAv5vNQ8ToFU for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 14:03:20 -0700 (PDT)
Received: from EXPFE100-1.exc.icann.org (expfe100-1.exc.icann.org [64.78.22.236]) by ietfa.amsl.com (Postfix) with ESMTP id 5260721F8B05 for <sidr@ietf.org>; Tue, 19 Jul 2011 14:03:20 -0700 (PDT)
Received: from EXVPMBX100-1.exc.icann.org ([64.78.22.232]) by EXPFE100-1.exc.icann.org ([64.78.22.236]) with mapi; Tue, 19 Jul 2011 14:03:19 -0700
From: Terry Manderson <terry.manderson@icann.org>
To: Sandra Murphy <Sandra.Murphy@sparta.com>
Date: Tue, 19 Jul 2011 14:03:18 -0700
Thread-Topic: [sidr] draft-ietf-sidr-repos-struct to Standards Track
Thread-Index: AcxGJO19n9Qk9TdFRPaM/v1VjNkTlwAMlsM/
Message-ID: <CA4C2E36.17F9E%terry.manderson@icann.org>
In-Reply-To: <Pine.WNT.4.64.1107191043540.6484@SMURPHY-LT.columbia.ads.sparta.com>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Rob Austein <sra@isc.org>, "draft-ietf-sidr-repos-struct@tools.ietf.org" <draft-ietf-sidr-repos-struct@tools.ietf.org>, "sidr@ietf.org" <sidr@ietf.org>, "sidr-chairs@tools.ietf.org" <sidr-chairs@tools.ietf.org>
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2011 21:03:20 -0000

On 20/07/11 1:02 AM, "Sandra Murphy" <Sandra.Murphy@sparta.com> wrote:

>
> There was a brief discussion of the use of file names extensions when the
> repos-struct document came up for last call.  See the following messages:
>
> http://www.ietf.org/mail-archive/web/sidr/current/msg02281.html
> http://www.ietf.org/mail-archive/web/sidr/current/msg02282.html
> http://www.ietf.org/mail-archive/web/sidr/current/msg02283.html
> http://www.ietf.org/mail-archive/web/sidr/current/msg02284.html
>
> To summarize: George Michaelson spoke against extensions when we were
> considering a registry (and Terry mildly supports them), I asked George if

What I said was "and hint nicely". So happy to see it as the hint. That
hasn't changed, and create a registry if you so desire. I'm still not
comfortable in leading to a point where it is the way (and it seems only way)
an object's validation regime is chosen.

Rob's observation that the extension exists in the manifest file name is a
close approximation provided words exist as highlighted which gives clear
instruction to implementers as to
1) make the first approximation of validation regime on the filename in the
_manifest_
2) then try all others
3) give up.

T.


From terry.manderson@icann.org  Tue Jul 19 14:06:21 2011
Return-Path: <terry.manderson@icann.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66EFA5E800D for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 14:06:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.548
X-Spam-Level: 
X-Spam-Status: No, score=-106.548 tagged_above=-999 required=5 tests=[AWL=0.051, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KuyUXfvzwOCE for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 14:06:21 -0700 (PDT)
Received: from EXPFE100-1.exc.icann.org (expfe100-1.exc.icann.org [64.78.22.236]) by ietfa.amsl.com (Postfix) with ESMTP id EDEF05E8008 for <sidr@ietf.org>; Tue, 19 Jul 2011 14:06:20 -0700 (PDT)
Received: from EXVPMBX100-1.exc.icann.org ([64.78.22.232]) by EXPFE100-1.exc.icann.org ([64.78.22.236]) with mapi; Tue, 19 Jul 2011 14:06:20 -0700
From: Terry Manderson <terry.manderson@icann.org>
To: Randy Bush <randy@psg.com>
Date: Tue, 19 Jul 2011 14:06:17 -0700
Thread-Topic: [sidr] draft-ietf-sidr-repos-struct to Standards Track
Thread-Index: AcxGVJlogc6nEGyySF+Ws7FOiKL4HAAAxnRZ
Message-ID: <CA4C2EE9.17FA1%terry.manderson@icann.org>
In-Reply-To: <m2aacangqq.wl%randy@psg.com>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2011 21:06:21 -0000

On 20/07/11 6:43 AM, "Randy Bush" <randy@psg.com> wrote:

>> ok. So in which case before I give in to making repos-struct a PS, I would
>> want to see words somewhere that say that the validation choice for an RPKI
>> object file is to be based on the filename in the manifest and not on the
>> transferred filename.
>
> again, the manifest may represent a proper subset of the valid objects in the
> directory
>

Which I think is sloppy behaviour.

T.


From Sandra.Murphy@cobham.com  Tue Jul 19 14:21:03 2011
Return-Path: <Sandra.Murphy@cobham.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7770F11E8087 for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 14:21:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.958
X-Spam-Level: 
X-Spam-Status: No, score=-101.958 tagged_above=-999 required=5 tests=[AWL=0.641, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zHndl0Zb2d6z for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 14:21:03 -0700 (PDT)
Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by ietfa.amsl.com (Postfix) with ESMTP id 8213711E807F for <sidr@ietf.org>; Tue, 19 Jul 2011 14:21:02 -0700 (PDT)
Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.13.5/8.13.5) with ESMTP id p6JLKdbD016765; Tue, 19 Jul 2011 16:20:39 -0500
Received: from mailbin2.ads.sparta.com (mailbin.sparta.com [157.185.85.6]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id p6JLKcUZ012357; Tue, 19 Jul 2011 16:20:39 -0500
Received: from SMURPHY-LT.columbia.ads.sparta.com ([157.185.81.116]) by mailbin2.ads.sparta.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675); Tue, 19 Jul 2011 17:20:37 -0400
Date: Tue, 19 Jul 2011 17:20:37 -0400 (Eastern Daylight Time)
From: Sandra Murphy <Sandra.Murphy@sparta.com>
To: Terry Manderson <terry.manderson@icann.org>
In-Reply-To: <CA4C2E36.17F9E%terry.manderson@icann.org>
Message-ID: <Pine.WNT.4.64.1107191714120.6484@SMURPHY-LT.columbia.ads.sparta.com>
References: <CA4C2E36.17F9E%terry.manderson@icann.org>
X-X-Sender: sandy@mailbin.sparta.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-OriginalArrivalTime: 19 Jul 2011 21:20:37.0623 (UTC) FILETIME=[B433D070:01CC4659]
Cc: Rob Austein <sra@isc.org>, "draft-ietf-sidr-repos-struct@tools.ietf.org" <draft-ietf-sidr-repos-struct@tools.ietf.org>, "sidr@ietf.org" <sidr@ietf.org>, "sidr-chairs@tools.ietf.org" <sidr-chairs@tools.ietf.org>
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2011 21:21:03 -0000

On Tue, 19 Jul 2011, Terry Manderson wrote:

> On 20/07/11 1:02 AM, "Sandra Murphy" <Sandra.Murphy@sparta.com> wrote:
>
>>
>> There was a brief discussion of the use of file names extensions when the
>> repos-struct document came up for last call.  See the following messages:
>>
>> http://www.ietf.org/mail-archive/web/sidr/current/msg02281.html
>> http://www.ietf.org/mail-archive/web/sidr/current/msg02282.html
>> http://www.ietf.org/mail-archive/web/sidr/current/msg02283.html
>> http://www.ietf.org/mail-archive/web/sidr/current/msg02284.html
>>
>> To summarize: George Michaelson spoke against extensions when we were
>> considering a registry (and Terry mildly supports them), I asked George if
>
> What I said was "and hint nicely". So happy to see it as the hint. That

That's the "mildly" part.  George was speaking against file extensions at 
all, you said they had "special meaning" and were in favor of a registry.

--Sandy, explaining a former message sent when speaking as wg chair

> hasn't changed, and create a registry if you so desire. I'm still not
> comfortable in leading to a point where it is the
> way (and it seems only way) an objects validation regime is chosen.
>
> Rob's observation that the extension exists in the manifest file name is a
> close approximation provided words exist as highlighted which gives clear
> instruction to implementers as to
> 1) make the first approximation of validation regime on the filename in the
> _manifest_
> 2) then try all others
> 3) give up.
>
> T.
>
>

From Sandra.Murphy@cobham.com  Tue Jul 19 14:29:34 2011
Return-Path: <Sandra.Murphy@cobham.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF22522800F for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 14:29:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.996
X-Spam-Level: 
X-Spam-Status: No, score=-101.996 tagged_above=-999 required=5 tests=[AWL=0.603, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5u3YbWSXug1p for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 14:29:34 -0700 (PDT)
Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by ietfa.amsl.com (Postfix) with ESMTP id 1DA5A228006 for <sidr@ietf.org>; Tue, 19 Jul 2011 14:29:33 -0700 (PDT)
Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.13.5/8.13.5) with ESMTP id p6JLTC9P016887; Tue, 19 Jul 2011 16:29:12 -0500
Received: from mailbin2.ads.sparta.com (mailbin.sparta.com [157.185.85.6]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id p6JLTBM9012620; Tue, 19 Jul 2011 16:29:12 -0500
Received: from SMURPHY-LT.columbia.ads.sparta.com ([157.185.81.116]) by mailbin2.ads.sparta.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675); Tue, 19 Jul 2011 17:29:11 -0400
Date: Tue, 19 Jul 2011 17:29:10 -0400 (Eastern Daylight Time)
From: Sandra Murphy <Sandra.Murphy@sparta.com>
To: Terry Manderson <terry.manderson@icann.org>
In-Reply-To: <CA4C2EE9.17FA1%terry.manderson@icann.org>
Message-ID: <Pine.WNT.4.64.1107191720470.6484@SMURPHY-LT.columbia.ads.sparta.com>
References: <CA4C2EE9.17FA1%terry.manderson@icann.org>
X-X-Sender: sandy@mailbin.sparta.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-OriginalArrivalTime: 19 Jul 2011 21:29:11.0144 (UTC) FILETIME=[E648E680:01CC465A]
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2011 21:29:35 -0000

On Tue, 19 Jul 2011, Terry Manderson wrote:

> On 20/07/11 6:43 AM, "Randy Bush" <randy@psg.com> wrote:
>
>>> ok. So in which case before I give in to making repos-struct a PS, I would
>>> want to see words somewhere that say that the validation choice for an RPKI
>>> object file is to be based on the filename in the manifest and not on the
>>> transferred filename.
>>
>> again, the manifest may represent a proper subset of the valid objects in the
>> directory
>>
>
> Which I think is sloppy behaviour.

It is a fundamental part of the proposed repository structure.

The following text from section 2.2 of the repos-struct draft:

    The RPKI design requires that a CA be uniquely associated with a
    single key pair.  Thus, the administrative entity that is a CA
    performs key rollover by generating a new CA certificate with a new
    Subject name, as well as a new key pair [I-D.ietf-sidr-keyroll].
    (The reason for the new Subject name is that in the context of the
    RPKI the Subject names in all certificates issued by a CA are
    intended to be unique, and because the RPKI key rollover procedure
    creates a new instance of a CA with the new key, the name constraint
    implies the need for a new Subject name for the CA with the new key.)
    In such cases the entity SHOULD continue to use the same repository
    publication point for both CA instances during the key rollover,
    ensuring that the value of the AIA extension in indirect subordinate
    objects that refer to the certificates issued by this CA remain valid
    across the key rollover, and that the re-issuance of subordinate
    certificates in a key rollover is limited to the collection of
    immediate subordinate products of this CA.  In such cases the
    repository publication point will contain the CRL, manifest and
    subordinate certificates of both CA instances.

says that in times of CA key rollover, the publication point directory 
should contain two manifests and all the files from both manifests.  So 
neither manifest contains all the file names in the directory.

--Sandy, speaking as wg chair



>
> T.
>

From terry.manderson@icann.org  Tue Jul 19 15:07:35 2011
Return-Path: <terry.manderson@icann.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 869275E8008 for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 15:07:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.55
X-Spam-Level: 
X-Spam-Status: No, score=-106.55 tagged_above=-999 required=5 tests=[AWL=0.049, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZeNBA84claZt for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 15:07:35 -0700 (PDT)
Received: from EXPFE100-2.exc.icann.org (expfe100-2.exc.icann.org [64.78.22.237]) by ietfa.amsl.com (Postfix) with ESMTP id 15E575E8007 for <sidr@ietf.org>; Tue, 19 Jul 2011 15:07:35 -0700 (PDT)
Received: from EXVPMBX100-1.exc.icann.org ([64.78.22.232]) by EXPFE100-2.exc.icann.org ([64.78.22.237]) with mapi; Tue, 19 Jul 2011 15:07:34 -0700
From: Terry Manderson <terry.manderson@icann.org>
To: Sandra Murphy <Sandra.Murphy@sparta.com>
Date: Tue, 19 Jul 2011 15:07:33 -0700
Thread-Topic: [sidr] draft-ietf-sidr-repos-struct to Standards Track
Thread-Index: AcxGWvQ/ezOSE+lkSdKT70ZBuWy47AABU4Pm
Message-ID: <CA4C3D45.17FAE%terry.manderson@icann.org>
In-Reply-To: <Pine.WNT.4.64.1107191720470.6484@SMURPHY-LT.columbia.ads.sparta.com>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2011 22:07:35 -0000

On 20/07/11 7:29 AM, "Sandra Murphy" <Sandra.Murphy@sparta.com> wrote:


>>
>> Which I think is sloppy behaviour.
>
> It is a fundamental part of the proposed repository structure.
>
[..]
> says that in times of CA key rollover, the publication point directory
> should contain two manifests and all the files from both manifests.  So
> neither manifest contains all the file names in the directory.
>

So long as a file appears in at least one manifest, I'm good.

Randy's email led me to think that a file (valid rpki object) can exist in
a repository and not appear in a manifest at all. Is that the case?

Cheers
Terry


From terry.manderson@icann.org  Tue Jul 19 16:11:57 2011
Return-Path: <terry.manderson@icann.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AAE5421F8506 for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 16:11:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.552
X-Spam-Level: 
X-Spam-Status: No, score=-106.552 tagged_above=-999 required=5 tests=[AWL=0.047, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1qu88r7UXRcJ for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 16:11:54 -0700 (PDT)
Received: from EXPFE100-2.exc.icann.org (expfe100-2.exc.icann.org [64.78.22.237]) by ietfa.amsl.com (Postfix) with ESMTP id 386C721F8500 for <sidr@ietf.org>; Tue, 19 Jul 2011 16:11:52 -0700 (PDT)
Received: from EXVPMBX100-1.exc.icann.org ([64.78.22.232]) by EXPFE100-2.exc.icann.org ([64.78.22.237]) with mapi; Tue, 19 Jul 2011 16:11:51 -0700
From: Terry Manderson <terry.manderson@icann.org>
To: John Kristoff <jtk@cymru.com>
Date: Tue, 19 Jul 2011 16:11:48 -0700
Thread-Topic: [sidr] FW: I-D Action: draft-manderson-sidr-geo-01.txt
Thread-Index: AcxGWtSNRfgqd3CBQlSkMPc3Z75D4wADmeCM
Message-ID: <CA4C4C54.17FC0%terry.manderson@icann.org>
In-Reply-To: <20110719160023.1d7b28cc@t61p>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] FW: I-D Action: draft-manderson-sidr-geo-01.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2011 23:11:57 -0000

Hi John,

Thanks for taking the time to review the draft and post your thoughts.

On 20/07/11 7:00 AM, "John Kristoff" <jtk@cymru.com> wrote:


>> 1) Use cases? who wants this.
>
> I'll assume that you're looking for more use cases beyond those you had
> envisioned when deciding to write it up.  Otherwise, this is a solution
> looking for a problem.
>

Actually the use cases existed, I didn't divulge them at the time as I
didn't have the blessing of those who expressed their desires. At the time I
only had authority in my own desires to promote.

> In the draft it is suggested there may be a use case for this
> information by Network Providers, Content Providers, Security
> Providers, Geo-Location (GEO) IP services and Research.  I'll consider
> those cases below.    There may be geopolitical reasons for this as
> well.  DNS resolver operators may be interested in this like they are
> with the draft-vandergaast-edns-client-ip proposal.  One of the main
> themes of my critique however will be that routing data does not
> reliably associate itself to geo-location.

Why do you think that? From watching routing tables I see that there really
isn't that much AS churn. This leads me to think people really don't move
their routers, or routes that often unless doing some level of mobility or
targeted anycast.

>
> The title has:
>
>   "first class geographical location statements"
>
> The abstract has:
>
>   "first class informational statements pertaining to the geographical
>   attributes"
>
> The introduction has:
>
>   "first class informational attestations pertaining to the
>   geographical attributes"
>
> Some consistency is needed, but perhaps I'm confused because I don't
> know what "first class" means in this context and I couldn't find it in
> the references.

noted. will fix.

>
> Instead of "validatable" I'd say "verifiable".
>
> In section 2, the specification suggests network providers can
> configure geoloc attributes for the benefit of content providers.
> This reasoning assumes cooperation between network and content
> providers.  That may be assuming too much.

Fair observation.

>
> It is not clear from the draft if the anycast operators will benefit
> from publishing geoloc information or if receiving it from other network
> operators is of value.  Either could be potentially useful.

I will clarify.

>
> As a general comment, IP addresses are inherently virtual and all
> attempts to tie them to a physical geographic location will be
> imperfect.  All sorts of mobility, tunneling, subnetting and ephemeral
> address issues are not likely to go away.  This leads me to believe
> that this work will be doomed from the start with some strict control
> on what goes into the system, something that the Internet community is
> not inherently good at mandating.

I think there are a number of ways that information can be populated and
maintained. The first, as you clearly state, is through some mandated model.
I'm not a fan of creating oligopolies, so that hints at a model more closely
related to crowd sourcing.

Do keep in mind that the HELD service is separated from the RPKI, so HELD
service operators might find better ways to authoritatively represent the
location of use of prefixes and ASNs.

>
> In my opinion, having done some security work, it's not clear this
> would add much if any value for security providers unless it was widely
> implemented and implemented in a uniform manner.  Neither seems likely
> unless it was followed up with some more stringent requirements from
> entities in charge of allocating the numbers.

Interesting observation.

>
> This geoloc information may also compete or duplicate that provided when
> the numbers are allocated and assigned.  That may or may not be helpful.

I think some clarifying words are needed that highlight that the geoloc
information is where the resources are put into 'use' versus the location of
the ISO code location of the company that they were allocated to as we see
in whois.

>
> As has already been mentioned, this effort is not aligned to the
> goals of the charter for sidr.

Yes, acknowledged.

> Adding more features to a system is
> tempting, but this is probably not the place or time for it.

Indeed it is tempting, a global hierarchy of well formed, well maintained
information about use of ASNs and Prefixes.. Without wanting to turn it into
the quagmire of whois some level of extension would be desirable.

> This is
> trying to address a current operational problem by bolting on a new
> feature to a new system in hopes of addressing current problems with
> future solutions.

And I think that hits the nail on the head. The RPKI work really is yet to
show maturity.

> I empathize with the motivation and would be
> potentially interested in such a feature, but I recommend other tactics
> and venues for this sort of effort.
>

I'll drop you a note off list. Although I'm considering reclassifying this
draft as experimental.

Cheers
Terry


From terry.manderson@icann.org  Tue Jul 19 22:44:32 2011
Return-Path: <terry.manderson@icann.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43C3121F8997 for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 22:44:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.554
X-Spam-Level: 
X-Spam-Status: No, score=-106.554 tagged_above=-999 required=5 tests=[AWL=0.045, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eb8zMIJTCOgk for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2011 22:44:28 -0700 (PDT)
Received: from EXPFE100-1.exc.icann.org (expfe100-1.exc.icann.org [64.78.22.236]) by ietfa.amsl.com (Postfix) with ESMTP id 493B021F891D for <sidr@ietf.org>; Tue, 19 Jul 2011 22:44:28 -0700 (PDT)
Received: from EXVPMBX100-1.exc.icann.org ([64.78.22.232]) by EXPFE100-1.exc.icann.org ([64.78.22.236]) with mapi; Tue, 19 Jul 2011 22:44:27 -0700
From: Terry Manderson <terry.manderson@icann.org>
To: sidr wg list <sidr@ietf.org>
Date: Tue, 19 Jul 2011 22:44:24 -0700
Thread-Topic: looking at repository withholding attacks.
Thread-Index: AcxGoBSGCiEVldVipkKuLsF2nNGAgA==
Message-ID: <CA4CA858.17FE2%terry.manderson@icann.org>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [sidr] looking at repository withholding attacks.
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jul 2011 05:44:32 -0000

All,

So it seems that the RPKI repository as it stands has the notion of a
mandatory entry in the resource certificate pointing to a manifest.

The existence of the manifest is intended, but doesn't seem to be mandated,
that is, the absence of a manifest is left to the relying party to make a
decision on the use of the objects remaining at the publication point
(Section 6.2: all objects SHOULD be considered suspect but may be used).

So thinking about this further, and using the example from sidr-usecases.
'5.2.  Only Some Children Participate in RPKI'

The resulting ROAs issued are:

      Org A.
      +----------------------------------------------+
      | asID     | address           | maxLength     |
      +----------------------------------------------+
      | 64496    | 10.1.0.0/16       |    20         |
      +----------------------------------------------+

      Org A issues for Org B.
      +----------------------------------------------+
      | asID     | address           | maxLength     |
      +----------------------------------------------+
      | 64511    | 10.1.16.0/20      |    20         |
      +----------------------------------------------+

      Org C.
      +----------------------------------------------+
      | asID     | address           | maxLength     |
      +----------------------------------------------+
      | 65535    | 10.1.32.0/20      |    20         |
      +----------------------------------------------+

I think it's sane to assume that the Org A RPKI objects are placed on the
same repository server at the same publication point.

Let's pretend that either the repository is compromised or a MiTM event
occurs which removes the existence of the manifest at the publication point
and the ROA issued by org A for org B (the second one):

      Org A issues for Org B.
      +----------------------------------------------+
      | asID     | address           | maxLength     |
      +----------------------------------------------+
      | 64511    | 10.1.16.0/20      |    20         |
      +----------------------------------------------+


As I read the existing drafts, a relying party MAY still use the other
objects. Further my reading suggests that the route corresponding to this
object will then be considered invalid (roa-validation and pfx-validate)
meaning that this is a targeted DoS attack on Org B which will succeed for
all relying parties affected. Eg resulting in BGP_PFXV_STATE_INVALID.

Am I correct in this interpretation, and if not, why? What have I missed?

Why is this not a potential attack on org B? Considering also that there are
quite a number of real world 'sub-suballocated' (provider assigned if you
like) prefix originations. (See
http://stats.research.icann.org/bgp/cidr-map/origin-map.bgp.20110605.1800.html,
please excuse the currency of the data, I had a cron issue and I just
noticed it)

I concede that this is an unintended state, but I find the possibility of
this being played out somewhat concerning as it seems possible to still use
remaining objects from a very suspicious repository point. I'm actually
hoping that I have misinterpreted something and such an attack is not
possible.

Cheers
Terry




From kent@bbn.com  Wed Jul 20 08:35:41 2011
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C5B721F8A97 for <sidr@ietfa.amsl.com>; Wed, 20 Jul 2011 08:35:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level: 
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4bO8URT-w+vk for <sidr@ietfa.amsl.com>; Wed, 20 Jul 2011 08:35:40 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id 3B16D21F8A23 for <sidr@ietf.org>; Wed, 20 Jul 2011 08:35:40 -0700 (PDT)
Received: from dhcp89-089-043.bbn.com ([128.89.89.43]:49157) by smtp.bbn.com with esmtp (Exim 4.74 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1QjYnb-000NBv-Nk; Wed, 20 Jul 2011 11:34:59 -0400
Mime-Version: 1.0
Message-Id: <p06240804ca49ea3cbe8a@[10.20.230.158]>
In-Reply-To: <CA49EA9B.17E1B%terry.manderson@icann.org>
References: <CA49EA9B.17E1B%terry.manderson@icann.org>
Date: Wed, 20 Jul 2011 11:34:33 -0400
To: Terry Manderson <terry.manderson@icann.org>
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Cc: Rob Austein <sra@isc.org>, "draft-ietf-sidr-repos-struct@tools.ietf.org" <draft-ietf-sidr-repos-struct@tools.ietf.org>, "sidr-chairs@tools.ietf.org" <sidr-chairs@tools.ietf.org>, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jul 2011 15:35:41 -0000

>...
>
>I'm happy to see things tagged in a normative fashion, I just think putting
>the eggs into the filename/directory basket as a standards action is
>worrying.
>
>Cheers
>Terry

Since we're using basic file systems for the repository (e.g., vs.
LDAP), I think file names are an obvious candidate for labeling the
object types in an easy fashion, for an RP's initial processing.
Ultimately, an RP will check the OID for each object and verify the
signature on each object (for the critical, signed objects). But with
the file name extension we allow an RP to rely on that top level
declaration by a CA, and then see if that declaration holds up when
more detailed checks are made.

Steve

From kent@bbn.com  Wed Jul 20 08:35:59 2011
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2120E21F8757 for <sidr@ietfa.amsl.com>; Wed, 20 Jul 2011 08:35:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level: 
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id THP12vTPqiHm for <sidr@ietfa.amsl.com>; Wed, 20 Jul 2011 08:35:58 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id 6926A21F8751 for <sidr@ietf.org>; Wed, 20 Jul 2011 08:35:56 -0700 (PDT)
Received: from dhcp89-089-043.bbn.com ([128.89.89.43]:49157) by smtp.bbn.com with esmtp (Exim 4.74 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1QjYnh-000NBv-H3; Wed, 20 Jul 2011 11:35:06 -0400
Mime-Version: 1.0
Message-Id: <p06240805ca49eb0cef40@[10.20.230.158]>
In-Reply-To: <CA49EEE9.17E21%terry.manderson@icann.org>
References: <CA49EEE9.17E21%terry.manderson@icann.org>
Date: Wed, 20 Jul 2011 11:34:29 -0400
To: Terry Manderson <terry.manderson@icann.org>
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Cc: Rob Austein <sra@isc.org>, "draft-ietf-sidr-repos-struct@tools.ietf.org" <draft-ietf-sidr-repos-struct@tools.ietf.org>, "sidr@ietf.org" <sidr@ietf.org>, "sidr-chairs@tools.ietf.org" <sidr-chairs@tools.ietf.org>
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jul 2011 15:35:59 -0000

At 9:08 PM -0700 7/17/11, Terry Manderson wrote:
>On 18/07/11 12:42 PM, "Stephen Kent" <kent@bbn.com> wrote:
>
>>  At 4:42 PM -0700 7/17/11, Terry Manderson wrote:
>>
>>  the filename extension, which is part of the "file" data type above,
>>  conveys the needed info. yes, one could add an OID here, but
>>  ultimately an RP will check the syntax and know which file is what
>>  type. So, adding an OID doesn't seem to help much in a manifest.
>
>So, I'm confused.. if the RP ultimately checks the syntax, why is tagging
>needed at all?

see my reply to your message (now in flight :-)).

>  > if there are no mandated filename extensions, then every pub point is
>  > a mini-DoS attack, as Rob noted. We can't prevent a rogue pub point
>>  manager (or CA) from mislabelling files relative to the 3-char
>>  extension, but why invite chaos :-)?
>
>Right, so it's a processing issue.

yes.

>So through the hierarchy (loosely speaking TA points to CA, CA points to
>Rescert, Rescert points to publication point and manifest) the lesser of the
>chaos scenarios would be to put the 'labeling' in the highest possible
>location within the publication point. I'm guessing the most sane is the
>Manifest, if it is truly a standards action requirement.
>
>As the manifest is a signed object, it has the benefit of being tightly
>interpreted as an attestation by the issuer that this 'file' with a
>specified hash is a ROA. How much clearer do you need to be? or want to be?

yes, publication of a manifest is mandatory. But, if you read the 
manifest spec closely, especially the error case discussion, you'll 
see that RPs are encouraged to accept objects that do not appear on a 
manifest, under certain circumstances. Thus, if we were to rely 
exclusively on the manifest contents to direct RP processing we would 
degrade the functionality  currently specified.

>
>  > An earlier draft of this doc called the extensions mere
>  > recommendations.  I persuaded Geoff to make them mandatory. The
>>  arguments I made then still
>>  apply, which is why STD vs. BCP seems appropriate, to me.
>>
>
>Were those arguments made on list? if so I will go hunting and reflect on
>them with a Merlot in hand this evening.

I don't recall. I may have sent them directly to Geoff.

Steve

From sra@hactrn.net  Wed Jul 20 09:15:18 2011
Return-Path: <sra@hactrn.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F029621F84E8 for <sidr@ietfa.amsl.com>; Wed, 20 Jul 2011 09:15:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.283
X-Spam-Level: 
X-Spam-Status: No, score=-100.283 tagged_above=-999 required=5 tests=[AWL=-0.331, BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, RCVD_IN_PBL=0.905, RCVD_IN_SORBS_DUL=0.877, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FhU0n8R252i3 for <sidr@ietfa.amsl.com>; Wed, 20 Jul 2011 09:15:17 -0700 (PDT)
Received: from adrilankha.hactrn.net (adrilankha.hactrn.net [IPv6:2001:418:1::19]) by ietfa.amsl.com (Postfix) with ESMTP id 44C3E21F84E5 for <sidr@ietf.org>; Wed, 20 Jul 2011 09:15:17 -0700 (PDT)
Received: from minas-ithil.hactrn.net (c-66-30-16-106.hsd1.ma.comcast.net [66.30.16.106]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "nargothrond.hactrn.net", Issuer "Grunchweather Associates" (not verified)) by adrilankha.hactrn.net (Postfix) with ESMTPS id DE318B86D; Wed, 20 Jul 2011 16:15:15 +0000 (UTC)
Received: from minas-ithil.hactrn.net (localhost [127.0.0.1]) by minas-ithil.hactrn.net (Postfix) with ESMTP id 3A5A13431A2; Wed, 20 Jul 2011 12:15:15 -0400 (EDT)
Date: Wed, 20 Jul 2011 12:15:15 -0400
From: Rob Austein <sra@isc.org>
To: Terry Manderson <terry.manderson@icann.org>
In-Reply-To: <CA4C2E36.17F9E%terry.manderson@icann.org>
References: <Pine.WNT.4.64.1107191043540.6484@SMURPHY-LT.columbia.ads.sparta.com> <CA4C2E36.17F9E%terry.manderson@icann.org>
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Message-Id: <20110720161515.3A5A13431A2@minas-ithil.hactrn.net>
Cc: draft-ietf-sidr-repos-struct@tools.ietf.org, sidr-chairs@tools.ietf.org, sidr@ietf.org
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jul 2011 16:15:18 -0000

At Tue, 19 Jul 2011 14:03:18 -0700, Terry Manderson wrote:
> 
> Rob's observation that the extension exists in the manifest file name is a
> close approximation provided words exist as highlighted which gives clear
> instruction to implementers as to
> 1) make the first approximation of validation regime on the filename in the
> _manifest_
> 2) then try all others
> 3) give up.

Sorry, wrong.  Attempt validation based on the filename type; if that
fails, the object is toast regardless of whether the filename appears
in the manifest or not.  Don't expect the RP to play guessing games.
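
The processing order discussed in this sub-thread, as an added example that is not part of any poster's message: the file name extension picks the validator, a failure there rejects the object whether or not it is on the manifest, and only then is the manifest consulted. The extension table, the SHA-256 choice, the status strings and the text stand-ins for DER objects are assumptions made for illustration.

```python
import hashlib

# Extension -> object type the CA declares through the file name.
# Assumed mapping for illustration; the page only speaks of 3-char extensions.
DECLARED_TYPE = {".cer": "certificate", ".crl": "crl", ".roa": "roa"}


def make_obj(inner_type, body):
    """Constructed stand-in for a signed object: the first line plays the role
    of the content-type OID that a real RP reads from the DER/CMS encoding."""
    return f"{inner_type}\n{body}".encode()


def declared_type(filename):
    dot = filename.rfind(".")
    return DECLARED_TYPE.get(filename[dot:].lower()) if dot != -1 else None


def validates_as(declared, blob):
    """Stand-in for the type-specific parser and signature check."""
    inner = blob.split(b"\n", 1)[0].decode(errors="replace")
    return inner == declared


def digest(blob):
    return hashlib.sha256(blob).hexdigest()


def reconcile(pub_point, manifest):
    """pub_point: {filename: bytes}, excluding the manifest file itself.
    manifest: {filename: hex digest} taken from a validated manifest, or None
    when no manifest could be retrieved."""
    report = {}
    listed = manifest or {}
    for name, blob in pub_point.items():
        dtype = declared_type(name)
        # Step 1: validate as the declared type only; no guessing at other types.
        if dtype is None or not validates_as(dtype, blob):
            report[name] = "rejected: fails validation as declared type"
            continue
        # Step 2: manifest state decides how much the RP trusts a valid object.
        if manifest is None:
            report[name] = "suspect: no manifest"
        elif name not in listed:
            report[name] = "suspect: not on manifest"
        elif listed[name] != digest(blob):
            report[name] = "suspect: hash mismatch"
        else:
            report[name] = "ok"
    # Step 3: anything the manifest names but the pub point lacks.
    for name in listed:
        if name not in pub_point:
            report[name] = "missing: on manifest, absent from pub point"
    return report


def demo():
    """Constructed publication point covering each outcome."""
    a = make_obj("roa", "AS64496 10.1.0.0/16 maxLength 20")
    b = make_obj("roa", "AS64511 10.1.16.0/20 maxLength 20")
    c = make_obj("certificate", "mislabelled: a certificate named .roa")
    d = make_obj("certificate", "child CA certificate, current copy")
    d_old = make_obj("certificate", "child CA certificate, previous copy")
    pub_point = {"a.roa": a, "b.roa": b, "c.roa": c, "d.cer": d}
    manifest = {
        "a.roa": digest(a),
        "c.roa": digest(c),      # listed with a correct hash, still rejected
        "d.cer": digest(d_old),  # manifest and pub point out of sync
        "e.crl": digest(b"crl\nnot published"),
    }
    return reconcile(pub_point, manifest)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{name:6} {status}")
```
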

From kent@bbn.com  Wed Jul 20 10:23:11 2011
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A196421F8AE4 for <sidr@ietfa.amsl.com>; Wed, 20 Jul 2011 10:23:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.901
X-Spam-Level: 
X-Spam-Status: No, score=-105.901 tagged_above=-999 required=5 tests=[AWL=-0.698, BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 03PYA+mVedVe for <sidr@ietfa.amsl.com>; Wed, 20 Jul 2011 10:23:11 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id 1138921F8AD6 for <sidr@ietf.org>; Wed, 20 Jul 2011 10:23:10 -0700 (PDT)
Received: from dhcp89-089-043.bbn.com ([128.89.89.43]:49165) by smtp.bbn.com with esmtp (Exim 4.74 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1QjaTz-000PYP-BC; Wed, 20 Jul 2011 13:22:51 -0400
Mime-Version: 1.0
Message-Id: <p0624080aca4cbbea9b65@[128.89.89.43]>
In-Reply-To: <CA4CA858.17FE2%terry.manderson@icann.org>
References: <CA4CA858.17FE2%terry.manderson@icann.org>
Date: Wed, 20 Jul 2011 13:22:36 -0400
To: Terry Manderson <terry.manderson@icann.org>
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="iso-8859-1" ; format="flowed"
Content-Transfer-Encoding: quoted-printable
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] looking at repository withholding attacks.
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jul 2011 17:23:11 -0000

Terry,

The repository document mandates that each CA
issue a manifest and maintain it in an up-to-date
fashion; that's pretty clear.  For example, 4.2.1
says  "If the authority alters any of the items
that it has published in the repository
publication point, then the authority MUST issue
a new manifest before the nextUpdate time."
Section 5.1 says "For a CA publication point in
the RPKI repository system, a CA MUST  perform
the following steps to generate a manifest:" Yes,
I admit that it does not say that a CA MUST
generate a manifest, and here is how the CA MUST
do it, but I see that as a nit that could easily
be clarified during editing, unless the WG feels
otherwise. Section 5.2 says "A new manifest MUST
be issued on or before the nextUpdate time." It
also says "An authority MUST issue a new manifest
in conjunction with the finalization of changes
made to objects in the publication point."  Both
of these statements seem like pretty clear
direction to each CA to create and publish
manifests.

Section 4.4. says "To determine whether a
manifest is valid, the RP MUST perform the
following checks in addition to those specified
in [ID.sidr-signed-object]." This seems like
pretty clear direction to an RP.

Section 6 of the manifest document also says:
"..., in the following sections, we describe a
sequence of tests that the RP SHOULD perform to
determine the manifest state of the given
publication point.  We then discuss the risks
associated with using signed objects in the
publication point, given the manifest state; we
also provide suitable warning text that SHOULD be
placed in a user-accessible log file.  It is the
responsibility of the RP to weigh these risks
against the risk of routing failure that could
occur if valid data is rejected, and to
implement a suitable local policy."

So the manifest document explains what an RP
SHOULD do with respect to using manifests.  Later
subsections note that an RP SHOULD view as
"suspect" signed objects that appear at a
publication point when there is no manifest
available, but that does not mean that an RP
ought not retrieve and process those objects. So
in such cases, the file name extension is the
only top-level demuxing type indicator available
to an RP. The text also says that an RP can
(probably ought) to use signed objects that
validate but are not on a manifest, because this
probably indicates an error by the maintainer of
the pub point, to maintain sync between the
manifest and the pub point content.

As for your example: I agree that if the content
of a pub point in a repository
is modified to remove the manifest for that pub
point (or if a MITM attack achieves the same
effect), and if one or more ROAs for more
specific prefixes are removed, while leaving the
encompassing ROA, then RPs may reach the wrong
conclusion about the route authorization info
expressed by the prefix holder. This is not an
ideal situation. RPs have flexibility in dealing
with this sort of situation. For example, an RP
that had previously acquired all three ROAs, and
a matching manifest, might choose to stick with
that data, in light of the absence of a manifest
for the objects retrieved this time.

Manifests do two things well: if they are perfect
and the pub point perfectly matches what the
manifest says, an RP gets a very warm fuzzy
feeling. If a manifest is perfect, and a named
object is missing, or is present but the hash
does not match, an RP should be suspicious, e.g.,
contact the CA to see what's wrong (e.g., using
the GhostBusters record info). But, for most
(all?) of the other cases of a mismatch between a
manifest and pub point content, the manifest
can't tell the RP what is wrong.

Steve
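
The scenario from Terry's "repository withholding" message and the fallback Steve describes in this reply, as an added example that is not part of the thread: origin validation over the three ROAs from the use-case tables, the same routes after Org B's ROA and the manifest disappear, and a relying-party check that keeps the last manifest-backed ROA set and logs any route that would flip from valid to invalid. The function names and the cache policy are assumptions made for illustration; the ROA values are those quoted in the thread.

```python
import ipaddress
from collections import namedtuple

ROA = namedtuple("ROA", "asn prefix max_len")


def roa(asn, prefix, max_len):
    return ROA(asn, ipaddress.ip_network(prefix), max_len)


def origin_state(route_prefix, origin_asn, roas):
    """Prefix origin validation: 'valid' if some covering ROA matches the
    origin AS and the route is no longer than maxLength, 'invalid' if ROAs
    cover the prefix but none match, 'not-found' if nothing covers it."""
    net = ipaddress.ip_network(route_prefix)
    covered = False
    for r in roas:
        if net.version == r.prefix.version and net.subnet_of(r.prefix):
            covered = True
            if origin_asn == r.asn and net.prefixlen <= r.max_len:
                return "valid"
    return "invalid" if covered else "not-found"


def newly_invalid(routes, cached, fetched):
    """Routes that were valid under the cached ROA set and are invalid under
    the freshly fetched one; these belong in the RP's warning log."""
    return [
        (prefix, asn)
        for prefix, asn in routes
        if origin_state(prefix, asn, cached) == "valid"
        and origin_state(prefix, asn, fetched) == "invalid"
    ]


def select_roa_set(fetched, manifest_ok, cached):
    """Local policy sketch (assumption): without a valid manifest for this
    fetch, prefer the last set that was backed by a matching manifest."""
    if manifest_ok or cached is None:
        return fetched, "using fetched objects"
    return cached, "manifest absent: keeping last manifest-backed set"


# ROAs from the use-case tables quoted in the thread.
ROA_A = roa(64496, "10.1.0.0/16", 20)
ROA_B = roa(64511, "10.1.16.0/20", 20)
ROA_C = roa(65535, "10.1.32.0/20", 20)
FULL = [ROA_A, ROA_B, ROA_C]
WITHHELD = [ROA_A, ROA_C]  # manifest and Org B's ROA missing from the fetch

# Constructed announcements, one per organisation.
ROUTES = [("10.1.0.0/16", 64496), ("10.1.16.0/20", 64511), ("10.1.32.0/20", 65535)]

if __name__ == "__main__":
    for prefix, asn in ROUTES:
        print(prefix, asn,
              origin_state(prefix, asn, FULL),
              origin_state(prefix, asn, WITHHELD))
    print("flagged:", newly_invalid(ROUTES, FULL, WITHHELD))
    print(select_roa_set(WITHHELD, manifest_ok=False, cached=FULL)[1])
```
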

From Sandra.Murphy@cobham.com  Wed Jul 20 10:35:22 2011
Return-Path: <Sandra.Murphy@cobham.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E37C21F889F for <sidr@ietfa.amsl.com>; Wed, 20 Jul 2011 10:35:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.03
X-Spam-Level: 
X-Spam-Status: No, score=-102.03 tagged_above=-999 required=5 tests=[AWL=0.569, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BxtiS1PTHSEO for <sidr@ietfa.amsl.com>; Wed, 20 Jul 2011 10:35:21 -0700 (PDT)
Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by ietfa.amsl.com (Postfix) with ESMTP id 4064421F888A for <sidr@ietf.org>; Wed, 20 Jul 2011 10:35:20 -0700 (PDT)
Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.13.5/8.13.5) with ESMTP id p6KHYsol026586; Wed, 20 Jul 2011 12:34:54 -0500
Received: from mailbin2.ads.sparta.com (mailbin.sparta.com [157.185.85.6]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id p6KHYsAX004811; Wed, 20 Jul 2011 12:34:54 -0500
Received: from SMURPHY-LT.columbia.ads.sparta.com ([157.185.81.116]) by mailbin2.ads.sparta.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675); Wed, 20 Jul 2011 13:34:53 -0400
Date: Wed, 20 Jul 2011 13:34:53 -0400 (Eastern Daylight Time)
From: Sandra Murphy <Sandra.Murphy@sparta.com>
To: Stephen Kent <kent@bbn.com>
In-Reply-To: <p0624080aca4cbbea9b65@[128.89.89.43]>
Message-ID: <Pine.WNT.4.64.1107201333370.5164@SMURPHY-LT.columbia.ads.sparta.com>
References: <CA4CA858.17FE2%terry.manderson@icann.org> <p0624080aca4cbbea9b65@[128.89.89.43]>
X-X-Sender: sandy@mailbin.sparta.com
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="15606991-15411-1311183293=:5164"
X-OriginalArrivalTime: 20 Jul 2011 17:34:53.0847 (UTC) FILETIME=[55E55A70:01CC4703]
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] looking at repository withholding attacks.



On Wed, 20 Jul 2011, Stephen Kent wrote:

> Terry,
>
> The repository document mandates that each CA issue a manifest and maintain
> it in an up-to-date fashion; that's pretty clear.

There's also the following text:

2.1. Manifests


    Every repository publication point MUST contain a manifest


--Sandy, speaking only as a personal observation



> For example, 4.2.1 says
> "If the authority alters any of the items that it has published in the
> repository publication point, then the authority MUST issue a new manifest
> before the nextUpdate time." Section 5.1 says "For a CA publication point in
> the RPKI repository system, a CA MUST  perform the following steps to
> generate a manifest:" Yes, I admit that it does not say that a CA MUST
> generate a manifest, and here is how the CA MUST do it, but I see that as a
> nit that could easily be clarified during editing, unless the WG feels
> otherwise. Section 5.2 says "A new manifest MUST be issued on or before the
> nextUpdate time." It also says "An authority MUST issue a new manifest in
> conjunction with the finalization of changes made to objects in the
> publication point."  Both of these statements seem like pretty clear
> direction to each CA to create and publish manifests.
>
> Section 4.4. says "To determine whether a manifest is valid, the RP MUST
> perform the following checks in addition to those specified in
> [ID.sidr-signed-object]." This seems like pretty clear direction to an RP.
>
> Section 6 of the manifest document also says: " ..., in the following
> sections, we describe a sequence of tests that the RP SHOULD perform  to
> determine the manifest state of the given publication point.  We  then
> discuss the risks associated with using signed objects in the publication
> point, given the manifest state; we also provide suitable warning text that
> SHOULD be placed in a user-accessible log file.  It is the responsibility of
> the RP to weigh these risks against the risk  of routing failure that could
> occur if valid data is rejected, and to implement a suitable local policy."
>
> So the manifest document explains what an RP SHOULD do with respect to using
> manifests.  Later subsections note that  an RP SHOULD view as "suspect"
> signed objects that appear at a publication point when there is no manifest
> available, but that does not mean that an RP ought not retrieve and process
> those objects. So in such cases, the file name extension is the only
> top-level demuxing type indicator available to an RP. The text also says that
> an RP can (probably ought) to use signed objects that validate but are not on
> a manifest, because this probably indicates an error by the maintainer of the
> pub point, to maintain sync between the manifest and the pub point content.
>
> As for your example: I agree that if the content of a pub point in a repository
> is modified to remove the manifest for that pub point (or if a MITM attack
> achieves the same effect), and if one or more ROAs for more specific prefixes
> are removed, while leaving the encompassing ROA, then RPs may reach the wrong
> conclusion about the route authorization info expressed by the prefix holder.
> This is not an ideal situation. RPs have flexibility in dealing with this
> sort of situation. For example, an RP that had previously acquired all three
> ROAs, and a matching manifest, might choose to stick with that data, in light
> of the absence of a manifest for the objects retrieved this time.
>
> Manifests do two things well: if they are perfect and the pub point perfectly
> matches what the manifest says, an RP gets a very warm fuzzy feeling. If a
> manifest is perfect, and a named object is missing, or is present but the
> hash does not match, an RP should be suspicious, e.g., contact the CA to see
> what's wrong (e.g., using the GhostBusters record info). But, for most (all?)
> of the other cases of a mismatch between a manifest and pub point content,
> the manifest can't tell the RP what is wrong.
>
> Steve

From kent@bbn.com  Wed Jul 20 10:47:59 2011
Mime-Version: 1.0
Message-Id: <p06240803ca49e63b41ea@[10.20.230.158]>
In-Reply-To: <46F6BC25-C99B-43A2-9ED1-810CE5E25A0F@apnic.net>
References: <4E209AC9.5040808@cisco.com> <20110717145323.6460631BDB0@minas-ithil.hactrn.net> <F3747D13-2885-4DBE-8B86-DAE1C61D75CA@apnic.net> <p06240802ca494b0cfe83@[198.18.176.250]> <46F6BC25-C99B-43A2-9ED1-810CE5E25A0F@apnic.net>
Date: Wed, 20 Jul 2011 13:47:16 -0400
To: Geoff Huston <gih@apnic.net>
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Cc: Rob Austein <sra@isc.org>, draft-ietf-sidr-repos-struct@tools.ietf.org, sidr-chairs@tools.ietf.org, sidr@ietf.org
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track

At 12:53 PM +1000 7/18/11, Geoff Huston wrote:
>...
>How is this X.500 directory "tagging" achieved in other PKIs? Three 
>letter filename extension conventions? Or some other tag mechanism?

I was referring specifically to the X.500 directory, which tags via 
its ASN.1 encoding for data types. But, in reality nobody uses X.500. 
LDAP is used instead, and it is based on X.500 (more precisely, 
X.501).

LDAP directories are accessed using the LDAP protocol, so file names 
don't enter into the picture. One identifies the entry (by 
distinguished name) and the object type (class) within the entry by 
OID, and then requests that value of the object (speaking about 
retrieval).  It is up to the implementation of the LDAP protocol to 
find the right type of object based on the search parameters 
provided, and to update or retrieve the objects accordingly.

The RPKI repository design is very different. It is not intended to 
support searching the way X.500 or LDAP does. Our operational model 
says that every RP needs to retrieve the current version of every 
object at every pub point (to first order), periodically. We selected 
rsync as the access protocol, and it uses directory and file names to 
locate objects. So, given our access model and our choice of access 
protocol, I think we ought to assume that filenames are the 
appropriate object names, and filename extensions are a convenient 
object type indicator, for use with this protocol.

Some RPs might, for example decide to not download GB files because 
these files are not critical to ROA validation. I am told that one 
can use rsync to perform selective retrieval based on a filename 
extension, so the use of such extensions seems very reasonable, as a 
means of enabling such selective retrieval.

Steve

From terry.manderson@icann.org  Wed Jul 20 19:31:40 2011
From: Terry Manderson <terry.manderson@icann.org>
To: Stephen Kent <kent@bbn.com>
Date: Wed, 20 Jul 2011 19:31:36 -0700
Thread-Topic: [sidr] looking at repository withholding attacks.
Thread-Index: AcxHAbtT5WTSY/qpTXSJ12pkT8TmOgATJSMN
Message-ID: <CA4DCCA8.180EE%terry.manderson@icann.org>
In-Reply-To: <p0624080aca4cbbea9b65@[128.89.89.43]>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] looking at repository withholding attacks.

Steve,

On 21/07/11 3:22 AM, "Stephen Kent" <kent@bbn.com> wrote:

> Terry,
>
> The repository document mandates that each CA
> issue a manifest and maintain it in an up-to-date
> fashion; that's pretty clear.  For example, 4.2.1
> says  "If the authority alters any of the items
> that it has published in the repository
> publication point, then the authority MUST issue
> a new manifest before the nextUpdate time."
> Section 5.1 says "For a CA publication point in
> the RPKI repository system, a CA MUST  perform
> the following steps to generate a manifest:" Yes,
> I admit that it does not say that a CA MUST
> generate a manifest, and here is how the CA MUST
> do it, but I see that as a nit that could easily
> be clarified during editing, unless the WG feels

I think that would be fair, I'm happy for such an edit.

> otherwise. Section 5.2 says "A new manifest MUST
> be issued on or before the nextUpdate time." It
> also says "An authority MUST issue a new manifest
> in conjunction with the finalization of changes
> made to objects in the publication point."  Both
> of these statements seem like pretty clear
> direction to each CA to create and publish
> manifests.

I think it is sensible for us to be explicit in the creation of objects
which drive the repository.

>
> Section 4.4. says "To determine whether a
> manifest is valid, the RP MUST perform the
> following checks in addition to those specified
> in [ID.sidr-signed-object]." This seems like
> pretty clear direction to an RP.

Right.. and then it says

" If the above procedure indicates that the manifest is invalid, then
   the manifest MUST be discarded and treated as though no manifest were
   present."

Which then really needs a point to 6.2.. but that's a nit I don't really
care about.


>
> Section 6 of the manifest document also says: "
> ..., in the following   sections, we describe a
> sequence of tests that the RP SHOULD perform  to
> determine the manifest state of the given
> publication point.  We  then discuss the risks
> associated with using signed objects in the
> publication point, given the manifest state; we
> also provide suitable warning text that SHOULD be
> placed in a user-accessible log file.  It is the
> responsibility of the RP to weigh these risks
> against the risk  of routing failure that could
> occur if valid data is rejected, and to
> implement a suitable local policy."

I would prefer, given the identified case, that where a situation exists
that a manifest is non-existent or discarded that the entire publication
point MUST be considered suspicious and not used for validation of
operational objects. I would be fine if the GB object were still validated
and used for human contact reasons with sufficient warnings about lack of
trust.

>
> So the manifest document explains what an RP
> SHOULD do with respect to using manifests.  Later
> subsections note that  an RP SHOULD view as
> "suspect" signed objects that appear at a
> publication point when there is no manifest
> available, but that does not mean that an RP
> ought not retrieve and process those objects. So

I'm fine for the RP to retrieve, fine for them to attempt to validate.
but any use of those objects seems like a very slippery slope.

I can foresee the potential for some transitive state existing where the RP
fetches an incomplete repository, however I would still urge that the RP
MUST not use an incomplete[1] repository and fall back onto their last known
valid local cache [2].

[1] where the manifest is missing, or any objects listed in the manifest are
missing.

[2] since multiple SIA values are permitted it might make sense to suggest
attempting to find a sane publication point from a replicated site (I'm not
sure at this stage if serial/rtt semantics are needed in that) but I suspect
such a function will be a necessity for entities "up the tree" who need to
consider high availability and network visibility of the publication point.

> in such cases, the file name extension is the
> only top-level demuxing type indicator available

In the absence of a manifest - "hint/indicator" I am comfortable with -
anything more is a veritable stretch.

> to an RP. The text also says that an RP can
> (probably ought) to use signed objects that
> validate but are not on a manifest, because this
> probably indicates an error by the maintainer of
> the pub point, to maintain sync between the
> manifest and the pub point content.

That seems inconsistent with the direction to a CA where Manifests must
exist, and must list all files (and hash) at the publication point.
I see this as a hard error, not a fuzzy one that can be left to an
interpretation without any real supporting information to the RP.

>
> As for your example: I agree that if the content of a pub point in a
> repository
> is modified to remove the manifest for that pub
> point (or if a MITM attack achieves the same
> effect), and if one or more ROAs for more
> specific prefixes are removed, while leaving the
> encompassing ROA, then RPs may reach the wrong
> conclusion about the route authorization info
> expressed by the prefix holder. This is not an
> ideal situation. RPs have flexibility in dealing
> with this sort of situation. For example, an RP
> that had previously acquired all three ROAs, and
> a matching manifest, might choose to stick with
> that data, in light of the absence of a manifest
> for the objects retrieved this time.

It seems this falls into a comment expressed several times before by other
wg members "don't leave the RP guessing".

>
> Manifests do two things well: if they are perfect
> and the pub point perfectly matches what the
> manifest says, an RP gets a very warm fuzzy

They get more than that - they know that the repository is presented as
intended and perfectly retrieved.

> feeling. If a manifest is perfect, and a named
> object is missing, or is present but the hash
> does not match, an RP should be suspicious, e.g.,

I would prefer to see a "MUST" in that thinking.

> contact the CA to see what's wrong (e.g., using
> the GhostBusters record info). But, for most
> (all?) of the other cases of a mismatch between a
> manifest and pub point content, the manifest
> can't tell the RP what is wrong.

That to me suggests the relying party ends up in a state of "how was I
supposed to know". In a security construct this seems non-optimal.

May I suggest the following to the WG:

Given that it's reasonable to expect that the CA MUST publish the manifest,
and the manifest MUST contain all the object's file and hash at the
publication point a RP MUST consider a publication point suspicious which
has anything other than a perfect manifest and set of matching
files/hashes.

The RP MAY use the remaining objects for debugging purposes only.

This will solve and remove the issue I have identified.

The _worst case_ is that all the resources (ROAs) described at the
suspicious publication point move to a state of "UNKNOWN". Which is far far
better (and softer in potential routing decisions) in my opinion than
erroneously classifying a route as INVALID.

The plus side to this is it reduces the situations where a RP is left
scratching their head in bewilderment.

Cheers
terry
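
The manifest states and RP policies argued over in the message above, as an added Python example that is not part of the thread and not taken from any RP implementation. The file names, the one-line text stand-in for ROA content, the `strict` flag and the `cache` argument are assumptions made for illustration; signature and certificate-chain validation are assumed to have happened already.

```python
import hashlib
import ipaddress


def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def manifest_state(manifest, fetched):
    """Compare a validated manifest (file name -> hash) with the fetched files."""
    if manifest is None:  # absent, or invalid and therefore discarded
        return "NO_MANIFEST", []
    findings = []
    for name, expected in sorted(manifest.items()):
        if name not in fetched:
            findings.append(("missing", name))
        elif digest(fetched[name]) != expected:
            findings.append(("hash_mismatch", name))
    for name in sorted(set(fetched) - set(manifest)):
        findings.append(("not_on_manifest", name))
    return ("MISMATCH" if findings else "MATCH"), findings


def parse_roa(blob: bytes):
    # Constructed stand-in "prefix maxlen asn"; a real ROA is a signed CMS object.
    prefix, maxlen, asn = blob.decode().split()
    return ipaddress.ip_network(prefix), int(maxlen), int(asn)


def usable_roas(manifest, fetched, cache, strict):
    """strict=True models the proposal above: anything short of a perfect
    manifest match means the fetched pub point is not used, and the RP falls
    back to its last known good cache (or to nothing at all)."""
    state, findings = manifest_state(manifest, fetched)
    if state == "MATCH" or not strict:
        source = fetched
    else:
        source = cache if cache is not None else {}
    roas = [parse_roa(b) for n, b in sorted(source.items()) if n.endswith(".roa")]
    return state, findings, roas


def origin_validation(route: str, origin: int, roas):
    """VALID if a covering ROA matches origin and length, INVALID if covered
    but unmatched, UNKNOWN if no ROA covers the route."""
    net = ipaddress.ip_network(route)
    covered = False
    for prefix, maxlen, asn in roas:
        if net.version == prefix.version and net.subnet_of(prefix):
            covered = True
            if asn == origin and net.prefixlen <= maxlen:
                return "VALID"
    return "INVALID" if covered else "UNKNOWN"


# Constructed sample pub point: one encompassing ROA and two more-specific ROAs.
FULL = {
    "covering.roa": b"198.51.100.0/24 24 64500",
    "specific-a.roa": b"198.51.100.0/25 25 64501",
    "specific-b.roa": b"198.51.100.128/25 25 64502",
}
MANIFEST = {name: digest(blob) for name, blob in FULL.items()}
WITHHELD = {"covering.roa": FULL["covering.roa"]}  # more-specifics not delivered

CASES = {
    # label: (manifest, fetched, cache, strict)
    "complete": (MANIFEST, FULL, None, True),
    "withheld_permissive": (None, WITHHELD, None, False),
    "stale_manifest_permissive": (MANIFEST, WITHHELD, None, False),
    "withheld_strict_no_cache": (None, WITHHELD, None, True),
    "withheld_strict_cached": (None, WITHHELD, FULL, True),
}


def evaluate(route="198.51.100.0/25", origin=64501):
    results = {}
    for label, (manifest, fetched, cache, strict) in CASES.items():
        state, findings, roas = usable_roas(manifest, fetched, cache, strict)
        results[label] = (state, findings, origin_validation(route, origin, roas))
    return results


if __name__ == "__main__":
    for label, (state, findings, outcome) in evaluate().items():
        print(f"{label:28} {state:12} {outcome:8} {findings}")
```

With the more-specific ROAs withheld, the permissive policy turns a legitimately originated route INVALID, while the strict policy yields UNKNOWN without a cache and VALID with one.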


From randy@psg.com  Wed Jul 20 19:42:47 2011
Date: Wed, 20 Jul 2011 19:42:39 -0700
Message-ID: <m2r55kl5gg.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Terry Manderson <terry.manderson@icann.org>
In-Reply-To: <CA4DCCA8.180EE%terry.manderson@icann.org>
References: <p0624080aca4cbbea9b65@[128.89.89.43]> <CA4DCCA8.180EE%terry.manderson@icann.org>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] looking at repository withholding attacks.

> I would prefer, given the identified case, that where a situation
> exists that a manifest is non-existent or discarded that the entire
> publication point MUST be considered suspicious and not used for
> validation of operational objects. I would be fine if the GB object
> were still validated and used for human contact reasons with
> sufficient warnings about lack of trust.

off the bloody wall.  the trust is gained through the cert chain.

randy

From terry.manderson@icann.org  Wed Jul 20 19:53:30 2011
From: Terry Manderson <terry.manderson@icann.org>
To: Randy Bush <randy@psg.com>
Date: Wed, 20 Jul 2011 19:53:28 -0700
Thread-Topic: [sidr] looking at repository withholding attacks.
Thread-Index: AcxHT+mAdOy74IouT8aZpigxJxp9XwAAXRhq
Message-ID: <CA4DD1C8.180F4%terry.manderson@icann.org>
In-Reply-To: <m2r55kl5gg.wl%randy@psg.com>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] looking at repository withholding attacks.

On 21/07/11 12:42 PM, "Randy Bush" <randy@psg.com> wrote:

>> I would prefer, given the identified case, that where a situation
>> exists that a manifest is non-existent or discarded that the entire
>> publication point MUST be considered suspicious and not used for
>> validation of operational objects. I would be fine if the GB object
>> were still validated and used for human contact reasons with
>> sufficient warnings about lack of trust.
>
> off the bloody wall.  the trust is gained through the cert chain.

very well, "if the GB still validates through the cert chain."

Provided of course that you have a valid GB object since without a manifest
a simple `cp 00001.gbr 00001.cer` will fail to validate under the assumption
you make the validation selection regime based on filename extension.

Terry


From randy@psg.com  Wed Jul 20 20:00:56 2011
Date: Wed, 20 Jul 2011 20:00:49 -0700
Message-ID: <m2oc0ol4m6.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Terry Manderson <terry.manderson@icann.org>
In-Reply-To: <CA4DD1C8.180F4%terry.manderson@icann.org>
References: <m2r55kl5gg.wl%randy@psg.com> <CA4DD1C8.180F4%terry.manderson@icann.org>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] looking at repository withholding attacks.

>>> I would prefer, given the identified case, that where a situation
>>> exists that a manifest is non-existent or discarded that the entire
>>> publication point MUST be considered suspicious and not used for
>>> validation of operational objects. I would be fine if the GB object
>>> were still validated and used for human contact reasons with
>>> sufficient warnings about lack of trust.
>> 
>> off the bloody wall.  the trust is gained through the cert chain.
> 
> very well, "if the GB still validates through the cert chain."
> 
> Provided of course that you have a valid GB object since without a
> manifest a simple `cp 00001.gbr 00001.cer` will fail to validate under
> the assumption you make the validation selection regime based on
> filename extension

this is so far off into the weeds as to be picturesquely stunning.

let me try with more words.  the rpki is an x.509 based pki.  it is the
certs and validation chain(s) which rule.  if a roa, gbr, ee cert,
... validates to a ta, it is good.  period, end.  finished.

the purpose of the manifest is to try and reduce one known attack on
this type of pki, removal of an object.  end.  period.  fin.

randy

From terry.manderson@icann.org  Wed Jul 20 20:03:41 2011
From: Terry Manderson <terry.manderson@icann.org>
To: Rob Austein <sra@isc.org>
Date: Wed, 20 Jul 2011 20:03:37 -0700
Thread-Topic: [sidr] draft-ietf-sidr-repos-struct to Standards Track
Thread-Index: AcxG+EPt4cRNdg61QI2Q+GXRT2RURgAWoT1D
Message-ID: <CA4DD429.180F8%terry.manderson@icann.org>
In-Reply-To: <20110720161515.3A5A13431A2@minas-ithil.hactrn.net>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "draft-ietf-sidr-repos-struct@tools.ietf.org" <draft-ietf-sidr-repos-struct@tools.ietf.org>, "sidr-chairs@tools.ietf.org" <sidr-chairs@tools.ietf.org>, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track

On 21/07/11 2:15 AM, "Rob Austein" <sra@isc.org> wrote:

> At Tue, 19 Jul 2011 14:03:18 -0700, Terry Manderson wrote:
>>
>> Rob's observation that the extension exists in the manifest file name is a
>> close approximation provided words exist as highlighted which gives clear
>> instruction to implementers as to
>> 1) make the first approximation of validation regime on the filename in the
>> _manifest_
>> 2) then try all others
>> 3) give up.
>
> Sorry, wrong.  Attempt validation based on the filename type; if that
> fails, the object is toast regardless of whether the filename appears
> in the manifest or not.  Don't expect the RP to play guessing games.

You wouldn't check the manifest? The manifest seems like the hinge point to
me.

I think I'll have to reflect on why you select that direction.

Cheers
Terry


From terry.manderson@icann.org  Wed Jul 20 20:24:55 2011
From: Terry Manderson <terry.manderson@icann.org>
To: Randy Bush <randy@psg.com>
Date: Wed, 20 Jul 2011 20:24:51 -0700
Thread-Topic: [sidr] looking at repository withholding attacks.
Thread-Index: AcxHUnPLjxMR3ArJS4m8iNKs+WVLCAAA0xzp
Message-ID: <CA4DD923.180FC%terry.manderson@icann.org>
In-Reply-To: <m2oc0ol4m6.wl%randy@psg.com>
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] looking at repository withholding attacks.

>>
>> Provided of course that you have a valid GB object since without a
>> manifest a simple `cp 00001.gbr 00001.cer` will fail to validate under

oops that should have been `mv 00001.gbr 00001.cer`.

>> the assumption you make the validation selection regime based on
>> filename extension
>
> this is so far off into the weeds as to be picturesquely stunning.

no it's not.. Rob has said:

" Attempt validation based on the filename type; if that
fails, the object is toast regardless of whether the filename appears
in the manifest or not. "

That means if I rename an object it will not validate. (irrespective of
being in the manifest or not)

so really, 'rm *mft; for foobar in * ; do mv $foobar $foobar.gbr ; done'

will wipe out the entire repository and nothing will validate, except the
valid GB record..

Did I interpret Rob incorrectly?

So similarly 'for foobar in * ; do mv $foobar hahha$foobar ; done'
will mean that the manifest will mismatch, but provides a very clear signal
if we use the MUST word to the RP such that the RP will set aside the entire
publication point and start the human interaction process with a no harm/no
foul result.

>
> let me try with more words.  the rpki is an x.509 based pki.  it is the
> certs and validation chain(s) which rule.  if a roa, gbr, ee cert,
> ... validates to a ta, it is good.  period, end.  finished.
>=20
> the purpose of the manifest is to try and reduce one known attack on
> this type of pki, removal of an object.  end.  period.  fin.

The problem is Randy, that this PKI requires full and complete distribution
through a sane repository system. Failure to have a full and complete
repository WILL lead to unintended (ie bad) results. So it's not just the PKI
alone.

Terry


From achi@bbn.com  Thu Jul 21 07:25:40 2011
Message-ID: <4E2836C0.10808@bbn.com>
Date: Thu, 21 Jul 2011 10:25:04 -0400
From: Andrew Chi <achi@bbn.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20110624 Thunderbird/5.0
MIME-Version: 1.0
To: Terry Manderson <terry.manderson@icann.org>
References: <CA4DD429.180F8%terry.manderson@icann.org>
In-Reply-To: <CA4DD429.180F8%terry.manderson@icann.org>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Cc: Rob Austein <sra@isc.org>, "draft-ietf-sidr-repos-struct@tools.ietf.org" <draft-ietf-sidr-repos-struct@tools.ietf.org>, "sidr-chairs@tools.ietf.org" <sidr-chairs@tools.ietf.org>, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track

On 7/20/2011 11:03 PM, Terry Manderson wrote:
>
> On 21/07/11 2:15 AM, "Rob Austein"<sra@isc.org>  wrote:
>
>> At Tue, 19 Jul 2011 14:03:18 -0700, Terry Manderson wrote:
>>>
>>> Rob's observation that the extension exists in the manifest file name is a
>>> close approximation provided words exist as highlighted which gives clear
>>> instruction to implementers as to
>>> 1) make the first approximation of validation regime on the filename in the
>>> _manifest_
>>> 2) then try all others
>>> 3) give up.
>>
>> Sorry, wrong.  Attempt validation based on the filename type; if that
>> fails, the object is toast regardless of whether the filename appears
>> in the manifest or not.  Don't expect the RP to play guessing games.
>
> You wouldn't check the manifest? The manifest seems like the hinge point to
> me.

As another implementer, I agree with Rob.

Manifests cannot solve everything.  They detect when an expected file is 
NOT present.  If you try to use them as a comprehensive listing, you run 
into tons of gray areas.  I'll refrain from rehashing the discussion in 
the other thread about manifests, but you can insert that here.

Therefore, the BBN validator does the only thing sensible, which is 
validate based on filename and certificate chain.  After that, we check 
against the manifest and emit a warning if it doesn't look right.  And 
we provide the user with configuration flags to control the output of 
validator: does he want output from the "perfect" ROAs only (with 
perfect manifests all the way up the chain), or is some level of 
grayness acceptable.

Manifests are murky, especially when you misuse them.  Filename 
extensions are not.

-Andrew


From achi@bbn.com  Thu Jul 21 12:00:16 2011
Message-ID: <4E287733.4060101@bbn.com>
Date: Thu, 21 Jul 2011 15:00:03 -0400
From: Andrew Chi <achi@bbn.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20110624 Thunderbird/5.0
MIME-Version: 1.0
To: Terry Manderson <terry.manderson@icann.org>
References: <CA4DD923.180FC%terry.manderson@icann.org>
In-Reply-To: <CA4DD923.180FC%terry.manderson@icann.org>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] looking at repository withholding attacks.

On 7/20/2011 11:24 PM, Terry Manderson wrote:
> The problem is Randy, that this PKI requires full and complete distribution
> through a sane repository system. Failure to have a full and complete
> repository WILL lead to unintended (ie bad) results.

I agree that relying parties (RPs) need eventual access to the full 
repository system, and it's true that repositories (not just filenames) 
are considered unprotected structures.

But IMO this is why we have RP software that:
(1) caches valid objects from previous downloads,
(2) validates through the certificate chain, and
(3) does *not* simply blacklist an entire subtree when a single manifest 
disappears (or more generally, when other parent objects are 
inaccessible through the repo system).

With RP software that does those things, intermittent repository 
dropouts and even intermittent corrupted repositories are okay.

What am I missing?

-Andrew


From terry.manderson@icann.org  Thu Jul 21 19:00:11 2011
From: Terry Manderson <terry.manderson@icann.org>
To: Andrew Chi <achi@bbn.com>
Date: Thu, 21 Jul 2011 19:00:07 -0700
Thread-Topic: [sidr] looking at repository withholding attacks.
Thread-Index: AcxH2HVcROr1fn7UTGKt0NtU9wNdMwAOp79t
Message-ID: <CA4F16C7.1818A%terry.manderson@icann.org>
In-Reply-To: <4E287733.4060101@bbn.com>
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] looking at repository withholding attacks.

Hi Andrew,


On 22/07/11 5:00 AM, "Andrew Chi" <achi@bbn.com> wrote:

> On 7/20/2011 11:24 PM, Terry Manderson wrote:
>> The problem is Randy, that this PKI requires full and complete distribution
>> through a sane repository system. Failure to have a full and complete
>> repository WILL lead to unintended (ie bad) results.
>

I left off a few words that might clarify the position.

"Failure to have a full and complete repository" should have been
"Failure to have a full and complete repository at that publication point"

Given the distributed nature of the repository there will be times that some
publication points are not available.

> I agree that relying parties (RPs) need eventual access to the full
> repository system, and it's true that repositories (not just filenames)
> are considered unprotected structures.

agree.

>
> But IMO this is why we have RP software that:
> (1) caches valid objects from previous downloads,

Which is good.

> (2) validates through the certificate chain, and

good there too.

> (3) does *not* simply blacklist an entire subtree when a single manifest
> disappears (or more generally, when other parent objects are
> inaccessible through the repo system).

This is where I disagree. Doing this takes the existing routing system with
the default assessment of "unknown" and asserts a statement of "INVALID" in
the case that I provided.

This is badness and I think is the wrong action to take and against the
original mandate of SIDR of 'make before break'. So you must set the
publication point aside as you can't verify the consistency of the
publication point unless you have a complete manifest and set of files, if
you then pass that to the routing side as a 'best fit' the RP is simply
guessing on what the intended outcomes should be.

You may use a previously sane and known repository point which still
validates.

I am fine for RPs to do tweaks on the information once they receive it on
the routing side (specifically how they implement VALID, INVALID, and
UNKNOWN) but the outputs from the RPKI validation of a publication point
should be perfectly predictable in all situations of repository dropouts and
intermittent corruptions.

>
> With RP software that does those things, intermittent repository
> dropouts and even intermittent corrupted repositories are okay.
>

Not when they result in routes being marked as INVALID from such events.

> What am I missing?


My suggestion to fix this through the manifest is probably only one
solution.

If you have an alternative fix, which takes the burden and guesswork away
from the RP, I would be happy to hear it.

Terry


From terry.manderson@icann.org  Thu Jul 21 19:16:43 2011
From: Terry Manderson <terry.manderson@icann.org>
To: Andrew Chi <achi@bbn.com>
Date: Thu, 21 Jul 2011 19:16:40 -0700
Thread-Topic: [sidr] draft-ietf-sidr-repos-struct to Standards Track
Thread-Index: AcxHshDlf1CW5p4mSnmkbzKWESapBwAY1NVK
Message-ID: <CA4F1AA8.1818D%terry.manderson@icann.org>
In-Reply-To: <4E2836C0.10808@bbn.com>
Cc: Rob Austein <sra@isc.org>, "draft-ietf-sidr-repos-struct@tools.ietf.org" <draft-ietf-sidr-repos-struct@tools.ietf.org>, "sidr-chairs@tools.ietf.org" <sidr-chairs@tools.ietf.org>, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track

Hi Andrew,


>
> Therefore, the BBN validator does the only thing sensible, which is
> validate based on filename and certificate chain.  After that, we check
> against the manifest and emit a warning if it doesn't look right.  And
> we provide the user with configuration flags to control the output of
> validator: does he want output from the "perfect" ROAs only (with
> perfect manifests all the way up the chain), or is some level of
> grayness acceptable.
>
> Manifests are murky, especially when you misuse them.  Filename
> extensions are not.

Maybe the repository should have been constructed in LDAP with a manifest
object there to confirm the ldap search returned all the roa objects.

I am, and still, remain uncomfortable about RPKI using filename extensions
as the only mechanism to select the validation regime. It might be a
flippant statement but even Microsoft office can tell a word document from
an excel document without the extension.

Perhaps Randy's terse statement about starting again with TLVs isn't
actually bad advice given that getting stuff from a repository isn't
actually a specific question/answer model.

Cheers
Terry


From ietfc@btconnect.com  Fri Jul 22 10:20:15 2011
Message-ID: <00f401cc488a$3f562a40$4001a8c0@gateway.2wire.net>
From: "t.petch" <ietfc@btconnect.com>
To: "Terry Manderson" <terry.manderson@icann.org>
References: <CA4F1AA8.1818D%terry.manderson@icann.org>
Date: Fri, 22 Jul 2011 18:12:53 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Cc: Rob Austein <sra@isc.org>, draft-ietf-sidr-repos-struct@tools.ietf.org, sidr-chairs@tools.ietf.org, sidr@ietf.org
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track

----- Original Message -----
From: "Terry Manderson" <terry.manderson@icann.org>
To: "Andrew Chi" <achi@bbn.com>
Cc: "Rob Austein" <sra@isc.org>; <draft-ietf-sidr-repos-struct@tools.ietf.org>;
<sidr-chairs@tools.ietf.org>; <sidr@ietf.org>
Sent: Friday, July 22, 2011 4:16 AM

> Hi Andrew,
> >
> > Therefore, the BBN validator does the only thing sensible, which is
> > validate based on filename and certificate chain.  After that, we check
> > against the manifest and emit a warning if it doesn't look right.  And
> > we provide the user with configuration flags to control the output of
> > validator: does he want output from the "perfect" ROAs only (with
> > perfect manifests all the way up the chain), or is some level of
> > grayness acceptable.
> >
> > Manifests are murky, especially when you misuse them.  Filename
> > extensions are not.
>
> Maybe the repository should have been constructed in LDAP with a manifest
> object there to confirm the ldap search returned all the roa objects.
>
> I am, and still, remain uncomfortable about RPKI using filename extensions
> as the only mechanism to select the validation regime. It might be a
> flippant statement but even Microsoft office can tell a word document from
> an excel document without the extension.

Indeed; file extensions only work - and they have been working very well for a
long time - in and around PC systems because they are part of a belt and braces.
Almost all file formats also say what they are in the first line - GIF, jpeg,
PDF, Wordpro etc - so the file extension gets you to the application that can
then easily verify that what it has been passed is plausibly correct and not go
mad because eg Wordpro is trying to parse a PDF.

Given the distributed nature of the dynamic database that is RPKI, I would have
thought a self identifying first line would be essential.

Tom Petch

>
> Perhaps Randy's terse statement about starting again with TLVs isn't
> actually bad advice given that getting stuff from a repository isn't
> actually a specific question/answer model.
>
> Cheers
> Terry


From kent@bbn.com  Sat Jul 23 07:22:44 2011
Mime-Version: 1.0
Message-Id: <p06240800ca507a73b7e4@[172.17.25.20]>
In-Reply-To: <CA4F1AA8.1818D%terry.manderson@icann.org>
References: <CA4F1AA8.1818D%terry.manderson@icann.org>
Date: Sat, 23 Jul 2011 09:22:40 -0400
To: Terry Manderson <terry.manderson@icann.org>
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Cc: Rob Austein <sra@isc.org>, "draft-ietf-sidr-repos-struct@tools.ietf.org" <draft-ietf-sidr-repos-struct@tools.ietf.org>, "sidr-chairs@tools.ietf.org" <sidr-chairs@tools.ietf.org>, "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track

At 7:16 PM -0700 7/21/11, Terry Manderson wrote:
>Hi Andrew,
>
>
>>
>>  Therefore, the BBN validator does the only thing sensible, which is
>>  validate based on filename and certificate chain.  After that, we check
>>  against the manifest and emit a warning if it doesn't look right.  And
>>  we provide the user with configuration flags to control the output of
>>  validator: does he want output from the "perfect" ROAs only (with
>>  perfect manifests all the way up the chain), or is some level of
>>  grayness acceptable.
>>
>>  Manifests are murky, especially when you misuse them.  Filename
>>  extensions are not.
>
>Maybe the repository should have been constructed in LDAP with a manifest
>object there to confirm the ldap search returned all the roa objects.

LDAP would be terrible in this context. It is not well suited to
the "I want everything that has changed since this time" model of
repository access that RPs need here.

Steve

From kent@bbn.com  Sat Jul 23 07:23:01 2011
Mime-Version: 1.0
Message-Id: <p06240801ca507ca63ba7@[172.17.25.20]>
In-Reply-To: <00f401cc488a$3f562a40$4001a8c0@gateway.2wire.net>
References: <CA4F1AA8.1818D%terry.manderson@icann.org> <00f401cc488a$3f562a40$4001a8c0@gateway.2wire.net>
Date: Sat, 23 Jul 2011 09:37:17 -0400
To: "t.petch" <ietfc@btconnect.com>
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Cc: Rob Austein <sra@isc.org>, draft-ietf-sidr-repos-struct@tools.ietf.org, sidr@ietf.org, sidr-chairs@tools.ietf.org
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track

>...
>Given the distributed nature of the dynamic database that is RPKI, I 
>would have
>thought a self identifying first line would be essential.
>
>Tom Petch

Repository objects are not text files.  They are binary (CMS). Each 
object DOES begin with its context type (and OID).  So, in the binary 
space, we do just what you suggested. But, it is still very helpful 
to make use of filename extensions, e.g., to allow different types of 
RPs to filter what they retrieve.

Steve
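
[Added example, not part of any message in this thread and not the code of
any validator named in it. It sketches the ordering discussed above: pick the
validation regime from the filename extension, confirm it against the CMS
eContentType inside the object, and only then compare against the manifest,
which yields a warning rather than a rejection. The function names and sample
objects are constructed for illustration; signature and certificate-chain
validation are not performed.]

```python
import hashlib
import os

# DER-encoded OID values: CMS signedData and the RPKI eContentTypes.
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2
OID_ROA = bytes.fromhex("2a864886f70d0109100118")       # ...1.9.16.1.24
OID_MFT = bytes.fromhex("2a864886f70d010910011a")       # ...1.9.16.1.26
OID_GBR = bytes.fromhex("2a864886f70d0109100123")       # ...1.9.16.1.35

# Validation regime chosen from the filename extension; None = not a CMS object.
EXPECTED = {".roa": OID_ROA, ".mft": OID_MFT, ".gbr": OID_GBR, ".cer": None}


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV overruns buffer")
    return tag, pos, pos + length


def expect(buf, pos, want):
    tag, start, end = read_tlv(buf, pos)   # read one TLV and insist on its tag
    if tag != want:
        raise ValueError("unexpected tag")
    return start, end


def econtent_type(der):
    """eContentType OID bytes of a CMS SignedData object, or None if not one."""
    try:
        s, _ = expect(der, 0, 0x30)        # ContentInfo SEQUENCE
        s, e = expect(der, s, 0x06)        # contentType OID
        if der[s:e] != OID_SIGNED_DATA:
            return None
        s, _ = expect(der, e, 0xA0)        # [0] EXPLICIT content
        s, _ = expect(der, s, 0x30)        # SignedData SEQUENCE
        _, e = expect(der, s, 0x02)        # version INTEGER
        _, e = expect(der, e, 0x31)        # digestAlgorithms SET
        s, _ = expect(der, e, 0x30)        # encapContentInfo SEQUENCE
        s, e = expect(der, s, 0x06)        # eContentType OID
        return der[s:e]
    except ValueError:
        return None


def check_object(name, der, manifest):
    """Return (status, reason); manifest maps filename -> SHA-256 hex digest."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in EXPECTED:
        return "reject", "unknown filename extension"
    if econtent_type(der) != EXPECTED[ext]:
        return "reject", "content does not match the type the filename claims"
    # Signature and certificate-chain validation belong here (not shown).
    if name not in manifest:
        return "warn", "not listed in manifest"
    if manifest[name] != hashlib.sha256(der).hexdigest():
        return "warn", "hash differs from manifest"
    return "ok", ""


def tlv(tag, body):
    """DER-encode one TLV (used only to build the constructed samples)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def fake_signed_object(econtent_oid, payload):
    """Constructed CMS skeleton: right shape for type detection, no signature."""
    encap = tlv(0x30, tlv(0x06, econtent_oid) + tlv(0xA0, tlv(0x04, payload)))
    signed = tlv(0x30, tlv(0x02, b"\x03") + tlv(0x31, b"") + encap)
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, signed))


def demo():
    gbr = fake_signed_object(OID_GBR, b"constructed vCard payload")
    roa = fake_signed_object(OID_ROA, b"\x00" * 200)   # forces long-form lengths
    manifest = {"00001.gbr": hashlib.sha256(gbr).hexdigest(),
                "00002.roa": hashlib.sha256(roa).hexdigest()}
    return {
        "intact": check_object("00001.gbr", gbr, manifest),
        "gbr_renamed_cer": check_object("00001.cer", gbr, manifest),
        "roa_renamed_gbr": check_object("00002.roa.gbr", roa, manifest),
        "prefixed": check_object("hahha00002.roa", roa, manifest),
        "stale_hash": check_object("00002.roa", roa, {"00002.roa": "00" * 32}),
    }
```

[The renamed objects are rejected on the type check alone, while the object
whose name or hash no longer matches the manifest is flagged with a warning,
which is the split the thread is arguing about.]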

From ietfc@btconnect.com  Sat Jul 23 13:06:52 2011
Message-ID: <026301cc496b$235c94a0$4001a8c0@gateway.2wire.net>
From: "t.petch" <ietfc@btconnect.com>
To: "Stephen Kent" <kent@bbn.com>
References: <CA4F1AA8.1818D%terry.manderson@icann.org> <00f401cc488a$3f562a40$4001a8c0@gateway.2wire.net> <p06240801ca507ca63ba7@[172.17.25.20]>
Date: Sat, 23 Jul 2011 21:02:53 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Mirapoint-IP-Reputation: reputation=Fair-1, source=Queried, refid=tid=0001.0A0B0301.4E2B29A2.0069, actions=tag
X-Junkmail-Premium-Raw: score=7/50, refid=2.7.2:2011.7.23.183914:17:7.586, ip=86.174.254.236, rules=__HAS_MSGID, __OUTLOOK_MSGID_1, __SANE_MSGID, __TO_MALFORMED_2, __BOUNCE_CHALLENGE_SUBJ, __BOUNCE_NDR_SUBJ_EXEMPT, __MIME_VERSION, __CT, CT_TP_8859_1, __CT_TEXT_PLAIN, __CTE, __HAS_X_PRIORITY, __HAS_MSMAIL_PRI, __HAS_X_MAILER, USER_AGENT_OE, __OUTLOOK_MUA_1, __USER_AGENT_MS_GENERIC, __ANY_URI, __URI_NO_WWW, __URI_NO_PATH, BODY_SIZE_1100_1199, BODYTEXTP_SIZE_3000_LESS, __MIME_TEXT_ONLY, RDNS_GENERIC_POOLED, BODY_SIZE_5000_LESS, RDNS_SUSP_GENERIC, __OUTLOOK_MUA, RDNS_SUSP, BODY_SIZE_2000_LESS, BODY_SIZE_7000_LESS
X-Junkmail-Status: score=10/50, host=c2bthomr10.btconnect.com
X-Junkmail-Signature-Raw: score=unknown, refid=str=0001.0A0B0202.4E2B29A5.0016,ss=1,fgs=0, ip=0.0.0.0, so=2010-07-22 22:03:31, dmn=2009-09-10 00:05:08, mode=multiengine
X-Junkmail-IWF: false
Cc: Rob Austein <sra@isc.org>, draft-ietf-sidr-repos-struct@tools.ietf.org, sidr@ietf.org, sidr-chairs@tools.ietf.org
Subject: Re: [sidr] draft-ietf-sidr-repos-struct to Standards Track
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Jul 2011 20:06:52 -0000

----- Original Message -----
From: "Stephen Kent" <kent@bbn.com>
To: "t.petch" <ietfc@btconnect.com>
Cc: "Terry Manderson" <terry.manderson@icann.org>; "Rob Austein" <sra@isc.org>;
<draft-ietf-sidr-repos-struct@tools.ietf.org>; <sidr-chairs@tools.ietf.org>;
<sidr@ietf.org>
Sent: Saturday, July 23, 2011 3:37 PM
> >...
> >Given the distributed nature of the dynamic database that is RPKI, I
> >would have
> >thought a self identifying first line would be essential.
> >
> >Tom Petch
>
> Repository objects are not text files.  They are binary (CMS). Each
> object DOES begin with its context type (and OID).  So, in the binary
> space, we do just what you suggested. But, it is still very helpful
> to make use of filename extensions, e.g., to allow different types of
> RPs to filter what they retrieve.

Yes, I am well familiar with OIDs and their encoding and assume that
Terry is as well, so I was endorsing what I take to be his disquiet about only
using file extensions before assuming that there is an OID there and
presenting it to the validation regime on the assumption that there is one
to decode.

Tom Petch


>
> Steve


From kent@bbn.com  Sun Jul 24 06:25:53 2011
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4337521F8880 for <sidr@ietfa.amsl.com>; Sun, 24 Jul 2011 06:25:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.538
X-Spam-Level: 
X-Spam-Status: No, score=-106.538 tagged_above=-999 required=5 tests=[AWL=0.061, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dHL3mqvjrsxz for <sidr@ietfa.amsl.com>; Sun, 24 Jul 2011 06:25:52 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id 5BEA821F8663 for <sidr@ietf.org>; Sun, 24 Jul 2011 06:25:52 -0700 (PDT)
Received: from dommiel.bbn.com ([192.1.122.15]:52166 helo=[130.129.71.153]) by smtp.bbn.com with esmtp (Exim 4.74 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1Qkygp-0004Hj-II for sidr@ietf.org; Sun, 24 Jul 2011 09:25:51 -0400
Mime-Version: 1.0
Message-Id: <p06240808ca50e4106010@[130.129.18.170]>
Date: Sun, 24 Jul 2011 09:25:49 -0400
To: sidr@ietf.org
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Subject: [sidr] slight whoops
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Jul 2011 13:25:53 -0000

I was reminded that not all objects in the RPKI repository are
CMS objects, e.g., certs and CRLs.

These are binary objects that do not start with an OID.

Nonetheless, since we have adopted rsync as the access protocol
for the RPKI repository, and since it deals with files and filenames,
using the filename to identify an object type at the top level seems
appropriate.

Steve
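
The check Tom Petch asks for, combined with Steve Kent's two observations (CMS objects begin with a content-type OID, certificates and CRLs do not), as an added example that is not code from this thread or from any RPKI implementation. The extensions and eContentType OIDs are assumptions taken from the published RPKI specifications (RFC 6481, 6482, 6486), and the sample objects are constructed structural skeletons, not real signed data.

```python
import os

ID_SIGNED_DATA = "1.2.840.113549.1.7.2"  # CMS SignedData content type (RFC 5652)
# Extension -> (top-level shape, eContentType). Assumption: values come from
# the published RPKI specs (RFC 6481, 6482, 6486), not from this thread.
EXPECTED = {
    ".cer": ("x509", None),
    ".crl": ("x509", None),  # same outer shape as .cer; not told apart here
    ".roa": ("cms", "1.2.840.113549.1.9.16.1.24"),
    ".mft": ("cms", "1.2.840.113549.1.9.16.1.26"),
}

def read_tlv(buf, off, limit):
    """Parse one DER TLV inside buf[off:limit]; return (tag, value_start, value_end)."""
    if off + 2 > limit:
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[off], buf[off + 1], off + 2
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tag not expected here")
    length = first
    if first >= 0x80:  # long form: low 7 bits give the number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > limit:
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > limit:
        raise ValueError("value overruns its container")
    return tag, pos, pos + length

def expect(buf, off, limit, want_tag):
    """Like read_tlv, but insist on one tag; return (value_start, value_end)."""
    tag, start, end = read_tlv(buf, off, limit)
    if tag != want_tag:
        raise ValueError("expected tag 0x%02x, found 0x%02x" % (want_tag, tag))
    return start, end

def decode_oid(body):
    """Decode DER OID content octets to dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def sniff(data):
    """Return ("x509", None) or ("cms", eContentType) from the bytes alone."""
    start, end = expect(data, 0, len(data), 0x30)
    if end != len(data):
        raise ValueError("trailing bytes after outer SEQUENCE")
    tag, vstart, vend = read_tlv(data, start, end)
    if tag == 0x30:  # certs and CRLs open with a tbs SEQUENCE, not an OID
        return "x509", None
    if tag != 0x06 or decode_oid(data[vstart:vend]) != ID_SIGNED_DATA:
        raise ValueError("neither X.509-shaped nor CMS SignedData")
    s, e = expect(data, vend, end, 0xA0)  # [0] EXPLICIT content
    s, e = expect(data, s, e, 0x30)       # SignedData
    _, s = expect(data, s, e, 0x02)       # skip version INTEGER
    _, s = expect(data, s, e, 0x31)       # skip digestAlgorithms SET
    s, e = expect(data, s, e, 0x30)       # EncapsulatedContentInfo
    s, e = expect(data, s, e, 0x06)       # eContentType OID
    return "cms", decode_oid(data[s:e])

def check_object(filename, data):
    """Return (accepted, reason); any extension/content disagreement rejects."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in EXPECTED:
        return False, "unknown extension"
    try:
        found = sniff(data)
    except ValueError as exc:
        return False, "malformed: %s" % exc
    if found != EXPECTED[ext]:
        return False, "extension %s disagrees with content %r" % (ext, found)
    return True, "ok"

# --- constructed sample objects (structural skeletons, not real signed data) ---
def tlv(tag, body=b""):
    return bytes([tag, len(body)]) + body  # short-form lengths only (< 128)

def sample_cms(econtent_oid):
    signed_data_oid = tlv(0x06, bytes.fromhex("2a864886f70d010702"))
    encap = tlv(0x30, tlv(0x06, econtent_oid))
    signed = tlv(0x30, tlv(0x02, b"\x03") + tlv(0x31) + encap)
    return tlv(0x30, signed_data_oid + tlv(0xA0, signed))

SAMPLE_ROA = sample_cms(bytes.fromhex("2a864886f70d0109100118"))
SAMPLE_MFT = sample_cms(bytes.fromhex("2a864886f70d010910011a"))
SAMPLE_CERT = tlv(0x30, tlv(0x30) + tlv(0x30) + tlv(0x03, b"\x00"))
```

The check is structural only: an object that passes still has to go through full signature and certificate-path validation.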

From Sandra.Murphy@cobham.com  Mon Jul 25 16:34:04 2011
Return-Path: <Sandra.Murphy@cobham.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD95C11E80EB for <sidr@ietfa.amsl.com>; Mon, 25 Jul 2011 16:34:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XY2obzPX+uVl for <sidr@ietfa.amsl.com>; Mon, 25 Jul 2011 16:34:04 -0700 (PDT)
Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by ietfa.amsl.com (Postfix) with ESMTP id 291DF11E80EA for <sidr@ietf.org>; Mon, 25 Jul 2011 16:34:00 -0700 (PDT)
Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.13.5/8.13.5) with ESMTP id p6PNXx6A024316 for <sidr@ietf.org>; Mon, 25 Jul 2011 18:33:59 -0500
Received: from mailbin2.ads.sparta.com (mailbin.sparta.com [157.185.85.6]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id p6PNXxGJ011729 for <sidr@ietf.org>; Mon, 25 Jul 2011 18:33:59 -0500
Received: from SMURPHY-LT.columbia.ads.sparta.com ([130.129.19.220]) by mailbin2.ads.sparta.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675); Mon, 25 Jul 2011 19:33:55 -0400
Date: Mon, 25 Jul 2011 19:33:55 -0400 (Eastern Daylight Time)
From: Sandra Murphy <Sandra.Murphy@sparta.com>
To: sidr@ietf.org
Message-ID: <Pine.WNT.4.64.1107251841580.5416@SMURPHY-LT.columbia.ads.sparta.com>
X-X-Sender: sandy@mailbin.sparta.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-OriginalArrivalTime: 25 Jul 2011 23:33:55.0804 (UTC) FILETIME=[51F7E1C0:01CC4B23]
Subject: [sidr] send chairs your slides by Wed evening
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2011 23:34:05 -0000

Slides for the presentations need to be uploaded to the meeting materials 
web site before the meeting.

Please do send the chairs your presentations by Wed evening.

It would be a good idea to check the meeting materials site to see that 
the slides you sent have been uploaded.

I will confirm when I upload slides I have received.

Chris Morrow is not going to be able to be here, so his ability to assist 
in uploads will be limited.

--Sandy, speaking as wg chair

From Sandra.Murphy@cobham.com  Mon Jul 25 16:35:20 2011
Return-Path: <Sandra.Murphy@cobham.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BD9911E80D7 for <sidr@ietfa.amsl.com>; Mon, 25 Jul 2011 16:35:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GzE3kY1Wm7dp for <sidr@ietfa.amsl.com>; Mon, 25 Jul 2011 16:35:20 -0700 (PDT)
Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by ietfa.amsl.com (Postfix) with ESMTP id A766B11E80B1 for <sidr@ietf.org>; Mon, 25 Jul 2011 16:35:19 -0700 (PDT)
Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.13.5/8.13.5) with ESMTP id p6PNZItA024326 for <sidr@ietf.org>; Mon, 25 Jul 2011 18:35:18 -0500
Received: from mailbin2.ads.sparta.com (mailbin.sparta.com [157.185.85.6]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id p6PNZIXq011765 for <sidr@ietf.org>; Mon, 25 Jul 2011 18:35:18 -0500
Received: from SMURPHY-LT.columbia.ads.sparta.com ([130.129.19.220]) by mailbin2.ads.sparta.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675); Mon, 25 Jul 2011 19:35:17 -0400
Date: Mon, 25 Jul 2011 19:35:17 -0400 (Eastern Daylight Time)
From: Sandra Murphy <Sandra.Murphy@sparta.com>
To: sidr@ietf.org
Message-ID: <Pine.WNT.4.64.1107251934010.5416@SMURPHY-LT.columbia.ads.sparta.com>
X-X-Sender: sandy@mailbin.sparta.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-OriginalArrivalTime: 25 Jul 2011 23:35:17.0724 (UTC) FILETIME=[82CBE1C0:01CC4B23]
Subject: [sidr] minutes taker and jabber scribe needed
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2011 23:35:20 -0000

Our meeting is Thursday morning.

I'm doing the usual pleading for volunteers to take minutes and do jabber 
scribing.

We do need volunteers for both positions.

--Sandy, speaking as wg chair


From Sandra.Murphy@cobham.com  Tue Jul 26 14:14:35 2011
Return-Path: <Sandra.Murphy@cobham.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FC0221F87ED for <sidr@ietfa.amsl.com>; Tue, 26 Jul 2011 14:14:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CaVCA-MYSq4x for <sidr@ietfa.amsl.com>; Tue, 26 Jul 2011 14:14:34 -0700 (PDT)
Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by ietfa.amsl.com (Postfix) with ESMTP id 7FD7721F861E for <sidr@ietf.org>; Tue, 26 Jul 2011 14:14:33 -0700 (PDT)
Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.13.5/8.13.5) with ESMTP id p6QLEXFC004963 for <sidr@ietf.org>; Tue, 26 Jul 2011 16:14:33 -0500
Received: from mailbin2.ads.sparta.com (mailbin.sparta.com [157.185.85.6]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id p6QLEWYg009021 for <sidr@ietf.org>; Tue, 26 Jul 2011 16:14:33 -0500
Received: from SMURPHY-LT.columbia.ads.sparta.com ([130.129.19.220]) by mailbin2.ads.sparta.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675); Tue, 26 Jul 2011 17:14:32 -0400
Date: Tue, 26 Jul 2011 17:14:33 -0400 (Eastern Daylight Time)
From: Sandra Murphy <Sandra.Murphy@sparta.com>
To: sidr@ietf.org
Message-ID: <Pine.WNT.4.64.1107261551540.8564@SMURPHY-LT.columbia.ads.sparta.com>
X-X-Sender: sandy@mailbin.sparta.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-OriginalArrivalTime: 26 Jul 2011 21:14:32.0676 (UTC) FILETIME=[03919240:01CC4BD9]
Subject: [sidr] I-D Action: draft-turner-sidr-bgpsec-pki-profiles-00.txt (fwd)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Jul 2011 21:14:35 -0000

I noticed the following announcement.  This looks to be of interest to the 
wg.

--Sandy


---------- Forwarded message ----------
Date: Tue, 26 Jul 2011 07:36:23 -0700
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
Subject: I-D Action: draft-turner-sidr-bgpsec-pki-profiles-00.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.

 	Title           : A Profile for BGPSEC Router Certificates, Certificate Revocation Lists, and Certification Requests
 	Author(s)       : Mark Reynolds
                           Sean Turner
 	Filename        : draft-turner-sidr-bgpsec-pki-profiles-00.txt
 	Pages           : 11
 	Date            : 2011-07-26

    This document defines a standard profile for X.509 certificates for
    the purposes of supporting validation of Autonomous System (AS) paths
    in the Border Gateway Protocol (BGP), as part of an extension to that
    protocol known as BGPSEC.  BGP is a critical component for the proper
    operation of the Internet as a whole.  The BGPSEC protocol is under
    development as a component to address the requirement to provide
    security for the BGP protocol.  The goal of BGPSEC is to design a
    protocol for full AS path validation based on the use of strong
    cryptographic primitives.  The end-entity (EE) certificates specified
    by this profile are issued under Resource Public Key Infrastructure
    (RPKI) Certification Authority (CA) certificates, containing the AS
    number extension, to routers within the Autonomous System (AS).  The
    certificate asserts that the router(s) holding the private key are
    authorized to send out secure route advertisements on behalf of the
    specified AS.  This document also profiles the Certificate Revocation
    List (CRL), profiles the format of certification requests, and
    specifies Relying Party certificate path validation procedures.  The
    document extends the RPKI; therefore, this document updates the RPKI
    Resource Certificates Profile (draft-ietf-sidr-res-certs).


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-turner-sidr-bgpsec-pki-profiles-00.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-turner-sidr-bgpsec-pki-profiles-00.txt
_______________________________________________
I-D-Announce mailing list
I-D-Announce@ietf.org
https://www.ietf.org/mailman/listinfo/i-d-announce
Internet-Draft directories: http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt

From waehlisch@ieee.org  Wed Jul 27 10:23:08 2011
Return-Path: <waehlisch@ieee.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A202821F8700 for <sidr@ietfa.amsl.com>; Wed, 27 Jul 2011 10:23:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level: 
X-Spam-Status: No, score=x tagged_above=-999 required=5 tests=[]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T9pqPpSJmYw6 for <sidr@ietfa.amsl.com>; Wed, 27 Jul 2011 10:23:08 -0700 (PDT)
Received: from mail2.rz.htw-berlin.de (mail2.rz.htw-berlin.de [141.45.10.102]) by ietfa.amsl.com (Postfix) with ESMTP id 0C73521F854E for <sidr@ietf.org>; Wed, 27 Jul 2011 10:23:02 -0700 (PDT)
Envelope-to: sidr@ietf.org
Received: from dhcp-1247.meeting.ietf.org ([130.129.18.71] helo=mw-PC.meeting.ietf.org) by mail2.rz.htw-berlin.de with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.72 (FreeBSD)) (envelope-from <waehlisch@ieee.org>) id 1Qm7ox-0004u3-6W; Wed, 27 Jul 2011 19:23:01 +0200
Date: Wed, 27 Jul 2011 13:22:56 -0400 (Eastern Sommerzeit)
From: Matthias Waehlisch <waehlisch@ieee.org>
To: Sandra Murphy <Sandra.Murphy@sparta.com>
In-Reply-To: <Pine.WNT.4.64.1107251841580.5416@SMURPHY-LT.columbia.ads.sparta.com>
Message-ID: <Pine.WNT.4.64.1107271319040.1356@mw-PC>
References: <Pine.WNT.4.64.1107251841580.5416@SMURPHY-LT.columbia.ads.sparta.com>
X-X-Sender: mw@mail2.rz.fhtw-berlin.de
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="74305831-6736-1311787376=:1356"
X-HTW-SPAMINFO: this message was scanned by eXpurgate (http://www.eleven.de)
X-HTW-DELIVERED-TO: sidr@ietf.org
Cc: sidr@ietf.org
Subject: Re: [sidr] send chairs your slides by Wed evening
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jul 2011 17:23:08 -0000

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

--74305831-6736-1311787376=:1356
Content-Type: TEXT/PLAIN; charset=US-ASCII

Hi Sandy,

  please find enclosed our slides for the RTR client implementation 
update.


Best regards
  matthias


-- 
Matthias Waehlisch
.  Freie Universitaet Berlin, Inst. fuer Informatik, AG CST
.  Takustr. 9, D-14195 Berlin, Germany
.. mailto:waehlisch@ieee.org .. http://www.inf.fu-berlin.de/~waehl
:. Also: http://inet.cpt.haw-hamburg.de .. http://www.link-lab.net

On Mon, 25 Jul 2011, Sandra Murphy wrote:

> Slides for the presentations need to be uploaded to the meeting materials web
> site before the meeting.
> 
> Please do send the chairs your presentations by Wed evening.
> 
> It would be a good idea to check the meeting materials site to see that the
> slides you sent have been uploaded.
> 
> I will confirm when I upload slides I have received.
> 
> Chris Morrow is not going to be able to be here, so his ability to assist in
> uploads will be limited.
> 
> --Sandy, speaking as wg chair
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr
> 
--74305831-6736-1311787376=:1356
Content-Type: APPLICATION/pdf; name=rtr-lib-sidr.pdf
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.WNT.4.64.1107271322560.1356@mw-PC>
Content-Description: 
Content-Disposition: attachment; filename=rtr-lib-sidr.pdf
--74305831-6736-1311787376=:1356--

From stbryant@cisco.com  Wed Jul 27 10:54:10 2011
Return-Path: <stbryant@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA28A11E811B for <sidr@ietfa.amsl.com>; Wed, 27 Jul 2011 10:54:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.549
X-Spam-Level: 
X-Spam-Status: No, score=-110.549 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RKO3KjuhrUiP for <sidr@ietfa.amsl.com>; Wed, 27 Jul 2011 10:54:10 -0700 (PDT)
Received: from ams-iport-1.cisco.com (ams-iport-1.cisco.com [144.254.224.140]) by ietfa.amsl.com (Postfix) with ESMTP id 126B811E8117 for <sidr@ietf.org>; Wed, 27 Jul 2011 10:54:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=stbryant@cisco.com; l=265; q=dns/txt; s=iport; t=1311789250; x=1312998850; h=message-id:date:from:reply-to:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=RbO1Cu6gE779ZnuE9xrZX/AYw9DlTxcPSfu50iOediw=; b=e1iJbV6VWl06idBl2vR0ENUOxkKRvIoeUc0S08lmbtiJnvgXSNZls/FX vt7ggl8CidZir9RW1eqESA1mqrJ8jf/mhrFNs6OO128O2WhNRyusVc6R6 bZrqROBb4Sk+5MFYbPn8A2XeQIOzjxwx7OE1C1CKkBHLStxBjQAeVMDZt U=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AqUFAKRPME6Q/khN/2dsb2JhbAA2AQEEFAEEASRGAREtIg8JAwIBAgECURUBDgEBH5gfjwR3rEWDFg8Bm0OGQASSdZBj
X-IronPort-AV: E=Sophos;i="4.67,277,1309737600"; d="scan'208";a="105036714"
Received: from ams-core-4.cisco.com ([144.254.72.77]) by ams-iport-1.cisco.com with ESMTP; 27 Jul 2011 17:54:09 +0000
Received: from cisco.com (mrwint.cisco.com [64.103.70.36]) by ams-core-4.cisco.com (8.14.3/8.14.3) with ESMTP id p6RHs8im005266; Wed, 27 Jul 2011 17:54:08 GMT
Received: from dhcp-57a9.meeting.ietf.org (localhost [127.0.0.1]) by cisco.com (8.14.4+Sun/8.8.8) with ESMTP id p6RHs7Y4019689; Wed, 27 Jul 2011 18:54:08 +0100 (BST)
Message-ID: <4E3050BF.1020406@cisco.com>
Date: Wed, 27 Jul 2011 18:54:07 +0100
From: Stewart Bryant <stbryant@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:5.0) Gecko/20110624 Thunderbird/5.0
MIME-Version: 1.0
To: sidr@ietf.org
References: <CA4F1AA8.1818D%terry.manderson@icann.org> <00f401cc488a$3f562a40$4001a8c0@gateway.2wire.net> <p06240801ca507ca63ba7@[172.17.25.20]> <026301cc496b$235c94a0$4001a8c0@gateway.2wire.net>
In-Reply-To: <026301cc496b$235c94a0$4001a8c0@gateway.2wire.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: draft-ietf-sidr-repos-struct@tools.ietf.org, sidr-chairs@tools.ietf.org
Subject: [sidr] draft-ietf-sidr-repos-struct - Track
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: stbryant@cisco.com
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jul 2011 17:54:10 -0000

Having reviewed the discussion on how to
proceed with this document, I believe that
there is a rough consensus to publish
draft-ietf-sidr-repos-struct as a Standards Track
document.

Please will the editor make the necessary changes.

Regards

Stewart







From internet-drafts@ietf.org  Wed Jul 27 11:43:45 2011
Return-Path: <internet-drafts@ietf.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D704611E80DD; Wed, 27 Jul 2011 11:43:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.578
X-Spam-Level: 
X-Spam-Status: No, score=-102.578 tagged_above=-999 required=5 tests=[AWL=0.021, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qmz80076eG0T; Wed, 27 Jul 2011 11:43:45 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B9F7228006; Wed, 27 Jul 2011 11:43:45 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 3.56
Message-ID: <20110727184344.5273.46.idtracker@ietfa.amsl.com>
Date: Wed, 27 Jul 2011 11:43:44 -0700
Cc: sidr@ietf.org
Subject: [sidr] I-D Action: draft-ietf-sidr-algorithm-agility-02.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jul 2011 18:43:46 -0000

A New Internet-Draft is available from the on-line Internet-Drafts
directories. This draft is a work item of the Secure Inter-Domain Routing
Working Group of the IETF.

	Title           : Algorithm Agility Procedure for RPKI.
	Author(s)       : Roque Gagliano
                          Stephen Kent
                          Sean Turner
	Filename        : draft-ietf-sidr-algorithm-agility-02.txt
	Pages           : 25
	Date            : 2011-07-27

   This document specifies the process that Certification Authorities
   (CAs) and Relying Parties (RP) participating in the Resource Public
   Key Infrastructure (RPKI) will need to follow to transition to a new
   (and probably cryptographically stronger) algorithm set.  The process
   is expected to be completed in a time scale of months or years.
   Consequently, no emergency transition is specified.  The transition
   procedure defined in this document supports only a top-down migration
   (parent migrates before children).


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-sidr-algorithm-agility-02.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-sidr-algorithm-agility-02.txt

From Sandra.Murphy@cobham.com  Wed Jul 27 11:53:42 2011
Return-Path: <Sandra.Murphy@cobham.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18BA511E814D for <sidr@ietfa.amsl.com>; Wed, 27 Jul 2011 11:53:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EYq-Cg+sqQ-3 for <sidr@ietfa.amsl.com>; Wed, 27 Jul 2011 11:53:41 -0700 (PDT)
Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by ietfa.amsl.com (Postfix) with ESMTP id 5AF2F11E8141 for <sidr@ietf.org>; Wed, 27 Jul 2011 11:53:40 -0700 (PDT)
Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.13.5/8.13.5) with ESMTP id p6RIrbqm015640 for <sidr@ietf.org>; Wed, 27 Jul 2011 13:53:38 -0500
Received: from mailbin2.ads.sparta.com (mailbin.sparta.com [157.185.85.6]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id p6RIrbY2003854 for <sidr@ietf.org>; Wed, 27 Jul 2011 13:53:37 -0500
Received: from SMURPHY-LT.columbia.ads.sparta.com ([130.129.19.220]) by mailbin2.ads.sparta.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675); Wed, 27 Jul 2011 14:53:36 -0400
Date: Wed, 27 Jul 2011 14:53:38 -0400 (Eastern Daylight Time)
From: Sandra Murphy <Sandra.Murphy@sparta.com>
To: sidr@ietf.org
Message-ID: <Pine.WNT.4.64.1107271452320.8564@SMURPHY-LT.columbia.ads.sparta.com>
X-X-Sender: sandy@mailbin.sparta.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-OriginalArrivalTime: 27 Jul 2011 18:53:36.0648 (UTC) FILETIME=[7DCBD880:01CC4C8E]
Subject: [sidr] I-D Action: draft-turner-sidr-bgpsec-algs-00.txt (fwd)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jul 2011 18:53:42 -0000

Here's another announcement that appears to be of interest to the group.

--Sandy


---------- Forwarded message ----------
Date: Tue, 26 Jul 2011 07:36:32 -0700
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
Subject: I-D Action: draft-turner-sidr-bgpsec-algs-00.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.

 	Title           : BGP Algorithms, Key Formats, & Signature Formats
 	Author(s)       : Sean Turner
 	Filename        : draft-turner-sidr-bgpsec-algs-00.txt
 	Pages           : 7
 	Date            : 2011-07-26

    This document specifies the algorithms, algorithms' parameters,
    asymmetric key formats, asymmetric key size and signature format used
    in BGPSEC (Border Gateway Protocol Security).  This document updates
    the Profile for Algorithms and Key Sizes for use in the Resource
    Public Key Infrastructure (draft-ietf-sidr-rpki-algs).


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-turner-sidr-bgpsec-algs-00.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-turner-sidr-bgpsec-algs-00.txt

From rogaglia@cisco.com  Wed Jul 27 14:46:21 2011
Return-Path: <rogaglia@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31F3911E813C for <sidr@ietfa.amsl.com>; Wed, 27 Jul 2011 14:46:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level: 
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wr92Fpyf8ofr for <sidr@ietfa.amsl.com>; Wed, 27 Jul 2011 14:46:20 -0700 (PDT)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) by ietfa.amsl.com (Postfix) with ESMTP id 0286711E8082 for <sidr@ietf.org>; Wed, 27 Jul 2011 14:46:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=rogaglia@cisco.com; l=16805; q=dns/txt; s=iport; t=1311803180; x=1313012780; h=subject:mime-version:from:in-reply-to:date:cc:message-id: references:to; bh=tGFhYZN3vDpgp3Sv1XRHd0YvcFuVwD/gzCi5P/Foyig=; b=Badwda9IFCFm0U2ifjG6yv+WkQkkSqs/uahwmA7CVX+9/vHIrTPhBww6 p0oObqKI2t3qA5mZeGxUq7mqTbLRThlL9Ul3P/G0hzElWaoBxRk1q3w/L rdFUN7PwoB+Y0SNlsLZY/uprlbrns3t6uqGoM0r2GGtbQCIvPgNBt1AB1 g=;
X-Files: smime.p7s : 4389
X-IronPort-AV: E=Sophos;i="4.67,278,1309737600";  d="p7s'?scan'208,217";a="7154183"
Received: from mtv-core-4.cisco.com ([171.68.58.9]) by rcdn-iport-8.cisco.com with ESMTP; 27 Jul 2011 21:46:19 +0000
Received: from [10.21.75.101] ([10.21.75.101]) by mtv-core-4.cisco.com (8.14.3/8.14.3) with ESMTP id p6RLkIVT031925; Wed, 27 Jul 2011 21:46:18 GMT
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: multipart/signed; boundary=Apple-Mail-25-636012704; protocol="application/pkcs7-signature"; micalg=sha1
From: Roque Gagliano <rogaglia@cisco.com>
In-Reply-To: <39DD9BDD-C1A8-43B3-9A69-CA8DB1E3E685@cisco.com>
Date: Wed, 27 Jul 2011 17:46:17 -0400
Message-Id: <AE4B4C50-C4CE-48A2-9AA4-D81F5CA88735@cisco.com>
References: <20110711215154.14120.98609.idtracker@ietfa.amsl.com> <DD9DA398-4853-4F2D-8CA7-A7C58B5E26F3@cisco.com> <39DD9BDD-C1A8-43B3-9A69-CA8DB1E3E685@cisco.com>
To: Pradosh Mohapatra <pmohapat@cisco.com>
X-Mailer: Apple Mail (2.1084)
Cc: "sidr@ietf.org wg" <sidr@ietf.org>
Subject: Re: [sidr] Fwd:  I-D Action: draft-ietf-sidr-pfx-validate-02.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jul 2011 21:46:21 -0000

--Apple-Mail-25-636012704
Content-Type: multipart/alternative;
	boundary=Apple-Mail-24-636011823


--Apple-Mail-24-636011823
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Hi Pradosh,

I read the document and I think it is in great shape. I found some nits and have some comments.

Roque


General Comment:
  " Depending on the lookup result, we define a property for each route,
   called the "validity state".  It can assume the values "valid", "not
   found", or "invalid"."

You may want to consider calling it "Origin AS validity state" to distinguish it from the validity state in BGPSEC ("valid" and "invalid").

Section 1:
p2: s/verifyable/verifiable

Section 2:
   "An AS can originate more than one
   prefix set.  Thus, multiple prefix sets in the database can contain
   the same origin AS(es)."

I believe you also need to mention that in the table there may be "multi-origin prefixes". Geoff's report identifies 2400 but you may find more in local/regional environments (http://bgp.potaroo.net/as6447/report.txt).

Section 5:
p5:
I believe you should reference draft-ietf-sidr-origin-validation-signaling-00

Security Consideration:
I think you need to consider what you already mentioned in section 4, if the connectivity to the local-caches is lost, invalid routes will be classified as "not-found", which could have a different set of local policies.


>
>
>
> On Jul 11, 2011, at 7:24 PM, Pradosh Mohapatra wrote:
>
>> FYI... This version addresses comments from Geoff (put a reference to ietf-sidr-origin-ops + some word-smithing). Would appreciate another review.
>>
>> - Pradosh
>>
>>> A URL for this Internet-Draft is:
>>> http://www.ietf.org/internet-drafts/draft-ietf-sidr-pfx-validate-02.txt
>>
>>
>> _______________________________________________
>> sidr mailing list
>> sidr@ietf.org
>> https://www.ietf.org/mailman/listinfo/sidr
>


--Apple-Mail-24-636011823--

--Apple-Mail-25-636012704--
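The security consideration raised in the review above (loss of the local cache turns "invalid" routes into "not found") can be shown with a small lookup, added here as an example that is not part of the original message or of the draft. It assumes the usual covering-prefix, maximum-length and origin-AS matching; the `PrefixEntry` record, the function names and all prefixes and AS numbers are constructed for illustration.

```python
import ipaddress
from typing import Iterable, List, NamedTuple, Tuple


class PrefixEntry(NamedTuple):
    """One database record (assumed shape): block, longest allowed length, origin AS."""
    prefix: str
    max_len: int
    origin_as: int


def validity_state(route_prefix: str, origin_as: int,
                   database: Iterable[PrefixEntry]) -> str:
    """Return "valid", "invalid" or "not found" for one route."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for entry in database:
        block = ipaddress.ip_network(entry.prefix)
        # Only entries whose block covers the route take part in the decision.
        if block.version != route.version or not route.subnet_of(block):
            continue
        covered = True
        if entry.origin_as == origin_as and route.prefixlen <= entry.max_len:
            return "valid"
    # Covered by at least one entry but matched by none: invalid.
    # Covered by nothing at all: not found.
    return "invalid" if covered else "not found"


def masked_by_cache_loss(routes: Iterable[Tuple[str, int]],
                         database: List[PrefixEntry]) -> List[Tuple[str, int]]:
    """Routes that are "invalid" with the database but "not found" once it is empty."""
    return [(prefix, asn) for prefix, asn in routes
            if validity_state(prefix, asn, database) == "invalid"
            and validity_state(prefix, asn, []) == "not found"]


# Constructed sample data: documentation prefixes and documentation AS numbers.
DATABASE = [
    PrefixEntry("192.0.2.0/24", 24, 64496),
    PrefixEntry("192.0.2.0/24", 24, 64497),   # multi-origin prefix: second origin AS
    PrefixEntry("198.51.100.0/24", 24, 64500),
]

ROUTES = [
    ("192.0.2.0/24", 64496),     # valid
    ("192.0.2.0/24", 64497),     # valid, second origin of the same prefix
    ("192.0.2.0/24", 64511),     # invalid: covered, wrong origin AS
    ("192.0.2.128/25", 64496),   # invalid: more specific than max_len allows
    ("203.0.113.0/24", 64496),   # not found: no covering entry
]

if __name__ == "__main__":
    for prefix, asn in ROUTES:
        with_cache = validity_state(prefix, asn, DATABASE)
        without_cache = validity_state(prefix, asn, [])
        print(f"{prefix:18} AS{asn}  cache up: {with_cache:9}  cache lost: {without_cache}")
    print("masked by cache loss:", masked_by_cache_loss(ROUTES, DATABASE))
```

A local policy that rejects "invalid" but accepts "not found" would therefore accept both masked routes while the cache is unreachable.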

From internet-drafts@ietf.org  Wed Jul 27 14:46:43 2011
Return-Path: <internet-drafts@ietf.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F0AF911E8175; Wed, 27 Jul 2011 14:46:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.574
X-Spam-Level: 
X-Spam-Status: No, score=-102.574 tagged_above=-999 required=5 tests=[AWL=0.025, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1zraedbz6pAA; Wed, 27 Jul 2011 14:46:42 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C3DF11E8082; Wed, 27 Jul 2011 14:46:42 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 3.56
Message-ID: <20110727214642.13330.66518.idtracker@ietfa.amsl.com>
Date: Wed, 27 Jul 2011 14:46:42 -0700
Cc: sidr@ietf.org
Subject: [sidr] I-D Action: draft-ietf-sidr-repos-struct-09.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jul 2011 21:46:43 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Secure Inter-Domain Routing Working Group of the IETF.

	Title           : A Profile for Resource Certificate Repository Structure
	Author(s)       : Geoff Huston
                          Robert Loomans
                          George Michaelson
	Filename        : draft-ietf-sidr-repos-struct-09.txt
	Pages           : 16
	Date            : 2011-07-27

   This document defines a profile for the structure of the Resource PKI
   distributed repository.  Each individual repository publication point
   is a directory that contains files that correspond to X.509 / PKIX
   Resource Certificates, Certificate Revocation Lists and signed
   objects.  This profile defines the object (file) naming scheme, the
   contents of repository publication points (directories), and a
   suggested internal structure of a local repository cache that is
   intended to facilitate synchronization across a distributed
   collection of repository publication points and to facilitate
   certification path construction.


A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-sidr-repos-struct-09.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

This Internet-Draft can be retrieved at:
ftp://ftp.ietf.org/internet-drafts/draft-ietf-sidr-repos-struct-09.txt

From danny@tcb.net  Thu Jul 28 08:02:15 2011
Return-Path: <danny@tcb.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 825C411E8076 for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 08:02:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.512
X-Spam-Level: 
X-Spam-Status: No, score=-106.512 tagged_above=-999 required=5 tests=[AWL=0.087, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JzYEUqbcYzET for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 08:02:15 -0700 (PDT)
Received: from exprod6og111.obsmtp.com (exprod6og111.obsmtp.com [64.18.1.27]) by ietfa.amsl.com (Postfix) with ESMTP id A539A11E8074 for <sidr@ietf.org>; Thu, 28 Jul 2011 08:02:14 -0700 (PDT)
Received: from peregrine.verisign.com ([216.168.239.74]) (using TLSv1) by exprod6ob111.postini.com ([64.18.5.12]) with SMTP ID DSNKTjF59rjhv8MwojRyLNNVKsG/CvHMD0Sy@postini.com; Thu, 28 Jul 2011 08:02:14 PDT
Received: from dul1wnexcn03.vcorp.ad.vrsn.com (dul1wnexcn03.vcorp.ad.vrsn.com [10.170.12.113]) by peregrine.verisign.com (8.13.6/8.13.4) with ESMTP id p6SF2Ddx016449 for <sidr@ietf.org>; Thu, 28 Jul 2011 11:02:13 -0400
Received: from dul1dmcphers-m2.vcorp.ad.vrsn.com ([10.100.0.154]) by dul1wnexcn03.vcorp.ad.vrsn.com with Microsoft SMTPSVC(6.0.3790.4675); Thu, 28 Jul 2011 11:02:13 -0400
From: Danny McPherson <danny@tcb.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Date: Thu, 28 Jul 2011 11:02:11 -0400
Message-Id: <3E7A5153-26C1-4974-9A1B-33AB92FCD657@tcb.net>
To: sidr wg list <sidr@ietf.org>
Mime-Version: 1.0 (Apple Message framework v1084)
X-Mailer: Apple Mail (2.1084)
X-OriginalArrivalTime: 28 Jul 2011 15:02:13.0254 (UTC) FILETIME=[550FCA60:01CC4D37]
Subject: [sidr] pCNT & prepending
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2011 15:02:15 -0000

Doug et al,
I like the general objective of pCNT and this seems a good idea to me.  My only comment at the microphone was that if we add this for compression, then validation should require that pCNT MUST be equal to the number of _contiguous ASx appearances in the path (i.e., no more, no less, and only contiguous).

I do wonder if pCNT=0 for transparent route servers introduces the opportunity for some sort of downgrade attack of sorts..

-danny

From sharangxy@gmail.com  Thu Jul 28 08:11:58 2011
Return-Path: <sharangxy@gmail.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A163521F8C4E for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 08:11:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.684
X-Spam-Level: 
X-Spam-Status: No, score=-1.684 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, MISSING_HEADERS=1.292, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T2TXBuWD75CU for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 08:11:58 -0700 (PDT)
Received: from mail-vx0-f172.google.com (mail-vx0-f172.google.com [209.85.220.172]) by ietfa.amsl.com (Postfix) with ESMTP id 045AB21F8C4D for <sidr@ietf.org>; Thu, 28 Jul 2011 08:11:57 -0700 (PDT)
Received: by vxi40 with SMTP id 40so2524506vxi.31 for <sidr@ietf.org>; Thu, 28 Jul 2011 08:11:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:cc:content-type; bh=eLKsz3Tpy90KhBcBQudrNDhBhMKEf33XWlRdG4utMe8=; b=NGMjgCXex9gLWosFyY/WsPPYSQpqMK08aV2ev0mRmpT9tTETMJGzdxTuD2VUe7HhI1 3UFtuv8bI7N+ykb2NuAwwAeKIig06DmUu8PvqS6CqVDNrIDL8NUKehAEXx2k//uSxcvA dO3ghK8y2sPK7blLnX0C9q2wZq8GWkrWCJ7Ng=
Received: by 10.220.7.79 with SMTP id c15mr45023vcc.3.1311865917116; Thu, 28 Jul 2011 08:11:57 -0700 (PDT)
MIME-Version: 1.0
Sender: sharangxy@gmail.com
Received: by 10.220.190.199 with HTTP; Thu, 28 Jul 2011 08:11:17 -0700 (PDT)
In-Reply-To: <3E7A5153-26C1-4974-9A1B-33AB92FCD657@tcb.net>
References: <3E7A5153-26C1-4974-9A1B-33AB92FCD657@tcb.net>
From: XIANG Yang <xiangy08@csnet1.cs.tsinghua.edu.cn>
Date: Thu, 28 Jul 2011 23:11:17 +0800
X-Google-Sender-Auth: -Plgnk4SFt9saP8jT0vO30QcdeM
Message-ID: <CA+rW-LBMWPRYhK+Q7fhymKnvhYetroqBG0p=CvuN-OnysSK4QA@mail.gmail.com>
Cc: sidr wg list <sidr@ietf.org>
Content-Type: multipart/alternative; boundary=000325573d2afb912a04a92295e1
Subject: Re: [sidr] pCNT & prepending
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2011 15:11:58 -0000

--000325573d2afb912a04a92295e1
Content-Type: text/plain; charset=ISO-8859-1

+1 support.
It's important to defend against the "AS removal" attack.
_____________________________________________________
Yang Xiang, PhD student, Tsinghua Univ., about.me/xiangyang



2011/7/28 Danny McPherson <danny@tcb.net>

>
> Doug et al,
> I like the general objective of pCNT and this seems a good idea to me.  My
> only comment at the microphone was that if we add this for compression, then
> validation should require that pCNT MUST be equal to the number of
> _contiguous ASx appearances in the path (i.e., no more, no less, and only
> contiguous).
>
> I do wonder if pCNT=0 for transparent route servers introduces the
> opportunity for some sort of downgrade attack of sorts..
>
> -danny
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr
>

--000325573d2afb912a04a92295e1--

From dougm@nist.gov  Thu Jul 28 08:12:32 2011
Return-Path: <dougm@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FF5B21F873D for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 08:12:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.155
X-Spam-Level: 
X-Spam-Status: No, score=-2.155 tagged_above=-999 required=5 tests=[AWL=0.444,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HSdgnkoO+Tnd for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 08:12:31 -0700 (PDT)
Received: from wsget2.nist.gov (wsget2.nist.gov [129.6.13.151]) by ietfa.amsl.com (Postfix) with ESMTP id 3530221F8CAD for <sidr@ietf.org>; Thu, 28 Jul 2011 08:12:31 -0700 (PDT)
Received: from WSXGHUB2.xchange.nist.gov (129.6.18.19) by wsget2.nist.gov (129.6.13.151) with Microsoft SMTP Server (TLS) id 14.1.323.0; Thu, 28 Jul 2011 11:12:37 -0400
Received: from MBCLUSTER.xchange.nist.gov ([fe80::d479:3188:aec0:cb66]) by WSXGHUB2.xchange.nist.gov ([129.6.18.19]) with mapi; Thu, 28 Jul 2011 11:11:59 -0400
From: "Montgomery, Douglas" <dougm@nist.gov>
To: Danny McPherson <danny@tcb.net>, sidr wg list <sidr@ietf.org>
Date: Thu, 28 Jul 2011 11:11:58 -0400
Thread-Topic: [sidr] pCNT & prepending
Thread-Index: AcxNN0eWulfOUp5TRcKNw0LLLfNzGwAABlCZ
Message-ID: <D7A0423E5E193F40BE6E94126930C493087C7907AE@MBCLUSTER.xchange.nist.gov>
References: <3E7A5153-26C1-4974-9A1B-33AB92FCD657@tcb.net>
In-Reply-To: <3E7A5153-26C1-4974-9A1B-33AB92FCD657@tcb.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Subject: Re: [sidr] pCNT & prepending
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2011 15:12:32 -0000

Danny,

Yes, that is certainly the idea if we agree to protect prepending (as opposed to just avoiding multiple Sigs in the presence of prepending).

If we protect prepending, the pCNT must be carried in the protocol, covered by the Sig and verified ... i.e., what you suggest below .. in validation.

Note, that if you don't want to protect prepending ... only avoid repeating sigs ..., then you don't have to carry pCNT in the protocol.  Just update the Sig verification algorithm to treat sequences of repeated AS's as one.

If we like the "translucent" approach to support RS, then we need to carry pCNT in BGPSEC.   You are right we do need enhanced receive/process rules such as:

1. Only accept pCNT=0 from peers that are configured to be route servers.

2. Don't accept paths with multiple pCNT=0 entries in a row.

Anyway, if we like this approach, we can talk about the details of the receiving rules / process rules to protect against potential abuse.

dougm

Doug Montgomery - Manager Internet and Scalable Systems Research Group / Information Technology Laboratory / NIST
________________________________________
From: sidr-bounces@ietf.org [sidr-bounces@ietf.org] On Behalf Of Danny McPherson [danny@tcb.net]
Sent: Thursday, July 28, 2011 11:02 AM
To: sidr wg list
Subject: [sidr] pCNT & prepending

Doug et al,
I like the general objective of pCNT and this seems a good idea to me.  My only comment at the microphone was that if we add this for compression, then validation should require that pCNT MUST be equal to the number of _contiguous ASx appearances in the path (i.e., no more, no less, and only contiguous).

I do wonder if pCNT=0 for transparent route servers introduces the opportunity for some sort of downgrade attack of sorts..

-danny
_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr
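
One reading of the checks discussed in this thread (pCNT must equal the contiguous run of that AS in the path; pCNT=0 only from a configured route server; no two pCNT=0 entries in a row), added here as an example that is not part of any message above or of a BGPSEC specification. The data model (a newest-first list of `(AS, pCNT)` segments checked against an expanded AS path, with the first segment taken to be the directly connected peer's), the function names and the sample values are all assumptions.

```python
from itertools import groupby
from typing import List, Sequence, Set, Tuple

Segment = Tuple[int, int]  # (AS number, pCNT); assumed order: newest signer first


def run_lengths(as_path: Sequence[int]) -> List[Segment]:
    """Collapse an AS path into (AS, length of contiguous run) pairs."""
    return [(asn, sum(1 for _ in grp)) for asn, grp in groupby(as_path)]


def check_pcnt(segments: Sequence[Segment], as_path: Sequence[int],
               route_servers: Set[int]) -> List[str]:
    """Return the list of violated rules; an empty list means the path passes."""
    problems: List[str] = []

    # Sanity check added for this example: a count can never be negative.
    if any(pcnt < 0 for _, pcnt in segments):
        problems.append("NEGATIVE_PCNT")

    # Receive rule 1: pCNT=0 from the peer only if that peer is a configured
    # route server. The first segment is assumed to be the peer's own.
    if segments and segments[0][1] == 0 and segments[0][0] not in route_servers:
        problems.append("ZERO_FROM_NON_ROUTE_SERVER")

    # Receive rule 2: no two pCNT=0 entries in a row.
    if any(a[1] == 0 and b[1] == 0 for a, b in zip(segments, segments[1:])):
        problems.append("CONSECUTIVE_ZERO")

    # Validation rule: each pCNT equals the contiguous run of that AS in the
    # path, no more, no less. Comparing against run lengths also rejects one
    # AS split over two adjacent segments and an AS that reappears later.
    visible = [(asn, pcnt) for asn, pcnt in segments if pcnt > 0]
    if visible != run_lengths(as_path):
        problems.append("PCNT_MISMATCH")

    return problems


# Constructed samples using documentation AS numbers.
SAMPLES = [
    # route server 64500 is transparent; 64496 prepended itself three times
    ([(64500, 0), (64496, 3), (64497, 1)], [64496, 64496, 64496, 64497], {64500}),
    # same update, but 64500 is not configured as a route server
    ([(64500, 0), (64496, 3), (64497, 1)], [64496, 64496, 64496, 64497], set()),
    # prepends stripped from the path while the signed count still says 3
    ([(64496, 3), (64497, 1)], [64496, 64497], set()),
    # two transparent hops in a row
    ([(64500, 0), (64501, 0), (64496, 1)], [64496], {64500}),
    # count of 2 claimed, but the two appearances are not contiguous
    ([(64496, 2), (64497, 1)], [64496, 64497, 64496], set()),
]

if __name__ == "__main__":
    for segments, as_path, servers in SAMPLES:
        print(segments, as_path, "->", check_pcnt(segments, as_path, servers) or "accept")
```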

From dougm@nist.gov  Thu Jul 28 08:14:32 2011
Return-Path: <dougm@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0BF821F8CAF for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 08:14:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.229
X-Spam-Level: 
X-Spam-Status: No, score=-2.229 tagged_above=-999 required=5 tests=[AWL=0.370,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9s72igBB9BPN for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 08:14:32 -0700 (PDT)
Received: from wsget1.nist.gov (wsget1.nist.gov [129.6.13.150]) by ietfa.amsl.com (Postfix) with ESMTP id 1883121F873D for <sidr@ietf.org>; Thu, 28 Jul 2011 08:14:32 -0700 (PDT)
Received: from WSXGHUB1.xchange.nist.gov (129.6.18.96) by wsget1.nist.gov (129.6.13.150) with Microsoft SMTP Server (TLS) id 14.1.323.0; Thu, 28 Jul 2011 11:14:16 -0400
Received: from MBCLUSTER.xchange.nist.gov ([fe80::d479:3188:aec0:cb66]) by WSXGHUB1.xchange.nist.gov ([129.6.18.96]) with mapi; Thu, 28 Jul 2011 11:14:30 -0400
From: "Montgomery, Douglas" <dougm@nist.gov>
To: XIANG Yang <xiangy08@csnet1.cs.tsinghua.edu.cn>
Date: Thu, 28 Jul 2011 11:12:16 -0400
Thread-Topic: [sidr] pCNT & prepending
Thread-Index: AcxNOKk3f1YBVYl+Q9qOJP+lu8VqVwAABNAm
Message-ID: <D7A0423E5E193F40BE6E94126930C493087C7907AF@MBCLUSTER.xchange.nist.gov>
References: <3E7A5153-26C1-4974-9A1B-33AB92FCD657@tcb.net>, <CA+rW-LBMWPRYhK+Q7fhymKnvhYetroqBG0p=CvuN-OnysSK4QA@mail.gmail.com>
In-Reply-To: <CA+rW-LBMWPRYhK+Q7fhymKnvhYetroqBG0p=CvuN-OnysSK4QA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] pCNT & prepending
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2011 15:14:32 -0000

Did your comment mean complete "AS removal" ... or defending against adding/removing pre-pends?

dougm

Doug Montgomery - Manager Internet and Scalable Systems Research Group / Information Technology Laboratory / NIST
________________________________________
From: sidr-bounces@ietf.org [sidr-bounces@ietf.org] On Behalf Of XIANG Yang [xiangy08@csnet1.cs.tsinghua.edu.cn]
Sent: Thursday, July 28, 2011 11:11 AM
Cc: sidr wg list
Subject: Re: [sidr] pCNT & prepending

+1 support.
It's important to defend against "AS removal" attack.
_____________________________________________________
Yang Xiang, PhD student, Tsinghua Univ., about.me/xiangyang<http://about.me/xiangyang>



2011/7/28 Danny McPherson <danny@tcb.net<mailto:danny@tcb.net>>

Doug et al,
I like the general objective of pCNT and this seems a good idea to me.  My only comment at the microphone was that if we add this for compression, then validation should require that pCNT MUST be equal to the number of _contiguous ASx appearances in the path (i.e., no more, no less, and only contiguous).

I do wonder if pCNT=0 for transparent route servers introduces the opportunity for some sort of downgrade attack of sorts..

-danny
_______________________________________________
sidr mailing list
sidr@ietf.org<mailto:sidr@ietf.org>
https://www.ietf.org/mailman/listinfo/sidr


From sharangxy@gmail.com  Thu Jul 28 08:19:03 2011
Return-Path: <sharangxy@gmail.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACEAE21F8C3F for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 08:19:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.33
X-Spam-Level: 
X-Spam-Status: No, score=-2.33 tagged_above=-999 required=5 tests=[AWL=0.646,  BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3X8xrkiWX4oL for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 08:19:03 -0700 (PDT)
Received: from mail-vw0-f54.google.com (mail-vw0-f54.google.com [209.85.212.54]) by ietfa.amsl.com (Postfix) with ESMTP id D551F21F8BF2 for <sidr@ietf.org>; Thu, 28 Jul 2011 08:19:02 -0700 (PDT)
Received: by vws18 with SMTP id 18so3843563vws.27 for <sidr@ietf.org>; Thu, 28 Jul 2011 08:19:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type; bh=Q0rK9v8PgZKvoSvnS6MOnaI2SxbPxZUio/kzD1Y6a8o=; b=DfoDSw+YenE3I8awZrMWtWgsuVmOUKkUzFIgQGg63Huzk+Y+HyvUO4P7aNDizDT5/L ZglKHOlJEuvr8TOu/odHumDMCFH9SXb4MwTE4TrnFnott/cYJlJmLhlxIT+Jqy0wTgy5 lolw5iT5LFN1GGFt+a5D1xdz6SomMXXq5BsA0=
Received: by 10.220.189.74 with SMTP id dd10mr44909vcb.38.1311866342154; Thu, 28 Jul 2011 08:19:02 -0700 (PDT)
MIME-Version: 1.0
Sender: sharangxy@gmail.com
Received: by 10.220.190.199 with HTTP; Thu, 28 Jul 2011 08:18:22 -0700 (PDT)
In-Reply-To: <D7A0423E5E193F40BE6E94126930C493087C7907AF@MBCLUSTER.xchange.nist.gov>
References: <3E7A5153-26C1-4974-9A1B-33AB92FCD657@tcb.net> <CA+rW-LBMWPRYhK+Q7fhymKnvhYetroqBG0p=CvuN-OnysSK4QA@mail.gmail.com> <D7A0423E5E193F40BE6E94126930C493087C7907AF@MBCLUSTER.xchange.nist.gov>
From: XIANG Yang <xiangy08@csnet1.cs.tsinghua.edu.cn>
Date: Thu, 28 Jul 2011 23:18:22 +0800
X-Google-Sender-Auth: D2kJBkxvfXY8rHnPHXq8-7HnE08
Message-ID: <CA+rW-LBNxsNKyobP3DMRE+_K+vhSX1kx9ky2TNS1YdNoncYHbw@mail.gmail.com>
To: "Montgomery, Douglas" <dougm@nist.gov>
Content-Type: multipart/alternative; boundary=90e6ba53ab4051206604a922af65
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] pCNT & prepending
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2011 15:19:03 -0000

--90e6ba53ab4051206604a922af65
Content-Type: text/plain; charset=ISO-8859-1

Sorry for the ambiguity. I mean defending against attacks such as "removing
an AS from the path".
I.e.
suppose the path is <AS1 AS2 AS2 AS3>,
then we need pCNT to prevent AS3 from announcing a shorter path
<AS1 AS2 AS3> by removing one of the AS2s.

R.
_____________________________________________________
Yang Xiang, PhD student, Tsinghua Univ., about.me/xiangyang



2011/7/28 Montgomery, Douglas <dougm@nist.gov>

> Did your comment mean complete "AS removal" ... or defending against
> adding/removing pre-pends.
>
> dougm
>
> Doug Montgomery - Manager Internet and Scalable Systems Research Group /
> Information Technology Laboratory / NIST
> ________________________________________
> From: sidr-bounces@ietf.org [sidr-bounces@ietf.org] On Behalf Of XIANG
> Yang [xiangy08@csnet1.cs.tsinghua.edu.cn]
> Sent: Thursday, July 28, 2011 11:11 AM
> Cc: sidr wg list
> Subject: Re: [sidr] pCNT & prepending
>
> +1 support.
> It's important to defend against "AS removal" attack.
> _____________________________________________________
> Yang Xiang, PhD student, Tsinghua Univ., about.me/xiangyang<
> http://about.me/xiangyang>
>
>
>
> 2011/7/28 Danny McPherson <danny@tcb.net<mailto:danny@tcb.net>>
>
> Doug et al,
> I like the general objective of pCNT and this seems a good idea to me.  My
> only comment at the microphone was that if we add this for compression, then
> validation should require that pCNT MUST be equal to the number of
> _contiguous ASx appearances in the path (i.e., no more, no less, and only
> contiguous).
>
> I do wonder if pCNT=0 for transparent route servers introduces the
> opportunity for some sort of downgrade attack of sorts..
>
> -danny
> _______________________________________________
> sidr mailing list
> sidr@ietf.org<mailto:sidr@ietf.org>
> https://www.ietf.org/mailman/listinfo/sidr
>
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr
>

--90e6ba53ab4051206604a922af65--

From dougm.tlist@gmail.com  Thu Jul 28 08:24:26 2011
Return-Path: <dougm.tlist@gmail.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCA4721F8CD3 for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 08:24:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.202
X-Spam-Level: 
X-Spam-Status: No, score=-2.202 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tNVcopV5tvyE for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 08:24:25 -0700 (PDT)
Received: from mail-qw0-f44.google.com (mail-qw0-f44.google.com [209.85.216.44]) by ietfa.amsl.com (Postfix) with ESMTP id 5728321F8CD9 for <sidr@ietf.org>; Thu, 28 Jul 2011 08:24:25 -0700 (PDT)
Received: by qwc23 with SMTP id 23so1859827qwc.31 for <sidr@ietf.org>; Thu, 28 Jul 2011 08:24:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=user-agent:date:subject:from:to:cc:message-id:thread-topic :in-reply-to:mime-version:content-type; bh=HXAR1XUYVweK1l01N52uDTCXS3TPBFHYHhwQZiBqpiE=; b=URmFNeGNqprYcgrAtdLMFBjuiWb7JJu1NfCnQuugwGpKb7VwH2uqpwp5FXW7mu1kpL 5kimM48jF3RWt2FcUKFKWH9pXF5MQvJ5frGJjtZIm5CEpvl0mjRUpGUC7oL9AAdX5ARR oXRNyysqRTigiXY073H8DPdKwptdpkXZFXLeI=
Received: by 10.224.198.68 with SMTP id en4mr121662qab.223.1311866662192; Thu, 28 Jul 2011 08:24:22 -0700 (PDT)
Received: from [130.129.87.22] (dhcp-5716.meeting.ietf.org [130.129.87.22]) by mx.google.com with ESMTPS id 1sm734338qcy.43.2011.07.28.08.24.20 (version=SSLv3 cipher=OTHER); Thu, 28 Jul 2011 08:24:21 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/14.10.0.110310
Date: Thu, 28 Jul 2011 11:24:17 -0400
From: Doug Montgomery <dougm.tlist@gmail.com>
To: XIANG Yang <xiangy08@csnet1.cs.tsinghua.edu.cn>, Doug Montgomery <dougm@nist.gov>
Message-ID: <CA56F6E8.5AC30%dougm.tlist@gmail.com>
Thread-Topic: [sidr] pCNT & prepending
In-Reply-To: <CA+rW-LBNxsNKyobP3DMRE+_K+vhSX1kx9ky2TNS1YdNoncYHbw@mail.gmail.com>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3394697060_4652465"
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] pCNT & prepending
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2011 15:24:27 -0000


--B_3394697060_4652465
Content-type: text/plain;
	charset="ISO-8859-1"
Content-transfer-encoding: quoted-printable

OK - so that is a +1 for protecting prepending, not just optimizing Sigs in
the presence of prepending.


From:  XIANG Yang <xiangy08@csnet1.cs.tsinghua.edu.cn>
Date:  Thu, 28 Jul 2011 23:18:22 +0800
To:  Doug Montgomery <dougm@nist.gov>
Cc:  sidr wg list <sidr@ietf.org>
Subject:  Re: [sidr] pCNT & prepending

> Sorry for the ambiguity. I mean defending against attacks such as
> "removing an AS from the path".
> I.e.
> suppose the path is <AS1 AS2 AS2 AS3>,
> then we need pCNT to prevent AS3 from announcing a shorter path
> <AS1 AS2 AS3> by removing one of the AS2s.
>
> R.
> _____________________________________________________
> Yang Xiang, PhD student, Tsinghua Univ., about.me/xiangyang
> <http://about.me/xiangyang>
>
>
>
> 2011/7/28 Montgomery, Douglas <dougm@nist.gov>
>> Did your comment mean complete "AS removal" ... or defending against
>> adding/removing pre-pends.
>>
>> dougm
>>
>> Doug Montgomery - Manager Internet and Scalable Systems Research Group /
>> Information Technology Laboratory / NIST
>> ________________________________________
>> From: sidr-bounces@ietf.org [sidr-bounces@ietf.org] On Behalf Of XIANG Yang
>> [xiangy08@csnet1.cs.tsinghua.edu.cn]
>> Sent: Thursday, July 28, 2011 11:11 AM
>> Cc: sidr wg list
>> Subject: Re: [sidr] pCNT & prepending
>>
>> +1 support.
>> It's important to defend against "AS removal" attack.
>> _____________________________________________________
>> Yang Xiang, PhD student, Tsinghua Univ., about.me/xiangyang
>> <http://about.me/xiangyang>
>>
>>
>>
>> 2011/7/28 Danny McPherson <danny@tcb.net<mailto:danny@tcb.net>>
>>
>> Doug et al,
>> I like the general objective of pCNT and this seems a good idea to me.  My
>> only comment at the microphone was that if we add this for compression, then
>> validation should require that pCNT MUST be equal to the number of
>> _contiguous ASx appearances in the path (i.e., no more, no less, and only
>> contiguous).
>>
>> I do wonder if pCNT=0 for transparent route servers introduces the
>> opportunity for some sort of downgrade attack of sorts..
>>
>> -danny
>> _______________________________________________
>> sidr mailing list
>> sidr@ietf.org<mailto:sidr@ietf.org>
>> https://www.ietf.org/mailman/listinfo/sidr
>>
>> _______________________________________________
>> sidr mailing list
>> sidr@ietf.org
>> https://www.ietf.org/mailman/listinfo/sidr
>
> _______________________________________________ sidr mailing list
> sidr@ietf.org https://www.ietf.org/mailman/listinfo/sidr



--B_3394697060_4652465--



From randy@psg.com  Thu Jul 28 08:27:51 2011
Return-Path: <randy@psg.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7222221F886C for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 08:27:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.518
X-Spam-Level: 
X-Spam-Status: No, score=-2.518 tagged_above=-999 required=5 tests=[AWL=0.081,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i6uL0NCSiBdt for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 08:27:51 -0700 (PDT)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:1::36]) by ietfa.amsl.com (Postfix) with ESMTP id 2A8C621F886A for <sidr@ietf.org>; Thu, 28 Jul 2011 08:27:50 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=rair.psg.com.psg.com) by ran.psg.com with esmtp (Exim 4.76 (FreeBSD)) (envelope-from <randy@psg.com>) id 1QmSUi-000Bvl-CG; Thu, 28 Jul 2011 15:27:28 +0000
Date: Thu, 28 Jul 2011 11:27:27 -0400
Message-ID: <m2d3gua0io.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: XIANG Yang <xiangy08@csnet1.cs.tsinghua.edu.cn>
In-Reply-To: <CA+rW-LBMWPRYhK+Q7fhymKnvhYetroqBG0p=CvuN-OnysSK4QA@mail.gmail.com>
References: <3E7A5153-26C1-4974-9A1B-33AB92FCD657@tcb.net> <CA+rW-LBMWPRYhK+Q7fhymKnvhYetroqBG0p=CvuN-OnysSK4QA@mail.gmail.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] pCNT & prepending
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2011 15:27:51 -0000

> It's important to defend against "AS removal" attack.

you do not support transparent route servers?

randy

From chris.hall@highwayman.com  Thu Jul 28 08:31:54 2011
Return-Path: <chris.hall@highwayman.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A5B721F8B39 for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 08:31:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.203
X-Spam-Level: 
X-Spam-Status: No, score=-1.203 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nsOMFhkBU0a8 for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 08:31:53 -0700 (PDT)
Received: from lon1-post-1.mail.demon.net (lon1-post-1.mail.demon.net [195.173.77.148]) by ietfa.amsl.com (Postfix) with ESMTP id 8FE7A21F885C for <sidr@ietf.org>; Thu, 28 Jul 2011 08:31:53 -0700 (PDT)
Received: from [80.177.246.162] (helo=hestia.halldom.com) by lon1-post-1.mail.demon.net with esmtp (Exim 4.69) id 1QmSYy-00038H-Xm; Thu, 28 Jul 2011 15:31:52 +0000
Received: from dhcp-1584.meeting.ietf.org ([130.129.21.132]) by hestia.halldom.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.76) (envelope-from <chris.hall@highwayman.com>) id 1QmSYw-0007fH-OE; Thu, 28 Jul 2011 16:31:51 +0100
References: <3E7A5153-26C1-4974-9A1B-33AB92FCD657@tcb.net> <D7A0423E5E193F40BE6E94126930C493087C7907AE@MBCLUSTER.xchange.nist.gov>
In-Reply-To: <D7A0423E5E193F40BE6E94126930C493087C7907AE@MBCLUSTER.xchange.nist.gov>
Mime-Version: 1.0 (iPhone Mail 8K2)
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=us-ascii
Message-Id: <A29C8509-5F88-46BD-888F-E2C6650FEAD7@highwayman.com>
X-Mailer: iPhone Mail (8K2)
From: Highwayman <chris.hall@highwayman.com>
Date: Thu, 28 Jul 2011 11:31:46 -0400
To: "Montgomery, Douglas" <dougm@nist.gov>
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] pCNT & prepending
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2011 15:31:54 -0000

It's not clear to me how the system is protected from some unscrupulous
transit provider setting their AS's to zero width, in order to attract
more traffic.  Unless there is a side channel for ASN which may validly
announce themselves in this way ?

I agree that transparency is the minimum requirement. I do not, yet,
discount the emotional demand for Route Server users to not be seen to be
RS users.  For many years we peered at LINX and, frankly, would not have
dreamt of either using the RS, or be seen to be using it -- we were big
boys -- notwithstanding, we peered openly... go figure :-)

Chris
-- 
Chris Hall.                  +44 7970 277 383 (iPhone)


On 28 Jul 2011, at 11:11, "Montgomery, Douglas" <dougm@nist.gov> wrote:

> Danny,
>
> Yes, that is certainly the idea if we agree to protect prepending (as
> opposed to just avoiding multiple Sigs in the presence of prepending).
>
> If we protect prepending, the pCNT must be carried in the protocol,
> covered by the Sig and verified ... i.e., what you suggest below .. in
> validation.
>
> Note, that if you don't want to protect prepending ... only avoid
> repeating sigs ..., then you don't have to carry pCNT in the protocol.
> Just update the Sig verification algorithm to treat sequences of repeated
> AS's as one.
>
> If we like the "translucent" approach to support RS, then we need to
> carry pCNT in BGPSEC.   You are right we do need enhanced
> receive/process rules such as:
>
> 1. Only accept pCNT=0 from peers that are configured to be route servers.
>
> 2. Don't accept paths with multiple pCNT=0 entries in a row.
>
> Anyway, if we like this approach, we can talk the details of the receiving
> rules / process rules to protect potential abuse.
>
> dougm
>
> Doug Montgomery - Manager Internet and Scalable Systems Research Group /
> Information Technology Laboratory / NIST
> ________________________________________
> From: sidr-bounces@ietf.org [sidr-bounces@ietf.org] On Behalf Of Danny
> McPherson [danny@tcb.net]
> Sent: Thursday, July 28, 2011 11:02 AM
> To: sidr wg list
> Subject: [sidr] pCNT & prepending
>
> Doug et al,
> I like the general objective of pCNT and this seems a good idea to me.  My
> only comment at the microphone was that if we add this for compression, then
> validation should require that pCNT MUST be equal to the number of
> _contiguous ASx appearances in the path (i.e., no more, no less, and only
> contiguous).
>
> I do wonder if pCNT=0 for transparent route servers introduces the
> opportunity for some sort of downgrade attack of sorts..
>
> -danny
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr
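
Added example (not part of the thread, and not code from any BGPSEC implementation): a receive-side check that combines the contiguous-count requirement with the two pCNT=0 receive rules quoted above, applied to the <AS1 AS2 AS2 AS3> case from earlier in the thread. The (asn, pcnt) list, the sender-last ordering, the violation labels and the documentation-range ASNs are assumptions made for illustration; signature verification is assumed to have already succeeded.

```python
from itertools import groupby

# Constructed sample values: ASNs from the documentation range (RFC 5398).
AS1, AS2, AS3, RS = 64501, 64502, 64503, 64510


def run_lengths(as_path):
    """Collapse an AS_PATH into (asn, contiguous_count) pairs."""
    return [(asn, sum(1 for _ in grp)) for asn, grp in groupby(as_path)]


def check_update(as_path, signed, peer_asn, route_servers):
    """Return the list of violated rules; an empty list means acceptable.

    as_path       -- ASNs as carried in the update, sender last (assumed order)
    signed        -- (asn, pcnt) per signature, same order; pcnt is assumed to
                     be covered by that AS's already-verified signature
    peer_asn      -- ASN of the neighbor the update arrived from
    route_servers -- peer ASNs locally configured as route servers
    """
    if not signed or any(pcnt < 0 for _, pcnt in signed):
        return ["malformed"]
    problems = []

    # pCNT must equal the number of contiguous appearances: no more, no less.
    # pCNT=0 entries add nothing to the path, so they are skipped here.
    if run_lengths(as_path) != [(a, c) for a, c in signed if c > 0]:
        problems.append("pcnt-mismatch")

    # Rule 1: only accept pCNT=0 from peers configured to be route servers.
    # Assumption: the last signed entry must belong to the sending peer.
    sender_asn, sender_pcnt = signed[-1]
    if sender_asn != peer_asn:
        problems.append("sender-not-peer")
    elif sender_pcnt == 0 and peer_asn not in route_servers:
        problems.append("pcnt0-from-non-rs")

    # Rule 2: no paths with multiple pCNT=0 entries in a row.
    if any(a[1] == 0 and b[1] == 0 for a, b in zip(signed, signed[1:])):
        problems.append("pcnt0-run")
    return problems


def effective_length(signed):
    """Path length seen by route selection (assumed): sum of signed pCNTs."""
    return sum(pcnt for _, pcnt in signed)


if __name__ == "__main__":
    servers = {RS}
    signed = [(AS1, 1), (AS2, 2), (AS3, 1)]
    # Path as signed, then the same signatures with one AS2 dropped.
    print(check_update([AS1, AS2, AS2, AS3], signed, AS3, servers))
    print(check_update([AS1, AS2, AS3], signed, AS3, servers))
    # A configured route server adds a zero-width entry.
    via_rs = [(AS1, 1), (AS2, 1), (RS, 0)]
    print(check_update([AS1, AS2], via_rs, RS, servers), effective_length(via_rs))
    # A transit peer that is not a configured route server claims zero width.
    print(check_update([AS1, AS2], [(AS1, 1), (AS2, 1), (AS3, 0)], AS3, servers))
```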

From dougm.tlist@gmail.com  Thu Jul 28 08:53:43 2011
Return-Path: <dougm.tlist@gmail.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A585D21F8C5B for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 08:53:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.901
X-Spam-Level: 
X-Spam-Status: No, score=-2.901 tagged_above=-999 required=5 tests=[AWL=0.699,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I4UvRNea2iiI for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 08:53:43 -0700 (PDT)
Received: from mail-vw0-f54.google.com (mail-vw0-f54.google.com [209.85.212.54]) by ietfa.amsl.com (Postfix) with ESMTP id A43A621F8BD0 for <sidr@ietf.org>; Thu, 28 Jul 2011 08:53:37 -0700 (PDT)
Received: by vws18 with SMTP id 18so3894113vws.27 for <sidr@ietf.org>; Thu, 28 Jul 2011 08:53:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=user-agent:date:subject:from:to:cc:message-id:thread-topic :in-reply-to:mime-version:content-type:content-transfer-encoding; bh=wbA/Sv8dlmkucJYa8hDh1AoxxJEDL/lohxe9+Svbdyg=; b=PXzH9yv+08vvOxHl2qlS8rB76VubKE1V+clZxeHIWw5A5HwW0dPJO2D/IMsrZU8ONQ znz7ITY5lRf/OSZiYFY48tWWU1ObDPdPhc7WYRaxjgq4pF4WAJhfF+Sr7sr4uRhoPFXY IYK7aMznzeoTff83+yB4Rju5EQcladyMeW6n4=
Received: by 10.52.98.2 with SMTP id ee2mr172008vdb.461.1311868417042; Thu, 28 Jul 2011 08:53:37 -0700 (PDT)
Received: from [130.129.87.22] (dhcp-5716.meeting.ietf.org [130.129.87.22]) by mx.google.com with ESMTPS id r12sm386133vcq.12.2011.07.28.08.53.35 (version=SSLv3 cipher=OTHER); Thu, 28 Jul 2011 08:53:36 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/14.10.0.110310
Date: Thu, 28 Jul 2011 11:53:32 -0400
From: Doug Montgomery <dougm.tlist@gmail.com>
To: Highwayman <chris.hall@highwayman.com>, Doug Montgomery <dougm@nist.gov>
Message-ID: <CA56FC4F.5AC4E%dougm.tlist@gmail.com>
Thread-Topic: [sidr] pCNT & prepending
In-Reply-To: <A29C8509-5F88-46BD-888F-E2C6650FEAD7@highwayman.com>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] pCNT & prepending
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2011 15:53:43 -0000

I think we would all benefit from your offer to survey the RS community to
see if solutions that did not affect PATH_LENGTH but do make the RS AS#
visible somewhere in the protocol (we can quibble about the syntax of
carrying that in AS_PATH vs PATH_SIGs later).

If one requires dropping routes with pCNT=0 from peers that are not
administratively configured to be route servers, then allowing an
unscrupulous transit provider to propagate that, now requires collusion
between two AS's.   There are other issues that come up if we consider
those scenarios.

One could think of having RS's somehow announce/declare themselves (e.g.,
an RPKI object/flag) ... But I will point out that if I am unscrupulous I
will just announce myself and proceed.

Anyway, again ... Let's get the requirement right before we talk about the
encoding / mechanisms - your offer to survey if "translucent" supports the
use case / business model of the RS community is an important step towards
getting the requirement right.

Dougm


On 7/28/11 11:31 AM, "Highwayman" <chris.hall@highwayman.com> wrote:

>It's not clear to me how the system is protected from some unscrupulous
>transit provider setting their AS's to zero width, in order to attract
>more traffic.  Unless there is a side channel for ASN which may validly
>announce themselves in this way ?
>
>I agree that transparency is the minimum requirement. I do not, yet,
>discount the emotional demand for Route Server users to not be seen to be
>RS users.  For many years we peered at LINX and, frankly, would not have
>dreamt of either using the RS, or be seen to be using it -- we were big
>boys -- notwithstanding, we peered openly... go figure :-)
>
>Chris
>-- 
>Chris Hall.                  +44 7970 277 383 (iPhone)
>
>
>On 28 Jul 2011, at 11:11, "Montgomery, Douglas" <dougm@nist.gov> wrote:
>
>> Danny,
>> 
>> Yes, that is certainly the idea if we agree to protect prepending (as
>>opposed to just avoiding multiple Sigs in the presence of
>>prepending).
>> 
>> If we protect prepending, the pCNT must be carried in the protocol,
>>covered by the Sig and verified ... i.e., what you suggest below .. in
>>validation.
>> 
>> Note, that if you don't want to protect prepending ... only avoid
>>repeating sigs ..., then you don't have to carry pCNT in the protocol.
>>Just update the Sig verification algorithm to treat sequences of repeated
>>AS's as one.
>> 
>> If we like the "translucent" approach to support RS, then we need to
>>carry pCNT in BGPSEC.   You are right we do need enhanced
>>receive/process rules such as:
>> 
>> 1. Only accept pCNT=0 from peers that are configured to be route
>>servers.
>> 
>> 2. Don't accept paths with multiple pCNT=0 entries in a row.
>> 
>> Anyway, if we like this approach, we can talk the details of the
>>receiving rules / process rules to protect potential abuse.
>> 
>> dougm
>> 
>> Doug Montgomery - Manager Internet and Scalable Systems Research Group
>>/ Information Technology Laboratory / NIST
>> ________________________________________
>> From: sidr-bounces@ietf.org [sidr-bounces@ietf.org] On Behalf Of Danny
>>McPherson [danny@tcb.net]
>> Sent: Thursday, July 28, 2011 11:02 AM
>> To: sidr wg list
>> Subject: [sidr] pCNT & prepending
>> 
>> Doug et al,
>> I like the general objective of pCNT and this seems a good idea to me.
>>My only comment at the microphone was that if we add this for
>>compression, then validation should require that pCNT MUST be equal to
>>the number of _contiguous ASx appearances in the path (i.e., no more, no
>>less, and only contiguous).
>> 
>> I do wonder if pCNT=0 for transparent route servers introduces the
>>opportunity for some sort of downgrade attack of sorts..
>> 
>> -danny
>> _______________________________________________
>> sidr mailing list
>> sidr@ietf.org
>> https://www.ietf.org/mailman/listinfo/sidr



From kent@bbn.com  Thu Jul 28 09:59:40 2011
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC99E11E80F9 for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 09:59:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.57
X-Spam-Level: 
X-Spam-Status: No, score=-106.57 tagged_above=-999 required=5 tests=[AWL=0.029, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k5J8-7r6scO2 for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 09:59:40 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id 5877D11E8106 for <sidr@ietf.org>; Thu, 28 Jul 2011 09:59:40 -0700 (PDT)
Received: from dommiel.bbn.com ([192.1.122.15]:56411 helo=[130.129.18.170]) by smtp.bbn.com with esmtp (Exim 4.74 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1QmTvp-000Lle-Qv; Thu, 28 Jul 2011 12:59:33 -0400
Mime-Version: 1.0
Message-Id: <p06240802ca5744407d5d@[130.129.18.170]>
In-Reply-To: <CA56FC4F.5AC4E%dougm.tlist@gmail.com>
References: <CA56FC4F.5AC4E%dougm.tlist@gmail.com>
Date: Thu, 28 Jul 2011 12:57:37 -0400
To: Doug Montgomery <dougm.tlist@gmail.com>
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] pCNT & prepending
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2011 16:59:41 -0000

At 11:53 AM -0400 7/28/11, Doug Montgomery wrote:
>...
>
>One could think of having RS's somehow announce/declare themselves (e.g.,
>an RPKI object/flag) ... But I will point out that if I am unscrupulous I
>will just announce myself and proceed.

yes, but if you do so, then there is a signed record of that, if we 
follow Roque's suggestion and include an EKU in the router cert.  If 
contracts for resource allocation include language that prohibits 
using the RPKI to make false assertions about RS-ness, then this 
could be a basis for revocation ...

(As someone who is going through the resource allocation process with 
an RIR, I know that there are already a lot of criteria that I have 
promised to not violate, and that provide a basis for termination of 
my allocation, so this could be added to that list :-).)

Steve

From randy@psg.com  Thu Jul 28 10:31:16 2011
Return-Path: <randy@psg.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D47C21F8C23 for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 10:31:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.519
X-Spam-Level: 
X-Spam-Status: No, score=-2.519 tagged_above=-999 required=5 tests=[AWL=0.080,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EkyP8lnysHVm for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 10:31:16 -0700 (PDT)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:1::36]) by ietfa.amsl.com (Postfix) with ESMTP id EC43521F8C1E for <sidr@ietf.org>; Thu, 28 Jul 2011 10:31:15 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=rair.psg.com.psg.com) by ran.psg.com with esmtp (Exim 4.76 (FreeBSD)) (envelope-from <randy@psg.com>) id 1QmUQS-000CMe-3y; Thu, 28 Jul 2011 17:31:12 +0000
Date: Thu, 28 Jul 2011 13:31:11 -0400
Message-ID: <m2aaby9usg.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Highwayman <chris.hall@highwayman.com>
In-Reply-To: <A29C8509-5F88-46BD-888F-E2C6650FEAD7@highwayman.com>
References: <3E7A5153-26C1-4974-9A1B-33AB92FCD657@tcb.net> <D7A0423E5E193F40BE6E94126930C493087C7907AE@MBCLUSTER.xchange.nist.gov> <A29C8509-5F88-46BD-888F-E2C6650FEAD7@highwayman.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] pCNT & prepending
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2011 17:31:16 -0000

> It's not clear to me how the system is protected from some
> unscrupulous transit provider setting their AS's to zero width, in
> order to attract more traffic.

and what is to stop them from using the transparency hack today?

randy

From shane@castlepoint.net  Thu Jul 28 12:01:11 2011
Return-Path: <shane@castlepoint.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 530051F0C3C for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 12:01:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JpIfDu8PSPjQ for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 12:01:10 -0700 (PDT)
Received: from dog.tcb.net (dog.tcb.net [64.78.150.133]) by ietfa.amsl.com (Postfix) with ESMTP id 6E3761F0CD7 for <sidr@ietf.org>; Thu, 28 Jul 2011 12:00:32 -0700 (PDT)
Received: by dog.tcb.net (Postfix, from userid 0) id 83E25268037; Thu, 28 Jul 2011 13:00:31 -0600 (MDT)
Received: from host2.tcb.net (64.78.235.218 [64.78.235.218]) (authenticated-user smtp) (TLSv1/SSLv3 AES128-SHA 128/128) by dog.tcb.net with SMTP; for sidr@ietf.org; Thu, 28 Jul 2011 13:00:31 -0600 (MDT) (envelope-from shane@castlepoint.net)
X-Avenger: version=0.7.8; receiver=dog.tcb.net; client-ip=64.78.235.218; client-port=56271; data-bytes=0
From: Shane Amante <shane@castlepoint.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Date: Thu, 28 Jul 2011 13:00:29 -0600
Message-Id: <19BD9B69-B1EE-495E-8795-38DDE3BF6D4A@castlepoint.net>
To: sidr@ietf.org
Mime-Version: 1.0 (Apple Message framework v1084)
X-Mailer: Apple Mail (2.1084)
Subject: [sidr] pCNT & (AS_PATH) prepending: Is it in scope?
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2011 19:01:11 -0000

Hi,

I have a question for the WG.  In a series of e-mail exchanges earlier
this year, I had thought it was concluded that BGPSEC was merely being
used as a means to express that a BGP UPDATE had passed through a series
of ASN's, i.e.: it's an expression of a "breadcrumbs", if you will, that
can [later] be validated by receivers that are further downstream.  IOW,
it's not a validation of the TE policies (e.g.: AS_PATH prepending)
applied by ASN's.

I went back to the BGPSEC requirements:
http://tools.ietf.org/html/draft-ietf-sidr-bgpsec-reqs-00
... and, if I look at Req #3.19:
   3.19  A BGPsec design SHOULD NOT presume to know the intent of the
         originator of a NLRI, nor that of any AS on the AS Path.

What was the intended meaning of the word "intent"?  I thought that word
was meant to say that BGPsec was not intended to validate TE policies
that may, or may not, be applied to the NLRI.  If that is correct, then
why is the WG looking at signing a BGP attribute that expresses the
number of times an ASN may be prepended?  Or, has the WG had a change of
direction and I haven't kept up to speed?

I would note that the reason I'm asking the above is that it may not be
the originator that is performing AS_PATH prepending.  Specifically, a
customer may use a provider's BGP TE communities to ask the provider to
perform AS_PATH prepending (selectively) on their behalf.  But, since
these BGP TE communities are not signed, then how would a receiver of
the NLRI know that an AS_PATH should or should not have been prepended
by an intermediate/transit ASN?

Thanks,

-shane

From chris.hall@highwayman.com  Thu Jul 28 12:08:10 2011
Return-Path: <chris.hall@highwayman.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13D0F5E8028 for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 12:08:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.203
X-Spam-Level: 
X-Spam-Status: No, score=-1.203 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WJM3Zo3AK3Dd for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 12:08:09 -0700 (PDT)
Received: from anchor-post-3.mail.demon.net (anchor-post-3.mail.demon.net [195.173.77.134]) by ietfa.amsl.com (Postfix) with ESMTP id 575495E8029 for <sidr@ietf.org>; Thu, 28 Jul 2011 12:07:58 -0700 (PDT)
Received: from [80.177.246.162] (helo=hestia.halldom.com) by anchor-post-3.mail.demon.net with esmtp (Exim 4.69) id 1QmVw4-0001k5-pL; Thu, 28 Jul 2011 19:07:56 +0000
Received: from 108.4.modemcable.oricom.ca ([69.67.4.108] helo=[172.23.0.106]) by hestia.halldom.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.76) (envelope-from <chris.hall@highwayman.com>) id 1QmVw3-0008FD-Sg; Thu, 28 Jul 2011 20:07:56 +0100
References: <3E7A5153-26C1-4974-9A1B-33AB92FCD657@tcb.net> <D7A0423E5E193F40BE6E94126930C493087C7907AE@MBCLUSTER.xchange.nist.gov> <A29C8509-5F88-46BD-888F-E2C6650FEAD7@highwayman.com> <m2aaby9usg.wl%randy@psg.com>
In-Reply-To: <m2aaby9usg.wl%randy@psg.com>
Mime-Version: 1.0 (iPhone Mail 8K2)
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=us-ascii
Message-Id: <228BB02B-7891-425B-9D45-A0792110466E@highwayman.com>
X-Mailer: iPhone Mail (8K2)
From: Highwayman <chris.hall@highwayman.com>
Date: Thu, 28 Jul 2011 15:07:46 -0400
To: Randy Bush <randy@psg.com>
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] pCNT & prepending
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2011 19:08:10 -0000

On 28 Jul 2011, at 13:31, Randy Bush <randy@psg.com> wrote:

>> It's not clear to me how the system is protected from some
>> unscrupulous transit provider setting their AS's to zero width, in
>> order to attract more traffic.
>
> and what is to stop them from using the transparency hack today?

Not sure I see much challenge in having the bar at "anything will do,
provided it's not a step back from where we are now", given where we are
now :-)

Chris

From mlepinsk@bbn.com  Thu Jul 28 12:36:51 2011
Return-Path: <mlepinsk@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C59D11E80E5 for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 12:36:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vCX0y5Eck5Fl for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 12:36:50 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id 9E7EA11E809E for <sidr@ietf.org>; Thu, 28 Jul 2011 12:36:50 -0700 (PDT)
Received: from [128.89.253.217] (port=1177) by smtp.bbn.com with esmtps (TLSv1:CAMELLIA256-SHA:256) (Exim 4.74 (FreeBSD)) (envelope-from <mlepinsk@bbn.com>) id 1QmWO2-0006cs-8c for sidr@ietf.org; Thu, 28 Jul 2011 15:36:50 -0400
Message-ID: <4E31BA6E.9000400@bbn.com>
Date: Thu, 28 Jul 2011 15:37:18 -0400
From: Matt Lepinski <mlepinsk@bbn.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.18) Gecko/20110616 Thunderbird/3.1.11
MIME-Version: 1.0
To: sidr@ietf.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [sidr] Presentations on non-working group documents
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2011 19:36:51 -0000

At the end of the SIDR session there were a couple of presentations on 
drafts that were not working group documents. I just wanted to agree 
with something that Wes had said at the microphone near the end of the 
meeting.

SIDR has a lot of work on its plate right now, and the area directors 
have indicated that presently they are not willing to expand the charter 
to take on additional work. Therefore, if folks have ideas about 
improving routing security, I believe it is most helpful to the working 
group if these suggestions can be cast in terms of 
improvements/enhancements/extensions/optimizations to existing SIDR work 
items (either RPKI origin validation or BGPSEC path validation).



From dougm@nist.gov  Thu Jul 28 12:43:53 2011
Return-Path: <dougm@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C03A511E8121 for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 12:43:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.282
X-Spam-Level: 
X-Spam-Status: No, score=-2.282 tagged_above=-999 required=5 tests=[AWL=0.317,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qm1KRNotB9Hs for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 12:43:52 -0700 (PDT)
Received: from wsget2.nist.gov (wsget2.nist.gov [129.6.13.151]) by ietfa.amsl.com (Postfix) with ESMTP id 5141711E80F0 for <sidr@ietf.org>; Thu, 28 Jul 2011 12:43:52 -0700 (PDT)
Received: from WSXGHUB1.xchange.nist.gov (129.6.18.96) by wsget2.nist.gov (129.6.13.151) with Microsoft SMTP Server (TLS) id 14.1.323.0; Thu, 28 Jul 2011 15:43:57 -0400
Received: from MBCLUSTER.xchange.nist.gov ([fe80::d479:3188:aec0:cb66]) by WSXGHUB1.xchange.nist.gov ([129.6.18.96]) with mapi; Thu, 28 Jul 2011 15:43:48 -0400
From: "Montgomery, Douglas" <dougm@nist.gov>
To: Shane Amante <shane@castlepoint.net>, "sidr@ietf.org" <sidr@ietf.org>
Date: Thu, 28 Jul 2011 15:43:18 -0400
Thread-Topic: [sidr] pCNT & (AS_PATH) prepending: Is it in scope?
Thread-Index: AcxNWMvXAWgAjGIMQFCYGDxRLTLcowAA8L60
Message-ID: <D7A0423E5E193F40BE6E94126930C493087C7907B3@MBCLUSTER.xchange.nist.gov>
References: <19BD9B69-B1EE-495E-8795-38DDE3BF6D4A@castlepoint.net>
In-Reply-To: <19BD9B69-B1EE-495E-8795-38DDE3BF6D4A@castlepoint.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Subject: Re: [sidr] pCNT & (AS_PATH) prepending: Is it in scope?
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2011 19:43:53 -0000

The discussion so far has not been protecting/validating if prepending *should have* occurred.    BGPSEC protects the AS_PATH.  Prepending occurs in the AS_PATH.  Today's strawman presented one approach to protect the fact that prepending *did* occur (without comment as if it should have occurred).

With that interpretation, I don't think today's proposal violates the requirement about presuming intent.

This too is good discussion as to what the requirement is.    

If we want to protect the common encoding of prepending in the AS_PATH today's strawman provides a simple approach.   

I don't know if your example is primarily pointing out another situation where prepending occurs on ingress .... or if you are proposing that we discuss protecting the intent to prepend.

If it is the latter - that is a significant expansion of requirements - and there are no obvious simple enhancements of bgpsec-00 mechanisms that would get us there.

dougm




Doug Montgomery - Manager Internet and Scalable Systems Research Group / Information Technology Laboratory / NIST
________________________________________
From: sidr-bounces@ietf.org [sidr-bounces@ietf.org] On Behalf Of Shane Amante [shane@castlepoint.net]
Sent: Thursday, July 28, 2011 3:00 PM
To: sidr@ietf.org
Subject: [sidr] pCNT & (AS_PATH) prepending: Is it in scope?

Hi,

I have a question for the WG.  In a series of e-mail exchanges earlier this year, I had thought it was concluded that BGPSEC was merely being used as a means to express that a BGP UPDATE had passed through a series of ASN's, i.e.: it's an expression of a "breadcrumbs", if you will, that can [later] be validated by receivers that are further downstream.  IOW, it's not a validation of the TE policies (e.g.: AS_PATH prepending) applied by ASN's.

I went back to the BGPSEC requirements:
http://tools.ietf.org/html/draft-ietf-sidr-bgpsec-reqs-00
... and, if I look at Req #3.19:
   3.19  A BGPsec design SHOULD NOT presume to know the intent of the
         originator of a NLRI, nor that of any AS on the AS Path.

What was the intended meaning of the word "intent"?  I thought that word was meant to say that BGPsec was not intended to validate TE policies that may, or may not, be applied to the NLRI.  If that is correct, then why is the WG looking at signing a BGP attribute that expresses the number of times an ASN may be prepended?  Or, has the WG had a change of direction and I haven't kept up to speed?

I would note that the reason I'm asking the above is that it may not be the originator that is performing AS_PATH prepending.  Specifically, a customer may use a provider's BGP TE communities to ask the provider to perform AS_PATH prepending (selectively) on their behalf.  But, since these BGP TE communities are not signed, then how would a receiver of the NLRI know that an AS_PATH should or should not have been prepended by an intermediate/transit ASN?

Thanks,

-shane
_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr

From mlepinsk@bbn.com  Thu Jul 28 12:53:32 2011
Return-Path: <mlepinsk@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A65DA11E80F0 for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 12:53:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mdJfoTUFwPlI for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 12:53:32 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id 3052611E8075 for <sidr@ietf.org>; Thu, 28 Jul 2011 12:53:31 -0700 (PDT)
Received: from [128.89.253.217] (port=1196) by smtp.bbn.com with esmtps (TLSv1:CAMELLIA256-SHA:256) (Exim 4.74 (FreeBSD)) (envelope-from <mlepinsk@bbn.com>) id 1QmWeB-0006s9-KD for sidr@ietf.org; Thu, 28 Jul 2011 15:53:31 -0400
Message-ID: <4E31BE58.50500@bbn.com>
Date: Thu, 28 Jul 2011 15:54:00 -0400
From: Matt Lepinski <mlepinsk@bbn.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.18) Gecko/20110616 Thunderbird/3.1.11
MIME-Version: 1.0
To: sidr@ietf.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [sidr] Presentations on non-working-group documents
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2011 19:53:32 -0000

At the end of the SIDR session there were a couple of presentations on 
drafts that were not working group documents. I just wanted to agree 
with something that Wes had said at the microphone near the end of the 
meeting.

SIDR has a lot of work on its plate right now, and the area directors 
have indicated that presently they are not willing to expand the charter 
to take on additional work. Therefore, if folks have ideas about 
improving routing security, I believe it is most helpful to the working 
group if these suggestions can be cast in terms of 
improvements/enhancements/extensions/optimizations to existing SIDR work 
items (either RPKI origin validation or BGPSEC path validation).

From dougm@nist.gov  Thu Jul 28 12:58:02 2011
Return-Path: <dougm@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 098D121F8AA8 for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 12:58:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.322
X-Spam-Level: 
X-Spam-Status: No, score=-2.322 tagged_above=-999 required=5 tests=[AWL=0.277,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5QHE9TXa5F09 for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 12:58:01 -0700 (PDT)
Received: from wsget2.nist.gov (wsget2.nist.gov [129.6.13.151]) by ietfa.amsl.com (Postfix) with ESMTP id 41BC421F8A7B for <sidr@ietf.org>; Thu, 28 Jul 2011 12:58:01 -0700 (PDT)
Received: from WSXGHUB1.xchange.nist.gov (129.6.18.96) by wsget2.nist.gov (129.6.13.151) with Microsoft SMTP Server (TLS) id 14.1.323.0; Thu, 28 Jul 2011 15:58:08 -0400
Received: from MBCLUSTER.xchange.nist.gov ([fe80::d479:3188:aec0:cb66]) by WSXGHUB1.xchange.nist.gov ([129.6.18.96]) with mapi; Thu, 28 Jul 2011 15:58:00 -0400
From: "Montgomery, Douglas" <dougm@nist.gov>
To: Highwayman <chris.hall@highwayman.com>
Date: Thu, 28 Jul 2011 15:55:06 -0400
Thread-Topic: [sidr] pCNT & prepending
Thread-Index: AcxNO2kv7vK/uVZFS/Klned0i1HAEwAJNZTI
Message-ID: <D7A0423E5E193F40BE6E94126930C493087C7907B4@MBCLUSTER.xchange.nist.gov>
References: <3E7A5153-26C1-4974-9A1B-33AB92FCD657@tcb.net> <D7A0423E5E193F40BE6E94126930C493087C7907AE@MBCLUSTER.xchange.nist.gov>, <A29C8509-5F88-46BD-888F-E2C6650FEAD7@highwayman.com>
In-Reply-To: <A29C8509-5F88-46BD-888F-E2C6650FEAD7@highwayman.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] pCNT & prepending
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2011 19:58:02 -0000

Chris, 

Do you think the proposed receiver processing rules below are insufficient?

dougm
 

________________________________________
From: Highwayman [chris.hall@highwayman.com]
Sent: Thursday, July 28, 2011 11:31 AM
To: Montgomery, Douglas
Cc: Danny McPherson; sidr wg list
Subject: Re: [sidr] pCNT & prepending

It's not clear to me how the system is protected from some unscrupulous transit provider setting their AS's to zero width, in order to attract more traffic.  Unless there is a side channel for ASN which may validly announce themselves in this way ?

I agree that transparency is the minimum requirement. I do not, yet, discount the emotional demand for Route Server users to not be seen to be RS users.  For many years we peered at LINX and, frankly, would not have dreamt of either using the RS, or be seen to be using it -- we were big boys -- notwithstanding, we peered openly... go figure :-)

Chris
--
Chris Hall.                  +44 7970 277 383 (iPhone)


On 28 Jul 2011, at 11:11, "Montgomery, Douglas" <dougm@nist.gov> wrote:

> Danny,
>
> Yes, that is certainly the idea if we agree to protect prepending (as opposed to just avoiding multiple Sigs in the presence of prepending).
>
> If we protect prepending, the pCNT must be carried in the protocol, covered by the Sig and verified ... i.e., what you suggest below .. in validation.
>
> Note, that if you don't want to protect prepending ... only avoid repeating sigs ..., then you don't have to carry pCNT in the protocol.  Just update the Sig verification algorithm to treat sequences of repeated AS's as one.
>
> If we like the "translucent" approach to support RS, then we need to carry pCNT in BGPSEC.   You are right we do need enhanced receive/process rules such as:
>
> 1. Only accept pCNT=0 from peers that are configured to be route servers.
>
> 2. Don't accept paths with multiple pCNT=0 entries in a row.
>
> Anyway, if we like this approach, we can talk the details of the receiving rules / process rules to protect potential abuse.
>
> dougm
>
> Doug Montgomery - Manager Internet and Scalable Systems Research Group / Information Technology Laboratory / NIST
> ________________________________________
> From: sidr-bounces@ietf.org [sidr-bounces@ietf.org] On Behalf Of Danny McPherson [danny@tcb.net]
> Sent: Thursday, July 28, 2011 11:02 AM
> To: sidr wg list
> Subject: [sidr] pCNT & prepending
>
> Doug et al,
> I like the general objective of pCNT and this seems a good idea to me.  My only comment at the microphone was that if we add this for compression, then validation should require that pCNT MUST be equal to the number of _contiguous ASx appearances in the path (i.e., no more, no less, and only contiguous).
>
> I do wonder if pCNT=0 for transparent route servers introduces the opportunity for some sort of downgrade attack of sorts..
>
> -danny
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr

From sharangxy@gmail.com  Thu Jul 28 13:29:51 2011
Return-Path: <sharangxy@gmail.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5C9911E8083 for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 13:29:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.82
X-Spam-Level: 
X-Spam-Status: No, score=-1.82 tagged_above=-999 required=5 tests=[AWL=-0.510,  BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, SARE_HTML_USL_OBFU=1.666]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OyaN+0wETd9x for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 13:29:50 -0700 (PDT)
Received: from mail-vx0-f172.google.com (mail-vx0-f172.google.com [209.85.220.172]) by ietfa.amsl.com (Postfix) with ESMTP id 9B1E511E8081 for <sidr@ietf.org>; Thu, 28 Jul 2011 13:29:50 -0700 (PDT)
Received: by vxi40 with SMTP id 40so2787198vxi.31 for <sidr@ietf.org>; Thu, 28 Jul 2011 13:29:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type; bh=4KlMZBxVz0kRM8cVrCjQ4xoj9/I9yNJw2T8hguoR9Cw=; b=Gs5S150bIKNcrD/gjDiWTXEKfCXZssFppF9Zz59ii0PWQJow2VxTUXCmrw4Z0H5Dn0 3ZGwUw7v21mKjeSpNttqfuwumRv2nP1xXQIz90kxAs+KcqpIbyh/ADD9ag+N8MDgLLP1 dPfWCN4H9YfxdEagwjkc1yb9djo3yF9d3po3M=
Received: by 10.220.8.193 with SMTP id i1mr137231vci.108.1311884990074; Thu, 28 Jul 2011 13:29:50 -0700 (PDT)
MIME-Version: 1.0
Sender: sharangxy@gmail.com
Received: by 10.220.190.199 with HTTP; Thu, 28 Jul 2011 13:29:10 -0700 (PDT)
In-Reply-To: <4E31BA6E.9000400@bbn.com>
References: <4E31BA6E.9000400@bbn.com>
From: XIANG Yang <xiangy08@csnet1.cs.tsinghua.edu.cn>
Date: Fri, 29 Jul 2011 04:29:10 +0800
X-Google-Sender-Auth: mPLRegganMHpnWhmPMN73RunAnk
Message-ID: <CA+rW-LAe1mBBEbAZUa2siGgxwBzc-+DHZgu3=brVp2AaJ72P_g@mail.gmail.com>
To: Matt Lepinski <mlepinsk@bbn.com>
Content-Type: multipart/alternative; boundary=bcaec54ee99ed1d05d04a92706af
Cc: sidr@ietf.org
Subject: Re: [sidr] Presentations on non-working group documents
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2011 20:29:51 -0000

--bcaec54ee99ed1d05d04a92706af
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

Hi Matt, and others,

I agree with you that we should concentrate on the charter of SIDR.
However, I also have some different opinions.

1.

Firstly, expiration-date almost cannot restrict replay attacks, since
route failures occur frequently.
And the expiration-date cannot be very short.
From this aspect, I think BGPSEC is also a "feasible path authentication"
method.

Actually, I just proposed a method to restrict the replay attack.
That is the Suppressed Path Padding (or we can call it Non-optimal path
padding).
With SPP we can guarantee that all non-optimal paths will be no shorter than
the optimal path.
Since the optimal path usually has an obviously longer use-time,
SPP actually protects the most important optimal path.

2.

Secondly, if guys think that BGPSEC has no need to cover AS Path
Pre-pending,
it means that BGPSEC also cannot defend against many "AS removal" attacks, since
ASPP is widely used.
From this aspect, even if BGPSEC guarantees that the AS-Path represented in
the route is the same as the path through,
it has no significance since it cannot defend against very simple attacks.

If guys think these simple attacks are acceptable,
then we also should be able to adopt the tiny security loss in FS-BGP.
Actually the full version of FS-BGP (armed with SPP) is more secure than
S-BGP.

3.

Thirdly, the cost of S-BGP is unbearable.
I remembered that Sandy said,
"if the router can not bear, then we can choose only signs some of k path
suffix from the entire n path suffixes."

So guys, if we think selectively signing path suffixes is acceptable,
I think we also can accept signing the adjacent AS triples using FS-BGP.

Because --- neighbor based routing, this is indeed how BGP works.

--

OK, I am just a new guy here, and hope I can make some contribution to the SIDR
WG.

Regards.
_____________________________________________________
Yang Xiang, PhD student, Tsinghua Univ., about.me/xiangyang



2011/7/29 Matt Lepinski <mlepinsk@bbn.com>

> At the end of the SIDR session there were a couple of presentations on
> drafts that were not working group documents. I just wanted to agree with
> something that Wes had said at the microphone near the end of the meeting.
>
> SIDR has a lot of work on its plate right now, and the area directors have
> indicated that presently they are not willing to expand the charter to take
> on additional work. Therefore, if folks have ideas about improving routing
> security, I believe it is most helpful to the working group if these
> suggestions can be cast in terms of improvements/enhancements/extensions/optimizations
> to existing SIDR work items (either RPKI origin validation or BGPSEC path
> validation).
>
>
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr
>

--bcaec54ee99ed1d05d04a92706af--

From kent@bbn.com  Thu Jul 28 13:50:06 2011
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5A8221F8AC9 for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 13:50:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.571
X-Spam-Level: 
X-Spam-Status: No, score=-106.571 tagged_above=-999 required=5 tests=[AWL=0.028, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3CzCIaxWPGCx for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 13:50:06 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id 38EF521F8AAC for <sidr@ietf.org>; Thu, 28 Jul 2011 13:50:06 -0700 (PDT)
Received: from dommiel.bbn.com ([192.1.122.15]:59829 helo=[130.129.18.170]) by smtp.bbn.com with esmtp (Exim 4.74 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1QmXWv-000Pce-Jp; Thu, 28 Jul 2011 16:50:05 -0400
Mime-Version: 1.0
Message-Id: <p0624080fca572d4618ba@[130.129.71.153]>
In-Reply-To: <3E7A5153-26C1-4974-9A1B-33AB92FCD657@tcb.net>
References: <3E7A5153-26C1-4974-9A1B-33AB92FCD657@tcb.net>
Date: Thu, 28 Jul 2011 16:49:52 -0400
To: Danny McPherson <danny@tcb.net>
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] pCNT & prepending
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2011 20:50:06 -0000

At 11:02 AM -0400 7/28/11, Danny McPherson wrote:
>Doug et al,
>I like the general objective of pCNT and this seems a good idea to 
>me.  My only comment at the microphone was that if we add this for 
>compression, then validation should require that pCNT MUST be equal 
>to the number of _contiguous ASx appearances in the path (i.e., no 
>more, no less, and only contiguous).
>
>I do wonder if pCNT=0 for transparent route servers introduces the 
>opportunity for some sort of downgrade attack of sorts..
>
>-danny

There is a valid security concern when we allow 0 as a valid pCNT value.

I think Roque's suggestion of an EKU to mark an EE cert as being 
associated with a route server is helpful here.  Yes, this is a 
self-assertion, and thus not authoritative. But, it could be a 
convenient mechanism to assist in configuration for checking when 
it's OK to receive an update with a 0 pCNT value. Specifically, if we 
agree that an ISP knows when a configured peer is an RS, then we can 
mandate that an ISP check to make sure that an update received from a 
peer with a 0 pCNT is, in fact, coming from what it believes is an 
RS. Having a marker in a cert that says "HI, I'm an RS" at least 
makes this intent clear.  (One also could imagine that, since IXPs 
are well known and the route servers at IXPs are known, a third party 
could scan the RPKI looking for certs that claim to be associated 
with RSes, and checking to see if they appear to be legit.)

BGPSEC also could mandate some configuration capabilities that enable 
ASes further along a path to filter routes based on 0 pCNT values in 
a path. For example, one might say that any AS can be configured to 
drop a route with 2 or more 0 pCNT hops in a row, or more than 2 
total, or whatever.  If we can reach agreement on any general rules 
with regard to 0 pCNT values, these rules can become part of the 
validation standard.

Steve
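
Added example, not part of the message above or of any SIDR draft: a Python sketch of the receive-side pCNT checks proposed in this thread (pCNT equal to the contiguous run length, pCNT=0 only from a configured route server, limits on pCNT=0 hops in a row and in total). Assumptions: the list-of-(ASN, pCNT) representation with the most recent hop first, all names, the default limits, the requirement that the first signed hop is the sending peer, and that signature verification has already succeeded.

```python
from dataclasses import dataclass
from itertools import groupby


@dataclass(frozen=True)
class SignedHop:
    asn: int   # AS that signed this hop (hypothetical representation)
    pcnt: int  # signed prepend count; 0 marks a transparent route server


def runs(as_path):
    """Collapse an AS_PATH into (asn, run_length) pairs, one per contiguous run."""
    return [(asn, len(list(group))) for asn, group in groupby(as_path)]


def compress(as_path):
    """Sender side: one signed hop per run instead of one signature per element."""
    return [SignedHop(asn, count) for asn, count in runs(as_path)]


def check_update(as_path, hops, peer_asn, route_servers,
                 max_zero_run=1, max_zero_total=2):
    """Apply the thread's receive rules; returns (accepted, reason).

    as_path and hops are ordered most recent hop first (assumption).
    route_servers is the locally configured set of route-server peer ASNs.
    """
    if not hops or hops[0].asn != peer_asn:
        return False, "first signed hop is not the sending peer"
    if any(h.pcnt < 0 for h in hops):
        return False, "negative pCNT"

    # Only accept pCNT=0 from peers that are configured to be route servers.
    if hops[0].pcnt == 0 and peer_asn not in route_servers:
        return False, "pCNT=0 from a peer not configured as a route server"

    # Configurable limits on pCNT=0 hops in a row and in total.
    zero_run = zero_total = 0
    for hop in hops:
        if hop.pcnt == 0:
            zero_run += 1
            zero_total += 1
            if zero_run > max_zero_run:
                return False, "too many consecutive pCNT=0 hops"
        else:
            zero_run = 0
    if zero_total > max_zero_total:
        return False, "too many pCNT=0 hops in path"

    # pCNT must equal the number of contiguous appearances of the AS in the
    # AS_PATH: no more, no less, and only contiguous. pCNT=0 hops contribute
    # no AS_PATH element, so they are skipped in the comparison.
    signed_runs = [(h.asn, h.pcnt) for h in hops if h.pcnt > 0]
    if signed_runs != runs(as_path):
        return False, "pCNT does not match contiguous AS appearances"
    return True, "ok"


# Constructed sample data (documentation ASNs), most recent hop first.
PATH = [64500, 64501, 64501, 64501, 64510]           # 64501 prepended twice
RS_PATH = [64501, 64501, 64510]                      # route server not in AS_PATH
RS_HOPS = [SignedHop(64499, 0), SignedHop(64501, 2), SignedHop(64510, 1)]
UNDERSTATED = [SignedHop(64500, 1), SignedHop(64501, 1), SignedHop(64510, 1)]
DOUBLE_ZERO = [SignedHop(64499, 0), SignedHop(64498, 0),
               SignedHop(64501, 2), SignedHop(64510, 1)]

if __name__ == "__main__":
    print(check_update(PATH, compress(PATH), 64500, set()))
    print(check_update(RS_PATH, RS_HOPS, 64499, {64499}))
    print(check_update(RS_PATH, RS_HOPS, 64499, set()))
    print(check_update(PATH, UNDERSTATED, 64500, set()))
    print(check_update(RS_PATH, DOUBLE_ZERO, 64499, {64499}))
```

The first rule can only be checked by the AS that peers directly with the sender; ASes further along the path can apply only the run and total limits.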

From shane@castlepoint.net  Thu Jul 28 14:18:05 2011
Return-Path: <shane@castlepoint.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4FC5D11E80FB for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 14:18:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ydCBQzvyOQb9 for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 14:18:04 -0700 (PDT)
Received: from dog.tcb.net (dog.tcb.net [64.78.150.133]) by ietfa.amsl.com (Postfix) with ESMTP id 98B5611E8099 for <sidr@ietf.org>; Thu, 28 Jul 2011 14:18:04 -0700 (PDT)
Received: by dog.tcb.net (Postfix, from userid 0) id 5F685368199; Thu, 28 Jul 2011 15:18:04 -0600 (MDT)
Received: from host2.tcb.net (64.78.235.218 [64.78.235.218]) (authenticated-user smtp) (TLSv1/SSLv3 AES128-SHA 128/128) by dog.tcb.net with SMTP; Thu, 28 Jul 2011 15:18:04 -0600 (MDT) (envelope-from shane@castlepoint.net)
X-Avenger: version=0.7.8; receiver=dog.tcb.net; client-ip=64.78.235.218; client-port=56838; data-bytes=0
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset=us-ascii
From: Shane Amante <shane@castlepoint.net>
In-Reply-To: <D7A0423E5E193F40BE6E94126930C493087C7907B3@MBCLUSTER.xchange.nist.gov>
Date: Thu, 28 Jul 2011 15:18:02 -0600
Content-Transfer-Encoding: quoted-printable
Message-Id: <2C3246E7-A4AD-4335-BCDA-73D98DDB0274@castlepoint.net>
References: <19BD9B69-B1EE-495E-8795-38DDE3BF6D4A@castlepoint.net> <D7A0423E5E193F40BE6E94126930C493087C7907B3@MBCLUSTER.xchange.nist.gov>
To: "Montgomery, Douglas" <dougm@nist.gov>
X-Mailer: Apple Mail (2.1084)
Cc: "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] pCNT & (AS_PATH) prepending: Is it in scope?
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2011 21:18:05 -0000

On Jul 28, 2011, at 1:43 PM, Montgomery, Douglas wrote:

> The discussion so far has not been protecting/validating if prepending *should have* occurred.    BGPSEC protects the AS_PATH.  Prepending occurs in the AS_PATH.  Today's strawman presented one approach to protect the fact that prepending *did* occur (without comment as if it should have occurred).

Right.  But, if BGPSEC is not "commenting" whether AS_PATH prepending should, or should not, have occurred, then wouldn't it be more straightforward to avoid representing AS_PATH prepending in BGPSEC's AS_PATH Attr?  IOW, isn't the intent of the BGPSEC AS_PATH signature to "simply" represent the ASN's over which the BGP UPDATE has travelled?  Why does AS_PATH prepending *need* representation in the BGPSEC AS_PATH Attr, (or, what does it help with wrt BGPSEC)?

The SIDR WG instigated the deprecation of AS_SET's for reasons of simplification.  If WG really believes in simplification, then why does that not apply here wrt AS_PATH prepending?


> With that interpretation, I don't think today's proposal violates the requirement about presuming intent.
>
> This too is good discussion as to what the requirement is.
>
> If we want to protect the common encoding of prepending in the AS_PATH today's strawman provides a simple approach.
>
> I don't know if your example is primarily pointing out another situation where prepending occurs on ingress .... or if you are proposing that we discuss protecting the intent to prepend.
>
> If it is the latter - that is a significant expansion of requirements - and there are no obvious simple enhancements of bgpsec-00 mechanisms that would get us there.

So, I grudgingly agree with the requirement, as written, that a BGPSEC AS_PATH signature should not describe/express intent.  (I'd feel better if the requirement were changed to say "does not" describe/express intent, but I'm not sure there is consensus to do so ...).

Ultimately, my concern is the more "faithfully" the AS_PATH appears to be represented in the BGPSEC AS_PATH Attr (i.e.: it does include AS_PATH prepending), then:
a)  The more potential confusion there might be with operators who aren't well versed in SIDR incorrectly /assuming/ that it does describe intent[1]; and/or,
b)  The more potential/temptation there may be for vendors to use the BGPSEC AS_PATH Attr in BGP path selection (i.e.: as the AS_PATH length tie-breaker) in place of the legacy AS_PATH Attribute.  This has implications wrt control plane scaling w/out any appreciable benefit.

-shane

[1] Yeah, yeah, they should RTFM ...


>
> dougm
>
>
>
>
> Doug Montgomery - Manager Internet and Scalable Systems Research Group / Information Technology Laboratory / NIST
> ________________________________________
> From: sidr-bounces@ietf.org [sidr-bounces@ietf.org] On Behalf Of Shane Amante [shane@castlepoint.net]
> Sent: Thursday, July 28, 2011 3:00 PM
> To: sidr@ietf.org
> Subject: [sidr] pCNT & (AS_PATH) prepending: Is it in scope?
>
> Hi,
>
> I have a question for the WG.  In a series of e-mail exchanges earlier this year, I had thought it was concluded that BGPSEC was merely being used as a means to express that a BGP UPDATE had passed through a series of ASN's, i.e.: it's an expression of a "breadcrumbs", if you will, that can [later] be validated by receivers that are further downstream.  IOW, it's not a validation of the TE policies (e.g.: AS_PATH prepending) applied by ASN's.
>
> I went back to the BGPSEC requirements:
> http://tools.ietf.org/html/draft-ietf-sidr-bgpsec-reqs-00
> ... and, if I look at Req #3.19:
>   3.19  A BGPsec design SHOULD NOT presume to know the intent of the
>         originator of a NLRI, nor that of any AS on the AS Path.
>
> What was the intended meaning of the word "intent"?  I thought that word was meant to say that BGPsec was not intended to validate TE policies that may, or may not, be applied to the NLRI.  If that is correct, then why is the WG looking at signing a BGP attribute that expresses the number of times an ASN may be prepended?  Or, has the WG had a change of direction and I haven't kept up to speed?
>
> I would note that the reason I'm asking the above is that it may not be the originator that is performing AS_PATH prepending.  Specifically, a customer may use a provider's BGP TE communities to ask the provider to perform AS_PATH prepending (selectively) on their behalf.  But, since these BGP TE communities are not signed, then how would a receiver of the NLRI know that an AS_PATH should or should not have been prepended by an intermediate/transit ASN?
>
> Thanks,
>
> -shane
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr


From dougm@nist.gov  Thu Jul 28 15:06:13 2011
Return-Path: <dougm@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE50A11E809D for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 15:06:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.352
X-Spam-Level: 
X-Spam-Status: No, score=-2.352 tagged_above=-999 required=5 tests=[AWL=0.247,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8cU0lICdcahd for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 15:06:13 -0700 (PDT)
Received: from wsget2.nist.gov (wsget2.nist.gov [129.6.13.151]) by ietfa.amsl.com (Postfix) with ESMTP id DAA5411E8081 for <sidr@ietf.org>; Thu, 28 Jul 2011 15:06:12 -0700 (PDT)
Received: from WSXGHUB1.xchange.nist.gov (129.6.18.96) by wsget2.nist.gov (129.6.13.151) with Microsoft SMTP Server (TLS) id 14.1.323.0; Thu, 28 Jul 2011 18:06:20 -0400
Received: from MBCLUSTER.xchange.nist.gov ([fe80::d479:3188:aec0:cb66]) by WSXGHUB1.xchange.nist.gov ([129.6.18.96]) with mapi; Thu, 28 Jul 2011 18:06:12 -0400
From: "Montgomery, Douglas" <dougm@nist.gov>
To: Shane Amante <shane@castlepoint.net>
Date: Thu, 28 Jul 2011 18:05:41 -0400
Thread-Topic: [sidr] pCNT & (AS_PATH) prepending: Is it in scope?
Thread-Index: AcxNa8XSScGcJ857Tc+NRqOoth394QABONWt
Message-ID: <D7A0423E5E193F40BE6E94126930C493087C7907B5@MBCLUSTER.xchange.nist.gov>
References: <19BD9B69-B1EE-495E-8795-38DDE3BF6D4A@castlepoint.net> <D7A0423E5E193F40BE6E94126930C493087C7907B3@MBCLUSTER.xchange.nist.gov>, <2C3246E7-A4AD-4335-BCDA-73D98DDB0274@castlepoint.net>
In-Reply-To: <2C3246E7-A4AD-4335-BCDA-73D98DDB0274@castlepoint.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Cc: "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] pCNT & (AS_PATH) prepending: Is it in scope?
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2011 22:06:14 -0000

Shane,

Just to be clear if you look at my second slide from today ... BGPSEC uses a PATH_SIGs attribute to protect the existing BGP4 AS_PATH attribute.   That is, there is no distinct BGPSEC_AS_PATH.   

Clearly, that could be ... and has been discussed ... done differently.   But in the protocol-00 spec, that is the semantic/encoding.

So the situation is that prepended AS's already appear today in the attribute we are trying to protect.   The protocol-00 spec would have you add a distinct signature for each element (i.e., including prepends) in the AS_PATH.  The design-choices document notes that this was flagged as an issue we would clearly want to revisit and optimize in one way or the other.

But the position we start from is that prepends are already in the AS_PATH and protected by individual Sigs.

If you look at the straw man requirements slide, there are two issues to consider.

1. Avoid duplicating Sigs for prepended AS's in the AS_PATH.

2. Protect prepended AS's with the BGPSEC PATH_Sig.

Those really are two distinct options ... 

If we want:

1, but not 2 - we can just rewrite the sig generation / verification rules to "skip" consecutive repeated AS's.  No need to carry or sign over pCNT.

If we want:

2, but not 1 - do nothing, that is what the protocol-00 spec does now.   1 sig per AS_PATH element, including prepends.

If we want 1 and 2 - you get the strawman proposed today -

Anyway, just wanted to be clear that currently we protect the existing AS_PATH, which already has prepends.

dougm





Doug Montgomery - Manager Internet and Scalable Systems Research Group / Information Technology Laboratory / NIST
________________________________________
From: Shane Amante [shane@castlepoint.net]
Sent: Thursday, July 28, 2011 5:18 PM
To: Montgomery, Douglas
Cc: sidr@ietf.org
Subject: Re: [sidr] pCNT & (AS_PATH) prepending: Is it in scope?

On Jul 28, 2011, at 1:43 PM, Montgomery, Douglas wrote:

> The discussion so far has not been protecting/validating if prepending *should have* occurred.    BGPSEC protects the AS_PATH.  Prepending occurs in the AS_PATH.  Today's strawman presented one approach to protect the fact that prepending *did* occur (without comment as if it should have occurred).

Right.  But, if BGPSEC is not "commenting" whether AS_PATH prepending should, or should not, have occurred, then wouldn't it be more straightforward to avoid representing AS_PATH prepending in BGPSEC's AS_PATH Attr?  IOW, isn't the intent of the BGPSEC AS_PATH signature to "simply" represent the ASN's over which the BGP UPDATE has travelled?  Why does AS_PATH prepending *need* representation in the BGPSEC AS_PATH Attr, (or, what does it help with wrt BGPSEC)?

The SIDR WG instigated the deprecation of AS_SET's for reasons of simplification.  If WG really believes in simplification, then why does that not apply here wrt AS_PATH prepending?


> With that interpretation, I don't think today's proposal violates the requirement about presuming intent.
>
> This too is good discussion as to what the requirement is.
>
> If we want to protect the common encoding of prepending in the AS_PATH today's strawman provides a simple approach.
>
> I don't know if your example is primarily pointing out another situation where prepending occurs on ingress .... or if you are proposing that we discuss protecting the intent to prepend.
>
> If it is the latter - that is a significant expansion of requirements - and there are no obvious simple enhancements of bgpsec-00 mechanisms that would get us there.

So, I grudgingly agree with the requirement, as written, that a BGPSEC AS_PATH signature should not describe/express intent.  (I'd feel better if the requirement were changed to say "does not" describe/express intent, but I'm not sure there is consensus to do so ...).

Ultimately, my concern is the more "faithfully" the AS_PATH appears to be represented in the BGPSEC AS_PATH Attr (i.e.: it does include AS_PATH prepending), then:
a)  The more potential confusion there might be with operators who aren't well versed in SIDR incorrectly /assuming/ that it does describe intent[1]; and/or,
b)  The more potential/temptation there may be for vendors to use the BGPSEC AS_PATH Attr in BGP path selection (i.e.: as the AS_PATH length tie-breaker) in place of the legacy AS_PATH Attribute.  This has implications wrt control plane scaling w/out any appreciable benefit.

-shane

[1] Yeah, yeah, they should RTFM ...


>
> dougm
>
>
>
>
> Doug Montgomery - Manager Internet and Scalable Systems Research Group / Information Technology Laboratory / NIST
> ________________________________________
> From: sidr-bounces@ietf.org [sidr-bounces@ietf.org] On Behalf Of Shane Amante [shane@castlepoint.net]
> Sent: Thursday, July 28, 2011 3:00 PM
> To: sidr@ietf.org
> Subject: [sidr] pCNT & (AS_PATH) prepending: Is it in scope?
>
> Hi,
>
> I have a question for the WG.  In a series of e-mail exchanges earlier this year, I had thought it was concluded that BGPSEC was merely being used as a means to express that a BGP UPDATE had passed through a series of ASN's, i.e.: it's an expression of a "breadcrumbs", if you will, that can [later] be validated by receivers that are further downstream.  IOW, it's not a validation of the TE policies (e.g.: AS_PATH prepending) applied by ASN's.
>
> I went back to the BGPSEC requirements:
> http://tools.ietf.org/html/draft-ietf-sidr-bgpsec-reqs-00
> ... and, if I look at Req #3.19:
>   3.19  A BGPsec design SHOULD NOT presume to know the intent of the
>         originator of a NLRI, nor that of any AS on the AS Path.
>
> What was the intended meaning of the word "intent"?  I thought that word was meant to say that BGPsec was not intended to validate TE policies that may, or may not, be applied to the NLRI.  If that is correct, then why is the WG looking at signing a BGP attribute that expresses the number of times an ASN may be prepended?  Or, has the WG had a change of direction and I haven't kept up to speed?
>
> I would note that the reason I'm asking the above is that it may not be the originator that is performing AS_PATH prepending.  Specifically, a customer may use a provider's BGP TE communities to ask the provider to perform AS_PATH prepending (selectively) on their behalf.  But, since these BGP TE communities are not signed, then how would a receiver of the NLRI know that an AS_PATH should or should not have been prepended by an intermediate/transit ASN?
>
> Thanks,
>
> -shane
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr


From rogaglia@cisco.com  Thu Jul 28 15:21:08 2011
Return-Path: <rogaglia@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0AD745E8017 for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 15:21:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level: 
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nAPU1BKrM4u6 for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 15:21:07 -0700 (PDT)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) by ietfa.amsl.com (Postfix) with ESMTP id 125215E800E for <sidr@ietf.org>; Thu, 28 Jul 2011 15:21:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=rogaglia@cisco.com; l=10729; q=dns/txt; s=iport; t=1311891667; x=1313101267; h=subject:mime-version:from:in-reply-to:date:cc:message-id: references:to; bh=gAxijWliR+W82kZnvwT1+mPP44h4gm3+srQrpaxqEko=; b=U0KjAyZR8GY30FXrw5i33oaABnKvDhkhs1i/rErKAJr0K//F+VCT2jsM q8aX+yih0gwzBemH83ctn/mnjJ3QDFkzK7Iww/2p8CbqpyM0EPBDkHdOT 1xy+mAVLApE3VBDbL8G7xkKLL7jNBFNjo4dsnyBd0ZT5aDWPNTQGPda2L o=;
X-Files: smime.p7s : 4389
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av4EAJnfMU6rRDoI/2dsb2JhbAA1AQEBAQIBAQEBEQFlCwUMDAROAhIYOQcXJ6c1d4h8BKRGnjuFYl8EknmRAA
X-IronPort-AV: E=Sophos;i="4.67,284,1309737600";  d="p7s'?scan'208,217";a="7564248"
Received: from mtv-core-3.cisco.com ([171.68.58.8]) by rcdn-iport-2.cisco.com with ESMTP; 28 Jul 2011 22:21:06 +0000
Received: from sjc-vpn7-1108.cisco.com (sjc-vpn7-1108.cisco.com [10.21.148.84]) by mtv-core-3.cisco.com (8.14.3/8.14.3) with ESMTP id p6SML5uc030815; Thu, 28 Jul 2011 22:21:05 GMT
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: multipart/signed; boundary=Apple-Mail-268-724499598; protocol="application/pkcs7-signature"; micalg=sha1
From: Roque Gagliano <rogaglia@cisco.com>
In-Reply-To: <p0624080fca572d4618ba@[130.129.71.153]>
Date: Thu, 28 Jul 2011 18:21:01 -0400
Message-Id: <7BF9E3EF-B784-43AB-95FC-137AB9C627A0@cisco.com>
References: <3E7A5153-26C1-4974-9A1B-33AB92FCD657@tcb.net> <p0624080fca572d4618ba@[130.129.71.153]>
To: Stephen Kent <kent@bbn.com>
X-Mailer: Apple Mail (2.1084)
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] pCNT & prepending
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2011 22:21:08 -0000

--Apple-Mail-268-724499598
Content-Type: multipart/alternative;
	boundary=Apple-Mail-267-724496693


--Apple-Mail-267-724496693
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

> I think Roque's suggestion of an EKU to mark an EE cert as being associated with a route server is helpful here.  Yes, this is a self-assertion, and thus not authoritative.
> But, it could be a convenient mechanism to assist in configuration for checking when it's OK to receive an update with a 0 pCNT value. Specifically, if we agree that an ISP knows when a configured peer is an RS, then we can mandate that an ISP check to make sure that an update received from a peer with a 0 pCNT is, in fact, coming from what it believes is an RS. Having a marker in a cert that says "HI, I'm an RS" at least makes this intent clear.  (One also could imagine that, since IXPs are well known and the route servers at IXPs are known, a third party could scan the RPKI looking for certs that claim to be associated with RSes, and checking to see if they appear to be legit.)

About this last statement, the RIRs keep a list of IP Addresses for the IXPs, we could ask them to sign that list and include their ASN to increase the "confidence" that they really are RS. This could be checked by the validator.

Roque


> BGPSEC also could mandate some configuration capabilities that enable ASes further along a path to filter routes based on 0 pCNT values in a path. For example, one might say that any AS can be configured to drop a route with 2 or more 0 pCNT hops in a row, or more than 2 total, or whatever.  If we can reach agreement on any general rules with regard to 0 pCNT values, these rules can become part of the validation standard.
>
> Steve


--Apple-Mail-267-724496693--

--Apple-Mail-268-724499598--
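The 0 pCNT checks proposed in the quoted text above, written out as an added example; it is not part of any message in this thread or of any BGPsec implementation. `Hop`, `ZeroPcntPolicy` and `check_path` are hypothetical names, the limits are the ones floated in the quote ("2 or more in a row", "more than 2 total"), and treating the effective path length as the sum of the pCNT values is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Hop:
    asn: int   # AS that signed this hop
    pcnt: int  # signed count for this AS; 0 = not counted in path length

@dataclass(frozen=True)
class ZeroPcntPolicy:
    rs_peers: frozenset       # peers this router has configured as route servers
    max_consecutive: int = 1  # "2 or more 0 pCNT hops in a row" is dropped
    max_total: int = 2        # "more than 2 total" is dropped

def check_path(path, policy):
    """path[0] is the directly connected peer, path[-1] the origin.
    Returns (accepted, reason, effective_path_length)."""
    if not path or any(h.pcnt < 0 for h in path):
        return False, "malformed", 0
    # Assumption: effective length is the sum of the signed counts.
    length = sum(h.pcnt for h in path)
    peer = path[0]
    # Local check: only a peer we believe is an RS may hand us a 0 pCNT.
    if peer.pcnt == 0 and peer.asn not in policy.rs_peers:
        return False, "zero-from-non-rs", length
    # Hops further along cannot be matched to local config; apply the caps.
    run = total = 0
    for hop in path:
        if hop.pcnt != 0:
            run = 0
            continue
        run += 1
        total += 1
        if run > policy.max_consecutive:
            return False, "zero-run", length
    if total > policy.max_total:
        return False, "zero-total", length
    return True, "ok", length

# Constructed sample paths; ASNs are from the documentation range.
POLICY = ZeroPcntPolicy(rs_peers=frozenset({64500}))
SAMPLES = {
    "via_rs": [Hop(64500, 0), Hop(64501, 1), Hop(64502, 3)],
    "non_rs_zero": [Hop(64510, 0), Hop(64501, 1)],
    "two_in_a_row": [Hop(64500, 0), Hop(64503, 0), Hop(64501, 1)],
    "three_total": [Hop(64500, 0), Hop(64501, 1), Hop(64504, 0),
                    Hop(64502, 1), Hop(64505, 0), Hop(64506, 1)],
}

if __name__ == "__main__":
    for name, path in SAMPLES.items():
        print(name, check_path(path, POLICY))
```

Only the first hop can be tied to local configuration; a 0 pCNT further along the path is bounded by the two caps alone, which is why the self-asserted RS marker discussed above matters to downstream validators.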

From randy@psg.com  Thu Jul 28 16:15:37 2011
Return-Path: <randy@psg.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD32B21F8B32 for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 16:15:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.52
X-Spam-Level: 
X-Spam-Status: No, score=-2.52 tagged_above=-999 required=5 tests=[AWL=0.079,  BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m0zZQx5Ps4-L for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 16:15:37 -0700 (PDT)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:1::36]) by ietfa.amsl.com (Postfix) with ESMTP id 544B321F8B1C for <sidr@ietf.org>; Thu, 28 Jul 2011 16:15:37 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=rair.psg.com.psg.com) by ran.psg.com with esmtp (Exim 4.76 (FreeBSD)) (envelope-from <randy@psg.com>) id 1QmZnh-000DoJ-UE; Thu, 28 Jul 2011 23:15:34 +0000
Date: Thu, 28 Jul 2011 19:15:32 -0400
Message-ID: <m2fwlq80a3.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Shane Amante <shane@castlepoint.net>
In-Reply-To: <2C3246E7-A4AD-4335-BCDA-73D98DDB0274@castlepoint.net>
References: <19BD9B69-B1EE-495E-8795-38DDE3BF6D4A@castlepoint.net> <D7A0423E5E193F40BE6E94126930C493087C7907B3@MBCLUSTER.xchange.nist.gov> <2C3246E7-A4AD-4335-BCDA-73D98DDB0274@castlepoint.net>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Cc: "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] pCNT & (AS_PATH) prepending: Is it in scope?
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2011 23:15:38 -0000

> The SIDR WG instigated the deprecation of AS_SET's for reasons of
> simplification.  If WG really believes in simplification, then why
> does that not apply here wrt AS_PATH prepending?

as sets are essentially unused.  path prepending is widely used.

randy

From chris.hall@highwayman.com  Thu Jul 28 17:42:53 2011
Return-Path: <chris.hall@highwayman.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A35621F8B7A for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 17:42:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uRglQmz9bqtQ for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 17:42:53 -0700 (PDT)
Received: from anchor-post-2.mail.demon.net (anchor-post-2.mail.demon.net [195.173.77.133]) by ietfa.amsl.com (Postfix) with ESMTP id DF6FB21F8B79 for <sidr@ietf.org>; Thu, 28 Jul 2011 17:42:52 -0700 (PDT)
Received: from [80.177.246.162] (helo=hestia.halldom.com) by anchor-post-2.mail.demon.net with esmtp (Exim 4.69) id 1QmbAB-0006vg-lm; Fri, 29 Jul 2011 00:42:51 +0000
Received: from modemcable058.242-23-96.mc.videotron.ca ([96.23.242.58] helo=HYPERION) by hestia.halldom.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.76) (envelope-from <chris.hall@highwayman.com>) id 1QmbAA-0000ip-VK; Fri, 29 Jul 2011 01:42:51 +0100
From: "Chris Hall" <chris.hall@highwayman.com>
To: "'Doug Montgomery'" <dougm.tlist@gmail.com>, "'Doug Montgomery'" <dougm@nist.gov>
References: <A29C8509-5F88-46BD-888F-E2C6650FEAD7@highwayman.com> <CA56FC4F.5AC4E%dougm.tlist@gmail.com>
In-Reply-To: <CA56FC4F.5AC4E%dougm.tlist@gmail.com>
Date: Thu, 28 Jul 2011 20:42:44 -0400
Organization: Highwayman
Message-ID: <04fb01cc4d88$725b9f80$5712de80$@highwayman.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQDeXYLmELunLwCpVGoLmXsXA0K8YZbeUebw
Content-Language: en-gb
Cc: 'sidr wg list' <sidr@ietf.org>
Subject: Re: [sidr] pCNT & prepending
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jul 2011 00:42:53 -0000

Doug Montgomery wrote (on Thu 28-Jul-2011 at 11:54 -0500);
...
> I think we would all benefit from your offer to survey the RS
> community to see if solutions that did not affect PATH_LENGTH but do
> make the RS AS# visible somewhere in the protocol (we can quibble
> about the syntax of carrying that in AS_PATH vs PATH_SIGs later).

Will do.

Chris


From gih@apnic.net  Thu Jul 28 17:54:26 2011
Return-Path: <gih@apnic.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74FAF11E8116 for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 17:54:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.154
X-Spam-Level: 
X-Spam-Status: No, score=-102.154 tagged_above=-999 required=5 tests=[AWL=0.445, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kIsi47SXNkHw for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2011 17:54:26 -0700 (PDT)
Received: from asmtp.apnic.net (asmtp.apnic.net [IPv6:2001:dc0:2001:11::199]) by ietfa.amsl.com (Postfix) with ESMTP id 5896811E80C7 for <sidr@ietf.org>; Thu, 28 Jul 2011 17:54:25 -0700 (PDT)
Received: from dhcp-4331.meeting.ietf.org (dhcp-4331.meeting.ietf.org [130.129.67.49]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by asmtp.apnic.net (Postfix) with ESMTP id 79E85B673D; Fri, 29 Jul 2011 10:54:22 +1000 (EST)
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset=us-ascii
From: Geoff Huston <gih@apnic.net>
In-Reply-To: <7BF9E3EF-B784-43AB-95FC-137AB9C627A0@cisco.com>
Date: Fri, 29 Jul 2011 10:53:03 +1000
Content-Transfer-Encoding: quoted-printable
Message-Id: <10F216FC-2573-41A9-9E4A-8A44FA4AC87E@apnic.net>
References: <3E7A5153-26C1-4974-9A1B-33AB92FCD657@tcb.net> <p0624080fca572d4618ba@[130.129.71.153]> <7BF9E3EF-B784-43AB-95FC-137AB9C627A0@cisco.com>
To: Roque Gagliano <rogaglia@cisco.com>
X-Mailer: Apple Mail (2.1084)
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] pCNT & prepending
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jul 2011 00:54:26 -0000

On 29/07/2011, at 8:21 AM, Roque Gagliano wrote:

>> I think Roque's suggestion of an EKU to mark an EE cert as being associated with a route server is helpful here.  Yes, this is a self-assertion, and thus not authoritative.
>> But, it could be a convenient mechanism to assist in configuration for checking when it's OK to receive an update with a 0 pCNT value. Specifically, if we agree that an ISP knows when a configured peer is an RS, then we can mandate that an ISP check to make sure that an update received from a peer with a 0 pCNT is, in fact, coming from what it believes is an RS. Having a marker in a cert that says "HI, I'm an RS" at least makes this intent clear.  (One also could imagine that, since IXPs are well known and the route servers at IXPs are known, a third party could scan the RPKI looking for certs that claim to be associated with RSes, and checking to see if they appear to be legit.)
>
> About this last statement, the RIRs keep a list of IP Addresses for the IXPs, we could ask them to sign that list and include their ASN to increase the "confidence" that they really are RS. This could be checked by the validator.
>

I am not sure that the RIRs really are appropriate reference points as to the _purpose_ to which ASes are put to use from day to day, and much the same applies to the purpose of the use of IP addresses in routing.

I suggest that it would be perhaps better to look elsewhere and even to examine the validity of the assumed need for the injection of additional mechanisms of confidence into what I would phrase as a "policy conformance" issue rather than a "detection of lying in routing" issue.

  Geoff


