From iesg-secretary@ietf.org Thu Jan 2 09:21:55 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F9AC1AD9AD; Thu, 2 Jan 2014 09:21:55 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.9 X-Spam-Level: X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YficKarwsB7u; Thu, 2 Jan 2014 09:21:53 -0800 (PST) Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E5901ADF88; Thu, 2 Jan 2014 09:21:51 -0800 (PST) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: The IESG To: IETF-Announce X-Test-IDTracker: no X-IETF-IDTracker: 4.90 Auto-Submitted: auto-generated Precedence: bulk Message-ID: <20140102172151.20576.48012.idtracker@ietfa.amsl.com> Date: Thu, 02 Jan 2014 09:21:51 -0800 Cc: sidr mailing list , sidr chair , RFC Editor Subject: [sidr] Document Action: 'RPKI Router Implementation Report' to Informational RFC (draft-ietf-sidr-rpki-rtr-impl-05.txt) X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Jan 2014 17:21:55 -0000 The IESG has approved the following document: - 'RPKI Router Implementation Report' (draft-ietf-sidr-rpki-rtr-impl-05.txt) as Informational RFC This document is the product of the Secure Inter-Domain Routing Working Group. The IESG contact persons are Stewart Bryant and Adrian Farrel. A URL of this Internet Draft is: http://datatracker.ietf.org/doc/draft-ietf-sidr-rpki-rtr-impl/ Technical Summary This document is an implementation report for the RPKI Router protocol as defined in [RFC6810]. The editor did not verify the accuracy of the information provided by respondents. The respondents are experts with the implementations they reported on, and their responses are considered authoritative for the implementations for which their responses represent. Respondents were asked to only use the YES answer if the feature had at least been tested in the lab. Working Group Summary This is a survey of existing implementations, so not a matter subject to much opinion or dispute. Discussion on the working group list was minimal. Document Quality As stated, the draft is a survey of implementations of a protocol. The respondants were trusted to provide true and accurate answers to the survey. There were few responses to the wg last call, but the three co-chairs have all reviewed the draft and believe it is ready for publication. The draft is well written and organized. As an informational survey document, there will not be implementations. However, the document does report on implementations. There were no substantive issues. One reviewer did point to an implementation that was not covered in an early version and that implementation was added to the survey. Personnel The Document Shepherd is Sandra Murphy. The Responsible Area Director is Stewart Bryant. RFC Editor Note In abstract s/[RFC6810]/RFC6810/ From iesg-secretary@ietf.org Thu Jan 2 09:23:32 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83B7F1ADDD0; Thu, 2 Jan 2014 09:23:32 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.9 X-Spam-Level: X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aj-cmRPRlBhc; Thu, 2 Jan 2014 09:23:30 -0800 (PST) Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id C89061AE30F; Thu, 2 Jan 2014 09:23:27 -0800 (PST) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: The IESG To: IETF-Announce X-Test-IDTracker: no X-IETF-IDTracker: 4.90 Auto-Submitted: auto-generated Precedence: bulk Message-ID: <20140102172327.20607.40349.idtracker@ietfa.amsl.com> Date: Thu, 02 Jan 2014 09:23:27 -0800 Cc: sidr mailing list , sidr chair , RFC Editor Subject: [sidr] Document Action: 'Threat Model for BGP Path Security' to Informational RFC (draft-ietf-sidr-bgpsec-threats-09.txt) X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Jan 2014 17:23:32 -0000 The IESG has approved the following document: - 'Threat Model for BGP Path Security' (draft-ietf-sidr-bgpsec-threats-09.txt) as Informational RFC This document is the product of the Secure Inter-Domain Routing Working Group. The IESG contact persons are Stewart Bryant and Adrian Farrel. A URL of this Internet Draft is: http://datatracker.ietf.org/doc/draft-ietf-sidr-bgpsec-threats/ Technical Summary SIDR was re-chartered to develop solutions for a specific BGP security problem, i.e., how to enable an AS to verify that the AS_Path represented in BGP route is the same as the path through which the NLRI travelled. This document examines threats and attacks on BGP relative to this goal. It begins with a brief characterization of threats (motivated, capable adversaries) and then describes classes of attacks. The attack characterization focuses on elements of the routing system, including the RPKI and likely approaches to path security. (The current SIDR charter calls for building upon the RPKI, hence its inclusion in this document.) The document ends with a brief discussion of residual vulnerabilities, e.g. routing security concerns that are outside the scope of SIDR’s charter. Working Group Summary SIDR was initially chartered to develop standards to enable network operators to verify route origin assertions propagated via BGP. It published a set of RFCs (6480-93) that addressed this initial problem statement. Initial versions of the threat document and the requirements document were published at about the same time (June 2011). A threat document is nominally a precursor for a requirements document, but there was an informal understanding of the threats to be addressed, which permitted parallel development of these documents, by different sets of authors. Document Quality The document is clearly written and well organized. Personnel Alexey Melnikov is the Document Shepherd. Stewart Bryant is the Responsible Area Director. RFC Editor Note Please Delete: "8. Acknowledgements TBD " From internet-drafts@ietf.org Fri Jan 3 12:50:02 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A50FD1ADFCA; Fri, 3 Jan 2014 12:50:02 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.9 X-Spam-Level: X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id inSBhq32_eEg; Fri, 3 Jan 2014 12:50:01 -0800 (PST) Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 78FAC1ADD02; Fri, 3 Jan 2014 12:50:01 -0800 (PST) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable From: internet-drafts@ietf.org To: i-d-announce@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 4.90.p1 Auto-Submitted: auto-generated Precedence: bulk Message-ID: <20140103205001.11171.46274.idtracker@ietfa.amsl.com> Date: Fri, 03 Jan 2014 12:50:01 -0800 Cc: sidr@ietf.org Subject: [sidr] I-D Action: draft-ietf-sidr-bgpsec-reqs-09.txt X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Jan 2014 20:50:02 -0000 A New Internet-Draft is available from the on-line Internet-Drafts director= ies. This draft is a work item of the Secure Inter-Domain Routing Working Group= of the IETF. Title : Security Requirements for BGP Path Validation Authors : Steven M. Bellovin Randy Bush David Ward Filename : draft-ietf-sidr-bgpsec-reqs-09.txt Pages : 9 Date : 2014-01-03 Abstract: This document describes requirements for a BGP security protocol design to provide cryptographic assurance that the origin AS had the right to announce the prefix and to provide assurance of the AS Path of the announcement. The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-sidr-bgpsec-reqs/ There's also a htmlized version available at: http://tools.ietf.org/html/draft-ietf-sidr-bgpsec-reqs-09 A diff from the previous version is available at: http://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-sidr-bgpsec-reqs-09 Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ From randy@psg.com Fri Jan 3 15:21:22 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 294511ADFEF for ; Fri, 3 Jan 2014 15:21:22 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.438 X-Spam-Level: X-Spam-Status: No, score=-2.438 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.538] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1_8fih1KwJTE for ; Fri, 3 Jan 2014 15:21:20 -0800 (PST) Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:8006::18]) by ietfa.amsl.com (Postfix) with ESMTP id B3CC41ADFD7 for ; Fri, 3 Jan 2014 15:21:20 -0800 (PST) Received: from localhost ([127.0.0.1] helo=ryuu.psg.com.psg.com) by ran.psg.com with esmtp (Exim 4.76) (envelope-from ) id 1VzE3E-0004Ad-HZ for sidr@ietf.org; Fri, 03 Jan 2014 23:21:13 +0000 Date: Fri, 03 Jan 2014 13:21:11 -1000 Message-ID: From: Randy Bush To: sidr wg list In-Reply-To: <20140103205001.11171.46274.idtracker@ietfa.amsl.com> References: <20140103205001.11171.46274.idtracker@ietfa.amsl.com> User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI) MIME-Version: 1.0 (generated by SEMI 1.14.7 - "Harue") Content-Type: multipart/signed; boundary="pgp-sign-Multipart_Fri_Jan__3_13:21:06_2014-1"; micalg=pgp-sha512; protocol="application/pgp-signature" Content-Transfer-Encoding: 7bit Subject: Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-reqs-09.txt X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Jan 2014 23:21:22 -0000 --pgp-sign-Multipart_Fri_Jan__3_13:21:06_2014-1 Content-Type: text/plain; charset=US-ASCII added 3.3 BGP attributes other than the AS_PATH are used only locally, or have meaning only between immediate neighbors, may be modified by intermediate systems, and figure less prominently in the decision process. Consequently, it is not appropriate to try to protect such attributes in a BGPsec design. randy --pgp-sign-Multipart_Fri_Jan__3_13:21:06_2014-1 Content-Type: application/pgp-signature Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (Darwin) Comment: GPGTools - http://gpgtools.org iQEcBAABCgAGBQJSx0XnAAoJEMzMBey4OgLtP+AH/32ojMk4WwKBUIvJReFeLahs B5RTguwU5ZC6XwRv77Sxc3hQ5WFgYWVjX8mTRv6WAE9WsmjYvCtnD6KFmh5Oz2jz KVIkTygHFQGk1O2/fw/CkOKe8Cs0ZqMGxnqJebiRLTLt+s/D14bqozBVP2EMTHFA 6f6gw2n4EW8ofUMOI+CfEGaF2oL/IB0dLLPKuxL4PXWDA5vEjtKzuEEw6WEA40u5 w67vqNYExi6CW8bHhaozqJbaT7LkrxDW8HcCoVhfNba5jtQzgaoO0j2SBNTcxqQy zpXVapK34Jf3AiPLkQElQZxxmLonvZFueDudQ0HxOXHmp/xfO5OiBDOkVQQ3+d4= =RQQT -----END PGP SIGNATURE----- --pgp-sign-Multipart_Fri_Jan__3_13:21:06_2014-1-- From prvs=6087a38d63=sandra.murphy@parsons.com Fri Jan 10 12:33:25 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 061CD1AE145 for ; Fri, 10 Jan 2014 12:33:25 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.439 X-Spam-Level: X-Spam-Status: No, score=-2.439 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.538, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sIDxb15QpUZ4 for ; Fri, 10 Jan 2014 12:33:23 -0800 (PST) Received: from txdal11mx03.parsons.com (txdal11mx03.parsons.com [206.219.199.111]) by ietfa.amsl.com (Postfix) with ESMTP id 52D521AE134 for ; Fri, 10 Jan 2014 12:33:23 -0800 (PST) Received: from pps.filterd (txdal11mx03 [127.0.0.1]) by txdal11mx03.parsons.com (8.14.5/8.14.5) with SMTP id s0AKTft6010330; Fri, 10 Jan 2014 14:33:13 -0600 Received: from uther.sparta.com (uther.sparta.com [157.185.0.2]) by txdal11mx03.parsons.com with ESMTP id 1hajy225t0-1 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NOT); Fri, 10 Jan 2014 14:33:13 -0600 Received: from durin.laguna.sparta.com ([10.62.216.7]) by Uther.sparta.com (8.13.8/8.13.8) with ESMTP id s0AKX96C024804; Fri, 10 Jan 2014 12:33:09 -0800 Received: from kraven.huntsville.ads.sparta.com ([10.62.8.137]) by durin.laguna.sparta.com (8.13.8/8.13.8) with ESMTP id s0AKX8nI009315; Fri, 10 Jan 2014 12:33:09 -0800 Received: from HSV-MB002.huntsville.ads.sparta.com ([fe80::2521:a783:a30c:d057]) by kraven.huntsville.ads.sparta.com ([::1]) with mapi id 14.02.0342.003; Fri, 10 Jan 2014 14:33:08 -0600 From: "Murphy, Sandra" To: Chris Morrow , "sidr-chairs@tools.ietf.org" , sidr wg list Thread-Topic: WG Adoption: draft-ymbk-lta-use-cases Thread-Index: AQHO6xGReFLB3eVNzESqWt0J42rjVpp+r1FN Date: Fri, 10 Jan 2014 20:33:08 +0000 Message-ID: <24B20D14B2CD29478C8D5D6E9CBB29F678F1DBD3@HSV-MB002.huntsville.ads.sparta.com> References: <52954D51.5020808@ops-netman.net> In-Reply-To: <52954D51.5020808@ops-netman.net> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.185.61.33] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.87, 1.0.14, 0.0.0000 definitions=2014-01-10_07:2014-01-10,2014-01-10,1970-01-01 signatures=0 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 kscore.is_bulkscore=0 kscore.compositescore=0 circleOfTrustscore=84.1112099950422 compositescore=0.01888822098199 urlsuspect_oldscore=0.231420553165966 suspectscore=0 recipient_domain_to_sender_totalscore=4066 phishscore=0 bulkscore=0 kscore.is_spamscore=0 recipient_to_sender_totalscore=11 recipient_domain_to_sender_domain_totalscore=12528 rbsscore=0.01888822098199 spamscore=0 recipient_to_sender_domain_totalscore=12 urlsuspectscore=0.1 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1305240000 definitions=main-1401100141 Subject: Re: [sidr] WG Adoption: draft-ymbk-lta-use-cases X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 10 Jan 2014 20:33:25 -0000 There were four responses to this adoption call, all positive. But four is= not a strong indication of wg wishes here.=0A= =0A= Can others please look at this and speak up as to whether you do or do not = support adoption?=0A= =0A= Recall: silence does not indicate interest.=0A= =0A= We give this another two weeks (for people who are taking a Christmas prese= nt holiday in some warm climate).=0A= =0A= Repond by 24 Jan 2014. Please.=0A= =0A= --Sandy, speaking as wg co-chair=0A= ________________________________________=0A= From: Chris Morrow [morrowc@ops-netman.net]=0A= Sent: Tuesday, November 26, 2013 8:39 PM=0A= To: sidr-chairs@tools.ietf.org; sidr wg list=0A= Subject: WG Adoption: draft-ymbk-lta-use-cases=0A= =0A= Howdy gentle WG folks,=0A= The authors of:=0A= =0A= =0A= are interested in starting a WG Adoption call for this piece of scribed=0A= text. It would be good if other folk also agreed about the adoption.=0A= =0A= The abstract says:=0A= "There are a number of critical circumstances where a localized=0A= routing domain needs to augment or modify the Global RPKI. This=0A= document attempts to outline a few of them."=0A= =0A= Please consider this a 'WG Adoption' call, and let's attempt to close=0A= this out by:=0A= 12/9/2013 or 9/12/2013 or Ninth December Twenty-Thirteen or ... you=0A= get the point, see you in 2 weeks with (hopefully) clear direction from=0A= the folks behind the emailz.=0A= =0A= -chris=0A= co-chair=0A= From prvs=6087a38d63=sandra.murphy@parsons.com Fri Jan 10 12:44:41 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4109D1AE11B for ; Fri, 10 Jan 2014 12:44:41 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.439 X-Spam-Level: X-Spam-Status: No, score=-2.439 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.538, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VvNcdrZ9-oS1 for ; Fri, 10 Jan 2014 12:44:40 -0800 (PST) Received: from txdal11mx03.parsons.com (txdal11mx03.parsons.com [206.219.199.111]) by ietfa.amsl.com (Postfix) with ESMTP id 2BFAE1AE116 for ; Fri, 10 Jan 2014 12:44:40 -0800 (PST) Received: from pps.filterd (txdal11mx03 [127.0.0.1]) by txdal11mx03.parsons.com (8.14.5/8.14.5) with SMTP id s0AKeqIY021663 for ; Fri, 10 Jan 2014 14:44:30 -0600 Received: from m4.sparta.com (m4.sparta.com [157.185.61.2]) by txdal11mx03.parsons.com with ESMTP id 1hajy227an-1 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NOT) for ; Fri, 10 Jan 2014 14:44:29 -0600 Received: from Beta5.sparta.com ([10.62.8.21]) by M4.sparta.com (8.14.4/8.14.4) with ESMTP id s0AKiSle004014 for ; Fri, 10 Jan 2014 14:44:28 -0600 Received: from HSV-CAS004.huntsville.ads.sparta.com ([10.62.8.148]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id s0AKiDL7002267 for ; Fri, 10 Jan 2014 14:44:13 -0600 Received: from HSV-MB002.huntsville.ads.sparta.com ([fe80::2521:a783:a30c:d057]) by HSV-CAS004.huntsville.ads.sparta.com ([fe80::d00f:c039:2622:2252%11]) with mapi id 14.02.0347.000; Fri, 10 Jan 2014 14:44:09 -0600 From: "Murphy, Sandra" To: "sidr@ietf.org" Thread-Topic: about draft-ietf-sidr-rtr-keying-04 Thread-Index: Ac8OQ/g1ISU0xGdARKi9HJAYBcJD9Q== Date: Fri, 10 Jan 2014 20:44:07 +0000 Message-ID: <24B20D14B2CD29478C8D5D6E9CBB29F678F1DBE8@HSV-MB002.huntsville.ads.sparta.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.185.61.33] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.87, 1.0.14, 0.0.0000 definitions=2014-01-10_07:2014-01-10,2014-01-10,1970-01-01 signatures=0 X-Proofpoint-Spam-Details: rule=notspam policy=default score=1 kscore.is_bulkscore=0 kscore.compositescore=0 circleOfTrustscore=230.336 compositescore=0.0475211685653588 urlsuspect_oldscore=0.475211685653588 suspectscore=0 recipient_domain_to_sender_totalscore=4066 phishscore=0 bulkscore=1 kscore.is_spamscore=1 recipient_to_sender_totalscore=0 recipient_domain_to_sender_domain_totalscore=12528 rbsscore=0.0475211685653588 spamscore=1 recipient_to_sender_domain_totalscore=0 urlsuspectscore=0.3 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1305240000 definitions=main-1401100143 Subject: [sidr] about draft-ietf-sidr-rtr-keying-04 X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 10 Jan 2014 20:44:41 -0000 The draft draft-ietf-sidr-rtr-keying-04 has grown over time, mostly from th= e author's energy, not wg discussion.=0A= =0A= But this is an important and subtle issue.=0A= =0A= The latest version was submitted 17 Dec. There's a section called "Key rol= lover" which says only "TBD".=0A= =0A= Could the wg please look at this document carefully and provide the author = with some sort of feedback?=0A= =0A= "good work, nice job" would at least be reassuring that the wg was paying a= ttention.=0A= =0A= --Sandy, speaking as wg co-chair=0A= From randy@psg.com Fri Jan 10 17:25:33 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A94F1AD957 for ; Fri, 10 Jan 2014 17:25:33 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.438 X-Spam-Level: X-Spam-Status: No, score=-2.438 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.538] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SryNTKtmL4Zo for ; Fri, 10 Jan 2014 17:25:28 -0800 (PST) Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:8006::18]) by ietfa.amsl.com (Postfix) with ESMTP id CBAE21AC828 for ; Fri, 10 Jan 2014 17:25:28 -0800 (PST) Received: from localhost ([127.0.0.1] helo=ryuu.psg.com.psg.com) by ran.psg.com with esmtp (Exim 4.76) (envelope-from ) id 1W1nK9-0005gF-Td; Sat, 11 Jan 2014 01:25:18 +0000 Date: Sat, 11 Jan 2014 10:25:16 +0900 Message-ID: From: Randy Bush To: Sandra Murphy In-Reply-To: <24B20D14B2CD29478C8D5D6E9CBB29F678F1DBD3@HSV-MB002.huntsville.ads.sparta.com> References: <52954D51.5020808@ops-netman.net> <24B20D14B2CD29478C8D5D6E9CBB29F678F1DBD3@HSV-MB002.huntsville.ads.sparta.com> User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI) MIME-Version: 1.0 (generated by SEMI 1.14.7 - "Harue") Content-Type: multipart/signed; boundary="pgp-sign-Multipart_Sat_Jan_11_10:25:12_2014-1"; micalg=pgp-sha512; protocol="application/pgp-signature" Content-Transfer-Encoding: 7bit Cc: sidr wg list Subject: Re: [sidr] WG Adoption: draft-ymbk-lta-use-cases X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 11 Jan 2014 01:25:33 -0000 --pgp-sign-Multipart_Sat_Jan_11_10:25:12_2014-1 Content-Type: text/plain; charset=US-ASCII > There were four responses to this adoption call, all positive. But > four is not a strong indication of wg wishes here. note that the wg meeting in berlin asked for a requirements draft randy --pgp-sign-Multipart_Sat_Jan_11_10:25:12_2014-1 Content-Type: application/pgp-signature Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (Darwin) Comment: GPGTools - http://gpgtools.org iQEcBAABCgAGBQJS0J18AAoJEMzMBey4OgLtCGQH/2ZAQvG0Eq6q6VIJHMFq+5/g lkm0zaMLGlY42Oc1I+Vh8qmEwnwZq43psmefuC9Qb58t9n1zeS/uOjIM2YQew6Q5 y4sSf4pELjaIFRI8HDwnBIqf2q+H7hi/zZ1WKm023IpON0doocMW6FLTh1DTF9Rd tHvK/GCBMzHbGTywv6LMvVCNEe2DTnru/E2XODR+2WCdDPEWbliyNBWFZDX9MxxI suZtJMNUwDQCfBHL9oB9KqfHY8lAZDZ/X8hsXqvB+rmVhdB1hZSEq3crJKdxEveD EDc3l2gLQbL72TtstIwM74rge3uMdct1n7nFh08AMpkpwIpEoEgsvz3Yeii2n10= =FVBY -----END PGP SIGNATURE----- --pgp-sign-Multipart_Sat_Jan_11_10:25:12_2014-1-- From morrowc@ops-netman.net Fri Jan 10 17:39:19 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D93421AD8EB for ; Fri, 10 Jan 2014 17:39:19 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.439 X-Spam-Level: X-Spam-Status: No, score=-2.439 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.538, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W2_3qXGtkFWV for ; Fri, 10 Jan 2014 17:39:17 -0800 (PST) Received: from mailserver.ops-netman.net (mailserver.ops-netman.net [IPv6:2606:700:e:b00b:5054:ff:fe79:69db]) by ietfa.amsl.com (Postfix) with ESMTP id AE65E1A1F76 for ; Fri, 10 Jan 2014 17:39:15 -0800 (PST) Received: from [IPv6:2001:470:e03a:b00b:b4c0:345f:b1a1:9a67] (unknown [IPv6:2001:470:e03a:b00b:b4c0:345f:b1a1:9a67]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: morrowc@OPS-NETMAN.NET) by mailserver.ops-netman.net (Postfix) with ESMTPSA id 70B7B320036; Sat, 11 Jan 2014 01:39:03 +0000 (UTC) Message-ID: <52D0A0AC.5040903@ops-netman.net> Date: Fri, 10 Jan 2014 20:38:52 -0500 From: Chris Morrow User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0 MIME-Version: 1.0 To: "sidr-chairs@tools.ietf.org" , sidr wg list , "sidr-ads@tools.ietf.org" References: <52D072F6.9030304@ops-netman.net> In-Reply-To: <52D072F6.9030304@ops-netman.net> X-Enigmail-Version: 1.6 X-Forwarded-Message-Id: <52D072F6.9030304@ops-netman.net> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Subject: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 11 Jan 2014 01:39:20 -0000 Working Group Folken, Today starts a WGLC for the subject draft: Abstract: This document describes requirements for a BGP security protocol design to provide cryptographic assurance that the origin AS had the right to announce the prefix and to provide assurance of the AS Path of the announcement. Please have a read-through and send comments at the authors + sidr@ietf.org mailing list. This WGLC completes in 1,209,600 seconds, or 20,160 minutes. Thanks! -chris co-chair From prvs=609043920f=sandra.murphy@parsons.com Mon Jan 13 05:42:20 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A124E1ADFA7 for ; Mon, 13 Jan 2014 05:42:20 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.439 X-Spam-Level: X-Spam-Status: No, score=-2.439 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.538, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4X7SwtdQbEmg for ; Mon, 13 Jan 2014 05:42:19 -0800 (PST) Received: from txdal11mx03.parsons.com (txdal11mx03.parsons.com [206.219.199.111]) by ietfa.amsl.com (Postfix) with ESMTP id 5B51A1ADFA2 for ; Mon, 13 Jan 2014 05:42:19 -0800 (PST) Received: from pps.filterd (txdal11mx03 [127.0.0.1]) by txdal11mx03.parsons.com (8.14.5/8.14.5) with SMTP id s0DDefNf020669; Mon, 13 Jan 2014 07:42:08 -0600 Received: from m4.sparta.com (m4.sparta.com [157.185.61.2]) by txdal11mx03.parsons.com with ESMTP id 1hcg19r9dt-1 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NOT); Mon, 13 Jan 2014 07:42:08 -0600 Received: from Beta5.sparta.com ([10.62.8.21]) by M4.sparta.com (8.14.4/8.14.4) with ESMTP id s0DDfwV6012736; Mon, 13 Jan 2014 07:41:58 -0600 Received: from kraven.huntsville.ads.sparta.com (kraven.huntsville.sparta.com [10.62.8.137]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id s0DDfwuG010005; Mon, 13 Jan 2014 07:41:58 -0600 Received: from HSV-MB002.huntsville.ads.sparta.com ([fe80::2521:a783:a30c:d057]) by kraven.huntsville.ads.sparta.com ([::1]) with mapi id 14.02.0342.003; Mon, 13 Jan 2014 07:41:59 -0600 From: "Murphy, Sandra" To: Randy Bush Thread-Topic: [sidr] WG Adoption: draft-ymbk-lta-use-cases Thread-Index: AQHO6xGReFLB3eVNzESqWt0J42rjVpp+r1FNgAC3FwCAA41JpQ== Date: Mon, 13 Jan 2014 13:41:57 +0000 Message-ID: <24B20D14B2CD29478C8D5D6E9CBB29F678F1DE00@HSV-MB002.huntsville.ads.sparta.com> References: <52954D51.5020808@ops-netman.net> <24B20D14B2CD29478C8D5D6E9CBB29F678F1DBD3@HSV-MB002.huntsville.ads.sparta.com>, In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.185.61.33] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.87, 1.0.14, 0.0.0000 definitions=2014-01-13_01:2014-01-13,2014-01-12,1970-01-01 signatures=0 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 kscore.is_bulkscore=0 kscore.compositescore=0 circleOfTrustscore=95.4186638347027 compositescore=0.0148378968684884 urlsuspect_oldscore=0.195307920112602 suspectscore=0 recipient_domain_to_sender_totalscore=4066 phishscore=0 bulkscore=0 kscore.is_spamscore=0 recipient_to_sender_totalscore=38 recipient_domain_to_sender_domain_totalscore=12528 rbsscore=0.0148378968684884 spamscore=0 recipient_to_sender_domain_totalscore=47 urlsuspectscore=0.1 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1305240000 definitions=main-1401130064 Cc: sidr wg list Subject: Re: [sidr] WG Adoption: draft-ymbk-lta-use-cases X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Jan 2014 13:42:20 -0000 On Fri, 10 Jan 2014, Randy Bush said:=0A= =0A= =0A= >> There were four responses to this adoption call, all positive. But=0A= >> four is not a strong indication of wg wishes here.=0A= >=0A= >note that the wg meeting in berlin asked for a requirements draft=0A= =0A= I hear you, and I heard the comments. But the wg is supposed to speak on t= he list.=0A= =0A= Perhaps those who spoke up in the meeting about this could type a word or t= wo into a message to the list.=0A= =0A= --Sandy. speaking as wg co-chair=0A= From drosen2s@smail.inf.h-brs.de Mon Jan 13 06:54:23 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8EB21AE1BB for ; Mon, 13 Jan 2014 06:54:22 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 1.05 X-Spam-Level: * X-Spam-Status: No, score=1.05 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_DE=0.35, J_CHICKENPOX_61=0.6, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cQA68lgiVcWP for ; Mon, 13 Jan 2014 06:54:20 -0800 (PST) Received: from ux-2s11.inf.fh-bonn-rhein-sieg.de (ux-2s11.inf.fh-bonn-rhein-sieg.de [194.95.66.8]) by ietfa.amsl.com (Postfix) with ESMTP id 1F6A91AE1BA for ; Mon, 13 Jan 2014 06:54:18 -0800 (PST) Received: from [192.168.16.76] ([194.25.10.166]) (authenticated bits=0) by ux-2s11.inf.fh-bonn-rhein-sieg.de (8.14.4/8.14.4/Debian-4ska0) with ESMTP id s0DEs5X6019297 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for ; Mon, 13 Jan 2014 15:54:06 +0100 Message-ID: <52D3FE0B.1080808@smail.inf.h-brs.de> Date: Mon, 13 Jan 2014 15:54:03 +0100 From: Demian Rosenkranz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0 MIME-Version: 1.0 To: sidr@ietf.org Content-Type: multipart/mixed; boundary="------------060603010501090401010805" X-Auth: by SMTP AUTH @ ux-2s11 X-MIMEDefang-Info-ge: Gescannt in Inf@FH-BRS, Regeln s. MiniFAQ E-Mail/Mailscanner X-Scanned-By: MIMEDefang 2.73 Subject: [sidr] Master thesis - RPKI X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Jan 2014 14:54:23 -0000 This is a multi-part message in MIME format. --------------060603010501090401010805 Content-Type: text/plain; charset=ISO-8859-15; format=flowed Content-Transfer-Encoding: 8bit Hello, as some of you know, I'm writing my master thesis about RPKI at Deutsche Telekom (Rüdiger Volk). Especially I try to identify the "problems (attack, misconfiguration, ...)" of using RPKI as a relying party/resource owner and try to find ways to identify if such a "problem" arises (i.e. competing ROAs). Furthermore I want to give proposals on how to proceed if a "problem" arises. To sum it up, a RP should use the RPKI as a reliable tool to improve it's routing. I hope this thesis helps to reduce the concerns of some RPs of using RPKI for securing inter-domain routing. The following classification lists the groups of problems I've identified including a short description. If possible, I used terms which are used in SIDR drafts/RFCs. It would be great to get some feedback to this classification. I guess most of you prefer textual description, so I tried to represent it in textual form. Additionally, you can find a jpg attached. Classification of "problems" 1. Incorrect representation of RPs/ROs INRs at "RPKI layer": The initial transformation of RP/Resource Owner INRs as RPKI objects is not correct. 2. Incorrect/untrustworthy/suspicious RPKI information 2.1 Object related 2.1.1 Competing Attack: Router certificate: ASN competes with existing router certificate; Other Objects: IP-Range competes with existing objects (In my opinion, certificates can also compete with other certs because of their X.509 extensions. Of course, at the end the ROA causes the problem but it could be kind of an early warning system if competing certificates are identified --> Should a doctor try to take care of the cause or just try to allay the pain?). 2.1.2 Whacked Objects: Object transition which results in a route transition from valid to missing or invalid. 2.1.3 Non-compliance: Non-compliance of RPKI objects can cause bad behavior of RP software. Weak alg./key length could result in a downgrade attack. (There are syntactical checks, but for the sake of completeness and because of possible implementation mistakes it's also included) 2.1.4 Expiring object: Check if objects are almost expired/forgotten. Can cause unwanted routing behavior. 2.2 System related 2.2.1 Replay attack:A whole old dataset could replace a newer one and could be still valid. 2.2.2 Short lifetime attack: Recurring ROA sets with short lifetimes could overload the RP software because of it's cryptographic checks. 2.2.3 Incomplete amount of objects: Incompleteness of RPKI objects could affect the global routing behavior. 2.2.4 repository availability:A DoS attack could affect the availability of the Repository. Kind regards Demian Rosenkranz --------------060603010501090401010805 Content-Type: image/jpeg; name="classification.jpg" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="classification.jpg" /9j/4AAQSkZJRgABAQEAYABgAAD/4QBaRXhpZgAATU0AKgAAAAgABQMBAAUAAAABAAAASgMD AAEAAAABAAAAAFEQAAEAAAABAQAAAFERAAQAAAABAAAOw1ESAAQAAAABAAAOwwAAAAAAAYag AACxj//bAEMAAgEBAgEBAgICAgICAgIDBQMDAwMDBgQEAwUHBgcHBwYHBwgJCwkICAoIBwcK DQoKCwwMDAwHCQ4PDQwOCwwMDP/bAEMBAgICAwMDBgMDBgwIBwgMDAwMDAwMDAwMDAwMDAwM DAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDP/AABEIAlUDnQMBIgACEQEDEQH/ xAAfAAABBQEBAQEBAQAAAAAAAAAAAQIDBAUGBwgJCgv/xAC1EAACAQMDAgQDBQUEBAAAAX0B AgMABBEFEiExQQYTUWEHInEUMoGRoQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4 OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOk paanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8/T19vf4+fr/ xAAfAQADAQEBAQEBAQEBAAAAAAAAAQIDBAUGBwgJCgv/xAC1EQACAQIEBAMEBwUEBAABAncA AQIDEQQFITEGEkFRB2FxEyIygQgUQpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3 ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqi o6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2dri4+Tl5ufo6ery8/T19vf4+fr/ 2gAMAwEAAhEDEQA/AP38ooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAoooo AKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD+ej9rLQT8Uv24/jZLq99qE8lh4x1 K2hczbisSXk8aJlgflVEVVA4AGK4v/hRuk/8/Go/9/E/+Ir0P43f8nufHj/seNV/9L7qs+v6 CyuhTeEptroj8azCtNYmaT6nGf8ACjdJ/wCfjUf+/if/ABFH/CjdJ/5+NR/7+J/8RXZ0V3/V qXY4vrFTucZ/wo3Sf+fjUf8Av4n/AMRR/wAKN0n/AJ+NR/7+J/8AEV2dFH1al2D6xU7nGf8A CjdJ/wCfjUf+/if/ABFH/CjdJ/5+NR/7+J/8RXZ1o+KvCOreBdbl03W9L1HR9RhCtJaX1s9v PGGUMpKOAwypBHHIINL2FG9rK4/bVWr3PO/+FG6T/wA/Go/9/E/+Io/4UbpP/PxqP/fxP/iK 7Oin9WpdhfWKnc4z/hRuk/8APxqP/fxP/iKP+FG6T/z8aj/38T/4iuzoo+rUuwfWKnc4z/hR uk/8/Go/9/E/+Io/4UbpP/PxqP8A38T/AOIr1Pwj8JfFXxA0q9vtB8M+INbstNGby4sNOmuY rUYLfvGRSE4BPJHANc/UqlQbcUldblOrWSUm3ZnGf8KN0n/n41H/AL+J/wDEUf8ACjdJ/wCf jUf+/if/ABFdnRVfVqXYn6xU7nGf8KN0n/n41H/v4n/xFH/CjdJ/5+NR/wC/if8AxFdnRR9W pdg+sVO5xn/CjdJ/5+NR/wC/if8AxFH/AAo3Sf8An41H/v4n/wARXZ0UfVqXYPrFTucZ/wAK N0n/AJ+NR/7+J/8AEUf8KN0n/n41H/v4n/xFdnRR9Wpdg+sVO5xn/CjdJ/5+NR/7+J/8RR/w o3Sf+fjUf+/if/EV2dXNA8P3/ivWrbTtLsbzUtQvHEVva2sLTTTueioigsx9gKX1ektWh+3q dzgP+FG6T/z8aj/38T/4ij/hRuk/8/Go/wDfxP8A4ivSPGPgbW/h3rbab4g0fVNC1FEWRrXU LSS1nVW5BKOA2D2OKbp/gvWdWtrGa10nU7mHU7v7BZvFau63dz8v7mMgYeT50+QZPzrxyKlU qDXMrWKdWsnyu9zzn/hRuk/8/Go/9/E/+Io/4UbpP/PxqP8A38T/AOIrt7u0lsLqSCeOSGaF zHJHIpVo2BwQQeQQe1R1Sw9J6pEuvVTs2cZ/wo3Sf+fjUf8Av4n/AMRR/wAKN0n/AJ+NR/7+ J/8AEV2dFP6tS7C+sVO5xn/CjdJ/5+NR/wC/if8AxFH/AAo3Sf8An41H/v4n/wARXonh/wAI at4sW9OlaXqOpjTbZ727NpbPN9lgTG6WTaDsQZGWOAM9azqXsKN7WQ/bVbXucZ/wo3Sf+fjU f+/if/EUf8KN0n/n41H/AL+J/wDEV6JqHhDVtJ8P6fq11peo22lasZFsb2W2dLe8MZ2yCKQj a+08NtJwetZ1CoUXskDrVVuzjP8AhRuk/wDPxqP/AH8T/wCIo/4UbpP/AD8aj/38T/4iuzop /VqXYX1ip3OM/wCFG6T/AM/Go/8AfxP/AIij/hRuk/8APxqP/fxP/iK7Oij6tS/lD6xU7nGf 8KN0n/n41H/v4n/xFH/CjdJ/5+NR/wC/if8AxFeq3/wh8WaVLqKXXhfxFbPo9ul3frLpsyGx hfGyWUFfkRsjDNgHPBrnaiNKhL4bMp1a0d2zjP8AhRuk/wDPxqP/AH8T/wCIo/4UbpP/AD8a j/38T/4iuzoq/q1LsT9YqdzjP+FG6T/z8aj/AN/E/wDiKyPGPg5Phjb2WraRfalbahBdp5My zBHhYBmDKygEMCowQa9KrjPjl/yKdv8A9fa/+gPWOIoU1TbSNaFeo6iTZ/SXRRRX86H7aFFF FABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQA UUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFF FABRRRQAUUUUAFeHfEL/AIKRfBX4WeM9R8P6543httX0mZre7gi028uRBIvDIXihZNwPBAPB BB5Fe418G/sE/B/wl8V/2tP2nv8AhKfC/h3xL9g8XH7L/aumw3n2bfealv2eYrbd21c467Rn oK9nK8JhqlKtXxXNy00naLSbvJLqn3PLzDE16dSlRw9rzb3u1om+jR7R/wAPYvgB/wBD9/5Q 9S/+R6P+HsXwA/6H7/yh6l/8j16L/wAMgfCX/ol3w6/8Juz/APjdH/DIHwl/6Jd8Ov8Awm7P /wCN1pz5N/LV/wDAof8AyJHLmn81P7pf/JHnX/D2L4Af9D9/5Q9S/wDkej/h7F8AP+h+/wDK HqX/AMj16L/wyB8Jf+iXfDr/AMJuz/8AjdH/AAyB8Jf+iXfDr/wm7P8A+N0c+Tfy1f8AwKH/ AMiHLmn81P7pf/JHnX/D2L4Af9D9/wCUPUv/AJHo/wCHsXwA/wCh+/8AKHqX/wAj16L/AMMg fCX/AKJd8Ov/AAm7P/43R/wyB8Jf+iXfDr/wm7P/AON0c+Tfy1f/AAKH/wAiHLmn81P7pf8A yR51/wAPYvgB/wBD9/5Q9S/+R6P+HsXwA/6H7/yh6l/8j16L/wAMgfCX/ol3w6/8Juz/APjd H/DIHwl/6Jd8Ov8Awm7P/wCN0c+Tfy1f/Aof/Ihy5p/NT+6X/wAkfhr8TtSh8UftT/FvxFYs Z9H8S+Kr/U9NuNpX7Tby3dxJG+04Zco6nDAEZ5ANVqu/F62j0n9sH41abaxpbadpfjHUrWyt YlCQWkKXtyqRxoPlRFVQAqgAAADpVKv27LuT6rD2d7W0vuflOO5vrE+fe/QKKKK7TkCvqH4N 67b/ALIf7H9p8TtN07TL34h+NdYuNM0O/vYEuBoFtAhWSeFGBHnFyRk5GCuQRuVvl6vpb4Je JvCH7Qv7LMfwj8S+J9O8E+ItA1WbV/DWq6oSmm3IkjYyW08vSEFgTvb1UAMflbys4TdBXTce Zc1v5eu2ttr+Vz0MscVX1snaXLfbms7b6el9nY4X4zftuePv2ivBK6J43utJ8Q+RdJc2d/Lp UEF7YYBDxxPCqAJJld4IOfLTkY59R/bs+Htr8UP+CiutaRfeItF8KWUtnYy3Gp6rKUgt400+ F2xgZaQgEIgxvYquRnNeY/GL9l7R/gn4GOoXPxU+HvifWp7lI7LS/C942qCWP/lrJLMFVYdu V2hgd+WwRtNfQHij4m/DfV/+Coura1rWqeFdU0O50mCDSdSuil/o8Oo/YYEhknKkrsRwwJzh GAJK7dw8ucqFOcauBh7sYVvhjbX93srJP5bu/W56MVXmnDGS1bgvel053u9WlvvstdrHjPxA /ZF8J/8ACode8XfDn4o23xCh8JtA2s2raBc6TNaQzOUSVPNY+Z8/UDGBzntUuj/sZ+G9P+Fm hat4w+KWk+D/ABJ4t019V0PRrjSZ54bqD5hEZrxSI4C7KeoO0FTyTtH0N8VPjhrc37KnxS0H 4h/HL4c+Pte1LTreTSNN8Py2zRxoLlN5E0cUQeU/88sMwVN3QnHLfs0tpOi/CXRrbxz8VfhP 4q+D506W7vPDGstu1/RriSIiRbOHYZ0lSXcqskgBV3dUywNcazHGLDTlKb92WjSu2uW9k/Zp N329xX+Hm6nV9Rwvt4JQWqd1eyT5lZtc7drP+btK3R+L/CH9kjw54k+Eem+MvHvxJs/h7pvi K+lsdEVtGn1Nr5oSBK0hjZRCoYgAsefmPAAy/wCEPhXxJp/7Onx1XSfGFra6HoP9nQ6rZ21j Fdw+IVa6eKNkuGw0SqQXDIPnDDOK9K/YvJ0rwLZMPip8KI/h9qOpNP4l8EeN5Iy6LHIQGhhk RjI5h8uRXiaMGRVU7tlcx4W8Z+B9J+C/7Tun+HtQs7DSNZudNHhqyu7rZc3tvHqEjDykkIkf bHtJGCygjdXZXxVeU6tNtyXNCy5VZL2kFZ3je9ru95J25ouNrHPh8NSjGlPRO7u7u70lqmnt ayekWr2d7nqfiy08M/Cr/gnb4RTwx8bdW8Ppdz6nexS6bo17at4nu9oDWchRwYwhxHvkJRuD jArxr48/Cbxz8RvFHwS8NT+IV8V6h4p8Jac2iRNp8ViulQSlwluzJnzFjCkmVvmIzkcVn/Fr xfpOpfsF/CXR7fVNOn1fTdW1eS7sY7lGubVXkUo0kYO5Qw6EgZ7V6bfftG+Fvhn+0H+zb4ol 1Gx1XTPDHgjT7HV/sUy3L6e7JPFIrqhJWSMSBih+bjpnFY0qVahN1ILmk51N1Hop8uqSavot /JaaDnVp1KKpv3Uqcdm+s430vZ9Xa3n0VvNPin+yr8PvAfhbXV0z42eH9e8YeG4d95oo0ie1 gmdHVJore7dvLnZWY7Qq5cKThQDi78Pf2QPhx4oh0HTdU+O3h/T/ABf4hSA2+lWOh3OpW0Uk +PJhku0ZY0kyyq4I/dtkHOMmP42fsj+GvBmn+KPFEHxk+G+taYu+50ix0zUTeavfvJIPLjlt xgxfKzFmLNtK8jkkfT/hL44W3hh/Bt/8PvjN8K/h58IbS0sjqWgNbQHXZJlwtx5tu0LSvK7A K0gdfl+fkDcyrY+usPF0aspNvVuKVnb4f4cvkuVvpzFLB0fbyU6cVFJ21b5le1/jj9/Ml2Wh 4z+w3+zN4St/ij8TdB+IWr6XD4g8M6Vqdi+l3GhtqMUCRqA+oxy/dzERlVADtnIIrmPgT8Ph oPxN+I9h8Lfip9t0ux8B3+oXerf8I15f9pwoIzLZeTcEtFkkDzQcjHA5rsPh78UfCo/4KL/F aS88S6NY6J40tdZ0iz1qS5VrBXuB+7kMoJTYdv3s45HNcz+zfoGk/s5fFD4qaPqvjXwPqi3P w41S2ttQ0rV1msLy4mWIpbxSuE3ynBGxQTkEDOKznUryVSrUk7ypQajypxvZ30cXs+l+ut1a 28KdCFSFGmlaNaS5rtSUbws7prdXV7dNLO7fC/A79lPTvHnw0uvHHjbxxpvw88GR3Z022vZr GXULrULsBWKRW0ZDMiqxLODxjoRuKs+Pf7KVv8LfDHh3xV4Z8XWHjrwN4muGsrbWLe0ks5IL lPvwzW8hLRtjJXJyQpJA4z3nw4tfC/7T37IPh/wBN448M+BvF3gbVLy9tx4juTZ6fqdrcMhY i4wQsiseEwSQp4xkrU+Oeq+F/gr+zh4c+E+k+LNI8aa3/wAJKfEutahpEzTaZZMYFijghmIA lyp3FlxggggGvTjisQ8Zyczvz25OX3eT+a9r+d+a1/dtc8z6vR+q89lbkb5r6qV3ZWvbsrct 7PmvY6PxF/wTW8J+BfiwngrxB8btC03xJqssUWi2KaJPcS3ZkVdn2grJstWZzhQzNuXDd9tf NHjn4b6r8PviRqfhS/hB1nSr99NljhO8PKrlPkPcE9PUEV75+1H490PxB/wU0i16w1rSb3Qx rejynUbe7jktAiJbB281SUwu1snPG056VxX7Q3xJsNM/bt8ReLNNntdY06z8VnU4JbWdZYbt EnEg2OpKkHbwQcc0sprYt+yeIk5c9PmaaSs/d0Vkt763vqtLbDzOlhoxqqhFJwkktW7pqV93 0aVrdHrd6nbP+wX4K8Ka9Z+FfF/xu8P+HfiHdBEfRItFuL21tJ5P9VDLeqyxo3K79w+TP8Qw T3n/AAT8+BNj8GP2gviHZ+KfFSeHfHHg3SNRt47WLTJboW8Pkru1KKYYGEVsrHgO6v26VkfG H9nrwD8ffjbqPxKsPjX8PNM8G+IbptXvbbUL5rfXrIZLTRJZ7dzuCp2cgtkYB4LS+C/2kvDP xK/bV+MHi86haaPouteENTsNNk1G4W3N0Vt4oYgN5H7yTy9wT73OMZFeVWr4rEYSpBzk26cn JcqXLLT3V7vW8k0+Z2V79T0qVDDUcVTkopJVIcr5r80bv3nr092WiSTdmnsvnH9obWhrfxUv mi8e6t8S7WBI4rfX9RjuIprpNgYrsnZpFCszKAT2yOte1aB+2P4D8I6x4en0vRNftovBngKf StBXyIP9C8RT587UP9YcqSSd53NwMIMDHy9RX09XLqVWlGjUbaSt0V7ppvRJapvZJas+fhjq kKrrQSu7eezUlu290t2e6fBr9j/TPid8Cz8Q/EHxD0nwbosGtyaXfNf2jTOFWFZd8Ko++4mY vgRKo4Vm3cYqp8d/2SbP4aeGfC3ijwt4zsfHXgnxVctYQ6tBYyWUtrdKfmilt3Ysh2/MuSCQ GyAMFvUvgv8AC7S/i7/wTZ/sjUfGGheDJ3+IEklhdazvjsbmcWK/upZlBEAKb2DsCMoF6sK5 74z6l4b+B/7PPg74V6d4v8PeMtYPihvE2tX2izm406w/drDFFHPgLJlcsxxlSCCBxnyoYytL G+zjNu07cvLpy2Tbva+nfm8randPDU1gvauK1hJ819eZNqNlfrZLbz6Mzf2mP2I/Dn7NU2qa Pd/FCw1jxtDND/Zvh6z0aZpr2GRkVWllDtHbyEFmEbFiVCHPzgDTf9gvwV4U16z8K+L/AI3e H/DvxDugiPokWi3F7a2k8n+qhlvVZY0bld+4fJn+IYJxv2yvippcX/BQ3W/GGj3ljr2l2Ws2 GoQz2Vyk0F0IYrdiEkUlTyhGQeoNd98Yf2evAPx9+Nuo/Eqw+Nfw80zwb4hum1e9ttQvmt9e shktNElnt3O4KnZyC2RgHgthSxOKWHoSxNaUeePNKSim1K0bRtytJayequ2tGtjpr0MP9Yrw w9NScJWiuZ6q8ryvzK+0UrNWT1vuQfsWfA7V/APxj+OHgHXJ9L0jVrXwRqWmz3V3c+XYwbnh AneUjiHawfcRnac4zxXC+LP2MfDt/wDCfX/Enw6+KGl/EK58HxLc67pqaRPpstrAeGmhMpPn opByQANoznJCn1TwB+0L4J+Mf7WHx11/VPENt4S8MeKvCN1pNnfXo3SsgW3gV1hJV5ZGWMyC JfnPTqK5vwt4O8M/sX/Cb4japc/ErwH4z1vxnoEvhzRdN8N35vmKTsnmTXHyr5OxACFbqcjO Rg8/1nFRqe1k3GpKNP3eXSUuqejta/Rq27dkbqhhnH2UUpU1OevNrGNo+8tVfbTRp2tbU534 3afPq37Bn7PVrbRST3Nzfa9FFEi5aR2vUCqB3JJAq5YfsD+FP+Eii8F6h8ZvD9h8VJv9HHh0 aPczWcd4y7ktn1AHyw/Kq2FO1yVAYgZq+Kfi1pPhr9l79nSW2vtP1DVPCOs6rqF9p0N0jXFu BfxyxiRAdyb1U7SwGRyK+mPHX7R/jjx14rm8SeDP2nvhfoHgDUGF3HY6rDZx6zpcOf3kX2R7 dpJXTDbQXBk4weQTWIxGLox5aL5U51tfP2j5V8E9029le2kl1ihRw9Wzq+81CFl9938UNtFv pfZ9Pkb4HfsXT/FbQ/Hl5rPijS/BY+Hd7b2urNqUe6GFGeVJW3q2S6GLaqKreY7KoK5zXZat /wAE/PCdn4S0zxvb/Gvw3J8L7vfBca9NpNxDexXSsVFvHYZaSVzw2NykIHYjCgth+HfiZZ6z +zN+0ANT8RWF7rviXWdKu7cymO1uNXIvJXlmjg4OMNuZVGFDc4rH8Q+K9Lm/4J8eHNFTUrBt Yg8b3l3JYLcIbmOFrSNVlMedwQsCA2MEjFdk6mOnUbVRxXNCNlFWs4Rcnqr6SbtfbZp7LmjD BxSjyXupu7bv7sp8q0dtVFX73Vrbu342/YS1bSvj54M8G+Htf0zxJp3xCtYb/QdbEbW0Nxbu pZnkjJZoygViVyxxj+I7RR+JvwS+GPwr1vQrzTvicPH2jR6uLPXrO00SXTdRtY1IZjFFNIPN BVXXeGUK23k54734ga7o/jxP2ctP0/4gaR4WvtK8NmGXV0ug40K8WR3hE5jbdDmQICzY2Btx BANWv229X0bUvghpr+K/E/wx8b/F2bWmk/tvwWyObnTvKw326SKOON5A4REBUMFVcZ+fM08Z ilUpQnN7yTsld2m4qT921rK75XG29mmknLC4eUKkoxS92Mlq7K8OZpe9e/M7K6lfbR6nKfE/ 9t7/AITnQPiTcWtpeWniL4kXcFjKSFFtpmiW6jybaMhstK2FV2KgbVOMlzj56oor3cJgqWGj y0lZafgkl+C/XdnkYnF1K7vUff8AF3/4HoktkgooorrOYK5b4uaNc674et4LWIzS/albAIGA EfnJ4rqa5H4z3s1h4ZtpIJZIZPtajdGxU/cfuKxr29m77GtG/OrH7ef8PYvgB/0P3/lD1L/5 Ho/4exfAD/ofv/KHqX/yPXov/DIHwl/6Jd8Ov/Cbs/8A43R/wyB8Jf8Aol3w6/8ACbs//jdf hXPk38tX/wACh/8AIn65y5p/NT+6X/yR51/w9i+AH/Q/f+UPUv8A5Ho/4exfAD/ofv8Ayh6l /wDI9ei/8MgfCX/ol3w6/wDCbs//AI3R/wAMgfCX/ol3w6/8Juz/APjdHPk38tX/AMCh/wDI hy5p/NT+6X/yR51/w9i+AH/Q/f8AlD1L/wCR6P8Ah7F8AP8Aofv/ACh6l/8AI9ei/wDDIHwl /wCiXfDr/wAJuz/+N0f8MgfCX/ol3w6/8Juz/wDjdHPk38tX/wACh/8AIhy5p/NT+6X/AMke df8AD2L4Af8AQ/f+UPUv/kej/h7F8AP+h+/8oepf/I9ei/8ADIHwl/6Jd8Ov/Cbs/wD43R/w yB8Jf+iXfDr/AMJuz/8AjdHPk38tX/wKH/yIcuafzU/ul/8AJHn1n/wVY+AV9dxwp4/jDysE UyaPqEaAn1ZoAoHuSBX0JFKs8SujK6OAyspyGB6EGvhb/gr58AfAnw0/ZRt9R8OeCvCXh/UD r1rCbrTdHt7SYoY5iV3xoDtJAyM44FfbXhD/AJFPS/8Ar0i/9AFTmOEwkcNSxWE5rSck1Jp/ Dbsl3HgcTiZYiph8Ty3iov3U1vfu32NGiiivEPWCiiigAooooAKKKKACiiigAooooAKKKKAC iiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooo oAKKKKACiiigAooooAKKKKACiiigAr4w/wCCZX/J2n7VP/Y3L/6WapX2fXxh/wAEyv8Ak7T9 qn/sbl/9LNUr3ct/3DF/4Yf+lxPIx3++4b1l/wCkM+z6KKK8I9cKKKKACiiigAooooA/n3+N 3/J7nx4/7HjVf/S+6rPpn7VXilPhx+3F8bo9Ttb6OS78aapLGoiAOw3s7q2GI4ZXVge4INcf /wALy0n/AJ99R/79p/8AF1/QWV16ccJTTfRH4zmFGbxM2l1OzorjP+F5aT/z76j/AN+0/wDi 6P8AheWk/wDPvqP/AH7T/wCLrv8ArNLucf1ep2OzorjP+F5aT/z76j/37T/4uj/heWk/8++o /wDftP8A4uj6zS7h9Xqdjs6K4z/heWk/8++o/wDftP8A4uj/AIXlpP8Az76j/wB+0/8Ai6Pr NLuH1ep2OzorjP8AheWk/wDPvqP/AH7T/wCLo/4XlpP/AD76j/37T/4uj6zS7h9Xqdjs6K4z /heWk/8APvqP/ftP/i6P+F5aT/z76j/37T/4uj6zS7h9Xqdjs6K4z/heWk/8++o/9+0/+Lo/ 4XlpP/PvqP8A37T/AOLo+s0u4fV6nY7OiuM/4XlpP/PvqP8A37T/AOLo/wCF5aT/AM++o/8A ftP/AIuj6zS7h9Xqdjs6K4z/AIXlpP8Az76j/wB+0/8Ai6P+F5aT/wA++o/9+0/+Lo+s0u4f V6nY7OiuM/4XlpP/AD76j/37T/4uj/heWk/8++o/9+0/+Lo+s0u4fV6nY7OiuM/4XlpP/Pvq P/ftP/i6P+F5aT/z76j/AN+0/wDi6PrNLuH1ep2OzorjP+F5aT/z76j/AN+0/wDi6P8AheWk /wDPvqP/AH7T/wCLo+s0u4fV6nY7OiuM/wCF5aT/AM++o/8AftP/AIuj/heWk/8APvqP/ftP /i6PrNLuH1ep2PZn+OWrP8Ak+HP2fTv7ETWzr4n8t/tXnmHydu7fs2becbM579q4yuM/4Xlp P/PvqP8A37T/AOLo/wCF5aT/AM++o/8AftP/AIuohUoQu4tau79S5U60klJbaL8/zZ2dFcZ/ wvLSf+ffUf8Av2n/AMXR/wALy0n/AJ99R/79p/8AF1f1ml3I+r1Ox2dFcZ/wvLSf+ffUf+/a f/F0f8Ly0n/n31H/AL9p/wDF0fWaXcPq9TsdnRXGf8Ly0n/n31H/AL9p/wDF0f8AC8tJ/wCf fUf+/af/ABdH1ml3D6vU7HZ0Vxn/AAvLSf8An31H/v2n/wAXR/wvLSf+ffUf+/af/F0fWaXc Pq9TsdnRXGf8Ly0n/n31H/v2n/xdH/C8tJ/599R/79p/8XR9Zpdw+r1Ox2dFcZ/wvLSf+ffU f+/af/F0f8Ly0n/n31H/AL9p/wDF0fWaXcPq9TsdnRXGf8Ly0n/n31H/AL9p/wDF0f8AC8tJ /wCffUf+/af/ABdH1ml3D6vU7HZ1xnxy/wCRTt/+vtf/AEB6P+F5aT/z76j/AN+0/wDi6xPH fju3+IGn2unada373b3SGOMxAmQkMoVQpJLEsMDFY169N02kzWjRqKom0f0zUUUV/Oh+2hRR RQAUUUUAFFFFAHyD/wAFs/8Akzi2/wCxitP/AEVPX1b4Q/5FPS/+vSL/ANAFfKX/AAWz/wCT OLb/ALGK0/8ARU9fVvhD/kU9L/69Iv8A0AV7uK/5FOH/AMVT/wBsPIw//Ixrf4Yf+3GjRRRX hHrhRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQ AUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQBFNew200 UcksaSTsViVmAMhAJIUdzgE8dhXxl/wTTuI7P9qz9qyWV0iii8WB3d22qii81QkknoBXaf8A BUT4Ga148+FGk+O/CU91B4v+Fly2s2IhPMsPyNMAO7KI0ceoR1wd1fn18IviZ4w/aT+I3jzw N4atlsL747eJIL/UpI2JWytklu7iZCevljz9zHqVhI53Yr7jIsoWIy2tONRJSSUr/Z5ZqTfm uXX1uj5PN8ydHHUoyg7xu4/3rxat5e9p+J+0MUqzRq6MGRgGVlOQQe4p1Yfw08BWXws+Hmh+ GtOMpsNBsYbC3MrbnZIkCAse5IHNblfEzspNR1R9XG7SctwoooqRhRRRQAUUUUAFFFFABRRR QAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAF FFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQB8e/wDBai9hvv2N LdoZY5lXxLbIWRgwDLHcAjjuCCCK+rfCF3F/wjulweZH5/2GKTy9w3bdoGcdcZ71+SX7fXgj X/2Stc8VfDEedc+BPF+qxeKtEklcnyHHmI6A/wB4b9jdyI4m/i5+qP8Agmh4S179oP4seIvj 74o863ivYToHhqz3nZHaR4V29Cq7Ag7F/ObAOK+6zDJ4U8op1faXgnJp2+Jy5bK19Ho79rHy OCzOU8znT5PffKmu3LzXd+vS3e59tUUUV8KfXBRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRR RQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQB8d/8A BRL/AIK1Q/sHfFzQ/Blt4AvPGuq6vpS6u5TVPsKQxNLLEqriGUu2YJCeAAMcnJx4J/xEZat/ 0QDUf/Cnf/5Arzz/AILt/wDKRrwP/wBiPB/6V6lXzTX6nkPC+X4rAwrVY+899X/mfn+ccQYz D4uVKnLReS/yPtn/AIiMtW/6IBqP/hTv/wDIFH/ERlq3/RANR/8ACnf/AOQK+JqK9j/UrK/5 Pxl/meX/AK1Y/wDm/Bf5H2z/AMRGWrf9EA1H/wAKd/8A5Ao/4iMtW/6IBqP/AIU7/wDyBXxN RR/qVlf8n4y/zD/WrH/zfgv8j7Z/4iMtW/6IBqP/AIU7/wDyBR/xEZat/wBEA1H/AMKd/wD5 Ar4moo/1Kyv+T8Zf5h/rVj/5vwX+R9s/8RGWrf8ARANR/wDCnf8A+QKP+IjLVv8AogGo/wDh Tv8A/IFfE1FH+pWV/wAn4y/zD/WrH/zfgv8AI+2f+IjLVv8AogGo/wDhTv8A/IFH/ERlq3/R ANR/8Kd//kCviaij/UrK/wCT8Zf5h/rVj/5vwX+R9sN/wcYaq6kH9n/UCCMEHxM/P/khXhH7 MH/BTPSv2Wvi34x8WaP8BdSuJvEspWxt28QMi6JbM297eM/YjuBfHOBhURccEt49RXTR4WwN KnOlTTUZ6NXette5hU4hxVScak7Nx20Wn4H2z/xEZat/0QDUf/Cnf/5Ao/4iMtW/6IBqP/hT v/8AIFfE1Fc3+pWV/wAn4y/zN/8AWrH/AM34L/I+2f8AiIy1b/ogGo/+FO//AMgUf8RGWrf9 EA1H/wAKd/8A5Ar4moo/1Kyv+T8Zf5h/rVj/AOb8F/kfbP8AxEZat/0QDUf/AAp3/wDkCj/i Iy1b/ogGo/8AhTv/APIFfE1FH+pWV/yfjL/MP9asf/N+C/yPtn/iIy1b/ogGo/8AhTv/APIF H/ERlq3/AEQDUf8Awp3/APkCviaij/UrK/5Pxl/mH+tWP/m/Bf5H2z/xEZat/wBEA1H/AMKd /wD5Ao/4iMtW/wCiAaj/AOFO/wD8gV8TUUf6lZX/ACfjL/MP9asf/N+C/wAj7Z/4iMtW/wCi Aaj/AOFO/wD8gU2b/g441O3haST4B36IgLMzeKHAUDqSfsNfFFZ3i/8A5FPVP+vSX/0A0nwX laV+T8Zf5jXFOPbtzfgv8j93f2PP2lLX9r39m/wz8RLPS59Fg8RRzn7DNMJmt3huJbdxvAAY b4mIOBkEZA6V6ZXyv/wRQ/5Rk/DT/uKf+nW8r6or8fx1KNLE1KcNlJpfJn6XhKkp0ITlu0n+ AUUUVynQFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUA FFFFABRRRQAUUUUAFc78XfiPa/B34T+J/F19DNcWXhbSbvV7iKHHmSx28Lysq543EIQM966K vK/26f8AkyP4x/8AYj61/wCkE9a0IqdWMXs2jOrJxg5Loj4Rg/4OPb++j822+A19cQMTskXx QxDAHHaxI/Wn/wDERlq3/RANR/8ACnf/AOQK+BPhR/yIFh/20/8ARjV0VfscODMrlFS5Pxl/ mfmU+KMfGTXN+C/yPtn/AIiMtW/6IBqP/hTv/wDIFH/ERlq3/RANR/8ACnf/AOQK+JqKv/Ur K/5Pxl/mR/rVj/5vwX+R9s/8RGWrf9EA1H/wp3/+QKP+IjLVv+iAaj/4U7//ACBXxNRR/qVl f8n4y/zD/WrH/wA34L/I+2f+IjLVv+iAaj/4U7//ACBR/wARGWrf9EA1H/wp3/8AkCvnP4Vf BfS/HP7PHxR8W3c9/HqPgldLNjHC6CCX7TcPFJ5oKljhVG3ay89c9KsfslfA3Sfjz4t8TWGr 3Go20Oi+GNQ1qA2ciIzzQIrIrbkYFDnkAA+hFclThjJqcaspQdqe+sv5VLv2aOqnn+ZzlThG SvUdlou9u3c+hP8AiIy1b/ogGo/+FO//AMgUf8RGWrf9EA1H/wAKd/8A5Ar5D8P/AAv8S+Lb O0uNK8O67qdvf3Z0+1ltLCWZLm5CbzAhVSGk2fNsHOOcYp+sfCbxV4e8Y23h2/8ADPiCx8QX hQW+mXGnTR3k5c4TZCyh23HgYHPat/8AVDKObltr/if+Zh/rNmVua+nov8j65/4iMtW/6IBq P/hTv/8AIFH/ABEZat/0QDUf/Cnf/wCQK+PtK+H2v674kuNGsdD1e81iz83z7GCzkkuYPKz5 m6MAsuzB3ZHGDnFQaJ4Q1bxNZ39xpul6jqFvpMH2m+ltrZ5Us4s48yQqCEXP8TYFP/U/KP5f /Jn1+Yf6zZltfy2W/wBx7N+2h/wVpi/bP+HNnomp/A7VdHvtMu1urLUoteaeS3zgSptNkuVd eD83BCNg7cH0vwH/AMF+n+GngvS/D+jfs731npWjW0dpawr4nf5I0AAyfsHJ4yT1JJPevmrw z8A/HXjTw1/bOj+CvFuraOQ5F9ZaPcT2x2ZD/vFQr8uDnnjBrC0LwpqniiO9fTdNv9RXTLZr y8a1t3lFpAuN0sm0HYgyMscAZHNby4cy2dFYZu8YNu3M9G/n/WvmYxzzHRq+3S96el7LW3y/ rQ+yf+IjLVv+iAaj/wCFO/8A8gUf8RGWrf8ARANR/wDCnf8A+QK+SfGHwe8XfD3SLXUNf8Le I9DsL8hba51DTZraG4JXcAjuoDcc8HpXpfin9hDxv4f+APhrxrDoniq+udbkuvtmlp4fnD6T BDjZPI4ydki/MCUUYHBNcNThjI6ai57N2XvPf7zsp5/mtRuMN7X2W33Htf8AxEZat/0QDUf/ AAp3/wDkCj/iIy1b/ogGo/8AhTv/APIFfJHgP4Q+LPimLk+GPC/iLxGLLaLg6Xps155G7O3f 5attztOM9cH0rGvdIu9N1aWwuLW4gvoJjby20kRWWOQHaUZSMhgRggjOa3XB2UuXIo6rpzO/ 5mD4nzFR529O9l/kfaH/ABEZat/0QDUf/Cnf/wCQKP8AiIy1b/ogGo/+FO//AMgV5b+zF+yZ eXXjfxLZ/EjwT4h0yCDwhquqaamqWl1p2+5t0QrIhOwvsLDI5HzDIr54rCjwtk9WpKnTjeyT vd21uv5vJ3N6nEGZ06aqTdrtq1lfRRfb+8j7Z/4iMtW/6IBqP/hTv/8AIFH/ABEZat/0QDUf /Cnf/wCQK+JqK6v9Ssr/AJPxl/mc3+tWP/m/Bf5H2z/xEZat/wBEA1H/AMKd/wD5Ao/4iMtW /wCiAaj/AOFO/wD8gV8TUUf6lZX/ACfjL/MP9asf/N+C/wAj7Z/4iMtW/wCiAaj/AOFO/wD8 gV6j+xV/wWyX9rP9pbQ/hvqHwuvvCF14giuHtbs619sAaGCWcho2t4iFKwuAwJ5xx1I/NWvU /wDgmF/ylj+Ff/XpqX/ptv687N+FMuw+DqVqcNVFtavt6ndlvEWNr4qFKctG10Xf0P3Fooor 8lP0YKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKK KAPx9/4Lt/8AKRrwP/2I8H/pXqVfNNfS3/Bdv/lI14H/AOxHg/8ASvUq+aa/deFP+RZTPyTi P/f5hRRRX0Z4QUUUUAFFFe7WHhDSX/4JsX+unS9OOtp8Q0sl1A2yfalg/s/f5Ilxv2bvm25x nnFc2JxCoxUmr3aX3uxvh6DrScV2k/8AwFN/oeE0V9EaT/wTU8ZXWjaFqep+KPhz4Z0nxLYW 19pl7rWufZI7xp1Di2RTGXaZVKlgF2/MMMxyB57c/soeOoP2hJfhemjNP4vjnMIto5F8t12e Z5okJC+WY/n3HHB5weKyp5lhaknCFRXV29dkt/u69uppPBYiEFUlB2dvx2+/p3POaK9j+M37 Fur/AAf8Ez69D4x+HXjKzsbuKyvk8M639um0+STcI/NQopUMUYDGTkHjg10+kf8ABM/xndwa fban4q+GnhrxPqsSy2vhjV/ECwazNvJESiEIw3SYG0bu+G2kECHm2DUPaOorXt+F9t9mn813 L/s3E8/s+R33+V7em+h860V6x8Jv2LfHfxj+I3inwjp1ja2nibwjbvNe6ffTeVI5WVIjGjAF C25wQWZUK87sYzv6H/wT68VeNviPqXhbwt4l8AeMNT0zRxrEjaLrBubeRTMIfIEvlhRMGIJD lVCkEtVTzPCQdpVFtf5d/TzJjgMRJXUHvb59vXyPCKK9hk/Yr8QX3xei8H6J4j8C+KJF086p f6tpGsifSdHtlYrJJc3BVRH5eMsME4ZcAk4qP41fsa6/8G/AkfiiDxB4K8beHPtX2K61Hwrq w1GDT5yAUjmO1SpYHg4I6AkFlBazLCuUY86vLb9Pv6d+gPAYhKT5H7u/3Xf3LV9lqzyKivfP A3/BO7xb4u8L6Lf3/ib4eeEb3xLGk+j6P4g1wWmp6rG+BE8UIRsiRjtUEgk9QMgnvvAP/BP/ AEfxN+x9eaxfeLPhno/i5tejiGo6l4leGDSYRGQ9jcYBjW4LjcF2scdGxXPXzvB0t531S011 bt+HXt66GtDK8TVatG103r2Sv+PTv6anyLWj4o8Iat4H1Y2GtaXqOkXyoshtr22e3lCMAytt cA4IIIOOQa9O/Y9+C9v8Sv2odK0rUZbO40Lw/PJqusXCN5ls9naZklIOOUfaFB77xXHfHr4q 3Hxw+M3iXxZcqUfXL+S5SMnPkxZxHHn/AGUCr/wGupYrmxCow25eZv1do/faX3eZh9X5aLqz 35uVeel5fd7v/gRyNFFFdhyhRRRQAVneL/8AkU9U/wCvSX/0A1o1neL/APkU9U/69Jf/AEA1 M/hZUPiR+wP/AARQ/wCUZPw0/wC4p/6dbyvqivlf/gih/wAoyfhp/wBxT/063lfVFfzvmn++ 1v8AFL82fteA/wB1p/4V+QUUUVwnWFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQA UUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFeV/t0/8mR/GP8A7EfWv/SCevVK8r/bp/5M j+Mf/Yj61/6QT1vhf48PVfmZV/4UvRn4M/Cj/kQLD/tp/wCjGroq534Uf8iBYf8AbT/0Y1dF X9GUf4cfRH4hV+N+oUUUVqZhRRRQB9F/sjeG7rx5+yl8ftC0qKS+1maw0i/gsoF3z3EVvdu8 zKvU7VIJxnqOMkVN/wAE7dFu9Ll+KXiueCSLw/o/gbU7a5vWGIlmlRRFEGPBdsHC+1eGfDT4 o+Ifg54vtde8MaveaLq1ocx3Fs+CRkEqwPyuhwMowKt0IIrtvjT+238U/wBoXw2mj+LvF95q Wlo/mG0it4LSGY5BHmLAiCTBUEb84IyMGvDxmAxNSVanT5eSra7bd4+6ouytZ3SVtVZ9z18J jKEPZTqX5qburWs9eZJu6trvo9D1v4b/ABl8S/Bf/gl5dXXhfVbjRb7VfHj6fNeWp2XCQmyR 2Ecg+aMkxr8ykHA681H8dfivrmt/shfALxzql9car4p0jWdTEep3UjSXUqwXEbxh5CdzYKjk nPH1r52b4r6+/wAK18FG/wD+KZXUjq4svIj4uvL8rzPM2+Z9zjbu2+2aNa+K+v8AiH4c6L4T vL/zvD/h6ae40+18iNfs8kxBkO8KHbJHRmIHbFH9k/vvb2V/ac1+vLyONtvw2sJZivYqi725 HG3S7k3ff01308j70m1TR/2c/jh4u+PwtoX8P+M7TRJtKXA+b+0pVe9xnjeqW1wTjn952ryz 9o34XRfsgfAX4m6fGht7r4keMF0/ScEYk0W2Au1dD3VmmiQ49B6V82+J/j/4v8ZfCfRPA+p6 zJdeFvDkrT6dYtBEPs7nfk+YFEjffbAZiBnjFL8Wv2g/GPx0tdDh8V63LrEfhu0+w6cHhij+ zxYUYyiruJ2rlmyxwMmuGhkVeFSPNJcqaT3vyQ5XTW26cXf/ABPVnZUzilKD918zV+n8SSkp P0aaa84rRdPuTwr4gh+Dvxj+HXgnxb8R/jvr3jhrXS3g03wsILTw/BDtXy7eSA4MyIiHzJAp 3ICThgwHJ/CHW5fhR+2x+03qmhx29pc6H4f1u9sx5QaOKVJ45FOw8EBucYxXzz4f/wCCg3xk 8LfD218L2HjzVLbR7GNYbdRFCbiJFYMqi4KGbaMAAb8bRt+7xXJQ/tH+M4PFvizXV1nGq+Ob S4sdbn+yQf6bDOQZV27NqbiBygUjsRWSyHEt1Odx96Mo773aadlFW0T0971Zos3w8YU0k/dl CXyimmruTvvpol6HvHwg+NPiv45fsffH638Za/qvieOxs9N1G0/tO5a5NnMbogmLcT5YPHyr gccDrUnxZ+OPjm2/4J4fCq9tvF/iuOW+1TVtP1C4i1W4DXESsBHBKwb5lCZCo3AXOBivm7wl 8V9f8DeE/EWh6Xf/AGXS/FcMVvqsHkRv9qjjfeg3MpZcNzlCCe9dP8L/ANr34j/Bn4fal4V8 N+J7jTvD+reZ9pszbQTqfMTY+wyIzR5XrsK+vXmu2vk75pSoxjbnjJJ6LSHK9k7d9nsjloZo rRVWUr2km93rqraq9n5rc+r7z4geBvgj+yb8Hhfa58cPDOnapo73ZuPAF1bWlneXruftH2iV yrvMGXG0khVAwBzS/Dv4g6F8dP8AgoDp3ifQNG8S2ur2fgOW703/AISSwhgvdb1GO3cQXW2L KSF4WVg4GDsyBgCvlj4J/tq/FD9nbw/NpXg/xbd6Xpk8nmm1kt4LuKNuclFmRxHnJzsxu4zn ArnfEXx/8aeK/iuPHN/4k1ObxYkwnj1JZfLlhYdAgXCooGQEUBQCRjFcv9gVXOrdr3ue0ru/ v33jbpf+bW2y6bRzinGlTVvh5Lxto+Rp7362/l6vV9fqL9hn46fFX4kah8V7DxLr3izXNBj8 JanJfrqJkuIbK7EbCNNzg+QTmXEalQ208HYMfFte1eLv+CiXxm8dP/xNPG93cR/ZZ7JoVsrW KB4502Sbo0iCM20kByCyhm2kZOfFa9TLsFUo1qlacIx5lFWj/dv5R7rp5dLvhx2LhUowpQlK XK5O8v7yj5vqn+fWyKKKK9g8sKKKKACvU/8AgmF/ylj+Ff8A16al/wCm2/ryyvU/+CYX/KWP 4V/9empf+m2/rxeIf+RdW/wv8merkn+/UvVfmj9xaKKK/AT9jCiiigAooooAKKKKACiiigAo oooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD8ff8Agu3/AMpGvA//AGI8H/pX qVfNNfS3/Bdv/lI14H/7EeD/ANK9Sr5pr914U/5FlM/JOI/9/mFFFFfRnhBRRRQAV9D6d/yi u1H/ALKZH/6ba+eKK5cVh/bRjG9rSi/uaZ04av7Gbna91Jf+BRa/C59F/wDBQ24ke6+D0Zdz HH8N9IKqTwpIkzge+B+Ve++KfE+l6f8A8FJ/EWm6tqdvpFx4u8ApoWnahdSbI7e8uLGERszn OM4ZQT3YDqa/PeivNqZLGdJUpT0SqLb+d3/D8Ttp5rKFT2sY6/u//JLfnb5Hv+tfsY+Of2S9 R0fxp8Q9N0vSNG0rXbILbPqMFxPqyiXe/kxxs+4KiZbftOGHB5x6l8e/2FvHXxy/aR1b4ieG NS0HUPh94hvv7Yj8WLrVulrptuDl2k3P5gMIQg7VIG0dMED4uorV4LFuca3tY86ur8mlny9O a97xve/fTYz+tYbllS9m+SVnbm1uubry2taTVrfM+54vilpfxS/aC/ao8QeHbs3GnT+AruCC 7jOPtPlJbwtIpHVWKMQe4IPevIv2Crh7Xwb8dnjd43Hw5v8ADKcEfPGOtfOtFZQyWMKEqEZa OMY7fyq3zv8AI1lmspVo1pR1U3PfvbT8N9T6m/4JkeNLSyuPiH4WS38I33iPxbpUEWh2PieI SaZqlxFNu+yyKSNzPuG1cjLKPSur/aqvvir8Ov2bte0vxd8MPgt8MNG8RXNpE0GiQQ2+pas8 cnmBolguJFYRFRuLjgS8dTj4uoqq2UKeL+tJreLaab1ja1nzJLZbp90Th8zdPD+ws/tWaaXx K2ujv8mux9s/tRfsieLv2zviXpPxC+HA0jV/BGuaTYxfbX1SCCPQvKiWOWKdXYOPL2lmCq5H PGeK5j9nv4N638eP2IfHvgDweNP13xTpnjG21JrSK+hiFxbCExGaNpGVSm4HBJGR78V8m0VM cqrRofV1UVouLj7uq5Zcy5ve97a2nL94/wC0aftVWcHezUtdGnFx0003vrza+R9F+CdMl/Z3 /Yk8ba9dRxxa/wDEfUh4R08hgXhs7djJeupGQyOwWI4OOK+dK7D4k/GvU/ib4T8I6JdW2nWO meC9PbT7CCzR1D73Mks0m52zLIxyxGF4GFFcfXdg6E4OdSr8Unf5LSP4K9u7fqcuKrQlGFOl 8MV+L1f3fDfqkttgoooruOMKKKKACs7xf/yKeqf9ekv/AKAa0azvF/8AyKeqf9ekv/oBqZ/C yofEj9gf+CKH/KMn4af9xT/063lfVFfK/wDwRQ/5Rk/DT/uKf+nW8r6or+d80/32t/il+bP2 vAf7rT/wr8gooorhOsKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAC iiigAooooAKKKKACiiigAooooAK8r/bp/wCTI/jH/wBiPrX/AKQT16pXlf7dP/Jkfxj/AOxH 1r/0gnrfC/x4eq/Myr/wpejPwZ+FH/IgWH/bT/0Y1dFXO/Cj/kQLD/tp/wCjGroq/oyj/Dj6 I/EKvxv1CiiitTMKKKVPvj604q7SASiv1D+LfxO+PI/bWtfC+kaJqOr/AAlu2sbe9ivfD0b6 RLZyW0f2vzLtougDSnmT7w24P3D4f+yHdQeHP2r/AI/XXwvTzRp/hvWX8M/YIRd5ZbiPyfIX DCRSwXaMEMNvBr5ehxDKdF1pU18HOrSv8pe6uV/fs+x708mSnGCm9ZRjrG3xdVq+ZLrt07nx ZXQfD74Wa78UpdVXQ7IXn9h6dLq1+z3EcCW1rFjfIzSMq8ZHAOTngGvrb4x634/+Kf7C/jDW /jvpLWniHSdXs4fB99qmjx6ZqbySMPtMCIqRkw+Wu7lME7jltg2eXaM//Civ+Cf+o3gdY9b+ MmqrYwqeHTS7Fi0jL3+edgh7ECuuOaznSlypc6moKz5ottJ3Tsr2i22rL4WvMweXQjUhdvkc XJ3XLJKLael3a7VovVO6Pnqiv0O8XfFv9oDwJ4J+B1j8J9N1zUdBufBOkSXUcGgJeWUlycqU luGiPlAoE3fvE2qc5XrXAap8CPAHxO/4Kb6/ptpZacngvwzZtres6fpjD7M8tvbI09vHt4C+ edrKMYxIBjtlTz5Xk6sUopTekuZ2g7O6srX6au5csofJH2cm5Pk0asm5q6Sd3e3XRdX0PjCi vpib/gqv8TrbxGU04eHLDwUjeTD4STRrX+zUs8bfsxPl+ZsK9cOOScADCjmP2/8A4a6D4D+N VhqXhewTSdB8b6FZeJbTT4yNlh9pUl4lxwFDKxAHA3YAAAFdtHG1/axpYimo817Wlzba2eis 7drrR67X5qmEo+zlOhPm5d9LaXtdau6vbdJ6rTe3h1FfQ+nf8ortR/7KZH/6ba9+8XaRpn7R P7OHw5+D88FtF4ql+H9n4k8I3bnDS3kZlE9pn0lhj47ZXJ5UVz4nOfYt3hdKfK3fZKPM5bdF uuyv5G2Gyr23L79m4cy068/Io79XbXz+Z+fVFfQEtpLYf8EzrqCeOSGaH4nGOSORSrRsNNAI IPIIPavo7xd8W/2gPAngn4HWPwn03XNR0G58E6RJdRwaAl5ZSXJypSW4aI+UCgTd+8Tapzle tPEZtKEuWnFX5nH3pcq+Hmvflfp+pNHLVJc05P4ebSN38fJa116n540V9T/HX9nLQPjf+314 q8N+D7rRPDXh7S7T+0taurSPzrPShBbo16Yoo+XKyFl8tcfPkfKAceMfHr4W+E/hxeaXJ4O+ IFj4/wBK1GJy9xHp0unXFpKjYKSQSEsAQVKtn5vm4+XJ6cJmlKuqa1UpxUrWbsmr6tKy2drt XtoZYnL6lJza1jF2vou3Ru91dXSvbqef0UUV6R54UUUUAFep/wDBML/lLH8K/wDr01L/ANNt /Xllep/8Ewv+Usfwr/69NS/9Nt/Xi8Q/8i6t/hf5M9XJP9+peq/NH7i0UUV+An7GFFFFABRR RQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFAH4+/wDBdv8A 5SNeB/8AsR4P/SvUq+aa+lv+C7f/ACka8D/9iPB/6V6lXzTX7rwp/wAiymfknEf+/wAwooor 6M8IKK9l/Y/+FGgfFK0+J7a7Yfbj4e8EX+r6efPki+z3URj2SfIw3Y3H5WypzyDS/s8/CjQP HP7PXxl1zVLD7VqnhTTLG40qfz5E+yySXBRztVgrZXjDggdq4a2YU6bmpJ+7y3/7edl/wTso 4KpVUHFr3m0vkk/1PGam07TrjWNQgtLSCa6urqRYYYYULyTOxwqqo5JJIAA65r6ktvB3wY+D X7Kfww8b+KvBGreLvEnilNQjfT4damsLS8EVyUM00i7mRkXYEWIANlt2eDWnqPgL4c/Bb9rT 4R+IdJ8KXeo+FPiHp+n6tYaLc6tNE+h3U06orCYZeVY2UMFcnccgnGK5f7Xi5uEact5RT0s5 QvdLXydm7LzT0NXl0lT9o5x2jK2t1GVtXp0bV1v1Sa1Pk3XdBvvC+sXOnanZXenahZyGK4tb qFoZoHHVXRgCpHoRVSvsn4/SfDv4zf8ABQ7TvBw+Hn9mXU3jb7H4g1L+3rmb+3keUI37r5RB nk/u2zz1rm/FXh34Nap+094e+F/hnwFqSR2njSHTNT12+1ycy6pB57RzW4t1wsaBmwjhvM2R qT8zMazw2cupCm5UpKUo832bJaa/Ftrot/Lc2xWVqlUqqNRWg7db31stt9NenmfLVFfQ3wi+ BnhbxR/wUifwDfaX5/hMeJNRsBY/aZl/cRef5aeYHEnGxed2Tjkmt79lH4DeD/Ffhf4h6xN4 Iuvin4h8N3/k23hC21qTTZorAFi94hjzLOwYLGEUMfm6EsuNqucUacOdp/DGXTaTst2ktd7t JdzKOV1ZVHSTV1Jx67pN9rvbSyu9rHzZ4b8Iat4yuZ4dI0vUdVmtbd7ueOztnnaGFOXlYKCQ i92PA71nV9s/sL+JvAPh743/ABYsLb4c6ta+XoGp3UcWp6tNBdafaJEguNMeMDu+5RK37xQo yM5rzbwJ4R+HP7TWhfFkeG/Ao8G6to3h2LXPD9qNautQeH7K+btQzkCTzUZcBlO3HB61j/bD jVmp02oxjB3937Xf3unlfZ+V9VlalTjy1FzOUo211ta1tOt+tt11vb5vor6b8V/smeH9O/4J +ab4wgj2+PbU2+uanmZ8nSrq4mtrceWW2/ejR9wUHDdTWtN+xt4Uv/jl4P8AAd5HdaJ/wj3g seJPHd7aTtJdvL5RneONJGZEZVaJBtUD5iSprX+2sMua9/dck/8AtxXb81slbdtaGayqvJRa +0otefNJRS9Xe+vTW58nUV9Z/DHSfgX+154rvvAXhz4b6p8O9evbW5m0HWx4juNQ8+aGNpFj ngl+RFdFJbaWIIwGH3qyvhH4C+E/gf8AYvtviN468Jal4p1pfFVxo1vY22qzWUWoD7Ojqk0i k+WiDzHBjXez7ASVzSecRjdTpyUvd933bvmbSekmtWmtXpbWwLLJSa5JxafNrrZcqu73V9n0 TT6HzlF4Q1afwvLriaXqL6LBcC0l1BbZzaxzEbhEZcbQ5HIUnOK6J/gdqyfAJPiN9o07+xH1 s6AIPMf7V54h87dt2bNm3jO/Oe3evrHwb8YvhVF+wDr+pSfBvzfD8PjKKCfRv+EtvB9onaFm jn8/bvXZGQmwDDY3Hk1z/wAKtf8Ah/pP/BOy71bxl4f1XVtFg+Ik02naDZX5t1upjZrshmuM F1iVC+WUbyVX1Nck84r2n+6a5Zxj9l3vy6aSeuvpa2t726YZZSvD94nzRk+qtbns9UtPd163 vpazPjuivpz4veAfhVY6D8H/AIo6R4Wu9F8HeK9Qns9f8NTancXawrbTKkjR3GRKdyFjwR0X AHIq5pH7G2geGv23vFuia5G918OPBun3Piu4KyuoutLEIlgjWQMGyTJGm4Nk7W712f2zRUHK cXGym7O1/cdpLRvXtbfozm/suq5JQaldxStfXnvZ6pWV1Z3tZ2vufK9FWNWuob3VLma3tlsr eWVnit1dnWBSSQgZiWIA4yTk45qvXrJ3VzzpKzsncKzvF/8AyKeqf9ekv/oBrRrO8X/8inqn /XpL/wCgGlP4WEPiR+wP/BFD/lGT8NP+4p/6dbyvqivlf/gih/yjJ+Gn/cU/9Ot5X1RX875p /vtb/FL82fteA/3Wn/hX5BRRRXCdYUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFAB RRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAV5X+3T/AMmR/GP/ALEfWv8A0gnr1SvK/wBu n/kyP4x/9iPrX/pBPW+F/jw9V+ZlX/hS9Gfgz8KP+RAsP+2n/oxq6Kud+FH/ACIFh/20/wDR jV0Vf0ZR/hx9EfiFX436hRRRWpmFKp+YfWkopxdncD7a+O/7cU3g79vO4aLxP/wl3wqvIbKw 1PSE1Aaho9zay2sKXG2Lc0W9WLNwAdykE4LA878G7rw5+zN8efjrbaF410SPTv8AhDtSXwzq lnrUX79pDFJbxwzK/M6jjap3bkOBXyPRXgQyGlCiqMHZcnI9PitazfmtfvZ6/wDa9R1FOSva UZLytuvR6X9EdhL4j8Y/tH+PdD0vVte13xNq19cx6dYtqd/LePGZZAoVTIxIG45OK9B/b98Y Wl78abfwho8yTeH/AIZ6bB4XsWTpK0C/v5T23NMXye+0V5V8OPiNrHwl8b6f4j0C5jstY0qQ y2s728VwIXKld2yRWQkAnBIODgjBANZF9fTanezXNxI009w7SySMcs7Mckk+pJr0HhP38Jqy hBOy/vPr8lf/AMCZyRxNqU07uUrK/wDdWtvm+X/wE+svjH+2XrnwkuPgdN4L8YyXen6J4J0t dW0e01TzbCadd6zW91CrFN5TCsHXco2nggGnRfE34e/s0ft0W/ivQbnTbz4Z+OtLLXdppc0c 0mjwXsWJoHijJ8topPm8rGQmAATxXyNRXIskoWcf5lNS/vKbvr6dH017nR/atXS32eRx/uuC STXrbVbPrsj6Wuf2E/Bi662pp8e/hUPA+PtaznUi2uC2278GwC7jN28vduz2z8tcJ+2r8ddL +PXxrN54einh8LaDp9toeiJOu2T7LbrtVmHbcxdhnnBAPIrySit6GAnGpGrWqObimldJb7t2 Wr039bLUyq4yLhKFKCjzb2u9tbK+yv8APRa6Hu1h4v0lP+CbF/oR1TThrb/ENL1dPNyn2poP 7P2ecIs79m75d2MZ4zVj9pT4sR6TN8DNX8L63Zyat4W8F6cGls7hJm0+7inmfy5ACdrr8pKN zg8jmvAaKay+Kq+1v9py++PLYX12XsvZW+zy/wDk/Pf79D7K/bH+LPgP4n/sZWWs+GtS0i11 7xl4ui8Qaz4eiuI/tGm3f2FoLhvKzv8ALaSPeHKgEy571mfGP9svXPhJcfA6bwX4xku9P0Tw Tpa6to9pqnm2E0671mt7qFWKbymFYOu5RtPBANfJFFctHIqEIqEveipN2eujjypeiR0VM3rT bltJx5brR/FzOXq3v6n1brXhDw9pf7Z4134WfE7wh8PbTWdMXxF4fu5ryJbPTrmQKZdOuSm5 LbAM3ySIVwFj2ndWD+3ve+F7nS/BYTUvAOu/EjyrlvFOqeDMf2XfAyAwSuUVY3uXzI0jIqnJ IIxsx84UVdPKuSpSqOo37NW2V2tVZvdrXVdWrkSzHmhUjyL39X2vpd22vpp2vYKKKK9g8wKK KKACvU/+CYX/AClj+Ff/AF6al/6bb+vLK9T/AOCYX/KWP4V/9empf+m2/rxeIf8AkXVv8L/J nq5J/v1L1X5o/cWiiivwE/YwooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigA ooooAKKKKACiiigAooooA/H3/gu3/wApGvA//Yjwf+lepV8019Lf8F2/+UjXgf8A7EeD/wBK 9Sr5pr914U/5FlM/JOI/9/mFFFFfRnhHrH7H37Qel/s+fETUpvEGjza54Y8TaTPoOs2tvIEu Pss5Xe8RJA3jbwCVzk/MvBHfXH7RXwd+HPwU+IHgvwD4e8d58ZafDH/bGu3FvJcyTJOjrC0U TLFHCqhyHUM7NJggBRXzTRXnYjLKNap7Sd7u17NpPld1deTO7D5hVoxUYW0baur2bsnb1SX6 Hqnxd+OWk+Pv2cvhZ4Qs7fUY9S8EJqS30s0aCCX7RcLInlEOWOAOdyrz0zWr8WP2m9N8UXHw cu9Gs78Xfw10WzsrpbtERLi4gmMuYyrNlDwMsAf9mvFqK0jgaSaa6SlL5y5r/wDpTM3i6ji4 vZxUPkrW/wDSUfTnj/8AaV+Ed5+1V4X+KfhzTfiFb6h/wkMet+IrS/8AsjwKFZGZbQK24ksG /wBY4HTpnA8hvfjR/Zf7T1x8QdJt2ZYvEz6/aW90ArMv2ozokm0kAkYBwTjnBrgaKjDZbRoJ KN3Zcqu76disRjqlfm57e87uytd66/iz7E0H9sH4CeDv2iLf4p6b4M+IcvijUr43moWtzeW/ 9n6TJKv+kTWqowedyS4VZWRP3hbC4VR5J8HPHXweWfULzxzZ/EvTtdh1ltT0rV/Cd3bpcLGc FY5FmO2No3Xerx/MTIckbVz4tRWNLJ6NNNQlLZK/M7pLZLy/PqbVMzq1Heai9bvRat7t/wBe h9OaX+3bol/+2n4i+IGseH9SHhXxPpcugXdnbTI9+LRrdIfM3ttVpj5ascsPvEbjjJ4/4ZfG /wAEfs9ftYaP4o8FQeL7rwTaYgvLbWvszajdQSxmO4UrEREeGO0E9VGSO3idFXHKMPGPJFPl 5ORq+jirrXz1evmRPMq83dvXm5k7ap6bdtl9x9VeG/24fBln+1NrWr6lomu3Xws1Pw5F4Xj0 gRRG7S0giiEO5TIELCSMtnzON5IPauI8NftqXXh/9r3xD8S7nSV1mw8SyXltfaTcS+V9osJ1 KCAuA20rGIwDg/cHavDKKUMnwsd1e8eR3e66/N9XuxzzPESVk7e8p6dGtFbyXRH1Bof7RnwQ /Z4vNT8SfCrw58RLnxpdwT2unP4mntRY6GJkdWliEJZ5HUNtCyZyCSWyOfNNV+OelX/7GWmf DsQaj/bln4sl16SdkT7K0D23lBQ2/fv3c424x37V5VRVU8roxfM25O6d27v3b2Xorv72KeY1 ZaJJL3tErL3lZv1tZfI93/Z1+PHw+0r4DeJPhz8StP8AGEui6rqsGtWl34ba3+1Qzxp5ZVhO Qu0rjnnvwOtYer/HLQZP2P2+HVnbauNQTxk+vwzTJGYfshtvJVWcNu83OMgJt9+1eSUVby6k 6kqmurUrX0urWdvkrkRxtSMIwVvdTS01tK91/wCTM9V+IHxy0nxX+yh8P/Atvb6imr+FNQ1G 7u5pI0FtItw4ZBGwcsSAOcqPbNe6/Gv41tpf/BODwQ95ZyWvjTx5Zp4elvSdsl1o2mzyGM9e ATJGucfOAckgCvjWtHXfF+reKLawh1PVNR1GHSrcWllHdXLzLZwjkRRhiQiDJ+VcCsMRlVOp yJbKfO/Pd29LteVkbYfMZ0+Z9eTkX3r8unW9jOooor1jzQrO8X/8inqn/XpL/wCgGtGs7xf/ AMinqn/XpL/6AamfwsqHxI/YH/gih/yjJ+Gn/cU/9Ot5X1RXyv8A8EUP+UZPw0/7in/p1vK+ qK/nfNP99rf4pfmz9rwH+60/8K/IKKKK4TrCiiigAooooAKKKKACiiigAooooAKKKKACiiig AooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACvK/26f8AkyP4x/8AYj61/wCkE9eq V5X+3T/yZH8Y/wDsR9a/9IJ63wv8eHqvzMq/8KXoz8GfhR/yIFh/20/9GNXRVzvwo/5ECw/7 af8Aoxq6Kv6Mo/w4+iPxCr8b9Qor6t+EniTwl8F/2ArDxvffD3wn4w8Uv4yuNMsJdZsxNBEp tUcmdRhp0ChwsbNtVpN/VRntP2c/hXoZ+BCfE5rH4CWniTx1rV7st/H0zW2iabaxyYMFla8q W387i2UQKozuJrya+dKkpylB2jLlTutZb/dbW77Ho0csdVQSmryTdtdEr6/erJfkfD1FfZnx c+GPgC4/ak+CN1pb/DDUL7xLqkFt4p0jwhfR3+hLIlxCoZISP3aSxscxsMZU/eO5muaX8Y/h 7L+1zdfCR/gp8P18I6j4huPD9xdm2MmsiWSZoTPFdZXyV3kMscajy1G1WGAalZ05wjKlSbbU na6VuV2e+93t38ipZWoSkqlRJJxV7N/Errbt17a79fieivsD4O+DPB3wG+FXx/1DXvCGi+OL j4eeJLOx0kalCCDILieFDIwG7yshHkjBAkCbTwa0f2XPBmh/GXwx43+L+o6J8FNE1aPU7fSN L0vxFu0zwnp7eQplkMALCSR1+6hOAxd85AFE88hFTqKD5I8qvpq5KLStv9tXfTz2HHKJtwg5 JSlzaa6KDkpO/wD267dWfF1FfX/7YXgr4dP4I8GeIb69+EEPiSPXUsNcsvhjqSSWlzphy/nC 3ODHMuGXdyDuGWPyqsn7aej2958I9Ru/CHw7+FN/8Nre6tl0fxf4QAGoab/dg1E7jKZWiZQ4 lVQHkQli+BTpZ3Gp7O0GuZtatJKzS3e973S3evXQJ5S4ua517qv1u9+nlbV9Lp7M+PKK/RqL 4F+Gf2eYNC8N2kf7LVxbLY2tzrMvj/UT/b97NKitKyblItoypAjUBgMbuSxFeZfCD4UfCzw1 +1N8b7SLTtH8d/D/AMPeEbvVbCKK7S7TaBbylILkbirrueMSqd6885zWMOIqU1OUYO0U2vNJ pfK99O6vtYv+xKiULyV5OKt25tvW3Xs9r7nxlXRa18KNf8PfDnRfFt5YeT4f8QzT2+n3Xnxt 9okhIEg2Bi64J6soB7Zr6OXxf4W/at/ZU+KN5L8N/A/gzVvh7HY3+kXnhyw+yyvHJMYmiuG3 EzHaPvHqTnAIrrPil+1L/Zf7Afw0vf8AhXPwruP7buNV077PPoG+DT/LIj8+3XzP3czZ3M/O WAOKurm1dNQhS97nUWm11jzKzWn+Vn5MVHLaMvelU91xbTSe6euj+/z9T4jrd+Gnw11r4weO NP8ADfh2y/tHWtUcx2tv50cPmsFLEbpGVRwpPJHSvrv9mjwVceGvgL4bv5/BH7OHhy21dZJl 1b4oX3nXfiMhyDLaof8AURouxSmME4cZ3V0/w10PRP2b/wDgrMvhbw74d8NS6T4kEE8TXFv9 pfRi9m07mykyPLBYsM4PyNtwBUV895ZVaVON5RjNrVNPk3vb8r30adnoKllLdKFaUrJ8t9Ht L8/y6ptanxP8N/hdL8Q/iRD4am1rw74YmkeWOS+12+FpY2zRqxIklAYDJXaODkkDvXO31r9h vZofMim8l2TzIm3I+DjKnuD2NfWXwE8eaX+05/wUM8H2GteAfh3pmmW0+o2s1jpWhpDa6jtg uHElxG5dZHDKCCR2Fcv+z54f8M/Cn4D+NvizrPhbSPGWo6VrkWgaHpmqKZNOt5pI3d554RgS qEICoe4zwcMNv7UnB3qx15YPlVt5ylFa+dl6IJZbFylClLRSau77RjzPTySfr0PnCivp/wAY ax4Z/at/ZJ8Z+MP+EE8KeCPF3w6vbHEvhmxNhY6jaXUhi8uSHLDzFYFt+c8KOBnPYfHH4t+C v2XNI+GEel/CD4ea/rWveDNL1DVrzW9NFxDMjIRiOEFUWZmV2aYgs24A5AFX/as+ZUlSfPzc trrflUr32tytflYy/s6LXtFUXJy817P+bltbvf8ADU+MKK9p/wCCgnwv0L4S/tRa3p3hq0/s 7RrqC11GC0Bytr58CSMi/wCyGY4HYHA4FfUPwR+GaaLpHgrR9b8A/szeEdP1aC0M2neMb/7T 4r1SKXaJLmJzkq0pL+XGRmNvlwMUq2dQhhaeJUfj1tdJ7X/q1whlkniJUHL4eqTenT8+tu25 8L/Df4Ua/wDF3Ur+08PWH9oXGl6fNql0nnxxeVbQgGR8uyg4BHAyT2Brna+7f2TtSsP2ff2o /jh4G0vw34Z1DTdE07Wry1utSsTcXqxQABbQylgTbsMB0I+bGc18d/GL4o/8Lg8bSa1/wjvh bwv5kSRfYPD1h9isl2jG4R7mwx7nPNVg8yqYjEOEYfu+WMk+vvX3Xy/q48Vl8KFDmnL31OUW unu8u333+7szlq9T/wCCYX/KWP4V/wDXpqX/AKbb+vLK9T/4Jhf8pY/hX/16al/6bb+p4h/5 F1b/AAv8mGSf79S9V+aP3Fooor8BP2MKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiii gAooooAKKKKACiiigAooooAKKKKAPx9/4Lt/8pGvA/8A2I8H/pXqVfNNfS3/AAXb/wCUjXgf /sR4P/SvUq+aa/deFP8AkWUz8k4j/wB/mFfVmtfAT9nz4S+F/h3/AMJzqPxcj1fxr4dsdcmn 0prCSxtBPkNkPH5oVWVjgBztxjceK+U6+9/HHxJ+EnhY/s+6b8R/h7Hr8l34I0dl1+XV544t LiO4KJLNSsc0auCzbm5VmGDgA9Gc1KkXSjDmd27qDSk7Rb0u0jnyuEJe1lPlVo3Tley96K1s m9n2PHPCv7CunWX7e1t8Jdf1u7vdElie7GpaYqQT3EH2NrmMqHDqjcAEEMODg8g09v2d/g98 cPh94xuPhVq/xFs/EvgnTZNcuLLxVBaPDqNpFkTCJ7YfI65U5c85AA5LJ6X8ItM8UaJ/wWKl j8aXUGqavvvX+0W8P2eC4tjp8nkGNATsTydgA3MRjlmOSfIPGP7ZXhnw/wCAfEfh/wCGPwt0 74ezeLIDp+salJrdxq91Pa5yYYmlA8kNyGxncCOAQCPJjXxteVNUpOUvZ05XTSjdyldyTs2m l0V9Nloep7LC0nUlVilFVJKzu3ZRi7Rte2rdru2q1Zn3v7IEniX4X/Bm58JR6pqfin4nPqMc 9rI6G3hNvOI1ZMICiBCWdmZgACeAK3/BX7L/AMN/Hf7Zfhb4W6Vr3iDV7AxzW2va1bXEKx3N 7FbyyP8AYgYjthV49u59+7nGBhj7b8JfjBofgH9kz4N+GtfkGiWXxC0bX9B/4SWAst3oLSXi 7XU5x5TPtEg4OAp3AKQfKP2Kfg1rnwB/4KbeGPCviC38nUNMuLxd658q5jNlcFJYyQNyMMEH 35wQRTljq7hieaTjyKu4/wB7llNX/wC3LJW8030MPqtJUqU4xu5ezUv7t4xf/k7vr5NdWfLu oW4tNQniXJWORkBPXAOK7Pxj4N0PTfg14P1Sw0rxzBrery3SXt5qFtGujXvlybVFi6je7LkC TcThuK5DWv8AkM3f/XZ//QjX0L8Zv+TEv2d/+whr3/palfRV6rjKhH+aaX/kk3+h53so+0rW 2ipNfJnkNn+zr8QdRn1KK38C+MZ5NGYJqCR6Lcs1ixQOBKAnyHYQ3zY4IPSvSP2Bv2ZY/j98 Tbu71zw9rut+EvDun3N/dxWMUqrqE8ce6OzEyD5XkJGFBDEA49a94/aj/ap+IHh3/gpZo3hz TvFGqad4f0rV9KtU021maG1uI5hA0omRSBKWMjcvnAPGMVH8HvFGp+CP26v2g9I0bU9R0rSo tL8QaglnaXTw26XKYKTBFIUSLk7WxkZ4Ir56rm2LqYJ1LKLnSc4tN6bX6b+9ddn33PVpZXho 4uMLuSjUjFppa817ddvds+62tsfMvxX+Hd78R/jReaT4I+EXirwjdWdoj3HhiP7Zqt5a4A3T MJIxKqtvQ/MuBuHPIrg/FngHXfAXiD+ydc0XVtF1TCt9jv7OS3uMN90+W4Dc9uOa+o9Z+Lfj zwv/AME9tC8V+G/EPiQar4l8TXS+LtfhvJX1DfEqR2kUt1nzUTYFwN3OQM4bBr/EzxNr/wAR v2Efhtrnjya6vvEUXjWS10PUNRYvfXumtEHkYu3zyIJgBuJP3VGeld+Gx1aEo02lyqfs37zc r99b3V+jd+X3r9DhxOGpShKom+ZwlNaJKyvo7W6LdK3NpbqfOuq/BDxpoWlahfXvhDxRZ2Wk XAtL64n0qeOKymO3EcrFQEc70+ViD86+oqVPgD47kttWmXwV4tMWgll1Nxo9xt04qgkYTHZi PCEMd2MKQelfQf8AwU3+PnjDW/2ufE3hCTxBqcXhXTZ7S3i0iC4aKzceXFOWkiUhZH8xy25w T0wcAAeq/EP9qHx3pv8AwVg0bwra+Ir+08MWus2OmDSYH8uzminiiMpkjHyyOzSu29wWBxgj AxjTzXGToUqsYRvUhKe70SULdN3zfLu7a7V8uwtKrVhKUrU5KL0Wrbl59OXfr2V9Phk/CrxQ vgQeKT4b18eGS20av/Z832Anf5ePP2+Xnf8AL168daPAnwo8U/FKa5j8MeGtf8RyWYVrhdL0 +a8MAbO0uI1O3ODjPXBr7H+Bn7QXi/4t/tUfFvwx4g1q61DwvJ4f1yyj0R2xp1rFbqUhWKAf u0KqgG4DJ5ySSTXKfs/anH8Fv2QNG8SeMfiL8UtB8Ka/rl1HpWj+A/JtLrz1VVlnnunI3KfL 2iInsGXPzYv+2K6i1KC5nyOKV38d7LbVrlfZegnldLnSjJtJzi9EvgSbe+3vLz9dj55+HvwC 8TeO/jLY+CDouu2esS3ccF7bnTJXudNjZlDyyQ4DBUVgx3YGOpHWuq+Jn7KWq/An4/QeHfEu i+NL3wy2uDTIdQstHe3n1yMSAH7GJN0bysp+VQzDJHWvoz9q3xRc+E/2q/2f9Z0W/wDF+k3O q6Nplvd3erTfZtZurc3m0retGQGcpw+eD3zXCfGf4heJvEH/AAVAsdF1fXNdvdL0n4hWpsLC 8vJZLeyU3cW3yo2JVAVxjaBxiow+Z4rEVKclZRcZtrreMlG6/T116DxGAw9ClVvdtOFn5Ti5 W/zfkrW1PnXx/wCEIYPi3qeheHNL8TJGNRaysNP1W2A1cHfsSGWKMf67PylVHXjFJ47+C/jH 4XWsE/ibwn4l8Ow3TmOCTVNLntFmYDJCmRQCQOwr6/8AAA1HRf2hv2rPEPhaJ5vHuh/bW0Ty oRNcQJJfMtxLEhBJdUA5HTd0OcVx/wCzD8VfGvxk+A3xttPHWta34m8GWvhSW6F1rd3JdpZ6 kjKbVYpJS212Yk7VPJVeDxRDN6ypKcUrRjByu9XzJPTT7r/E9NC6mV0/rDpybvKc4xstFy9/ v1tstddj5w8P/Bjxh4sOnf2V4U8S6n/bEUs9h9k0ueb7dHEwWV4tqneqMQGK5Ck4OKyPEnhn UvB2uXGmavp97pWpWjbJ7S8gaCeBsA4ZGAZTgjqO9fVPxP8Aj74w+EH/AAT9+CGneFtf1Hw8 mt/2tJeT6dM1vcy+TeHYolUh1X942QCM984rmv8AgodrVx4x0r4NeIdRf7TrWteBLOW/u2H7 y8kDuN7nu3qa66GY15V1GcVyOc4LV39xy1elteV6fPyOSeBpKi5Rk+ZQjPbT3uVW/wDJr3+X mfNtZ3i//kU9U/69Jf8A0A1o1neL/wDkU9U/69Jf/QDXsz+Fnlw+JH7A/wDBFD/lGT8NP+4p /wCnW8r6or5X/wCCKH/KMn4af9xT/wBOt5X1RX875p/vtb/FL82fteA/3Wn/AIV+QUUUVwnW FFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRR RQAUUUUAFeV/t0/8mR/GP/sR9a/9IJ69Uryv9un/AJMj+Mf/AGI+tf8ApBPW+F/jw9V+ZlX/ AIUvRn4M/Cj/AJECw/7af+jGroq534Uf8iBYf9tP/RjV0Vf0ZR/hx9EfiFX436noeofHr7d+ y1p/w1/srb9h8RyeIP7R+1Z374PJ8rytnGOu7f7Y7103wT/av0rwZ8LJfAvjvwHp/wARfCUd 22o2FtLqEum3Wm3LbQxjuIwWEbAHKADJOc9QfFqKwngKE4uElo3zbtO/dNO6fpY1hi6sJRlF /CrLRbO+luu73PoP4Z/FPw78S/2xPhOvhXwLpXgPRdL12yhhtLe6kvbictdK7PPcyYeU7iQu QNq4XoBXofxe/bU8JfCr9o/xhq1l8GvC5+Iuia1fW1n4gXUbiO1DpK8aTvYD92023lnDAs5L 8GvjmiuSrk1CpOLk3ypNW5pXd3d3le78073OqnmlWEZWSu3F7RsuVNL3bW679LHpfh39o+40 n4GfELwfd6e2oXXxAv7LUJtTa62tbvbytK2Y9h3lyx53Lj3q7+zp+09D8G/D+u+GvEPhXT/H PgjxKUlv9Hurh7V1mjDCOaGdAWicZ5IBJAxx1ryeiuuWAoSjODjpNpvfdJJNdrKKta1rX3OV YuspQnzaxvb5tt+t3J3ve6dttD1z4lftBeDNX1Hw5/whnwl8OeEtO0PUF1O4t7y9m1mXVZAV /dTSy7WNuVQAxYxksc/Ma3/iH+194Um+FHiPwt8PPhbZ/D5fGLQLrV3/AG9c6o9zFDJ5qRxr IFWIbzzjIKnGOhHglFZ/2Zh2op3fK76yk76p63fvWaVua9uhoswrJuUbJvTSMV32003eqsz6 Kh/bT8F+PvDWjx/E/wCD2nePPEOiWiadFrUHiC50ea5to1CxidYlIlkGD85PTHA5zyfgT9qq PwT4x+JGqxeFNKtoviBoV5oiWGmv9itNJWfZh402vuC7Pu/LnJ5FeQ0UlleGSkknaV9OaVtX d2V7K77JB/aFf3XdXjZp2V9Nru13bzueifCX49/8Ku+E3xE8L/2V9u/4T2ytrT7T9q8r7D5M xk3bNh8zOcYyuPU11HgX9q3w/Zfs5J8PfGHw8tvGMWlXNzd6Hf8A9sz6fJpcs64YlY1PmgP8 20soPQjvXidFaVsvoVbua1bT0bTulZNNNNaaaE0sbWp8vK9r9E1rvdNWfzPoPw5+2l4Yv/hp 4Z0nx18J9H8c614KtTY6Hqkur3FlHFAp3RR3FvGNtwFbqGIDLxgEszZ3jL9t/UfEn7XekfFy z0Gy02/0sWgOnLOz28nlQiJ1B2qVV13YHO3IGWxz4bRWccqwsZuoo6u/V2974rK9lfrZFPH1 3T9k3potlfTa7td2tpd6Hv8Ao/7YXhLwN+1J4e+JHhP4Xx+HItJ+0y3ulp4gmuRqM06SoZBL JGREB5nCqmPl7Z4579n/APatX4QaZ4j8P674W03xr4H8WuJtS0W7ne3YSJu8uWGdAWikBIyw UkhRjBwR5DRT/svDcnI4tqyjq5N2Tclq3fRttO91prorN5jiHP2l7O99Elraz0StqtH31vuz 2r4zftaaZ4s+Fn/CC+AvAmnfDnwhdXKX+o20WoTajd6ncITt824kAYxrlSqYOGXOecDmf2hf j3/wvm48IP8A2V/ZX/CK+G7Pw9j7V5/2r7Pu/ffcXbu3fd5xj7xrzuiro4ChSacFqm3dtt3a tdttt6aa3IqY2tO6k9GrWSSVr81kkrLXXTr6non7UPx7/wCGkvizL4o/sr+xfMsrWz+zfavt GPJhWPdv2J125xjjPU16yP8AgoN4b1fVNE8U6/8AB7QNe+JWiQW8Mevz6vcJazGDCxyPYqPL LhB13cOAwAChR8xUVMssw0qcKTWkNrNr5XTvZ9U9H1HHHV1OU76vR3Se22jVum+57h4T/bQk 8LftZ+I/iX/wjVve2PipryPUNDmvDtltrkYeHzgg56fNs7fdrzf4weK/DfjPxvNfeE/CY8F6 M8aLHpY1OXUfLYDDMZpQGO484xgdK5eirpYChSmp01ZqKju9ltdXs7dG9RVcbWqKSqO/M3J6 Ld7taaXsr2sFep/8Ewv+Usfwr/69NS/9Nt/Xllep/wDBML/lLH8K/wDr01L/ANNt/XDxD/yL q3+F/kzqyT/fqXqvzR+4tFFFfgJ+xhRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUA FFFFABRRRQAUUUUAFFFFABRRRQB+Pv8AwXb/AOUjXgf/ALEeD/0r1Kvmmvpb/gu3/wApGvA/ /Yjwf+lepV801+68Kf8AIspn5JxH/v8AMK6Lx98V9f8AihBoceu3/wBuTw3pkWj6cPIji+zW kWdkfyKN2Nx+Zssc8k1ztFfQOEW1JrVbeR4inJJpPffz6/mj0eH9rb4g2/jzw/4nXXx/b3hf TRpGm3psLYyQ2oRoxG2Y8SfK7DdIGbnrmvOXcyOWPUnJpKKmnQpwd4RS9F5t/m2/VvuVKrUk rSba/wCAl+SS9EkdF4l+K+v+MPA3h7w3qN/9o0XwqJ10u28iNPsomcPL8yqGbcwB+YnHbFdL Y/ta/EHTvE/hLWo9f/4m3gazbT9FvHsbaSa0tyjJ5bM0ZMqhWYL5m7buOMZrziiplhaMlyyg mtei+1fm++7v3u77jVeqtpPZLforWXorK3ayHzzNcTPI5y7sWY46k10OtfFzxD4h8CeHfDN5 qHnaJ4Uknl0q28iNfsrTuJJTvCh23MAfnJx2wK5uitHCLs2ttV5Pa6+Ta+ZPtJXbvvv5+p1n i/44+KPHnxYHjjVdU+1eKFuILoXv2aFP3kIQRN5aqI/lCLxtwcc5yauWP7R/jPTfiH4h8Vw6 zs1/xXb3Nrqt19kgP2qO4x5y7Cmxd2OqKCO2K4eisvqtHlUORWStay27emi02NPrNbm5+Z3u nu91s/VXdmegfA39qf4gfs2z3b+CvE15oqXwxPAI47i3lPHzGKVXj38Ab9u4DIzgkVT+Lv7R HjX48+L4dd8W+ILzWtStdv2dpQiRW2Nv+riQCNM7QTtUbjyck5ri6KPqtD231jkXP/NZX+/c X1ir7J0OZ8j6X0+7Y6D4kfFLXfi58QL3xT4hvv7Q13UZEluLryY4vMZFVFOxFVBhVUcAdK0d U+P/AIu1n4zx/EK51bzPF8V1DerqH2WEYmiCrG3lhPL4CLxtwccg1x1FUsPSSUVFWSstNlpo uy0WnkuwpVqkm3KTbk7vXd66vu9Xr5s6zwh8cvFPgPxvqviPStU+y6zrcVzBe3H2aF/OS4z5 w2shVd2T90DHbFdF8Dv2yfiX+zfot3p3gzxVdaRp97KJpbZraC6iD4xuVZkcISMZK43YXOcD HmNFRUweHnFwnBNOys0tlsvl07FRxNaMuaM2ndvd7vd+r6vqdh8Tvj94x+Mup6Ve+J/EF9rF 9okPkWV1MVE8KeY0n+sUBmIZiQWJI4AOABXS/EL9tr4ofFa98NXHiDxVLqU/hC8S/wBJd7K2 U206FSsh2xjzDlF/1m7POepz5VRS+pYf3V7OPu3totL727X6jeKrtybm/e0er1S2T7nY6P8A tA+MvD3xdufHen6/eWHiu8u3vZ7+2CxGeR33vuRQIyjN1QrsPQrjiug+Nn7anxQ/aJ0GHS/F /i681TTYHMgtI4IbSGRsggyJCiCTBUEbwdvOMZNeXUUPBYZyjN043js7K69O3yGsXXSklN+9 vq9fXv8AM6LxL8V9f8YeBvD3hvUb/wC0aL4VE66XbeRGn2UTOHl+ZVDNuYA/MTjtijx18V9f +JWm6Daa1f8A2238Maeul6YnkRx/ZrZSSqZRQW5J5bJ9652itVRpppqK0be3V3u/V3d31uzL 2s7Wu9rfJWsvRWWnkgrO8X/8inqn/XpL/wCgGtGs7xf/AMinqn/XpL/6AaufwsmHxI/YH/gi h/yjJ+Gn/cU/9Ot5X1RXyv8A8EUP+UZPw0/7in/p1vK+qK/nfNP99rf4pfmz9rwH+60/8K/I KKKK4TrCiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKAC iiigAooooAKKKKACvK/26f8AkyP4x/8AYj61/wCkE9eqV5X+3T/yZH8Y/wDsR9a/9IJ63wv8 eHqvzMq/8KXoz8GfhR/yIFh/20/9GNXRVzvwo/5ECw/7af8Aoxq6Kv6Mo/w4+iPxCr8b9Qoo orUzCiiigD3T9gn4ceEviF488ZS+MtA/4SXSvDXg+/11LD7dNZ+bLbmIqPMiYMMgsO4+bODg V1GueDvhP+0T+zV458V+DfBGofDTXvh19luJYP7bm1Wz1WG4lEYVnmAZJFKvgKB153Z+SH/g mLrv/CL/ABD+JGpfY7HUf7P+HmrXP2S+h862udhgby5UyNyNjDLkZBIrqvE/xP8A+GuP2HfF S+H9K0PwLq3ga/i1bXPD3hixSx03XrJsKt00YBkLwkDILlQEDEZKbPk8xqVVjW4uSS9nrzNR jeTveOzutNVpvpa59Jl0Kbwq5km26mjim5WjFpKW8bX0s/S7snj2mnfCL4G/sp/C/wAR+J/h QfHWt+NV1F7m5Pie80zyvs9zsUbI9yH5WUcBfu85Jre0X9jvwEP26vBGgx2WoX3gPx74cbxN baZf3DR3NkklrPIkDyROGOx4wQd2cYBLYLNNrf7RB+Av7D3wMK+CPh74wbUY9XIbxPo39oG0 KXn/ACx+ddm7d83XO1fSsD9hz41eI/j3/wAFGNB8T+KL/wDtDVbq3vV3eWqRwxrZThI0QDaq Adsc8k5JJOFT617LE4iEmlH2+vM3s5KPLHaPLbdW2630qDw69hRkk3L2OnKuri5Ny3d1fTXf yOM0L4L+Gvgh8Bp/G3xD03+09Y8WwvD4N8OSXEtuXj76ncGNlcQrwI1yPMJ/ukMMr4vfCnQP C/7Hvwh8U2Nh5GveKLjWE1O68+RvtIguVSL5CxRdqkj5VGe+a9A+MCL+3b8Fn8eafsHxI+Hd itp4m0uFVRNR02Mny7+3jHC+WDiRVG0ZyAo2hsH4/f8AKPz4A/8AX14g/wDSxK7aeIqudN1J NTdW0o30S5Kjil3T0lfq97WSWdShTV1CKcOSTTtq5aXv2cXol0Vmr3u+W/YN+F+hfGf9q/wn 4a8S2P8AaWiam9yLm286SHzAlrNIvzxsrDDKp4I6eleVX9pjWJoIUY/vmjjRQST82AB3Ne6f 8EvOf26vAn/XS8/9IriuSm/Ze8e6Z4xtpde8J+LvC2jXGqQ28+saho9xbWtiss6oJWldVVQC w5JHavS+sKGYypzlZckLK/XmqJ2Xfb8DzfZOWBc4Ru1Le3Tl/I3bv/gnJ8bLDwK/iObwDqcW mRWpvHDXFuLpIwMnNt5nnhgOqbNw9K80uPhRr9r8Lrfxo1h/xTN1qDaUl6s8bAXKpvMbIG3q dvILKAexNfpD8FvhHp/gH9tiOws/gt8QNRvtHmlM/wATNe8RXjG+zCQ87KVFvNu37Aqtkjkq CGA+XP2W1b4v6P8AF/4MjY0/iaKbWPDsJwo/tOzkLiNCeFMsQKkk4wleLhM+r1VObSaioy2t 7rb5tpy2jqr8r7xR62IyajTcY3abk4b/AGre79lL4tHZyVno+/gl38H/ABJZfD7R/FMmmONE 8QXkmn6dOJY2e8mjxvVIg3mHBIG7bjJxnPFd94w/4J/fGLwD8OZfFereBtRtdEt7dbqeTz4J J7eIgHdJAshmTaDltyDYAd2MHHu914v0DwT/AMFAvg34AuZrb/hHfhTFbaHJJLjyH1J0LzT+ gJuXjyT0aPPau2tdbv8A4R/HLxFqulfso+MIfEOL8XuuzeMdQksryJkd5pJJpozburKC3zMc ttA+bFPE57ioqMqUV7ycleyvG/u6ynG11Zt+9a693vOGyihKTjVk/d5Yu17qTV5aKMr2eiWl 7PVdPjr4SfsefEn47aFaan4T8LXOs2F5dy2Mc8VxAiLLEgkcOXceWArLhnwpLBQSxArhPFnh a/8AA/ijUdG1SD7LqWk3Mlndw71fypY2Kuu5SVOCCMgkehr6Gv8AxPf6N/wSnsbSyu7i0tdW +IU8N5FFIVW5jWzWRUf+8odVbB4yqnqBXzTXuYOvXq1anPbli7JWd+mrd7ddred+h5OIo0qd Km435pK7fTdrRWv03v8AIKKKK9E4QooooAK9T/4Jhf8AKWP4V/8AXpqX/ptv68sr1P8A4Jhf 8pY/hX/16al/6bb+vF4h/wCRdW/wv8merkn+/UvVfmj9xaKKK/AT9jCiiigAooooAKKKKACi iigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigD8dv+C/8AeN4W/bz8Eavc 29ybD/hC4YlkSPiR1u7/AHKpOASvmISM8Bh6ivj3/heWk/8APvqP/ftP/i6/pLor7bLOM54P DRw8aV7db/8AAPlcfwvDFV5V5Ttfy/4J/Np/wvLSf+ffUf8Av2n/AMXR/wALy0n/AJ99R/79 p/8AF1/SXRXf/wARCq/8+f8Ayb/7U4/9S6f/AD8/D/gn82n/AAvLSf8An31H/v2n/wAXR/wv LSf+ffUf+/af/F1/SXRR/wARCq/8+f8Ayb/7UP8AUun/AM/Pw/4J/Np/wvLSf+ffUf8Av2n/ AMXR/wALy0n/AJ99R/79p/8AF1/SXRR/xEKr/wA+f/Jv/tQ/1Lp/8/Pw/wCCfzaf8Ly0n/n3 1H/v2n/xdH/C8tJ/599R/wC/af8Axdf0l0Uf8RCq/wDPn/yb/wC1D/Uun/z8/D/gn82n/C8t J/599R/79p/8XR/wvLSf+ffUf+/af/F1/SXRR/xEKr/z5/8AJv8A7UP9S6f/AD8/D/gn82n/ AAvLSf8An31H/v2n/wAXV7U/ijZaTYWlxNbXwjvULx4VCccdfm9xX9HtfE//AATP/wCTy/2o v+xob/0u1CvQwvGlSth61d0rezSe+95JdvM4sRwtClXpUlP421ttZN9z8jP+F5aT/wA++o/9 +0/+Lo/4XlpP/PvqP/ftP/i6/pLorz/+IhVf+fP/AJN/9qdv+pdP/n5+H/BP5tP+F5aT/wA+ +o/9+0/+Lo/4XlpP/PvqP/ftP/i6/pLoo/4iFV/58/8Ak3/2of6l0/8An5+H/BP5tP8AheWk /wDPvqP/AH7T/wCLo/4XlpP/AD76j/37T/4uv6S6KP8AiIVX/nz/AOTf/ah/qXT/AOfn4f8A BP5tP+F5aT/z76j/AN+0/wDi6P8AheWk/wDPvqP/AH7T/wCLr+kuij/iIVX/AJ8/+Tf/AGof 6l0/+fn4f8E/m0/4XlpP/PvqP/ftP/i6P+F5aT/z76j/AN+0/wDi6/pLoo/4iFV/58/+Tf8A 2of6l0/+fn4f8E/m0/4XlpP/AD76j/37T/4uquu/GTTNU0O8to4L8PcQPEpZEwCykDPze9f0 q0Un4g1Grex/8m/+1GuDKad/afh/wT5b/wCCLdnLY/8ABM34ZJNFJC5TUpArqVJVtTu2VsHs VIIPcEGvqSiivgsVW9tWnWtbmbf3u59hQpeypRp72SX3BRRRWBqFFFFABRRRQAUUUUAFFFFA BRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFeY/ts6fPq37G fxctbWGW5ubnwXrMUMMSF3ldrGYKqgckkkAAetenUVdKfJNT7O5M480XHufzP+Cfirp/hvwx bWU8N60sO/cY0UqcuzcZYetav/C8tJ/599R/79p/8XX9JdFfoMfECpFWVH/yb/7U+NfBtNu7 qfh/wT+bT/heWk/8++o/9+0/+Lo/4XlpP/PvqP8A37T/AOLr+kuin/xEKr/z5/8AJv8A7Un/ AFLp/wDPz8P+Cfzaf8Ly0n/n31H/AL9p/wDF0f8AC8tJ/wCffUf+/af/ABdf0l0Uf8RCq/8A Pn/yb/7UP9S6f/Pz8P8Agn84vh39qH/hEJLttJu/EWltf2z2V0bSXyDcwPjfC+2QbkbAyp4O BkU/wv8AtUyeCJLt9Fv/ABLpD39u1ndNZT/ZzcwNjdE+yQbkOBlTwcdK/o3oqHx9N3vQWvn/ APalLg6Ktaq9PL/gn84up/tQ/wBtaHp+mXl34iu9N0gSCxtJpfMgst53P5SGTam48naBk9aP C37T/wDwg2txalot34h0fUYAwju7GX7PPGGUqwDpIGGVJBweQSK/o6op/wCv07OPsFZ+fff7 PUP9ToXT9q9PLt8z+cnwn+1VJ4C1dr/Qr/xLot+0bQtc2E5tpijfeUukgOD3Geaj1D9qH+1v D+n6TdXfiK50rSTI1jZSy77ezMh3SGKMybU3HltoGT1r+jqil/r9K/M6Cv6//a+b+9j/ANT4 2t7V/d/wT+cTwt+08PA2vQapot14h0fU7UkwXljL9nnhypU7XRwwypIOD0JFdF4r/b88V+PN Cm0vXPGXxD1nTLnb51pfatNcQS7SGG5HmKnBAIyOoFf0M0VMuO3OSlLDptef/wBqOPCKirRr NJ+X/BP55f8AhvjxSNM02y/4TD4g/Y9GeOTT4P7Wm8qxaMbYzEvm4QqOFK4wOldB+yN+214Q +Bfx7sfGviGx8UaidGiuLm0hs0iLXN40bJH5rNKpEeXJYjJ4+6cmv36orOpxvz05U/YJKSad nZ67/ZKjwmoyjJ1b8trXV1p89j+cHxJ+0na+LvEN9quoDVLm/wBSuJLq5ldELSyOxZmPz9yT XRan+3l4m1rwl/YF54u8f3eheSlv/Zs2qSyWnlJjanlGXZtG0YGMDA9K/ocorR8dtpReHVlt rt6e6L/VL3nP2zu99P8Agn84sn7UPm+Fo9Da78RNokVybxNPMubVJyu0yiLzNocrxuxnHGaz v+F5aT/z76j/AN+0/wDi6/pLorReIFRbUV/4F/8Aamf+psHvV/D/AIJ/Np/wvLSf+ffUf+/a f/F0f8Ly0n/n31H/AL9p/wDF1/SXRT/4iFV/58/+Tf8A2ov9S6f/AD8/D/gn82n/AAvLSf8A n31H/v2n/wAXR/wvLSf+ffUf+/af/F1/SXRR/wARCq/8+f8Ayb/7UP8AUun/AM/Pw/4J/Np/ wvLSf+ffUf8Av2n/AMXXu/8AwSR19fHP/BU74aXllb3Xk2drqQmLR/6sf2bejccEgLl1GT3Y DuK/dSiuTHcbzxOHnQlStzJrfurdjpwnCkMPWjWVS9mnt/wQooor4U+tCiiigAooooAKKKKA CiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAoo ooAKKKKACiiigAr4n/4Jn/8AJ5f7UX/Y0N/6XahX2xXxP/wTP/5PL/ai/wCxob/0u1Cveyz/ AHDGf4Y/+lo8fH/75hvWX/pLPtiiiivBPYCiiigAooooAKKKKACiiigAooooAKKKKACiiigA ooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKK KACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigA ooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKK KACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAK+Dv+CfvxF8P/D/APbI/aaOva7o 2iC68UyCA397Hbedtvr/AHbd7DOMjOOmR61941+cX7K/7IPgT9q39rT9pD/hNdMuNR/sHxdL 9i8q8lt/L8681DzM7GGc+UnXpj3r6XI1ReExSxDajyxvZXfxro2up4Wbe1WJw7opOV5b6L4X 6n3T/wANH/Dz/ofPBn/g7tv/AIuj/ho/4ef9D54M/wDB3bf/ABdeMf8ADoL4E/8AQs6j/wCD m6/+Lo/4dBfAn/oWdR/8HN1/8XXP7LJ/+flT/wABj/8AJG3tMz/kh/4E/wD5E9n/AOGj/h5/ 0Pngz/wd23/xdH/DR/w8/wCh88Gf+Du2/wDi68Y/4dBfAn/oWdR/8HN1/wDF0f8ADoL4E/8A Qs6j/wCDm6/+Lo9lk/8Az8qf+Ax/+SD2mZ/yQ/8AAn/8iez/APDR/wAPP+h88Gf+Du2/+Lo/ 4aP+Hn/Q+eDP/B3bf/F14x/w6C+BP/Qs6j/4Obr/AOLo/wCHQXwJ/wChZ1H/AMHN1/8AF0ey yf8A5+VP/AY//JB7TM/5If8AgT/+RPZ/+Gj/AIef9D54M/8AB3bf/F0f8NH/AA8/6HzwZ/4O 7b/4uvGP+HQXwJ/6FnUf/Bzdf/F0f8OgvgT/ANCzqP8A4Obr/wCLo9lk/wDz8qf+Ax/+SD2m Z/yQ/wDAn/8AIns//DR/w8/6HzwZ/wCDu2/+Lo/4aP8Ah5/0Pngz/wAHdt/8XXjH/DoL4E/9 CzqP/g5uv/i6P+HQXwJ/6FnUf/Bzdf8AxdHssn/5+VP/AAGP/wAkHtMz/kh/4E//AJE9n/4a P+Hn/Q+eDP8Awd23/wAXR/w0f8PP+h88Gf8Ag7tv/i68Y/4dBfAn/oWdR/8ABzdf/F0f8Ogv gT/0LOo/+Dm6/wDi6PZZP/z8qf8AgMf/AJIPaZn/ACQ/8Cf/AMiez/8ADR/w8/6HzwZ/4O7b /wCLo/4aP+Hn/Q+eDP8Awd23/wAXXjH/AA6C+BP/AELOo/8Ag5uv/i6P+HQXwJ/6FnUf/Bzd f/F0eyyf/n5U/wDAY/8AyQe0zP8Akh/4E/8A5E9n/wCGj/h5/wBD54M/8Hdt/wDF0f8ADR/w 8/6HzwZ/4O7b/wCLrxj/AIdBfAn/AKFnUf8Awc3X/wAXR/w6C+BP/Qs6j/4Obr/4uj2WT/8A Pyp/4DH/AOSD2mZ/yQ/8Cf8A8iez/wDDR/w8/wCh88Gf+Du2/wDi6P8Aho/4ef8AQ+eDP/B3 bf8AxdeMf8OgvgT/ANCzqP8A4Obr/wCLo/4dBfAn/oWdR/8ABzdf/F0eyyf/AJ+VP/AY/wDy Qe0zP+SH/gT/APkT2f8A4aP+Hn/Q+eDP/B3bf/F0f8NH/Dz/AKHzwZ/4O7b/AOLrxj/h0F8C f+hZ1H/wc3X/AMXR/wAOgvgT/wBCzqP/AIObr/4uj2WT/wDPyp/4DH/5IPaZn/JD/wACf/yJ 7P8A8NH/AA8/6HzwZ/4O7b/4uj/ho/4ef9D54M/8Hdt/8XXjH/DoL4E/9CzqP/g5uv8A4uj/ AIdBfAn/AKFnUf8Awc3X/wAXR7LJ/wDn5U/8Bj/8kHtMz/kh/wCBP/5E9n/4aP8Ah5/0Pngz /wAHdt/8XR/w0f8ADz/ofPBn/g7tv/i68Y/4dBfAn/oWdR/8HN1/8XR/w6C+BP8A0LOo/wDg 5uv/AIuj2WT/APPyp/4DH/5IPaZn/JD/AMCf/wAiez/8NH/Dz/ofPBn/AIO7b/4uj/ho/wCH n/Q+eDP/AAd23/xdeMf8OgvgT/0LOo/+Dm6/+Lo/4dBfAn/oWdR/8HN1/wDF0eyyf/n5U/8A AY//ACQe0zP+SH/gT/8AkT2f/ho/4ef9D54M/wDB3bf/ABdH/DR/w8/6HzwZ/wCDu2/+Lrxj /h0F8Cf+hZ1H/wAHN1/8XR/w6C+BP/Qs6j/4Obr/AOLo9lk//Pyp/wCAx/8Akg9pmf8AJD/w J/8AyJ7P/wANH/Dz/ofPBn/g7tv/AIuj/ho/4ef9D54M/wDB3bf/ABdeMf8ADoL4E/8AQs6j /wCDm6/+Lo/4dBfAn/oWdR/8HN1/8XR7LJ/+flT/AMBj/wDJB7TM/wCSH/gT/wDkT2f/AIaP +Hn/AEPngz/wd23/AMXR/wANH/Dz/ofPBn/g7tv/AIuvGP8Ah0F8Cf8AoWdR/wDBzdf/ABdH /DoL4E/9CzqP/g5uv/i6PZZP/wA/Kn/gMf8A5IPaZn/JD/wJ/wDyJ7P/AMNH/Dz/AKHzwZ/4 O7b/AOLo/wCGj/h5/wBD54M/8Hdt/wDF14x/w6C+BP8A0LOo/wDg5uv/AIuj/h0F8Cf+hZ1H /wAHN1/8XR7LJ/8An5U/8Bj/APJB7TM/5If+BP8A+RPZ/wDho/4ef9D54M/8Hdt/8XR/w0f8 PP8AofPBn/g7tv8A4uvGP+HQXwJ/6FnUf/Bzdf8AxdH/AA6C+BP/AELOo/8Ag5uv/i6PZZP/ AM/Kn/gMf/kg9pmf8kP/AAJ//Ins/wDw0f8ADz/ofPBn/g7tv/i6P+Gj/h5/0Pngz/wd23/x deMf8OgvgT/0LOo/+Dm6/wDi6P8Ah0F8Cf8AoWdR/wDBzdf/ABdHssn/AOflT/wGP/yQe0zP +SH/AIE//kT2f/ho/wCHn/Q+eDP/AAd23/xdH/DR/wAPP+h88Gf+Du2/+Lrxj/h0F8Cf+hZ1 H/wc3X/xdH/DoL4E/wDQs6j/AODm6/8Ai6PZZP8A8/Kn/gMf/kg9pmf8kP8AwJ//ACJ7P/w0 f8PP+h88Gf8Ag7tv/i6P+Gj/AIef9D54M/8AB3bf/F14x/w6C+BP/Qs6j/4Obr/4uj/h0F8C f+hZ1H/wc3X/AMXR7LJ/+flT/wABj/8AJB7TM/5If+BP/wCRPZ/+Gj/h5/0Pngz/AMHdt/8A F0f8NH/Dz/ofPBn/AIO7b/4uvGP+HQXwJ/6FnUf/AAc3X/xdH/DoL4E/9CzqP/g5uv8A4uj2 WT/8/Kn/AIDH/wCSD2mZ/wAkP/An/wDIns//AA0f8PP+h88Gf+Du2/8Ai6P+Gj/h5/0Pngz/ AMHdt/8AF14x/wAOgvgT/wBCzqP/AIObr/4uj/h0F8Cf+hZ1H/wc3X/xdHssn/5+VP8AwGP/ AMkHtMz/AJIf+BP/AORPZ/8Aho/4ef8AQ+eDP/B3bf8AxdH/AA0f8PP+h88Gf+Du2/8Ai68Y /wCHQXwJ/wChZ1H/AMHN1/8AF0f8OgvgT/0LOo/+Dm6/+Lo9lk//AD8qf+Ax/wDkg9pmf8kP /An/APIns/8Aw0f8PP8AofPBn/g7tv8A4uj/AIaP+Hn/AEPngz/wd23/AMXXjH/DoL4E/wDQ s6j/AODm6/8Ai6P+HQXwJ/6FnUf/AAc3X/xdHssn/wCflT/wGP8A8kHtMz/kh/4E/wD5E9n/ AOGj/h5/0Pngz/wd23/xdH/DR/w8/wCh88Gf+Du2/wDi68Y/4dBfAn/oWdR/8HN1/wDF0f8A DoL4E/8AQs6j/wCDm6/+Lo9lk/8Az8qf+Ax/+SD2mZ/yQ/8AAn/8iez/APDR/wAPP+h88Gf+ Du2/+Lo/4aP+Hn/Q+eDP/B3bf/F14x/w6C+BP/Qs6j/4Obr/AOLo/wCHQXwJ/wChZ1H/AMHN 1/8AF0eyyf8A5+VP/AY//JB7TM/5If8AgT/+RPZ/+Gj/AIef9D54M/8AB3bf/F0f8NH/AA8/ 6HzwZ/4O7b/4uvGP+HQXwJ/6FnUf/Bzdf/F0f8OgvgT/ANCzqP8A4Obr/wCLo9lk/wDz8qf+ Ax/+SD2mZ/yQ/wDAn/8AIns//DR/w8/6HzwZ/wCDu2/+Lo/4aP8Ah5/0Pngz/wAHdt/8XXjH /DoL4E/9CzqP/g5uv/i6P+HQXwJ/6FnUf/Bzdf8AxdHssn/5+VP/AAGP/wAkHtMz/kh/4E// AJE9n/4aP+Hn/Q+eDP8Awd23/wAXV/w58Z/B/jHVUsNI8V+GtVvpAWS3s9TgnlcAZJCqxJwP avCf+HQXwJ/6FnUf/Bzdf/F14R8SP2W/Bv7K3/BRv4GWHgrT7jTbbVZnnuVku5bgu4LKOXYk cdhW+Hy7LcS5U8PUnzKMmrxVtE30k+xjWxuOoJTrQjytpaSd9XbsfolRRRXzZ7oUUUUAFFFF ABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAU UUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABXxh/wTK/5O0/ap /wCxuX/0s1Svqnxr8ZPC/wAOfFHh/Rdc1ux0zVPFU7W2k2877WvpF25Ve2cug5IyWUDkgV8g fsCeOtI+Gf7Q37XGva/qFvpWj6Z4pE11dTthIl+26mPqSSQABySQACTX0OW0an1DFe6/ejC2 m/7xLTvroeJjqsPruH1Wjlfy9xvU+5aKz/CvinT/ABx4ZsNZ0m7ivtM1S3S6tLiI5SaJ1DKw +oIrQr59pp2e57SaaugooopDCiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKA CiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAoo ooAKKKKACiiigAooooAKKKKACvjD9tH/AJSafs9/9tf/AEY1fWHxR+JWlfB34e6v4n1yWWHS dEt2ubl44jI4UeijkkkgfjzgV8Z/tDfEjRvi9+3x+zP4l8PXiaho2sQSXFrOoK718xgQQeQw IIIPIIIPSvoeHqU/bSq2fLyVFfpfkenqeJndSHso07+9zQdutuZan3XRXB/BT9pPwh+0LdeI o/CepHUx4Yvv7PvZBCyxmTBwY2Iw6nDYYenoQT3leFVo1KU+Somn2Z7FOpCpHnpu68gooorM sKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACi iigAooooAKKKKACiiigAooooAKKKKACivza/4LE/t/8Axg/Zy/aj8K+Bvht4ks/DVnf+HE1e eR9Ntrp55XuLqMhjNFJhQtuMbQOWOSeMfL//AA88/ax/6Kpp3/gh03/5Dr6fA8JY3F0I16Tj Z+b/AMjwcXxFhMPVdGpe69P8z9xaK/Dr/h55+1j/ANFU07/wQ6b/APIdH/Dzz9rH/oqmnf8A gh03/wCQ66/9Rsx7x+9/5HN/rZgfP8P8z9xaK/Dr/h55+1j/ANFU07/wQ6b/APIdH/Dzz9rH /oqmnf8Agh03/wCQ6P8AUbMe8fvf+Qf62YHz/D/M/cWivw6/4eeftY/9FU07/wAEOm//ACHR /wAPPP2sf+iqad/4IdN/+Q6P9Rsx7x+9/wCQf62YHz/D/M/cWivw6/4eeftY/wDRVNO/8EOm /wDyHR/w88/ax/6Kpp3/AIIdN/8AkOj/AFGzHvH73/kH+tmB8/w/zP3For8Ov+Hnn7WP/RVN O/8ABDpv/wAh0f8ADzz9rH/oqmnf+CHTf/kOj/UbMe8fvf8AkH+tmB8/w/zP1G/4KNfstP8A tM/ASY6SjL4w8KOdV0KWLiVpFALwKeo8wKMc/fWM9q/Nb9l7wx4z/bJ+OGs+CWupoLHx5rUf iHxdcRJsKJbvO7sew+e5cKpGPMaP+7WF/wAPPP2sf+iqad/4IdN/+Q64z4cftafHn4Q+K9e1 3wx4v0HR9X8US+fq1zFoti7Xb72fIV7UrGMuSVjCqTgkZFfV5PleZ4LB1MNJRb+w9fdd15d7 SXmj53M8fgMVioV02l9paar7/k/I/erw14csvB/h2w0nTLaOz07TLeO0tYIxhYYo1Coo9gAB +FXq/Dr/AIeeftY/9FU07/wQ6b/8h0f8PPP2sf8Aoqmnf+CHTf8A5Dr5V8D5k3duP3v/ACPo lxXgUrJP7l/mfuLRX4df8PPP2sf+iqad/wCCHTf/AJDo/wCHnn7WP/RVNO/8EOm//IdL/UbM e8fvf+Qf62YHz/D/ADP3For8Ov8Ah55+1j/0VTTv/BDpv/yHR/w88/ax/wCiqad/4IdN/wDk Oj/UbMe8fvf+Qf62YHz/AA/zP3For8Ov+Hnn7WP/AEVTTv8AwQ6b/wDIdH/Dzz9rH/oqmnf+ CHTf/kOj/UbMe8fvf+Qf62YHz/D/ADP3For8Ov8Ah55+1j/0VTTv/BDpv/yHR/w88/ax/wCi qad/4IdN/wDkOj/UbMe8fvf+Qf62YHz/AA/zP3For8Ov+Hnn7WP/AEVTTv8AwQ6b/wDIdQal /wAFS/2rtL06e5k+KdgUt42lYLoOmZIUEnH+h+1H+o2Y73j97/yH/rZgfP8AD/M/cyivCf8A gmh8ePEX7TP7EPgbxt4snguvEOsR3iXk8MCwrMYb24t1bYuFBKxKTgAZJwAOK92r5KvSlSqS pS3i2vuPoqVRVIKpHZq/3hRRRWRoFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAU UUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFfO3/BWH4o6/wDBr/gn58Q/EXhfVbvRNcs4 rKK3vrV9k1uJr+2gkKN1VjHI4DDkZyCCAa/HjR/j78btV0m1uv8AhevxUj+0wpLt/wCEkvzt 3AHGftHvX0eTcN18xpOrSklZ2/L/ADPEzPPKWBmoVE3dXP6EKK/n3/4Xd8bv+i8fFT/wor// AOSKP+F3fG7/AKLx8VP/AAor/wD+SK9n/UHGfzo8z/XDC/ys/oIor+ff/hd3xu/6Lx8VP/Ci v/8A5Io/4Xd8bv8AovHxU/8ACiv/AP5Io/1Bxn86D/XDC/ys/oIor+ff/hd3xu/6Lx8VP/Ci v/8A5Io/4Xd8bv8AovHxU/8ACiv/AP5Io/1Bxn86D/XDC/ys/oIor+ff/hd3xu/6Lx8VP/Ci v/8A5Io/4Xd8bv8AovHxU/8ACiv/AP5Io/1Bxn86D/XDC/ys/oIor+ff/hd3xu/6Lx8VP/Ci v/8A5Io/4Xd8bv8AovHxU/8ACiv/AP5Io/1Bxn86D/XDC/ys/fvxJ4csfGHh6+0nU7aK807U 7d7W6t5RlJonUqykehBIr8X/ANov4LeOP2YP2mbbwBpNzqdy9pcyHwk6D97NBenYvlHs5OVO OkisRjrXkn/C7vjd/wBF4+Kn/hRX/wD8kVl6r4y+J2va9Z6tqHxZ8b6hq+m/8eOoXWp3U13Y c5PkytMXjz32kZr6Hh/h/G5bOfM1KMlt59H+j8meJnOcYTHRja8ZJ7+XVfqvM/cj9jP9mmy/ ZR+AWj+FYPLk1AL9r1W5Qf8AH1eOB5jZ/urgIv8AsovfNeqV/Pv/AMLu+N3/AEXj4qf+FFf/ APyRR/wu743f9F4+Kn/hRX//AMkV4eI4Jx9erKtVqJyk7s9ajxVg6VNUqcGktEf0EUV/Pv8A 8Lu+N3/RePip/wCFFf8A/wAkUf8AC7vjd/0Xj4qf+FFf/wDyRWX+oOM/nRr/AK4YX+Vn9BFF fz7/APC7vjd/0Xj4qf8AhRX/AP8AJFH/AAu743f9F4+Kn/hRX/8A8kUf6g4z+dB/rhhf5Wf0 EUV/Pv8A8Lu+N3/RePip/wCFFf8A/wAkUf8AC7vjd/0Xj4qf+FFf/wDyRR/qDjP50H+uGF/l Z/QRRX8+/wDwu743f9F4+Kn/AIUV/wD/ACRR/wALu+N3/RePip/4UV//APJFH+oOM/nQf64Y X+Vn9BFFfz7/APC7vjd/0Xj4qf8AhRX/AP8AJFH/AAu743f9F4+Kn/hRX/8A8kUf6g4z+dB/ rhhf5Wf0EUV+dP8AwQI+PHjv4tv8YNK8Z+MfEXi+Lw3c6YLGTV76S8lgMpvll2vIzOA3kx/L uIG3jqc/otXyGYYKWExEsPN3cf8AK59Jg8VHE0Y1oqyYUUUVxHUFFFFABRRRQAUUUUAFFFFA BRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFAH4+/8F2/+UjXgf8A7EeD/wBK 9Sr5pr6W/wCC7f8Ayka8D/8AYjwf+lepV801+68Kf8iymfknEf8Av8wooor6M8IKK9G/Zj/Z 3uv2kfiDPpY1O20DSNKsZdV1nV7lN8WmWkQG+UrkbjkqAuRnPUAEj1jwz8J/2ZPil4sTwnoP i74qaJrWoTfY9P1rWrWyfSJZtwVC0aBZgkn8O4pt3DcRgivPxOY0qM/ZtOTSu+VN2Xnb0em+ mx2UMHOrHnukr2u3a70/K6u9l1Z8w0V9C/BT9l6z0/x58afDPjbTUu9U8A+E9TvLbZcSokV3 AUEc6lSu9SG3AMCCGGVrx3xh8HvF3w90i11DX/C3iPQ7C/IW2udQ02a2huCV3AI7qA3HPB6V dLH0ak+SL6Jrz5trd9hVMFWpx5pLrJNdU42vf7znKK7TxZ4U0TTPgv4U1W003xpb63qc92l9 eX9vGmi3axvhBZuBvdlBAk3E4Y8VTsfgd411PwU3iW28H+KLjw6kTztqsWlTvZLGhIdzME2b VIOTnAwc9K2WIhbmk7K7WvdGXsZ3Sirtq+hy9FafhHwZrHxA12LS9B0nUtb1OcM0dpYWr3M8 gUFmIRAWOACTxwBXpnwH/Yu8Y/F7476f4I1PRfEvhaSYebfXN1oc7HTISrlJZY22YRmTaCzK CTwT0pVsVSopyqySsr/JdbCp0alT4FfW3zPIKK6T4ofCPxF8HvEDWHiHQ9a0Z3Z/sx1GwltD dxqxXzEDgZU46jI96Z4Y+Enivxtb2k2jeGfEOrxX872tq9lp0063MyJ5jxoUUhnVPmKjkLye KqNenKCqqS5X1CdCpCbpSXvLoc9RXQ+HfhF4s8X+KL3RNJ8MeIdU1rTd/wBr0+002ae6tdjB G8yNVLLtYhTkDBOK2/hT8L5h+0l4T8JeLNHv7I3evWFjqWnXsUtpOI5ZowyMp2um5H68HBBF P29PZPW1/kJ05pXa02+fY4OivR/jn8JzZftSeL/B3g/Rr66Wz168sdM02yjlu5zHHK4VFHzS OQq+5wCTXN+Lvg94u8AarY2OveFvEeiXupnbZ29/ps1tLdnIXEauoL8kDgHkis6OLp1YQknb mSaT3s1fY1r4WpSnOElfkbTa20djnKK9p+PP7DvjD4H+CfDWuPpPiW/tNW0WPVdVdtCngj0C RmKm3nf5gGXjJfYeR8tefeDfgd41+Iuiy6l4f8H+KNd06B2ikutO0qe6hjdQGKl0QqCAQSCe hFTSx2HqU3VhNcqdr+jsFTCV4TVOUXdpNfNX/L7upy9FW9D0O98Taxbafptndahf3siw29tb RNLNO7HAVEUEsxPQAZr3T4YfsxnTPgf8Yr7xx4T1nSfEXhjR7C+0ddShubGW3825aNpBG20O rBSPmVhwcc08Vi6dCPNPy066tL9RYbDVK8+SH/APAKKKK6jnCs7xf/yKeqf9ekv/AKAa0azv F/8AyKeqf9ekv/oBqZ/CyofEj9gf+CKH/KMn4af9xT/063lfVFfK/wDwRQ/5Rk/DT/uKf+nW 8r6or+d80/32t/il+bP2vAf7rT/wr8gooorhOsKKKKACiiigAooooAKKKKACiiigAooooAKK KKACiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooA+V/wDgtf8A8oyfiX/3C/8A062d fj94Q/5FPS/+vSL/ANAFfsD/AMFr/wDlGT8S/wDuF/8Ap1s6/H7wh/yKel/9ekX/AKAK/WPD /wD3Wp/if5RPzrjP/eIen6s0aKK1fA3htfGXjbR9Ie6jsl1W+hs2uZBlbcSSKm8jI4Gc9R0r 9APjNtTKor6w/aT0f4I/s8+NfEHw1vvhR4oW/wBLs2htfFjeIZvttzMYd0Vx9kIW3MbSYUkH GzJC7htr5x8V/CjX/BPhDw9r+pWHkaR4qilm0u5WeOVbpYn2ScIxKlW4KuAfavPweYwxEFUU XFSty3t7103pZvom7OzS3R3YrAToScG05K/Mlf3bWWuiW7Surq/U52iu/wBK/Zc8e65rPhHT 7Pw7cXN946tje6JBHPE0l3ACQZWG/MScE7pdowCc4Ga7Xwz/AME+PiTH+0D4d8DeIfC95p91 q4W9mWO/tSfsKyqs8qSh2jLIpJ25Lcr8pyM6TzDCwdpVIp6vddL3+6zv2szGOEryXNGDa06P 7VrffdW73Vtzwuivb/2w/wBiXxP+y/4+uFbSb7/hFdS1OWy8P3c93b3NxqCLyuUiO4MQR1Re vSqfjD/gn98YvAPw5l8V6t4G1G10S3t1up5PPgknt4iAd0kCyGZNoOW3INgB3YwcZ0s1wdSl CqqkbT2u1q+3r5bm1TLcVCrKi4NuO9k3p39PPY8cor0T4Ufsm/EP45aRaX/hPwxd61Z3t7Jp 8csM0QVJo41kcSbnHlqFZfnfamWADZOK6Wy/4J3fGm/8fXnhmPwDqv8AathbrdTF5oEtRG2N pW5LiBieflVycq/HytjSpmGFpycJ1IprdNrQyhg8ROKnCDafZM8WorstP/Z68a6r8Yz8P4PD mov4xW5Nq2mFQsiOBkksTtCbfm8wnZt+bdt5qX45fs4+Nf2bdetNN8a6FLol3fwfaLcGeKdJ kBKkh4mZMgjkZyMjI5GdFi6DlGCmryV0rq7Xdd16E/VqyUpODtHR6PR9n2+ZxFFd18If2Z/H Xx7sbu48IeHrnXYrG6gs7jyJYw0Uk27y8qzA7flYl8bUCksVHNamm/sZ/E3WfjLffD+08KXd z4r0tFkvLSK4haO0VkEitJOH8lQVYYJfkkL14pSxuHjJwlNJxV2rq6Wmr7LVfegjhq0oqcYN p6J2dm7tW+9NeqZ5jRXc/G/9mzxx+zdrdnYeNvD9zok9/GZbZmkjnhnUHDbZYmZCRxlQ2RuX IGRn1X9uT4Hza1+3Tqvg/wABeF4/NuILAWml6RZLEgLWcLuwRAFUZLMzHAHLMRyay/tCi5wU GnGSk+ZNWtHlvr/29+Br9SqqM+dNONtGtddj5xor1b41fsQ/FL9nnwsmt+L/AAncaXpTzCD7 Ul3b3aRuegfyZH2Z6AtgE8ZzXqfiz/glt43079mzw34o03QtRn8Rzi7u9dtZNVsfs1lZqA8E sfzAksmSQHc+ynisqmcYKEI1HVjyydr3Vr2vvf8Aq67mkMrxc5umqcuZK9rO9vQ+VqK9P+CH 7GPxN/aN0S51Lwd4Tu9V061kET3T3EFpCz85VHmdA5GOQpO3IzjIzy2qfBnxXo3xPk8F3Hh/ VV8Vx3H2U6Wtuz3DSdQFVc7gR8wZcgqQwJBzXWsXQdR0VNcy3V1deq3RyvD1VTVZxfK+ttPv OZor7E/Zy/YH8a/CLxP4suviV4BhGlHwZq81pNdC21G3guY40KNujaRYpBklCdrHDbehx8d1 hhcxo4mpKFCSkopO6aa1v27WNq+Bq0KcalVOLbas009FF3178wUUUV3nGfbP/Bub/wAjZ8f/ APr70j/0PU6/T+vzA/4Nzf8AkbPj/wD9fekf+h6nX6f1+DcUf8jSr8v/AElH7BkH+4U/n+bC iiivAPYCiiigAooooAKKKKACiiigAooooAKKKKAPzt/Zs+Of7WP7X/g3UfFHhLxP4Ls9LttT l08w3lnFG0UipHLtUeS5KBZUAJbPBz616H/whP7bP/Q4fDr/AL8xf/I1H/BDH/k0vxD/ANjd c/8ApHZV9n19jnOZRwuOqYelQp8sXZXgj5nK8DLEYSFapWneSv8AEz4wPwy/bZ1c7P8AhYfw 60vb83mfZom3+3/Hk/8AIfWj/hSf7bP/AEWD4df+AUX/AMra+z6K8v8At6fSjS/8FxO/+x49 atT/AMDZ8Yf8KT/bZ/6LB8Ov/AKL/wCVtH/DP/7Zuq/Je/GfwRbxr8yta2aBifQ4sE469/wr 7Poo/t+p0o0v/Bcf8g/seHWrU/8AA5f5nxh/wzD+1z/0XLw7/wCAg/8AkWj/AIZh/a5/6Ll4 d/8AAQf/ACLX2fRR/rBX/wCfdP8A8Fx/yD+xqX88/wDwOX+Z8Yf8MnftW6r+7vfjzpUEQ+YN a2pDlvQ4gTjk9/Tij/hi79pr/o4T/wAl5P8ACvs+ij/WHE9IQ/8ABcP8g/sWh1lP/wADl/mf GH/DF37TX/Rwn/kvJ/hR/wAMO/tHap+7vf2i7yCIfMGtoJd+fThk469/wr7Poo/1ixXSMP8A wXD/ACD+xMP1cv8AwOX+Z8Yf8O/fj1/0ct4i/wC/Nx/8fo/4d+/Hr/o5bxF/35uP/j9fZ9FH +seM/u/+AQ/+RD+xML/e/wDA5f5n4gf8FJ/hn4k+B37Wfhvw/wCNfFl18QtevfDsd7b6zdKy yWtuZrxRbgMznAaORuoH708evk1fS3/Bdv8A5SNeB/8AsR4P/SvUq+aa/X+HMROvgIVKlrvs kvwWh+a55RjRxkoQ2823+YUUUV7h5B9M/wDBP2wl8c/Df43eDdMTzvEfiPwqJNNt1IEl2YJC zxJ6swccZ5rxv4J/B3xD8UfjVpHhbStMvn1Z79Ip4hA2+xCyBZJJRj5Fj/iLcDHNc14W8V6n 4H1+21XRtQvdK1OzbfBd2c7QzQnBBKupBHBI4PQmvYfGX/BSX43ePfDFzpGo+Pb77FeKEl+y WdrZSsoIOBLDEkgBxg4YZBIOQSK8mpQxdLETrYblfPa/M2rNaX0TurdNNt9dPQjUw9XDqhiG 1ZvZJ3Ttpq1bbfXfbTX6Z8GfEO68Sft//tF614J8261Wz8JXkWmNbW63LzXlsLWIFI9rCQmW PgYO7jg5ryz9nD4teNfjB8EvjrZfELWdc8ReF7LwxLctJrM0lyun6osg+yrG0mfLcvuwi4BK DjivnD4XfGjxR8FL3UrnwrrFzol1q1k+n3M9uq+aYWZWIRyC0bZVSHQqwxwRXX/Ff9tX4n/t BeHLbw/4x8Z3t9oayozwrbQwI+CMNIIUQy7cBgHJ5GRzzXl/2DUilSpqLjywjzP4lydVo9e2 qs9T0/7ag5OtPmT55zstU+ZL3Xqu1no7pvTU9E1fT9P1b9lj9my11baNKufE2rRXpZtq+S17 biTJ7DaTzX0f8Wf2l/BnwV/a4k0+81X9pRdX02+it7Tw1ppsf7AvI8COKG3s8r5kLrhV43tn Od3NfJ37V3jrwLbfBz4cfD7wN4luvGdv4ROoXd5rD6bJp0csl1KjCNIZfnBUJyeRyME8hafh /wD4KO/Gzwv4Ki8P2fj7UU02CBraPzLW2muUjOeBcPGZsjPDb8rgYIwMZVMrq4umqkVpzVfd leOkp3T+FtaLZpXT6dbp4+nhn7KT15YaxtKzV9NJJPfpLRrr09U8LeJrvwT+yN8aPGHw1i1T w3qV545S0uGgj+zajo2kfNJGhMeTCPMcIdrDG0jJxVP9hf49fE3xZ+1t8LV8T+JfFd1pN+bm 1tpr2eULqkAE7MjSnm5VZsgb2faw2jGAB4F8HP2lPHPwA8VXmteEvEd7pWo6ipW7kKpcLd5J OZElVkdskkMwJBJwRk1b+IP7WHxE+KXxL0rxhrnii+uvEWh7P7Pu40jt/se1tw2JGqoOevy/ N3zXY8oqN1KbjFxmvid3Je5yWWnzvzLRvTqck8yjKCknJSTei+F3m5Xeum9tnste2b8c/iF4 m8e/ELUR4m1zXdZuNNu57aEapeS3D2qiRsxr5hJQZ7DFe++E/jN4m+Df/BLi0l8L6vd6Fd6v 48nsri8s5DFcrCLRJSiSjDJlo0yVIJAxnBIPhPx0/aS8a/tKa3Zaj411o61eadAba3f7LBbi OMsWI2xIink9SM+9ZNx8V9fuvhbb+Cnv93hm11JtWis/Ij+W6aPyzJ5m3zD8nG0tt9s11ywE 6uGpUakYrlcW0tVo+mi3323+8xeOjHFzrwbaalZ7PVNLq9m++33H2L8G/H/hvwF+wTpHifXt c+L+nXHiHxPey69rHgi6hS+nuwcRi9uJjvClGyqhsMzMSCcGud+JHxs8NfGv48fs63Gg2nxD nfTNYtrRtc8X28Au9agXUIfLPnxEify3EqlsZBPJLFjXz38DP2qviB+zXJeHwV4lu9FTUBi4 h8qK4gkPHzeVKroH4A3hd2MjOCRTfiB+1J4++KfxP0vxjr/iO61LxDoksU1hcSQxLHZtEwdC kKqIh8ygkbMMeTnNcUMlnHGOvo1dtO7urxaty8vS9r821tDeWaRlg/Ya3tZ6aP3ua97/APtu /XU+lPBuh6jD+1p+0b4mXxj4g8G+G/DV1eya9NoFukmrXsD3rFYLd2/1LFo8+aD8uBn5SxGh +0V420bx3/wTyXxD4d1X4satHp/jS3k0/VfHNxHNqEUghcMbWeMn90Cv97hw3Qivlvwb+1J4 ++H3xc1Lx1o3iO50/wAUaxLNNfXcUMWy7aViz74SvlMCx3BSmAQCACBi/wDFz9sr4mfHfQbv S/Fviu71nTry4hu5LaS3hjiSSJSqMioiiPhjkJgMTlgTzWH9iYn2lJ3jaHs+tn7trr4db9G2 u1up1f2vh/3zs/fdTz+NNL7Wlutk/U9h/bq+MfjK5+DvwchbxV4mfTvEfgiCTU4zqc5h1SYS NvaYbtsr/dyWyema9q+Pnxn+H37PPiDwZp0/iL9oLw3p9joVhPo9v4QubK30G7h2K+9VkI88 szHzDJuySQeMCvi+y/a9+I9h8EpfhzH4nuD4NnjMLae9tBJiMvvKLKyGVV3DoHA6joa2vhV/ wUA+L/wV8GweH/DnjS7tNItSTBbz2dteeQMAbUaaN2VBjhQQo5wOTTqZHWcFCKjaMpO17XUm 2r+47ON7bS0vqjOnm1Pm5pN3cIxel7OKinb3ldStd7a23PobwJ4wXxD8bP2lfHPgbRNb8O+K 7bw8s+laff2C2+qWLyGMXk3kru2yZUtxk/vM8ZrmPgj8X/iH8Uf2EPjmPFeteJNf0K0s7Q2F 3qjSXIFwbhPNRLiTLEhRGTHvIXcDgbiT82+Ff2gPGngr4qN4303xJqcHiqSVppdRaTzZZy33 hIHysinjKsCpwOOK6n4jftz/ABW+LWn6paeIfGF3qVnrNmlhd2zWtukLRLIJAFRIwsbFgpLo FZtqgkgABzyOrZQiotWp6tu8eS2i0d723ut2Onm9P2ntJOSfNKWiVpc1t9dH955NRRRX1R84 FUfE8gh8N6g7IJFW2kJQ9GG08VerO8X/APIp6p/16S/+gGpl8LKj8SPvH/gnj+xR4++PH7Hn hDxX4c+OvjD4e6Nqv237P4f01bk21h5d7cRNs2XcS/O6NIcIOZD1PJ9p/wCHZXxa/wCjqfiL /wB8Xn/yfXT/APBFD/lGT8NP+4p/6dbyvqivxLMOIcdDFVYRkrKTXwQ7/wCE/VsHkuElh4Sk ndpfal29T4w/4dlfFr/o6n4i/wDfF5/8n0f8Oyvi1/0dT8Rf++Lz/wCT6+z6K4/9ZMw/mj/4 BD/5E6f7Cwf8r/8AA5//ACR8Yf8ADsr4tf8AR1PxF/74vP8A5Po/4dlfFr/o6n4i/wDfF5/8 n19n0Uf6yZh/NH/wCH/yIf2Fg/5X/wCBz/8Akj4w/wCHZXxa/wCjqfiL/wB8Xn/yfR/w7K+L X/R1PxF/74vP/k+vs+ij/WTMP5o/+AQ/+RD+wsH/ACv/AMDn/wDJHxh/w7K+LX/R1PxF/wC+ Lz/5Po/4dlfFr/o6n4i/98Xn/wAn19n0Uf6yZh/NH/wCH/yIf2Fg/wCV/wDgc/8A5I+MP+HZ Xxa/6Op+Iv8A3xef/J9H/Dsr4tf9HU/EX/vi8/8Ak+vs+ij/AFkzD+aP/gEP/kQ/sLB/yv8A 8Dn/APJHxh/w7K+LX/R1PxF/74vP/k+j/h2V8Wv+jqfiL/3xef8AyfX2fRR/rJmH80f/AACH /wAiH9hYP+V/+Bz/APkj4d/4J/3HjnwF+3V8Svh34l+Ivibx3p/hrR0ZJNUuZpFklZ7ZhIqS SSGMhZGXhuc89sfcVfGH7MP/AClz+OX/AGCIf5WdfZ9PiJ82JjOyu4QbsktXFN7CyRWoSj0U 5JddE33CiiivBPYCiiigD4e/bj1n4ifED/goZ4B+GXg/4ha34Hs9d8NNeGSzlcRLKrX0jO6I y7yVtkUZPHUd86X/AA79+PX/AEct4i/783H/AMfo+Nn/ACmz+EH/AGKNx/6K1evs+vrcZmVb B0cNToKKTppu8YvXml1afY+cw2BpYmrXnWbuptfFJaWj2Z8YH/gnp8dLseXN+0z4ojifh2ii uQ6j2xcA5/EfWj/h2V8Wv+jqfiL/AN8Xn/yfX2fRXn/6yY7o4r/tyH/yJ2f2HhOql/4HP/5I +MP+HZXxa/6Op+Iv/fF5/wDJ9H/DsX4qT/JcftSfEWa3biSPbdjevcc3xH6Gvs+ij/WTMP5o /wDgEP8A5EP7Cwf8r/8AAp//ACR8Yf8ADqXxb/0cP8Rf++pv/kmj/h1L4t/6OH+Iv/fU3/yT X2fRR/rLmP8AOv8AwGH/AMiH9hYL+V/+BS/zPjD/AIdQeJ5/kuP2g/iLNA/yyR7pfnU9RzcE cj2P0o/4c/f9Vl+Iv/f7/wCzr7Poo/1lzLpU/wDJY/5B/YOB/k/GX+Z8Yf8ADn7/AKrL8Rf+ /wB/9nR/w56jm+Wb4w/EWWFuJE84fOvccsRyPY19n0Uf6zZl/wA/Pwj/AJB/YOA/k/F/5nxh /wAOWPCX/RQ/iL/4Fw//ABuj/hyx4S/6KH8Rf/AuH/43X2fRR/rNmf8Az9f3L/IP7BwH/Ptf j/mfmP8A8FDv+CbOgfstfseeMPHem+L/ABhrV7oX2Py7PUp43tZvOvbeA7wqAnAlLDB6qK+E fC0pn8Mac5ABe1iYgDAGUFfr9/wWv/5Rk/Ev/uF/+nWzr8fvCH/Ip6X/ANekX/oAr9H4Lx+I xeHnPES5mpNfgj4jinB0cNWjGhGya/VmjWl4O8I6h4/8V6boek2/2vVNXuY7O0h8xY/Nldgq ruYhRkkckge9ZtKjmNwykhgcgg8g19n6Hyp92fs16R8VvH1/J8O/jn4J1XVfhtptjdmfW/Em mGGXwykUcjGe21B1G75tg++/yKNuEU54L9l3wMf2xP2cdY+E1pc79V8J+IrbXNDklwriwnlF veewCBxMR1JPGa+ffF37QXj34gaE2l69438Xa3pjsrNaX+sXFzAxU5UlHcrkHpxxXW/softA ad+zhN4y1opq7+JtQ0CfSdCe12iC2mnIDTTMWDDYFBUKrZPXGAa+Zq5ZiIU6laPLzvlcVFPl 5ou92m/tXtL+73Z79PH0ZTp0teTVNyeqjJcrSt2Wq87WS6+yXvxy8Q+Lf26/Fep/D7wlL418 PeHtGk8ONoFuWD3WhwiO1kWEpmQFnYOpjDMN+dpAYVnfFD4Jab8IPG3wO8S2cPi/wnp3iLXf Ofwl4mYm48PyRXkPnGIlVPkNlQpdFdgisxO75fmPwr4y1fwLr8Wq6JqupaPqkG7yryxuXt7i PcCrbXQhhkEg4PIJqTxn49134j6z/aPiHWtW17UNgi+1ajdyXU2wZwu9yWwMnAz3rrp5VOlV punK0YpJ73lZNa623d72vuupzVcwhVp1YzjrJtpaWje23XRK1r2dl2PrzVvAd98Nf+CtVrr/ AIw0O/0vw1qnjGV7HUb+zeOyuncMYWjlYbGw7RnIPynrjFd9a63f/CP45eItV0r9lHxhD4hx fi912bxjqElleRMjvNJJNNGbd1ZQW+ZjltoHzYr4P8Y/FrxV8RNPsrTxB4m8Qa7a6cMWkOoa jNdR2owB+7V2IXgAcY4Aq9qf7QHjzWvCX9gXnjbxdd6F5KW/9mzaxcSWnlJjanlF9m0bRgYw MD0rhqZDWnThCck7Q5HrNJrv7slfzT0fdHbHOaca06sYtc0uf7Laer05k++j3XzPXx4r1HQv +CXK2the3Vla6v8AEOW3vIoZSouYhYK4jfH3l3KpweMqD2FWf2r/AIja9f8A7If7P1hNrGov ZtpV7cNCZ22PJDdNFC5GeTHGNqk/dGQMZNfPLeK9UfwwuiHUr86MlybxbA3D/ZVnK7DKI87d +3jdjOOM0ap4r1TXNK0+xvdSv7yy0lGisbee4eSKyRm3MsSkkIC3JCgZPNep/Zn71VNNKnP/ AOSOP33afyPOWPapuHem4ffUU7+lk18z7d+NXijxho37eU2r+GvCs/jyafwJZ/8ACQaTEWE+ pWE0EUU+0p+88wl0w0YZh12lQwrxP9sz4D2Pwv8AAHgLXtNtvGHhez8UC+f/AIRDxKxa50GZ JE83ychSYGLKFLorsEVmJ3fL5BH8YPFsPi+38QJ4o8RLr1pEIINSGpTC8hjClAiy7t6qFJXA OMHHSqfjPx7rvxH1n+0fEOtatr2obBF9q1G7kuptgzhd7ktgZOBnvXNhcqq0alKUZJKKs7X1 XvWVttL3TtdarZm9bMadSnOM023ttZO0U33v7vez0vse/wD7OHiXUPC3/BPn48TabeXFjNPe aLaySQOUZopJpEkTI5wykqR3BIPBNdn+wj/ZWs/sbfErTR4CuviXqa6zZ3WoeH7HVptNu7uy CERuGhBkmVJQx8sA8sDjIFfJFj4v1bTPDt9pFtqmo2+k6o0b3llFculvdtGcxmSMHa5U8gkH HaneEfGmsfD/AF2LVNB1bUtE1OAMsd3YXT208YYFWAdCGGQSDzyDWuKyp1Y10pWdSUZLf7Kg km00949HdXutTLDZh7J0NLqmpJ/9vym21e6vaS3WtrPQ+lf2t/GN5D+zD4e8Mx/A/XvhP4dt /EUl1ZPq2t3N3I83kHzY44bmNZVQiRW3D5NwbHzbq9N+JPwtg+Lf/BVvxJp1xquvaZHbeH47 xotEuxbahqYTTId1pE+RzIpIYd0DDjOR8TeOfib4k+J+oQ3fiXxBrniG6t4/Kim1O+lu5Iky TtVpGJAyScD1puo/EfxDrHjGPxDd69rN1r8LxyR6nNeyveI8YAjYSlt4KhV2nPGBjpWEcmqK HuyUZctRX96Ws+Sz95tu3LqbyzSDldxuvc00jpGXM17qVr/f18j7jm8MWOm/sP8AxrnsfgZr vwetJrOyRm1XWLy7bU3S5VhiG5VWTZuzvUYJYjOVryPxh8OvEHxL/wCCb/wtl8O6Jq2upoWs 6ydR/s+0kuTZBnDhpAgJVdoJ3HgeteEeJPjp438Z/af7Y8Y+KtV+2Wws7j7Zq08/nwB94ifc 53IH+baeM84zVXwr8WvFXgXQ73TNE8TeINH03UwReWljqM1vBd5XafMRGCvleOQeOKijk9em nJSXNzqau5PaPLZuTb2/y2LnmlGTjFxfKlJOyivi7JJI+2r600HxT+yX8HJ4PgVrfxj0u00Z 7VpNG16+thpV6JD9oR7a1V8MzDcZGA3cDPAqTwH8QL/x7+39pP8Aa/g+4+G3iceAJdN8P2Oo asb65+0tBIbZ5JXCuspjdl2yfvAV+Y5OK+JPAfxi8XfCyK5Twx4p8R+HEvCrXC6XqU1mJyud pcRsN2MnGemTWXqnijUtb8Qy6ve6hfXerTzfaJL2ed5LiSXOd5kJ3Fs85JzUPIHKVSMpaS57 O8rrnvf3ebl69Fr6hHOeWFNxj70eTS0bPkaa1tza8q0vo/JWPsD9h34JfFL4Y6p8U73xRoni nQdDufCmpw3h1PzLaLULwxO0bBXI+0MAsx3qGCgk5G7n4wrr9a/aE8feI79LrUPG/i+/uo7e W0Sa51m4lkSGUASxBmckI4A3L0bAyDXIV6mCwlanWnXrON5KK91NfDfv6/p0ucWKxNKdGNGk nZOT1f8AMo/5fPfrYKKKK9M849//AOCTn7G/hj9ubW/ijbeLL3XNOj8GXNktkdHlhhMv2h7z f5vmRSZI8hMbdvVs5zx9lf8ADjH4S/8AQw/EX/wPs/8A5Frw/wD4Nzf+Rs+P/wD196R/6Hqd fp/X47xBn2YUMwqUqNVqKtZfJH6dk2T4Krg4VKlNNu/5s+MP+HGPwl/6GH4i/wDgfZ//ACLR /wAOMfhL/wBDD8Rf/A+z/wDkWvs+ivG/1mzX/n/I9P8AsHL/APn0j4w/4cY/CX/oYfiL/wCB 9n/8i0f8OMfhL/0MPxF/8D7P/wCRa+z6KP8AWbNf+f8AIP7By/8A59I+MP8Ahxj8Jf8AoYfi L/4H2f8A8i0f8OMfhL/0MPxF/wDA+z/+Ra+z6KP9Zs1/5/yD+wcv/wCfSPjD/hxj8Jf+hh+I v/gfZ/8AyLR/w4x+Ev8A0MPxF/8AA+z/APkWvs+ij/WbNf8An/IP7By//n0j4w/4cY/CX/oY fiL/AOB9n/8AItH/AA4x+Ev/AEMPxF/8D7P/AORa+z6KP9Zs1/5/yD+wcv8A+fSPjD/hxj8J f+hh+Iv/AIH2f/yLR/w4x+Ev/Qw/EX/wPs//AJFr7Poo/wBZs1/5/wAg/sHL/wDn0j8vf24v 2AvCf7D2j+CPE/g3XPF8mqXviOCzLX95CwiXa0m5PKhjIbKDnJHXiv1Cr4w/4LT/APJJfh5/ 2N0P/omWvs+ujOMXWxOAw1avLmk+fV+TRhlmHp0MZiKVFWj7mnyZ8Yf8EMf+TS/EP/Y3XP8A 6R2VfZ9fGH/BDH/k0vxD/wBjdc/+kdlX2fXPxP8A8jWv/iN8h/5F9L0CiiivCPXCiiigAooo oAKKKKACiiigAooooA/H3/gu3/yka8D/APYjwf8ApXqVfNNfsB+2t/wSp+HH7d3xD0vxR4t1 Hxdpmq6Vpw0tG0a8giSaBZZJVDrLDLyGlkwVx97nOBjxv/iHM+CX/Q0/FT/wZWH/AMh1+mZJ xbg8Jg4UKl7o+EzbhzE4nFSrQtZn5x0V+jn/ABDmfBL/AKGn4qf+DKw/+Q6P+Icz4Jf9DT8V P/BlYf8AyHXrf694Dszzv9UMZ3R+cdFfo5/xDmfBL/oafip/4MrD/wCQ6P8AiHM+CX/Q0/FT /wAGVh/8h0f694Dsw/1QxndH5x0V+jn/ABDmfBL/AKGn4qf+DKw/+Q6P+Icz4Jf9DT8VP/Bl Yf8AyHR/r3gOzD/VDGd0fnHRX6Of8Q5nwS/6Gn4qf+DKw/8AkOj/AIhzPgl/0NPxU/8ABlYf /IdH+veA7MP9UMZ3R+cdFfo5/wAQ5nwS/wChp+Kn/gysP/kOj/iHM+CX/Q0/FT/wZWH/AMh0 f694Dsw/1QxndH5x0V+jn/EOZ8Ev+hp+Kn/gysP/AJDo/wCIcz4Jf9DT8VP/AAZWH/yHR/r3 gOzD/VDGd0fnHRX6Of8AEOZ8Ev8Aoafip/4MrD/5Do/4hzPgl/0NPxU/8GVh/wDIdH+veA7M P9UMZ3R+cdFfo5/xDmfBL/oafip/4MrD/wCQ6P8AiHM+CX/Q0/FT/wAGVh/8h0f694Dsw/1Q xndH5x0V+jn/ABDmfBL/AKGn4qf+DKw/+Q6P+Icz4Jf9DT8VP/BlYf8AyHR/r3gOzD/VDGd0 fnHRX6Of8Q5nwS/6Gn4qf+DKw/8AkOj/AIhzPgl/0NPxU/8ABlYf/IdH+veA7MP9UMZ3R+cd Ffo5/wAQ5nwS/wChp+Kn/gysP/kOj/iHM+CX/Q0/FT/wZWH/AMh0f694Dsw/1QxndH5x1neL /wDkU9U/69Jf/QDX6W/8Q5nwS/6Gn4qf+DKw/wDkOj/iHM+CX/Q0/FT/AMGVh/8AIdJ8dYBq 1mNcI4xO90eqf8EUP+UZPw0/7in/AKdbyvqiuE/Zo/Z50L9lP4H6F4A8MyahNovh9JVt5L+V ZbiQyzSTOzsqqpJeRzwoAzgCu7r8oxtWNXEVKsNpSb+9n6Jhabp0YU5bpJfcgooorlNwoooo AKKKKACiiigAooooAKKKKAPjD9mH/lLn8cv+wRD/ACs6+z6+MP2Yf+Uufxy/7BEP8rOvs+vd 4g/j0/8Ar3T/APSUeRk38Kf+Of8A6Uwooorwj1wooooA+MPjZ/ymz+EH/Yo3H/orV6+z6+MP jZ/ymz+EH/Yo3H/orV6+z693O/gwv/Xpf+lSPIyr48R/18f/AKTEKKKK8I9cKKKKACiiigAo oooAKKKKACiiigD5X/4LX/8AKMn4l/8AcL/9OtnX43+FvFOmW/hjTo5NRsEdLWJWVrhAVIQZ BGa/oU+L3wh8OfHr4cap4R8W6XFrPh3Wo1ivLOR3jEoV1dfmQqykOqsCpBBUEGvnv/hyh+zJ /wBE0/8ALi1X/wCSq+04a4loZbQlTqxbbd9Ldl5rsfL57kVXHVYzhJJJW1+fkfj9/wAJfpP/ AEFNO/8AAlP8aP8AhL9J/wCgpp3/AIEp/jX7A/8ADlD9mT/omn/lxar/APJVH/DlD9mT/omn /lxar/8AJVfSf8RAwn/PuX3L/wCSPC/1NxH86/H/ACPx+/4S/Sf+gpp3/gSn+NH/AAl+k/8A QU07/wACU/xr9gf+HKH7Mn/RNP8Ay4tV/wDkqj/hyh+zJ/0TT/y4tV/+SqP+IgYT/n3L7l/8 kH+puI/nX4/5H4/f8JfpP/QU07/wJT/Gj/hL9J/6Cmnf+BKf41+wP/DlD9mT/omn/lxar/8A JVH/AA5Q/Zk/6Jp/5cWq/wDyVR/xEDCf8+5fcv8A5IP9TcR/Ovx/yPx+/wCEv0n/AKCmnf8A gSn+NH/CX6T/ANBTTv8AwJT/ABr9gf8Ahyh+zJ/0TT/y4tV/+SqP+HKH7Mn/AETT/wAuLVf/ AJKo/wCIgYT/AJ9y+5f/ACQf6m4j+dfj/kfj9/wl+k/9BTTv/AlP8aP+Ev0n/oKad/4Ep/jX 7A/8OUP2ZP8Aomn/AJcWq/8AyVR/w5Q/Zk/6Jp/5cWq//JVH/EQMJ/z7l9y/+SD/AFNxH86/ H/I/H7/hL9J/6Cmnf+BKf40f8JfpP/QU07/wJT/Gv2B/4cofsyf9E0/8uLVf/kqj/hyh+zJ/ 0TT/AMuLVf8A5Ko/4iBhP+fcvuX/AMkH+puI/nX4/wCR+P3/AAl+k/8AQU07/wACU/xo/wCE v0n/AKCmnf8AgSn+NfsD/wAOUP2ZP+iaf+XFqv8A8lUf8OUP2ZP+iaf+XFqv/wAlUf8AEQMJ /wA+5fcv/kg/1NxH86/H/I/H7/hL9J/6Cmnf+BKf40f8JfpP/QU07/wJT/Gv2B/4cofsyf8A RNP/AC4tV/8Akqj/AIcofsyf9E0/8uLVf/kqj/iIGE/59y+5f/JB/qbiP51+P+R+P3/CX6T/ ANBTTv8AwJT/ABo/4S/Sf+gpp3/gSn+NfsD/AMOUP2ZP+iaf+XFqv/yVR/w5Q/Zk/wCiaf8A lxar/wDJVH/EQMJ/z7l9y/8Akg/1NxH86/H/ACPx+/4S/Sf+gpp3/gSn+NH/AAl+k/8AQU07 /wACU/xr9gf+HKH7Mn/RNP8Ay4tV/wDkqj/hyh+zJ/0TT/y4tV/+SqP+IgYT/n3L7l/8kH+p uI/nX4/5H4/f8JfpP/QU07/wJT/Gj/hL9J/6Cmnf+BKf41+wP/DlD9mT/omn/lxar/8AJVH/ AA5Q/Zk/6Jp/5cWq/wDyVR/xEDCf8+5fcv8A5IP9TcR/Ovx/yPx+/wCEv0n/AKCmnf8AgSn+ NH/CX6T/ANBTTv8AwJT/ABr9gf8Ahyh+zJ/0TT/y4tV/+SqP+HKH7Mn/AETT/wAuLVf/AJKo /wCIgYT/AJ9y+5f/ACQf6m4j+dfj/kfM3/BuPMtx4n+PkkbK6PdaOyspyGBfUsEGv1Bry/8A Zp/Yy+Gn7H9pq8Pw68MR+HU154nvyL25u3uTEHEeWnkdgF8x8AED5jxzXqFfnWcY2GLxk8RT TSlbf0SPt8twssNho0Z7q/5hRRRXmHcFFFFABRRRQAUUUUAFFFFABRRRQB8Yf8Fp/wDkkvw8 /wCxuh/9Ey19n18Yf8Fp/wDkkvw8/wCxuh/9Ey19n17uO/5FmF9an5xPIwn+/wCI9Ifkz4w/ 4IY/8ml+If8Asbrn/wBI7Kvs+vjD/ghj/wAml+If+xuuf/SOyr7Po4n/AORrX/xBkP8AyL6X oFFFFeEeuFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUU AFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFAHx h+zD/wApc/jl/wBgiH+VnX2fXxh+zD/ylz+OX/YIh/lZ19n17vEH8en/ANe6f/pKPIyb+FP/ ABz/APSmFFFFeEeuFFFFAHxh8bP+U2fwg/7FG4/9FavX2fXxh8bP+U2fwg/7FG4/9FavX2fX u538GF/69L/0qR5GVfHiP+vj/wDSYhRRRXhHrhRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRR RQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUA FFFFABRRRQAUUUUAFFFFABRRRQB8Yf8ABaf/AJJL8PP+xuh/9Ey19n18Yf8ABaf/AJJL8PP+ xuh/9Ey19n17uO/5FmF9an5xPIwn+/4j0h+TPjD/AIIY/wDJpfiH/sbrn/0jsq+z6+MP+CGP /JpfiH/sbrn/ANI7Kvs+jif/AJGtf/EGQ/8AIvpegUUV5prH7aPwd8ParcWN/wDFj4aWN7aS NDPb3HieyilgdThlZWlBUg8EEZrxYU5z+BNnqynGPxOx6XRXlf8Aw3T8Ev8AosXwr/8ACssP /jtH/DdPwS/6LF8K/wDwrLD/AOO1p9VrfyP7mR7el/MvvPVKK8r/AOG6fgl/0WL4V/8AhWWH /wAdo/4bp+CX/RYvhX/4Vlh/8do+q1v5H9zD29L+ZfeeqUV5X/w3T8Ev+ixfCv8A8Kyw/wDj tH/DdPwS/wCixfCv/wAKyw/+O0fVa38j+5h7el/MvvPVKK8r/wCG6fgl/wBFi+Ff/hWWH/x2 j/hun4Jf9Fi+Ff8A4Vlh/wDHaPqtb+R/cw9vS/mX3nqlFeV/8N0/BL/osXwr/wDCssP/AI7R /wAN0/BL/osXwr/8Kyw/+O0fVa38j+5h7el/MvvPVKK8r/4bp+CX/RYvhX/4Vlh/8do/4bp+ CX/RYvhX/wCFZYf/AB2j6rW/kf3MPb0v5l956pRXlf8Aw3T8Ev8AosXwr/8ACssP/jtH/DdP wS/6LF8K/wDwrLD/AOO0fVa38j+5h7el/MvvPVKK8r/4bp+CX/RYvhX/AOFZYf8Ax2j/AIbp +CX/AEWL4V/+FZYf/HaPqtb+R/cw9vS/mX3nqlFeV/8ADdPwS/6LF8K//CssP/jtH/DdPwS/ 6LF8K/8AwrLD/wCO0fVa38j+5h7el/MvvPVKK8r/AOG6fgl/0WL4V/8AhWWH/wAdo/4bp+CX /RYvhX/4Vlh/8do+q1v5H9zD29L+ZfeeqUV5X/w3T8Ev+ixfCv8A8Kyw/wDjtLH+3N8E5XCr 8YfhazMcADxXYEk/9/aPqtb+R/cw9vS/mX3nqdFR2l3Ff2sc8Ekc0MyCSOSNgyyKRkEEcEEd 6krA1CivC/23v+ChPgT9gbR9AuvGdv4gvpfEss8dja6RaxzTOIRGZXPmSRoFXzYx97J3jAOD j53/AOIjP4Jf9Ct8VP8AwW2H/wAmV6FDKsXWgqlKm2n1OOrmGGpS5Kk0mfflFfAf/ERn8Ev+ hW+Kn/gtsP8A5Mo/4iM/gl/0K3xU/wDBbYf/ACZW39h4/wD59Mz/ALWwf/PxH35RXwH/AMRG fwS/6Fb4qf8AgtsP/kyj/iIz+CX/AEK3xU/8Fth/8mUf2Hj/APn0w/tbB/8APxH35RXwH/xE Z/BL/oVvip/4LbD/AOTKP+IjP4Jf9Ct8VP8AwW2H/wAmUf2Hj/8An0w/tbB/8/EfflFfAf8A xEZ/BL/oVvip/wCC2w/+TKP+IjP4Jf8AQrfFT/wW2H/yZR/YeP8A+fTD+1sH/wA/EfflFfAf /ERn8Ev+hW+Kn/gtsP8A5Mo/4iM/gl/0K3xU/wDBbYf/ACZR/YeP/wCfTD+1sH/z8R9+UV8B /wDERn8Ev+hW+Kn/AILbD/5Mo/4iM/gl/wBCt8VP/BbYf/JlH9h4/wD59MP7Wwf/AD8R9+UV 8B/8RGfwS/6Fb4qf+C2w/wDkyj/iIz+CX/QrfFT/AMFth/8AJlH9h4//AJ9MP7Wwf/PxH35R XwH/AMRGfwS/6Fb4qf8AgtsP/kyj/iIz+CX/AEK3xU/8Fth/8mUf2Hj/APn0w/tbB/8APxH3 5RXwH/xEZ/BL/oVvip/4LbD/AOTKP+IjP4Jf9Ct8VP8AwW2H/wAmUf2Hj/8An0w/tbB/8/Ef flFfAf8AxEZ/BL/oVvip/wCC2w/+TKP+IjP4Jf8AQrfFT/wW2H/yZR/YeP8A+fTD+1sH/wA/ EfflFfAf/ERn8Ev+hW+Kn/gtsP8A5Mr2b9in/gqn8N/27vHup+GvCVj4s0zV9L086m8WsWUM QmgWSONmRoppRkNLGMNg/NxnBxlVyjGUoOpUptJF08xw1SShCabZ9LUUUV5x2nxh+zD/AMpc /jl/2CIf5WdfZ9fGH7MP/KXP45f9giH+VnX2fXu8Qfx6f/Xun/6SjyMm/hT/AMc//SmFFFFe EeuFFFFAHxh8bP8AlNn8IP8AsUbj/wBFavX2fXxh8bP+U2fwg/7FG4/9FavX2fXu538GF/69 L/0qR5GVfHiP+vj/APSYhRRXkH7SP7e3wk/ZG13T9L+IXjC30DUdUgN1bWwsrq8leLcV3lYI 3KqWVgC2MlWxnBrxqVKpVlyU4tvslc9SdSEI803ZeZ6/RXyv/wAPrv2ZP+il/wDlu6r/APIt H/D679mT/opf/lu6r/8AItdX9l43/nzL/wABf+Rz/X8L/wA/I/ej6oor5X/4fXfsyf8ARS// AC3dV/8AkWj/AIfXfsyf9FL/APLd1X/5Fo/svG/8+Zf+Av8AyD6/hf8An5H70fVFFfK//D67 9mT/AKKX/wCW7qv/AMi0f8Prv2ZP+il/+W7qv/yLR/ZeN/58y/8AAX/kH1/C/wDPyP3o+qKK +V/+H137Mn/RS/8Ay3dV/wDkWj/h9d+zJ/0Uv/y3dV/+RaP7Lxv/AD5l/wCAv/IPr+F/5+R+ 9H1RRXyv/wAPrv2ZP+il/wDlu6r/APItH/D679mT/opf/lu6r/8AItH9l43/AJ8y/wDAX/kH 1/C/8/I/ej6oor5X/wCH137Mn/RS/wDy3dV/+RaP+H137Mn/AEUv/wAt3Vf/AJFo/svG/wDP mX/gL/yD6/hf+fkfvR9UUV8r/wDD679mT/opf/lu6r/8i0f8Prv2ZP8Aopf/AJbuq/8AyLR/ ZeN/58y/8Bf+QfX8L/z8j96Pqiivlf8A4fXfsyf9FL/8t3Vf/kWj/h9d+zJ/0Uv/AMt3Vf8A 5Fo/svG/8+Zf+Av/ACD6/hf+fkfvR9UUV8r/APD679mT/opf/lu6r/8AItH/AA+u/Zk/6KX/ AOW7qv8A8i0f2Xjf+fMv/AX/AJB9fwv/AD8j96Pqiivlf/h9d+zJ/wBFL/8ALd1X/wCRaP8A h9d+zJ/0Uv8A8t3Vf/kWj+y8b/z5l/4C/wDIPr+F/wCfkfvR9UUV8r/8Prv2ZP8Aopf/AJbu q/8AyLR/w+u/Zk/6KX/5buq//ItH9l43/nzL/wABf+QfX8L/AM/I/ej6ooriPgB+0d4K/ak8 Bf8ACTeAteg8Q6ILl7R7iOGWExzIFZo3SRVdWCuhwyjhgehrt645wlCTjNWaOqMlJc0XdBRW R8QPHGnfDHwHrfiTWJWg0nw9YT6nfSqhcxwQxtJIwUcnCqTgV8Nyf8HGPwRRyB4Y+KTAHAYa ZYYPvzeV1YbAYjEJuhBysc9fGUaLSqySuffdFfAf/ERn8Ev+hW+Kn/gtsP8A5Mo/4iM/gl/0 K3xU/wDBbYf/ACZXV/YeP/59Mw/tbB/8/EfflFfAf/ERn8Ev+hW+Kn/gtsP/AJMo/wCIjP4J f9Ct8VP/AAW2H/yZR/YeP/59MP7Wwf8Az8R9+UV8B/8AERn8Ev8AoVvip/4LbD/5Mo/4iM/g l/0K3xU/8Fth/wDJlH9h4/8A59MP7Wwf/PxH35RXwH/xEZ/BL/oVvip/4LbD/wCTKP8AiIz+ CX/QrfFT/wAFth/8mUf2Hj/+fTD+1sH/AM/EfflFfAf/ABEZ/BL/AKFb4qf+C2w/+TKP+IjP 4Jf9Ct8VP/BbYf8AyZR/YeP/AOfTD+1sH/z8R9+UV8B/8RGfwS/6Fb4qf+C2w/8Akyj/AIiM /gl/0K3xU/8ABbYf/JlH9h4//n0w/tbB/wDPxH35RXwH/wARGfwS/wChW+Kn/gtsP/kyj/iI z+CX/QrfFT/wW2H/AMmUf2Hj/wDn0w/tbB/8/EfflFfAf/ERn8Ev+hW+Kn/gtsP/AJMo/wCI jP4Jf9Ct8VP/AAW2H/yZR/YeP/59MP7Wwf8Az8R9+UV8B/8AERn8Ev8AoVvip/4LbD/5Mo/4 iM/gl/0K3xU/8Fth/wDJlH9h4/8A59MP7Wwf/PxH35RXwH/xEZ/BL/oVvip/4LbD/wCTKP8A iIz+CX/QrfFT/wAFth/8mUf2Hj/+fTD+1sH/AM/EfflFfAf/ABEZ/BL/AKFb4qf+C2w/+TK6 f4K/8F3/AIN/HD4seHvB9jo3xB0zUPE2oQ6ZZz6hp1qLcTzOI41YxXMjAM7KM7SBnnA5qZZL jopylSdkOOaYSTsqiPtWiiivLO8+MP8AgtP/AMkl+Hn/AGN0P/omWvs+vjD/AILT/wDJJfh5 /wBjdD/6Jlr7Pr3cd/yLML61PzieRhP9/wAR6Q/Jnxh/wQx/5NL8Q/8AY3XP/pHZV9n18Yf8 EMf+TS/EP/Y3XP8A6R2VfZ9HE/8AyNa/+IMh/wCRfS9Ar+aD4WeC9N8UaBPc39ubicXLJvMr qcbVPYjuTX9L9fzafA3/AJFO4/6+2/8AQEr6fw/ipVKya/l/9uPC4yk1Tptef6Gj/wAKo0D/ AJ8P/I8n/wAVR/wqjQP+fD/yPJ/8VXRUV+n+xp/yr7j8/wDa1O7Od/4VRoH/AD4f+R5P/iqP +FUaB/z4f+R5P/iq6Kij2NP+VfcHtandnO/8Ko0D/nw/8jyf/FUf8Ko0D/nw/wDI8n/xVdFR R7Gn/KvuD2tTuznf+FUaB/z4f+R5P/iqP+FUaB/z4f8AkeT/AOKroqKPY0/5V9we1qd2c7/w qjQP+fD/AMjyf/FUf8Ko0D/nw/8AI8n/AMVXRUUexp/yr7g9rU7s53/hVGgf8+H/AJHk/wDi qP8AhVGgf8+H/keT/wCKroqKPY0/5V9we1qd2c7/AMKo0D/nw/8AI8n/AMVR/wAKo0D/AJ8P /I8n/wAVXRUUexp/yr7g9rU7s53/AIVRoH/Ph/5Hk/8AiqP+FUaB/wA+H/keT/4quioo9jT/ AJV9we1qd2c7/wAKo0D/AJ8P/I8n/wAVR/wqjQP+fD/yPJ/8VXRUUexp/wAq+4Pa1O7Od/4V RoH/AD4f+R5P/iqP+FUaB/z4f+R5P/iq6Kij2NP+VfcHtandnO/8Ko0D/nw/8jyf/FVjfEH4 faRofhC7urW08qeLZtbzXbGXUHgkjoTXd1zvxX/5EC//AO2f/oxazq0oKDaS2NKVWbmk29z9 5v2Fzn9iT4O/9iPov/pBBXqleV/sLf8AJkfwc/7EfRf/AEggr1Sv53xP8afq/wAz9rofwo+i PzA/4OMv+Rs+AH/X3q//AKHplfE1fbP/AAcZf8jZ8AP+vvV//Q9Mr4mr9k4K/wCRXD5/+lM/ MOKv9/l8vyQUUUV9afNhRRRQAUUUUAFFFFABRRRQAUUVc0Hw/f8AinV4bDTLK71G+uSVhtrW FpppSASQqKCTwCeB2pNpK7Gk27Ip0UUUxBRRRQAUUUUAFFFFABX0t/wQk/5SNeOP+xHn/wDS vTa+aa+lv+CEn/KRrxx/2I8//pXptfN8Wf8AIsqHu8Of7/A/YKiob+/g0uylubmaK3t4EMks srhEjUDJZieAAO5qPRNdsvEulQ32nXlrqFlcruhuLaVZYpR0yrKSCPoa/DLO1+h+tXV7Hx1+ zD/ylz+OX/YIh/lZ19n18Yfsw/8AKXP45f8AYIh/lZ19n17nEH8en/17p/8ApKPJyb+FP/HP /wBKYUUUV4R64UUUUAfGHxs/5TZ/CD/sUbj/ANFavX2fXxh8bP8AlNn8IP8AsUbj/wBFavX2 Jruv2PhfSZr/AFK9tNOsbYBpbm6mWKKIEgZZmIA5IHJ7172dJuGFS/59L/0qR5GVu0sQ3/z8 f/pMS3X48/8ABeaziv8A/gol4JinijmibwPBuSRQynF3qR5Br9gbK9h1GziuLeWOeCdBJHLG wZJFIyGBHBBHevyC/wCC7f8Ayka8D/8AYjwf+lepV18H/wDIzin5nPxK/wDYJNHyx/wiGk/9 AvTv/AZP8KP+EQ0n/oF6d/4DJ/hWjRX7byR7H5Rzy7md/wAIhpP/AEC9O/8AAZP8KP8AhENJ /wCgXp3/AIDJ/hWjRRyR7Bzy7md/wiGk/wDQL07/AMBk/wAKP+EQ0n/oF6d/4DJ/hWjRRyR7 Bzy7md/wiGk/9AvTv/AZP8KP+EQ0n/oF6d/4DJ/hWjRRyR7Bzy7md/wiGk/9AvTv/AZP8KP+ EQ0n/oF6d/4DJ/hWjRRyR7Bzy7md/wAIhpP/AEC9O/8AAZP8KP8AhENJ/wCgXp3/AIDJ/hWj RRyR7Bzy7md/wiGk/wDQL07/AMBk/wAKP+EQ0n/oF6d/4DJ/hWjRRyR7Bzy7md/wiGk/9AvT v/AZP8KP+EQ0n/oF6d/4DJ/hWjRRyR7Bzy7md/wiGk/9AvTv/AZP8KP+EQ0n/oF6d/4DJ/hW jRRyR7Bzy7md/wAIhpP/AEC9O/8AAZP8KP8AhENJ/wCgXp3/AIDJ/hWjRRyR7Bzy7md/wiGk /wDQL07/AMBk/wAKP+EQ0n/oF6d/4DJ/hWjRRyR7Bzy7n6Of8G5n/Jkfin/seLv/ANINPr78 r4D/AODcz/kyPxT/ANjxd/8ApBp9fflfz/nv+/1fU/Zsq/3On6Hlf7dP/Jkfxj/7EfWv/SCe vwZ+FH/IgWH/AG0/9GNX7zft0/8AJkfxj/7EfWv/AEgnr8GfhR/yIFh/20/9GNX3Ph98FU+S 4z3pnRVr6t4F1XQvCWj67dWvlaVrzTpYT+ajeeYGVZflBLLtLr94DOeM1kV9TfBzS7DWfBfw Hh1PTbHV7Hd4rlks72LzIJ9kQcBlyDjcoPBBGAQQQDX3mNxTw8VO11rf0UZS0+4+OwuH9s3H rpb5yS/U+WaK+q/hnpGgfGLTPhfr2u+H/Cker6hqmv6dDbWunQaZZatcW9rBNp9vNHCEjbNx MEyRlwyqxas/wR4G8S6v4l1dvE3w/wBAsviJaeFp7rwxosnh62sZdVlF0itI+lqqRyyxwG5a NWg/eeVnbLsGOV5qotqUbNb6+clp3ty3b6Kz7nTHLnJRlF3UnZaem/bfTvZnzJRX15H4c0zQ LfUtV1zwh4WtfH1h8NrrUtY0ebRoY4NPvU1GBLS4eyCiKCdrco7RhVB3fNHiRgy3h0fxdqej 6PP4R8FW8Hij4W3XiPUJrTQra3nbUIbO5eOeJ0UG3w1rGSkGyNi0hZSWNZPOUk5cmivfXtzN 27q0W0+und20hlXNJR5rNtLbu4LXtrNX9H5X+Qq6L4g/DO/+G0OgPfS2ko8R6RDrVt5DM2yG VnVVfKjD5jOQMjkc19RaX8M93h7QBeeB/DUXw3ufh/8A2hrWvJpEBmivhp7NG5vcGSC4MwgC xBkEm/JR/MJZvhLwrofivxb4MTU7f7bqtr8I4J9CtV0uLVpZ7wXMo/dWU0iR3UqxGZlidsEr naxUKZqZyk9Fom79ek/ud43fk0+tgp5Y2ld/Elbpq3T+9Wn96Z8k6R4fv/EDXAsLK7vTZ273 c4t4Wk8iFBl5GwDtRRyWPA71Tr7V8FSTeHvizq+l6J4P1TTPFesfD3U1mtNc8AWWkPrd3GJD A1tp+ZkAaMbHjiASUxEshOaqfCf4faSfhh4WvX8Fa74iuby71BfGun6J8OLTW7hbgXLI9o8p mil0tlh2eWsCRhSxYFiMKpZ2o+9KOmltf8Wu23u6PzV0ruzWVN6J63d9PKD77+9tfZOzdtfj Wul8W/CDxH4E8G+H/EGq6Y9ppHilJJNMuDLG32gR7d2VViyHDoQHCkhgRkHNSfDz4cP8V/jH pfhfSPNjGs6mtnA9yNrQRs+C8gGQNiZZuuNpr6E+IGveDP2hvB/xL0jwvqviHU73TPJ8Q6HZ XujRWkNna2Ea2skUMiXUrSZs9jHMaZ+zBuDxXdica6c4RitHq9Hom0vlu3d6Wi1vqufDYP2j kpPbRectbWvvtay1vJPyfylRX2T8ZNZ0rwtqnx0isfBXw+gTwFdac+g/8U3an7FJNMIZWbKf vgwlY+XNviVgpVFCqBR8U/DWGLVfG+o+BPB+i6v45ksfDmoQaNFosOopaWt5YrPez2unujxs PtDQqcRuIll4CA7hx0s7U4c7hZNLr35LX7W51d9LPc2llbUuRSu1d7drp/O6sl1bPkSivqT4 j/B+w8ZJ8Q9J8LeF7G88bR6doN/e6PotmLibTbwhhqUdtGm5kRJZEEiREqhO3gLhbvxQ0jS/ g5Z/EG9sfDXg2fUtI0fwklq0+mWt/b2k09iPtEsakNDIztuJYh1YndgkKw0WcQloo66aX78q v6Xlv5C/suab10Sve34Pz7rofLVl4fv9S0u9vbeyu57LTQjXdxHCzRWodtqGRgMLubgZxk8C qdfalxFf6Xp3xg0jwT4a0S4v9U8O+G/ECaRa+HLS+LPPHaS3TRQPE58pTIWCAFIi25Qp5r5X +A+j6D4h+NXhSx8UzpbeG7zVraHUpXm8lEt2kUOWf+BcZy2RgZORjNb4PHutGc3GyVtFq9Yp 7fgu9jDFYRUVCzvzfdvp87WbXS5y1vbvd3CRRqWkkYIqjuTwBXU/GX4Ty/BbxpPoF3rOjatq dgzQ38enfaCLCdWKvC7SxRhnUjkx719GNe+eMtL1nwV4TvdT8b+B/DHg7xJpfiu1h8KIvhmz sxfQEyi6jEXl7Ly3jUQFZpVkwzDEpLc+Tftn+JLjxL+1J46a4jsIzZ65e2kf2WxgtAyJcSYL iJFDvzzI+XbuxrPD46VetGMbctpXs73tyWs7be9r5prprrWwUaNOfPrJcttO7mn/AOkaeT7v TzCtD4I/8nufAf8A7HjSv/S+1rPrQ+CP/J7nwH/7HjSv/S+1rbNf9zqehllv+9Q9T+giiiuK 8FftF+B/iP8AEPU/Cmg+J9K1fX9GhM95aWkvmmBAyoTuHynDMoIBJUkA4r+eoUpzTlFNpb+X qfs8qkItKTs3t5nzL/wWn/5JL8PP+xuh/wDRMtfZ9fGH/Baf/kkvw8/7G6H/ANEy19n17WO/ 5FmF9an5xPLwn+/4j0h+TPy5/wCCaH/BQ/wD+yT8CdW8OeKYfEEmoXuvTalGbG0SaPynt7aM ZJkU7t0TcY6Y5pv7Zn7dXgP40+LtL8cfD/xj8SPCHjfQLT7Laxm0UWF0gdn2sFlJQkuQTtdW AAK969u/4If6FY6p+yh4gkubO1uHHi25UNLCrkD7HZcZI9zXe/tm/sxfE79oHxhpfhzwhrPh 3wb8Pbm0zrF5DBjUZJd7BowFALIUKYUOgPz7jjaK+sr4zAUs6qOpDlkm7ycvdatr7vI737Hz tHC4yplcFCV1ZWSjr5a8y27nk37GX/BZKLx5qen+F/iVpkkGr3brb22r6VbPLFdSEgKJbdAW Vie8YIJP3VFflV8Df+RTuP8Ar7b/ANASv3p/Zc/YY+H/AOyZpi/8I9pYutbZNtxrV8BLey5H IVsYjU/3UAB4zk81+C3wN/5FO4/6+2/9ASvV4Zr4Crja8svg4x0+fxbLp9/yR5+fUcZTwlKO MmpS1+W276/1udnRRRX3R8gFep+B/Cvh/wAD/AdvHeuaND4nvdT1l9F0rTLueeGxiEUUcs88 xgkjldsSxqirIgB3s24ALXlld78PfjBp2j/D2+8I+J9Cn8QeHLm9XU7cWeof2ffafdhQjSRS mOVNrxgK6PE2dqEFSua5cXGpKnan3V7OztfWz0/PyOjDOCqXntZ+etnb8bFuy+Hdn8ZW1XxF p8OhfDnwzpMdvDfz315d3FjFdyZCxwBY5rkmTY7hP3pUI5LhcY0n/Y91vT28Rzan4h8JaRpP hpbCabVLi6mktby3vVdra4t/JheSVHCdAm8bhlBtfbHpHx18KWHh3XfC8ngm/PgzV2tLlLeD X9mqQ3dt5gW4a6aB4mLJNKjILdU2lNoVlLM/x7+1K/jfwh4p0QaHFZWOtJpFppyJdl/7KtNN SVIYmJXMzMsg3OSvzAkLghV4ZfXOblpJqN42u09Lxu73b5l72+lkuu/ZH6ry3qu8rPa611t0 Sta3nzeQvxJ/Y91z4Zab4kkn17wnqV94TEM+p6fp95LNcQ2s0ipDdAmIRNG5eI7Q/mKJU3Iu Thnjj9kPWvBNpr6/2/4V1fV/C8KXWqaRp1zNLeWtszqgn5iWJlzJHuVZDIgkG5Fw2JPGH7Uv /CWa98Q73+wvs/8AwnujWWk7Ptu77D9me0bzM+WPM3fZfu/LjzOp289l+0b+0T4c0j4g/EJP CujI+r+KYYtMutdh1kXVjLbK8MrNBCI8rI5ijDMZnTh9qLkBco1MenCE1q9Xt/cvfXZNy217 Gjhg5RlNaJO3XbXVab9unfz4XxL+ylqfhWHU47nxJ4VbVvDywS69pUUt091oUUjIjSTEQeXI I3kjWQW7yspb7pwcdt44/Zh8O/Dn4teNNB0y70vxlb6X4RudVjjnvry0uNIkW0gmE7MLZEmb MjGOMZUqQJGQisv40ftsah8avDeqR3l18R7PUdZjRbm1i8au3h8uNvmbdPa3LCNtpIj88hS3 BwAtU/Ef7V+na1401vxFB4Wu7bVvE3habw7qe7V1ktmke1it1uIU8gNGAIixjZ3yW4dccwlm M43qKztLRNWvZW7O1721uur6lXwMZLkenNHdP4U9e6vbfo7aK5nL+yJrD+GorxPEXhKTU7jw /wD8JNb6Kl1O1/PYiLzXcDyfKVlQOSjyKxEbFQwwS60/ZE1FvCdxqN74s8IaXfWvh9PE02kX D3r30dk+3ynPlWzxbnEkZCeZuUSAsFAOItL/AGmv7N8ZWOrf2Jv+x+DZPCXlfbMb99jJafaN 2zjHmb9mO2N3Oa9z+I/izQvFXwcfTpfEmk2mkWvg20tIdY0/W9FS4vHgtomisH09YH1YobhV RlkuNoYGUhUUKFisTjaUkns+uneWi3vpytLdtu3ZPCUMJVt3XTXtDV9tXNX2SSb01fyX4K8J 3fj3xjpWh2CeZfaxdxWVuvq8jhF/U17l8Q/gV4I8YeMfBU3hKRdE8KX2ty+EdUvZLiacS3UE o23X3ZWQ3MEkbKoUorhuAoOPJ/gn8U/+FMeN/wDhIIbH7ZqNrZXMWnP5/lfYbqSFo47n7p3G IvvUcfMqnIxXXaP+2R4qufCd7pvirUNb8auNQsdW0qbV9XmuP7KurWUtuUSbiVkRnRlVk6qc /Lg92LhiZVoypfCvO17uz068q1V+vc4cPKiqU1U+J7abWV1r05nZPrZPa51OrfsheELGH4ss vxE0Yf8ACC3ccFkzx35WANeGArdYscu+0bcw5XfznZzXnfh79nq58VeELvULDxL4VutUstLk 1qXQorieS/FrGNzvvWI2wZUy5jMwkABBXd8tdPqX7S/hjU/EPxEZvB2tLonxIVJ760XxDH9p tLtbs3Qkin+ybfK3Hb5bRM2P+Wlb+k/t4/2P8NW0GHQ9ehSXwvL4aksoPErQ6EN8LRm8WwWD AuCxDszSMGYucBmDLww/tKnS0TlLTdx/l1/8m38tmtT0J/UJ11qow12Uv5v/AJF6ea1W1/N/ EH7P114T8HQajqfiHwxY6pc6dFq8WgzXEq6jJaykeW4PlfZ9zIRIIvO80oQdnOK6/wDa9+BD +CfHXiXXlTRvD2iy6itto+m48mfUVCKJJLeFEx5KMCGkYopYlVLMGA5zx78bdA+JHhi1l1Xw nczeMbXSLbRhqi6uUsnS3CxxTm1EW8zCBFTPn7CV3eX2rW+Ov7WR/aD0rU4Ne0IzXK3aXGgX pvt1xokW0LLaMxj/AH1u2Nyp8nlvkqcFlPRbGurCTWibT22bjbl11WnXW1+rSOZPC+ycb62V t97O99O76abdLs8eooor2Tywrnfiv/yIF/8A9s//AEYtdFXO/Ff/AJEC/wD+2f8A6MWsq38O XozSl8a9T95v2Fv+TI/g5/2I+i/+kEFeqV5X+wt/yZH8HP8AsR9F/wDSCCvVK/nPE/xp+r/M /b6H8KPoj8wP+DjL/kbPgB/196v/AOh6ZXxNX2z/AMHGX/I2fAD/AK+9X/8AQ9Mr4mr9k4K/ 5FcPn/6Uz8w4q/3+Xy/JBRRRX1p82FfRf7EHj+y+G/wv+LF/qtoL/RJ7TS7DVbfaC01nPeCG cJ6OI3YqezBTXzpWvovjvVfD3hjWtGs7rydN8QrCmoQ+UjfaBFIJI/mILLhwD8pGe+RXJjcN 9Ypeyezav6Jpv8Dow1b2NT2i3SdvWzs/kz6l+Jf7LaWGgfDLwZqupyHRdJHifWW1CzjDPqOm wpDeJJACdu6aBV25OFL85wQeE+H/AOzp4G+LsfhLW9Nk8V6HoGrahqOkanZ3N3b395bzWtkb tZYZlhhR0ZWQFGjUgqfmIYFfOIP2mPHVt/wh2zxHeK3gFZI9BcJHvsUkILx7tuZEIAUpIWXZ lcbSRSah+0j4w1DXdK1AajZ2cmiRTw2EFhpdpZWdoJ1ZZiltDEsIZ1Yhn2bjhcn5Vx5cMDjo U+RVFf3tfNubva1tbx/wtO1+vpSxmElU55QdtNPLlirJ30s1Jr+ZNJnT+LfgXoXizwJ4U8Q+ B2utMi1+81HT5rXxNr1jEscloIH8xbp1t4gHSdfkbkMpALZFM0v4O+F/h58M4vEXjn+19WOo a7NokFv4b1ez8q2WCKKSac3ASeKbPnxhI0Kg7WPmCvOb7x1quo+CtP8ADs11v0fS7qe9tbfy kHlTTLGsrbgNx3CGPgkgbeAMnOz8Ovjz4n+FekTWGj3ll9hmuo777PfaZa6hHDcoCqzxLcRy CKUAkb49rYA54GO14fEqnyKV9e7Ttf8Am3Wnl8zkjWocylKOtvK17O2nXo9/VHo3gj4B+B2m +Hmk67P4rutU+KBZtPvrCa3t7fR45LuSzt2lt3jkadjJGzuqyxBVICsx5rofAP7J3ga/uvAG ha5d+LP+Eg8dDVYGvLG4txZ6ZLaXFzDHIIniLzqxiXKeZGRgkOd21fJvDP7UHjnwjoEenWet KYraS4ltLi5sbe6vNOe4/wBc1tcyxtPblz8xMTp8xLfeJNZ+g/HfxX4Zu/DE9lqvky+DlmTR 2NtC/wBkEzvJJ95Dvy0jn592M8YwK5quEx0r8tS2r6vtPl6aWbje29rvs+inicJFK8L7dF5c 3XW+rV/h22PU/C37OXgb4lS+BdS0q48WaToXia51jT72O7nt7u7hksbVbhZoyscaFXEiZjYZ BVh5hyGHTfsw/Dnwv/wtT4ZeNfCia9p9ne+IL/Rbix1i7iu5TJDaCVZo5I4ohsZZgChTKsv3 mB48l+AX7RN78K/FXhxr66vm0Tw1NqF5Zw2cUYnt7m6tTCZFf5W6pCeW+UISoz1p3n7Unje7 8SaJqq6raWl14cklm05LLSrO0t7eSUYlk8iKJYmkcY3OyljgZPAxlXwWMnzUYy92z1bfVz02 105b9uly6GKwsOSpKOqeqS7Wt10/XW529h8Obn4jfCf4K6bLPr+qWl/da2q2FnHag2kccsTu Y3cIEVuS8s8jLGoL42qVO5P+yF4WuvFnw+b7RqemaN4uXVo72C18Q6d4hmtXsoTKHjurVEgc MGTMZUMNpy3zAjxrwv8AHrxZ4MXw8NN1Y2y+FWum0xfs0LrD9pwJ1YMhEquBgrJuXGRjBIrR 1P8Aaj8bapdaNIdTsrZfD32oaZBZaRZ2dvZC5jEc4SGKJYwHUcjb94swwzEnWphMbe1KSS9/ vvLna6W3cW79n88qeJwu9VNv3e3RR7+j26W+XoPhv9mrwb8UbbwdrWhz+JtG0DVpNZXVLa+u IL68VNMt0unaB0iiUtLE4UKyHYwJy4rK+EXwa8EfHTxRqk+kp4h0nSfDuhTarqGn6nrthFJc SrMkUcceoSxxQRIxlQs0kPybWAEhYY8+8L/G/wAU+C7XQIdL1eWyTwxfzanpvlxR5t55ljWV iduXV1iRSj5UgEYwzZ0P+GlfGCeJbbVIb7T7SS1s5dPS0tdHsrfTmt5STLE9nHEtu6uTlg8Z 3EKTnaMXLC4tXUJ9Ha7emst9NdHFb6WuvOY4jDWi5R1ur6LVaaLXTRP1vr3LP7RHwv0T4b6r oz6DqNrPb6vY/aJ7Bdestam0mZXZGikubM+U+4KsikKh2yAFcqSfO62vHHj6++IWpxXd/Bot vLFEIlXTNHtNMiK5JyY7aKNGbk/MQTjAzgCsWvQw0KkKSjVd3/XfXRaa697nHiJQlUbpqy0/ Ly01YUUUV0GAV63/AMEs/jNc/AP9sH4keJrTwvrfi6ay8DzAWGloGk5utOPmOeSsa4+ZlViM g7SMkeSV9Lf8EJP+UjXjj/sR5/8A0r02vA4mlGOXzlOPMuq2v8z2chjKWMioOz79jG+Kn7af j39t34jW+neI7fxDe+FxIZf+EW8KgxtIi88krIXYdS7qwHOFXNfVfwp/4KEaj8FPh5pfhbw5 +zZ8RbHRdHiMVtDm4cjLF2JY25JZmZmJ9WNexftR/wDBNPwT+0DqLeINHaXwN44jf7RDrOlL 5fmzDkPNGpAZs871Kvn+I4xXsPwK8H+IfAPwk0PR/FfiA+KfEFhAY7zVDF5ZuzuYqSOpIUqu 48tt3HkmvgcxzzK62Fpxp0dF9i8o2ff3dJdrvU+wwWU5hSxE5VKur+3ZO67a6r0Wh8Vf8E8f ipe/F3/gpb8U9evfD2oeGLjWfD4uJNOvtwuLMpJZIqtlVPzD5ug4Ir9Aq+MP2ev+Uyfxp/7F 2D/0DTa+z68XiSUZYinKCsnThp291aHq5EpRoTjJ3anPXvqFFFFfPHtBRRRQB+fn7ePxXu/g h/wVU+G/iix8Paj4rutM8InZpVgG+0XXmHU4jtwrH5Q5c/KeFP1q/wDF/wDb/v8A46/DnU/C viX9mz4jX2jasipPEGuI2yrB0ZWW3BDK6qw9xzkcV0vxs/5TZ/CD/sUbj/0Vq9fT3x/8FeI/ iJ8Ida0Xwl4jbwn4gv4lS11VY95tvnUvjHILIGXcOV3ZHIr7ati8LRWDValeXJH3uaS5fel/ L237nytPDYio8S6VSy537vLF392Pfvt2PyY+EX7b3j/9ib4h3GlaFBr8PhUShx4W8UgvJCjc 8EKjRvySGRVByCUNYH/BVn4u3Hxy/bH+G3iS68M654SlvvAsBOn6rGEmX/StS+de5jOflZgp I52jIr9Lv2WP+CbPgf8AZyvk12/83xp42Z/Ol1vVV3tHKeS0MZJCHPO8ln5PzYOK+Bv+C7f/ ACka8D/9iPB/6V6lXu4PNcDjM2p/VafvLee3N8v1ep5GIy7F4bLp/WJ6PaO9vn+i0Pmmiiiv 0U+ICiiigAr6K/Zj8H6nrf7OWtXPhrS/At54mk8WWFhDL4ittJk3QyW85MMR1AFSzOE+SP5z jgda+da6Oz+J+oWHwruvCMcdqNOu9Vh1hptrfaFmiikiUBt20LiViflzkDkdK5MbRlVpckLX vHfVWUk3ppfTp1OjC1I06qnLa0vxjJL8WvTc9s139luw+M/xl+JN/wCGLLxBZ+GPC13b276f oHhy41HUPtUo2yRw2cjxOkSyR3BJkdNihVwSQtYPiL9jy2+HmqeLW8VeI9Q0TS/DEWnXSN/Y Tvf3sN8jtEPszyx+VOpUB45JAqkSfOdq78G//ax1jX9f8QXes6F4b1y08VRWn9raddx3K297 cWyBY7stFOkyTn5ixSRVYyPlcHFaPw9+PPh7w18P/iFHJ4Y8LxN4gk0xbbw88d9NYzJEZvNK yNM08bAsj7hOrZJAO3K15Sp4+lBRTdkoJJWb+wpavW/xPVWtq7dPTdTB1Jyk1q3J63XdpWWl rWW6d9tN+mb4V/8ACovgl8YrCLUF1bT9Q0bw9qunXvkmBrm1uLuOWJnjJYxvhsMu44IOCwwT j63+xt/ZPwhuvF32/wAWR2GlLYz3l3feEprHTbq3uJEjMtjcSShrnaXQhXii3LkgjGDynij9 qHxD4rj8Uxy2ukQQeKbbT7J4oIHVNOt7Fka3itwXOFURqp37yQOTkk1qePf2wNX8f6L4rt5v DXhKxvfHEcC65qVrDdfa79oZY5Uf95O8cZ3R8iJEQ7jleE23CjjoWaerkm9trQTv8lLVdbWV npEqmDlo9lGy33953Xzasn032s4/iP8AsuyfDS18fXV5rKPZ+EL6zsNOnW1wuvNdAyxMnz/u wbZTKfv4yq9816N+xf8AAWTxR8Pm1G58EXvim28b6s3hcXkejvfpoFt5DebfBlRvJdJprYq+ RxFMPWuB/aF+PMXxC+EXwx8KWl3Der4W0fOo3Eds0LS3TMUSJywBk8i3SGMNyPvYJFcH4z+J +oeNdE8M6dNHa2ln4UsDYWMdsrKCDNJM8r5Y5kd5CSRgcLgDFX7HF18O6VSVm5Wbtryx0urW +Jrm8lLyI9rh6VaNWmto3t05papa3+FO3m4+Z6k/wM8GeFv2btXvvFF34h0zxfo/jFtBupLP SkulhKQykwANdxKUJTcZCoYMNoBB3Ve+NP7OPg5/2npfCPhK68VJAllFcS2Fp4dk1C73G0hl CWkaXEjTu+53bzWhSMBgGIAzx3jT9q/VfiHoniWx1nw/4YvYvE13DqcrGO5je0vo7c25u4ik 4/eOpLMJN8ZY5CDpVyf9sXVb3xNd6rdeGPCVzcazoq6Frisl4ia7AqwqjTBLlTG6+RGc25iB Ocgg4rONHHqbqSbvZ6XVruMe62TUrfLo2XKrg3BQilvvZ3tzS/Hla+59omr4r/Yuk8FeM7iL VdX1XSfDlj4ZTxTd3WoaGbbVbaBpfs6wNYmXAuDOQgUzBSrBi46Vt/BD4JJ8T/hh8TNA8F6s dZsJG0a+k1C9s2sfsECfaZJ3uIw0gXygGz5bybsDaWZgtcRdftd6zdeILS4/4R/wqmk23h9v C76IkFwLC608yPKscn77ztyuysJFlWTMasWLbi2dp/7Tet+GLjUX8N6fonhQXs1hPCulQyxm wezLGIxs8jOxYuxdpWkZs9ccU3Rx86fJN66NbW0mnqlreyvo7dNwVXBwlzRWnXe+sEnZvTe+ rXbTtxnjGw0vSvFF9baLqNxq+lQSlLa9ntPsj3SD+Pyt77AecAsTjGcHgZlbXxE8Zn4h+NdQ 1ttM0rSJNSlM8lrpsTRWqOfvFEZm2hmy20HaCxChRgDFr2aPN7OPPvbX+lZfckeXV5ed8m19 P6bf5v1CiiitDMKKKKAP0c/4NzP+TI/FP/Y8Xf8A6QafX35XwH/wbmf8mR+Kf+x4u/8A0g0+ vvyv59z3/f6vqftGVf7nT9Dyv9un/kyP4x/9iPrX/pBPX4M/Cj/kQLD/ALaf+jGr95v26f8A kyP4x/8AYj61/wCkE9fgz8KP+RAsP+2n/oxq+58PvgqnyXGe9M6Kiiiv0k+ECiiigAooooA3 vH3xDvfiLcaVJexWsR0jS7bSYfIVlDRQJsRmyTliOpGB6AVg0V7Tf3lv8BfgH4D1PSNK8O32 u+N0vNQvtQ1XS7bVfIihuHt47aKK5jkijGUZ2cLvJYDcFXB5ak1RUYwWsnZetnL8k2dEIuq2 5PSK19FZL80jxaivrXQPC3hzWoJvERSz8IQeN/hjeX+sR2VmWgtZY9RWCSaC3UgASCHcsQKI GOAUXleI8E/Aa00HUJNQ0i/0zxD4f8S+B9Y1awuda0IefCbZJUlXyBOwhuEkiOyVZJFG4MAe VHH/AGtTXNzqzjf71zXV7W+y/Va2OpZbOXK4O6k190uSz3/vq/bueA0V9CWX/BP3XL3wFa3y /wDCUvq17oH/AAkMLReGJZNCEXlGcQPqXmALOYRnHlFN7Km/JJHF+Kvgh4a+Hek2EHiHxffW Xia80y01iTT7fRPtFtDBcBJEi8/z1Y3HkOJNhiEeSFMo+8N4ZlhpycISu07WSb7+W2m+3mYv AV1FTlGyavuvL/NfeeX0V9J/Ev8AZT8G69+0vqvhTwlquvWkOm6SmoyabHoy3V9cN9lt5BDY xteFruV/MeVkZ4yiq+3eFGfCPiP4Yg8F+NtQ0q3/ALb2WMnlMusaYNNvUcAblltxJL5ZDZGN 54APGcCsNj6Neyhe7SlZprRk18HVpczlsny3ut/6/q5h0UUV2nKFFFFABRRRQAVf+ChI/bZ+ BG0At/wm+l4BOAT9vtaoVofBH/k9z4D/APY8aV/6X2tefmv+51PQ7st/3qHqfXP/AAU3/ao+ OyeJrnwv4g0m6+H/AITuWaO3h06UyRavGO7XageZkHmNdgAIDJmtj9ivWPjL8GfhxDffDP4H eD9Wt9ViAn11dTS6uNQx2aQXWFwesahQCOVzmv0g8ceA9F+Jfhm50bxBpdjrOlXi7ZrW7hEs b++D0I7Ecg8g5ryX9mn9g7wx+yh8TfEGu+E9V1+HTNetxD/Yc9z5llatuVvMXI3Mw24UsSQG cZOePy6nxJhHl31X2MYtdLPll62knf15j76eRYlY36x7VtPrpzR9Lpq3pY+Jv2+fi/8AG/4h eFfB1t8Tvh1pfhDSYPEMMtpcWs4dp59jjyz++fA2lj0HTrX6lV8Yf8Fp/wDkkvw8/wCxuh/9 Ey19n152cV41sBhZxgoK9TRXtvHu2d2V0pUsZiISk5fBq7X2fZI+MP8Aghj/AMml+If+xuuf /SOyr7Pr4w/4IY/8ml+If+xuuf8A0jsq+z65uJ/+RrX/AMRvkP8AyL6XoFfzafA3/kU7j/r7 b/0BK/pLr+bb4F/Dv4geLvCVxc+FNCtdU05LxopJZbmKMrKEQlcNKh+6VPTv1r6TgOrGnOtK e3u/+3HicX05VIU4x8/0Oxop3/CkvjN/0KGnf+B1v/8AH6P+FJfGb/oUNO/8Drf/AOP1+k/2 jQ7nwv1Gt2G0U7/hSXxm/wChQ07/AMDrf/4/R/wpL4zf9Chp3/gdb/8Ax+j+0aHcPqNbsNop 3/CkvjN/0KGnf+B1v/8AH6P+FJfGb/oUNO/8Drf/AOP0f2jQ7h9RrdhtFO/4Ul8Zv+hQ07/w Ot//AI/R/wAKS+M3/Qoad/4HW/8A8fo/tGh3D6jW7DaKd/wpL4zf9Chp3/gdb/8Ax+j/AIUl 8Zv+hQ07/wADrf8A+P0f2jQ7h9RrdhtFO/4Ul8Zv+hQ07/wOt/8A4/R/wpL4zf8AQoad/wCB 1v8A/H6P7Rodw+o1uw2inf8ACkvjN/0KGnf+B1v/APH6P+FJfGb/AKFDTv8AwOt//j9H9o0O 4fUa3YbRTv8AhSXxm/6FDTv/AAOt/wD4/R/wpL4zf9Chp3/gdb//AB+j+0aHcPqNbsNop3/C kvjN/wBChp3/AIHW/wD8fo/4Ul8Zv+hQ07/wOt//AI/R/aNDuH1Gt2G0U7/hSXxm/wChQ07/ AMDrf/4/R/wpL4zf9Chp3/gdb/8Ax+j+0aHcPqNbsNrnfiv/AMiBf/8AbP8A9GLXSf8ACkvj N/0KGnf+B1v/APH6534sfC34m+HPh/f3niHw5Z2GkQ+X9onjuoXaPMiBcBZmJyxUdD1qKmPo yi4p6suGDqxkpNH7yfsLf8mR/Bz/ALEfRf8A0ggr1SvK/wBhb/kyP4Of9iPov/pBBXqlfz/i f40/V/mfslD+FH0R+YH/AAcZf8jZ8AP+vvV//Q9Mr4mr7c/4OKNGu/Efjb9nzT7CSKG+v77V ra2kl+5HI8mmKpbg8AkZ4P0NfH//AAxn8WP+hk8Kf99v/wDI9frXCWMp0cspqfW//pTPzniP DTq46bj5fkjDorc/4Yz+LH/QyeFP++3/APkej/hjP4sf9DJ4U/77f/5Hr6X+1aB4P9nVjDor c/4Yz+LH/QyeFP8Avt//AJHo/wCGM/ix/wBDJ4U/77f/AOR6P7VoB/Z1Yw6K3P8AhjP4sf8A QyeFP++3/wDkej/hjP4sf9DJ4U/77f8A+R6P7VoB/Z1Yw6K3P+GM/ix/0MnhT/vt/wD5Ho/4 Yz+LH/QyeFP++3/+R6P7VoB/Z1Yw6K3P+GM/ix/0MnhT/vt//kej/hjP4sf9DJ4U/wC+3/8A kej+1aAf2dWMOitz/hjP4sf9DJ4U/wC+3/8Akej/AIYz+LH/AEMnhT/vt/8A5Ho/tWgH9nVj Dorc/wCGM/ix/wBDJ4U/77f/AOR6P+GM/ix/0MnhT/vt/wD5Ho/tWgH9nVjDorc/4Yz+LH/Q yeFP++3/APkej/hjP4sf9DJ4U/77f/5Ho/tWgH9nVjDorc/4Yz+LH/QyeFP++3/+R6P+GM/i x/0MnhT/AL7f/wCR6P7VoB/Z1Yw6K3P+GM/ix/0MnhT/AL7f/wCR6P8AhjP4sf8AQyeFP++3 /wDkej+1aAf2dWMOvpb/AIISf8pGvHH/AGI8/wD6V6bXgv8Awxn8WP8AoZPCn/fb/wDyPX0D /wAENvBmrfD7/gpP470jXLm0u9UtPA83nzWxJifddaY64yqn7rKD8o5B+teFxJjadbLqsYdj 18iwtSljYSl3P17ooor8WP1I+MP2ev8AlMn8af8AsXYP/QNNr7Pr4w/Z6/5TJ/Gn/sXYP/QN Nr7Pr3c//i0v+vdP/wBJR5GTfw6n/Xyf/pTCiiivCPXCiiigD4w+Nn/KbP4Qf9ijcf8AorV6 +z6+MPjZ/wAps/hB/wBijcf+itXr7Pr3c7+DC/8AXpf+lSPIyr48R/18f/pMQr8ff+C7f/KR rwP/ANiPB/6V6lX7BV+Qn/BcnwZq3xB/4KT+BNI0O5tLTVLvwPD5E1ySIk23Wpu2cKx+6rAf KeSPrXVwjJRzGMn0TMeI4uWClFdWj5iorc/4Yz+LH/QyeFP++3/+R6P+GM/ix/0MnhT/AL7f /wCR6/X/AO1aB+Z/2dWMOitz/hjP4sf9DJ4U/wC+3/8Akej/AIYz+LH/AEMnhT/vt/8A5Ho/ tWgH9nVjDorc/wCGM/ix/wBDJ4U/77f/AOR6P+GM/ix/0MnhT/vt/wD5Ho/tWgH9nVjDorc/ 4Yz+LH/QyeFP++3/APkej/hjP4sf9DJ4U/77f/5Ho/tWgH9nVjDorc/4Yz+LH/QyeFP++3/+ R6P+GM/ix/0MnhT/AL7f/wCR6P7VoB/Z1Yw6K3P+GM/ix/0MnhT/AL7f/wCR6P8AhjP4sf8A QyeFP++3/wDkej+1aAf2dWMOitz/AIYz+LH/AEMnhT/vt/8A5Ho/4Yz+LH/QyeFP++3/APke j+1aAf2dWMOitz/hjP4sf9DJ4U/77f8A+R6P+GM/ix/0MnhT/vt//kej+1aAf2dWMOitz/hj P4sf9DJ4U/77f/5Ho/4Yz+LH/QyeFP8Avt//AJHo/tWgH9nVjDorc/4Yz+LH/QyeFP8Avt// AJHo/wCGM/ix/wBDJ4U/77f/AOR6P7VoB/Z1Yw6K3P8AhjP4sf8AQyeFP++3/wDkej/hjP4s f9DJ4U/77f8A+R6P7VoB/Z1Y/QD/AINzP+TI/FP/AGPF3/6QafX35XwH/wAG5n/Jkfin/seL v/0g0+vvyvw/Pf8Af6vqfrOVf7nT9Dyv9un/AJMj+Mf/AGI+tf8ApBPX4M/Cj/kQLD/tp/6M av3m/bp/5Mj+Mf8A2I+tf+kE9fiH8Bf2NtQ+K3wn0rX4PHF7o8V/522zjs2kWHZM8fDCZc52 5+6Ov419jwPiY0aVScu58zxZQlVnCMexXort/wDh3nq3/RS9R/8ABe//AMkUf8O89W/6KXqP /gvf/wCSK+7/ALXonx/9mVO5xFFdv/w7z1b/AKKXqP8A4L3/APkij/h3nq3/AEUvUf8AwXv/ APJFH9r0Q/syp3OIort/+Heerf8ARS9R/wDBe/8A8kUf8O89W/6KXqP/AIL3/wDkij+16If2 ZU7nEV3fhD48S6F4Ej8Nax4b8N+MNFtLprywh1dblH02RxiXypbaeGUJJhSyMzJlFYKDkmP/ AId56t/0UvUf/Be//wAkUf8ADvPVv+il6j/4L3/+SKzqZlh6i5Zr+vJ9C4YCtB3izas/2tPE MHju91q407w5fwXmkHQE0iexP9m2mnl1f7NFEjKVUbcbtxf5mbd5h311HgX9o2z1Zdb1DWZ9 E8OWOi+D7/w34f8ADmnW94wdrtJFPls/m/8ALSRpJHnm3HIC7sADz3/h3nq3/RS9R/8ABe// AMkUf8O89W/6KXqP/gvf/wCSK5KlXBTi48ttLafP8bNq++r7nTTp4qElLmvZp/dZr5e7HTbR di1rHx+/4SzwxaWWveEfCuu6lYaaulW2s3LX0V9FBGpWHIguY4XaNSArPExIRQ24Ck8R/tB3 Xi7wXb6bqXhzwte6ra6ZFo8Wvy28zaitrE37tMGX7PuVAIxL5PmBABvzzVb/AId56t/0UvUf /Be//wAkUf8ADvPVv+il6j/4L3/+SK2+t4Ts977v+rd1s+pn9VxHfpbptp+VlbtbQ1PFX7R0 Xj7xVFrXiDwH4L1rUhZRWdzLLJqcP25o44o0mkWG8jAkCRAfIEQ7mJUnBHMfFb4pah8X/F39 r6jFaWzJbQWVvb2quIbW3gjWKKJS7M5CooGXZmPdia0/+Heerf8ARS9R/wDBe/8A8kUf8O89 W/6KXqP/AIL3/wDkinTxuFg04p6aLfT0XT/LTYUsJiJJpvffbX1f9a67nEUV2/8Aw7z1b/op eo/+C9//AJIo/wCHeerf9FL1H/wXv/8AJFdH9r0TD+zKnc4iiu3/AOHeerf9FL1H/wAF7/8A yRR/w7z1b/opeo/+C9//AJIo/teiH9mVO5xFFdv/AMO89W/6KXqP/gvf/wCSKP8Ah3nq3/RS 9R/8F7//ACRR/a9EP7MqdziK0Pgj/wAnufAf/seNK/8AS+1rp/8Ah3nq3/RS9R/8F7//ACRV PwH+zzd/AX9tz9n77V4luPEX9q+ONN2+bbmL7P5d/Z5xmR87t49Pu965MdmNOrh5047tM6cH gZ068Jvuj97aKKK/CD9dPjD/AILT/wDJJfh5/wBjdD/6Jlr7Pr4w/wCC0/8AySX4ef8AY3Q/ +iZa+z693Hf8izC+tT84nkYT/f8AEekPyZ8Yf8EMf+TS/EP/AGN1z/6R2VfZ9fGH/BDH/k0v xD/2N1z/AOkdlX2fRxP/AMjWv/iDIf8AkX0vQK/Dj/gm5/yQ3Vf+w7N/6T29fuPX4cf8E3P+ SG6r/wBh2b/0nt69XhT4K3/bv/tx5/EXxUv+3v0O3+Ofxl8S/D/xboOh+FvDWg+IL/WLK/1C U6tr8mkQW8Np5G7Dpa3G5mM4wCFUbTlqpJ+2n4FtPB3hvV9RudXsV8R6Jb+IDDHo93fHSbOZ dyzXr20UkdpF98ebOyR/upCGwjEW/jv+yt4Z/aN8U6Fd+KrLT9V0/Q7G/tY7O6slmZJbnyAt zFIxzDNEITtdRuBfIZcc814k/ZY8XapbTxWfxDtIm8SeHbXw54rubzw99qudUSFZU+1WzC4R ba4ZJ5QTIk8edh8v5WD+63iU52V9Va/a0r+a15f5n28vKiqDUeZ27/evXpfsej3nxx8LWMOq SSaqvl6Nq1nod4ywSuIry7+zfZ4wQp3b/tlv8y5UeZyRtbHI+Gf20/BXiXwrqWr+T4xsodN1 iXQxb3PhTUheX91G8qstrbrA0tzxDI5ESs0aIxkVNrYxvFX7Imq6l4rul0jxdY6R4Q1LXNH8 Q32mPorXN9Lc6cbMRol2bgKkLpYwAr5DOCGIfB21Q+In7Dr/ABE8OXmmX+qeENWtLbxXceKt FtNc8JjVLKGS5+0efDewPcqt0ubmQxtGbdoysZJfB3VUnX3hH7/WGu/+N/JX13UI4dwXO9dL /wDgL8v5rL0PQdL/AGovBWtXnh62tdQ1Ke98TmZbGzXRb77UPJlSGfz4fJ8y28qR0WQzqnll huxVjUP2jvCGl+NNX0Ke/vUufD8D3Gq3f9lXZ0vS1SETstxfCL7LC4iKvseUPtdTj5hnB+Df 7Msfwq1rw3fp/wAIhpx0LSdR0x7Dwx4b/sTTJWu7q3n82O38+XyiBbgMNzb2ctlfu1T8Rfsw ar4jk8f6HL4n07/hX/xES6a+0s6KzanaTXFqsEjQ3huPK2bl8zZJbOcsw3bcAOUq6gmkm7S+ /wCyt9nvf0Vlq1MY0XOzel1919Xt26erv0erb/tg+A5NB1DUbi+13S4tMktop4NU8Nanp14x uZfJtzHbT26TSrJL8itGjKWBXORisy0/bP8ADmvx+MI9NsPEVrceC2txeSa/oOpaRZuJRCw2 yvas24LMv7spvJGdoQ+ZXOfDj9hmPwVok1qYfhRo0zarpOoi58HfD8eHpJ1sbtLkx3GLubzd 5QBSNgQljtbOB1PjP9mvUPFepfEGNPEVnbaN49+yXD250ppLmyuoEgi3ibzwrxNHbqPL8oMG YnzCPlpXxHLd2vr+Wjvfvpt+GoWo3dvL81fp2uc54G/bssfFHjTxGmp6Zb+GfCeg3l9aLqmr HUrO6uRZxNJcSeRNYJCEXY33bliBjIViErtLz9q7wtYeGLPWJNO+Iv2K+kljjCfD7X3nQxhS zSQizMkSYcbXdVV8NtJ2tjlvHn7FaeOtIu7V/EktqbjUtZ1OOWOxBeCS/B8sjLkHyX2tyMPt wQoNU/jF+yH4k+P2j6J/wmHiD4deIdR0oXULxah4FkvNGeObysTR2M2oOEvY/LYJcNI4CyyL 5eGOeaM8bGkrxTlyx7fFZc3Xvfy7M05cM53vZXl932enX5+iOm8NftreBPFN14qEE3iCOz8J mAT38mg3os9Q89IWhFnKIity8hnjWOOPMkpZTGjqys3TfDz49+HPijcrBpH9v+fvljlhvfD2 oafJZvGsblbhbiBDAzLLGyCUKZFJKbgpI8jj/YCZvhXq3gy68RaPqeg6jZ6MUgv/AA6Lgfb9 NitIo5Jkafy5rSQWke+22KxDuBMMjb3n7O/wBvfgNp5sreH4W6ZYXM8097b+EvBDeHo7pisS wttF5MNy7ZNzMG3howNmwl+um63tHGa93XXvr66f16LOao8l4vX/AIC8u/8AXVrpP7TUOpfH 7X/BX9iXf2fSLWR7bU4pfMGo3UEVvNc2qR7Rh0jvLYqdx3kyjC+Uc8JYftw6/qP7NV98RLXw RoesbrrTrTSdN0jxYt291Nd3cVqbS5c2yfZbyFpV8yHbIoY7fMznbqaR+wrZ6B4i0bxJZeLP E0Pi+x1261y7v21K8nsbp7oTrcJHp0tw1pBlJyFZYyV8tCd/zBkH7H+ueKNc1DW/FXirw7ee Ib6fRGe80Xwu2lrcxabqEV6v2lWu5mmlby/LWTeqxqx2x8kHnp/Wpcqnp320vq2u6XwpWTtq 7v4tf9nUrrVXXfa9mvK695u71dlbp3Hwx/aF074q+Mbmx06AjTI/DemeI4b6STa0iXsl4nlP GVBjaP7J82WzlyCF280rT9sLwJf+Dzr0N34hl0yS5itLORfC+qF9YkkVnT7BH9n33ylEd99q sq7FL52jNU/h9+ydZeAvip8SNcGsXV3ovxCtLe1GjPEETSAr3clx5UoOSk0t5LJtKjYzPgkM AuTp/wCzb4+s/B3hi1f4geGptc8B3EbeHtRbwlKIzALWS1kjvYBff6QzxSZ3wvb7XUELtyh2 569r8vbz66rdbLbv1s1Z5uNHndnpp5fZXk95Xv26XTutLVf28PhZolvFLdeI7qGIxRz3LnRb /bpUbzy2wa9Pkf6EFmhljf7T5flshD7TUq/tv/DmSCLZqPiCW9lluIV0uPwtqr6tvgEDSg2I tjcjal1A/MfKShxlcsMXSv2MZbbwv4wtrvxR9r1Txvb2/wDaV4um+XGLpL66vJJI4vNO2Njc 7EjLEosS7pJGJY5HjL9mXx3YftVN4y8GeI9K0pdYh1S5u7vUtG/tC2s3lt9DtY7ZoVuoZZCw 0+SUSI6hSoVgRjfnz4pNJparotn21krrz0v5PQ0jDDSk1dpK9r9dNOmmvr28zt739tP4dWot 3i1fVNStLmGCcX2maBqOoWMXnoskMclzBA8MU0iyRFYXdZG86LC/vEzleFv2+/h54o8F6Zrn /FY2VvqVqL54Z/COqNLp1uc4nuvLt3WCA7X2zyMIX8qUq7CNyvEeD/8Agmno3w98dWGp2EPw 112BJbK5vbjxV4Di1bWzNBFFE72t8txD9nDiFXVTFII5Xdl+UhFp3P8AwTXe4l0ye7u/hL4p utM0uHQoj4t+G41qOKyt5JHt/LBvkaOfE0glcNsl2xkRRbTuXPjL6xX6L57vy0XdpbD5MJb4 n0/4PTp6v57nvPgL4/eGvif4ovNK0N9bvnshIWvv7Bv4tLm8uQRuIb54RazEPkYilY/K391s c3+2/wD8mveJ/wDt1/8ASuGqXwb/AGYdT+GPxi1DxM+r+FbLT72K4VtH8LeHp9Dtb2WWRG+0 3kbXs8M9wqoF85YY5DkgsVwgu/tv/wDJr3if/t1/9K4a78M5NRc1Z9fv+Zw1uVXUdv8AgH6j /sLf8mR/Bz/sR9F/9IIK9Uryv9hb/kyP4Of9iPov/pBBXqlfleJ/jT9X+Z+hUP4UfRH5tf8A Bej/AJLl+zD/ANh2/wD/AEo0quemfy4WYdgTXQ/8F6P+S5fsw/8AYdv/AP0o0quekTzEKnuM V9/lSk8rpqG9pW/8CZ8Zmn++1L+X5I+ZP2fv21/EvxA8G/DY+KNP0DS/EHibU4l1dLdJFtv7 OuNIvdStbq3DSFlB+ziJi5YB4bgAfdI7SD9t/Q4fD19rOp+F/Gmh6Mmg3niXSr29trUp4gsL WNZZZLdI53kjby3jdY7lIHYOMLlXC27L9inwdY6p8ML0PrD3Xwp09tL012uExqNsbR7XZdqE Cy4SR2XAXazNjAZlNOz/AGHtE/4RXUdE1LxX4113SptAu/DGlW99cWhHh2wuUEckds0dujO2 xI1ElyZ3AjA3fM+/rarptLzt22td9bvR6WV+bpYJSwsqqe0dL9/ibdvRNLXWyXW5q6F+174Y W11iXxfHc/DBdFjtLmU+L7uxsUlt7ppVt5g6XEiKJGhlUJIySgoQyLxmW+/aq0iy1XxG40Tx DceFvCUMj6p4phW1bS4JI4FnaFF8/wC1TPtdADDA6F227twYDrtI+Gljo3xJ1LxRFLdtqGqa VZaRLG7L5KxWslzJGyjbneTdSbiSQQFwBg55HWf2WtO1vXfFbSeI/FCeHfGqTf2t4bR7X+zZ ppbdYHnRzAbqKTCK37udV3jdtyWzUlVWi10dtr36X6WfWyWttLXOaPs2/e8r/cua3o7pXvp5 2M+T9sK00jS9SOt+B/Hnh/WNP/s9k0W6gsp72+ivboWkEkRt7mWEjziVZWlV025ZQCpaLwF+ 2dYeNvGmn6Jc+CfHfh2W+1O50JrjVLeyFvbalBDLcPZs0NzIXYwRNIJIg8BBC+aJAyDS0H9l WztPtFxrnizxf4v1e4n02T+1NWezW4iisLpbuC3Vba3hhEZlDFz5fmPvOXO1NuoP2dtGTW7T UFutT+0WPiW58VRKZE2G6ns5rRkPyZ8oRzsQAd24A7iMgw/bpN36P81y/wDkrlf+8lbTR03R 5Wra/wD2v5c9rdeV66nm+r/t6w6n8OE1jSfCniXSP7Z0hda8O3mvW0As9ZhD24l2rDcNMjIt wpxMsW7lkLqCav8AxN/bj0n4H6PqF/4gsp76yg8QXmircR32j6JHbvCqOsZOo6lCJnKsxDRc tsbMaYG7O+EH7A8egfCLw/ofjDxd4m1+80nw7DokMH2m3ay0b/UPP9jItkkZXeBAGuDIyoNq 7AWB67xL+yFper+Ip9Y0zxP4s8M6vdXN9LPe6a1k0ssN55BuLb9/bSqsbG2hIZAsoK8SDOKz qRxXM3D+V2235la/Ta92tltd6PV/V1K26v8AhZ7dd7b9fLbKtf28/C2oXhnttD8VzeF7e40+ 1vPExgtotLsXv7e2ntd/mTrOwcXcCny4X2M/z7R81R+LP29dA+H3wqtfGHiPwz4m8NaVrF1D a6ENYu9JsG13zYnmWSNpr1Y7dfKjZyLx7d+ihS5CHW0T9izwlonwwvfCIudaudIv9Q0jUZhc TRO7tpsVhFCmfLA2Ounw+YCMnfJgrkbW6f8Asjf2f4J0zRv+FifEGaTw3cxXHh3UZW01r3w+ I4ZLfy4m+x7J1aGV42+1pOxB3Z3gNWs1WtJRfa23lzX2135fnzdCY+wsm9+u+9tH6X+Lra1u oeG/20vDfjr4SaF4p8N6brPiabxLqE2lado2ly2NxeXF1D5pnQTC5+x7Y1hkcy/aPKIUbXYs gbC1f9q/xF4w+I/w60Twh4X1G0g8Q6hew+IJtVs7aeTSBZSLHdWpRb+LEqs3+uj+0R7dpRZw 3HceJf2fpfFvgvQrG88ceMD4h8OXjX1j4ojTTo9UjkZZI2BRbQWjKYpXjKtbkFcHG8BxL4H/ AGc9G8C33h+8hvtYvb/QTqErXd3NG8upz3zq9zPPtRQXZ1yBGERc7VUKFUDjWct9Fb52cb/L 4rrf4Um1e+d6Sjpvr/7d+Pw20/mutjzDxX+1b4i0n9qHU/CVjrXgS7j0zWtM01fCQspX8SX9 pdRW7T38ci3WFig895GJtSuy3cF1J3DkpP28vFVq3xIlt9S+H3iGXwpZ+Kpho2nWU4v/AA02 lTyx2j6iwupA6XKxggeXbsS3ybgCV99179nLQvEOs6nqEtxqkd9qOvWPiJZ4pUV7O6tIoYU8 o7OEeKLY4bduWWUZAbh8/wCz1otx8GPFPgY3Oqf2T4ubVmvJhIn2iP8AtKaeafy22bRta4cJ lTgBc7uSc40a/LrLX3vxUbdejv38mr6dMKuH5o80dLwv6Lm5vv07Pvdb8Z4Z/aV13xd4M8P+ LLW00qLw74w8TWemaNHLFJ9rawkJR7ib58JK7qzJGRujTaJB5hZE3vFX7VOm+FvG17px8OeK b7RtIv7fStW8RW0VsdM0q7n8ry4ZA063Ln9/BuaGCRE80bmXbJsvJ+zVoVvqk88F3q1vbz69 beJRZRyx/Zor2IYZ0UoSomOGkUHBcFhtZ3LUfEX7K2m+I/H15qzeI/FNto2rahbavqfhqCW2 GlaneQCIRzSEwG5X/UQFkjnSNzENyNuk36wVZKz7/wDtsP8AyW6ntZ3askrpci5Ovb8by287 cu+ne553qP7etz4X+H3ijUte8Ma5psWl6l4i0yx8QQ6dDcaTJNp8195MRhN4lzJIYbTJbEcL yZQTRkgDU+JP/BSX4b/CH4st4O1zUI4ryyltbXUrw6nplvHYTTpG6A2s12t7Iu2WIl4IJUUO cvlJNmf8bP2DZfE/w98UadoHiTXNQ/tuXVLyy0PWtRhh0bTr7UvtCz3gaK0a5YxrdztHC0hi LY4Vv3q+i6h+zYsnja+1bTvGXizQ7HW5orjWtEtI9Pm07WZEijgYyC4tZZo/MhijjcQyxghc jDkucI/WuXz03226+V76rW3L15jrqPCuV1s+b5arlt/2730vfpa/L3/7ZuqfZPB95YfCL4g3 OneM9VjsLGe4utItWmhktpbhLlImvd4BSPPlzCJwN2QGARus+D37Slj8b/GfiHTNG0HWv7O8 N3txpt1rMt1pzWv2uCQRvbmGO6e7ik6sBPbx/KM9GXdlaV+yX/Zfg3R9FPxD8f3cfhm+tr3Q rq5/syS50cQxSQiFG+x4lRopGRjcCWQjkOG+atTwj+zdDoHxofx3qfinxH4n1tLGbTbM6jba bCthbSyrK0KPaWkEsiBkXCzSSAdQNxLV0Q9oqnXlu97bcsbXt1vzbaXe9kkc0/Z8um9l335p Xtfpbl37bX1PSarf8Eq/+UvnxQ/7Ef8A9qaTVmq3/BKv/lL58UP+xH/9qaTWeZ/7lV/w/qi8 B/vVP1P1Nooor8wPvT4w/Z6/5TJ/Gn/sXYP/AEDTa+z6+MP2ev8AlMn8af8AsXYP/QNNr7Pr 3c//AItL/r3T/wDSUeRk38Op/wBfJ/8ApTCiiivCPXCiiigD4w+Nn/KbP4Qf9ijcf+itXr7P r4w+Nn/KbP4Qf9ijcf8AorV6+z693O/gwv8A16X/AKVI8jKvjxH/AF8f/pMQr8sv+Cqn/KXz 4X/9iP8A+1NWr9Ta/LL/AIKqf8pfPhf/ANiP/wC1NWrThj/ff+3WTnv+6/NGD8ZviGPhP8Kd f8ReR9rm0qykmt7YdbufGIYR/tSSFEHuwrD+CnxW1fxb8Jb2+8Q6fCfFfhue707WbHSlOyW6 tmYfuFkfIWZPLljV3yFmQFu9bXxd+D2ifHLwvDofiS3GoaIL2C8utPljjkttR8lxIkM6OrB4 t4RivGSgBOMg0Pg9+zt4U+AV7r3/AAh+mWvh/TPEE8V3LpFhbQ2unW0yRCJpIYY0UI0iqm/k glAcAk5+yarOcrOyasvXpL01aa8kz5a9PkS63u/Tt+v3/LndI/bO8IeIZdunrqt4rxaNLbyR xR7Ls6o8awJGS4y6CaJ5FOCqSqRuzisv4S/teyeKPEJ0zxF4c1XS4rjxHrehWOurHBHpNzJY 3N4FhG6c3Hm/ZrVnZ/KEJZHAcH5Bc8DfsReEPAHiLw7qVpc67PL4X1G/1GyjublHjzdIsYhY eWMxQJHGsIBBQRrktiugsv2a9AsrfRYfP1KaLQ/EmpeJ4UleNhNcXwvhNHINnMQ+3zbVGGG1 Ms2Dun9+482ilrp01tZd9NU31aT20NX7BRcVd+fXRS/Bvlfkm10uc7pP7X1t4n0q5kt/C/if Q/t2h3eueG73WYLcWniCCBFcyRrDO80Q2yRPsuEgkKycLlXC8x8TP+Ckngn4Faf4ag8Vun9s atoFrr1/FBqWm2K2MMynDql7dwyT5ZJcR2wnkAQZXLx7+w8E/sg6X4QjMNz4o8YeILOz0ifQ dGtdTntWj8P2UwVXjtzFBG8h2RxIJLlppAsYG75n32dV/ZgWPUdOvfDnjfxn4LvbPSLXRLmf Shp051O2tt/kCZLy0nQMnmS/NEsZPmENkBQs2r68r09217N29+97NLrC9ui01D9xdX8+6X2b dG9ua1+u+gvxJ/ap03wBqU0Np4c8U+KrfTdLj1vWLzRorZodEsZN5SaXz54nk3LFMwjt1ll2 xn5PmQNz2nftiu2oalYweGda8XaiNVv47K08Oww+ZHp1stuTdzG5niX71wi7UYu5YbI22tjp Pir+zBZfFLxNd6j/AMJR4t8PJrOnJpOu2mkzW0cGv2iGQrHMZIJJIziaZfMtnhk2yEb/AJUK 0b79j3SIvEH9q6H4l8WeFNQe4u3mm0qW1HnW9z5BltCs1vIqxZt4irIFmTB2yDJqZxxDnLl2 tJLa97qz9LW87c/XlJ/c8kV1ur+lvzvfy+H+8ReEf2o5pv2c/hr4qvtA1LXvEvxB0+ylttE0 GKJJbm4ltPtMoj+1TRxxxoiyMTLMMBQMliobz22/4KaaR4J8LabqHjnQrzRV1fVNVtopG1HS bFraK01O4tNjWtzfrdzTxxxRtILaKYFnwgYkIPVr79lzS0+GHgnw3o+veJfDkvw9jhi0PV7G W3kv7dY7ZrUhvtEMsEm+F2Vg8RGTuGGAI4+6/wCCe3h46Lqmn2XjHx7pdr4it57XXvIubKSX XY5bq6uyJpZbV5F2y3lwR5LR5EmG3ACta3tXVbp/Dfy20/4N+u1jS9Bw13v5/wB6/wClvTUW P9uoaT8Jtd8Ya/8AD7xFoGmaHr8+hsbzXdBtkl8ueWHzvOuL+GFBvjVSrOG3yKE8xcuLHgH9 vvwv8V/Enh/S/C+ja5rtxrmnrqsxt77SUXTLX7RJbSTOJL1WuI45IpA0lmLhPlG1m3pu2NR/ ZFsp/Oey8X+L9JuI9fm8R6VPbLp0j6DdTpMlx9nE1pIrLKLibcJxKV3/ACFMDGT/AMMK6Xc6 XomlX3jXxpqvh3RNUGtLpN7FpUsVxe/apLs3DT/YvtSSGWRvmhmjIXgYBOcV9aSVtX7u9t+X XbpzXbsr9FvpLdB3aXfvtd2+drW173214Kb/AIK4+CdfBh8IeH9V8YahLLAbK1sdc0QyXtvJ dQ25m2LfNLb4M8ZEd1HDIS4Uqu2Qx+4+M/ju3hTXtC0a18H+K/EGv61aNfy6ZpxsRLpVurRo 8lxJNcxwAK8iriOR2YhigcKxHM2v7HiWvgifwv8A8LD8fyeGEghg0rTJBpbJoPkTRTWzwSmy 8+RoTCir9pkmDLneHPNdJ40+Az+LPEega3a+MvFnh/XtEsm0+XUdOWwMmrW7tE7pcxz2ssJy 8QYGOONlLOFKhiK1pqsrc7bV12Ttr8t7c2/u/DroKq6Lb5Fbe2/lb9bee+hm6P8AtWaZrHje 304eHPFMOiahqc+i6f4lkitv7L1C9h83zIYws5uR80E6iSSBImMR2udyF8Px9+2TY2Xwm0HX dBsbo3vi3w0fFGlpfwL5UdustijJOEkyJMX0eApI+Vvm4G7c8O/sqaZ4e8dQan/wkXim80aw 1O51nTvDdxLbf2Vpl7P5hkmj2wLcNzPOVjlneNDKSqLtj2c9p37BmgW0UcF14r8balYWOky6 DpNlcT2awaLYPPbTeRAI7ZC202sKh5jJJtXBY8EKHt+W0t3+Hu/nzbW+ytdd2/Yc11t/wX+n L879CS6/a7uNa+L3g/QdF8K64uga/wCJbzQpPEV7BD/Z999ls76SUWuyczKyz2oUNNCqOqyF Cw2tXt9eT+Hv2SNL8O+PNL1dfE3i+40/QNYutd0nQpp7b+ztNubpLlJym2ATurfa5iFllcIS Am1Rtr1itqHPyfvN/wDgL5b3+XmZV3Bz/d7W/WX6W+YUUUVsYhRRRQB6R/wbmf8AJkfin/se Lv8A9INPr78r4D/4NzP+TI/FP/Y8Xf8A6QafX35X5znv+/1fU+4yr/c6foeV/t0/8mR/GP8A 7EfWv/SCevy4/Yg/5Ne8Mf8Ab1/6VzV+o/7dP/Jkfxj/AOxH1r/0gnr8uP2IP+TXvDH/AG9f +lc1fRcL/wC7VP8AEvyPEz/+PD0f5m78dPGWpeDovCR024+znU/E9hp1z+7V/NgkZg6fMDjO ByMEdjXCaH+2DqkviaKbV/CNlpXg6717WPDtpqia01zfS3OnfbWd2tBbhVhdLGfDeeXDYGzB 3V7D4n8Hab4yWwGpW32gaZexajbfvGTyp4ySj/KRnGTwcg9xWRafBDwvZR6akelgLpGsXmv2 imeVhFe3f2n7RKct82/7ZcfK2UHmcKNq49p061pcstW21105YJfc1J2T6+bPLjKjb3lrb/5N /m4fJPyPPbH9pDxzeeEvDly3gLw9DrXju4jXw3p7eKpCjQG2kunkv5hZEWzJFHjZAtzl2Cht uXGbrH7YPikaNDHpHgDTb7xBa22tzataXXiQ21nZvpU0EUyxXAtXeYSecDExhjJAG9Y8nb1t n+xr4C0/wWnh+G18Sx6Xb3MV3YovivVvM0eSJGjT7FL9p8yyURu6bLdo1KMVIKnFdBoX7P8A 4R8N6NaWFnpPl29lp95pke66mkkeG8dJLoySM5eWSWSNXeVy0jNuYtlmJicMS+bklbR2662V ruy0ve+mqd1a1ioToJx5o3113Wmv970tr0s77vy21/bZ1uDw/qlzqHgFLa/SHw9faVYwa6kz 3trrN81nb+c5hVIJ0ZGMkamWMcbZWzkZ3jD9svXvAPiVx4p0SPRJPCA1ObX9N0a9Grw6lFFp a3sBt55IIJCx3bdpjj+dSPmXDH0H4s/sj+GPib4Ol0iOI6Z9qTRLK4lEk0plsdLvhdw2wHmK VJzMnmAhx5u4ltoFaGh/speAtC0v7J/YkuoxyPdSXD6tqN1qk181zALec3EtzJJJcboVWP8A es21FVRgAAOtTrvnVKVt+W/ytey9b6vty7NOnOglFzXa/wByv1/mvbra2vQ8X0j9ub4meLvF 3hvSbD4W6dpjaprENlPc6zPrunWksUlvcy7YZLzR7ZzOv2clgI3QBkGSXJjn8Uf8FIL/AEHV /FNxbfDTxBqXhfw5/a0Y1KK01VGkk09Lje0kjacLBIHktnRXW9kYb48xhi6J6vZfsieDLLSB ZeZ41uoY7uC+ga88ba1dTWU0IdUa3llu2eD5ZHVhEyh1bawZeKdrH7IngbXdT1qea18QJB4i S6j1LTbfxPqlvpV19qjeO4Y2MdwtqGkEjszCIMXYyZ3/ADVKpYnbn6v8o26d1L77+RUamG5v ei7afnK/XzX3HH+JP2ytZ+G/hvxQ3irwTFZ6/osGlXVjpukancauL1NTuZLW1EjR2glSRZon 8xIYZyFGY/OJCHlZ/wDgoN4ptPD8VzefDIeH2Se4S71LxJdaxofh+FI0hdCL260hHjLmUoDc wW8ReNlWVzgH3jxd8CfCvjqXV5NU0r7TLrljaaddyC5mjcxWsss1sY2RwYpIpZpHSWMrIrFS Gyqkctqv7GHgvXfD7aXeX/xKubCQSrJFJ8R/ETeesiqrpIft2XQhcbWJUZbAG5sqpTxWvs5L y/4Oj/roTTnh7Lni+l/uV+v817eXXtzvww/bQn8S/C/xh4o8R6DpOiHwnp66jLoVnqtzPr0C ssjLHd2d3Z2jWrvsAjJLxyZZlkKAO2F8cf2kvih4f+HPifSE8M+HPDHjq2tdPu7Oe08SNfWk drd3f2QyLLLp4xcxuD8j27xYdW3SYaOvVPBX7LfgrwJour6fb2Gp6na67YjS71dc1u+1tpLQ Bl+zK15NKyQ4dsxoQpzkjNN8M/sq+CPCvh/UtNh0/VL2LV2tjdz6prl/qd5KttIJLeP7TczS TCKN8ssYcIC7nb87ZqpSrzjy81tLfPXy0+y7+qSXxExqUo68vVb9tPPX7XTt6Hl37UPxO174 Tv8AD3S9S8eeNfDEc2h6jc6xqegaHba3c3FzbR2mHnzp0kaQAySs8ogt4xwSYhgDnPEHxt+K F38VvDulJqviK18S/wDCJ+G9Vk8PaJoMGo6He3tzd3SX4vL0W8v2eERwjY4u4h8pKGU/KfqH V/Amk694lsdXvLNbjUNOtrizt5GdtqQ3Hl+chTO1g3lR/eBxt4xk5zvAXwa8N/DG4jl0PTvs TxaTZ6Gh+0Sy7bO0Mxt4vnY8IZ5cH7x3YJIAxXsajqSk5aNp9dElLTt1XlpqnbV+2pqlyW96 1r6b80Xf7k131smrng/wg/aJ8ZfEvUPiUtzq39lp8PJfEEcEElrB9o1sLf3kVpcKNmBa28du Igw+eSZZPMwIwZu+/wCF6eKpNC8CaR4d0HSvFHi7xD4dXXbxtV1ZtHsoYUSBZHMkVtcMZHln TaixbcByWTChutj/AGd/B0M0ciaP5csbamRIl1OrsNSlaa9RiHyySyNv2HKqyoVClFxD45/Z s8I/EPR9Dsr601W2Xw3bm002fS9bvtKu7aBkRGh+0Ws0czRsI49yM5VjGhIJUERClXjFpyu7 R/Dnvuna9430d7PbSxVqUZ1XJK0bydrdHy22a2s+ul+q0fj3/DYnjHVvEmra74c8L2+seF7L wLpnim603UdWj0+fTt82pi5WJ0gm8+dltkVUZki/dE+Ym75ovHH7et94O+IWtaLofhnWfFd/ LqG60hlivpba1tE03TLhmA0zTLu5Qs+oJhZY3XIkJmQGOKvUvFn7G3w48Z3NpJd+H5YFs9Mg 0RYNP1O70+2m0+AuY7OWGCVI5rcGR8wyKyMDhlIArNt/2PdI17XPEWq+J768vdW1rXJNVtr3 Qby+8O3Gmwta2totqs1rciZlMdpCZAZAkjqG8tdqBV7PFc0kpLrb7/n0ei1tZrmd1bVVMM5c 0o6WtbztFX+9Nva91pucgf2xvHvjb4M+L/GXhb4d6Vp+neF9LuJZB4p1i607UEvobVZ5Ymsl s2by0ZtmXlidmRvkVSrnauf2p/FXh/x14Q0DXfCvhTRG162s5bzU77xDeW+mtNcTNGLWwuDp xhubraoYW8slvIxcBVZQZB19h+yj4K07V7+8S21931ey+wajDN4k1Ka11RDbLal7mB7gxTzG FEQzyo0p2qS5IBpi/smeDmuNJaZ/GV7Doywrb2l74z1m6spPKfzI/Ot5LpoZyGwczI5O1c/d GLUK6km3p7t/lzc3TS9427Wtd2u8JTotWS7/AI8tuvS0vvvZbL0qvJfil/ye5+zL/wBjxZ/+ l+n161XkvxS/5Pc/Zl/7Hiz/APS/T665fDL0f5Mwj8S9V+Z+z1FFFfkh+jHxh/wWn/5JL8PP +xuh/wDRMtfZ9fGH/Baf/kkvw8/7G6H/ANEy19n17uO/5FmF9an5xPIwn+/4j0h+TPjD/ghj /wAml+If+xuuf/SOyr7Pr4w/4IY/8ml+If8Asbrn/wBI7Kvs+jif/ka1/wDEGQ/8i+l6BX4c f8E3P+SG6r/2HZv/AEnt6/cevw4/4Juf8kN1X/sOzf8ApPb16vCnwVv+3f8A248/iL4qX/b3 6HoXxi/aS0P4IXF3Dq9rq0ssGkPrEEdrCkjagqTxW7QwAuC0wkuLcbTgHzkwTyBV1T9oiwvb mEaU8vkxeJrLw/PO9mtxHdNcW8c+IiJ0KYWaMF2DbSGHlt1rX+KPwK0b4t+JvC2q6lLqENx4 Tvje2620qol2CATBOCp3xb0ik2gg74Izngg5Hgj9lbw54A+GvhzwtY3GrtY+GdXXWreaaZHu LidZXkAlbYAy/Pt4AO1VGeM19BH23PaW1193Mm7/APbrat3jd72PFl7Pk93ez++zS/FJ/wDb 3S2vn7ftt+Ib6DQ7iH4ZeJbP7Z42vfCj2Ek1jdXeprb22oPutmjuhHG/m2cYczssahnwzAeY O71v9rTwv4V/Z7ufiPq6XukaVZTvZXNpevbw3NteLdGza1kcy/Z0cXIMZczCEYLGQIC9T6N+ zJpmjeK7fU/7b8Q3ENh4luPFVlYStbfZrK6uILqGdVKwiVo3+2SuRJIxDBdrKoKGxd/s4aLc /C3UPCq3usQW97rFxr8V7FNGLuwvZdQfUFliOzZ+6uGBRXRlKqFcOC26Yxrqlq/esu29o3t0 u3zeW2yubTlh3UTitL/hzTf4LkX37nnvhz/gpV8O9f8Ah7J4mI1GDS7XUZNJu5ILmw1NLS7F v9ohhaWxuZ4Xadfki8t3zKVjbY7Kp1vHn7ZVj8LPEFzaatpeq3F7dXum6dp2kRpY2VyLm7tp JhA11c3yWryfunAXfHlsKnnE5rT8U/sk2XxO8Gw6H458X+MPHNpb3E11GdSNhassrw+VG+LO 1gUtAS0kTFcpKwfJZIyk3ir9l3/hIodU+z+OfGGkza9bW1pq00NvpV3/AGpFDA0O2VLuymjI cMxcKgyTxhflqZ/WOV23vHttbX5333S6J21lew5l21v63087W/4JzsX7X2r6jY/ED7Z4C8Se Cx4HktI2vNUOn6iszTJbSGIw217kSbZ+MSFMANvLZjqTWf28/D3h06jc3/hfxpaaHY3up6XD rMlvaC01G+sPtHnWsK/aPOLEWsxV2iWI7CDIDxV/w1+xR4d8I+FNV8P2GteJofD+safZWM2n eZamJHtY4Yo7hG8jzFkMcEaFQ/kgD5Y1PNZvx7/YstPiN8Cbrwzo1/cx38Gr6p4hsTeyx+RN dX/23zoZv3Ei+QRfTqAYnxhN6zKGSRVPrEYOS1sn6t3f6arTtfqnUPYS0ejbXovdf/t1k9dr 26M39A/ausr74YeOfFOr+E/F3hiD4fSzQ6nZagLKe7doYEnfyha3MyP8ki4+cZJxVfxP+13F 4VSTzfAXj24l03ThrGuxW8enu/hyzZpQk1x/pYEhdIZZBFbGaXanMYZlVsP9nz9ljWPDn7Mv iL4deMpNJstN1lrm2tbbw+LNRp1pNEodVe306xgZzIZXz9kXG8Al+tdZ8VP2X7H4oeJbvUF8 T+LPDses6dHpGuWekTWyQa9aIZCsUxlgkkjIE0y+ZbvDJtkI3/KhXSft+WLhvZb97O9/K9rp apX6kR9jzNT2u/uurW87X8r26C+Iv2qND0Pw14l1K303W9XXw1rWnaC0FmkAkv7i+Wya38ky Somw/b4ATIyYw/GACfOb3/gpb4c8IfCDwb4l8WeG9T8Mal41gkurHR73XdFtXkgjEZedbm5v YLYpmaMBDIszZJ8rCsV7jxZ+x9o/inxm+or4i8VaVpVxqWnazdaBYSWsenXl5YmD7PM5MDT8 LbQKUWZYyIl+Td81Q6f+x9B4f0DQbXRvHnjrRb/wxHcWemapbDTXubawmMRawKy2bwSQgwxF XkiaYFP9adzbpn7dt8un3Pa2vTVu/W3L/esiqfsFFc+/Xft+V/n8i78Dv2uvDv7QdnqOpeH7 DWv+Eb0u2SefXblYI7Dc1vDc+UuJTKzCKdWLCPyxtYb8gA8/4s/b10D4ffCq18YeI/DPibw1 pWsXUNroQ1i70mwbXfNieZZI2mvVjt18qNnIvHt36KFLkIfRfAHwcsvA2l69bzX+pa/J4nuB dapPqQg33cn2SC1YlYY44wHSBSQqgbmbAAwo47T/ANkb+z/BOmaN/wALE+IM0nhu5iuPDuoy tprXvh8RwyW/lxN9j2Tq0Mrxt9rSdiDuzvAarqe25bLe0drb397e3/bvz5tbEQ9je721/LT5 X+Lr2KXgr9ufw/8AFHSfD0/hLw94l8V3PiK3vriO20ubTpRarZzxwXHmXBuxbNtklQAxTSK4 OVLCsOT9tvVrv4F+H/Gy+CNZ0u51vSdR1KHQJzZ3M94Le1E6ulyl2sccWNx+dS7BSNiHG71X wr8GRoXiTRta1LxH4g8Ta1o2m3elC+1FbSN7qK5nhmYyJbQQx7lMEaqURRtzkMx3VzOnfsga LaeBtM8Pz694mv7DRba/sdPM72qyWlrd25tzADHAu5Y0J2M4Z88uz1hiaeKlQkqcvfcXbok7 6W+Wut1vfoXSlQVROa91Nfdrf+tPkcz4T/au1zwp4W8PP440+4uvEetaJDfJoukaJFbXN1dT 3gghhiJ1G4iUkOnDS7AA0jyxjKI7xN/wUD0bwJ8R9M8J+IvB/iTQfEGsCEWen3et+HWvJ5Js rDGttFqb3B3yDyw4jMYOWZ1RWcdf8QP2VdE8ftYzNq3iDStQ0nT7Ww0++sJoVnsTb3EdxFOm +J0Mm6MAh1aNlZlZCGNYsH7FtsddW8vPH/j3UI5tXs9f1G0lGlxQ6vqFqYfKuJzDZI+dtvCh SN0jIjB2Bssdqirc1oOy5n2+Hmdt9b8vqvhSXxWzg6fLee9l3+Kyvtpa9/x8jlb3/gpb4c8I fCDwb4l8WeG9T8Mal41gkurHR73XdFtXkgjEZedbm5vYLYpmaMBDIszZJ8rCsV92+GHxH0r4 v/DvRfFGhz/adI1+zjvrSQ4y0bqGGcEjPODgkcdTXnen/sfQeH9A0G10bx5460W/8MR3Fnpm qWw017m2sJjEWsCstm8EkIMMRV5ImmBT/Wnc270jwZ4YvfC9lJFe+ItY8Ru/l4m1GK0R49sS I2BbwxL87K0jZB+aRgu1NqLdD2uvtPL+t/v6XvbSwVvZaez8/wA/8tvx1NmvKP23/wDk17xP /wBuv/pXDXq9eUftv/8AJr3if/t1/wDSuGuun8aOWfws/Uf9hb/kyP4Of9iPov8A6QQV6pXl f7C3/Jkfwc/7EfRf/SCCvVK/J8T/ABp+r/M/RaH8KPoj82v+C9H/ACXL9mH/ALDt/wD+lGlV yuu6zB4c0S81C6YrbWED3EzBckIilmIHfgGuq/4L0f8AJcv2Yf8AsO3/AP6UaVXPSRrNGyOo ZWGGUjII9DX3+U8zyymoaO0revMz43M7fXp822n5I8G8Q/tVeNPDHwd03xXfeCvCtrP4iuLf +xNJ/wCEi1G9vr6CWF5sGKy0m4l+0oihmigjmQKJWMoWPLR6D+2P4j+Iui+C18J+A7O91zxX Yatez2ur61PpNvpp026gtZ1Z3s2nO6Sb5N1uj8DekZLBOt0/9jbwJpXhBNCtoPFNvpttPHcW Sx+LtXWXSWRGjVbOUXPmWkfluyGO3aNCh2lSvFb/AIF/Z+8I/DY6QdG0prVtBtr60sWa8nma KO9njuLkEu7FzJLEjFnyRjggEg9UoYht2lZdNm9vT+bfTbtsYc9FW92+9/xt19OvzZzN/wDt K3viD4efDzUvB/h221nWPiTbx3mnWWp6mdNtrWE2v2mR550hmYbV2qAkTlmdeAu5l5jxZ+2j qngb45af4UvvC2mXmnzX+n6TfahpF7ql82mXd2IgIpXGlrZIVklQ7ZbyOQxMj+XudYz6Jrv7 NPg7xB8OvDvhWSw1C00jwiIhox0/WLywvNN8qFoE8q6glS4U+U7IT5nzKxDZyap6h+yZ4G1X xbaa1c2OszXtncWt4qP4h1E2s1zbeWIbmW38/wAma4URRgzSI0jBAGYitZKq63NF+5zLT+7p dbb79X6oV6PLaz2f330e/b09OpzPir9sG40D4f2OtWng++1i5v8AxLrnhyLTrO5MlxI2mpqb B0URlnaX+zsCNV3DzuN5UB+K1P8A4KGaxZaPpUFp4P0TXfE+pS3Zk0/RNQ1vVYtKitltvMS8 Fvor3trd77qMG3ls1CgEvIrFUb1LW/2N/AHiDxdPrk9jr0epS3M97G9r4m1O1jsbieN45pra OK4VLaWRZH3vAqMxdiSSc0xv2MPALWMafZ/FKXsc73A1ZPF2rprLF0RGRtQF0LtoiscY8ppT H+7Q7cqMc8oYt7SS0X39ehrz4Xmuou2v5yt16JxXyv68xrv7QHjzXvHPwzHhTwuok8XeFdU1 a90DxHdPo32OaGXTQpnlNtLOjRieZAiw/MZBuCgZXnviF/wUSm8H+HfD+uWfhGHVNLv9Eh1v VraK61K41PRY2d1cPHaadcWyL+7cRyXN1bpIY5PmVUZx6345/Zg8H/Eez0KPVoNeln8NWklj p1/B4j1G11GCGQRCUG7inW4cuIY97PIzPg7idxzS8Yfsc/DzxzYWdne6JdwWFnpsWjiy07WL 3TrS4s4gRFBPDbzRxzpHubYJVfZuO3GTVuGIv7rVr/hd+Wm67+TVtZjOhypSjrb8b+uunp8z iV/aX8Z+Mfit8PxYaDY6T4C8Q+LtQ0VdRGqLcXupx2tlqW4S2rW4FujT2odGjndysQ3hN5Wm /Cr9pzxjDqEX/CTaFY3XhjUvGeueG7XW49TUX0bW97fiANZLbhPIWK2WLzPPMpYAmMgl69C0 T9lPwL4d8fw+JbTSbxNTtL+bU7RX1a8ks7C5mWVJpbe1aU28DSCeUv5ca7y5ZstzR4a/ZU8C +EfiCfE9hpN5Hqn2y61JUfVryayiu7kuZ7lLR5TbpO4lkUyrGH2uy7tpxU+zxFo2lr1/8l8l 2fa1767BOrRcWlH09ff8/wC9He/w+SPn/UP+CiXi/wAe+E7a70H4fa9o1vqt7o8+k38ljqSJ c28+q2MJtriS902C0ikmguGAa3nuVBDlX+VHbr/HH7cvibwPFc6dL4K8O3Pi3SNRnsNU0ez1 nV9SKqlta3Sz2/2LR7iaWHy7uISSSwQpG7Ku5t6mvSNE/ZB8C+Hn22tr4hFis0FxDpkvifVJ tLs3guYrqHyLN7g28CxywxlVijVVVSgGwlTY8Z/sp+B/HmuX2p32nanDqOp3LXV5dadrl/p0 t0Wggt2jka3mjLQtHa24aE/u2MSkqW5pOlilTfLP3tfT7Nunk/LXa+pp7XC82sXa7t+Gj19W cDov7cEXxB8IodO0O+sdUv4ri4EJu0WezsBpSahHfAtE6EkT20e0qyrLIQSwQ5u6z+1P4hsN AE+geE7XxFB4e8LWfiXxHPqGuiwnihnikkWO2VLV0uLjZBKxD/ZosmMBxuby+vtf2fPhx8Pt Vgvxpdhpl1daFB4JgllvZEMtiufKs03Pyx6Bh+8baBuO0YPGP7JngPx5Ppz6jpV8V07T4tJE VtrF7aQX1lGSUtruOKZUvIRlv3dwJFxJIMYds24V3zckl0S8rKW/m7wk0ra3SaSV8VKinHmW mt/O7j59LSS36dW7Yfgb9q+XxJ8DfE/xG1Hw4NP8MaN9tbT0t9Q+03+prazTQuWiMaRwl2iX YPNbO/5imOeM+OP7SXxQ8P8Aw58T6Qnhnw54Y8dW1rp93Zz2niRr60jtbu7+yGRZZdPGLmNw fke3eLDq26TDR17rYfCjw9p3gS/8MJpdu+gaobv7XYzFporgXUkklwGDk5V2lkyvQBsAAYFc 54Z/ZV8EeFfD+pabDp+qXsWrtbG7n1TXL/U7yVbaQSW8f2m5mkmEUb5ZYw4QF3O352yVqVaa cYysrfO9n1tprbXsnZJ6ip1KcdXG7v8Ahdefa/z6tHl37UPxO174Tv8AD3S9S8eeNfDEc2h6 jc6xqegaHba3c3FzbR2mHnzp0kaQAySs8ogt4xwSYhgDnPEHxt+KF38VvDulJqviK18S/wDC J+G9Vk8PaJoMGo6He3tzd3SX4vL0W8v2eERwjY4u4h8pKGU/KfqHV/Amk694lsdXvLNbjUNO trizt5GdtqQ3Hl+chTO1g3lR/eBxt4xk5zvAXwa8N/DG4jl0PTvsTxaTZ6Gh+0Sy7bO0Mxt4 vnY8IZ5cH7x3YJIAw/Y1HUlJy0bT66JKWnbqvLTVO2te2pqlyW961r6b80Xf7k131smrnUUU UV1nIFVv+CVf/KXz4of9iP8A+1NJqzVb/glX/wApfPih/wBiP/7U0muLM/8Acqv+H9UdeA/3 qn6n6m0UUV+YH3p8Yfs9f8pk/jT/ANi7B/6BptfZ9fGH7PX/ACmT+NP/AGLsH/oGm19n17uf /wAWl/17p/8ApKPIyb+HU/6+T/8ASmFFFFeEeuFFFFAHxh8bP+U2fwg/7FG4/wDRWr19n18Y fGz/AJTZ/CD/ALFG4/8ARWr19n17ud/Bhf8Ar0v/AEqR5GVfHiP+vj/9JiFfll/wVU/5S+fC /wD7Ef8A9qatX6m1+WX/AAVU/wCUvnwv/wCxH/8AamrVpwx/vv8A26yc9/3X5o5b46fFG6+E XgeLU7HSV1u9utTsdKt7R7v7IjyXVzHbozSbH2qrSBjhScA4BPFeUa3+3BrmkfGc+E4fhzqu qRaVe2Wl63eabb6xera3U8UEkht5ItMa0khiW4Qs89zbPhJD5YGzf7r4s8G6b450+3tdUtvt UFreW+oRL5jJtnt5VmifKkE7ZEU4PBxggjIrmtY/Z18Maz8R/wDhK9viCw1lpobic6Z4j1HT bW+kiChHuba3nSC4baqITNG+5EVDlVCj7Nxq86alpf8ACy/Xm/CzR8xCVLlaktbfjf8Ay/4b txnhX9qjXde8X6f9p8GWdl4S1TxRqHhKDU11zzb77XazXcQla08gKLdzaMN3n+YrOB5ZUb65 TUv2xPEvgD4L+ENSXS9M8Ya7rn9oyXFs8mopeeVb3DIJY7fTdMvXaNQUV5HSNELRgsTIK734 SfsdeGPhh4tuPEMrX2q69Jreqa1DLLfXa2drLe3M8haOyMzWyzLFOYTOsYkZQ3IDFa1vEP7K 3gjxNoWl6dNp+p2ttownjtjp2uX+ny+XO/mTQySwTI8sLuAWikZkJVcrwMc0qeLdJcslzf8A AXlrqnrZaO3S72c8Mqzsrw1t98rdb7cv3fI4bwv+2veeL/h3r3xAtPCMa/Djw7pT39zeS6q3 9s3EqWUd00UNisDRsAZFi3PcoSysQhXaWl+En7YGs+OfCvjK+8QeCz4PPhfTP7ThvNTGr6fp Fyu2QlJLm/0u0kjKmMFzHBMFR1ILHK11nh79kH4f+FbqdrDR723tLzT10u60z+2b5tKvoFtk tAJ7EzG2mfyI0j8ySNnIRctwK0fCf7N/hbwf4a1nRo/+Ek1TStft/sl5a654m1PWomi2suyM XlxL5QIcg+Xtz8uc7VxtKNfmbTVrf+Ta67bbaa9td3mpULJNPdfdppvvvr89Nl5p8P8A9ue8 8Q/DH4la1rPgy40jU/hzo39uPYr/AGjAmoQGGeRAjahYWUwYm2kUnyGjGVIdjuVbXiT9srWf hv4b8UN4q8ExWev6LBpV1Y6bpGp3Gri9TU7mS1tRI0doJUkWaJ/MSGGchRmPziQh7bQP2UPA /h3w94n0xLHV7638Z2A0zWpNU1/UNSur+2CyoI2nuJ5JQAs0gG1wQG4xgY2PF3wJ8K+OpdXk 1TSvtMuuWNpp13ILmaNzFayyzWxjZHBikilmkdJYysisVIbKqQShXt7stbL063e3p5eQ4zod Y9fw93z7c/z5ddzxHQ/+Cg2tSaXqaav8MtY0zWIbSSXSraT+0LSHXJ1mtIRDC1/YWswBa9hH mNAFBWXqqbju+Pf26otB8HNqug+GrnxH/aGvpoOifZ/ttxHqDfYBeTTOLO0uZ1SMCWL91BNl 4+di7mTvNN/Za8G2C6J51vrury+HNUOs6bPrPiPUtWntLkxeUSJbqeRym3/lkSY93zbd3zU9 v2XPA6/C/TvB0GkXFhoWj3LXmnrY6nd2d3p87NIzSQ3UUq3ETHzZFJSQEpIyfdYrUKGJ5WuZ X0t96bb07Xil2UXu2Pnw/Mnyvrf7na2vRpPfrJdEcj+z1+1V4i+PHjRtKk8AT+GotMsYrvV5 tUubu0miMst3FELa2uLOKaVGNruDTJbnZIDtyCtWNC/ai1nVfFOmXEvhKyh8Da9rlz4e0zVU 1ovqMlzCZ18yWy8gJHA72soVluHkwYy0a7mCd58OvgzoPwtuJ59KTVpLu6torSe71PWLzVLq aKKSaSNXmupZJG2tcS4JbOGAzhVAy9E/Zj8F+HviLJ4ptdNvRqj3M96kUmrXktha3M4YTXEF k8ptoJpA8m6WKJXbzZcsfMfdc4V7JQl6/evLtf07SM3Kl72np9z8+9vl2PHf+Hhmr6H8PNG8 Ra98PksofGWhw6z4YtdP1efVLq98y5srYR3MUNnvh+e/t2/cC5cpvwm8CNuo8O/tgazqnwG8 R+KtS8Gf8I7q+hXsVlBZav8A2xY2erNIYgn2d5tLS9lZjJ5aolizPKoRQ24NXb6l+y14E1fw toui3Ghb9P8ADukHQtMQXtwr2NqWtnAjkEgcSK9pbOk27zUaFWV1OSZ7X9nLwxB8O7zwtMfE 2o6VfXC3btqXifU7+9hlUoyPDdz3D3EJRo0ZTFIu1huXBJJHCv7yUu9vv0vp20/TqaynhnZq L319Oy1/rv28x8K/tt67418F6S2neAk/4SzU/FcnhNtMvtQvNMtbeZdPkvxM0l1YxXQj8pFz utFfJO1XAUvznxO/bd8b638F/Ht34N8IaZb6z4I0DUJ9eu5ddGNFvIZb22H2NHtCt7skspZP 3ot1KeXwWZkX27wZ+zP4M8ArZf2dpt6ZbDWH1+K4vNVvL24e+e0azaeSWeV3lYwOyHezDnON wBrF8S/sSfDTxbJem90G88vVBdLqEEGtX9tBqi3E89xItzFHMqXC+dczuiyqwjMrbAlEqddp Wl0V/wDwFJ20v8V3922xVOrh4yUnHZrz+02+vblS+d1sy3ffGrXJvilc6HpOgaVeaP4ds7W8 8Ratf6u9pJaidZHC21ultL9odUjLMHeFfnQBmO7bw13+2rr3hvwJP4l1zwLZWWlal4U1Dxb4 dFt4gNzcXkFrAlx5N4htkW1leOWMjynuVBEgLfKu/wBU1r4DeG9d+JFl4tki1a212ygitvOs davbKK7iiZ2jjuYYZUiuVUySYWdHA3t6msnwZ+yV4B8BNf8A2DRrmSHULGXSzb32q3moW1nZ ykGS1tYp5XjtYGwuYoFjQiOMYwigDjiLtprrb8bX09PSzb59jGhKjHl9or25b+e1+vr3vpbl 68z8Z/2kr3wp8TLHw9aJ/Z8VnPoV7e3mVl+0W19PfxyQeWUO3aLLO8HJ34AXHOf8Jf2hfHHx M+OnguLVPD9h4Z8JeKvCWpa/YRQaquoTXqrPpv2drgGCM28yR3D5jjeWM+d99igx2PhH9kHw B4Ku3ubXStSuryWa0mkutT1y/wBTuZWtDIbcNLczSOyx+dJhCduGxjGBVr4ZfsteCPg/4kh1 bQdMvoL+0tJdOtHutXvb1bC0kaJmtrdJ5XWCDMMe2KMKi7PlUc06UKqqNzenM38nGyW3R6rZ LV6t6Jzp9F9lL59Xv1fr0StbX0Kiiiuo5z0j/g3M/wCTI/FP/Y8Xf/pBp9fflfAf/BuZ/wAm R+Kf+x4u/wD0g0+vvyvznPf9/q+p9xlX+50/Q8r/AG6f+TI/jH/2I+tf+kE9flx+xB/ya94Y /wC3r/0rmr9R/wBun/kyP4x/9iPrX/pBPX5cfsQf8mveGP8At6/9K5q+i4X/AN2qf4l+R4mf /wAeHo/zPV687+OniC8svFnw20e2uZ7SHxD4nEN3JFM8LPFBZXd4IwykE73towy9GTeDkEg+ iVg+Ovh9Z/EBdJN1LdW82ianBqtpNbsqyRyxEjGWBG10Z42GMlJGAIOCPoZJu1u8X9zT/pdd jxYtK9+zXzaaX4njWjftC+ONc8RaRqCXXgyPw/4q8Taj4U0/SP7OuH1TTZbb7YouZp/tISbD WbPJbrDEUSQ/vj5eX43wNqvxK8FfsI6d4jsfG9jN4x8Ra/Y3dxqepafe6lCsV1fwW7xJBcXz +WPm+7E8cYXcEjjY+YPpDSvgx4P0L4h3vi6y8J+GrPxXqUflXmtQaXBHqN0nyjbJcBRI4wic Fj9xfQU7xF4V8JQ+CV8N6tpvh1fDmo405dKu7eEWV1vPEAhYbG3HOEwc+lcf1apa7lra27/u 6X82m77+9bVJHT7eHNovd32XTm/RpfK+7Z4Na/Fb4h+Afih46vrjWNA1Pw1pnjnQtBvLKaxu WuJDfWWjwMbNjc7LOJJrozeWUn3l5BuUne2h8Jv2i/ix8T/jZL5Pghf+Fcx69qOiy3fkWSNZ paSz2/2g3P8AajTSM0sIzD/Z0ZXzSN7BN8nt9r8M/DWnaW9nD4f0OCyee3ungSxiWJpbcRCC QqFxuiEEARuqCGPGNi4xdC+D/wAOPEfjS1+I2meFvBN/4iv4lubbxRa6bay3txG8WxZEu1Uu ytEdoIfBQ46VtGjJSj72i3+6K+7SWmlr6O6FKrCVNrl1slf0X531vrtZp6nNeAdPf4n+LPjR oWr6jrradD4ntrW3Fpq91YzWcX9j6ZMUgmgkSWEGR3YiNlyXfP3jnxW31JPhp+yBoscWv/E6 fWfiRra6Rc30Gq634j1W1torqdriS1jD3E8TC0hlUPAgwzIzdM19I6r8I/h1o/xMt/G174Y8 F2vjK5mS2g1+fTbZNTllaPyljW5K+aWMeUChslfl6cV0On+CdG0l7JrXSNMtm0wSrZmK1RDa CU5lEeB8m8gFsY3Ec5rKeGc4rZNJRfnbl3as9V81fR9Q9ulJWvbR/O1r9Vv99tUeD/Bb446l 450z4L6vNe6lJfapPqXhPXre6hnsvNura3meS4ktZArRy+bYEqsiB1S4YcZIOt4o/aC8W6LF 8UfFMT+GD4V+GpurRtEeymOqXk0NnHOJpbwTiO3iJlB2/ZpD5QD7vn2r6f8A8Ki0WPx/ZeIo bZLW7svtUnlQQxRwz3FyIlkuZMLuabZCEDFvuswIPGItb+E/ga08YXPjfUfDXhOLX4LN4rjX 7nTrcXkdsEKur3LLvEYTIILbduc8Vc41OVylLo/KzstdOl76be9fdWJjKnzWS00+670+6yv5 W2Z5Jq37Q3jz4Zatf6Lrt34J8S6jbv4duhf6RplxY29vbalqy2MsckL3U7bljEkkc3mhW5zH iM7nfEL4/alqmuazDBcrHaeEPiTpuhqdMlZZbu3On2t1NFNhyGbzJ5FK8DCqCMgk+n+DPgR8 OtA+Hd5ofh7wb4KsvCfiJDLd6fp2k2senamkiAFpIkQRyhkCjJByoHatHwx8HfCHgbQ4NN0b wr4b0fTbS4S8htbLTIbeCGZAFSVURQquoAAYDIAGDxSlRqpJc1rNO/a0oyt52Str8V7u3Vqr Ts/dvdNffG1/m7vyvZHhPwX+Mfjbxx8ePh9qPiTxB4Yk0TxX4B1PxLa6XocVxCLNHn0tohcB 55FumjSVlWdUiyWmAjUGub0T9rL4n+L/AA54tsbj+zNP/tDwLf8AivwtrzeHE09ZYYTGFmFs ur3czLIkyspmFq6FRmNzuVPo34X/AAt+H3hxf+Eg8F+HPB1gNdVr3+0tE0+2i/tBZ9jtL5sS jzBJtRi2Tu2qcnAqvpXwX+Gfw11aY2XhPwLoF94ukms5jBpdray608qNLNE2FBmLpEzspzkR kkYUkZYjC1J03Ti+W6mt39rmtru+VtWej93rzaa08RCMk3G9mnsuju/S+t1tr5a/Kfwy134i fs7aH4z8QXfiOfx7qGkwaFoGjWElzqjRxzam9q3nOl/rEkMzK9yT+8eN2wEW4giIVfT/AIaf Gz44eNfiBaeDdc0nwz4F1f7Pcat/aGs6Mk/9r2cb20eyCytNXnETq8zh5Hu3wBEfK/e4T367 +HXh+/0nU7CfQtGmsdahFtqFtJZRtFfxCMRCOVSuJFEYCYYEbRjpXEav+zH8GPB3g2KG/wDh 78MNK8P6Ze/2hGlxoNjBZ2l0+yPzwCgRJW2xrvGGOEGeBWvsZRqOSfuXbtfo23b5N3vfX4Xo 7mSqxlT5ZL3u9utkvxt20vfc4DSviL8Uov2Vvi5r974t8Mz+INAutdTRLuHw00KWKWU1woDx m6YS/LGAhONvG/zuc4HjD4r/ABT+HPinxfrY8ReF9RTwh8OdK8Savbz6TdLa6gyzas8iWluL vFrLLHCqtMzzcxJ+7YYC/SemfDXw5ol9rdzZ6Bolpc+JXD6xLDYxRvqrBSgNwwXMp2krl88H HSqmi/Bbwd4b8Oz6Rp3hPwzYaTc2A0uayttLgit5bQGVhbNGqhTFmaY7CNuZZOPmOSGHmkry 1Sit3ulJN/NtN97a3L+sU7u8dG2+mznCVvkotLtfSx4trf7SHxX179obVtG8H+B11bwn4Y1a y0vUpDBZF5llgtriWb7TJqkEkGyO5yEFjPu8oYf95iP6PrkfE/wB8CeNvGun+JdZ8FeEtX8R 6T5f2HVb3R7e4vbLy2Lx+VM6F02MSy7SME5HNddW1GEoRtJ3d/69PTp3OapJStZdF/X/AAQr yX4pf8nufsy/9jxZ/wDpfp9etV5L8Uv+T3P2Zf8AseLP/wBL9PrWXwy9H+TJj8S9V+Z+z1FF Ffkh+jHxh/wWn/5JL8PP+xuh/wDRMtfZ9fGH/Baf/kkvw8/7G6H/ANEy19n17uO/5FmF9an5 xPIwn+/4j0h+TPjD/ghj/wAml+If+xuuf/SOyr7Pr4w/4IY/8ml+If8Asbrn/wBI7Kvs+jif /ka1/wDEGQ/8i+l6BX4cf8E3P+SG6r/2HZv/AEnt6/cevw4/4Juf8kN1X/sOzf8ApPb16vCn wVv+3f8A248/iL4qX/b36G38ZoH+I37SXhbwLqer67pHhy80C/1kRaRq9zpFzqt3BPbRBDc2 0kc4SKOdnKI4DF1LZCgV578FPHvxDuPiN4O0LT/HFhqfg1J/EtsZdU0xtQv9WtdPvooYSb0T oTIqSeWJSjFjGzyeaz5X6K+I/wAJ/C3xj0OPS/F3hrw/4q02KYXMdprGnQ30CSgMokCSqyhg GYA4zhj60Xvwn8Lalb6DFceGvD88XhZ0l0VJNOhZdHdF2I1sCv7kqvygpjA4Fe3LCzd7Pv31 u7pvzivdS1TXY8f20eXlt/wNGrL1b5n5rqfMnwe/ai8e/Cf9nfw3q3iuTR/Fsd38LbnxfYRw xzw3++wgs96Xd3NNIJ2m+1KxkEUfllWz5n3q3tG/aD+N+leC72fxJ4T0nSri81LRrDR9SvtP t7W2c3t6ltKGt7TV79n8tHSQP50QbO3aMbq+h9O8BaHpCaetpouk2q6RZtp1iIbONBZWreXu giwPkiPlRZRcKfLTj5RjA8E/s2fDr4aQ3MfhzwD4K8Px3s0FzcLpuh21oJ5YH3wyOI0G5o3J ZCeVJyMGtnRm6ilzPl9d1zN+uzSvdWt2uaVMRTkm1HW7f5W8lbtbW/TRnCfE2zv/AB/8fPBn gLxHr2qWOl3Phq91i4Ph/ULvQX1q/gltYiFlgmFwkUazs/lLMc+Yu4uErzDwD488d3fxC8Fa B4d8e6e8Kw+MLGy1PxIs2pw6ja2Oo2EcDyRRTwG7njjEkYmaUNt8x2Lktv8Ap/4j/Cfwt8Y9 Dj0vxd4a8P8AirTYphcx2msadDfQJKAyiQJKrKGAZgDjOGPrVLxb8AvAnj/w5YaPrvgrwlrW kaXCLaysb/R7e5trOIbMRxxuhVFHlx8KAPkX0FZPD1ObmT197yvd3TdusV7q30vsTCvBWT/R 291rS/dvmfmuulvnu4/bL8Rr4SvvFNjoUF3rOoeEvCs9naQ3kktr9q1TUry08xI5rmG3aMFU dDugaUFUecLsaPovD/xv+M13Y6D4f17RNA8GeKvEmuTWNjqus6ZG9pLaxWTXLMLG01W4PnFk eNUN6MqjyYG3yz6xZ/ALQh4r8VanqAfW4PFmm2ujXGl38Fu+n21jbibZaxxLEu6Mm4mZvNMh O/GQoVRDB+yt8MLbwHN4Vj+HHgKPwxcXQv5dHXw/aCwluAAomaDy/LMmABuK5wBzxT9jVu3f fzt9q9rJaPfVPrbbUqVak3pH9fsJdXrZ62f/AADy+Hx58bbLVfitHp954X8Z3nh3UbCx0nTb Tw99kkg822s5ZpR52oxpMqpLI3kyTRlmHEyjEdelfs9eN9Z+I/hSPVr7X9H1mFRLZXCW3he8 0KeC9iuJUlDw3NzLJGAoRNjDO5GcOVkVVNV+Anwn+IOpajYX3gv4ea3eWlra6ff20+kWdzJB boA9tBKhQlY1ADRowwMAqK2fhp4E8EeGbRZvB2jeFdPgtIm0dZNGtIIkgjgnl3WoMQAVY52m zH0V2k4DE1dCEoy1d1r1fn8vW93d7+6k8qs4uGis9Onl/wAC6263Wt18o+LNU8XfEXR/hhpt g3xH17U9U0DxTNENC8VvpDw3kV/ZRW13dyNdQiaGHzGGwic4fiFxkV6v+0v488VQfs/67p13 4e8aWV9p0+jWravpmp2lh/wkLS31rHOljJBeLPAXDOuZhb43/eAyR7bpngjRdFubSaz0jS7S XT4poLV4bSONraOZ1eVEIGVV3RGYDhiik5IFN8XS6G1na2uvNpRt767hitob8x7Li5DCSJUV +GkDIGUDnKZHIrKGE5aXI5avR7W3dum+tvOyTukkaPEpyhJR+H/O/wDXbW258j6P8ePHvgHw /qGk+Cn1W7vYdW1O4Xw54ktP+Ej1nQbC1hsxMt3e3WsWca7biZpB/pV0Wiu4DGSiHG9o37a3 jvXvCF348Ft4OsvB2k6joFhcaVJbTyahdf2naabKzC789YoRDJqA5MMm9YyPkPzH6E8a/Abw N8SZd/iLwZ4U19/tS327UtIt7o/aFRY1mzIh/eBFVQ3UKoGcCoLL4b+BfHXw6ubHTNM8OXPh zWhGzHTIoRBM0KpFFKjxjHmRCCJUcHdH5Ee0jYuIdGuoNKXvWVteqtd69HtZ311vrZXCtRc1 zx01v3s3f70r2em58+eFf2wPit/wpPxB4v1HRLC+D/2LY6Hbf8IhfeH5Vv7+dIZUZdRvEFzH AZosOrwRTsSBKmSU9t/Zn8X/ABD8W+F9RPxH8N/8I/qdreeXaSCC2tft8BjVt/kQX98sRVy6 c3DFtobC5wOe/Z6/YO8Efs7aN4j06yiGt2Hiq1isdQtL7SNKtrWeCMSAI8FlaW8Mu4SuGeVH dhgFsDFek/Dj4S+FPgzocum+EfDPh7wpps0xuZbXR9OhsYJJSqqZGSJVUsVVRuIzhR6V00oS jJzk9LbXvby/PW7fTVK5hUnFx5Vvfe1r6f1pbz02OhorL/4TfRv+EN/4SL+19M/4R/7J/aH9 p/ak+x/Ztm/z/Ozs8vZ82/O3HOcVpQzLcQrJGyujgMrKchgehBrp8jCzW46iiigQV5R+2/8A 8mveJ/8At1/9K4a9Xryj9t//AJNe8T/9uv8A6Vw1dP40TP4WfqP+wt/yZH8HP+xH0X/0ggr1 SvK/2Fv+TI/g5/2I+i/+kEFeqV+T4n+NP1f5n6LQ/hR9Efm1/wAF6P8AkuX7MP8A2Hb/AP8A SjSq5jVbsWGl3M7TwWqwxNIZp/8AVQgAnc/I+UdTyOB1FdP/AMF6P+S5fsw/9h2//wDSjSqw K/QMnTeW00u0v/SmfGZm7Y6b9PyR8Y/Dv9qzXZ/hR4ukl+JqeI9T0ybSV1fxNpV9out+HPDl rc3RiuLqzmtbWF1aKLc7JfxsItqPmaNJHePxtZy/tO+GtE0G4+IV7468Br8QrOwtNcGn6Pdw eJYDYtPIkv8AobWdysFwrIrxRKmVKtukiLD7Sorf6pJ8vPK9nF+vLKMrb9eXfe7erXumTxKX M4RtdNel4tdr/jbyT1PjTTPjf4l+B3g/xDqH/Cw9X8Z3Gk+NNV0LU9K1Q2Ms2keebpNKyILd JYhJcC0VVfKFJ8qoQKBuSftC+Mn+CfjvUdQ1/UrKXwY9h4Tm1WBbDTlXVorkpe6hLJcW1xFb 2pSW2aRzFIscYlZI9wFfTZ8ZaaPGY8P/AGj/AIm5sjqIt/Lb/UBxGX3Y2/eIGM59sUlp410y 98a33h2K53axptlb6hc2/luPLgneaOJ92Np3NbzDAJI2cgZGZjhp8iSqdEv/AAFcvfupX633 fu6uVaPO58mzu/SUrrp5xS6W6e8fKH7KXx8+IHxo+I1pol347t9T0/RTqty97o01hqaeIVt/ 7KeFDeCwt4niP22ZC8FtCSoXDZUyM79jb9qHxZ4v8eR3Hjr4nfDN4LzT92p+Gz4ss31TQr+S aGOOBbJdNtZ7XbNIYGjubi5cO8SbmbLP9hUVtToTi4NzbstfN66/1fa6IlXg4yXLv+H4f19x 8sftf+E/7a+MreBh9pS0+PWl22j3DJv8uMafcGS7OVHytJY3Dr1BPkjBGM1y2hfGHxbffAfx v8UNPFtaeKLKPRfBNxe3jGGHSxaSouqXZkaCVY0inu7smVoJUT7MHdHRClfXnifxlpvg1bA6 lc/Zhqd7Fp9t+7Z/MnkJCJ8oOM4PJwB3NI/jbTT4Vj1u2uG1PS5kSSGfTYXv/PRyArRrCHZ1 5ByoIAyTwCaxWGtzNT6vXqnulfyUpK2jamtdEafWNY80b7adH308+WO91eL0u2fDusftSeOr TwDYj/hdHgud5r29+x69pvjvRJNNuFjitj9huL0+H3jlvt8paG3t7SJmiLl3Yquew/Y7+Nvi Pxj8c7261y8TQdJ8X3dhqO62t0aPXNWk8M6VI9i7SAtbqke+ZFT55ijDeghZJvseitaOHnTm 5ud9Ev8AP7/zSbvs5liYuDio2umvvafbpa3o3azs18jfDj9pnxRqf7a9r4eXxfDqGh6preqa XceHNQ1fT5tV0dIIriRJHsbbTYZrWNmgHlPPezGSGRSULPmPz74dftC69p/xJ8EeBbH4gHwh bPPayLbfb/D9vBexSaleNdrLFfBr+WR40SOI2aFNzEMQQSv1x8U/2ovB3wa8RtpWuz68t3FY jU7g2HhzUtShsrUs6iaeW2gkjgTMcnzSsoARj0GabrH7Pvgb4peLbPxk6X19Nc/ZL1HstfvY tM1LySJLaaW1hmFrclcIVeSN+FTnCrjmjQnJ0nCpzckve812dvNbPfXsXOrG8+aFuZaeXn9z 39O5i6r4i0/41/Hjwomk31nq2geF9Ik8Um6tJlnt7ia6WS1smR1JV1MX25sgnoh9K+V/hr+0 X498F/sleCbOPxNpfhC6FrollP8A2jd22mWHh/Rm02Z7bUBfzWV2oN3PEsTSTwNEjj7OqJIP tEn2F8L/AIr+B/GHxG8R2fh2W/m1i4neS+uZdNvYrS+e22Wsgt7mWMQTCIqqMtu7BWJJAZiT 3mq6ra6Fpdze31zBZ2VnE09xcTyCOKCNQWZ3Y4CqACSTwAK19k5Qc4Ttza3Xk2/ytG/ZPq7p xrqDdOUL7aPdaPTbu2+97dLp/Jfwg/aG+Il9r3hTwtqPjDw14ruPH9xFd6Jr/h66t9WsxZWV zMdTRrmO1t4ZJPIjtoywhQCW5faqhQB0Hx1+IPiH4Yan8atY8MPaW2pwt4dha8upPKh023lP l3F08hhmWNYoXkkMjwypHs3vG6Kyn3o6R4b1v4lWmq7rG68TaXpjx25FzultrO5kQswj3YCy PbKN+3nyiAeCK6KqeGm6Shzu927/AIW+7fzuZKvBVOfl000/H8fu8uh8a/BT4l/En4yeL9G8 Np8afD95pl3aazfHW/Bup6T4kuibX+y1jgmuDpkFqrq13K21bUHy3QElsPWFL+1n4y+LfxA+ G+gxfEebwHf+LPD/AIe1Bksrvw5BHM12ryXn7jUUkvJZWARIPssTx7zh+Q2PtLwf410zx7pc 17pNz9rtre9utPkfy3TbPbTvbzJhgD8ssbrnoduQSCDXMeLP2afCHjbx/H4l1Cz1VtSWW3ml ig1u+trC8kt2DQvcWccy21wyFVw0sbn5EGcKuIlhZuMFGTavFvV6pc23rdaaJ21NPbwSlGUL OzS0Wjv19PwsfMXwKtdd+Kl58H4rP4veI7rXY/CHiFdV1pV0y+1OxuEuNFEli2+2aJWR8bxN E8wG4FgSGX6l/Zx8fXvxV/Z+8EeJtREQ1DxBoNlqN0I1wnmywI74HYZY8V2lFdVCk6ceVu+3 5yem9r3/AAu7sxrVlUVrWtf8W3/X4WCq3/BKv/lL58UP+xH/APamk1Zqt/wSr/5S+fFD/sR/ /amk1hmf+5Vf8P6ovAf71T9T9TaKKK/MD70+MP2ev+Uyfxp/7F2D/wBA02vs+vjD9nr/AJTJ /Gn/ALF2D/0DTa+z693P/wCLS/690/8A0lHkZN/Dqf8AXyf/AKUwooorwj1wooooA+MPjZ/y mz+EH/Yo3H/orV6+z6+MPjZ/ymz+EH/Yo3H/AKK1evs+vdzv4ML/ANel/wClSPIyr48R/wBf H/6TEK/LL/gqp/yl8+F//Yj/APtTVq/U2vyy/wCCqn/KXz4X/wDYj/8AtTVq04Y/33/t1k57 /uvzR5F+3vfHS/2cZbr7b/ZgtfEXh+dr3yPP+xqms2TGYp/EEALEf7NeLeNP2mvF+mfC2/l8 LfEvS/EPhUeL4tJi+ImqX2n6dbw2h04zybr6LT57ABbwLbib7GyEyeSSJf3g+z6K+vqYecnL lna/b/t3ztsuiT13to/m6WIjGKjKN7X/ABVu3Tft5dT5sPxg8Uw/sNL4hufil8L7fWpbvyIP Fi+KLQ6TPB9s2YGoGxFt9p8oMm4WRj81T+69Of8Ah58WZ/G/xD+C+st8VfG1noWsxazYGPVb jQlg8TXkN1CIo/Mtbf7NceYvmCNrZgxjiypV/O3fWdFX7CXOpc2itp6fPrr0311trn7VcvLy 9/xvZfL+vL4f1rUn1b4cTTvFaQk+Cp1CWtrHbRKF8QKoCxxqqLwB0Ayck8k17V8X/jB4q8H/ ALRGmeCLO6n2eNjZ3+jzR2ccjWdvaO76tHyhBzCluEL5O+8OMbRj3aisaeDlCnCCl8N/n705 f+3fh56OVZSlKTjv+GkVf/yX8T4m+Av7Snif4l6x4w0XUPGNt4q0a/8ABOpaqttNrGn6hqeh zRGJFt7tLLTbNLS42zsJIHe5IZMB1CkyW1+L1z4CbTbGXxZZfDbw9qMHh631XxWlnYRSadH/ AGNPKoee5ieEGWWKKJXuFcKG2IAzqR9nUU1hJqFufX3ddfsub79p236dblyxEZT5uWy97T1U V26ct/n0PCv2APFtjqfwaudO/wCEgttb1iLXtdvp2ISC6uIJtav/ACrt4BgxrLscqdoU4bbw MD3WiiuyKtFR7HPUlz1JT7tv73cKKKKogKKKKACiiigAooooAKKKKACiiigD0j/g3M/5Mj8U /wDY8Xf/AKQafX35XwH/AMG5n/Jkfin/ALHi7/8ASDT6+/K/Oc9/3+r6n3GVf7nT9Dyv9un/ AJMj+Mf/AGI+tf8ApBPX5cfsQf8AJr3hj/t6/wDSuav1H/bp/wCTI/jH/wBiPrX/AKQT1+XH 7EH/ACa94Y/7ev8A0rmr6Lhf/dqn+JfkeJn/APHh6P8AM9Xooor6Q8I84/a88TXvg/8AZl8a 3+mXdxY6lHpckdpPbmQSxzSYjTZ5YaTcWYAeUrSZI2Kz7VPhXwL0q98SfDnT5IZPFeoahB8S rG6vtL1K+1/U5vDcCxRlYjJq8MN35ewiUu0MafvyBu27j9YeIPD1h4t0O70zVbGz1PTdQha3 urS7hWaC5iYYZHRgVZSCQQRgg1nfDz4X+GvhF4f/ALJ8KeHdC8MaV5rT/YtJsIrK38xsbn8u NVXccDJxk4FcnsG8T7Z7Llt6xmpfc7W7/ezf2q9j7Nbu/wBzi4/r/Vj538EDxLd/G2x3f8LT HjRfEuof8JEbz+018Lf2KPtItxbiT/iWnKfYtn2YG5358z/lua4b9nPRfE/hP4VaPY6HoXxf n1bSPh3c2vifSNdutW0yymvlgt0s7exkkIjhlyswV9PwVXJkPm7K+3qKzjgrR5b7r9LaeXVr q29rm31zW9u34Nv9bLskux8UfAzQPG91rQs7mbxp4i8PWfifw9qFlc6poHiCw8pt92Lsqus3 N1d7ECQbiZFiGQQg3Fn9D+IvhrxbFF8UtcFz8RHQeJrKxjg068vfMTQPK05r06dbxnBlP+lY lhUzg+asTB8CvpSitIYVRi1fq35bQVvS0LWvrFtXMnXblzPsl9zbv63d/XU+V/Deua/4Kh03 X9OX4ry/DbSvGqyw2+pWesahrcunPpE8Mu+2mWTUpoP7RkRlWdGZdpcARLGRzHwZ8K69J8Wf F3i7VtP+LNprvifQtZOhm8l1gwxBNT1VoIZIgzW8DLayWhhjlC8sDEN+6vs+is6mC51Zy2TS 8rx5fw3XY1+uO1lH+X58snL8b697I+N9W0Tx54f8CeJfHd3qPxLj17w3rHh1NOt5NRvUsksG stJGoyNaF1gnUGW9MjzKwjeN2yhRjW3/AME39Svtcj8R3Otar4qfXJtK01n0rV9U8R3aqpSb ffRrq8Fvt+0ShwUto2jTyQBIQcD6rkjWaNkdQysMMpGQR6Gua+GnwT8GfBe3u4vB3hHwx4Ti 1B1kuk0bSoLBbllyFZxEq7iMnBPTJq5Ya9Sb+zJfNO1nb169+vRrN1k6MafVW17pW39Ladrv zT+QvgH4e8eeHPg3puneBrX4raX4w0v4cXdrrFv4livk06HVVt7dLBLOO8ItPMV1lx9lwm0H zzvK1F8N/g74h8feMfB9rdeLviZrOiL4limv4ZfDfizw9PpI/snVkeZL3Vry4nVZC8cLG2lj VCY8FXkUn7poo+qRc+eWvl03b2vazvqnfuazx0pKSStfm9feVtXvddNuq1R8DfFy3+KOnaa0 Wn/8LN0/VvDQ1KDw9cJb+KdYk15YNVvktUl+zXkVnGyW0ds3n6ilx9qWdThwhD+lX9v8UZrH xxpbHxui+AoJLDSLyN7jf4jN5fJcRSowO6drazWKFn5Id5uhzX1fRShg+V35u/3vr6/h1tdX Iq4rnbtG2v3eS8v620PlTw1/wlNz8XYdv/C1l8cp4h1L+32uv7TXwx/YwF19nFsH/wCJccp9 h2fZgbnfnzD/AK816x+yxbXHg34P+DNN1uXxjd+KNc0aHVNTm1k3146XXkwCdZJZQ0ds29hi DMfIcqnDkep0Vrh6Hsk9b3t+C6dr6N+d310zrVvaPb+tfyvZeVl0CiiiugwCvJfil/ye5+zL /wBjxZ/+l+n161XkvxS/5Pc/Zl/7Hiz/APS/T6Uvhl6P8mVH4l6r8z9nqKKK/JD9GPjD/gtP /wAkl+Hn/Y3Q/wDomWvs+vjD/gtP/wAkl+Hn/Y3Q/wDomWvs+vdx3/IswvrU/OJ5GE/3/Eek PyZ8Yf8ABDH/AJNL8Q/9jdc/+kdlX2fXxh/wQx/5NL8Q/wDY3XP/AKR2VfZ9HE//ACNa/wDi DIf+RfS9Ar8OP+Cbn/JDdV/7Ds3/AKT29fuPX4cf8E3P+SG6r/2HZv8A0nt69XhT4K3/AG7/ AO3Hn8RfFS/7e/Q0/wBo+Qj4zeE01/8A4WT/AMIWbG4Mf/CILq//ACExNB5f2w6Z+/8AL8oy bN/7j/W7+RHXF+B/+EmufjfY5/4WmvjVPEuof8JC15/aa+Fv7FH2n7OLcSf8S05T7Fs+zA3O /PmH/XmvqSivelhebr39dWnq/ly/4Pd8zxvb+6423Vvwa/W/+JX8j4p1L4I+OrL4Vy6hBr3x ql10fDD+3PKOv6mzSeJIo8xDyw/EnzMptFAil4MkMjKrDX8UeJNb8R/tC+NrGxu/itP4r0vx fo0GgLYPqP8AwjtlbNZaXNerc+V/oQXY87Ot3837weSPMbn6/qpp+hWWk3l7cWtna20+pTC4 vJYolR7uURpGHkIGXYRxomTk7UUdAKr6slJNbK//AKVzadrL3U+iSRpLF813Jav/AO137r3W 7d5M+Sfh74R8deIP2or9PE/jLxtp81zrOqQzaXD4Z8TLp91pjeeLaOPUo706RB/o5gdZYoI5 1dArN5xctxqeBPFXhn4AfC/QtNv/AIm+F/D2l2t7beIvM0Xxbq17HqyfZliQJYXltfi22C52 PE72ROeCxiYfedFYrL4qKj/nr66387Xtze93Tr67Lnc7flpvtpbrZaXsrX2t8jfAv/hI9H/a E8NjUdZ+JHxFkuYIYZ72+0XxT4Vs9GjXT8NNJBOTpd4JHGSkgS4jeQ5ad1wlbXW+L9rr+q6R aL44lhs7248E2t2ftHlNBqE888WseZkmX7Jb/Yo/PBBR/PBbJNfYVFa/Vdrva/42v+F9Xd3k 276Wy+sdl2/C9v00VlovO/yt+0T8PL/xB8cbLUdXh+I9z4Y8N+JNJmgOjXWr/uon0+8ilkjj sm3yYnaAOyqxUO24hWfNr4PfC7xB4A8Z+HNct/8AhN45tb+Inia31eznvLw6bBpck2r3EMv2 Mt9njV5ktXW4Me9vOUCQq6rX0/RTp4aMJOfVtv7+X/5G3o2gliW6fs7aWS+5Tt+M7+qR8c+D NG8cN+0nq114q8XePbSRNV1Yz6RZ+EvE8tneaYBcfZoob6K8bSY2Nv5DI8NvHceYioT5zPuv /CJ/irYeAIf+Ewfx6viWHxRpLTyxpNOg0X7OPLwsQaN5gN/2sKpzcbs7o/Jr63orKnguRJKW 1u/Rp9762to1a8rfEVUxXO22t7/K6a002189o3eiPgnw94FvNd1Xw1Prdt8aPEOn+GPEdldX viWObxtpst/5tvexsRpF1IZYCkjQBntDJEVlbPkpmMdZdeCPiL4l8G+MNVvLz4qRav4Y8DjU PDttb6jqNql1rC3usOoaKNl+1SbI7NTDJvVkeMFCGSvsqiqhgoxVr9W9ratJLTbSyt2066lf XG587V9EvulzP/wLVPydlZaHx74K8X6h4u/b3l/tbWvFVjp1nr9za2JXU/EKaZqbx6cFGnm3 SBdHBSRZ5t32h5maPa0YbO3d8EDxLd/G2x3f8LTHjRfEuof8JEbz+018Lf2KPtItxbiT/iWn KfYtn2YG5358z/lua98tvgd4Ks/iVL4zi8H+F4vGEylJNdTSoF1KQFBHg3AXzCNgC/e6ADpX U1EcG3SjCb1W9uu2vzt73dNp66vOVde8o9VbX5/le67NJ+S+BPAcPiT4bfsvXX9jf8Lf8Pan 4c+E+pr4nOvNqdrZWN/FZQizFj5+IElQpMVaxwAoPmnzNtdj8X9H+JuqftK6lLB4x8U+HZVv LE+FY7fwl4j1bS57fyIMrNNY3iaYivcfaUkN9btIisX3bBEV+t/F3gvR/iBob6Zr2k6Zremy Okj2l/apcwOyMHRijgqSrKrA44IBHIrTqp4Tn+KX3aW1buuz10367303ljru/L38735d+/w/ c7dNfii+8FaX4o+F/gDWr2L9oZ9V8Pa9a3XitrtvFRv7a4ewuUklt7dPlkQXDID9hjaBQxAx Gxz6B+xR4kvfDes6ppWqxfETXPthtoo/E2r2Hii2i1K4K3DurafqocaftVeZIZPs8hdB+6by 4a+l6K0p4fkqOorK+tkrLZKy1dlorW12u2lYwqV+eHI77W383JPzerv07JPVFeUftv8A/Jr3 if8A7df/AErhr1evKP23/wDk17xP/wBuv/pXDXbT+NHJP4WfqP8AsLf8mR/Bz/sR9F/9IIK9 Uryv9hb/AJMj+Dn/AGI+i/8ApBBXqlfk+J/jT9X+Z+i0P4UfRH5tf8F6P+S5fsw/9h2//wDS jSq5TxDZ3Oo6BfW9lc/Y7ye3kjguNu7yJCpCvjvg4P4V1f8AwXo/5Ll+zD/2Hb//ANKNKrAr 7/KYKeWU4PZqS/8AJmfG5nJxx05Lpb8kfIGifs8yWvwe8M2MnwAeOLSNRtpfGXh8y6LKfHbr ZzRfazIbrZe+Xcuk3+ntE7/fx5iha3/BPwt8Z/Bqfwf4g0/wFqGoQWlv4hsIPC+najYxyeG7 bULy0uLSEvLOkAhhS12OkDSCMuFiWREBr6gorqeDi25X1atpZbpJ6Wtsu2mtrI5/rMrJW0Xq +/d3+189G7s+WtD/AGcfH+mfBLS9HtrVdO120+ESeF/MTUEQRakojBhWVCWXO1gJVGB1ByBW 1+zF8Cz4E+IvjvVtI+Fq/Crw7r3h7TNPstI86wDyXUEmoGZ2is5pYY8ieHkOd/VsNuA+i6Kq eFhK9+vMun2nKT6d5u3yCWKnK9+rT+7l/wDkF+Plb4r+If7Dl8/wd+E+mHwhq19p2jaM6+JN D0G28OXlzcaxJDaL9tmTWUeznZRDPGZw3nDzAELI8mMnU/2Mdfvp9S0/QvAPiKa81vw1caNP 4j+IVv4dvbvTVbSHtYxZ31lcG8hcuVSSNo5IDmTy/JU7m+6qKmeChKbmm036fctNtfkawx9S FrW0/wA7nyxqvwq8Z/HP4rS65rfw6u9B0S4Hhuxl0/Wb7TrqW4htJ9Te7aRIJ5YvL23aALvY uCflHKjT+HX7Peo+Fv2CJPAWl+BYfC+uW0cdtNZQ/YYY9TnSWIveK0EhQrIEyGlKyEL8yqcC vpSirjhYR57favf52/y/F+Vud1pO3lypf9uppfg9T5r8afsq3esfE3xl40i8L2Nx4sk8d6Df 6Dq8jwNd2ulwppUd75EjNmFSkd8roNrSAEbWymea+Mf7NPirxP8AtiWvjCw8ITJd2viHSrm3 17S7Hw9b27abGYFuRdXUqnV3udonQpCywtCI05+dW+uaKI4WEeTl05WpfNKK19eVX+Zo8VNp p9Vb5Hi/xDu/F/w//aL1PxBovw91/wAaWOr+GLPTYZtPv9Ntobe5hubuQrP9puYpAhE0Z3Rx yHG75SRg+PeKv2Qdd0Lwvp+gaj8PbP4lXkPg200Tw/q0FxZwWngjU08/zriMXMqTW8e+W3dZ 7RJJ9tsoKgxxg/ZNFRLBQkuWTfX8eZvbX7W+601HHFzjLmiu3/kqSX4L0302t89fAjwD4x8G fFJoLLw54n8KeH1gvX1qLU9Xs9Q0PWb5nBjutPjSaW5t/McySOpS3jIdiYjIdw8Y+Gv7D3iR 7Xxzp934Bj0a08U+CNR0zUbObTvDdjo17rDPC9s1rDpyCV7dGEpikvi80YxnaxYt92UUp4GE /ib2a6bSTW1raX0S0WmlgpYudP4Et0/ud11v69T4o8f/ALHy3sy32hfAHQ7T+2PCmn6XJC+j eG57jRGt7yVrpFjmma2NzLbuvkN+9h3onnbVXFVfg1+ylrngLXLQ+KfhDq3jjwTb3962i+H7 8eGvN8OvKtgyXjWcMkGnIS0d0CbcGSM7iA/nyOfuGiqjg4Rq+1W+va2suZ6W77dt1rZk/WZ+ z9m9tO/SKj+S+fXTQ+ef2WfgT4l+FXxg8S6r4h0db+LX9Q1u40zUXuIWl8PW8urz3C2ioH/1 V0ksdxuRfM3IUmOI4FT6GoorelBU4Kmtl/X9fjrdmdaq6tSVWW8ncKKKK0Mgqt/wSr/5S+fF D/sR/wD2ppNWarf8Eq/+UvnxQ/7Ef/2ppNcWZ/7lV/w/qjrwH+9U/U/U2iiivzA+9PjD9nr/ AJTJ/Gn/ALF2D/0DTa+z6+MP2ev+Uyfxp/7F2D/0DTa+z693P/4tL/r3T/8ASUeRk38Op/18 n/6Uwooorwj1wooooA+MPjZ/ymz+EH/Yo3H/AKK1evs+vjD42f8AKbP4Qf8AYo3H/orV6+z6 93O/gwv/AF6X/pUjyMq+PEf9fH/6TEK/LL/gqp/yl8+F/wD2I/8A7U1av1Nr8sv+Cqn/ACl8 +F//AGI//tTVq04Y/wB9/wC3WTnv+6/NFmiiivuz5AKKKKACiiigAooooAKKKKACiiigAooo oAKKKKACiiigAooooAKKKKAPSP8Ag3M/5Mj8U/8AY8Xf/pBp9fflfAf/AAbmf8mR+Kf+x4u/ /SDT6+/K/Oc9/wB/q+p9xlX+50/Q8r/bp/5Mj+Mf/Yj61/6QT1+XH7EH/Jr3hj/t6/8ASuav 1H/bp/5Mj+Mf/Yj61/6QT1+XH7EH/Jr3hj/t6/8ASuavouF/92qf4l+R4mf/AMeHo/zPV6KK K+kPCCiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACvJfil/ye5+zL/2PFn/ AOl+n161XkvxS/5Pc/Zl/wCx4s//AEv0+lL4Zej/ACZUfiXqvzP2eooor8kP0Y+MP+C0/wDy SX4ef9jdD/6Jlr7Pr4w/4LT/APJJfh5/2N0P/omWvs+vdx3/ACLML61PzieRhP8Af8R6Q/Jn xh/wQx/5NL8Q/wDY3XP/AKR2VfZ9fGH/AAQx/wCTS/EP/Y3XP/pHZV9n0cT/API1r/4gyH/k X0vQK/AP9iX9ovwb8IPhXqGmeItY/s69m1aS5SL7JPLmMwwqDlEYdUYYzniv38r5l8T237G9 n4kv49Zj/Zmi1dbhxeperoa3Kzbjv8wP82/dnO7nOc1pkWYrCqpFwcua23lf/MnNsE8RyNSU bX387f5H5/f8Nv8Awv8A+hn/APKdd/8Axqj/AIbf+F//AEM//lOu/wD41X3n/wAYSf8AVq// AJQaP+MJP+rV/wDyg1739vQ/58T/AK+R4/8AY8v+fsT4M/4bf+F//Qz/APlOu/8A41R/w2/8 L/8AoZ//ACnXf/xqvvP/AIwk/wCrV/8Ayg0f8YSf9Wr/APlBo/t6H/Pif9fIP7Hl/wA/YnwZ /wANv/C//oZ//Kdd/wDxqj/ht/4X/wDQz/8AlOu//jVfef8AxhJ/1av/AOUGj/jCT/q1f/yg 0f29D/nxP+vkH9jy/wCfsT4M/wCG3/hf/wBDP/5Trv8A+NUf8Nv/AAv/AOhn/wDKdd//ABqv vP8A4wk/6tX/APKDR/xhJ/1av/5QaP7eh/z4n/XyD+x5f8/YnwZ/w2/8L/8AoZ//ACnXf/xq j/ht/wCF/wD0M/8A5Trv/wCNV95/8YSf9Wr/APlBo/4wk/6tX/8AKDR/b0P+fE/6+Qf2PL/n 7E+DP+G3/hf/ANDP/wCU67/+NUf8Nv8Awv8A+hn/APKdd/8AxqvvP/jCT/q1f/yg0f8AGEn/ AFav/wCUGj+3of8APif9fIP7Hl/z9ifBn/Db/wAL/wDoZ/8AynXf/wAao/4bf+F//Qz/APlO u/8A41X3n/xhJ/1av/5QaP8AjCT/AKtX/wDKDR/b0P8AnxP+vkH9jy/5+xPgz/ht/wCF/wD0 M/8A5Trv/wCNUf8ADb/wv/6Gf/ynXf8A8ar7z/4wk/6tX/8AKDR/xhJ/1av/AOUGj+3of8+J /wBfIP7Hl/z9ifBn/Db/AML/APoZ/wDynXf/AMao/wCG3/hf/wBDP/5Trv8A+NV95/8AGEn/ AFav/wCUGj/jCT/q1f8A8oNH9vQ/58T/AK+Qf2PL/n7E+DP+G3/hf/0M/wD5Trv/AONUf8Nv /C//AKGf/wAp13/8ar7z/wCMJP8Aq1f/AMoNH/GEn/Vq/wD5QaP7eh/z4n/XyD+x5f8AP2J8 Gf8ADb/wv/6Gf/ynXf8A8arz79qf9qfwH8R/gNrujaLrv2zUrz7P5MP2K4j37biJ2+Z4wowq k8ntX6af8YSf9Wr/APlBpY0/YmlcKo/ZZZmOAANBJJpriCKd/YT/AK+QPJpNW9rE9T/YW/5M j+Dn/Yj6L/6QQV6pVXQ4bK20Wzj01bVNOSBFtVtgohWIKNgQL8u3bjGOMYxVqvg6s+ebl3Z9 dTjywUex+aH/AAcJap/wiPjj9nnxFcW11Lpmh6tqM9y8Me7GJNOkCAkhd7LFJtBIztPoa+Z/ +Hkfgb/oFeK//AW3/wDj1fs38Svjz4G+DMlqnjDxn4U8KPfBmtl1nV7exNwF6lPNdd2MjOPW uX/4bp+CX/RYvhX/AOFZYf8Ax2vqMtzqdDDQo+wckr63fVt9meBjsrhVryq+1Ub20t5W7o/I z/h5H4G/6BXiv/wFt/8A49R/w8j8Df8AQK8V/wDgLb//AB6v1z/4bp+CX/RYvhX/AOFZYf8A x2j/AIbp+CX/AEWL4V/+FZYf/Ha7v9YZ/wDQM/vf/wAicv8AYsP+f6+7/wC2PyM/4eR+Bv8A oFeK/wDwFt//AI9R/wAPI/A3/QK8V/8AgLb/APx6v1z/AOG6fgl/0WL4V/8AhWWH/wAdo/4b p+CX/RYvhX/4Vlh/8do/1hn/ANAz+9//ACIf2LD/AJ/r7v8A7Y/Iz/h5H4G/6BXiv/wFt/8A 49R/w8j8Df8AQK8V/wDgLb//AB6v1z/4bp+CX/RYvhX/AOFZYf8Ax2j/AIbp+CX/AEWL4V/+ FZYf/HaP9YZ/9Az+9/8AyIf2LD/n+vu/+2PyM/4eR+Bv+gV4r/8AAW3/APj1H/DyPwN/0CvF f/gLb/8Ax6v1z/4bp+CX/RYvhX/4Vlh/8do/4bp+CX/RYvhX/wCFZYf/AB2j/WGf/QM/vf8A 8iH9iw/5/r7v/tj8jP8Ah5H4G/6BXiv/AMBbf/49R/w8j8Df9ArxX/4C2/8A8er9c/8Ahun4 Jf8ARYvhX/4Vlh/8do/4bp+CX/RYvhX/AOFZYf8Ax2j/AFhn/wBAz+9//Ih/YsP+f6+7/wC2 PyM/4eR+Bv8AoFeK/wDwFt//AI9R/wAPI/A3/QK8V/8AgLb/APx6v1z/AOG6fgl/0WL4V/8A hWWH/wAdo/4bp+CX/RYvhX/4Vlh/8do/1hn/ANAz+9//ACIf2LD/AJ/r7v8A7Y/Iz/h5H4G/ 6BXiv/wFt/8A49R/w8j8Df8AQK8V/wDgLb//AB6v1z/4bp+CX/RYvhX/AOFZYf8Ax2j/AIbp +CX/AEWL4V/+FZYf/HaP9YZ/9Az+9/8AyIf2LD/n+vu/+2PyM/4eR+Bv+gV4r/8AAW3/APj1 H/DyPwN/0CvFf/gLb/8Ax6v1z/4bp+CX/RYvhX/4Vlh/8do/4bp+CX/RYvhX/wCFZYf/AB2j /WGf/QM/vf8A8iH9iw/5/r7v/tj8jP8Ah5H4G/6BXiv/AMBbf/49R/w8j8Df9ArxX/4C2/8A 8er9c/8Ahun4Jf8ARYvhX/4Vlh/8do/4bp+CX/RYvhX/AOFZYf8Ax2j/AFhn/wBAz+9//Ih/ YsP+f6+7/wC2PyM/4eR+Bv8AoFeK/wDwFt//AI9R/wAPI/A3/QK8V/8AgLb/APx6v1z/AOG6 fgl/0WL4V/8AhWWH/wAdo/4bp+CX/RYvhX/4Vlh/8do/1hn/ANAz+9//ACIf2LD/AJ/r7v8A 7Y/Iz/h5H4G/6BXiv/wFt/8A49Xrv/BFXx7b/GH/AIKa/EXxTpdrfxaXd+CmjBuIgrRsJ9NQ K20soJMTkDPIU+hx+i3/AA3T8Ev+ixfCv/wrLD/47XZfDn4v+E/jFpk174R8UeHfFNnbSeVN PpGpQ30UT4ztZomYA47GuTHZ9Oph50nQceZWu3/9qjowmURhWjUVVO2trf8ABOiooor5A+kP jD9nr/lMn8af+xdg/wDQNNr7Pr4w/Z6/5TJ/Gn/sXYP/AEDTa+z693P/AOLS/wCvdP8A9JR5 GTfw6n/Xyf8A6Uwooorwj1wooooA+MPjZ/ymz+EH/Yo3H/orV6+z6+MPjZ/ymz+EH/Yo3H/o rV6+z693O/gwv/Xpf+lSPIyr48R/18f/AKTEK/Jf/gtV45h+Dv8AwUx+HPizVLPUJdItfBax breIMZX8/UkKoWKqSvnRkjdwGHqM/rRXkH7SP7e3wk/ZG13T9L+IXjC30DUdUgN1bWwsrq8l eLcV3lYI3KqWVgC2MlWxnBrnybEzoYnnpwc3Zqy3/Jm+Z0IVqHLOfKrrV/0j8l/+Hkfgb/oF eK//AAFt/wD49R/w8j8Df9ArxX/4C2//AMer9H/+H137Mn/RS/8Ay3dV/wDkWj/h9d+zJ/0U v/y3dV/+Ra+s/tfFf9Ac/wAf/kT53+zaH/QTH8P/AJI/OD/h5H4G/wCgV4r/APAW3/8Aj1H/ AA8j8Df9ArxX/wCAtv8A/Hq/R/8A4fXfsyf9FL/8t3Vf/kWj/h9d+zJ/0Uv/AMt3Vf8A5Fo/ tfFf9Ac/x/8AkQ/s2h/0Ex/D/wCSPzg/4eR+Bv8AoFeK/wDwFt//AI9R/wAPI/A3/QK8V/8A gLb/APx6v0f/AOH137Mn/RS//Ld1X/5Fo/4fXfsyf9FL/wDLd1X/AORaP7XxX/QHP8f/AJEP 7Nof9BMfw/8Akj84P+Hkfgb/AKBXiv8A8Bbf/wCPUf8ADyPwN/0CvFf/AIC2/wD8er9H/wDh 9d+zJ/0Uv/y3dV/+RaP+H137Mn/RS/8Ay3dV/wDkWj+18V/0Bz/H/wCRD+zaH/QTH8P/AJI/ OD/h5H4G/wCgV4r/APAW3/8Aj1H/AA8j8Df9ArxX/wCAtv8A/Hq/R/8A4fXfsyf9FL/8t3Vf /kWj/h9d+zJ/0Uv/AMt3Vf8A5Fo/tfFf9Ac/x/8AkQ/s2h/0Ex/D/wCSPzg/4eR+Bv8AoFeK /wDwFt//AI9R/wAPI/A3/QK8V/8AgLb/APx6v0f/AOH137Mn/RS//Ld1X/5Fo/4fXfsyf9FL /wDLd1X/AORaP7XxX/QHP8f/AJEP7Nof9BMfw/8Akj84P+Hkfgb/AKBXiv8A8Bbf/wCPUf8A DyPwN/0CvFf/AIC2/wD8er9H/wDh9d+zJ/0Uv/y3dV/+RaP+H137Mn/RS/8Ay3dV/wDkWj+1 8V/0Bz/H/wCRD+zaH/QTH8P/AJI/OD/h5H4G/wCgV4r/APAW3/8Aj1H/AA8j8Df9ArxX/wCA tv8A/Hq/R/8A4fXfsyf9FL/8t3Vf/kWj/h9d+zJ/0Uv/AMt3Vf8A5Fo/tfFf9Ac/x/8AkQ/s 2h/0Ex/D/wCSPzg/4eR+Bv8AoFeK/wDwFt//AI9R/wAPI/A3/QK8V/8AgLb/APx6v0f/AOH1 37Mn/RS//Ld1X/5Fo/4fXfsyf9FL/wDLd1X/AORaP7XxX/QHP8f/AJEP7Nof9BMfw/8Akj84 P+Hkfgb/AKBXiv8A8Bbf/wCPUf8ADyPwN/0CvFf/AIC2/wD8er9H/wDh9d+zJ/0Uv/y3dV/+ RaP+H137Mn/RS/8Ay3dV/wDkWj+18V/0Bz/H/wCRD+zaH/QTH8P/AJI/OD/h5H4G/wCgV4r/ APAW3/8Aj1H/AA8j8Df9ArxX/wCAtv8A/Hq/R/8A4fXfsyf9FL/8t3Vf/kWj/h9d+zJ/0Uv/ AMt3Vf8A5Fo/tfFf9Ac/x/8AkQ/s2h/0Ex/D/wCSPL/+DdOzltv2H/EbyRSRpceNbuSJmUgS r9isF3Ke43KwyO6kdq++K4j4AftHeCv2pPAX/CTeAteg8Q6ILl7R7iOGWExzIFZo3SRVdWCu hwyjhgehrt6+LzGtKtiZ1Jx5W3t2PqMFSjToRhF3SW/c87/a88Kah47/AGTvifoekWsl9qus +EtVsbK2j+/cTy2cqRovuzMAPrX48/BCT43fBr4X6Z4b/wCGc/ipqP8AZ3m/6T/Yt/D5m+V5 Pu/ZWxjfjqelftV8VPip4f8Agj8PtT8VeKtUt9F8P6NEJry8mDFYVLBRwoLElmVQqgklgACT Xzv/AMPrv2ZP+il/+W7qv/yLXrZLjcVQpyjQouab7Pf5Hn5phcPVnF1aig0u6/U+Cf8AhaXx u/6Nl+Kn/gsv/wD5Do/4Wl8bv+jZfip/4LL/AP8AkOvvb/h9d+zJ/wBFL/8ALd1X/wCRaP8A h9d+zJ/0Uv8A8t3Vf/kWvY/tfH/9Aj+6R5n9m4P/AKCF98T4J/4Wl8bv+jZfip/4LL//AOQ6 P+FpfG7/AKNl+Kn/AILL/wD+Q6+9v+H137Mn/RS//Ld1X/5Fo/4fXfsyf9FL/wDLd1X/AORa P7Xx/wD0CP7pB/ZuD/6CF98T4J/4Wl8bv+jZfip/4LL/AP8AkOj/AIWl8bv+jZfip/4LL/8A +Q6+9v8Ah9d+zJ/0Uv8A8t3Vf/kWj/h9d+zJ/wBFL/8ALd1X/wCRaP7Xx/8A0CP7pB/ZuD/6 CF98T4J/4Wl8bv8Ao2X4qf8Agsv/AP5Do/4Wl8bv+jZfip/4LL//AOQ6+9v+H137Mn/RS/8A y3dV/wDkWj/h9d+zJ/0Uv/y3dV/+RaP7Xx//AECP7pB/ZuD/AOghffE+Cf8AhaXxu/6Nl+Kn /gsv/wD5Do/4Wl8bv+jZfip/4LL/AP8AkOvvb/h9d+zJ/wBFL/8ALd1X/wCRaP8Ah9d+zJ/0 Uv8A8t3Vf/kWj+18f/0CP7pB/ZuD/wCghffE+Cf+FpfG7/o2X4qf+Cy//wDkOj/haXxu/wCj Zfip/wCCy/8A/kOvvb/h9d+zJ/0Uv/y3dV/+RaP+H137Mn/RS/8Ay3dV/wDkWj+18f8A9Aj+ 6Qf2bg/+ghffE+Cf+FpfG7/o2X4qf+Cy/wD/AJDo/wCFpfG7/o2X4qf+Cy//APkOvvb/AIfX fsyf9FL/APLd1X/5Fo/4fXfsyf8ARS//AC3dV/8AkWj+18f/ANAj+6Qf2bg/+ghffE+Cf+Fp fG7/AKNl+Kn/AILL/wD+Q6P+FpfG7/o2X4qf+Cy//wDkOvvb/h9d+zJ/0Uv/AMt3Vf8A5Fo/ 4fXfsyf9FL/8t3Vf/kWj+18f/wBAj+6Qf2bg/wDoIX3xPgn/AIWl8bv+jZfip/4LL/8A+Q6P +FpfG7/o2X4qf+Cy/wD/AJDr72/4fXfsyf8ARS//AC3dV/8AkWj/AIfXfsyf9FL/APLd1X/5 Fo/tfH/9Aj+6Qf2bg/8AoIX3xPgn/haXxu/6Nl+Kn/gsv/8A5Do/4Wl8bv8Ao2X4qf8Agsv/ AP5Dr72/4fXfsyf9FL/8t3Vf/kWj/h9d+zJ/0Uv/AMt3Vf8A5Fo/tfH/APQI/ukH9m4P/oIX 3xPgn/haXxu/6Nl+Kn/gsv8A/wCQ6reB/A/xi+OX7YvwO1DUPgd8RfCmn+FPF1le3d3e6Tdi 3jhF3bSSSPJJBGqBEhY8nnPr1+//APh9d+zJ/wBFL/8ALd1X/wCRa7L4Ef8ABTD4IftMfEO3 8KeCvHUGr+IbuOSS3s5NNvbNpwiF32GeFFYhVZiAc4UnGAazq5xjlTk5YZpWetpaF08swjmr V03fa6PdqKKK+IPqj4w/4LT/APJJfh5/2N0P/omWvs+vjD/gtP8A8kl+Hn/Y3Q/+iZa+z693 Hf8AIswvrU/OJ5GE/wB/xHpD8mfGH/BDH/k0vxD/ANjdc/8ApHZV9n18Yf8ABDH/AJNL8Q/9 jdc/+kdlX2fRxP8A8jWv/iDIf+RfS9Ar+aD4WeC9N8UaBPc39ubicXLJvMrqcbVPYjuTX9L9 fzafA3/kU7j/AK+2/wDQEr6fw/ipVKya/l/9uPC4yk1Tptef6Gj/AMKo0D/nw/8AI8n/AMVR /wAKo0D/AJ8P/I8n/wAVXRUV+n+xp/yr7j8/9rU7s53/AIVRoH/Ph/5Hk/8AiqP+FUaB/wA+ H/keT/4quioo9jT/AJV9we1qd2c7/wAKo0D/AJ8P/I8n/wAVR/wqjQP+fD/yPJ/8VXRUUexp /wAq+4Pa1O7Od/4VRoH/AD4f+R5P/iqP+FUaB/z4f+R5P/iq6Kij2NP+VfcHtandnO/8Ko0D /nw/8jyf/FUf8Ko0D/nw/wDI8n/xVdFRR7Gn/KvuD2tTuznf+FUaB/z4f+R5P/iqP+FUaB/z 4f8AkeT/AOKroqKPY0/5V9we1qd2c7/wqjQP+fD/AMjyf/FUf8Ko0D/nw/8AI8n/AMVXRUUe xp/yr7g9rU7s53/hVGgf8+H/AJHk/wDiqP8AhVGgf8+H/keT/wCKroqKPY0/5V9we1qd2c7/ AMKo0D/nw/8AI8n/AMVR/wAKo0D/AJ8P/I8n/wAVXRUUexp/yr7g9rU7s53/AIVRoH/Ph/5H k/8AiqP+FUaB/wA+H/keT/4quioo9jT/AJV9we1qd2c7/wAKo0D/AJ8P/I8n/wAVWN8Qfh9p Gh+ELu6tbTyp4tm1vNdsZdQeCSOhNd3XO/Ff/kQL/wD7Z/8Aoxazq0oKDaS2NKVWbmk29z95 v2Fzn9iT4O/9iPov/pBBXqleV/sLf8mR/Bz/ALEfRf8A0ggr1Sv53xP8afq/zP2uh/Cj6I/H X/gvlpkOu/8ABQjwVZ3SmW2k8EQFk3EAn7ZqJ7HPUD8q+T/+FUaB/wA+H/keT/4qvrj/AILt /wDKRrwP/wBiPB/6V6lXzTX7XwtTjLLKbkuh+V8QzksfNJnO/wDCqNA/58P/ACPJ/wDFUf8A CqNA/wCfD/yPJ/8AFV0VFfQ+xp/yr7jxPa1O7Od/4VRoH/Ph/wCR5P8A4qj/AIVRoH/Ph/5H k/8Aiq6Kij2NP+VfcHtandnO/wDCqNA/58P/ACPJ/wDFUf8ACqNA/wCfD/yPJ/8AFV0VFHsa f8q+4Pa1O7Od/wCFUaB/z4f+R5P/AIqj/hVGgf8APh/5Hk/+KroqKPY0/wCVfcHtandnO/8A CqNA/wCfD/yPJ/8AFUf8Ko0D/nw/8jyf/FV0VFHsaf8AKvuD2tTuznf+FUaB/wA+H/keT/4q j/hVGgf8+H/keT/4quioo9jT/lX3B7Wp3Zzv/CqNA/58P/I8n/xVH/CqNA/58P8AyPJ/8VXR UUexp/yr7g9rU7s53/hVGgf8+H/keT/4qj/hVGgf8+H/AJHk/wDiq6Kij2NP+VfcHtandnO/ 8Ko0D/nw/wDI8n/xVH/CqNA/58P/ACPJ/wDFV0VFHsaf8q+4Pa1O7Od/4VRoH/Ph/wCR5P8A 4qj/AIVRoH/Ph/5Hk/8Aiq6Kij2NP+VfcHtandnO/wDCqNA/58P/ACPJ/wDFV97/APBuFapY eIfjzBENsUFzo6IuSdoDakB19hXxVX2z/wAG5v8AyNnx/wD+vvSP/Q9Tr5TjOEY5ZPlVtv8A 0pH0fC85Sx8eZ9/yZ+n9FFFfi5+onxh+z1/ymT+NP/Yuwf8AoGm19n18Yfs9f8pk/jT/ANi7 B/6BptfZ9e7n/wDFpf8AXun/AOko8jJv4dT/AK+T/wDSmFFFFeEeuFFFFAHxh8bP+U2fwg/7 FG4/9FavX2fXxh8bP+U2fwg/7FG4/wDRWr19myyrBEzuyoiAszMcBQOpJr3c7+DC/wDXpf8A pUjyMq+PEf8AXx/+kxHV+PP/AAXms4r/AP4KJeCYp4o5om8DwbkkUMpxd6keQa/YCxv4NUs4 ri2miuLeZQ8csTh0kU9CCOCK/IP/AILt/wDKRrwP/wBiPB/6V6lXZwev+FOKfmc/Er/2CTR8 sf8ACIaT/wBAvTv/AAGT/Cj/AIRDSf8AoF6d/wCAyf4Vo0V+28kex+Uc8u5nf8IhpP8A0C9O /wDAZP8ACj/hENJ/6Benf+Ayf4Vo0Uckewc8u5nf8IhpP/QL07/wGT/Cj/hENJ/6Benf+Ayf 4Vo0Uckewc8u5nf8IhpP/QL07/wGT/Cj/hENJ/6Benf+Ayf4Vo0Uckewc8u5nf8ACIaT/wBA vTv/AAGT/Cj/AIRDSf8AoF6d/wCAyf4Vo0Uckewc8u5nf8IhpP8A0C9O/wDAZP8ACj/hENJ/ 6Benf+Ayf4Vo0Uckewc8u5nf8IhpP/QL07/wGT/Cj/hENJ/6Benf+Ayf4Vo0Uckewc8u5nf8 IhpP/QL07/wGT/Cj/hENJ/6Benf+Ayf4Vo0Uckewc8u5nf8ACIaT/wBAvTv/AAGT/Cj/AIRD Sf8AoF6d/wCAyf4Vo0Uckewc8u5nf8IhpP8A0C9O/wDAZP8ACj/hENJ/6Benf+Ayf4Vo0Uck ewc8u5nf8IhpP/QL07/wGT/Cj/hENJ/6Benf+Ayf4Vo0Uckewc8u5+jn/BuZ/wAmR+Kf+x4u /wD0g0+vvyvgP/g3M/5Mj8U/9jxd/wDpBp9fflfz/nv+/wBX1P2bKv8Ac6fofK//AAWv/wCU ZPxL/wC4X/6dbOvxv8LeFtMuPDGnSSadYO72sTMzW6EsSgyScV+yH/Ba/wD5Rk/Ev/uF/wDp 1s6/H7wh/wAinpf/AF6Rf+gCv0HgBJ4Sd/5n+UT4vjJtYiFu36sP+EQ0n/oF6d/4DJ/hR/wi Gk/9AvTv/AZP8K0aK+/5I9j43nl3M7/hENJ/6Benf+Ayf4Uf8IhpP/QL07/wGT/CtGijkj2D nl3M7/hENJ/6Benf+Ayf4Uf8IhpP/QL07/wGT/CtGijkj2Dnl3M7/hENJ/6Benf+Ayf4Uf8A CIaT/wBAvTv/AAGT/CtGijkj2Dnl3M7/AIRDSf8AoF6d/wCAyf4Uf8IhpP8A0C9O/wDAZP8A CtGijkj2Dnl3M7/hENJ/6Benf+Ayf4Uf8IhpP/QL07/wGT/CtGijkj2Dnl3M7/hENJ/6Benf +Ayf4Uf8IhpP/QL07/wGT/CtGijkj2Dnl3M7/hENJ/6Benf+Ayf4Uf8ACIaT/wBAvTv/AAGT /CtGijkj2Dnl3M7/AIRDSf8AoF6d/wCAyf4Uf8IhpP8A0C9O/wDAZP8ACtGijkj2Dnl3M7/h ENJ/6Benf+Ayf4Uf8IhpP/QL07/wGT/CtGijkj2Dnl3M7/hENJ/6Benf+Ayf4V67/wAEtNNt 9L/4Ku/CyO2ght0NrqTFYkCAn+zL/nA+grzOvU/+CYX/AClj+Ff/AF6al/6bb+vG4gill1ay +zL8merksm8dTv3X5o/cWiiq9nqttqM08dvcQTyWr+VOscgYwvgHawHQ4IOD61+Ban7CfHH/ AAWn/wCSS/Dz/sbof/RMtfZ9fGH/AAWn/wCSS/Dz/sbof/RMtfZ9e7jv+RZhfWp+cTyMJ/v+ I9Ifkz80f+CW/wC3T8N/2WvgFrXh3xpq15pmrXPiKe+SFNPnn/dNbW0YJKKQDuicYPPFdP8A tm/tx/DD9oHRdFvPBvxh8T+CfE3hiWW4sWg029S0vGcKNswRM8bcBsNgM4KsGr7Zv/gB4D1W 9lubrwT4RubmdzJLLLo9u7yMeSWYpkk+prw79s39lvxH4o0XRdF+EXgv4ZaT/akssWs6xd6T arNp0eE2GIGM9cyZKqzjC7cda9mjmeXYnMfrTjKE5O7blHlWmu8Hpb7zy6uAx1DBfV1JSila yjLm302kjxP9kz/gtPBLLBoPxZgRWUiKPxJp0B8uTtungAyvrujHcfuxya/MH4JRND4XukYF WW8cEHsdiV+1/wCyX/wS48A/s1tb6tqUY8Y+LY8OdQv4gYbZ+uYITkKQejsWfuCM4r8Tvgb/ AMincf8AX23/AKAlfW8O1suqY2tLLotLS/Z77Lp/WiPnc6pY6GEprHSTetu623fX+tWdnRRR X2p8oFej/DLwJpPjv4GfEGX7Kp8T+GEs9YtJxJJvey83yLmPYDsIDTQPuI3DaecZrziu8/Zw +NafAT4nw67caPH4h02S1nsb/S5Lg2631vNGUZDIFYryVbIB+7XPiozdJ+z3Wq6Xs72+drej NqEoxqJz22fo9G/VJ3Xme2eNP2RfC1j8RvhXp9lDNHYmb+yPG7/aGdVvLSCG8vmDbiUHkTOA BgDyScdTWHqf7PWn/Gr4f/D5/DFz4R8M3/iCXVY9O0+7klW71ZxfTeTArJHISVQJGr3DqpJV Q5Occv4a/bF1DRPDHxItLjSYr7UPHt1Ne29+1wUfRprhZYrlkUL8/mQTPHjKgcHtisvwF+0j /wAIPrfwtvP7G+1f8K1u5LrZ9r2f2juujcbc7D5eM7c/N6+1eHHDZhZXeset1q3GTenZSair 7JaaanrVK+DUZcivfS1ukWlHXvJXcu7KPwx/Z3uvimLa2tPEnhWy1zUnlj07Rbm4na9v3jB+ UeVE8UJYqVUTyRbjg/dIYs0r9n27ufAVjruo+IfDHh/+2YrmbSbHU7iaO51VICVdkKxNFGC6 simeSIMykDPWvS/gj+3r/wAKa0Lw7bw6Frwk0C4uJpINM8Stpum6150hYte26wMZ5VU7VcyA YSMFWVSrcE/xx0DxH8OdF0nxL4TudZ1Twvb3VnpN5DrBtLfyZXeVEuYREzy+VLJIymOWLIba c4zXX7THupL3bRuraxbt72239zfo3byxdPBJK0rvXfm8t/lzbdbXOx+Iv7MOpeNrTwpf6JZ6 RpNrd+G9Ht7cS/6Odd1OeJP9HgVVPmztvDOxwqggyOuVzyGsfsr6uksUeg634b8Yz/2zFoFz Fo0twWsbyUssKP58MQZXKSBZIy8f7s/MMrnq9E/bqvtOsdAtLvQYtTtPCVjp40JLi8JbSdRs 9u26ibZxHLtxLAOHGPnDKrhfGH7ceo6t4k0rWdNuviR9t0vW4daSx13xtJq+kBo3MgjW2NvG 4UHAUmViFyMkncMaf9pQnyqK5bvqtr9eu19rW032dT+pSpczfvcq6PdR6dN7b7+95MZ4v+CO mfDf9lXxdONY8H+KdTs/F+n6d9v0kSvJZFYL7zYd00McmxisZ3IDE+0YZihxynwU8A6M/wAN vGXjrX7Btas/Cn2S0tNLMzww3t3dM4QzujLJ5KLE7FY2VmJQB1GTVjx/8fPDmsfCzWfCvhrw bdaBba5rcGuT3F3rX26VZIkuE8lQIYkEQE/y/LvGG3M+5dmB8I/i5b+ANN17RtY0f+3/AAx4 ngSLULJLs2k6yREtBPBNtcRyxuTjcjqVZ1KndkbU6eK9jUcr8zlF9L2ShzJWdle0ktVrrdbk 1Z4ZVKcYW5UpLru5Tcb3V3a8W9H1SPUPhh4N8I/GHSPDniey8L6b4cvtE8Z6To+q6bbTXF1p 2qWt3I5R9l1JM4cGJlZTIUZWHyg5zheOv2cDonjW71ey1Dwr4l0az8Tx6bqenaXdzIdLaaVj HBK3lKoRgjp5luZUUoQGztzn2v7SGmeD7bw9pnhTwxPpWgaRrtr4ivor7VBe3+r3MDHyw9ws MSJGqMyqqQjBdmYuSMdJ4e+N2lfEDXP+Ef8ADXh6y8If8Jb4jtNc1281bxHCbVfs7PIEheZI hBEDJK2JJJXY7VDE8NlyYqFX2kbqF+rTtH3L3bbfSbVr20W2gSnh5UHB25rdE1d/vLWsl3gn or677mL4u/ZjZvGviq4utU8KeANAsfE11oNl/aN7eXUDzxuS0ELx28kzpGhTMsqIuGXJBOKy bP8AZY1mzTUn8Sax4c8FxafrD6AJdZnm23V6g3SRx/Z4pflUFC0r7YgJF+fmvRta/bbPhvxf 480qyuvGA8P6n4vv9e0+98LeJn0G6fznKkSP5MyyxMqxsoKBlIOGwxFcT/w0do3inQrvSfGW geI/FdhHrsuuabPN4k2ajE0qKksVzcNbv9oR1ihyVSJsxkhhuwJw88wdNXjpaPa+y25uu9+Z vy89sTDBKrJJ680u9t5W26fDt5/K7q/7KdlP8KPh7f6P4n0m98V+NL+404aWZZts8y3EMKJD J5AhBQyHzGebY3BjZxXn3xS+G1t8M9V+wxeKNB8RXUcssF1Hp0N9GbJ4yFKyfaraHknP3N33 TnHGehuPjR4f8R/Cfw/4Z1zwxqMh8NajdXVpcaXrK2ifZ7mSJ5YGSWCYlh5ZCSb/AJdw3K+O Zvj5+0Uvxn8O6Jpq2mvy/wBjyzSjUvEWtjWtVlEgQCD7R5EOIE2Flj2nDO5zziuqh9cjOKnd q8r/AA7X93u7W6b36tHLU+rOL5bJ2Vt91v2V332t0ve3l9FFFeseaFc78V/+RAv/APtn/wCj Froq534r/wDIgX//AGz/APRi1lW/hy9GaUvjXqfvN+wt/wAmR/Bz/sR9F/8ASCCvVK8r/YW/ 5Mj+Dn/Yj6L/AOkEFeqV/OeJ/jT9X+Z+30P4UfRH4+/8F2/+UjXgf/sR4P8A0r1Kvmmvpb/g u3/yka8D/wDYjwf+lepV801+3cKf8iymflPEf+/zCiiivozwgooooA+hv2qPhno3wxs/sWle D/h7Y2E1hpjpqY8TTT63HJNbQyyO1n9vZlBdnHNrgKQR1Vq5LxB+xx4o8L39jHe3mhw2+t6p Z6Xol358hg1/7SqutxakR5eBEkjLuQu3zFXBfKiL4yfGjwb8Yr86tP4T8TWXiB7SytHmTxJA 9mRbwxQEiE2Icbo4v+epwzZ5A2nsdN/axsfib458HaXqfh/TdF0bw34k06bw3Ml0sY8OWKSR rNbyuUHno4RZGdihEgd+jla8KisbTpwVn/eu79tryfn2VubS/Kn6tWWFlzO/TS3ez391afe7 21s5NczB+y5eeG9b0+6fUvCvi+0sPEFno2uWGnX9wpsJpnwsM0vlKNj7JE823MqgqcHO3Mfj f9muSxh8W+IptV8K+FdB0nxLqGgwWdxeXVzIbiDDi3h2wNJIuxwFlcKPk+coWXds+NP2ltC8 N6zqtn4V8LvZRX3iu313VZ21n7XFqBtJZGijtv3QMMLNI7fO8zcr83HPJ/FL9oP/AIWV4O1P Sf7I+xf2j4vv/Ffm/avM8v7UiL5GNgzt2Z35Gc/dFFCWOqcs2rJ+mz5L6XtvzW3drX131rRw dOUoLW3r09pbW1/5L2snfy06j4jfsw/2j8SPGbW0/hPwHoPhSPTpLtLvVLu8gthdWyunlv5D TzFmBJURlgXwAVUsMW4/ZI1jR9c8Rw6xr/hfRNK8NCzafWbqa4ksbn7YnmWvkiGGSZ/Njy4/ dDaqndtPFHxO/ab/AOFjr43H9ifY/wDhMjpJ/wCPzzPsf2GHy/7g37+v8O3/AGq9j+Dn7QVn 468NeLbz7NoMd9eR6Bpr6JqGsaRZG5hsLJ4BcifVoZbZl3oCYlhMql0IkCqd0SqY6jR5pbJR W6/uJu7vrrPV3Wib03UYYSrVcV15n/6VZW00tbbV7KzPn7xx8AtY8H/G9vh/a3Gn+Itf+2R2 Ef8AZZlMM074ARWmSMnlgN2NvcEjmu08Dfs0NovxA8NajHrnhHxrotn4rsNH1qPTJJplspJJ wFSZJ4YxJFJtkUPH5kbbGG7kZyvid48X4UftZN4q8M67/wAJPdaVqVvqy3l7Mt6st2AkssTz RhEnVZd8fmRhVcLuTAIq9b/tO6F4NlSPwf4PvNFsbvxFZ+INVivtb+3vc/ZZGkgtoXEEfkxK Xk5YSOcrlyFIboU8XOlTcdbpX2305r3s9r8tuu+m+FSnhozqxlpa/Lv2dvne17+fXaTx1+zg dE8a3er2WoeFfEujWfiePTdT07S7uZDpbTSsY4JW8pVCMEdPMtzKilCA2duYfF37MbN418VX F1qnhTwBoFj4mutBsv7Rvby6geeNyWgheO3kmdI0KZllRFwy5IJxW14e+N2lfEDXP+Ef8NeH rLwh/wAJb4jtNc1281bxHCbVfs7PIEheZIhBEDJK2JJJXY7VDE8Nra1+22fDfi/x5pVldeMB 4f1Pxff69p974W8TPoN0/nOVIkfyZlliZVjZQUDKQcNhiK44Sx0VGmlql3V7e56xvfnte+i7 3OyosHOU6l/dbXR7/vPR7cl0rb+lvObP9ljWbNNSfxJrHhzwXFp+sPoAl1mebbdXqDdJHH9n il+VQULSvtiAkX5+atfEn4AaJ4I/Z68IeLIfFemXGta5Lex3OnKbiTzDDLGm2BhbiLMYc+YW l2twYy4qb/ho7RvFOhXek+MtA8R+K7CPXZdc02ebxJs1GJpUVJYrm4a3f7QjrFDkqkTZjJDD dgYPiT4xaZ4s+B+keFbrQJ4dQ8O3t3caZfWuo7LaOK5eN5IpIHjd5MeWQrCZcbhkNjnsj9dl ODndWavbltblfd333/8AJfPll9UUZcltna9976f+SrTzeum3AUUUV7B5YUUUUAFfR3/BGr9r Hwf+yTD8edY8WXVwn2290qOxs7aEy3F9IrakWVBwowCMliAMjnkV8419g/8ABAjwBonxOl/a I0XxDpVjrOlXl1pCzWt3CJY2+fU8HB6EdiOQeQa+Z4rdFYBuum4XV0nZ/Ej3+HVUeLSotKVn a+q2ZU+Kv/BSnXv2ufGZ0fVPGB+D/wAPgcyrp1vcXl/doD0Z4lBZj/dzGmOoYjn628H/APBV v4EeEfCWl6V/wmWu6h/ZlpFafarvS7qS4ufLQJ5kjeX8ztjJPck15r8Xf+CUOsfB3xmfF/wR m0m+w2ZvC/iOCG8t5EJ5SN5wVI9pCGAyRLmvrHwh+zx4Pu/Cely618OvAdprMtpE9/Bb6PbP DDcFAZERinKh8gHuAK+IzbFZLOjT9jF8n8sWk0+vMnFt+t2j6rLsPmsas/atc/dptNeVpJfK yPlL9hv4r6L8dP8AgqX8V/Fnhu4lvNE1Xw5Gbad4WiL7DYRnKsAR8yN1HavvKsTwl8NfDvgB pjoWgaLopuABKbCxitvNx03bFGce9bdfL5rjaeKrKdKLUYxjFXd37qt5H0GXYSeHpONR3bbb totXcKKKK8w7wooooA+Cv28PiJL+zx/wUz+GvxHvtA1zVtB0nwvJbP8A2fb72lkb+0IyikkL lftEbEE9DWp4z/4K8+A/H/hDVNC1X4bfEa40zWbSWxu4hbxJ5kUiFHXcJARlSeQc19w1leOL LVtS8F6vb6DeQadrc9lNHp93PF5sVtcFCI5GT+IK2CR3xX0cM2ws4UoYiheUEoqXO46Jt7JP ueJPLsRCVSVGrZTbduVPol1fkfj/AOA/22NZ/Y7+IX/FsbzxWfBV03nP4d8WwIUXJ5CGNzg/ 9NECHoGDY54T/gpB+0tD+1l+1j8PvF8Ghan4eEnhBLR7a85DulzfsXhfjzITvwHwMsjjHymv 0e+B3/BLjTLXxc3jL4wa5P8AFHxlMwc/bSzafb4PACNzKB2DAIAcCPjNfFn/AAXTt47P/gol 4EiiRIoovAtuiIi7VRRdakAAB0Ar7XCZnl+JzOnHDwvUS1n3/Bc3q0mfK4jAY3D4Ccq0rQe0 e3+Xom0fNlFFFfoB8Ye/fswWem+LvhlN4f8AD0fgZ/iTdaz5gsvFGnQzrr9l5IVLS0nmRo4J vN3ggPC7+Ym2XKgDcsvgfpfxU+G3wi8Larr914a8S6hJqml6dYrpLXKfaft8o23DmVDCm/am VErAliUAGT5B8MvjofhjbWbReFPCOq6lpV0b3TdTvrWb7VYS/KQ37qWNJgrKrKtwkqqc4GCQ bOj/ALTfiLSPFPgvWTHp13f+Br2XULSS4jdvtcstyblzPhxuzIx+7t49+a8LEYPEyqudF21v fS9+WSVt9NVo1prbTb1qOKpRock9XtbW3xJu/n2aeqSvsb3gj9l7TNYi8IWWu+LJtD8Q/EBn GhWkOk/bLXHnvbQtdTiVGhEk6Oo8uOYqq7mAyBWl4S/Zm8LeHG8AXPjTxLqsU/i/UJLYaTp2 irdbDBfvayLLM11CFRigw8e5hlvlG1S/OeFf2rdX8M6Roscmg+FtW1Pws8z6Bq19bTPeaL5j mUCMJKsUgSVmkQTxy7GY444rn9Z+Oeua3Y+EIpTbCbwU80tjchGaaaSW6a6Z5SzEMfMc9AOO uetbezx0qlnK0bu+23vWtp/hvfW97abxUng1TlyRu7aXvvpe+vq426b6k/7SPhTw74G+N3iX SPC8+oy6Xp2pXNsEvLQQG1ZJ5E8pMTSmRFAUCRmDN3Ud9f4gaBYWX7Kfw51GGytItQvtW1mO 5ukhVZrhY/smxXcDLBdzYBPG4461yvxc+JP/AAtzx5feIJNF0fQ7rU5HuLuLTPtHkzzu7O8u JpZCrMW5CkKMDCjmt3Q/j+tl8MNN8Kar4N8KeJLHR7i5urKe/fUI54HuPL8zm3uolYfu0xuU 4x71pGnXjRo813KNubVXfuteSer/AKZM6lGWIqONlGV7aOy10/pfLQ9u+D2haV4R+KXhPVb+ 6i0a8h+F1xq9hNoOgIrxyLa3oNxKWuU33SBN4lGN7BBiPG+ue8G/sVa38eNN0zxLPqvjrV7r x1d3LabqMfhmbU4MLM0KTandCc/ZjJIp3bfPKKCxJGM+YD9o/XBqOmXP2XSt+k+F5fCUI8qT DWkkU0bO3z/63E74IwuQvy9cponx88jwTpeg674S8L+L7TQvNXTJNUN9FNZRyv5jxK1rcwbk 3lmAk3FS7YIBxXHPB4uM3VpSs3psm7c1R6Xt3ju+/kb08Th3TVOor9eq15Ka1t0up7Lttdno 0vwZ8HeF/h98I76J78eMdY12ezvYL7SFuLC8khvLeN45x9r4jj3MBsTMwJDeXwaS9/Zc0LX/ ABRq+o694sXw5HffEG98IW9rpPhzzoklV0YSpGbhBFbjzcFNzMgChRJk7fO9I/aGvtL8CaBo b6JoF5/wiuptqmkX0y3AurFnlilkiGyZY3jZolz5iMwBbDDjEmq/tM69rBXzLTSBt8Wz+Mht ik/4/JfL3R/f/wBT+7XA+9yfmNaLDYy/x63lrps5Jq10+l1rt6WIlWwuto9FZa7qMlrt15Xp bTzudXrH7Gy3MosfDfiiPW9asvFdv4O1OGfT2s7a3vZ/MCPDKXZpYd0MqlmjjYbQQhBFM+O3 7Gt/8IPAN74hh/4S9rPSdSTTLw694Wl0RZjIH8ua1ZpZPPiJjYEny3XdHlPm45df2n/E1rPr c9n9gsLvW/FEHi5rmCJvMtb2Fp2TytzFfLBuH+VgxO1eeuc34k/Few+IsUrp4I8J6BqNzcm6 nvtLe/WSZm3Fl8uW6khVSWzhI1xgBcDinTp5gpx556aX0XaN77aX5kra7blTngWpcsddbavv O3fW3Jvpe+x7X+xf8BZPFHw+bUbnwRe+KbbxvqzeFxeR6O9+mgW3kN5t8GVG8l0mmtir5HEU w9a5d/gZ4M8Lfs3avfeKLvxDpni/R/GLaDdSWelJdLCUhlJgAa7iUoSm4yFQwYbQCDury3xn 8T9Q8a6J4Z06aO1tLPwpYGwsY7ZWUEGaSZ5XyxzI7yEkjA4XAGK6/wAaftX6r8Q9E8S2Os+H /DF7F4mu4dTlYx3Mb2l9Hbm3N3EUnH7x1JZhJvjLHIQdKmphcX7WVSMtJNaLooyVt9NY3b21 01FSxGGVONOS2T1fVyi73trpLlS8ldWZ2Pxp/Zx8HP8AtPS+EfCV14qSBLKK4lsLTw7JqF3u NpDKEtI0uJGnd9zu3mtCkYDAMQBnP8V/sXSeCvGdxFqur6rpPhyx8Mp4pu7rUNDNtqttA0v2 dYGsTLgXBnIQKZgpVgxcdKyp/wBsXVb3xNd6rdeGPCVzcazoq6Frisl4ia7AqwqjTBLlTG6+ RGc25iBOcgg4qC6/a71m68QWlx/wj/hVNJtvD7eF30RILgWF1p5keVY5P33nbldlYSLKsmY1 YsW3FpjTzGMYRjLaNnezu7PW/e9rXuray1uivaYKUpSkt3pa+ivH9Oa/ntpa3b/BD4JJ8T/h h8TNA8F6sdZsJG0a+k1C9s2sfsECfaZJ3uIw0gXygGz5bybsDaWZgteCeMbDS9K8UX1touo3 Gr6VBKUtr2e0+yPdIP4/K3vsB5wCxOMZweB2en/tN634YuNRfw3p+ieFBezWE8K6VDLGbB7M sYjGzyM7Fi7F2laRmz1xxXJ/ETxmfiH411DW20zStIk1KUzyWumxNFao5+8URmbaGbLbQdoL EKFGAOvC0sRGvOc/hlr0vflitbLy6aLXe6tz4ipRlSUY/EvW1ry2v69d9Phs74tFFFemeefo 5/wbmf8AJkfin/seLv8A9INPr78r4D/4NzP+TI/FP/Y8Xf8A6QafX35X8+57/v8AV9T9oyr/ AHOn6Hyv/wAFr/8AlGT8S/8AuF/+nWzr8fvCH/Ip6X/16Rf+gCv2B/4LX/8AKMn4l/8AcL/9 OtnX4/eEP+RT0v8A69Iv/QBX6F4f/wC61P8AE/yifFcZ/wC8Q9P1Zo19Zfs7eBLvVvgr8M5d J0HwBqKal4g1JdeXV9O025v76zhNsxSFZlN5LsjMx22gMgyMDJWvk2uy0/4565pHh3whp9mb a0/4QnUp9V025iVhOJ5WhYlzuwQDCmMAdTknt9lj8POtGMYW366rZ9Outj5bC1o0pOUr7dNH 8n0PSvBH7Ilt8YLbXfFGkL4y/wCEQfxHcaVpEPh/wxNr15HEv7wSXCebH5UaxvEMlmdmJwp2 k1man+ynpfw5s9Ym8d+LbjQf7H8STeGni07RjqMs0qJHIJlDSwjytrkncQ4wuFYsQuG/7TU+ px6za6v4R8I63o+raxLrsel3K3sVvpl1KMSNbtBcxzKrDaCjSMvyLxkZrc8L/tB6F4V+Br6d /wAIx4U1W8n8WS6suiX0F69tYw+REI3ilWZZcBlZNrTNuH3w3BHn8uOhu3b3dFyt/Zvq+u97 q3W6O9ywc3olf3tdUtpW06L4et+lmL4g/ZO0/wCFFzfH4geK5tDtItfn8P2UulaT/ajXTwLG 81wytND5cKrNCerSEuQI/lNXIP2KZdGtvFp1rU9dvLjwjqsmmXlt4U0Ia3Lbokfmfa7hWngM Nu652OQ2SkgbaVwedT9rXWdXbUf+En0Lwt41jvtak8QRx6xbTBbK8kAErRfZ5YjscLGGictG fKT5eDmHwx+1Ff6D43l8V3fh3w5rnjN9RbVY9fvnvhdW9xkFSkcNzHb4RhlVaIjsQVwtVyZj ye9L3rdOW1/d2vb+9zX7pxXQlywPN7sdLvfmWnvb2v3ja2ujv5+lfs//AAd8N/EM/Baz8UwW R0jXrjW4iun6UY729aJkKrdXAuEZ1GTsKgFAu3DBiR57pXwQ8H/8IxF4l1fxlrml+FtU1VtJ 0idfDiXF9ctFHG9xNNALsJDHH50Y+WWR23cJwcUfDP7UniTwrf8Agu5gi0qSfwNf3moWbSwM ftT3Tq0yzAMAVO3A2BCAx5zgiXSP2l/7M0uXS5vA3gjUtATUhq2n6TeJfSW+kXBjVJDC4uRM ySBELxzSSISi/KKcaGMhNyu7Pomv55PS6tezXlZO+thSq4WSUbbdXf8AlSWz2Ulr110vqdB4 j/ZL0z4WeHtVvvG3i6fS20vxLceGfI0rR/7RaeSKGGYTqXmhAiKy85IcfLhWy2zJ+I/7Lsnw 0tfH11eayj2fhC+s7DTp1tcLrzXQMsTJ8/7sG2Uyn7+MqvfNc947+P8A4h+JfhO40rWpLe9N 3r0/iKe7MZW4luZoo4mHBCCMLGuFVRj1xgDqf2hfjzF8QvhF8MfClpdw3q+FtHzqNxHbNC0t 0zFEicsAZPIt0hjDcj72CRTjHHxcOeV23Z2SslZNva+tnHX+ZPoDlg5c3LGySbW927tJb9pR b8ovubn7E/w2uL2LxB40/wCEFufiDDoElnYRaQmkvqUc73EuZXeJVbhLaOfDY+V5IjnOKyvi l+yNdeB9Q+IVtb3k0up+CNZtrX+zGtGElxYXRIgug5Oc7mhVkKcGZee1ed6p8TL/AFT4YaR4 S8q0g0vSL651EGJWEt1POsaF5SWIO1IlVcAYGepOa7fwZ+2N4m8EeN9G16Cw0G6vNI0SHQXS 6glkh1GCFg0D3C+YN0kZSLaV2j9zHkHBzVWji1WlXpvfp5KzWu2tpLa6599DOlVw/slRmvO/ m7rbfRNPezcLW1Oj8OfsVQa38Tdc8NJrHizWJ9AvoNLvJPDnhCXVhaXDKPOaYiaNI4Ek8xFf ezv5Tt5ajGbPhH4VXPw70aztL1NAe88PfFe10Se5isCb2R0VgwW5LA/Z8x58ox/eIbcMYrhP A/7T2qeEfCyaTeaH4d8TQ22sNr9nLqyXDSWV8yqGlHlTRrJnYhKzLIhK/dwSCmr/ALUXiDWb i9kls9HVr7xcPGkmyKTAvBu/dj95/qfnPH3unzVHscc58s5XXu9t043a66+9o9tLFSng+RuC s3zW32amlfpvyarz0O/n/ZwX48ftFfEX994vYxeLru1ZPD/hWXW2tRJcy4muW8yKOKLrgh3c 7X+QAAl0vwt0Twp+z7qPh3xp4kuNDGgfEK8055tN0s6k88yW8MbMqNJCojG1mLF933QEbJxx 1h+17q6JfLqPhzwpra3HiKfxVarfQ3W3Tb+Ygu8axzoHX5U+ScSr8oyDlskf7XWo3jayuseE /BniG11vxBP4mlt7+2uQsF5LtyY3inSRUAUjYXIYMd+/C4wjhsaoxpv4YqO3Lf3eXZv/ALe3 8jpnicI5yqr4pOXfaSmtfvjtrvp37fTPgpefCC2tNN1BfD8934f+KllpT3cNgTeTfut4K3Jc EQEKG8ox53EEsCMVp+JvAGleLPFniB9cTT49JuvjJNplzNb6T5uqOsnnHyxP50f7gkAGMAEF t4YkbT5Jqv7VHijXmuJNQ/s+9ubrxVH4vmnkhYO94ilQmFYKIsH7oAIwMECoNW/aT8Qata38 fk6Zbtf+K/8AhMWlihbdFe4fCruYjyhvJ2kE8D5quOCxbkp1GubS7X/cO/TykYzxOGUZQp7a 2/8AKvL1/vQ69zrPjB+zn4fOrfES58D6rqd2PBuvrYS6PdaYIZIoZbiWBWikFxKZEjkWKPLB WbzVJA6V538a/hxF8IfijrHhmPUl1Z9FmFrPcLD5SmdVHmoBubhJN6ZzztzgZwPVvgj+1ra+ HP2jNf8AiFqGmeHtCmvdIv5JtOtLa6ntdZv5MyRBllklKE3HlSE7ljXyRgA9fBb6+m1O9mub iRpp7h2lkkY5Z2Y5JJ9STXTgFi4zVOs20ore27srX8uVu/XnXYjGyw0oyqUlZuTtbtve3S/M orp7r7kVek/8E3tWXQv+CpXw2vXhurhbTTtUmMVtC000u3TNQO1EXJZj0AHU15tXqf8AwTC/ 5Sx/Cv8A69NS/wDTbf1HEH/IurX/AJX+THkv++07d1+Z7x+1/wD8FdPGfxH1u78L+DrTU/AG jrMba6neP/idy/NhhjIEB/2VO7I++M4rf/Y//bd+GX7H3hXUbXS/BXxX1jV9dkSfVtTvbeHf eyJu2kJ5mEUF3OMlvmOWbivsv9qH9hf4fftYaczeINL+ya2q7YNasAIr2LA4DNjEij+64IHb B5qP9jT4FeP/ANn3w1q+heMfHK+N9LinjGgyyRuLm1gAYMsjOSefk2ruYLtODg4H53LOMpll vsadLltbmhzNc3nzJPmtvZ28j7SOWZisd7WdS/aVk7eXK2rX8rnxT+2x+2xa/tv6T4K8M+Gf BPjSy1Cy8RQXn+mWakSja0e1QjMc5cduxr9PaKK+azHMaWIpU6FCnyRhfrzfFbyXY93A4KpR qTq1Z80p26W2CiiivJPSCv5tPgb/AMincf8AX23/AKAlf0l1/NL8Im8Rjw3P/Y/hLW9etvtL brizt5ZER9qZQlUYZAwev8Qr9C4BqRhOtKb093/24+M4whKcKcY+f6HoVFY+/wAc/wDRNvFf /gFcf/GqN/jn/om3iv8A8Arj/wCNV+l/XaH8x8H9UrfymxRWPv8AHP8A0TbxX/4BXH/xqjf4 5/6Jt4r/APAK4/8AjVH12h/MH1St/KbFFY+/xz/0TbxX/wCAVx/8ao3+Of8Aom3iv/wCuP8A 41R9dofzB9UrfymxRWPv8c/9E28V/wDgFcf/ABqjf45/6Jt4r/8AAK4/+NUfXaH8wfVK38ps UVj7/HP/AETbxX/4BXH/AMao3+Of+ibeK/8AwCuP/jVH12h/MH1St/KbFFY+/wAc/wDRNvFf /gFcf/GqN/jn/om3iv8A8Arj/wCNUfXaH8wfVK38psUVj7/HP/RNvFf/AIBXH/xqjf45/wCi beK//AK4/wDjVH12h/MH1St/KbFFY+/xz/0TbxX/AOAVx/8AGqN/jn/om3iv/wAArj/41R9d ofzB9UrfymxRWPv8c/8ARNvFf/gFcf8Axqjf45/6Jt4r/wDAK4/+NUfXaH8wfVK38psUVj7/ ABz/ANE28V/+AVx/8ao3+Of+ibeK/wDwCuP/AI1R9dofzB9UrfymxXO/Ff8A5EC//wC2f/ox atb/ABz/ANE28V/+AVx/8arD+I7eKj4LvP7S8E+INIsvk8y7ubWZIovnXGS0YHJwBz1IqKmM oyg0pF08LVU02j9+P2Fv+TI/g5/2I+i/+kEFeqV5X+wt/wAmR/Bz/sR9F/8ASCCvVK/nzE/x p+r/ADP2eh/Cj6I/H3/gu3/yka8D/wDYjwf+lepV8019If8ABes3w/4KH+Cv7N0271e9/wCE Ht/LtLZGeWX/AEzUs4CgngZJ46A18r7/ABz/ANE28V/+AVx/8ar9n4YxFOnltNTdtD8uz+hU njpuKNiisff45/6Jt4r/APAK4/8AjVG/xz/0TbxX/wCAVx/8ar3/AK7Q/mPG+qVv5TYorH3+ Of8Aom3iv/wCuP8A41Rv8c/9E28V/wDgFcf/ABqj67Q/mD6pW/lNiisff45/6Jt4r/8AAK4/ +NUb/HP/AETbxX/4BXH/AMao+u0P5g+qVv5TYorH3+Of+ibeK/8AwCuP/jVG/wAc/wDRNvFf /gFcf/GqPrtD+YPqlb+U2KKx9/jn/om3iv8A8Arj/wCNUb/HP/RNvFf/AIBXH/xqj67Q/mD6 pW/lNiisff45/wCibeK//AK4/wDjVG/xz/0TbxX/AOAVx/8AGqPrtD+YPqlb+U2KKx9/jn/o m3iv/wAArj/41Rv8c/8ARNvFf/gFcf8Axqj67Q/mD6pW/lNiisff45/6Jt4r/wDAK4/+NUb/ ABz/ANE28V/+AVx/8ao+u0P5g+qVv5TYorH3+Of+ibeK/wDwCuP/AI1Rv8c/9E28V/8AgFcf /GqPrtD+YPqlb+U2KKx9/jn/AKJt4r/8Arj/AONUb/HP/RNvFf8A4BXH/wAao+u0P5g+qVv5 TYr7Z/4Nzf8AkbPj/wD9fekf+h6nXwdv8c/9E28V/wDgFcf/ABqvu7/g3F8//hJPj39qtpbO 5+06P51vKpV4H3aluRgQCCDkHIHSvl+MK9Oplk1B32/9KR9BwzRnDHxc13/Jn6hUUUV+NH6e FFFFABRRRQAUUUUAFFFFABX4+/8ABdv/AJSNeB/+xHg/9K9Sr9gq/H3/AILtaJrPiP8A4KN+ B7Pw9Zx3+rzeB4Ps8EjqiyYu9SLZLMoGFDHqOlfT8ISUcyjJ7JM8HiROWBlFHzTRTv8AhSXx m/6FDTv/AAOt/wD4/R/wpL4zf9Chp3/gdb//AB+v2P8AtGh3PzH6jW7DaKd/wpL4zf8AQoad /wCB1v8A/H6P+FJfGb/oUNO/8Drf/wCP0f2jQ7h9RrdhtFO/4Ul8Zv8AoUNO/wDA63/+P0f8 KS+M3/Qoad/4HW//AMfo/tGh3D6jW7DaKd/wpL4zf9Chp3/gdb//AB+j/hSXxm/6FDTv/A63 /wDj9H9o0O4fUa3YbRTv+FJfGb/oUNO/8Drf/wCP0f8ACkvjN/0KGnf+B1v/APH6P7Rodw+o 1uw2inf8KS+M3/Qoad/4HW//AMfo/wCFJfGb/oUNO/8AA63/APj9H9o0O4fUa3YbRTv+FJfG b/oUNO/8Drf/AOP0f8KS+M3/AEKGnf8Agdb/APx+j+0aHcPqNbsNop3/AApL4zf9Chp3/gdb /wDx+j/hSXxm/wChQ07/AMDrf/4/R/aNDuH1Gt2G0U7/AIUl8Zv+hQ07/wADrf8A+P0f8KS+ M3/Qoad/4HW//wAfo/tGh3D6jW7DaKd/wpL4zf8AQoad/wCB1v8A/H6P+FJfGb/oUNO/8Drf /wCP0f2jQ7h9RrdhtFO/4Ul8Zv8AoUNO/wDA63/+P0f8KS+M3/Qoad/4HW//AMfo/tGh3D6j W7H6Nf8ABuZ/yZH4p/7Hi7/9INPr78r4D/4NzP8AkyPxT/2PF3/6QafX35X4Xnv+/wBX1P1z Kv8Ac6fofK//AAWv/wCUZPxL/wC4X/6dbOvx+8If8inpf/XpF/6AK/YH/gtf/wAoyfiX/wBw v/062dfkB4P+EHxa1PwlpdzpvhawuNOuLSKW1la8gUyxMgKMQZwRlSDyB9BX3nAteFLCTc39 p/lE+Q4tozqYiKh/L+rL9FO/4Ul8Zv8AoUNO/wDA63/+P0f8KS+M3/Qoad/4HW//AMfr7j+0 aHc+S+o1uw2inf8ACkvjN/0KGnf+B1v/APH6P+FJfGb/AKFDTv8AwOt//j9H9o0O4fUa3YbR Tv8AhSXxm/6FDTv/AAOt/wD4/R/wpL4zf9Chp3/gdb//AB+j+0aHcPqNbsNop3/CkvjN/wBC hp3/AIHW/wD8fo/4Ul8Zv+hQ07/wOt//AI/R/aNDuH1Gt2G0U7/hSXxm/wChQ07/AMDrf/4/ R/wpL4zf9Chp3/gdb/8Ax+j+0aHcPqNbsNop3/CkvjN/0KGnf+B1v/8AH6P+FJfGb/oUNO/8 Drf/AOP0f2jQ7h9RrdhtFO/4Ul8Zv+hQ07/wOt//AI/R/wAKS+M3/Qoad/4HW/8A8fo/tGh3 D6jW7DaKd/wpL4zf9Chp3/gdb/8Ax+j/AIUl8Zv+hQ07/wADrf8A+P0f2jQ7h9RrdhtFO/4U l8Zv+hQ07/wOt/8A4/R/wpL4zf8AQoad/wCB1v8A/H6P7Rodw+o1uw2inf8ACkvjN/0KGnf+ B1v/APH6P+FJfGb/AKFDTv8AwOt//j9H9o0O4fUa3YbXqf8AwTC/5Sx/Cv8A69NS/wDTbf15 d/wpL4zf9Chp3/gdb/8Ax+vUv+CYnhbxN4R/4KyfCu28V6bDpeovaalLHFFKkgaI6bqADZV3 H3gw69uleTnmMpVMvrRg9eWX5M9LKcLUp4ynKS+0vzP3Eooor8LP1oKKKKACiiigAr8OP+Cb n/JDdV/7Ds3/AKT29fuPX4cf8E3P+SG6r/2HZv8A0nt6+y4U+Ct/27/7cfMcRfFS/wC3v0PS /ir8bR8N9c03R7Dwz4k8Za/qkM13HpmifZFmjtoiiyTu91PBCqB5Y1AMm9i/yqwViuD4Q/bU +HfizxTpeivr9lomp67YWd/pltrFzDYz6ibl5oxbwxO4keeN4WWSMLlWZRyTxp/FX4UeJde8 c6Z4n8G+JtI8Oa3Z2U2mXI1XQ21azvLaR0kAMcdxbyLIjoCrCXbh3BRsqV89P7EGo6dei3sP GFr/AGJqWn6ZYa6t7ohn1PUTZ3c935sNylxHHA8ktxITmCQLn5Qte9zV072667ba2t12te92 nsmjx7UuV3ettN99L309bW0a3ae3qOrftCeD/CWjQX3iTxFoHhSG81K40m1Or6xZwC7nhmeI pGwlKsxKEhM+YoOHVGDKI/Hv7TPw8+F97q9p4g8b+FtK1DQdPbVdQsZ9TiF7a2oAJmaAN5u3 lcELyWUDJIFeIeJP2KvEHxv8KadqM+q3ngfVGute+1aTe3F9Ij2eoai9yI5v7J1S0DSbAgYG eaLDEbcgMPRf+GZ9ZttO8c6Fa+JtKh8I+OLO5WW1fRZZNRs7qe0jtjIt0bra8SiMERvCX5x5 uAKn2mJcW+Wztp11tot116/Ky+Itww6q2ctOaz9L7rR30/zu9jp9d/ae+HXhnRfDGpX/AI38 L22meNLgWuhXrajF9m1SQqzARSg7GGFxnONxVc7mUE8Q/tSfDLwlBey6r8RfAmmRaZdrYXj3 ev2kK2lyysywyFpBskKo5CHBIRjjg1V8U/CnxR4n8LeCt3ibRYvE/hPUotRmvxoUhsr/ABBN byoLb7Vvj3Rztg+c21gDhh8tcp4y/ZN1rUPg9a+FvD3jaTQJYvEF/rdxcxw39ul2l1c3NwYW +w31pcDa1wPmFwFYx5ZDkBdKsq65vZpPXT093z/xdttu+VJUmo+0dtNfJ+95eUfv30PRNK+P XgbXvGFv4esfGfhO81+8txeQaZBq9vJeTwFBIJViDl2TYQ24DG05ziuQ1v8Abr+Eeg2dvfyf EPwVNoczvA+rW/iCxmtLedZLePyX2zF9xNzGSVQpGoJkaMFd2D8Jv2IovhT4LsNMj1y11C4s NWtdV+0XGlFhO0GjppgSRTMWYEJvJL5wxT/brnbH9gzxSqQ3Nz8SLKTUdMSYaTGuiXcun6az XmmXaBYrnUJ5/KV9NwYhcLGFlAjWHYd6lOvfSPT9E7brrePqr7GkIUOZKUtP+H8n5P0dtT17 VP2nfAfhqeYa34t8L+H4ft0en2k+o65Ywx6lI9vDcKIf3xOSk6YVwrkEMFKMjtsJ8ZfCEnxD /wCEQXxV4bPiwoZRoo1OH+0dgXcW+z7vMwF5J29Oa8i8VfsY69qPxD8V+KNK8ZaHZap42hls dUF74ae9hS1lsrC2lW3UXcZjkLWW8OzOuJArRvsDHqPCf7KVn4P1n7Vb6lvCeJ4PESeZaBpi IdKTTlhaTdlm2pv8zH8RXb3qqcqzlacbLT80n9y97ZX+FLRNxONJRvF62/G17fN3jvpv1svQ h8Q9AN4tv/bmj+e8k8SxfbY97PBzOoGc5j/jH8PfFcJ/w2T8P31jxRpaeINIOt+F4ZLltLk1 axt7rUoEtI7s3FuJZ1UweXIB5rsiAo+5gq7q5X4sfsLQ/Ezx9r+uReJZdKOsTwzwRx2IkfT2 kijttS2OZB/x92kUcXAHlsGk+ctgT/Fj9iK1+JnhDxrpcWtQaY3jDVptUE66YJDZ79G/ssR4 8xd+1fnByvHyYH3qmMsQ9ZRt/ndK/pa7XkrPWxpCGH5kpS0/p2/RvvqtDrfit+118O/gxemy 13xZ4fttVhe1+06adUtVvLKC4mjiW6lieRWS3UyqzyHgLk89+kHxl8IH4eJ4v/4Srw3/AMIn KnmprX9pw/2c6btu4XG7yyNwIzu6jFeca/8AsqavrGv39unifRh4R1LxFYeKJ9PuNAee/wDt dtNaSlRdfalj8pvsoAUwFk3/AHyFC10Gq/s5xan4KfRv7SjVH8Xx+LN/2MEZTU1v/J27+pK7 d+ep3be1VTlWfxq139y93z13k+jfLsuZJY2p8q79fufl5LTXfd2u9m9/aN+HunayNOuPHfg2 DUDpp1kWsmtWyzGxEZlN1sL58jywX8zG3aCc4GaueGfjb4M8aaHFqej+LvDGrabPbT3kV3Za rBPBJBAwSeVXRipSNmUOwOFJAJGa8V+I/wCwdqXi/wCMWt+JrTxZp7WGsXbakNK1q31m+tra 6NoLXeIYNXtrRlCqCN1sZOT+8ztK2r79jnxnN4J02zj+JVnNrUOk6roF7f6lod1qKPY30kTl IRNqBuFkj8lAslxcXJOWyMbVXONXE2blD019ba+tvld7+6a+zoXS59Ort9+n9bpW6nZWX7a/ wyFzb2+q+LtE8NXd7NqsdrBrF9DaNcpp11Ja3Eykvt8vfGzKSwLIGOPlcL0+lfHPwv4n0rQN S0LW9G8Q6R4kvZLG01HTdUtJrVnjhmlch/NHmYEDgrFvcHJKhVdl8tuP2Ndc0fwvplloPizw +k1pNrwuv7a8Ny6ha3lvqt8Lxo/LivYHR42VAJBIc4J2gkY3vDP7MesWvg3wPYa54zm1y/8A B2s3Wqm6e2uHFwktneWqQKbi5nuAEF2G3zTzOTGRkBgErnrrmXLe23S/4v8ATr5XTjQeqf8A N+vL066ffr1t3vgT4y+EPikmot4Z8VeG/EQ0hxFfnS9ThuxZOQSFl8tjsOAeGx0NN+Gnxt8G fGi3u5fB3i7wx4si091jun0bVIL9bZmyVVzEzbScHAPXBrnPg1+zpF8HLLSorXUkc6X4S0/w srw2SwFvsplInA3MBuMpOwggY6nNYX7LX7Lut/AXxH4g1bX/ABnN4xv9dtbS082QajmNbdrh 9xN7f3hBY3DZWIxRjHEYya1Tqc9mtNdfm7fetfK9rvUzkqfLJxeulvO9r/dd+tvNHs9eUftv /wDJr3if/t1/9K4a9Xryj9t//k17xP8A9uv/AKVw100/jRzz+Fn6j/sLf8mR/Bz/ALEfRf8A 0ggr1SvK/wBhb/kyP4Of9iPov/pBBXqlfk+J/jT9X+Z+i0P4UfRH5Zf8FVP+Uvnwv/7Ef/2p q1ZXxP8AiHY/Cf4e6x4k1JLmWz0a1e5kito/MmnwOI41yMuxwqjIyWHIrV/4Kqf8pfPhf/2I /wD7U1asj4qfDy1+LPw51nw3ezXNrb6zaPbG4tyBNbEj5ZULAjejYYZBGVGQRxX6Jg+b+z6f Jvy6euvfT79D4rF2+uT5tub/ACPNNf8A2o/EXwltvDz/ABE8FWmhDxDrK6XC2h6tPr2Faxu7 obYktI55Zw9qIjCkRB85CkjkMo6bUf2qfBeneE9H1hbvW76DXhMbO107w7qN/qLCFtk5eygg e5iETkJIZI18t2VG2swBz9M+CXjHXda8J6l4y8a6Prd54S1n+1IF0zw62mwTJ9gvLQqyvczM JGN3vZ9+zESqsSZZjw3xD/4J+WXjS10qVpvA+tajpWp67eRp4u8HJr+mGLVL9r11FsbiJlmi bYizLKAV8zKfONm1R4hX5En/AMMvPXW/b8hKOHfLzO2mtr7+/wD5RXz8mz1CL9prwdf+IdG0 uwvtR1e916zh1C2/szR72+hit5iwhluJYYnjtUco4Vp2jB8t/wC62I/2df2itI/aJ8D6fqVg rQahLpVhqOo2aCSaLTZLu3Wdbc3GxY3lVGUso+dVeNmVRImcPwR+ztr3wx8ZWd74b1zwfo2j XWmWGn63otv4VeO1la1Ei77AJdqLJWWTb5bi4VQiY53FrH7KX7Mp/ZV8D23hnT9c/tDw/bWF rGlmbPyhDeqhW6uYz5jbEuG2yGHB2yGVgx8wgaU3U55c60vp+P5q3ne2i1ZlJUuR8u/u/wD2 3To+n4vZ4+qfthunib4baLpmgDV7/wAfXM4lngGpNp+n20EvlyyC4WwYNIDjCSrCnUtIilWZ /wAQv2ovEWiXfi++8M+CLTxJ4W+Hsph1+8l1w2V87xxJPcJY232d0uGihkX/AFs0AZ8oDxur d8Afs5f8INd+CZf7Y+1f8IdFqcWPsmz7Z9tkV8/fOzZtx/Fuz2rE8Z/sv+ItS1bxhZ+H/Gtn ofhH4hTm516wm0M3eoRySQJb3Bsrr7QiQeZFGv8ArYJ9rl2HBCryf7Xyvvrba17Rsn/dvzXt 717W0NI+w5lfbS++13e3nta+lr31J9E/bY8JXXxF1rw9qP2/Tm07VbPTLa8XT7u4s5vtdnZ3 EDzzpD5NmZHuxEizSLvZPlJJ2jVl/ao8OaLoS3epvdzTXGqalp1tZ6Bpeo65dTLZXT200hgg tTOFR1VZG8sxI8iqJXDIz8zrn7JWs3Hi7X/sXi6ztvBPibWNP1jUdD/sPfeE2UFnFHBBd/aF WNZPsUe8vC52khDGfnriV/Yduvi94I0TVNe0bwdY+IbHWPEV4mk+NfDVv4psoLXU9Uku1Dwx XKKtyqiHEkU7KA0qkPkFdZVMRb3I/f8ALzt36rr7qsr1GGH5E5PXS9v8Mr9P5rdPn29K8Sft y/D7QvD+salaXHiTxFbaHph1S6l0Pw3qGowRx+QtwI2uI4TAkxidG8uSRWUOpYKDmtjSv2q/ CWtalollbx+L5L7XYYJ47dfCOrO9ikzskZvNtsRZhij4NwYwVUtnaN1cd4O/ZC1nwZ4Q8TeE bLxF4R07wN4ssZ4rrSNM8JtZNp9zPZrbytZuLwxw2+9TKsLxSMu9l80jBBrn7KfivxZ4w8K6 xf8AirwTaahoEVpBc6vo3hO70/XLqGCbzWtkvBqTbbWTgNbzRzxEliVYkbWpYjmV1p7t/wDy bmtr/ht37LVLKUaNtHrr/wC28vT/ABX7d3o333iT9ozwv4P8eDw7qh8RWN20scC3c3hrUl0p pJFBjQah5H2TcxYKB5uS5CffO2smP9sXwHdeE9N1q0u/EWpWWslzp6af4W1W9ub+JFjZriG3 itmmktgJYgbhUMQaRV37iBXC/Fr9glPil8b28XSar4WG7VrHVo7m+8LC+12xNsYf9FtdQa4H kWj+USYkhyHmlbcd5FS/Ef8AYLsvHHgn4c2LSeB9Z1H4e6L/AGFGfF3hBNf0y8iaO3V5Ram4 iaKbdbIVdZiFV5FIfcCsKeK5JNxV76enff5W07+RpyYbmS5na2vrb07/ANdT0rxT+0f4X8J+ FtG1p/8AhJNV0rX4DdWVzofhnU9aQxbVbdJ9jt5TECGGPM25w2PutjBvf2xPCmia7fxX00v9 nBrBNJutOt7jVJdbe7tZrpFhgt4nkY+VC7DaG3Acc4B534xfsTQ/FXwb4O0of8K8it/C+nya e+l3/gwX/h8GRYgZ7TTjcoltOnlkROzy+Wksi4bcTWj8Lf2Ph8M9X8MXI8Q/bB4bTTUCfYPL +0fY9KudO6+Ydu/7R5nQ7dm3nO4aN13KSSSV1brda3vr6dtzNKioptu9nf16dPvNrwJ+2Z8N viOty+meIyLe10uXWXur3TruwtWtIdouJEmniSN/IZ1SZVYtC52SBGBFV4v22Ph7NaFvtfid bzzI0j0t/COrpq9wsiyMksVgbUXUsJEUp81Imj/dP83ynGNe/sVW2seFtO0i88QTtb2XhzXP D7vDaCOR/wC0rm2uBOpLsFMRtwApDB92TgDacjxt+x74x+Jlw+qeJfFXw38QeIjHb20E974E uTZ6fFB5zRzW0Sams0N75k7t9pW4yoCCNIyGZs3PFcqtFX6/e9te3L97d2/dNOTDb8z/AKt5 er/C3U9E+D/7Tnh743eMfEGiaPYeMLS78NtELl9X8M3+lxP5kUco2tcRJ82JVzG22TgttK4Y +iV5f8AvgJrPwS1rU3ufFh8SWGrWln9oN9ZSHUZLyC2htmna6adt6OkKnY8Zk3ElpnzXqFdl Pm5Fz7/8H5/n/kcs+Xm93bT8v8woooqyArf/AOCC/wDyXL9p7/sO2H/pRqtYFb//AAQX/wCS 5ftPf9h2w/8ASjVa8zOv+RdV/wC3f/Skd+Vf77T+f5M/SWiiivzY+5CiiigAooooAKKKKACi iigAr8sv+Cqn/KXz4X/9iP8A+1NWr9Ta/LL/AIKqf8pfPhf/ANiP/wC1NWr6Hhj/AH3/ALdZ 42e/7r80cb+0l8Z/+FAfCG+8UeVo0v2S5s7b/ib6r/ZVhF9ouorfzJ7ny5fKjTzdzN5bcL07 1zHhf9sjQv8AhV+keIPE1vcabNqrXRSPQ7W98Q2skEEpQ30U1vbbmsWXY63MkccZWReRkZ9J 8deCLX4gaLDY3klxHFBf2eoqYWAYyW1zHcxg5BG0vEobjOCcEHkeNfFb/gnJ4D+LKWAu5Lq3 /su5vp7NZNK0jVIrVLyZZ5oI4dQsrmJI/NXcpVA43Mu/adtfYT+sKTcNV+W3/B9Eursj5mn7 FwSno77+Vv6/4bU7/V/2nPBuh6tr1rPfamyeGbR73U72HRL6fTrREjWVlN4kJtzKEdG8oSGT DD5as+Mv2iPCXgPUhZahfXrXzahHpaWtnpV3fXEty9v9pWNI4InZv3IMhKghVViSNpxh3n7K mm3aeKbEeIvEkHhrxhaTW+oaBCLJLESywpC9zG32fz45NqA7RL5Wcny+ad4K/Zbs/C/iOz1n UPFXivxRrNnq51n7bqZskeaX7A9gEZLa2hjEYhfgKincASTyDadXRW7X+/W2v3P70nootTtd +f5adPW/4X3LFr+1B4Z1zWrC10q5e4in1yfQZri5sb61iaeG3u5ZUtpDbmO4dGs5Vfa6ou18 vvCxvR0L9tb4deJvCl5rNhqmtXVlZrayKE8N6n9ovo7pzHbyWsH2fzbuORlYB7dJF+U88GtS 3/Zt0O20zQLVbrVvL8Oa7f8AiG2Jljy9xeLerKr/ACcxgX820DBG1MscHd578ev2LT4n+CNr 4b8Lm31Cey0vS9CFvrlzCtvdWdjIzpvL2V1CZSWyfNtZoztGI0bbImU54iMeaye3/B69Ht6+ Rso4eUkk2v8A9p/+22+ZsfGH9s/S/BHwj8J+L9Dbw6+meLdUOm2934w1WfwlZWwENzKXlknt ZJUJNsUVWiG4uvOMZr3P7Vni3XNH+0+Gvh1FqE2k+H7bXvEFpqmttptxZGdJHW0tl+zSefcB YnOJTbp80Pzje2zpfhh8Bp7X4T+A9I8XPZXGoeDWd1g0+OBbIqbe4tUt2VLeCN40t7gpmOCB WKAiNFOysi8/Yu05dNt7LS/Gvj7QbD+yY9B1G3sbu1K6xYxbxFDK0tu7xlI5HjEts0MuwjLl lRlKscReXs3vttpo9/K9npd9vNQlQ93mXrvr73T/ALd+X6a+mftM2et/F7Q/D1pplxNpGuWE c0es+ZtSK8lga6is2j25DNaxvKW3cfIMEtxszftDeFrfxTr+kyXGrRy+F4HuNTu30S+XTbYI iSMv20w/ZnkCyKTGkhfkjbkHHNv+xN8PV8RJr0Gh2Vp4rg1K31G38RRWNqdWtFgMYjto7hoi y2/kxLAU7xFhnJLVW8cfsUeHfiX4/wDFOva9q+t6j/wlejzaFc2X2bTreKO1kAGzzYbVLmdU wSiXM00al2OzOMXKVdJuK/mt91466dfd221uZxVL7T7ffs36W1336dCG+/b7+Hum65BYzp44 gZ7W6u53m8FavCbFbcQswnje2EsZZZ0KZTDZAzl0D97pvxr0DUPC+k6w76vptlrd8mm2g1XR r3TZzO7FER4biJJYtzLhWkVVYlcE7lz5P4Q/4J26F8OtIht/Dfi/xF4buY2uhJdaRoPhuyN1 DcpAssEsEWlrbSIfs8Z3NCZOCN+35a63Rv2QPD+jfs4TfDNdT1s6VI5mivo1tLW6sZROJ4pL eOCCO1g8qRUZFjgVAUBKkliZhLE2fMlfS3n3W76aX762aLlGhpyv18t9enk7fLQl1T9rzwY3 gK18QaPq1vq1ldtavGyQXZ3xTagljlVigkkMhlLKkewF3TGVXdIvLRf8FDfBjR+Er+fT/Flh oPizRbvWI7m58O6iLqzW3a2DebbJbs4h23BY3OfIUIPnIYGuk0/9jnwnpVvrUVtLrEMWt6tp erMgnQraHT54riCCEFPlhM0bO4OWZp5iGBYbU8M/si6P4e8OW2mTeIPE+qw2OgX/AIZtXvJL XzLewuzCTGDHAgJjECKjMCcZ3lzyD/aE+nX8tFv3/K+3uuo/V7a33/D+r/l5nTa18d9A0jx0 vhpP7XvdYksxfD7Ho17c2UMbLIyedeRwtbQFhE+0SyKTxgHcufPvh1/wUH8AeN/h9o+rzvr9 lqWq2trMNHh8O6pd3kzTxSSD7LGlr5l5CBDN+/gR4sRMdwFdF4o/ZX0zxf8AFrw94su9e1wS +GbQ2dlZRW2nIioY2Rh9p+y/bQrZDNGtwInKLuQrlTn337GejqPC0+keJvFnhzWPB2j22h6X qti1nJcxW8KSx/MtxbSwuZFlYPujI+VSoUjNNvEJyata+np72u630/PTVGcfY8qvvZffpdbe v5eateLP20vAXhbQby/jutc1oWWg/wDCSyRaRoV7estkVkZGdkiKRM/lSBVlZDmNwcbWx6L4 Q8VW3jfwzZatZx6hDa38QmiS+sZrG4UH+/DMiSxn2dQa4PQP2T/DXhzwtr2kQXGrm18R+Hof Dd4zzoZGhj+1ZmB2cTO13KzHlc4woAwe78GeH5vCfhWw0241bUddmsoRE1/fiEXN1j+KTyY4 493+6ij2rWn7TmftLfL1d/wt0X6KJ8llyed/ujb8eb8DTooorYyCiiigD0j/AINzP+TI/FP/ AGPF3/6QafX35XwH/wAG5n/Jkfin/seLv/0g0+vvyvznPf8Af6vqfcZV/udP0Plf/gtf/wAo yfiX/wBwv/062dfG/wABv+SG+DP+wFY/+k6V9kf8Fr/+UZPxL/7hf/p1s6+N/gN/yQ3wZ/2A rH/0nSvqOGf9xf8Ajf5RPn8+/wB6X+Ffmzn/ABR+0fD4Z/aL0bwGdJlmttRt0+06ss+I7C6m W5ktbdk28+alnc/NuG0iEbT5oIm+MnxY8UeEfHfhrw34S8NaD4g1PxBbXt4x1fXpdJgto7Yw A4aK0uWdmNwuBtUDaea5Dxz+w5YeOPE2ueJZPE3iK28Xajrtprdldw6nfR6dYtaNB9mjfTku VtpwqQBWZ13MXc5XgDr/AIx/CfxR4u8eeGvEnhLxJoHh/U/D9te2bLq+gy6tBcx3JtycLFd2 zIym3XB3MDuPFeivbul73xX6W2ettdLrVPpZKzb1OH9z7TTa3W+/fTWz0a690loZekftieG4 /A2majrtlr+k61eXN3YT6DZaTd61qNtc2knlXQEVlFK7wxvt/fhfLIliJKmRRVT/AIaxPiT4 3aN4X8LWHh7WtN1TSrTWlvrjxCLO61C0nd1M2n25hdbxYVQNKTLFsDqBuJANW1/ZT8QeCDo2 qeEPGtlZeLbaPUE1bUtb0NtTt9XN9cJdTv5EdzbmFlmjXy9shVI8oVfhhBrv7H+q6j4T8N+E IvFekz+BtDFhK9tqfhwXWrLc2sgkNxa3iTxJbyOQDuNvIULPsKghVE8T7vMtdL2263te7ts+ jW2t3JDVG0uV97X330vpa9tN2uunwnoHxJ/aD8N/CPW4LLXR4jtxNEs7XsHhvUrvTbWMsV3T 3kMD28AGCWMsi7V+ZsKQa4rxl+3n4M8Dal4rtbvSfiFNJ4P1S00m9a18H6jcRTS3BhCNFIkR R1/fL33MOUDh49+R+1h+wwn7T3iie/l1Lwskd3pS6Z/xPPC41u50gq8jefpsjXEa2crmQeY/ luX8qLlSgNdB47/Zk1jxRf8Ajg2PifTbGz8W3GnapBHPor3EtjqFkbXy5GcXKCW3YWsYMQVH yzESjIAUpYrWyW7+7p1/ptbaspRw91dvp+l+nr93mdHeftNeFNL8W2ejXo8UadPfGBYrq+8K 6pa6dvmRWiRr2S3W2R23KuxpAwkPlkB/lrm9R/bc8HrZaBqVm183h3VtTksrjWdS0+80qygg XTry++1wy3ECJdQlbQgPCxTEgbeRgNxvxR/4J8D4wfFIeItb1bwjePcX1hqNzdTeEzNrMDW4 hElrZ3z3RNpZyeUzeSsbMrTynzG3HOtqX7GWs/EPwB4Q8NeN/GWm61p/gbUob7SrjTNBfTL4 CCxubWF3kN1Kv2lHminWWNI1DwcR4b5Xz4nlleOt9PNaea8/XvHS4o4fS76O/ryu1tP5renm r29G8TftGeF/CUHh43b6+1z4pg+1afY2vh3UbvUGhHl7pJbWKBp4EQyxh2mRAjOqsQTiotN/ ac8F6v8AERvDEGpXp1L7VLYRzvpN4mnXF1EGaW2ivmiFrLOgSTdFHKzgxSArmNwMrW/gz40k 8TeF/Eel+NNCg8TaZpDaNrVxf+G3ubTWY2eKQyJDHdxNbyB42IIkdcSsCrYUjM8Mfsu6xovi 3TobvxZZXfgbQdcu/EOlaRHoph1CO5nM7eXPe+eyywxvczFVWCN+Ig0jBW8y5yr81opbv7rq 3W+13stdNFq8uWlytt62/Gz8u9lvtr5LW8dftXeGvDfw307xBpk39snXdG/t/SLfZLb/AG+y ElqjS7mjPl4+2QHa4DHf04bFTUv2xfDDfGPw74K0lb7VNR1nXLnRJ7g2F3b2Vu9vaXM83lXT w/Z7l43txE8cUpZGc7sFCtcTZfsJ65NpGnaVqXjywuNH8N+HZvC+g29t4eMD2to9xZSq9xI1 05nmC2MaFlESnJOxT16Xwt+ytrvh/wAb+HJJvGdnceFPCHiG+8Q6VpaaH5d4Xu471HiuLozs siob59hSGMgKA28/NRzVnUjpaL320971/l3tfXsayjh1CXK7uzt62dune29vRo6/xb+0n4X8 DeNG0LVF8U2t2HSMXP8AwiuqPp0kjqGSNL1bc2zyOSEVFkLNIwjALkLXjHhn/gpK3iCz8JXM /g2bSLPxXf3ki3eoJrFvbafpFsFMl7PK2lhElAYkxk+QoXLXQFdD8SP2FU+IX7QEXjWTU/Cz eXrWn61HPfeFxe67Zm0aE/ZLXUWuB9ntH8okxJDkPNK247yDqav+xVZeJfhfoHhTUtcmlsNI 8P6poFxJFZqkl0l9GiGRdzMqFAuQGDhs88cHmnLG8vPFK6vpprrFrW/X3l/wbFRWF5lFvTS7 7aO/3O39XNk/tqfD+O0Z5bnxTbXfnRwRaZceENXh1W7aRZGUwWL2ouZ02wzEvFGygROSRtOL 3gH9qbw38RvEni3S7HT/ABpDceDFV75rzwtqFsswMMc2Id8IMkm2QYiA81uqoVIY+XeCP2C9 U+Guq2Ot+G7v4L+E/FOkThrS+8PfDA6ZBdQNDLFNDeRJqG6cHejoUki2NGfvKxWvXfh58LNZ 8GfEjxNrV1rmmX1l4pS2uLq0i0p4JY76K3it3kSU3DgQskIIiKFlJOZWHFbxeIe6S3/LTr30 f+WplNUV8Ov/AA+vTt/XQ4DS/wDgoT4R1eHwdfppPjCHRvGOlX+pQNL4c1FtRRrV7MeWtjHb vLMrLdlzLHujUQsdzDJXtvFv7VvgbwXBp8tzqeoXcGo2EerLNpejX2pw21nJkx3Vw9tDIttC wVyJJyikRyEH5Hxi/B79mTUfhrqXhCa/8SWWqx+C9F1Lw/Ypb6S1oZbW5lsniMpM8mZYxZ4Z lCrIZMhY9uD57rX/AATcsbmz8JmM/DLxDfeH/C+n+GLmTxr4BTxBFKlmH8ua2T7VC9sz+a+9 d8isBHgAqSy5sTyLRX0+XxX6/wCHbv13NeXCvdtWv89dOnb7/LY+n4ZluIVkjZXRwGVlOQwP Qg06orO1SxtIoYkjijhQIiRptRABgADsPQVLXc7X0OBXtqFcb+zp/wApqPg9/wBgK/8A/SLV a7KuN/Z0/wCU1Hwe/wCwFf8A/pFqtc+L/wB2q/4JfkzfDfx6f+KP5n67UUUV+VH6EFFFFABR RRQAV+HH/BNz/khuq/8AYdm/9J7ev3Hr8OP+Cbn/ACQ3Vf8AsOzf+k9vX2XCnwVv+3f/AG4+ Y4i+Kl/29+h6B8TfjVqPgf4n6L4esdCttSgvNLvdb1G7m1BrdrO0tXgSTyo1hkM0x+0LtQmN TtbLjjPC+Gv2ytakt9LOv+DdN02XxAmi3umJYeIGvw1lqN6lqrzsbaMRTJ5gby08xHwQsvBN e5yaJZTazFqLWlq2oQQvbxXRiUzRxOVZ0V8bgrFEJAOCUXPQVymm/s3/AA60Pw7rmk2ngLwX Z6T4lbzNYs4dEto7fVWBJ3XEYQLKcknLg9a+g5aykpc10rtra+r0vbTS2vSz0d1y+LzU2rW/ rvv66dbra2vDt+0z4i1H4w6Tpmn6F4cPhhv7eXU7q51eVb6P+zbqGBngjWBkckSZ8tmXOT86 +X+8P2Y/2sNZ/aQ07WLgeB7/AEKOKwh1HR7i8h1S2tdSSYOUR5bvT7cLINqFvs/2lAJMq78Z 7fwh8Ivh1d+GvDFzoPhjwVJo+jH+0fDsun6bam2sTKufPtCi7U3qc748bgepq78Pvgd4K+Eu o6jd+FfB/hfwzd6wwe/n0nSoLKS+YFiDK0aqXILMfmzyx9aUKVdPlnPS3zvbfbv06W63tGqk 6Vnyxs7/AIX2+7Tz8ra+W/CH9qHxr410n4dxar4V8Iw6j4u0GbxFqNxbeI5hZWFnCbZWZN1o XaVjcg+UcKuxgZjgE8t4M/4KAeK/Hfia38O6f8OdMfxBqV1bRaf9o1fVNO06eGa3vp/PM95p EEpULYvgwwTI3mJh/vY9vsvDnw7+CT/6NYeC/CLQ2l7qB8uC2sDHbb4nvZ+AuI95haV/u58s sc4qv4T+CXww+DN9ZyaF4R8B+FLnULwG0aw0q0sXubnypQPLKKpaTymm6fNsMnYtQoVmknP1 23v007abb307U5UrSah6b2876/1+fkPxc/bh1zwx8OYdZXwoNI0bVfB8+tpqkmqSxzQ3i2s0 ptbd/wCz7izMoZECG5ljLliVhkClTq337UHivSPjRNpesaTplt4bsfFH9k21xpWqma9uov7A m1Ii5t5LTGDsyPJmRt+1clUbzfT9Q/Zn+HGra9Hql18P/BFzqcVm2nJeS6FavOlq0bRtAHKb hEY3dCmdpV2GME1qn4ReE28cjxOfDHh4+JQEA1b+zYftwCI8afvtu/5UkkUc8K7AcE0vZ4h6 uWuvp5adbadV5t21r2tBKyj0f3tK33av8kjwy1/bc8a3niLwloMfw48PHX/H1tDqWhxDxe5t Fs5Le4n33cwsSYZQsGNkUcysW+WQhSa0Pil8c/G3i3QfgtfeE4oNCtPG+oibWw2oRLdW8Mdl NdPbRmSzuI3U+VJlsRsdiqrR+YZI/WPBvwC8C/Dq/kuvD/grwloVzLdG+ebTtHt7WR7go6GY siAmTZJIu7riRhnDGtlPBOjR22nQrpGmCHSCTYRi1TbZEo0Z8oYwmUd1+XHysw6E0OlWdO3P rv6a3S2V+z013sk7GaqU1K/LpZr701fd+q7d3ueGW37Y3jDU/BGhapaeAPD/ANp1bw5N4xmt 7nxZJDHa6UiwsuJBZNvuz5pzFtES7eZ/mFWdQ/a28Zav4rgtfDHw80fU9L1DV00Kxu9T8Tvp 80ly+mjUd8sK2cvlwiIlCwdpN4wIyp3V6l4r+A/gfx5pGj6frngzwprNh4eKnSra+0i3uIdM 2gKvkI6ERYCqBsAwAPStv/hEtKF6Ln+zNP8AtAuzfiX7Mm8XBi8kzZxnzPK+Td12/LnHFX7O q5yvPTpt39O2nqr9eWK56fSPfvvbTr3/AAdt1d+Xa9+17aeDfg/4P8Z6zolza6d4nspZZo4J /Pexuls5LlLYYUeZ5nkyxo3ykv5Q25k48z/aJ/bt8VfD6DxPotv4atdNvIdBv2ttYs5dQvRp epRaPNfiORpNMXT2KNEV2C7dz8pMXLKv0tffD7QdT8P2uk3OiaRcaXYywz21nLZxvb28kTh4 nSMjarI6qykDKkAjBFYus/s6fD7xF4yvfEWoeBPBt94g1KBrW71O40W2lvLqFovJaOSZkLsh i+QqSQV+XpxUyp13K/No/wANOnXf8LW630o1aEJKUo3t+Lv+Vvv1+Xhnjr9sHxZZ/BrxK/hj Tbe81zTLLxRqU9/rGrRWv9nW2nX89qskCpZtHO4KqUhkVFCqoknZjvbr/jv+054p+Cmp+HZb bQNB13Q7nwze6zqT3GqyWd+Zbc2qhYVEDxEE3AzvZRgs2UEeJPR/E37PvgLxrb2MOs+CPCGr RaZdTX1ml7o1vOtpcTOZJZow6HZI7kszDBZjkkmtDxZ8KvC/j06f/bvhvQda/sgubH7fp8Vz 9iLpsYxb1OzKfKduMjjpSdKvyu0tdP18n3Xe7W6Tso56V17unvfja3XW1n6X26vz+P8AaR1v Qfh58Qr7xD4U0+28R/D63+03Gm6VrTX1peq1uJ4ljupbeAhyMhg0Q2nByQQay/Cv7Tfji4+J Q0LxF4A0DSbOHWx4fvL6w8VPfGO4k0/7dE0Ub2UXmR7CqOWZCrn5VkUbq9O8JfBnwf4A8GT+ HNC8KeGtF8PXRdptLsNMgtrKYuAHLQooQ7gADkc4Ga1H8I6VJetctpmntcPci9aU2yF2nEQh EpOM7xGAgbrtG3OOKqdKs9p/1fX8NOney2JU6fK04662f5f1+J80eDP25PGl54F0y4j8Af2i 954bsNY06S/1S9N7rXmw27zOBaaQ0EpjEkzMlp5k/wC6B+yor/IzR/29PEep634hg0bwppfi OTTLefV7zzPE3kWdjbW2naXPPFbN/Z6zO+++ICTorb0k3vECsaew3P7GnwfvHuWm+FPw2la8 hS3uC/hmyYzxJs2I+YvmVfLjwDwNi46Cul0X4MeD/DcLx6d4T8NWEclqbB1ttLgiDW5iihMJ CqMxmOCBNvTbDGuMIoEqGI5m3Lvb9Oi8r6d7W2N3Vw3M2oaf8N5+v3o88/Zr/ag1/wDaD8b6 9A/gg6L4W01XNlrL3N4TqB8944wqy2UUEm5IzIXtri4jXcg3ndmtH9t//k17xP8A9uv/AKVw 1X+Av7F/hj9nv4ja34n0m81C61DXEkil8+y063Kq8olbfLbWsM1y2QMSXck0gAOGBdy1j9t/ /k17xP8A9uv/AKVw11YTn5Ie0+Lr977abW2/F6vjxHLzS5Nun3f5n6j/ALC3/Jkfwc/7EfRf /SCCvVK8r/YW/wCTI/g5/wBiPov/AKQQV6pX5Zif40/V/mfoND+FH0R+WX/BVT/lL58L/wDs R/8A2pq1UfH/AI60z4YeBtY8R63c/Y9H0Gyl1C9n2lvKhiQu7YAJOFB4Aye1Xv8Agqp/yl8+ F/8A2I//ALU1aqfjnwXp3xH8Gar4f1eFrjS9atJbG7iWRo2eKRSjAMpDKcE4III6g1+i4Ln/ ALPp8m/Lp66nxWK5Prs/abc2vpoeHfD/AP4KX/Dzx/oWtain2m0tfDj2jarKmqaTqcWnWtzI 0SXk0the3EaQq6kSbmEiA72QJlxs6p+3BpdlY/aLbwR8QNTig0GDxRe/Z7O0VtO0yZ7kJcyr LcoSSts7+TGHn2suIywdV2pP2Xv+Ek8IXPh/xh478Z+PNDu57aWax1mPTI4po4WLfZ5PstnA ZIZDs8xJC28RhSdrSK/GS/sKz3PjK8iHjvxjp/hOXwpYeF2gtb6BrzVLaG4v3kt7l5bZyI/K uYo0lhZJ8B8yAnc1P6yo2W/Tbs9/K/Lezv8AHbeKSh9X1cvLb1je3W9uZq+nw32bfYeJP2nr Dwbe+JJZodQ1q00240e2srXTNPUXE76iVjhVXecLJukZeSsQQHndgtXJ+Nf+Ck/w9+HPxWh8 H64ZtK1RJbO11IXWraRE+j3FykbpDJbtei5mKiaLdJawzRDcf3h2Pt9D1n9nDQdZ1W+ujLqN v9uvtIv2igeNY4m02RZLdEGw4QlAGGSSOhXrVfVP2dvO+Ieoa5pfjLxb4ftNcuYrvWdFs10+ XT9XkSNIWMn2i1lmj3wxRxsIJYxhMjDkuamq937N/adr9tLX8t72u9FZbmdN0eX95vbp362/ S/zOZ+G/7W918UvjR4d0e38Ka7oHhnXfDmo6/bajrUEMZ1SKGaxSCa3MU8hSNkuXZkuEjlAM RKryDwngP9sTxhL8QVudbsXtPh8uh3njO81WXToJz/ZkkswsYofLu0mQ+XFGTutZ3kkkZQEX a56+4/YmOi+HDBpfjPxZqV3b6FP4T0r+17u3EWiaVcvbCdIfIt0Z5Eit18uSYvIWUB5COR3v iP8AZz8NeKW1NLqK5+x6r4cXwtLaRSiOKOzVnZdhUB0kHmHDBuMLgAjNQ41nKLi3pzb21up2 v0un7Pb+8tt9OajycrW9vlqr29YuX3Lrtx8n7a9vYeJ9P8O6h8O/iJpni3V5EFhoU8emtc3k TxXEgnEsd49sqAWs4IkmV1KjKjehZ2m/tw6DdeIdWgu/DXi7StF0nTtR1b+3rlLN7G7t7G4F tO0UcVy90W807VVoFZuw5GdLwl+yVYaH4/0nxXrHi3xh4w8S6NKrW2o6xJZq6wrb3MC2+y2t oY9g+1TOSEEjOV3Oyoqjyz4A/sM+I/BnjLx5beKf+EXfwl43tL621I6abUX2rPNOWimZ4tMt rmJkR5eZry8bdIMPld5G8Qpxj3U+3Re7fz79G00tLMVqLTf+Hv3963l266ps7Txt+21c+DvD F9NJ8LfHkXiGxm00nQb240uG5mtb26+zJdJKl3JBtEgZPLMgkDbNyojeYC//AG57XwdD8Qb3 xf4L8ReENG8BT2lq19f6hpZjvp7lLcxQZW6KwuzXCDdIwhVfmeVPmC7X/DIVpqXhzW7fWvGn jbxFrWsxWcC69fvYC/0+O0n+0W6wpDax2w2TZkJeFy5OHLqqqLWt/sqWHiG58QSXPijxWW8R CxuZ9jWaGDUbPyfI1KMi3BFwDbwkoSbc7SDDhmBbjiOj/LbX8UrX1tzP+W9iLoX95du/92/y vzW68v8AeOJ8Df8ABSXwt8VPItfCfhfxX4s1uY3e/S9Fu9Hvnt1tltWkZrmO/Nljbdwkbbgn OVIDjafTPFnx80/Sv2dJfiLpVvLrFhNpEeq6dbhhC175qK0CFjkJuLoCSDtyTzio/BvwDfw/ 4v07X9Y8Z+K/GGr6VZ32n29xq0enxbYLtrR5EK2lrAp2tZoVOM/vJMlht2nhT9nHSPDvwQl+ Hl3qOs674XbS49FigvpIUktrVLZLfYkkEcT5OwvvJLh3JVlAVV0Ua3spJv3mtOmuv/2r6q9y f3N013181f8Ay9DmvFnxr8Wfsy/DK88Q/Ew+GvEdslzBGlz4fa18PR2gkDBlm/tXUVhwrhFV 1uNzmUDyV2kmKy/bh0PxP4Y8I6h4X8MeLfGU/jOxvr+ystG+wSPHHZSxQ3O+aS6S2+WSVQGS Zkkx8jPld1+5/ZRm1LR7AX3xK+Imoa7o16l7pWvXJ0t73SysEsBWOL7ELVt0c8ys8kDyNv5f 5U26vw1/Zk0X4Y32g3VtqWvahdaBaataRzX08Tvc/wBpXcV3cSS7Y1y/mwrt27QAzAg8ETJV 25KGi6fdp3673+Te4XpaOWr1v+Pp5WtbrorEN3+1Bp99B4S/4Rrw94l8Zz+MNMXW7aDSVtI2 tbBvKxcTtdTwxquZUAUM0jHdtRgjEcZ4u/4KMeDPAPxI8TeFtZ07U7PVPDNnf3rxR6po13Pe JaW73LBLaC+kuot8EbOhuYYV+6GKsyqeptf2TrLw/pXgmDw94t8X+GLnwPo6aBBeWDWMsupW SiHEVytxbSxNzCpDIiMpZ9rKGIOXqX7DPh3W9SmS+8Q+LLvw41zqd3D4caS0TTrWTUYrmO7K slutw+/7XOw82Z9rN8uBxVVfbc16f97tb+757f8Ak1/s2Lh9XT97VaevW/l/wPMu/Gb9s3w7 8FvGMPh+70vWtS1m8XT/ALHb281japePeteLDEk13cwQiT/QZvkd1LFkCb2JUc54m/4KQ+Av Bfxas/BesRXel63JPZWd/Dc6rpCTaRdXSxNHbyW/237TMw86Lc9rFPECxxIdj7dI/sWStJq9 w/xV+JFxqOv2Nvpep3lzBodyb2yg+0eXbNDLpzW4j/0mXdtiBfPzE850Ph3+yDafB28sF8H+ NfGnhvR7YWn2zR7b+zp7LVGt4YoA0nn2kkse+GGKNlt5IVAQFFRsmpXt3U/u38tu3pbd73tZ Wu3H7nls97ee9ld/fey2tv2PX6KKK7DlCt//AIIL/wDJcv2nv+w7Yf8ApRqtYFb/APwQX/5L l+09/wBh2w/9KNVrzM6/5F1X/t3/ANKR35V/vtP5/kz9JaKKK/Nj7kKKKKACiiigAooooAKK KKACvyy/4Kqf8pfPhf8A9iP/AO1NWr9Ta/LL/gqp/wApfPhf/wBiP/7U1avoeGP99/7dZ42e /wC6/NHn/wC1Xrt74d+F1hcafeXVjO/inw9btLbytE7RS6zZRyISpB2vG7Iw6MrEHIJr548T /F/xrB47h8TW17Lc6N4NsvG+qDw9bTaiZNUuLDV2tYjJKb5UddrxkRyo8MYWUIiBozB9oUV9 lUoOe0rat/NxSX/gLXMvP7z5qniFGn7Nxvr+Gqa+ff8AzPjrwL+2p4z+IvgzwvrUnjL4b+H9 OPjddC1HVTbWF7ZXtvJYSSxxMtnrN2ltIZgEGboszPCdoGUk3dY/aN+IGneDtYn8LnwpbHRV 8Y6xdf2zBfaibpNL1d4IreM/alaLzEJy+5ki2gJDswi+/wDgf4z+HPiNql9Z6TfyS3FhdXNm yzWk1sLh7d1jnMBlRRcRxyMqNJCXRWO0tniupqI0ZNXU7+f/AG6kvxXN2fXq3TrRT5ZQ2auv RyuvV81r9LaeXyh8aP2xviB8CfBd/HrDeDptVt/EMGmnWYbCO10uyt5dPW8XzY77VbWPfvJi DG9j3ZDBM/uzq/ssftnav8bvjTF4f1XWPAbi50GLU00zQJbXVLi3k8uEyGa6ttTn8sbnYgNa iIrJEFuZW+99NUVUKE41XNzuu3yt3+fm9zJ1Yuny8uvf5326fotEfJes/tva5DqckU3xD+DX hMS61caffQ61ZSNL4IjiNz5a6j/xMYt8lz5KCMkWy/M2DL8obZsf28LixttPg12Xwtousa7p eg3WiWVzI0U2tyXd9Lb3T20bSB5Y1iSOVQoJjEoLlhX0P4Q8Z6b480Y3+k3P2q0W5uLMyeWy YlgmeCVcMAflkjdc4wcZBIINalRSoVIpe/f/AIbzb9f89LVKpC7vH+r+nlb/AC1v8Man+1T4 pS51Dwv/AMJrouizW/jl47ayv3nk17xHbP4ruYXWxlFwmyC3ghCOohmHlqynykwa9k+O/wC1 Prnw0+OQ8P2up+C9OihTTms9C1OCR9Z8ZNcztHKunsLiMJ5QAz+5n+YncEXBP0HRTjh5xilz 7O/4bb/ndeQ6teM5Sly73+V3ft8u/mfLXjv9uHxZ4a8C+M7yLQtNS68BTx6Nq9y6J9mt7+W/ aFZsT3VvGsCWixXTCW4jG28hBmTaxPJ6f+1z8Qfjf+z38UNRTUfCul2nhnwJe6j9t0Vo5rq9 uJF1KOGa3uLPUbmC18v7IjFRLcNuZhvQrmvtGsL4j/EjSPhP4Sm1vW5rmGwgkih/0azmvJ5Z JZFijjjhhR5ZHZ3VQqKSSelSqMoK9Sppa3bXv9708tG3ZNaU8RFVE4U9bp/itPml9+qtsfNu hftva+8/iI3eueBZH0zTNZvLnRrLT5LjVvBgsmKwy6kGvVEqygA4K2gy4xIUBkrzLWP+Ci3i /wAf/BjxRC/ir4feFbqOy1WOw1hoov8AioZYrS1eOy082Wr3MSXm65bDpc3DAouIMhlX7ml8 caba3BS4mlsgI7aTzby2ktoGNxIY4oxLIqoZS42mIHepdNyjem7WqZYSq7p1Olrffrve9/Py d46E0MRCnytwvZp/l5dV+d1rqeF/E34peIfCXxZ+Gmmr4v8ADuh6D4l0O+8+01KwMl1q97Et s0ccFx9oj2TFJJGUBH4SQlX+Ux+Ft+2x8TfgN8D/AARHr154V1SfX9B0jUIddmtFjj0uOeC4 JW9e/wBVtYriZjboBMbm33NI2ImICn7oorWrh5ylOUZtczv121037vpayVraszpVowhGEo3s rfPv92n49EfM/wAavFvir4z/AAE+EF9pll9o1jxVqEdxd6bpXje40GC+H9lX05jTUdNeY7C8 auoR3jYqgL4+euJ8FaR43+NPxZ8KpofifWLu20XwZ4avrnU7zxXqWlvZym+vxcu+mQCS2vp5 FtjFIty42mMfM3NfZ1FU8MnUc292n9ya6eu+66ND+sWpezS6Wv8A9vKX6W8+t9gooorpOYKK KKAPSP8Ag3M/5Mj8U/8AY8Xf/pBp9fflfAf/AAbmf8mR+Kf+x4u//SDT6+/K/Oc9/wB/q+p9 xlX+50/Q+V/+C1//ACjJ+Jf/AHC//TrZ18b/AAG/5Ib4M/7AVj/6TpX2R/wWv/5Rk/Ev/uF/ +nWzr43+A3/JDfBn/YCsf/SdK+o4Z/3F/wCN/lE+fz7/AHpf4V+bOI8e/tseGPhl+0Fpvw71 qzurLUdYntrezum1bSCtw1xhYitp9t/tAqZP3e4Wu0EMSdgLiXXP2zPD2k+FW1OHSdavmgsL /ULy2E9hZtpqWV4tncC4lurmG3iKyl/vS7SIZCDwAZ/E37JWm+JPiFca2PE3ivT7G+1qy8RX uiWjWa2F7f2vkCKeRmt2ufu20KlBMIyEBCg81Dq37GHhbU9X8aahHfa7Z3/jO/sdTM8U0L/2 Pc2cgnhktEkieNf9IBnZZFkVpHYkEHbXoL6xy6/3u19la3R683a6Svyt3jxfuLp+ne3n59tu t/K9P4f/ALZmg/GfwFoviDw3KYbe78UQ+HLuJ/smqbJXAbYJ7O7e25V428yOWYLkqULBlXld V/4KL6L8LPCPhe98cad9k/4SJZ5PtttqmlWtuixXckDBLa6vo7ydkVUZlt4ZSd4ChmOweieF f2WtN8PacyXfiHxPr17N4kh8VXGoahJbfaLm8iijiUMIYI41j2xJ8qIvfBA4rm9f/YM0DVtG utOs/FfjTQ7HVdMOkavFYSWOdZthNcTIkry2rumxrqbHktHkPht1O2I919b69vhh+HNzba21 EnRu77W/9uf/ALbb56eZn+Gv21rqfS9TGteGNa06Ma3ruiaf4gisoZNIknsri9WGIxm6Fyzt Da5ZtiQs+UEqEhRcj/ap1P7c+LVLu383Q0tYbXTh9q1A39tJK0eJLtI4WLKoVi7KmcHf94aN r+xRosOq3Bm8U+NLzRZdQ1HV4dCnubU2FpfXxn824Qi3ExK/aZtiPK0Slg2wuA1blj+yz4f0 +7tZkvNYLWk+lXCBpY8FtOiMUIP7voysd/qem2s4wxLXvOz5ofcr8/lvt3VubW46sqPO3BaW n97+H5W37O9tLHLfD79uXTvEXwttPEXiHwl4k8JT3nhybxLb2NxLaXTX1vC0SOtu8MzB33Tw hVcRsfNTIGTjpfil+0/Z/DHWrqzXwt4t8Q/2Ppqavrs2lRWrR+H7R/M2yT+bPG0hIhmby7ZZ pMRH5PmTfy2ufsVxTWHwz0i31zUL7RPAfiH+1CdRkiFwLFInMWnp5EMayQi4W1c+blyIAWdz iuq+K/7MNl8VPFF5qQ8T+LPDsetaemk67Z6RNbJBr1ojSFYpjLBJJGQJpl8y3eGTbIRv+VCu n+0OGm/n6Xu/K7UXbX3W1ug/cc+u3/BtZedk2r6aq+zMT4ffH3xZ48+PXjzT4vDk48G+EdPh Niy29qbrW7mWJJ0aOf7fhFeN8LHJboOjNMhzHXMeGf24/EXilPh9fQ/C7xSY/Gmgalqx0W2m sLjUc20mniOSOY3cdsICl1KT5rJIxVAFUkK3tvhH4Y6b4J8R67qVj56v4ga3aaElfJgEECwI sYCggbEGck89MDiuX+GH7MWmfC+/0CeHW/EOqf8ACL6ffaRpiXzW221s7qS1cw/uoYywj+yR hGYl8M+9nJBA6ddO0Jae9vbu+W/nqvJJdNBQnT3mtdNr/wAtvz17nB/Fn/gpr8M/hEmgveXb 3Sa7olv4iUjUtMsWtrGfcYpTHe3UDzkhJP3dss0g2YKgvGHpftJftda58N/imNK8Pa/4CjUe G7fXtN0LU7KafV/Gc0k06mzsCl1GVkZIUCkQTkNKCVxxXZ6d+yBb+EdP0GLwn458ceDptF0K z8Oy3Gnf2dcPqtraBhb+et3aTxh08yX5okjJ8wg5AQL0fxE/Z10L4n3fiCfU5tS8zxFo1vos zQyqhtlgmlnhuITtyk6Sylw2SAUQheOanGs5XT0Um100tKy31+zv1vdNF3oRdo9lv3vG78tO bbpazTOD+If/AAUV+Hvwy+N48B6lcEapFd2theSjU9Mi+xXFyIzFGbaW6S9m4miJeC3lQbzl spIEveE/26fDev6Fb6zqPh/xh4Z0DUdAm8SaZqeqWkHk6raQpG8vlRwTSzLIolTCSxoZMkx+ YOa6Sf8AZ6ms/iFd6/ovjnxj4fj1W5hvNV0q0XTpbHV54444jJJ59pLNGXiijRxBJEMJkBXJ Y8H8E/2Ebfwv8JNG0Lxt4l1/xZLZeFP+EaFlLdRfYNISWKNbr7G8cEU53NEuySdndFUBCgJB zX1nVPf5W2f4Xtbr/MCWH5U3/d9fPpb1/At+J/299K8CXNrp3iDwP430DxNqdzbW+naHqM2k QXGoi487ynjuDffYwS0Eq+W9wsxYACM7lysX7YepW37TVp4Bn8E6+0V9paapdXLNYQf8I2vl xNIlw321xcbfMy7QrhMKE8/JZb9z+x5cX9nfm5+KXxEvNU1W2TTr3Uru20O5lurBBJiyaGTT mtvK3SyMxEIkcth3ZVVVXwl+w/4Z8BeKdB1bRtX8R2EuhWEOkiBXtZYL2yjhSI20qSQNiNxG hPl7GG0BCi5WlJYn7O9+trW10dvk5db35VZK83ode3nvp+t+Xytza7Rx/tx6FbeHrvWNT8Le NtF0b+xbnxDpN7d2tsy+IbG3VHkkt0ineVG2SRusdykMjB+Fyrhdy2/al0xJp7TU/D/ibRNZ huNMgXSrxLVruZdQneC3lTyp3jKbopS3zgqsT5GRisSx/Yf0RfDV5o+peK/Guu6Z/Ylx4d0m 3v7i0I8O2M4VXjtmjt0Z22RxIJLkzyBYwN3zPv2vHP7PZ8a/tLeC/G7XEcFn4T0y+gaJZG82 7uZdiW7sm3YVhR7sqSSQ0/A6mtv3vNG21/K9vebv0vslbT1JfsrO2+ve19Ledt79fRHqFFU/ D2mTaLodpaXOoXmrT28SxyXt2sSz3TAYMjiJEjDHqdiKvoBVyuo5grjf2dP+U1Hwe/7AV/8A +kWq12Vcb+zp/wApqPg9/wBgK/8A/SLVawxf+7Vf8EvyZthv49P/ABR/M/Xaiiivyo/Qgooo oAKKKKACvw4/4Juf8kN1X/sOzf8ApPb1+49fhx/wTc/5Ibqv/Ydm/wDSe3r7LhT4K3/bv/tx 8xxF8VL/ALe/Quftc+CfGPijxDpsuiWHjrWNMTSruC3t/C/iVdDey1RmjMF1dMbq2M0CqGGz MoBJzC+Rjpfgf8OPE2heL/GWs+K9Q1e81G9uorfT86tK+n/ZVsrTe0NoJPKiJuluTuMYk5Iz tIFepUV9DHCxTlK795Nel+q8+l+1lskl4cqraUf66f5X9bvds+XPCHwK+KF1pfh3Uta1Txom u+HvDnheKGFPFTrbzahHO/8AaxuIkn8q5YxbAxnDq38GWyad4y+G/wAX7rwL43tJF13Vf7Ll j0vw1Faa5Jb3WpWrX5uGvS8N/ZO0sdu1vBtkuoGY2053FZsP9Q0UqmFjNttvW+nS7er+7T08 0mtvrcr81l0/Dp6X1fd37u/yLpPwT+L0vwk06SeHWR4usfA3jLSra5l1VVvrW7u7u0k0yPzn vblw/lw8ObqbYYxumzgnV8Y/DTx7L+0bp/iCfwv478QL4f8AEJ1aC7t/E1sujzaaNLlhS0hs Jb1EW7+0ScyPAmcsTPtOyvqWiq+rx5oyu/d/Pm5r+t+u9rrq7p4qTjyWVve+6W69F0XT1SEU 7lBwRx0PalooroOUKKKKACiiigAooooAKKKKACiiigAooooAK8o/bf8A+TXvE/8A26/+lcNe r15R+2//AMmveJ/+3X/0rhq6fxomfws/Uf8AYW/5Mj+Dn/Yj6L/6QQV6pXlf7C3/ACZH8HP+ xH0X/wBIIK9Ur8nxP8afq/zP0Wh/Cj6I/LL/AIKqf8pfPhf/ANiP/wC1NWrmvj/47v8A4XfA rxn4l0uCC51Pw9od7qVpDOjPFLLDA8iK6qQxUsoBAIOOhFdL/wAFVP8AlL58L/8AsR//AGpq 1TXFul3A8UqJJFIpR0dcq4PBBHcV+jYFSeApqO/L/mfF4mUY42Upq6UtV32PBvjJ+1H4g8K+ KvEuj+HE8NXd3pln4VNqbsSOsdxq+qzWUnneW4OxY0jdAADySSwIAytd/ay8WfCax1ZfFC+H NXfw14guPD2oXunWEthFcyvo8eo2TxxS3Mvl7nkW2ZWlfe8iFSudtew+Ef2e/APw/wBIew0H wP4Q0Swklhne2sNGt7aF5IZfOhcoiAFkk+dTjKt8wwea1tU+HHh7XILyK90HRryPUbuHULtJ 7GKRbq5h8sRTyAqd0ieTFtc5K+UmCNoxs6U3d82/4K8Xp5pKSv57dDKFWnFWcb2/PlSu/V3d vM8Htf2tPFWtfDTxHexJo9prXh5dN0F/s+jy6jHP4jlungubOKJru23R5NuqGSaJUM4Z5Nqm qPg79qX4m+MfDek6O2n+G9E8a3PjqbwfeT6np263tkTSpdR842trqE6hwFVPLF64bBJaMttT 6Dv/AIYeGtU8P6vpNz4d0O40rxBLJNqllLYRPb6lJJje88ZXbIzbRksCTgZ6VX8J/Bnwf4D0 2ys9D8KeG9GtNNuTeWcFhpkFvHazmIwmWNUUBH8pmj3DB2ErnBxUxo1HJupLRrpprdN27acy umtGtE1dntaajZLXW3/gNlf52bXddbnzZ4b/AGr/AIl2OqfELxBq9/4X1PQ/AHhe+vJ9Es9F ktHv7yyvtTs3kjuXunMKSPYhyHWQIjBfvK0j6Xhf9oT463mu6N4c1zw7oHhi+8X3yW+j6/q2 k262cYS2ubmeM2VnrV2877LdNjfaYAfNY7T5eH+g4vhB4Sg8RWurp4X8Opq1j9p+zXq6bCLi 3+0uz3OyTbuXzXZmkwfnLEtkmudsf2P/AIS6Z4e1HSLb4XfDq30rV3ilv7KLw3Zpb3rxFjE0 sYj2uULMVLA7dxxjNZxw9VWvK/z395vtfZpKz0tbYudek3Llja700vZWSXlpZt6O99ddTyb4 PfGbx5efCzwbaWmr+HL/AF/xb478R6RdareR3GoWVvFb3WqSqbeMTI7IBapHGhlAVCBn5Rnf 8M/tFeMtT8WaFqc8vhGTwt4n8U3/AIWtdEhsp11ixe1+1qZ5LkzmORs2bM8At02LL/rW8sl/ Z9M+H2g6JbWENnomkWkOlTSXNikNnHGtnLIHDyRgDCMwkkBK4JDtnqapaV8GPB+hfEO98XWX hPw1Z+K9Sj8q81qDS4I9Ruk+UbZLgKJHGETgsfuL6CtJUajatL+vd6ba2fpzX3SM51YS53y7 3t83J/heP/gNurPAPGP7W/jHWPgb4eutHu/DejeJ/EPwq1PxrcSNYvc/2fd2yWBURwtMMRk3 FwoEhbDImdwVla98Sfjd45+F9zo6ifw9rPim/wBD0qNrl4b2002Sa81q2s9/2QXMioFS5J3A lyV+9t+Qe0+GvgJ4F8Gapqd9o/gvwnpV7rXmnUbiz0i3glv/ADSDL5rKgMm8gFtxO7Azmp9J +C3g7QNJsrCx8JeGbKx0xI47O2g0uCOK0WOYXEaxoFAQLMqygADDqGHIzQqM3UU5vrqk3/f0 Xb4oq/XlLnWptJRjs/v96L1+UX958z+Pf2uvi5oPjXVvAukx+GdW8X+H7ma3e9svBGq6hZap I0OnzW0ZhgvCdPUreuGnuJ2iJgY/LyB6X8dPEXjOz/aQ+Hmi+G/E+gaHdan4b1ya5bVrWe50 +d4ZtLIcWcdxCZJFVpduZgY0eQ5bkM79o7/gn/4F/aY8Vw6zq6yadfCN47mS00vS7hr3cI13 lru0naKYJEiCaBopdqIN/wC7j2+leP8A4KeDvizplvZ+K/Cvh3xTa2qlIYtZ06G/WMEqTjzl bqUQn1KqT0FZU6Vf2dpP3l5vXRpPy3XrbXXVt1aSqKUdrdlo2tfXW7126dl843n7Zfxb+IQ8 PxfD/wAC2mrXknhOw8SajHFDa3cN2909wiRxSXGp2LQQn7MxWcR3ORKCUGwCSHwz+0p47+Ff geXxB4i1jQ4/DWq+KfFelQpdaZd6nqWjvbS6tdRyySJcqs8Ma2ZhFtHGp2hNsw+6Pov4hfs+ eAvi5FpyeK/BHhDxOmkIY7BdW0a3vRZKduREJEbYDtXIXH3R6VrP8N/DsljDbHQdFNtb3M97 FEbGLZFPOJRNKq7cB5BPMHYct50mSdxzf1ep7z5m272+b8ttNLa23WpX1ijZR5LLT8Itbu9/ ed+nZ3Vj5h8N/t1+Ofh5rmqRfE/Q7HStO0BoH1Of+z4bC4gjura7ktT5UGp6ggzNZ+Vkzbna 6jAjTbuk6C1+O3j2Hx5D4a2+G9G8YeJpdJtZby/S9vNM0yd9MuLydVtTdJuY/ZzGiRyQ7iWd mcptb2Pw9+zb8O/CPhy50fSfAPgvTNIvXikuLG00O2htp2ik82JnjVArFJPnUkfK3Iwea0/G Xwg8J/EbTNQsvEPhfw7rtnqxia+g1HTYbqK9MXMRlV1IfZ/Duzt7Yo9hVtrK+q8tEtVfu+/4 LW+Xtad7pW0f39Hb9DyL9mv9oPxx8Z/i5r2h6g/hCLS/BS/Z9RurKxuC2tz/AGu/tfMty05W 3jDWasVbzyCZI9x2+ZXv9c7a/CHwnZeHZ9Ih8L+HYtJutPj0meyTTYVt5rOMOqWzRhdphUSO BGRtAdsDk10EMK28KxxqqIgCqqjAUDoAK6aUZRioyd337vvbp6IxqyjKblBWXbsvXr11/pOo oorQzCt//ggv/wAly/ae/wCw7Yf+lGq1gVv/APBBf/kuX7T3/YdsP/SjVa8zOv8AkXVf+3f/ AEpHflX++0/n+TP0looor82PuQooooAKKKKACiiigAooooAK/LL/AIKqf8pfPhf/ANiP/wC1 NWr9Ta/LL/gqp/yl8+F//Yj/APtTVq+h4Y/33/t1njZ7/uvzRwP7V3wouvjb8EdT8N2ek6Pr M1/JCwttUvltLb5JFcOxezvIn2soYRy20kbEDcK8avP2JvE1/qfhue50T4aXN7Z6XpFlHq6O 9tc+CGs5WeUaTClp5bCRSASrWgYjlNm2NfffjX8TLn4XeEre60/TYNW1XUtRtdKsLW5uzZ28 lxcSrGnmzCOQxxjOSwjc9AFJIFcL4p/aT8X+EtX120m8C6Tdt4P8OW3iDXfsfiCWVl843GYb NPsYa4KrayHLiEnKAKSTj6ypCg5SlPvr2uot9v5Xq99tVofNQdVxUIrp+bS29VZdN9NzhfBH /BPLRfAXifwrdQ+AfhZd29neeIF1Q/Y1tpobe/uxJbzW5W2bfNFAgh2sYwFdgsmBg2vhD+xx 4z8HeMtIvtc1/SNTtgitq6tLPOb6awha00p9jKq8wuZp/u/vo4wu4AvWx4h/bU1a9Ly+EPCG k67YC11nU47zUPELadDc2WlzQ280sZW2myzyyP5YOEZIwxkXcBRbftZ+L3ufFUq+EvDl3ZQ6 3pejeGk/tya2uLqS+gtJY/toa1ZbdALgsXQyHI8sRuQHfKEMMmlG/To+ukdLb8yfL9pSul2N qk68k3K2t+q73l8tVfpZK+h5v8G/+Cd/iXw54Y8SaZr9l4DttP8AEWo6BcXWmad9lFhdR2V8 893uitdKsUxLE/lhJUmZgNrylenWaX+xZr+h/tpwePIW0Y+HbS4RrF7e5srO7020WyFutisX 9kvcNbggny11GKP58+WCuGu+I/23PFljqGiaNpPw3t9b8TXOoXWm6raW2q309pYSw3MUG5Li 302b903mFvNuktUHluNxZWAveI/2w/E+lfD2bxBbeCtGnWbxBd6Jpdl/a2p3d5fpay3MM0xg sNKupVO633BVR12Nl3QgKSEsLCEa0Xotb66/Cu3p9+mjYT+sTlKLXxaW7b+fk/u11scXp/7C Pii3vvFzafbeCPB+pavbeII08T6RdSTavrp1G4eWCO8VrRAkcAZQP3lxgou1QuQangX9gzxH 4T+Flvpd94Y+H3iO3t/ED6rL4R1bU7b/AIR6+RrPyA+LTQ7WGKRHw4X7FJuYFi4Ygr2Wsftz azN4Yg1rS/Blm2iReHNG8Q6rcXWtPBd2UepvJGkdvb/ZW8+SMxklZHh3ZUDklRieDP2yvF1j +z3pGq+NNE+w6n/Z/hjVBeaRqkVzNqltqF9FbSPLG9oI4JT8xaGNXG2TakyNh1z9nhYTlBtp pRXl8Ta6W+y/JpXV3dmn+0Ts7bv8ZWXe+vMvS62Vkcvpf7AXj3R/i/rPi2y0/wCG+lO12t9a 2WnzW9lb6k8eq2d7DHMbbR4Z4wI7Z0LzTXrBpCQOWz0njr9kHx54+m8K6hcaL8N08Qabr1/r El7c6h/aUGii6vBNtgguNMZpnVQjeZFLYyl4lAkVSa9X0r9oLXLH9nfUviF4i8NaRYWy2C6p plnpuuPftd28kavF50j20KwuSwDBfNRRk72Arjvil+0B8U/hv410PzPCfhW4KeGdZ1vWdIt/ E0htY4rSa02SxXb2CyyTbJHAiMUcZMh3SDaDWsqFCm1SldWu+unV3e6b5bPW6t0XMzOFWtV1 hZ6+Xa3o93bo79dEZ37Ff7HXin9nu38Wx6ze2Ftda9YQ2gv9LvbOQ3c6ebm9lhg0mxInJk3b 5ZrmQ5wZDt3NzOgf8E55dV8PW+m634N+FWm2Nnc6G1xZ2Re/g8QyWd2JLnUboS2keLuWAyx4 PmlhM6vMQa6fw5/wUQk8RP4ov4/AWuDwxo1ne3FhqhttSiS7ktphD5c0s1jHZxh33bWhurjC oxYLggbPh39pbxjp/wC0h/wg3iTQNIt9W1LTrW9gs7HVpJ9OtkBvDL5V5LZwGe6kWKIrbFF+ WKV9yqjMSP1dSpy1bja2m+rt09dF01a91NRes+ZrTvr5Lz9NX6J6tN/7SP7Jt38Z9c8WXv8A ZXg7XrfUtM8PQ6fpuugm2ln03Ubu6lSb9zKEjkiuBGGVXPzSApj7y/sg/s4a18EPHXjLU77w x4B8LWPiRo547XQrqPULgy75GcPdDTrKVoxvJVZzcNlzteNVCHtP2b/jVqvxm0DU5Ne0Ow8M 6zpd39mn0uG7vJp7cbQQ0ourO0cZO7ayI8ThdySuOno9dVOhTU/bw6r8+plVrTcXSl5f+SpL 9AooorpOcKKKKACiiigAooooA9I/4NzP+TI/FP8A2PF3/wCkGn19+V8B/wDBuZ/yZH4p/wCx 4u//AEg0+vvyvznPf9/q+p9xlX+50/Q+V/8Agtf/AMoyfiX/ANwv/wBOtnXxv8Bv+SG+DP8A sBWP/pOlfZH/AAWv/wCUZPxL/wC4X/6dbOvjf4Df8kN8Gf8AYCsf/SdK+o4Z/wBxf+N/lE+f z7/el/hX5s6yiiivePHCiiigAooooAKKKKACiiigAooooAKKKKACiiigAooooAKKKKACuN/Z 0/5TUfB7/sBX/wD6RarXZVxv7On/ACmo+D3/AGAr/wD9ItVrDF/7tV/wS/Jm2G/j0/8AFH8z 9dqKKK/Kj9CCiiigAooooAK/Dj/gm5/yQ3Vf+w7N/wCk9vX7j1+HH/BNz/khuq/9h2b/ANJ7 evsuFPgrf9u/+3HzHEXxUv8At79D6Dooor6o+eCiiigAooooAKKKKACiiigAooooAKKKKACi iigAooooAKKKKACvKP23/wDk17xP/wBuv/pXDXq9eUftv/8AJr3if/t1/wDSuGrp/GiZ/Cz9 R/2Fv+TI/g5/2I+i/wDpBBXqleV/sLf8mR/Bz/sR9F/9IIK9Ur8nxP8AGn6v8z9Fofwo+iPy y/4Kqf8AKXz4X/8AYj/+1NWqzVb/AIKqf8pfPhf/ANiP/wC1NWqzX6Rlv+5Uv8P+Z8Pj/wDe qnqFFFFdpyBRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABW/wD8EF/+S5ft Pf8AYdsP/SjVawK3/wDggv8A8ly/ae/7Dth/6UarXmZ1/wAi6r/27/6Ujvyr/fafz/Jn6S0U UV+bH3IUUUUAFFFFABRRRQAUUUUAFfll/wAFVP8AlL58L/8AsR//AGpq1fqbX5Zf8FVP+Uvn wv8A+xH/APamrV9Dwx/vv/brPGz3/dfmiv4t8IaT4+8OXej67pena1pF+nl3Vjf2yXNtcrkH a8bgqwyBwR2qho/wt8P+FdCl0/Q9H0vw9C9immodMsobYwW6BxFGgC7QsfmOUUgqpZuOTnoK K+3lThJNSW+j9P6b+8+TU5LZnlMv7FXw51L/AIQmPVPDema9Z/D7R20bRrPVbG3vLe3Qm3Im 2yRnEw+zoA6lfvPxzx13iD4JeDPFl9rFzqvhHwxqdz4htUstVlu9KgmfU7dDlIZ2ZSZY1IBC vkDsK6iim6cJaNLq/vvf77v5aB7Sff8Apf1f1PEfi5+wH4E+LMnhiLyf+Ee0nwnE0FhpOl6V pf2KBGkEjeSs9pK1o5I5ls2gk6HflEK+ieLvgX4J+IHhaPQ9e8H+Ftb0WK7a/Sw1DSoLm1S5 ZnZphG6lRIWkkJfG4mRjn5jXVUVKowSatu7/ADH7Wemux5wv7JXw8f4ow+L5/CegXmrafp9n pmlm40u2kTRIrZpjH9kzHugJ84g7WxhEwBjnrB8NfDgs7e3/ALA0XyLSK2hgi+wxbII7aQS2 6KNuFWKQB0A4RgCuDW3RVRhGPwrrf59/Ulzk3dvt+GxzPhL4LeDvAOj6rp+heE/DWi2GuyPL qVtYaXBbQ6g7rtdpkRQJCy8EsDkcGmeFvgb4K8DaImm6L4P8LaPp0VvPaJa2OkwW8CQzsrTx hEQKEkZVLrjDFQTnFdTRSVOC2S2t8u3p5D55Pd+fz7nHad+zv8P9H8U6nrlp4G8HWut61BJa 6jqEOi2yXV/FIAHjllCbpEYAZViQcDPSk0D9nb4f+E/D/wDZOl+BfB2m6V5iS/YrXRbaG33o zsjeWqBcq0jkHHBdiOprsqKPZQ7L+tfz1Dnl3OS+HnwD8C/CN1bwp4K8JeGGQShTpOj29kV8 3y/Nx5aL9/yYd397ykznaMdbRRVpWVkS23qwooopiCiiigAooooAKKKKAPSP+Dcz/kyPxT/2 PF3/AOkGn19+V8B/8G5n/Jkfin/seLv/ANINPr78r85z3/f6vqfcZV/udP0Plf8A4LX/APKM n4l/9wv/ANOtnXxv8Bv+SG+DP+wFY/8ApOlfZH/Ba/8A5Rk/Ev8A7hf/AKdbOvjf4Df8kN8G f9gKx/8ASdK+o4Z/3F/43+UT5/Pv96X+FfmzrKKKK948cKKKKACiiigAooooAKKKKACiiigA ooooAKKKKACiiigAooooAK439nT/AJTUfB7/ALAV/wD+kWq12Vcb+zp/ymo+D3/YCv8A/wBI tVrDF/7tV/wS/Jm2G/j0/wDFH8z9dqKKK/Kj9CCiiigAooooAK/B39gD4meHPBnwc1K11jxB omlXL6zLKsN5fRQOyGCABgrMDjIIz7H0r94q+XdQ/wCCL37M+p389zL8M4hJcSNK4i13U4kB Y5O1FuQqjngKAB0AAr6HIs1o4NVFWTfNba3S/drueNm2X1cS4Ok1pffzt5PsfGP/AAvnwN/0 OfhT/wAG9v8A/F0f8L58Df8AQ5+FP/Bvb/8AxdfZH/DlD9mT/omn/lxar/8AJVH/AA5Q/Zk/ 6Jp/5cWq/wDyVXu/6zYHtP7l/wDJHkf2Fi+8fvf+R8b/APC+fA3/AEOfhT/wb2//AMXR/wAL 58Df9Dn4U/8ABvb/APxdfZH/AA5Q/Zk/6Jp/5cWq/wDyVR/w5Q/Zk/6Jp/5cWq//ACVR/rNg e0/uX/yQf2Fi+8fvf+R8b/8AC+fA3/Q5+FP/AAb2/wD8XR/wvnwN/wBDn4U/8G9v/wDF19kf 8OUP2ZP+iaf+XFqv/wAlUf8ADlD9mT/omn/lxar/APJVH+s2B7T+5f8AyQf2Fi+8fvf+R8b/ APC+fA3/AEOfhT/wb2//AMXR/wAL58Df9Dn4U/8ABvb/APxdfZH/AA5Q/Zk/6Jp/5cWq/wDy VR/w5Q/Zk/6Jp/5cWq//ACVR/rNge0/uX/yQf2Fi+8fvf+R8b/8AC+fA3/Q5+FP/AAb2/wD8 XR/wvnwN/wBDn4U/8G9v/wDF19kf8OUP2ZP+iaf+XFqv/wAlUf8ADlD9mT/omn/lxar/APJV H+s2B7T+5f8AyQf2Fi+8fvf+R8b/APC+fA3/AEOfhT/wb2//AMXR/wAL58Df9Dn4U/8ABvb/ APxdfZH/AA5Q/Zk/6Jp/5cWq/wDyVR/w5Q/Zk/6Jp/5cWq//ACVR/rNge0/uX/yQf2Fi+8fv f+R8b/8AC+fA3/Q5+FP/AAb2/wD8XR/wvnwN/wBDn4U/8G9v/wDF19kf8OUP2ZP+iaf+XFqv /wAlUf8ADlD9mT/omn/lxar/APJVH+s2B7T+5f8AyQf2Fi+8fvf+R8b/APC+fA3/AEOfhT/w b2//AMXR/wAL58Df9Dn4U/8ABvb/APxdfZH/AA5Q/Zk/6Jp/5cWq/wDyVR/w5Q/Zk/6Jp/5c Wq//ACVR/rNge0/uX/yQf2Fi+8fvf+R8b/8AC+fA3/Q5+FP/AAb2/wD8XR/wvnwN/wBDn4U/ 8G9v/wDF19kf8OUP2ZP+iaf+XFqv/wAlUf8ADlD9mT/omn/lxar/APJVH+s2B7T+5f8AyQf2 Fi+8fvf+R8b/APC+fA3/AEOfhT/wb2//AMXR/wAL58Df9Dn4U/8ABvb/APxdfZH/AA5Q/Zk/ 6Jp/5cWq/wDyVR/w5Q/Zk/6Jp/5cWq//ACVR/rNge0/uX/yQf2Fi+8fvf+R8b/8AC+fA3/Q5 +FP/AAb2/wD8XXmf7Yfxb8K+J/2cvEVjpvibw/qF7P8AZvLt7bUYZZZMXULHCqxJwASeOgNf op/w5Q/Zk/6Jp/5cWq//ACVR/wAOUP2ZP+iaf+XFqv8A8lU48T4FO9p/cv8A5ITyHFNWvH73 /keqfsLf8mR/Bz/sR9F/9IIK9UrO8I+E9O8BeE9M0PSLWOx0nRrSKwsraPOy3giQJGgzzhVU AZ9K0a+ErTU6kprq2fXU4uMFF9Efk5/wWM8b6Z8N/wDgqn8Oda1q5+x6ZZ+B086bynk2bp9V RflQFj8zKOB3rh/+G3/hf/0M/wD5Trv/AONV+tnxJ/Z98BfGa9trnxh4I8IeK7iyQxW8usaN b3zwITkqhlRioJ5wK5r/AIYW+CX/AERz4V/+EnYf/Gq+rwfEdGlh4UZwbcVbRo+exWSValaV SMlZu5+XH/Db/wAL/wDoZ/8AynXf/wAao/4bf+F//Qz/APlOu/8A41X6j/8ADC3wS/6I58K/ /CTsP/jVH/DC3wS/6I58K/8Awk7D/wCNV0/60Yb/AJ9y+9GH9gV/519zPy4/4bf+F/8A0M// AJTrv/41R/w2/wDC/wD6Gf8A8p13/wDGq/Uf/hhb4Jf9Ec+Ff/hJ2H/xqj/hhb4Jf9Ec+Ff/ AISdh/8AGqP9aMN/z7l96D+wK/8AOvuZ+XH/AA2/8L/+hn/8p13/APGqP+G3/hf/ANDP/wCU 67/+NV+o/wDwwt8Ev+iOfCv/AMJOw/8AjVH/AAwt8Ev+iOfCv/wk7D/41R/rRhv+fcvvQf2B X/nX3M/Lj/ht/wCF/wD0M/8A5Trv/wCNUf8ADb/wv/6Gf/ynXf8A8ar9R/8Ahhb4Jf8ARHPh X/4Sdh/8ao/4YW+CX/RHPhX/AOEnYf8Axqj/AFow3/PuX3oP7Ar/AM6+5n5cf8Nv/C//AKGf /wAp13/8ao/4bf8Ahf8A9DP/AOU67/8AjVfqP/wwt8Ev+iOfCv8A8JOw/wDjVH/DC3wS/wCi OfCv/wAJOw/+NUf60Yb/AJ9y+9B/YFf+dfcz8uP+G3/hf/0M/wD5Trv/AONUf8Nv/C//AKGf /wAp13/8ar9R/wDhhb4Jf9Ec+Ff/AISdh/8AGqP+GFvgl/0Rz4V/+EnYf/GqP9aMN/z7l96D +wK/86+5n5cf8Nv/AAv/AOhn/wDKdd//ABqj/ht/4X/9DP8A+U67/wDjVfqP/wAMLfBL/ojn wr/8JOw/+NUf8MLfBL/ojnwr/wDCTsP/AI1R/rRhv+fcvvQf2BX/AJ19zPy4/wCG3/hf/wBD P/5Trv8A+NUf8Nv/AAv/AOhn/wDKdd//ABqv1H/4YW+CX/RHPhX/AOEnYf8Axqj/AIYW+CX/ AERz4V/+EnYf/GqP9aMN/wA+5feg/sCv/OvuZ+XH/Db/AML/APoZ/wDynXf/AMao/wCG3/hf /wBDP/5Trv8A+NV+o/8Awwt8Ev8Aojnwr/8ACTsP/jVH/DC3wS/6I58K/wDwk7D/AONUf60Y b/n3L70H9gV/519zPy4/4bf+F/8A0M//AJTrv/41R/w2/wDC/wD6Gf8A8p13/wDGq/Uf/hhb 4Jf9Ec+Ff/hJ2H/xqj/hhb4Jf9Ec+Ff/AISdh/8AGqP9aMN/z7l96D+wK/8AOvuZ+XH/AA2/ 8L/+hn/8p13/APGq9r/4N+dctfE/xV/aR1Kxl8+y1DVtNubeTaV8yN5tUZWwQCMgjggGvtz/ AIYW+CX/AERz4V/+EnYf/Gq674a/Bfwd8GbS6t/B/hPw14UgvnWS5j0bS4LFLhlGAziJVDEA nBPrXFmPEFHEYWdCEGnK27XRpnVgsmq0a8a0pJpX/Kx01FFFfKH0IUUUUAFFFFABRRRQAUUU UAFfk5/wWM8b6Z8N/wDgqn8Oda1q5+x6ZZ+B086bynk2bp9VRflQFj8zKOB3r9Y65D4k/s++ AvjNe21z4w8EeEPFdxZIYreXWNGt754EJyVQyoxUE84FenlOPjhMR7WaurNfecOY4SWJo+zi 7O6Z+Sf/AA2/8L/+hn/8p13/APGqP+G3/hf/ANDP/wCU67/+NV+o/wDwwt8Ev+iOfCv/AMJO w/8AjVH/AAwt8Ev+iOfCv/wk7D/41X0v+tGG/wCfcvvR4X9gV/519zPy4/4bf+F//Qz/APlO u/8A41R/w2/8L/8AoZ//ACnXf/xqv1H/AOGFvgl/0Rz4V/8AhJ2H/wAao/4YW+CX/RHPhX/4 Sdh/8ao/1ow3/PuX3oP7Ar/zr7mflx/w2/8AC/8A6Gf/AMp13/8AGqP+G3/hf/0M/wD5Trv/ AONV+o//AAwt8Ev+iOfCv/wk7D/41R/wwt8Ev+iOfCv/AMJOw/8AjVH+tGG/59y+9B/YFf8A nX3M/Lj/AIbf+F//AEM//lOu/wD41R/w2/8AC/8A6Gf/AMp13/8AGq/Uf/hhb4Jf9Ec+Ff8A 4Sdh/wDGqP8Ahhb4Jf8ARHPhX/4Sdh/8ao/1ow3/AD7l96D+wK/86+5n5cf8Nv8Awv8A+hn/ APKdd/8Axqj/AIbf+F//AEM//lOu/wD41X6j/wDDC3wS/wCiOfCv/wAJOw/+NUf8MLfBL/oj nwr/APCTsP8A41R/rRhv+fcvvQf2BX/nX3M/Lj/ht/4X/wDQz/8AlOu//jVH/Db/AML/APoZ /wDynXf/AMar9R/+GFvgl/0Rz4V/+EnYf/GqP+GFvgl/0Rz4V/8AhJ2H/wAao/1ow3/PuX3o P7Ar/wA6+5n5cf8ADb/wv/6Gf/ynXf8A8ao/4bf+F/8A0M//AJTrv/41X6j/APDC3wS/6I58 K/8Awk7D/wCNUf8ADC3wS/6I58K//CTsP/jVH+tGG/59y+9B/YFf+dfcz8uP+G3/AIX/APQz /wDlOu//AI1R/wANv/C//oZ//Kdd/wDxqv1H/wCGFvgl/wBEc+Ff/hJ2H/xqj/hhb4Jf9Ec+ Ff8A4Sdh/wDGqP8AWjDf8+5feg/sCv8Azr7mflx/w2/8L/8AoZ//ACnXf/xqj/ht/wCF/wD0 M/8A5Trv/wCNV+o//DC3wS/6I58K/wDwk7D/AONUf8MLfBL/AKI58K//AAk7D/41R/rRhv8A n3L70H9gV/519zPy4/4bf+F//Qz/APlOu/8A41R/w2/8L/8AoZ//ACnXf/xqv1H/AOGFvgl/ 0Rz4V/8AhJ2H/wAao/4YW+CX/RHPhX/4Sdh/8ao/1ow3/PuX3oP7Ar/zr7mflx/w2/8AC/8A 6Gf/AMp13/8AGqP+G3/hf/0M/wD5Trv/AONV+o//AAwt8Ev+iOfCv/wk7D/41R/wwt8Ev+iO fCv/AMJOw/8AjVH+tGG/59y+9B/YFf8AnX3M+V/+Dcz/AJMj8U/9jxd/+kGn19+VifD/AOGn hz4T+HxpPhbw/onhrShI0wstKsYrO3Dtjc3lxqq5OBk4ycVt18nmGJWIxM66VuZn0WDoOjRj SbvY+V/+C1wz/wAEyfiX/wBwv/062dfnX8JP2w/hz4Y+FXhnTb7xF5F7p+k2ttcR/YLpvLkS FFZciMg4IPIJFftZ4p8KaX458PXek61pthrGlX8ZiurK+t0uLe5Q9VeNwVYexFed/wDDC3wS /wCiOfCv/wAJOw/+NV7GUZ3SwlB0akW9b6eiX6HmZllVTE1lVhJLS34v/M/Lj/ht/wCF/wD0 M/8A5Trv/wCNUf8ADb/wv/6Gf/ynXf8A8ar9R/8Ahhb4Jf8ARHPhX/4Sdh/8ao/4YW+CX/RH PhX/AOEnYf8AxqvU/wBaMN/z7l96OD+wK/8AOvuZ+XH/AA2/8L/+hn/8p13/APGqP+G3/hf/ ANDP/wCU67/+NV+o/wDwwt8Ev+iOfCv/AMJOw/8AjVH/AAwt8Ev+iOfCv/wk7D/41R/rRhv+ fcvvQf2BX/nX3M/Lj/ht/wCF/wD0M/8A5Trv/wCNUf8ADb/wv/6Gf/ynXf8A8ar9R/8Ahhb4 Jf8ARHPhX/4Sdh/8ao/4YW+CX/RHPhX/AOEnYf8Axqj/AFow3/PuX3oP7Ar/AM6+5n5cf8Nv /C//AKGf/wAp13/8ao/4bf8Ahf8A9DP/AOU67/8AjVfqP/wwt8Ev+iOfCv8A8JOw/wDjVH/D C3wS/wCiOfCv/wAJOw/+NUf60Yb/AJ9y+9B/YFf+dfcz8uP+G3/hf/0M/wD5Trv/AONUf8Nv /C//AKGf/wAp13/8ar9R/wDhhb4Jf9Ec+Ff/AISdh/8AGqP+GFvgl/0Rz4V/+EnYf/GqP9aM N/z7l96D+wK/86+5n5cf8Nv/AAv/AOhn/wDKdd//ABqj/ht/4X/9DP8A+U67/wDjVfqP/wAM LfBL/ojnwr/8JOw/+NUf8MLfBL/ojnwr/wDCTsP/AI1R/rRhv+fcvvQf2BX/AJ19zPy4/wCG 3/hf/wBDP/5Trv8A+NUf8Nv/AAv/AOhn/wDKdd//ABqv1H/4YW+CX/RHPhX/AOEnYf8Axqj/ AIYW+CX/AERz4V/+EnYf/GqP9aMN/wA+5feg/sCv/OvuZ+XH/Db/AML/APoZ/wDynXf/AMao /wCG3/hf/wBDP/5Trv8A+NV+o/8Awwt8Ev8Aojnwr/8ACTsP/jVH/DC3wS/6I58K/wDwk7D/ AONUf60Yb/n3L70H9gV/519zPy4/4bf+F/8A0M//AJTrv/41R/w2/wDC/wD6Gf8A8p13/wDG q/Uf/hhb4Jf9Ec+Ff/hJ2H/xqj/hhb4Jf9Ec+Ff/AISdh/8AGqP9aMN/z7l96D+wK/8AOvuZ +XH/AA2/8L/+hn/8p13/APGqP+G3/hf/ANDP/wCU67/+NV+o/wDwwt8Ev+iOfCv/AMJOw/8A jVH/AAwt8Ev+iOfCv/wk7D/41R/rRhv+fcvvQf2BX/nX3M/Lj/ht/wCF/wD0M/8A5Trv/wCN VL+xX8VNB+Lv/BYz4Sal4evv7QsoNJ1C2eTyJItsgsNSYrh1U9HXnGOa/UL/AIYW+CX/AERz 4V/+EnYf/Gq2fAX7Lnwz+FfiJNX8MfDrwL4c1aJGjS90vQLSzuEVhhlEkcasARwRnmscRxLQ nRnTjB3kmt11VjSjkVWFWM5TVk0/uZ3dFFFfGn04UUUUAFFFFABRRRQAUUUUAFFFFABRRRQA UUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFF FABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQA UUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFF FABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFABRRRQAUUUUAFFFFAH/2Q== --------------060603010501090401010805-- From kent@bbn.com Mon Jan 13 07:53:28 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 290141AE187 for ; Mon, 13 Jan 2014 07:53:28 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.84 X-Spam-Level: X-Spam-Status: No, score=-2.84 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.538, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4CKSv8nKZMzU for ; Mon, 13 Jan 2014 07:53:26 -0800 (PST) Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id 57EAC1AE15A for ; Mon, 13 Jan 2014 07:53:26 -0800 (PST) Received: from dommiel.bbn.com ([192.1.122.15]:36256 helo=comsec.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from ) id 1W2jpD-0004A0-1A for sidr@ietf.org; Mon, 13 Jan 2014 10:53:15 -0500 Message-ID: <52D40BEA.7070508@bbn.com> Date: Mon, 13 Jan 2014 10:53:14 -0500 From: Stephen Kent User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.2.0 MIME-Version: 1.0 To: sidr@ietf.org References: <52954D51.5020808@ops-netman.net> <24B20D14B2CD29478C8D5D6E9CBB29F678F1DBD3@HSV-MB002.huntsville.ads.sparta.com> In-Reply-To: <24B20D14B2CD29478C8D5D6E9CBB29F678F1DBD3@HSV-MB002.huntsville.ads.sparta.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [sidr] WG Adoption: draft-ymbk-lta-use-cases X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Jan 2014 15:53:28 -0000 I don't recall if I responded before, but I will now. I support development of a requirements/use cases doc, so we might as well begin with this one. Steve From prvs=609043920f=sandra.murphy@parsons.com Mon Jan 13 09:21:04 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CC231AE115 for ; Mon, 13 Jan 2014 09:21:04 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.839 X-Spam-Level: X-Spam-Status: No, score=-1.839 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_61=0.6, RP_MATCHES_RCVD=-0.538, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wDVuLUeOlgNU for ; Mon, 13 Jan 2014 09:21:02 -0800 (PST) Received: from txdal11mx03.parsons.com (txdal11mx03.parsons.com [206.219.199.111]) by ietfa.amsl.com (Postfix) with ESMTP id 4D3321ADFD4 for ; Mon, 13 Jan 2014 09:21:02 -0800 (PST) Received: from pps.filterd (txdal11mx03 [127.0.0.1]) by txdal11mx03.parsons.com (8.14.5/8.14.5) with SMTP id s0DHAB1t008983; Mon, 13 Jan 2014 11:20:38 -0600 Received: from m4.sparta.com (m4.sparta.com [157.185.61.2]) by txdal11mx03.parsons.com with ESMTP id 1hcg19s8f0-1 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NOT); Mon, 13 Jan 2014 11:20:37 -0600 Received: from Beta5.sparta.com ([10.62.8.21]) by M4.sparta.com (8.14.4/8.14.4) with ESMTP id s0DHKaV5014532; Mon, 13 Jan 2014 11:20:36 -0600 Received: from HSV-CAS004.huntsville.ads.sparta.com ([10.62.8.148]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id s0DHKLr0021372; Mon, 13 Jan 2014 11:20:26 -0600 Received: from HSV-MB002.huntsville.ads.sparta.com ([fe80::2521:a783:a30c:d057]) by HSV-CAS004.huntsville.ads.sparta.com ([fe80::d00f:c039:2622:2252%11]) with mapi id 14.02.0347.000; Mon, 13 Jan 2014 11:20:21 -0600 From: "Murphy, Sandra" To: Demian Rosenkranz , "sidr@ietf.org" Thread-Topic: [sidr] Master thesis - RPKI Thread-Index: AQHPEG9f72htc9mbv0+kLwS/BJ5WDJqCwqrR Date: Mon, 13 Jan 2014 17:20:21 +0000 Message-ID: <24B20D14B2CD29478C8D5D6E9CBB29F678F1DE97@HSV-MB002.huntsville.ads.sparta.com> References: <52D3FE0B.1080808@smail.inf.h-brs.de> In-Reply-To: <52D3FE0B.1080808@smail.inf.h-brs.de> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.185.61.33] Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.87, 1.0.14, 0.0.0000 definitions=2014-01-13_02:2014-01-13,2014-01-13,1970-01-01 signatures=0 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 kscore.is_bulkscore=0 kscore.compositescore=0 circleOfTrustscore=0 compositescore=0.0475211685653588 urlsuspect_oldscore=0.457842179440374 suspectscore=0 recipient_domain_to_sender_totalscore=4066 phishscore=0 bulkscore=0 kscore.is_spamscore=0 recipient_to_sender_totalscore=0 recipient_domain_to_sender_domain_totalscore=12528 rbsscore=0.0475211685653588 spamscore=0 recipient_to_sender_domain_totalscore=0 urlsuspectscore=0.3 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1305240000 definitions=main-1401130103 Subject: Re: [sidr] Master thesis - RPKI X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Jan 2014 17:21:04 -0000 (Speaking as regular ol' member)=0A= =0A= =0A= >as some of you know, I'm writing my master thesis about RPKI at=0A= >Deutsche Telekom (R=FCdiger Volk). Especially I try to identify the=0A= >"problems (attack, misconfiguration, ...)" of using RPKI as a relying=0A= >party/resource owner and try to find ways to identify if such a=0A= >"problem" arises (i.e. competing ROAs). =0A= =0A= Sounds like fun.=0A= =0A= >Furthermore I want to give=0A= >proposals on how to proceed if a "problem" arises. To sum it up, a RP=0A= >should use the RPKI as a reliable tool to improve it's routing. I hope=0A= >this thesis helps to reduce the concerns of some RPs of using RPKI for=0A= >securing inter-domain routing.=0A= =0A= Advice on how to proceed in the case of errors would be very interesting.= =0A= =0A= >The following classification lists the groups of problems I've=0A= >identified including a short description. If possible, I used terms=0A= >which are used in SIDR drafts/RFCs. It would be great to get some=0A= >feedback to this classification. I guess most of you prefer textual=0A= >description, so I tried to represent it in textual form. Additionally,=0A= >you can find a jpg attached.=0A= =0A= Some comments below:=0A= =0A= >Classification of "problems"=0A= >1. Incorrect representation of RPs/ROs INRs at "RPKI layer": The=0A= >initial transformation of RP/Resource Owner INRs as RPKI objects is not=0A= >correct.=0A= =0A= You mean X issues a certificate for resources Y to some customer/member and= =0A= the resources Y weren't actually held by that customer/member?=0A= =0A= So this is X's error?=0A= =0A= Are you working on just the categorization, or are you going to propose met= hods=0A= of detecting these problems?=0A= =0A= >2. Incorrect/untrustworthy/suspicious RPKI information=0A= >2.1 Object related=0A= >2.1.1 Competing Attack: Router certificate: ASN competes with existing=0A= >router certificate; =0A= =0A= Could you say what you mean by "ASN competes"?=0A= =0A= A router might belong to an organization that uses more than one ASN.=0A= The AS migration case is one particular case of that happening.=0A= =0A= So I'd say a router might have multiple router certificates with different = ASNs.=0A= =0A= So I'm not sure what "ASN competes" means.=0A= =0A= > Other Objects: IP-Range competes with existing=0A= >objects (In my opinion, certificates can also compete with other certs=0A= >because of their X.509 extensions. Of course, at the end the ROA causes=0A= >the problem but it could be kind of an early warning system if competing= =0A= >certificates are identified --> Should a doctor try to take care of the=0A= >cause or just try to allay the pain?).=0A= =0A= Again, what do you mean by "competes"?=0A= =0A= A prefix holder might authorize more than one ASN to advertise the prefix:= =0A= It might authorize upstream providers to announce for it.=0A= It might hold and use multiple ASNs on a regular basis.=0A= There might be AS migration taking place.=0A= =0A= And there's the case that a provider has a ROA for its aggregate, has issue= d=0A= prefixes to its customer and allowed the customer to multi-home with that p= refix,=0A= which means the customer might be issuing ROAs for a more specific prefix= =0A= to a different ASN.=0A= =0A= So there are reasons why there might be multiple ROAs for the same=0A= prefix to different ASNs.=0A= =0A= >2.1.2 Whacked Objects: Object transition which results in a route=0A= >transition from valid to missing or invalid.=0A= =0A= You mean a failure to correctly handle the timing involved in changing the = =0A= state of a route advertisement and getting the ROAs in place before the =0A= route advertisement occurs? Or a failure to correctly handle the refresh= =0A= of certificates so that ROAs do not expire?=0A= =0A= (Again, are you going to work on the categorization, or are you going to=0A= propose means of identifying these errors? I think I ask because I'm not= =0A= sure how you would tell the difference between a failure and deliberate int= ention.)=0A= =0A= >2.1.3 Non-compliance: Non-compliance of RPKI objects can cause bad=0A= >behavior of RP software. Weak alg./key length could result in a=0A= >downgrade attack. (There are syntactical checks, but for the sake of=0A= >completeness and because of possible implementation mistakes it's also=0A= >included)=0A= =0A= Implementation errors are a problem everywhere, but you're hypothesizing=0A= two errors here: a compliance error in issuing an object and an error in ch= ecking =0A= objects for compliance. This is probably more likely if both implementatio= ns=0A= have the same source.=0A= =0A= Or maybe you are talking about error in issuing a certificate causes the im= plementation=0A= that is validating the certificate to fail (i.e., crash).=0A= =0A= >2.1.4 Expiring object: Check if objects are almost expired/forgotten.=0A= >Can cause unwanted routing behavior.=0A= =0A= That's another timing issue, and somewhat related to the Whacked Objects=0A= case. Right?=0A= =0A= >2.2 System related=0A= >2.2.1 Replay attack:A whole old dataset could replace a newer one and=0A= >could be still valid.=0A= =0A= That's one reason for the manifests. If you manage to come up with a=0A= scenario where replay occurred but was undetected by the manifest, it would= =0A= be very interesting.=0A= =0A= >2.2.2 Short lifetime attack: Recurring ROA sets with short lifetimes=0A= >could overload the RP software because of it's cryptographic checks.=0A= =0A= I think that might depend on whether the RP software is setup to re-sync wi= th=0A= the repositories on a periodic basis on on events like expiration.=0A= =0A= Another interesting question is whether short lifetimes would cause churn i= n=0A= the routing space.=0A= =0A= >2.2.3 Incomplete amount of objects: Incompleteness of RPKI objects could= =0A= >affect the global routing behavior.=0A= =0A= Are you talking about objects that are somehow deleted from the repository?= =0A= That should be something the manifest should detect, so again, if you come= =0A= up with a scenario, that would be interesting.=0A= =0A= Are you talking about the "missing" case of route validity? Different RPs= =0A= might respond differently to that, and the difference could have interestin= g effects on=0A= routing - but that's true of any difference in local routing policy.=0A= =0A= Are you talking about the "clueless customer" case - a provider produces a= =0A= ROA for its aggregate before there are ROAs for its customers who are =0A= advertising more specifics. This is indeed a recognized case - there's =0A= guidance in the origin-ops (see page 5) draft with obligations (MUST)=0A= to providers about this. Which is not to say it won't occur.=0A= =0A= >2.2.4 repository availability:A DoS attack could affect the availability= =0A= >of the Repository.=0A= =0A= Anything that affects the availability of the repository would be a problem= -=0A= DoS attack, power outage, site unreachable, etc., or even internal RP issue= s.=0A= Certainly there are operational means to ameliorate the impact. Which is no= t to =0A= say that it is not a problem. If your focus is on the effect on RPs, ther= e's no =0A= way for the RP to know the cause, so coming up with recommendations of how= =0A= to proceed could be tricky.=0A= =0A= --Sandy, speaking as regular ol' member=0A= From kotikalapudi.sriram@nist.gov Mon Jan 13 17:33:00 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 788E81AD8EE for ; Mon, 13 Jan 2014 17:33:00 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.001 X-Spam-Level: X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_61=0.6, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lJKWhPQtQVpc for ; Mon, 13 Jan 2014 17:32:58 -0800 (PST) Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0236.outbound.protection.outlook.com [207.46.163.236]) by ietfa.amsl.com (Postfix) with ESMTP id 034F71A8028 for ; Mon, 13 Jan 2014 17:32:57 -0800 (PST) Received: from BLUPR09MB053.namprd09.prod.outlook.com (10.255.211.146) by BLUPR09MB055.namprd09.prod.outlook.com (10.255.211.152) with Microsoft SMTP Server (TLS) id 15.0.847.13; Tue, 14 Jan 2014 01:32:46 +0000 Received: from BLUPR09MB053.namprd09.prod.outlook.com ([169.254.14.203]) by BLUPR09MB053.namprd09.prod.outlook.com ([169.254.14.203]) with mapi id 15.00.0847.008; Tue, 14 Jan 2014 01:32:45 +0000 From: "Sriram, Kotikalapudi" To: "Murphy, Sandra" , Demian Rosenkranz , "sidr@ietf.org" Thread-Topic: [sidr] Master thesis - RPKI Thread-Index: AQHPEIPUW2CXk5SPXEaR2EKfTmaE1pqDYy3A Date: Tue, 14 Jan 2014 01:32:44 +0000 Message-ID: <5d0fd135e7b94f38836297f58bca92fd@BLUPR09MB053.namprd09.prod.outlook.com> References: <52D3FE0B.1080808@smail.inf.h-brs.de> <24B20D14B2CD29478C8D5D6E9CBB29F678F1DE97@HSV-MB002.huntsville.ads.sparta.com> In-Reply-To: <24B20D14B2CD29478C8D5D6E9CBB29F678F1DE97@HSV-MB002.huntsville.ads.sparta.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [129.6.140.100] x-forefront-prvs: 0091C8F1EB x-forefront-antispam-report: SFV:NSPM; SFS:(10009001)(679001)(689001)(189002)(199002)(51444003)(51704005)(63696002)(59766001)(2656002)(87936001)(83072002)(56776001)(77982001)(85852003)(54316002)(79102001)(92566001)(66066001)(90146001)(56816005)(80022001)(74876001)(65816001)(74706001)(85306002)(74662001)(74316001)(81686001)(50986001)(49866001)(47976001)(47736001)(81816001)(74502001)(47446002)(76482001)(83322001)(53806001)(54356001)(33646001)(4396001)(31966008)(87266001)(76786001)(81342001)(80976001)(69226001)(81542001)(76796001)(77096001)(76576001)(74366001)(51856001)(46102001)(93136001)(24736002); DIR:OUT; SFP:1101; SCL:1; SRVR:BLUPR09MB055; H:BLUPR09MB053.namprd09.prod.outlook.com; CLIP:129.6.140.100; FPR:; MLV:nspm; RD:InfoNoRecords; MX:1; A:1; LANG:en; Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: nist.gov Subject: Re: [sidr] Master thesis - RPKI X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Jan 2014 01:33:00 -0000 Comments below. Sriram >>2.2 System related >>2.2.1 Replay attack:A whole old dataset could replace a newer one and >>could be still valid. > >That's one reason for the manifests. If you manage to come up with a >scenario where replay occurred but was undetected by the manifest, it woul= d >be very interesting. > >>2.2.2 Short lifetime attack: Recurring ROA sets with short lifetimes >>could overload the RP software because of it's cryptographic checks. > >I think that might depend on whether the RP software is setup to re-sync w= ith >the repositories on a periodic basis on on events like expiration. > >Another interesting question is whether short lifetimes would cause churn = in >the routing space. I think Demian is speculating having short life-times for ROAs. (May be you propose doing it by having short-lived certs for the prefix?) I would like add/caution here is that I don't see any benefit or usefulness= =20 for having short life-times for certificates/ROAs in this context.=20 It would increase churn a lot but provide no real benefit. I think a better solution would be to revoke cert and issue CRL when such (= rare) need arises. Two scenarios as I see them are: (1) When prefix ownership changes: When a prefix ownership changes, the CA will anyway generate a CRL for the previous cert before issuing the new cert to the new owner. The CRL would render the old ROA invalid. If the certificate authority (e.g., ISP, RIR) is also the RPKI repository p= rovider; they must also delete from the repository any existing ROAs signed by=20 the revoked cert at the time of issuing the CRL. (2) When prefix ownership does not change but the originating AS changes: The CA will revoke the previous cert and issue a new one for the same owner= . Again, the old ROAs can be deleted from the RPKI repository if CA has contr= ol. The vulnerability period is only the duration until the CRL and manifests p= ropagate in RPKI. I think using the revocation/CRL approach is need based, and such events oc= cur rarely. So I feel it is better than the short-lived prefix cert/ROA approach, which= generates undesirable churn. Sriram =20 From waehlisch@ieee.org Tue Jan 14 05:52:09 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B5AD1AE067 for ; Tue, 14 Jan 2014 05:52:09 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.285 X-Spam-Level: X-Spam-Status: No, score=-0.285 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, J_CHICKENPOX_61=0.6, SPF_SOFTFAIL=0.665] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NJV8M_tugyZg for ; Tue, 14 Jan 2014 05:52:07 -0800 (PST) Received: from mail1.rz.htw-berlin.de (mail1.rz.htw-berlin.de [141.45.10.101]) by ietfa.amsl.com (Postfix) with ESMTP id 5A5F31ADFF8 for ; Tue, 14 Jan 2014 05:52:07 -0800 (PST) Envelope-to: sidr@ietf.org Received: from g231106171.adsl.alicedsl.de ([92.231.106.171] helo=mw-PC.fritz.box) by mail1.rz.htw-berlin.de with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.77 (FreeBSD)) (envelope-from ) id 1W34PK-000Afx-PP; Tue, 14 Jan 2014 14:51:55 +0100 Date: Tue, 14 Jan 2014 14:51:51 +0100 From: Matthias Waehlisch To: Demian Rosenkranz In-Reply-To: <52D3FE0B.1080808@smail.inf.h-brs.de> Message-ID: References: <52D3FE0B.1080808@smail.inf.h-brs.de> X-X-Sender: mw@mail2.rz.fhtw-berlin.de MIME-Version: 1.0 Content-Type: MULTIPART/MIXED; BOUNDARY="1302210395-31523-1389706406=:5660" Content-ID: X-HTW-SPAMINFO: this message was scanned by eXpurgate (http://www.eleven.de) X-HTW-DELIVERED-TO: sidr@ietf.org Cc: sidr@ietf.org Subject: Re: [sidr] Master thesis - RPKI X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Jan 2014 13:52:09 -0000 This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. --1302210395-31523-1389706406=:5660 Content-Type: TEXT/PLAIN; CHARSET=ISO-8859-15 Content-Transfer-Encoding: QUOTED-PRINTABLE Content-ID: Hi Demian, nice work. I'm a little bit wondering about the classification. Can=20 you be a bit more specific how do you define "Object related" and=20 "Systems related"? For example, the "Short Lifetime Attack" is categorized under "Systems=20 related". However, it is directly related to the configuration of the=20 signed object; on the other hand, it harms the RP system. Does the classification reflects (a) which part of the system is=20 harmed, (b) which part is used to introduce problems, or (c) a mixture?=20 I think a clearer separation would be helpful. Thanks matthias --=20 Matthias Waehlisch =2E Freie Universitaet Berlin, Inst. fuer Informatik, AG CST =2E Takustr. 9, D-14195 Berlin, Germany =2E. mailto:waehlisch@ieee.org .. http://www.inf.fu-berlin.de/~waehl :. Also: http://inet.cpt.haw-hamburg.de .. http://www.link-lab.net On Mon, 13 Jan 2014, Demian Rosenkranz wrote: > Hello, >=20 > as some of you know, I'm writing my master thesis about RPKI at Deutsche > Telekom (R=FCdiger Volk). Especially I try to identify the "problems (att= ack, > misconfiguration, ...)" of using RPKI as a relying party/resource owner a= nd > try to find ways to identify if such a "problem" arises (i.e. competing R= OAs). > Furthermore I want to give proposals on how to proceed if a "problem" ari= ses. > To sum it up, a RP should use the RPKI as a reliable tool to improve it's > routing. I hope this thesis helps to reduce the concerns of some RPs of u= sing > RPKI for securing inter-domain routing. >=20 > The following classification lists the groups of problems I've identified > including a short description. If possible, I used terms which are used i= n > SIDR drafts/RFCs. It would be great to get some feedback to this > classification. I guess most of you prefer textual description, so I trie= d to > represent it in textual form. Additionally, you can find a jpg attached. >=20 > Classification of "problems" > 1. Incorrect representation of RPs/ROs INRs at "RPKI layer": The initial > transformation of RP/Resource Owner INRs as RPKI objects is not correct. > 2. Incorrect/untrustworthy/suspicious RPKI information > 2.1 Object related > 2.1.1 Competing Attack: Router certificate: ASN competes with existing ro= uter > certificate; Other Objects: IP-Range competes with existing objects (In m= y > opinion, certificates can also compete with other certs because of their = X.509 > extensions. Of course, at the end the ROA causes the problem but it could= be > kind of an early warning system if competing certificates are identified = --> > Should a doctor try to take care of the cause or just try to allay the pa= in?). > 2.1.2 Whacked Objects: Object transition which results in a route transit= ion > from valid to missing or invalid. > 2.1.3 Non-compliance: Non-compliance of RPKI objects can cause bad behavi= or of > RP software. Weak alg./key length could result in a downgrade attack. (Th= ere > are syntactical checks, but for the sake of completeness and because of > possible implementation mistakes it's also included) > 2.1.4 Expiring object: Check if objects are almost expired/forgotten. Can > cause unwanted routing behavior. > 2.2 System related > 2.2.1 Replay attack:A whole old dataset could replace a newer one and cou= ld be > still valid. > 2.2.2 Short lifetime attack: Recurring ROA sets with short lifetimes coul= d > overload the RP software because of it's cryptographic checks. > 2.2.3 Incomplete amount of objects: Incompleteness of RPKI objects could > affect the global routing behavior. > 2.2.4 repository availability:A DoS attack could affect the availability = of > the Repository. >=20 >=20 > Kind regards >=20 >=20 > Demian Rosenkranz >=20 --1302210395-31523-1389706406=:5660-- From waehlisch@ieee.org Tue Jan 14 05:52:24 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB52E1ADFF8 for ; Tue, 14 Jan 2014 05:52:24 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.285 X-Spam-Level: X-Spam-Status: No, score=-0.285 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, J_CHICKENPOX_61=0.6, SPF_SOFTFAIL=0.665] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kjka7hzkvBGW for ; Tue, 14 Jan 2014 05:52:23 -0800 (PST) Received: from mail1.rz.htw-berlin.de (mail1.rz.htw-berlin.de [141.45.10.101]) by ietfa.amsl.com (Postfix) with ESMTP id BAF1A1AE0DC for ; Tue, 14 Jan 2014 05:52:23 -0800 (PST) Envelope-to: sidr@ietf.org Received: from g231106171.adsl.alicedsl.de ([92.231.106.171] helo=mw-PC.fritz.box) by mail1.rz.htw-berlin.de with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.77 (FreeBSD)) (envelope-from ) id 1W34Pb-000Ahq-Ko; Tue, 14 Jan 2014 14:52:12 +0100 Date: Tue, 14 Jan 2014 14:52:07 +0100 From: Matthias Waehlisch To: "Sriram, Kotikalapudi" In-Reply-To: <5d0fd135e7b94f38836297f58bca92fd@BLUPR09MB053.namprd09.prod.outlook.com> Message-ID: References: <52D3FE0B.1080808@smail.inf.h-brs.de> <24B20D14B2CD29478C8D5D6E9CBB29F678F1DE97@HSV-MB002.huntsville.ads.sparta.com> <5d0fd135e7b94f38836297f58bca92fd@BLUPR09MB053.namprd09.prod.outlook.com> X-X-Sender: mw@mail2.rz.fhtw-berlin.de MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-HTW-SPAMINFO: this message was scanned by eXpurgate (http://www.eleven.de) X-HTW-DELIVERED-TO: sidr@ietf.org Cc: "sidr@ietf.org" Subject: Re: [sidr] Master thesis - RPKI X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Jan 2014 13:52:25 -0000 Hi Sriram, just a quick remark regarding "such events occur rarely". I would say that this depends on the scenario behind. If you consider complexity attacks, for example, where a prefix owner malicously changes ROAs, those event can occur often. Cheers matthias On Tue, 14 Jan 2014, Sriram, Kotikalapudi wrote: > Comments below. > > Sriram > > >>2.2 System related > >>2.2.1 Replay attack:A whole old dataset could replace a newer one and > >>could be still valid. > > > >That's one reason for the manifests. If you manage to come up with a > >scenario where replay occurred but was undetected by the manifest, it would > >be very interesting. > > > >>2.2.2 Short lifetime attack: Recurring ROA sets with short lifetimes > >>could overload the RP software because of it's cryptographic checks. > > > >I think that might depend on whether the RP software is setup to re-sync with > >the repositories on a periodic basis on on events like expiration. > > > >Another interesting question is whether short lifetimes would cause churn in > >the routing space. > > I think Demian is speculating having short life-times for ROAs. > (May be you propose doing it by having short-lived certs for the prefix?) > I would like add/caution here is that I don't see any benefit or usefulness > for having short life-times for certificates/ROAs in this context. > It would increase churn a lot but provide no real benefit. > I think a better solution would be to revoke cert and issue CRL when such (rare) need arises. > Two scenarios as I see them are: > > (1) When prefix ownership changes: > When a prefix ownership changes, the CA will anyway generate a CRL > for the previous cert before issuing the new cert to the new owner. > The CRL would render the old ROA invalid. > If the certificate authority (e.g., ISP, RIR) is also the RPKI repository provider; > they must also delete from the repository any existing ROAs signed by > the revoked cert at the time of issuing the CRL. > > (2) When prefix ownership does not change but the originating AS changes: > The CA will revoke the previous cert and issue a new one for the same owner. > Again, the old ROAs can be deleted from the RPKI repository if CA has control. > The vulnerability period is only the duration until the CRL and manifests propagate in RPKI. > > I think using the revocation/CRL approach is need based, and such events occur rarely. > So I feel it is better than the short-lived prefix cert/ROA approach, which generates undesirable churn. > > Sriram > > > > > _______________________________________________ > sidr mailing list > sidr@ietf.org > https://www.ietf.org/mailman/listinfo/sidr > -- Matthias Waehlisch . Freie Universitaet Berlin, Inst. fuer Informatik, AG CST . Takustr. 9, D-14195 Berlin, Germany .. mailto:waehlisch@ieee.org .. http://www.inf.fu-berlin.de/~waehl :. Also: http://inet.cpt.haw-hamburg.de .. http://www.link-lab.net From drosen2s@smail.inf.h-brs.de Tue Jan 14 07:47:59 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 683D31AE09C for ; Tue, 14 Jan 2014 07:47:59 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.65 X-Spam-Level: X-Spam-Status: No, score=-1.65 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, J_CHICKENPOX_61=0.6, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e1_FwGozJuoG for ; Tue, 14 Jan 2014 07:47:56 -0800 (PST) Received: from ux-2s11.inf.fh-bonn-rhein-sieg.de (ux-2s11.inf.fh-bonn-rhein-sieg.de [194.95.66.8]) by ietfa.amsl.com (Postfix) with ESMTP id 34DB51ADF7F for ; Tue, 14 Jan 2014 07:47:55 -0800 (PST) Received: from [192.168.16.1] ([194.25.10.166]) (authenticated bits=0) by ux-2s11.inf.fh-bonn-rhein-sieg.de (8.14.4/8.14.4/Debian-4ska0) with ESMTP id s0EFlgiC016823 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for ; Tue, 14 Jan 2014 16:47:43 +0100 Message-ID: <52D55C1B.30103@smail.inf.h-brs.de> Date: Tue, 14 Jan 2014 16:47:39 +0100 From: Demian Rosenkranz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0 MIME-Version: 1.0 To: "sidr@ietf.org" References: <52D3FE0B.1080808@smail.inf.h-brs.de> <24B20D14B2CD29478C8D5D6E9CBB29F678F1DE97@HSV-MB002.huntsville.ads.sparta.com> In-Reply-To: <24B20D14B2CD29478C8D5D6E9CBB29F678F1DE97@HSV-MB002.huntsville.ads.sparta.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit X-Auth: by SMTP AUTH @ ux-2s11 X-MIMEDefang-Info-ge: Gescannt in Inf@FH-BRS, Regeln s. MiniFAQ E-Mail/Mailscanner X-Scanned-By: MIMEDefang 2.73 Subject: Re: [sidr] Master thesis - RPKI X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Jan 2014 15:47:59 -0000 Thank you for the detailed answer! I see, there are obscurities because of a missing detailed description of the particular problems. Unfortunately, I'm writing my thesis in German but I hope my comments clear it up. Beneath the classification, I will try to find ways to identify the appearance of a problem. I'm searching for anomalies regarding the repository behavior for several months. I hope/think this helps a lot to find reasonable ways for identification. The primary goal is to identify the problems and not to find the guilty one. This wouldn't help the RP/RO to react on a problem. My comments below. Am 13.01.2014 18:20, schrieb Murphy, Sandra: > (Speaking as regular ol' member) > > >> as some of you know, I'm writing my master thesis about RPKI at >> Deutsche Telekom (Rüdiger Volk). Especially I try to identify the >> "problems (attack, misconfiguration, ...)" of using RPKI as a relying >> party/resource owner and try to find ways to identify if such a >> "problem" arises (i.e. competing ROAs). > > Sounds like fun. Yes, it's an interesting topic and I've spent a lot of time to read and understand all the drafts/RFC's :-) > >> Furthermore I want to give >> proposals on how to proceed if a "problem" arises. To sum it up, a RP >> should use the RPKI as a reliable tool to improve it's routing. I hope >> this thesis helps to reduce the concerns of some RPs of using RPKI for >> securing inter-domain routing. > > Advice on how to proceed in the case of errors would be very interesting. Beside the understanding of what problems can happen the advices on how to proceed should be the added value for a RP. I hope this helps for some deployments :-) > >> The following classification lists the groups of problems I've >> identified including a short description. If possible, I used terms >> which are used in SIDR drafts/RFCs. It would be great to get some >> feedback to this classification. I guess most of you prefer textual >> description, so I tried to represent it in textual form. Additionally, >> you can find a jpg attached. > > Some comments below: > >> Classification of "problems" >> 1. Incorrect representation of RPs/ROs INRs at "RPKI layer": The >> initial transformation of RP/Resource Owner INRs as RPKI objects is not >> correct. > > You mean X issues a certificate for resources Y to some customer/member and > the resources Y weren't actually held by that customer/member? > > So this is X's error? Yes, this would belongs to that "problem" category. More in detail: I would say there are three (technical) layers which are of interest for a relying party/ resource owner (RO) regarding inter-domain routing: 1: RP/RO layer: How does a RP/RO wants to see it's own INRs at routing layer and rpki layer.Is there a correct mapping? This is kind of a semantic layer... 2: RPKI layer: Describes the permissions to use an INR (in form of a cryptographic object). 3: routing layer: Thats the actual inter-domain routing (BGP). Every layer has it's own challanges/problems. "Incorrect representation of RPs/ROs INRs at RPKI layer" means that there is an incorrect mapping and so a wrong semantic representation. Usually there could be another problem with a wrong representation at the routing layer (i.e. wrong route announcements because of wrong router configuration) but the routing layer is not part of my thesis. I'm focusing on problems regarding the tool RPKI. > > Are you working on just the categorization, or are you going to propose methods > of detecting these problems? I'm going to try to find ways detecting the identified problems with the given public information. And if there is no way with the given information, I would like to propose extensions to the existing "information structure". But just theoretical. Unfortunately there is not enough time to implement it. > >> 2. Incorrect/untrustworthy/suspicious RPKI information >> 2.1 Object related >> 2.1.1 Competing Attack: Router certificate: ASN competes with existing >> router certificate; > > Could you say what you mean by "ASN competes"? > > A router might belong to an organization that uses more than one ASN. > The AS migration case is one particular case of that happening. > > So I'd say a router might have multiple router certificates with different ASNs. > > So I'm not sure what "ASN competes" means. Ok, I should change the description :). I mean if there exists a router certificate with AS number X and another entity comes up with a router certificate with the same AS number X but doesn't own this AS number. Of course there are cases in which this is ok, but here I talk about an attack, misconfiguration... Here it would be great, if a distinction between intentionally/unintentionally is possible. > >> Other Objects: IP-Range competes with existing >> objects (In my opinion, certificates can also compete with other certs >> because of their X.509 extensions. Of course, at the end the ROA causes >> the problem but it could be kind of an early warning system if competing >> certificates are identified --> Should a doctor try to take care of the >> cause or just try to allay the pain?). > > Again, what do you mean by "competes"? > > A prefix holder might authorize more than one ASN to advertise the prefix: > It might authorize upstream providers to announce for it. > It might hold and use multiple ASNs on a regular basis. > There might be AS migration taking place. > > And there's the case that a provider has a ROA for its aggregate, has issued > prefixes to its customer and allowed the customer to multi-home with that prefix, > which means the customer might be issuing ROAs for a more specific prefix > to a different ASN. > > So there are reasons why there might be multiple ROAs for the same > prefix to different ASNs. Same as above. I mean attacks, misconfigurations... The classification is explained in detail in my documentation for a better understanding but this is unfortunately in German. > >> 2.1.2 Whacked Objects: Object transition which results in a route >> transition from valid to missing or invalid. > > You mean a failure to correctly handle the timing involved in changing the > state of a route advertisement and getting the ROAs in place before the > route advertisement occurs? Or a failure to correctly handle the refresh > of certificates so that ROAs do not expire? Not alone. I mean any action which affects an RPKI object in a "bad way. In the suspenders draft it's explained as: "Any object in the RPKI can become invalid or inaccessible (to RPs) via various actions by CAs and/or publication point maintainers along the certificate path from the object's EE certificate to a trust anchor (TA). Any action that causes an object to become invalid or inaccessible is termed "whacking"." I mean at the end, it's important what impact the actions has on the inter-domain routing. Therefore I choosed this description: "...which results in a route transition from valid to missing or invalid." I guess this was the obscurity? > > (Again, are you going to work on the categorization, or are you going to > propose means of identifying these errors? I think I ask because I'm not > sure how you would tell the difference between a failure and deliberate intention.) Yes, the distinction between failure and deliberate intention is not easy to detect if possible at all by a program. I think the intention of the causer is secondary. The RP/RO has to be able to detect the arising of a problem to handle it in the best way. > >> 2.1.3 Non-compliance: Non-compliance of RPKI objects can cause bad >> behavior of RP software. Weak alg./key length could result in a >> downgrade attack. (There are syntactical checks, but for the sake of >> completeness and because of possible implementation mistakes it's also >> included) > > Implementation errors are a problem everywhere, but you're hypothesizing > two errors here: a compliance error in issuing an object and an error in checking > objects for compliance. This is probably more likely if both implementations > have the same source. > > Or maybe you are talking about error in issuing a certificate causes the implementation > that is validating the certificate to fail (i.e., crash). > As seen in the past, syntactical/semantical inconsistence of certificates causes a lot of problems in the "usual" PKI world. This is also a potential problem for a RP. The RP software has to interpret the certificates and objects. Checking for compliance to the detailed standards helps in my opinion to reduce such problems. Of course, such checks are already included in the current three RP softwares. As I said, it's for the sake of completeness (academic constraint :-)) and I would say it's an important point to reduce failures. >> 2.1.4 Expiring object: Check if objects are almost expired/forgotten. >> Can cause unwanted routing behavior. > > That's another timing issue, and somewhat related to the Whacked Objects > case. Right? > Yes. Could be merged with "whacked objects". >> 2.2 System related >> 2.2.1 Replay attack:A whole old dataset could replace a newer one and >> could be still valid. > > That's one reason for the manifests. If you manage to come up with a > scenario where replay occurred but was undetected by the manifest, it would > be very interesting. > I.e. it is possible if there are changes on the repository and the the (now) old manifest has to be set on the CRL as long as it's not expired. An attacker could use the old dataset for a replay attack and until the manifest isn't expired the RP would see a valid dataset. Of course, the validity is limited by the update period of the manifest but even if the old dataset is expired it depends on the local policy of a relying party how to handle this situation. I guess most of them are not very strict. >> 2.2.2 Short lifetime attack: Recurring ROA sets with short lifetimes >> could overload the RP software because of it's cryptographic checks. > > I think that might depend on whether the RP software is setup to re-sync with > the repositories on a periodic basis on on events like expiration. > > Another interesting question is whether short lifetimes would cause churn in > the routing space. > I Agree, it would depend on the configuration of the local cache. Furthermore it would depend on the tier the objects are located in the RPKI hierarchy, the hardware the RP sofware runs on, ... At this point, I'm not sure how CPU-intensive the checks are, but the fact of the matter is, the local cache processes the objects on the repository. So, it's at least theoretically possible. >> 2.2.3 Incomplete amount of objects: Incompleteness of RPKI objects could >> affect the global routing behavior. > > Are you talking about objects that are somehow deleted from the repository? > That should be something the manifest should detect, so again, if you come > up with a scenario, that would be interesting. > > Are you talking about the "missing" case of route validity? Different RPs > might respond differently to that, and the difference could have interesting effects on > routing - but that's true of any difference in local routing policy. > > Are you talking about the "clueless customer" case - a provider produces a > ROA for its aggregate before there are ROAs for its customers who are > advertising more specifics. This is indeed a recognized case - there's > guidance in the origin-ops (see page 5) draft with obligations (MUST) > to providers about this. Which is not to say it won't occur. > I mean the first case. It's would be at least possible through a replay attack and because of the missing authentication/confidentiality/integrity, a mitm attack is possible. An attacker could retain a whole dataset (ca certs including all data regarding this cert on the repository) belongs to a ca cert. As I understand the data structure, a rp wouldn't recognize that case?! >> 2.2.4 repository availability:A DoS attack could affect the availability >> of the Repository. > > Anything that affects the availability of the repository would be a problem - > DoS attack, power outage, site unreachable, etc., or even internal RP issues. > Certainly there are operational means to ameliorate the impact. Which is not to > say that it is not a problem. If your focus is on the effect on RPs, there's no > way for the RP to know the cause, so coming up with recommendations of how > to proceed could be tricky. The availability of the repository is important for an RP to get updated and could cause in expired objects. To identify the reason (attack, ...) is not my first intention. To identify that the problem arises is important to avoid i.e. expired objects. > --Sandy, speaking as regular ol' member > > Kind regards Demian From drosen2s@smail.inf.h-brs.de Tue Jan 14 08:15:54 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E94201AE164 for ; Tue, 14 Jan 2014 08:15:54 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.65 X-Spam-Level: X-Spam-Status: No, score=-1.65 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, J_CHICKENPOX_61=0.6, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a1y2GR1tpND4 for ; Tue, 14 Jan 2014 08:15:53 -0800 (PST) Received: from ux-2s11.inf.fh-bonn-rhein-sieg.de (ux-2s11.inf.fh-bonn-rhein-sieg.de [194.95.66.8]) by ietfa.amsl.com (Postfix) with ESMTP id 8C1941AE145 for ; Tue, 14 Jan 2014 08:15:53 -0800 (PST) Received: from [192.168.16.1] ([194.25.10.166]) (authenticated bits=0) by ux-2s11.inf.fh-bonn-rhein-sieg.de (8.14.4/8.14.4/Debian-4ska0) with ESMTP id s0EGFfgI021436 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for ; Tue, 14 Jan 2014 17:15:41 +0100 Message-ID: <52D562AA.3090309@smail.inf.h-brs.de> Date: Tue, 14 Jan 2014 17:15:38 +0100 From: Demian Rosenkranz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0 MIME-Version: 1.0 To: "sidr@ietf.org" References: <52D3FE0B.1080808@smail.inf.h-brs.de> <24B20D14B2CD29478C8D5D6E9CBB29F678F1DE97@HSV-MB002.huntsville.ads.sparta.com> <5d0fd135e7b94f38836297f58bca92fd@BLUPR09MB053.namprd09.prod.outlook.com> In-Reply-To: <5d0fd135e7b94f38836297f58bca92fd@BLUPR09MB053.namprd09.prod.outlook.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Auth: by SMTP AUTH @ ux-2s11 X-MIMEDefang-Info-ge: Gescannt in Inf@FH-BRS, Regeln s. MiniFAQ E-Mail/Mailscanner X-Scanned-By: MIMEDefang 2.73 Subject: Re: [sidr] Master thesis - RPKI X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Jan 2014 16:15:55 -0000 Correct, Im talking about really short lifetimes for ROAs (EE certificates). The RP software would be forced to cryptographically checks the objects again and again over short intervals. But long lifetimes for ROAs (EE certificates) mean at least bigger CRLs. This would be one benefit of short lifetimes. Kind regards Demian Am 14.01.2014 02:32, schrieb Sriram, Kotikalapudi: > Comments below. > > Sriram > >>> 2.2 System related >>> 2.2.1 Replay attack:A whole old dataset could replace a newer one and >>> could be still valid. >> >> That's one reason for the manifests. If you manage to come up with a >> scenario where replay occurred but was undetected by the manifest, it would >> be very interesting. >> >>> 2.2.2 Short lifetime attack: Recurring ROA sets with short lifetimes >>> could overload the RP software because of it's cryptographic checks. >> >> I think that might depend on whether the RP software is setup to re-sync with >> the repositories on a periodic basis on on events like expiration. >> >> Another interesting question is whether short lifetimes would cause churn in >> the routing space. > > I think Demian is speculating having short life-times for ROAs. > (May be you propose doing it by having short-lived certs for the prefix?) > I would like add/caution here is that I don't see any benefit or usefulness > for having short life-times for certificates/ROAs in this context. > It would increase churn a lot but provide no real benefit. > I think a better solution would be to revoke cert and issue CRL when such (rare) need arises. > Two scenarios as I see them are: > > (1) When prefix ownership changes: > When a prefix ownership changes, the CA will anyway generate a CRL > for the previous cert before issuing the new cert to the new owner. > The CRL would render the old ROA invalid. > If the certificate authority (e.g., ISP, RIR) is also the RPKI repository provider; > they must also delete from the repository any existing ROAs signed by > the revoked cert at the time of issuing the CRL. > > (2) When prefix ownership does not change but the originating AS changes: > The CA will revoke the previous cert and issue a new one for the same owner. > Again, the old ROAs can be deleted from the RPKI repository if CA has control. > The vulnerability period is only the duration until the CRL and manifests propagate in RPKI. > > I think using the revocation/CRL approach is need based, and such events occur rarely. > So I feel it is better than the short-lived prefix cert/ROA approach, which generates undesirable churn. > > Sriram > > > > > > From drosen2s@smail.inf.h-brs.de Tue Jan 14 08:27:17 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 191801AE0FD for ; Tue, 14 Jan 2014 08:27:17 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.229 X-Spam-Level: X-Spam-Status: No, score=-1.229 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, MISSING_HEADERS=1.021, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r6vK_uo0_W7H for ; Tue, 14 Jan 2014 08:27:15 -0800 (PST) Received: from ux-2s11.inf.fh-bonn-rhein-sieg.de (ux-2s11.inf.fh-bonn-rhein-sieg.de [194.95.66.8]) by ietfa.amsl.com (Postfix) with ESMTP id 8487A1AE117 for ; Tue, 14 Jan 2014 08:27:13 -0800 (PST) Received: from [192.168.16.1] ([194.25.10.166]) (authenticated bits=0) by ux-2s11.inf.fh-bonn-rhein-sieg.de (8.14.4/8.14.4/Debian-4ska0) with ESMTP id s0EGR0au023419 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for ; Tue, 14 Jan 2014 17:27:01 +0100 Message-ID: <52D56551.7030203@smail.inf.h-brs.de> Date: Tue, 14 Jan 2014 17:26:57 +0100 From: Demian Rosenkranz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0 MIME-Version: 1.0 CC: sidr@ietf.org References: <52D3FE0B.1080808@smail.inf.h-brs.de> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-15; format=flowed Content-Transfer-Encoding: 7bit X-Auth: by SMTP AUTH @ ux-2s11 X-MIMEDefang-Info-ge: Gescannt in Inf@FH-BRS, Regeln s. MiniFAQ E-Mail/Mailscanner X-Scanned-By: MIMEDefang 2.73 Subject: Re: [sidr] Master thesis - RPKI X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Jan 2014 16:27:17 -0000 Thanks! Actually I'm not really happy with this subdivision and I think I will change it. I tried to make it neatly arranged. Object related problems belong to a single object, that causes the "problem" and system related problems usually relate to whole datasets or the system at all. I'm open to suggestions :-) Kind regards Demian Am 14.01.2014 14:51, schrieb Matthias Waehlisch: > Hi Demian, > > nice work. I'm a little bit wondering about the classification. Can > you be a bit more specific how do you define "Object related" and > "Systems related"? > > For example, the "Short Lifetime Attack" is categorized under "Systems > related". However, it is directly related to the configuration of the > signed object; on the other hand, it harms the RP system. > > Does the classification reflects (a) which part of the system is > harmed, (b) which part is used to introduce problems, or (c) a mixture? > I think a clearer separation would be helpful. > > > > Thanks > matthias > > From kotikalapudi.sriram@nist.gov Tue Jan 14 15:38:36 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4E2C1ADFCD for ; Tue, 14 Jan 2014 15:38:36 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.601 X-Spam-Level: X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HdAwQFpgbAiU for ; Tue, 14 Jan 2014 15:38:34 -0800 (PST) Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0235.outbound.protection.outlook.com [207.46.163.235]) by ietfa.amsl.com (Postfix) with ESMTP id 243701ADBE5 for ; Tue, 14 Jan 2014 15:38:34 -0800 (PST) Received: from BLUPR09MB053.namprd09.prod.outlook.com (10.255.211.146) by BLUPR09MB054.namprd09.prod.outlook.com (10.255.211.148) with Microsoft SMTP Server (TLS) id 15.0.847.13; Tue, 14 Jan 2014 23:38:21 +0000 Received: from BLUPR09MB053.namprd09.prod.outlook.com ([169.254.14.203]) by BLUPR09MB053.namprd09.prod.outlook.com ([169.254.14.203]) with mapi id 15.00.0847.008; Tue, 14 Jan 2014 23:38:20 +0000 From: "Sriram, Kotikalapudi" To: Chris Morrow , sidr wg list , "sidr-ads@tools.ietf.org" , "Randy Bush (randy@psg.com)" Thread-Topic: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Thread-Index: AQHPDm3wnSnUj8c+U0aEK9MFBqOGz5qE4now Date: Tue, 14 Jan 2014 23:38:20 +0000 Message-ID: References: <52D072F6.9030304@ops-netman.net> <52D0A0AC.5040903@ops-netman.net> In-Reply-To: <52D0A0AC.5040903@ops-netman.net> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [129.6.140.100] x-forefront-prvs: 0091C8F1EB x-forefront-antispam-report: SFV:NSPM; SFS:(10009001)(679001)(689001)(779001)(189002)(199002)(87936001)(56816005)(85852003)(81542001)(50986001)(47976001)(85306002)(80976001)(65816001)(66066001)(2656002)(74706001)(54316002)(81342001)(93516001)(92566001)(56776001)(33646001)(83072002)(49866001)(4396001)(90146001)(74876001)(80022001)(47736001)(79102001)(69226001)(81816001)(76796001)(76576001)(81686001)(51856001)(63696002)(74662001)(74502001)(47446002)(31966008)(76786001)(59766001)(83322001)(77982001)(74316001)(74366001)(77096001)(46102001)(87266001)(93136001)(76482001)(53806001)(54356001)(24736002); DIR:OUT; SFP:1101; SCL:1; SRVR:BLUPR09MB054; H:BLUPR09MB053.namprd09.prod.outlook.com; CLIP:129.6.140.100; FPR:; MLV:nspm; RD:InfoNoRecords; MX:1; A:1; LANG:en; Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: nist.gov Subject: Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Jan 2014 23:38:37 -0000 I support publication of this document as an RFC. I have some comments listed below that are meant to help improve clarity. 3.2 (current) A BGPsec design must allow the receiver of a BGP announcement= to determine, to a strong level of certainty, that the received PATH attr= ibute accurately represents the sequence of eBGP exchanges that propagated = the prefix from the origin AS to the receiver, particularly if an AS has ad= ded or deleted any AS number other than its own in the path attribute. Thi= s includes modification to the number of AS prepends. 3.2 (suggested rewording) A BGPsec design must allow the receiver of a BGP = announcement to determine, to a strong level of certainty, that the receiv= ed PATH attribute accurately represents the sequence of eBGP exchanges that= propagated the prefix from the origin AS to the receiver. Specifically, if= an AS has deleted any ASN from the AS PATH it received or added an ASN oth= er than its own then the verification of the update (if propagated) MUST fa= il at its neighboring BGPsec routers. This includes modification to the n= umber of AS prepends, i.e. an AS in the path MUST NOT be able to modify the= AS prepends (if any) of preceding ASs in the AS PATH. 3.4 (current) A BGPsec design MUST be amenable to incremental deployment. T= his implies that incompatible protocol capabilities MUST be negotiated. =20 "Negotiating incompatible protocol" -- the phrase doesn't sound right to me= . 3.4 (suggested rewording) A BGPsec design MUST be amenable to incremental d= eployment. This implies that a BGPsec capable router MUST be backward compa= tible and MUST negotiate BGP-4 protocol with a BGP-4 only neighbor, and MU= ST interoperate with the BGP-4 only neighbor. =20 3.4 and 3.13 are related (overlapping). You may consider combining them. In 3.14, this statement "Such mechanisms SHOULD conform with [I-D.ietf-sid= r-ltamgmt]" seems a bit abrupt. You should state what in [I-D.ietf-sidr-lta= mgmt] is relevant here to "best path and other routing decisions." Note: Y= ou do speak about [I-D.ietf-sidr-ltamgmt] more specifically again in 3.17. Sriram From wwwrun@rfc-editor.org Tue Jan 14 21:19:30 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA1A91AE2D3; Tue, 14 Jan 2014 21:19:30 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.44 X-Spam-Level: X-Spam-Status: No, score=-2.44 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.538, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ckfGupqzTPaQ; Tue, 14 Jan 2014 21:19:27 -0800 (PST) Received: from rfc-editor.org (rfc-editor.org [IPv6:2607:f170:8000:1500::d3]) by ietfa.amsl.com (Postfix) with ESMTP id 4A02C1AE2C1; Tue, 14 Jan 2014 21:19:27 -0800 (PST) Received: by rfc-editor.org (Postfix, from userid 30) id CC0FD7FC39A; Tue, 14 Jan 2014 21:19:15 -0800 (PST) To: ietf-announce@ietf.org, rfc-dist@rfc-editor.org From: rfc-editor@rfc-editor.org Message-Id: <20140115051915.CC0FD7FC39A@rfc-editor.org> Date: Tue, 14 Jan 2014 21:19:15 -0800 (PST) Cc: drafts-update-ref@iana.org, sidr@ietf.org, rfc-editor@rfc-editor.org Subject: [sidr] BCP 185, RFC 7115 on Origin Validation Operation Based on the Resource Public Key Infrastructure (RPKI) X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Jan 2014 05:19:30 -0000 A new Request for Comments is now available in online RFC libraries. BCP 185 RFC 7115 Title: Origin Validation Operation Based on the Resource Public Key Infrastructure (RPKI) Author: R. Bush Status: Best Current Practice Stream: IETF Date: January 2014 Mailbox: randy@psg.com Pages: 11 Characters: 26033 See Also: BCP 185 I-D Tag: draft-ietf-sidr-origin-ops-23.txt URL: http://www.rfc-editor.org/rfc/rfc7115.txt Deployment of BGP origin validation that is based on the Resource Public Key Infrastructure (RPKI) has many operational considerations. This document attempts to collect and present those that are most critical. It is expected to evolve as RPKI-based origin validation continues to be deployed and the dynamics are better understood. This document is a product of the Secure Inter-Domain Routing Working Group of the IETF. BCP: This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Distribution of this memo is unlimited. This announcement is sent to the IETF-Announce and rfc-dist lists. To subscribe or unsubscribe, see http://www.ietf.org/mailman/listinfo/ietf-announce http://mailman.rfc-editor.org/mailman/listinfo/rfc-dist For searching the RFC series, see http://www.rfc-editor.org/search/rfc_search.php For downloading RFCs, see http://www.rfc-editor.org/rfc.html Requests for special distribution should be addressed to either the author of the RFC in question, or to rfc-editor@rfc-editor.org. Unless specifically noted otherwise on the RFC itself, all RFCs are for unlimited distribution. The RFC Editor Team Association Management Solutions, LLC From kotikalapudi.sriram@nist.gov Wed Jan 15 09:22:37 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A5E31ADFAE for ; Wed, 15 Jan 2014 09:22:37 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.601 X-Spam-Level: X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id my4mj6nS0PCF for ; Wed, 15 Jan 2014 09:22:35 -0800 (PST) Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0203.outbound.protection.outlook.com [207.46.163.203]) by ietfa.amsl.com (Postfix) with ESMTP id 80D0A1ADF7F for ; Wed, 15 Jan 2014 09:22:35 -0800 (PST) Received: from BLUPR09MB053.namprd09.prod.outlook.com (10.255.211.146) by BLUPR09MB053.namprd09.prod.outlook.com (10.255.211.146) with Microsoft SMTP Server (TLS) id 15.0.847.13; Wed, 15 Jan 2014 17:22:15 +0000 Received: from BLUPR09MB053.namprd09.prod.outlook.com ([169.254.14.203]) by BLUPR09MB053.namprd09.prod.outlook.com ([169.254.14.203]) with mapi id 15.00.0847.008; Wed, 15 Jan 2014 17:22:15 +0000 From: "Sriram, Kotikalapudi" To: Demian Rosenkranz , "sidr@ietf.org" Thread-Topic: [sidr] Master thesis - RPKI Thread-Index: AQHPEIPUW2CXk5SPXEaR2EKfTmaE1pqDYy3AgAEDhACAAXu0cA== Date: Wed, 15 Jan 2014 17:22:15 +0000 Message-ID: <117b37a9b60e4417b41381ebdde53414@BLUPR09MB053.namprd09.prod.outlook.com> References: <52D3FE0B.1080808@smail.inf.h-brs.de> <24B20D14B2CD29478C8D5D6E9CBB29F678F1DE97@HSV-MB002.huntsville.ads.sparta.com> <5d0fd135e7b94f38836297f58bca92fd@BLUPR09MB053.namprd09.prod.outlook.com> <52D562AA.3090309@smail.inf.h-brs.de> In-Reply-To: <52D562AA.3090309@smail.inf.h-brs.de> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [129.6.140.100] x-forefront-prvs: 00922518D8 x-forefront-antispam-report: SFV:NSPM; SFS:(10009001)(779001)(679001)(689001)(243025003)(189002)(199002)(51704005)(31966008)(15975445006)(85306002)(87266001)(19580405001)(59766001)(77982001)(47446002)(76786001)(79102001)(76576001)(69226001)(74502001)(74662001)(51856001)(81816001)(63696002)(76482001)(54356001)(53806001)(46102001)(83322001)(19580395003)(81686001)(74366001)(74316001)(80976001)(77096001)(15202345003)(83072002)(80022001)(85852003)(66066001)(33646001)(65816001)(87936001)(81542001)(2656002)(50986001)(74876001)(47976001)(90146001)(4396001)(56816005)(49866001)(76796001)(47736001)(56776001)(93136001)(81342001)(74706001)(92566001)(54316002)(93516002)(24736002); DIR:OUT; SFP:1101; SCL:1; SRVR:BLUPR09MB053; H:BLUPR09MB053.namprd09.prod.outlook.com; CLIP:129.6.140.100; FPR:; MLV:nspm; RD:InfoNoRecords; MX:1; A:1; LANG:en; Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: nist.gov Subject: Re: [sidr] Master thesis - RPKI X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Jan 2014 17:22:37 -0000 >From: sidr [mailto:sidr-bounces@ietf.org] On Behalf Of Demian Rosenkranz > >Correct, Im talking about really short lifetimes for ROAs (EE certificates= ). The >RP software would be forced to cryptographically checks the objects again >and again over short intervals. >But long lifetimes for ROAs (EE certificates) mean at least bigger CRLs. >This would be one benefit of short lifetimes. > Even if about a few hundred origination-change events occur in a year that = require=20 ROA-EE-certificate rollover, you are dealing with an increase of merely jus= t that many=20 additional entries in the CRL (with the long-lifetime ROAs and revocation a= pproach). If instead short lifetimes are used, then 500,000 certs and ROAs would be p= ropagated in the RPKI system periodically in each of those short intervals.=20 The latter seems to be a much bigger price to pay. But if you can provide further analysis and insight in your thesis,=20 it would be very welcome. We discussed and quantified these types choices and trade-offs earlier=20 not in the context of ROA (EE cert) lifetimes, but in the context=20 of AS or router key rollover mechanisms to mitigate BGPSEC update replay at= tacks. Please see: http://tools.ietf.org/html/draft-sriram-replay-protection-design-discussion= -02=20 http://www.ietf.org/proceedings/85/slides/slides-85-sidr-4.pdf http://tools.ietf.org/html/draft-ietf-sidr-bgpsec-rollover-02=20 Sriram From kotikalapudi.sriram@nist.gov Wed Jan 15 09:49:59 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84D911AE304 for ; Wed, 15 Jan 2014 09:49:59 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.601 X-Spam-Level: X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mbos6Ob0mrDY for ; Wed, 15 Jan 2014 09:49:57 -0800 (PST) Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0238.outbound.protection.outlook.com [207.46.163.238]) by ietfa.amsl.com (Postfix) with ESMTP id C26121AE13D for ; Wed, 15 Jan 2014 09:49:57 -0800 (PST) Received: from BLUPR09MB053.namprd09.prod.outlook.com (10.255.211.146) by BLUPR09MB054.namprd09.prod.outlook.com (10.255.211.148) with Microsoft SMTP Server (TLS) id 15.0.847.13; Wed, 15 Jan 2014 17:49:39 +0000 Received: from BLUPR09MB053.namprd09.prod.outlook.com ([169.254.14.203]) by BLUPR09MB053.namprd09.prod.outlook.com ([169.254.14.203]) with mapi id 15.00.0847.008; Wed, 15 Jan 2014 17:49:38 +0000 From: "Sriram, Kotikalapudi" To: Matthias Waehlisch Thread-Topic: [sidr] Master thesis - RPKI Thread-Index: AQHPEIPUW2CXk5SPXEaR2EKfTmaE1pqDYy3AgADba4CAAc4H0A== Date: Wed, 15 Jan 2014 17:49:37 +0000 Message-ID: <71b374bea40f4b8d8e2f4e3f30fc6081@BLUPR09MB053.namprd09.prod.outlook.com> References: <52D3FE0B.1080808@smail.inf.h-brs.de> <24B20D14B2CD29478C8D5D6E9CBB29F678F1DE97@HSV-MB002.huntsville.ads.sparta.com> <5d0fd135e7b94f38836297f58bca92fd@BLUPR09MB053.namprd09.prod.outlook.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [129.6.140.100] x-forefront-prvs: 00922518D8 x-forefront-antispam-report: SFV:NSPM; SFS:(10009001)(779001)(679001)(689001)(199002)(189002)(51704005)(31966008)(76786001)(19580395003)(83322001)(77982001)(59766001)(76796001)(81686001)(76576001)(81816001)(69226001)(74662001)(74502001)(47446002)(51856001)(63696002)(19580405001)(93516002)(54356001)(53806001)(93136001)(76482001)(74316001)(74366001)(46102001)(87266001)(77096001)(80976001)(2656002)(66066001)(65816001)(87936001)(81542001)(85852003)(56816005)(47976001)(85306002)(50986001)(74706001)(90146001)(74876001)(49866001)(83072002)(4396001)(79102001)(47736001)(80022001)(54316002)(81342001)(33646001)(56776001)(92566001)(24736002); DIR:OUT; SFP:1101; SCL:1; SRVR:BLUPR09MB054; H:BLUPR09MB053.namprd09.prod.outlook.com; CLIP:129.6.140.100; FPR:; MLV:nspm; RD:InfoNoRecords; A:1; MX:1; LANG:en; Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: nist.gov Cc: "sidr@ietf.org" Subject: Re: [sidr] Master thesis - RPKI X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Jan 2014 17:49:59 -0000 >From: Matthias Waehlisch [mailto:waehlisch@ieee.org] >Hi Sriram, > > just a quick remark regarding "such events occur rarely". I would say th= at this >depends on the scenario behind. If you consider complexity attacks, for ex= ample, >where a prefix owner malicously changes ROAs, those event can occur often. > Just to understand the "complexity" attacker's purpose, what is he trying t= o accomplish by changing his prefix's origination AS (and hence ROA) frequently?=20 Do you mean that he can bloat the CRL into something huge by=20 repeatedly issuing many EE certs and their revocations? Sriram=20 From waehlisch@ieee.org Wed Jan 15 15:35:20 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 391AE1AE246 for ; Wed, 15 Jan 2014 15:35:20 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.885 X-Spam-Level: X-Spam-Status: No, score=-0.885 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, SPF_SOFTFAIL=0.665] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ov6aBQMYQ1Ik for ; Wed, 15 Jan 2014 15:35:18 -0800 (PST) Received: from mail1.rz.htw-berlin.de (mail1.rz.htw-berlin.de [141.45.10.101]) by ietfa.amsl.com (Postfix) with ESMTP id 6AD121AE0D0 for ; Wed, 15 Jan 2014 15:35:18 -0800 (PST) Envelope-to: sidr@ietf.org Received: from g231226152.adsl.alicedsl.de ([92.231.226.152] helo=mw-PC.fritz.box) by mail1.rz.htw-berlin.de with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.77 (FreeBSD)) (envelope-from ) id 1W3ZzF-000AZi-Kx; Thu, 16 Jan 2014 00:35:05 +0100 Date: Thu, 16 Jan 2014 00:35:00 +0100 From: Matthias Waehlisch To: "Sriram, Kotikalapudi" In-Reply-To: <71b374bea40f4b8d8e2f4e3f30fc6081@BLUPR09MB053.namprd09.prod.outlook.com> Message-ID: References: <52D3FE0B.1080808@smail.inf.h-brs.de> <24B20D14B2CD29478C8D5D6E9CBB29F678F1DE97@HSV-MB002.huntsville.ads.sparta.com> <5d0fd135e7b94f38836297f58bca92fd@BLUPR09MB053.namprd09.prod.outlook.com> <71b374bea40f4b8d8e2f4e3f30fc6081@BLUPR09MB053.namprd09.prod.outlook.com> X-X-Sender: mw@mail2.rz.fhtw-berlin.de MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-HTW-SPAMINFO: this message was scanned by eXpurgate (http://www.eleven.de) X-HTW-DELIVERED-TO: sidr@ietf.org Cc: "sidr@ietf.org" Subject: Re: [sidr] Master thesis - RPKI X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Jan 2014 23:35:20 -0000 Hi Sriram, On Wed, 15 Jan 2014, Sriram, Kotikalapudi wrote: > > just a quick remark regarding "such events occur rarely". I would say that this > >depends on the scenario behind. If you consider complexity attacks, for example, > >where a prefix owner malicously changes ROAs, those event can occur often. > > > Just to understand the "complexity" attacker's purpose, what is he trying to accomplish > by changing his prefix's origination AS (and hence ROA) frequently? > Do you mean that he can bloat the CRL into something huge by > repeatedly issuing many EE certs and their revocations? > there are different angles. Introducing a high ROA churn may not only harm the RP but also the router (heavy operations on the prefix table ...). Overall purpose would be to create worst-case load on data structures. We started some analysis on this but didn't finish. My main point was that "such events occur rarely" under normal conditions. But any owner of a prefix is free to create/update/delete ROAs on much smaller time scale. Or did you mean the (configured) cache update time with "rarely"? Cheers matthias -- Matthias Waehlisch . Freie Universitaet Berlin, Inst. fuer Informatik, AG CST . Takustr. 9, D-14195 Berlin, Germany .. mailto:waehlisch@ieee.org .. http://www.inf.fu-berlin.de/~waehl :. Also: http://inet.cpt.haw-hamburg.de .. http://www.link-lab.net From kotikalapudi.sriram@nist.gov Thu Jan 16 09:06:04 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7026B1AE3A2 for ; Thu, 16 Jan 2014 09:06:04 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.601 X-Spam-Level: X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lYYqGdS5Mevf for ; Thu, 16 Jan 2014 09:06:02 -0800 (PST) Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0205.outbound.protection.outlook.com [207.46.163.205]) by ietfa.amsl.com (Postfix) with ESMTP id 49AD61AE369 for ; Thu, 16 Jan 2014 09:06:02 -0800 (PST) Received: from BLUPR09MB053.namprd09.prod.outlook.com (10.255.211.146) by BLUPR09MB055.namprd09.prod.outlook.com (10.255.211.152) with Microsoft SMTP Server (TLS) id 15.0.847.13; Thu, 16 Jan 2014 17:05:49 +0000 Received: from BLUPR09MB053.namprd09.prod.outlook.com ([169.254.14.203]) by BLUPR09MB053.namprd09.prod.outlook.com ([169.254.14.203]) with mapi id 15.00.0847.008; Thu, 16 Jan 2014 17:05:48 +0000 From: "Sriram, Kotikalapudi" To: Matthias Waehlisch Thread-Topic: [sidr] Master thesis - RPKI Thread-Index: AQHPEIPUW2CXk5SPXEaR2EKfTmaE1pqDYy3AgADba4CAAc4H0IAAZykAgAEYKLA= Date: Thu, 16 Jan 2014 17:05:47 +0000 Message-ID: <3a88a5cd710f41c09732695a00568da7@BLUPR09MB053.namprd09.prod.outlook.com> References: <52D3FE0B.1080808@smail.inf.h-brs.de> <24B20D14B2CD29478C8D5D6E9CBB29F678F1DE97@HSV-MB002.huntsville.ads.sparta.com> <5d0fd135e7b94f38836297f58bca92fd@BLUPR09MB053.namprd09.prod.outlook.com> <71b374bea40f4b8d8e2f4e3f30fc6081@BLUPR09MB053.namprd09.prod.outlook.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [129.6.140.100] x-forefront-prvs: 0093C80C01 x-forefront-antispam-report: SFV:NSPM; SFS:(10009001)(689001)(679001)(779001)(189002)(199002)(51704005)(51914003)(2656002)(87936001)(59766001)(63696002)(92566001)(77982001)(65816001)(79102001)(85852003)(54316002)(83072002)(56776001)(66066001)(56816005)(90146001)(74876001)(80022001)(74706001)(74316001)(85306002)(74662001)(83322001)(53806001)(81686001)(50986001)(49866001)(47976001)(47736001)(81816001)(74502001)(47446002)(76796001)(77096001)(76576001)(87266001)(81342001)(76786001)(31966008)(93136001)(80976001)(76482001)(4396001)(33646001)(51856001)(46102001)(81542001)(74366001)(54356001)(69226001)(93516002)(24736002); DIR:OUT; SFP:1101; SCL:1; SRVR:BLUPR09MB055; H:BLUPR09MB053.namprd09.prod.outlook.com; CLIP:129.6.140.100; FPR:; MLV:nspm; RD:InfoNoRecords; MX:1; A:1; LANG:en; Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: nist.gov Cc: "sidr@ietf.org" Subject: Re: [sidr] Master thesis - RPKI X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 16 Jan 2014 17:06:04 -0000 >> Just to understand the "complexity" attacker's purpose, what is he >> trying to accomplish by changing his prefix's origination AS (and hence = ROA) >frequently? >> Do you mean that he can bloat the CRL into something huge by >> repeatedly issuing many EE certs and their revocations? >> > there are different angles. Introducing a high ROA churn may not only ha= rm the >RP but also the router (heavy operations on the prefix table ...). Overall= purpose >would be to create worst-case load on data structures. We started some >analysis on this but didn't finish. > > My main point was that "such events occur rarely" under normal condition= s. >But any owner of a prefix is free to create/update/delete ROAs on much sma= ller >time scale. Or did you mean the (configured) cache update time with "rarel= y"? > OK, thanks for the clarification. The deterrence/defense against a prefix owner maliciously creating thousand= s of ROAs to conduct some kind of DOS attack would be: 1. He probably has RPKI repository service with an ISP. The ISP would detec= t the suspicious nature of it, and would limit him in some way. 2. If he maintains an RPKI repository himself, his repository's reputation = will suffer and will be likely soon be black listed for having excessive/suspicious qua= ntity of RPKI objects, e.g., way too may ROAs signed by the same prefix cert (key). (The operator community would want to maintain a "repository reputation dat= abase".) 3. The RPKI repositories/servers can set a generous threshold on # ROAs per= prefix, and reject all the ROAs for that prefix if the threshold is exceeded. 4. Any fictitious ROAs with unregistered/unallocated ASNs will get rejected= , so he could only perhaps register at most 50,000 or so ROAs (one for each legi= t AS in the universe). I think one bad guy creating 50,000 ROAs will not overwhelm the global RPKI= system. But before he gets there, the other mechanisms (#1, #2, #3 above) will limi= t him anyway.=20 5. I think you would be right in saying that "cache update time" or RPKI pr= opagation delay will limit him if the concern is about how frequently he propagates t= he ROAs. =20 Sriram=20 =20 From keyupate@cisco.com Thu Jan 16 09:56:52 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08BC01A1DFA for ; Thu, 16 Jan 2014 09:56:52 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -15.039 X-Spam-Level: X-Spam-Status: No, score=-15.039 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.538, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RI1V8M99ihkP for ; Thu, 16 Jan 2014 09:56:50 -0800 (PST) Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) by ietfa.amsl.com (Postfix) with ESMTP id 56DDE1A16F0 for ; Thu, 16 Jan 2014 09:56:50 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1695; q=dns/txt; s=iport; t=1389894998; x=1391104598; h=from:to:subject:date:message-id:in-reply-to:content-id: content-transfer-encoding:mime-version; bh=sQQ7HHui5J/NJmrFP/zxrTO7wbl6H5i1302cRmmzJj0=; b=Wr5cbkuqovXxGeUV2NltoaE7u7kUMeKF4dnv3IhloG7ILc9JqLZfS+D1 BfCZypF4FDnEQ4hY4biU/Jv7U1Ng9iY1zUv6zwoG3xSrlSAhqNkaRP7Ug Vs7e5fLVfake1Ad2qcPCkxYDqhIzgm3OGehkyEkCkzj5d0/MkWUxntnfv s=; X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AjEFABIc2FKtJV2Y/2dsb2JhbABZgws4VrsLgQ4WdIIlAQEBBAEBARodNB0BCBEEAQEfNwsdCAIEARKIBA3EdBePBoQ4BJghgTGQZoMtgio X-IronPort-AV: E=Sophos;i="4.95,668,1384300800"; d="scan'208";a="297759333" Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by rcdn-iport-2.cisco.com with ESMTP; 16 Jan 2014 17:56:38 +0000 Received: from xhc-aln-x11.cisco.com (xhc-aln-x11.cisco.com [173.36.12.85]) by rcdn-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id s0GHucZv003904 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 16 Jan 2014 17:56:38 GMT Received: from xmb-aln-x09.cisco.com ([169.254.4.228]) by xhc-aln-x11.cisco.com ([173.36.12.85]) with mapi id 14.03.0123.003; Thu, 16 Jan 2014 11:56:37 -0600 From: "Keyur Patel (keyupate)" To: "Murphy, Sandra" , Chris Morrow , "sidr-chairs@tools.ietf.org" , sidr wg list Thread-Topic: [sidr] WG Adoption: draft-ymbk-lta-use-cases Thread-Index: AQHPEuRMfghGMjB9QUqSXi3PEnlzew== Date: Thu, 16 Jan 2014 17:56:37 +0000 Message-ID: In-Reply-To: <24B20D14B2CD29478C8D5D6E9CBB29F678F1DBD3@HSV-MB002.huntsville.ads.sparta.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: user-agent: Microsoft-MacOutlook/14.13.0.110805 x-originating-ip: [128.107.158.19] Content-Type: text/plain; charset="us-ascii" Content-ID: Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Subject: Re: [sidr] WG Adoption: draft-ymbk-lta-use-cases X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 16 Jan 2014 17:56:52 -0000 Support adoption. Regards, Keyur On 1/10/14 12:33 PM, "Murphy, Sandra" wrote: >There were four responses to this adoption call, all positive. But four >is not a strong indication of wg wishes here. > >Can others please look at this and speak up as to whether you do or do >not support adoption? > >Recall: silence does not indicate interest. > >We give this another two weeks (for people who are taking a Christmas >present holiday in some warm climate). > >Repond by 24 Jan 2014. Please. > >--Sandy, speaking as wg co-chair >________________________________________ >From: Chris Morrow [morrowc@ops-netman.net] >Sent: Tuesday, November 26, 2013 8:39 PM >To: sidr-chairs@tools.ietf.org; sidr wg list >Subject: WG Adoption: draft-ymbk-lta-use-cases > >Howdy gentle WG folks, >The authors of: > > >are interested in starting a WG Adoption call for this piece of scribed >text. It would be good if other folk also agreed about the adoption. > >The abstract says: > "There are a number of critical circumstances where a localized > routing domain needs to augment or modify the Global RPKI. This > document attempts to outline a few of them." > >Please consider this a 'WG Adoption' call, and let's attempt to close >this out by: > 12/9/2013 or 9/12/2013 or Ninth December Twenty-Thirteen or ... you >get the point, see you in 2 weeks with (hopefully) clear direction from >the folks behind the emailz. > >-chris >co-chair >_______________________________________________ >sidr mailing list >sidr@ietf.org >https://www.ietf.org/mailman/listinfo/sidr From bhavani@cisco.com Thu Jan 16 11:17:15 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32F4A1AC404 for ; Thu, 16 Jan 2014 11:17:15 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -15.039 X-Spam-Level: X-Spam-Status: No, score=-15.039 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.538, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VhUwfr2VfsHz for ; Thu, 16 Jan 2014 11:17:13 -0800 (PST) Received: from mtv-iport-4.cisco.com (mtv-iport-4.cisco.com [173.36.130.15]) by ietfa.amsl.com (Postfix) with ESMTP id B0E9D1A1F66 for ; Thu, 16 Jan 2014 11:17:13 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=699; q=dns/txt; s=iport; t=1389899821; x=1391109421; h=message-id:date:from:mime-version:to:subject:references: in-reply-to:content-transfer-encoding; bh=DIboJul5yHjFKp2Kk4NQsookyF1XZtkiYJ+C7N0NLkU=; b=hWXUMQ+lYN0vlVUGWMSDaQr9mUDghr3nZQzBlDbNRXYcTIctObZ1DmXh MyAIFeuww0ns0LHR9OJmqjpY4oWBvkwaNdCVTQyJsRV36mQPnAWOixtz/ FXccNj0KcXXJ0wKsSTySjZKNSoNM6JUibD9IGObRMRM/IUrWQzsh3PQXf E=; X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AjAFAM4u2FKrRDoH/2dsb2JhbABZgws4u2aBDxZ0giUBAQEEAQEBNTYKEQsYCRYPCQMCAQIBFTATBgIBAYd/DsUiEwSPBhaEIgEDiUeOWoZGi1GDThs X-IronPort-AV: E=Sophos;i="4.95,669,1384300800"; d="scan'208";a="103119243" Received: from mtv-core-2.cisco.com ([171.68.58.7]) by mtv-iport-4.cisco.com with ESMTP; 16 Jan 2014 19:17:01 +0000 Received: from [10.21.66.145] (sjc-vpn3-657.cisco.com [10.21.66.145]) by mtv-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id s0GJH02g003246 for ; Thu, 16 Jan 2014 19:17:01 GMT Message-ID: <52D8302C.5020508@cisco.com> Date: Thu, 16 Jan 2014 11:17:00 -0800 From: Bhavani Parise User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.2.0 MIME-Version: 1.0 To: sidr@ietf.org References: <52954D51.5020808@ops-netman.net> <24B20D14B2CD29478C8D5D6E9CBB29F678F1DBD3@HSV-MB002.huntsville.ads.sparta.com>, <24B20D14B2CD29478C8D5D6E9CBB29F678F1DE00@HSV-MB002.huntsville.ads.sparta.com> In-Reply-To: <24B20D14B2CD29478C8D5D6E9CBB29F678F1DE00@HSV-MB002.huntsville.ads.sparta.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [sidr] WG Adoption: draft-ymbk-lta-use-cases X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 16 Jan 2014 19:17:15 -0000 support adoption -Bhavani On 1/13/14 5:41 AM, Murphy, Sandra wrote: > On Fri, 10 Jan 2014, Randy Bush said: > > >>> There were four responses to this adoption call, all positive. But >>> four is not a strong indication of wg wishes here. >> note that the wg meeting in berlin asked for a requirements draft > I hear you, and I heard the comments. But the wg is supposed to speak on the list. > > Perhaps those who spoke up in the meeting about this could type a word or two into a message to the list. > > --Sandy. speaking as wg co-chair > _______________________________________________ > sidr mailing list > sidr@ietf.org > https://www.ietf.org/mailman/listinfo/sidr > From rogaglia@cisco.com Thu Jan 16 15:41:53 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B33A61AD8F5 for ; Thu, 16 Jan 2014 15:41:53 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -10.039 X-Spam-Level: X-Spam-Status: No, score=-10.039 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.538, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id efhRoz4lReIM for ; Thu, 16 Jan 2014 15:41:52 -0800 (PST) Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com [173.37.142.91]) by ietfa.amsl.com (Postfix) with ESMTP id 2C3041AD8EE for ; Thu, 16 Jan 2014 15:41:52 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1787; q=dns/txt; s=iport; t=1389915700; x=1391125300; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=q9AuXiPsBDywQxyfuFBfeOcPWZlZLm7OTpluuhbRBXc=; b=D9spOsl3v+5Rkw8BakYYCWnXhmfEJC4vJ6AR0GoRTgX1QR/WYQFW3d/N zYdmvvxmh9/yCxO9EhP4IddnCJqWgBQ5MpgFe2jtB0k2j61HUspEZ5vJU Dx51cGib3ZtrAoGqG2oDV/QirkTGvLxNdVp1T4x7TuV2zSo99WDnDQw9h E=; X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AjEFAHdf2FKtJXHA/2dsb2JhbABZgws4VrsRgQ8WdIIlAQEBAwEBAQEaHTQLBQsCAQgRBAEBHxAnCx0IAgQOBYd8CA3FNBeOTDMHgySBFASTeYQogTGQZoMtgio X-IronPort-AV: E=Sophos;i="4.95,670,1384300800"; d="scan'208";a="13460875" Received: from rcdn-core2-5.cisco.com ([173.37.113.192]) by alln-iport-4.cisco.com with ESMTP; 16 Jan 2014 23:41:39 +0000 Received: from xhc-rcd-x03.cisco.com (xhc-rcd-x03.cisco.com [173.37.183.77]) by rcdn-core2-5.cisco.com (8.14.5/8.14.5) with ESMTP id s0GNfdX1016089 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 16 Jan 2014 23:41:39 GMT Received: from xmb-rcd-x02.cisco.com ([169.254.4.29]) by xhc-rcd-x03.cisco.com ([173.37.183.77]) with mapi id 14.03.0123.003; Thu, 16 Jan 2014 17:41:39 -0600 From: "Roque Gagliano (rogaglia)" To: "Murphy, Sandra" Thread-Topic: [sidr] WG Adoption: draft-ymbk-lta-use-cases Thread-Index: AQHPExSAoZU+eZPzrk6A3cBc+T7rug== Date: Thu, 16 Jan 2014 23:41:39 +0000 Message-ID: <0BD924CC-09B3-4DA7-8897-D62E3A6FFC15@cisco.com> References: <52954D51.5020808@ops-netman.net> <24B20D14B2CD29478C8D5D6E9CBB29F678F1DBD3@HSV-MB002.huntsville.ads.sparta.com> In-Reply-To: <24B20D14B2CD29478C8D5D6E9CBB29F678F1DBD3@HSV-MB002.huntsville.ads.sparta.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.61.100.75] Content-Type: text/plain; charset="us-ascii" Content-ID: <684CBA6577646C4E979502C336F82A37@emea.cisco.com> Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Cc: Chris Morrow , "sidr-chairs@tools.ietf.org" , sidr wg list Subject: Re: [sidr] WG Adoption: draft-ymbk-lta-use-cases X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 16 Jan 2014 23:41:53 -0000 I support adoption. I think it is important work. Roque On Jan 10, 2014, at 9:33 PM, "Murphy, Sandra" w= rote: > There were four responses to this adoption call, all positive. But four = is not a strong indication of wg wishes here. >=20 > Can others please look at this and speak up as to whether you do or do no= t support adoption? >=20 > Recall: silence does not indicate interest. >=20 > We give this another two weeks (for people who are taking a Christmas pre= sent holiday in some warm climate). >=20 > Repond by 24 Jan 2014. Please. >=20 > --Sandy, speaking as wg co-chair > ________________________________________ > From: Chris Morrow [morrowc@ops-netman.net] > Sent: Tuesday, November 26, 2013 8:39 PM > To: sidr-chairs@tools.ietf.org; sidr wg list > Subject: WG Adoption: draft-ymbk-lta-use-cases >=20 > Howdy gentle WG folks, > The authors of: > >=20 > are interested in starting a WG Adoption call for this piece of scribed > text. It would be good if other folk also agreed about the adoption. >=20 > The abstract says: > "There are a number of critical circumstances where a localized > routing domain needs to augment or modify the Global RPKI. This > document attempts to outline a few of them." >=20 > Please consider this a 'WG Adoption' call, and let's attempt to close > this out by: > 12/9/2013 or 9/12/2013 or Ninth December Twenty-Thirteen or ... you > get the point, see you in 2 weeks with (hopefully) clear direction from > the folks behind the emailz. >=20 > -chris > co-chair > _______________________________________________ > sidr mailing list > sidr@ietf.org > https://www.ietf.org/mailman/listinfo/sidr From drosen2s@smail.inf.h-brs.de Fri Jan 17 04:30:15 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65C731AE093 for ; Fri, 17 Jan 2014 04:30:15 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.25 X-Spam-Level: X-Spam-Status: No, score=-2.25 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EQc4DpF52lZ9 for ; Fri, 17 Jan 2014 04:30:12 -0800 (PST) Received: from ux-2s11.inf.fh-bonn-rhein-sieg.de (ux-2s11.inf.fh-bonn-rhein-sieg.de [194.95.66.8]) by ietfa.amsl.com (Postfix) with ESMTP id 298F41AE097 for ; Fri, 17 Jan 2014 04:30:12 -0800 (PST) Received: from [192.168.14.106] ([62.153.176.78]) (authenticated bits=0) by ux-2s11.inf.fh-bonn-rhein-sieg.de (8.14.4/8.14.4/Debian-4ska0) with ESMTP id s0HCTvSj003205 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for ; Fri, 17 Jan 2014 13:29:58 +0100 Message-ID: <52D92241.9070401@smail.inf.h-brs.de> Date: Fri, 17 Jan 2014 13:29:53 +0100 From: Demian Rosenkranz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0 MIME-Version: 1.0 To: "sidr@ietf.org" References: <52D3FE0B.1080808@smail.inf.h-brs.de> <24B20D14B2CD29478C8D5D6E9CBB29F678F1DE97@HSV-MB002.huntsville.ads.sparta.com> <5d0fd135e7b94f38836297f58bca92fd@BLUPR09MB053.namprd09.prod.outlook.com> <52D562AA.3090309@smail.inf.h-brs.de> <117b37a9b60e4417b41381ebdde53414@BLUPR09MB053.namprd09.prod.outlook.com> In-Reply-To: <117b37a9b60e4417b41381ebdde53414@BLUPR09MB053.namprd09.prod.outlook.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Auth: by SMTP AUTH @ ux-2s11 X-MIMEDefang-Info-ge: Gescannt in Inf@FH-BRS, Regeln s. MiniFAQ E-Mail/Mailscanner X-Scanned-By: MIMEDefang 2.73 Subject: Re: [sidr] Master thesis - RPKI X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 17 Jan 2014 12:30:15 -0000 Comments below. Am 15.01.2014 18:22, schrieb Sriram, Kotikalapudi: >> From: sidr [mailto:sidr-bounces@ietf.org] On Behalf Of Demian Rosenkranz >> >> Correct, Im talking about really short lifetimes for ROAs (EE certificates). The >> RP software would be forced to cryptographically checks the objects again >> and again over short intervals. >> But long lifetimes for ROAs (EE certificates) mean at least bigger CRLs. >> This would be one benefit of short lifetimes. >> > > Even if about a few hundred origination-change events occur in a year that require > ROA-EE-certificate rollover, you are dealing with an increase of merely just that many > additional entries in the CRL (with the long-lifetime ROAs and revocation approach). > If instead short lifetimes are used, then 500,000 certs and ROAs would be propagated > in the RPKI system periodically in each of those short intervals. > The latter seems to be a much bigger price to pay. OK, thats right! > But if you can provide further analysis and insight in your thesis, > it would be very welcome. Unfortunately, I'm writing my thesis in German but I would be happy to get feedback from the users of this mailing-list. So, I try to keep you updated with the most significant results! > > We discussed and quantified these types choices and trade-offs earlier > not in the context of ROA (EE cert) lifetimes, but in the context > of AS or router key rollover mechanisms to mitigate BGPSEC update replay attacks. > Please see: > http://tools.ietf.org/html/draft-sriram-replay-protection-design-discussion-02 > http://www.ietf.org/proceedings/85/slides/slides-85-sidr-4.pdf > http://tools.ietf.org/html/draft-ietf-sidr-bgpsec-rollover-02 Thank you for this information! > > Sriram > > > From warren@kumari.net Sun Jan 19 10:48:47 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92D0C1ADF31 for ; Sun, 19 Jan 2014 10:48:47 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.079 X-Spam-Level: X-Spam-Status: No, score=-0.079 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2hLTQrbnFPcm for ; Sun, 19 Jan 2014 10:48:45 -0800 (PST) Received: from mail-wi0-f174.google.com (mail-wi0-f174.google.com [209.85.212.174]) by ietfa.amsl.com (Postfix) with ESMTP id 0927B1A1DFA for ; Sun, 19 Jan 2014 10:48:44 -0800 (PST) Received: by mail-wi0-f174.google.com with SMTP id g10so2475708wiw.7 for ; Sun, 19 Jan 2014 10:48:31 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=faZUMehizTjWIer57jaS9f5Go1T4Vnv3g/BC/py+Z3U=; b=Nio+/9p4wcyE9kX2LcIkzMbvMfIDCgBOIyd7+nyIl+L0SVyiQ6FlOT0MXcnuUobc0C zDTQA7lYx3lk29x0lEF5oQv+tFx3cyZ2jWLK04+WeuFkdcFuu7HReFnal63TMlsVwdXk aQ5mBEKqBkn2O//rZkN5lh4BunICCVg4WnWrBOKRbkPM6NZFb7x9FLY9SQej3ixm66he pmDKyg5BQ0vNYKuzNUgJL7fEgXiyAouqvaioWNUZawAfagKTvO019IvNIYg5BhRl6B6a IFLe24/QmQ6zcpZyHC56D2S7B+ku8vuSU334j24EZxQOLyzFmzvOlR4SgAHFYUPbkTRm sGzQ== X-Gm-Message-State: ALoCoQn59pZpW32KqHOXSz31Hl3OJy5hIJOIs7M5WBgvwtZn+0rMaSdSsrxk7p7CGQJ7BlD4bmnZ MIME-Version: 1.0 X-Received: by 10.180.207.10 with SMTP id ls10mr6892862wic.52.1390157311108; Sun, 19 Jan 2014 10:48:31 -0800 (PST) Received: by 10.194.54.167 with HTTP; Sun, 19 Jan 2014 10:48:31 -0800 (PST) X-Originating-IP: [66.84.81.40] In-Reply-To: <24B20D14B2CD29478C8D5D6E9CBB29F678F1DBD3@HSV-MB002.huntsville.ads.sparta.com> References: <52954D51.5020808@ops-netman.net> <24B20D14B2CD29478C8D5D6E9CBB29F678F1DBD3@HSV-MB002.huntsville.ads.sparta.com> Date: Sun, 19 Jan 2014 13:48:31 -0500 Message-ID: From: Warren Kumari To: "Murphy, Sandra" Content-Type: text/plain; charset=ISO-8859-1 Cc: Chris Morrow , "sidr-chairs@tools.ietf.org" , sidr wg list Subject: Re: [sidr] WG Adoption: draft-ymbk-lta-use-cases X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 19 Jan 2014 18:48:47 -0000 On Fri, Jan 10, 2014 at 3:33 PM, Murphy, Sandra wrote: > There were four responses to this adoption call, all positive. But four is not a strong indication of wg wishes here. > > Can others please look at this and speak up as to whether you do or do not support adoption? I responded back on 11/27 supporting adoption. Wanted to make sure that my vote still counts... W > > Recall: silence does not indicate interest. > > We give this another two weeks (for people who are taking a Christmas present holiday in some warm climate). > > Repond by 24 Jan 2014. Please. > > --Sandy, speaking as wg co-chair > ________________________________________ > From: Chris Morrow [morrowc@ops-netman.net] > Sent: Tuesday, November 26, 2013 8:39 PM > To: sidr-chairs@tools.ietf.org; sidr wg list > Subject: WG Adoption: draft-ymbk-lta-use-cases > > Howdy gentle WG folks, > The authors of: > > > are interested in starting a WG Adoption call for this piece of scribed > text. It would be good if other folk also agreed about the adoption. > > The abstract says: > "There are a number of critical circumstances where a localized > routing domain needs to augment or modify the Global RPKI. This > document attempts to outline a few of them." > > Please consider this a 'WG Adoption' call, and let's attempt to close > this out by: > 12/9/2013 or 9/12/2013 or Ninth December Twenty-Thirteen or ... you > get the point, see you in 2 weeks with (hopefully) clear direction from > the folks behind the emailz. > > -chris > co-chair > _______________________________________________ > sidr mailing list > sidr@ietf.org > https://www.ietf.org/mailman/listinfo/sidr From warren@kumari.net Sun Jan 19 10:49:16 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 308941ADF78 for ; Sun, 19 Jan 2014 10:49:16 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.978 X-Spam-Level: X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TAydUu7QYjYl for ; Sun, 19 Jan 2014 10:49:14 -0800 (PST) Received: from mail-wi0-f175.google.com (mail-wi0-f175.google.com [209.85.212.175]) by ietfa.amsl.com (Postfix) with ESMTP id 30F2E1A1DFA for ; Sun, 19 Jan 2014 10:49:14 -0800 (PST) Received: by mail-wi0-f175.google.com with SMTP id hr1so2481283wib.2 for ; Sun, 19 Jan 2014 10:49:00 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=8tSB3eG/GIXWiQdjCt4m+Luh6N1QntMqwtfKPuPK+aI=; b=MHwJidk5wW1xgISWYWQtFXXKjniEwCf+tVgRTM1P2tjJm0FqaiPSBw4ANCXSXMcqi9 K2QbxbWQPBRms+UYx5/B1xmilj3lXm8ELcuP4XzF8NcQJD6tHukd6IPMHrCGRw3gYLAZ 4syXG+u8H0a6Qd6DbmooOUatzi4D9PmH09YUjIYOy2qq04z4vOhiCcjNM1MJlIxasH0y IcLtlvrJfGKYvvGAlBJlzME8RUWQACPiXGKvOjfKeWugX7BK2Z/hjocFrGTYYM7FBPlN zHxxeztciZ3h2vbenCq589pQ5o7xZ6Gwp02rwSkAbmGzHdjTLXpp3cu0oVhSN9/hysh1 7Amw== X-Gm-Message-State: ALoCoQlbXp6IwQTX8XP7E9+Sq5k+zQ8cwegtz8I7ODK7kkFJnRHyr7f0lEFJRA4tGDyr68AB/nW+ MIME-Version: 1.0 X-Received: by 10.194.202.230 with SMTP id kl6mr11236182wjc.9.1390157340472; Sun, 19 Jan 2014 10:49:00 -0800 (PST) Received: by 10.194.54.167 with HTTP; Sun, 19 Jan 2014 10:49:00 -0800 (PST) X-Originating-IP: [66.84.81.40] In-Reply-To: References: <52D072F6.9030304@ops-netman.net> <52D0A0AC.5040903@ops-netman.net> Date: Sun, 19 Jan 2014 13:49:00 -0500 Message-ID: From: Warren Kumari To: "Sriram, Kotikalapudi" Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: Chris Morrow , "sidr-ads@tools.ietf.org" , sidr wg list Subject: Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 19 Jan 2014 18:49:16 -0000 On Tue, Jan 14, 2014 at 6:38 PM, Sriram, Kotikalapudi wrote: > I support publication of this document as an RFC. As do I. W > I have some comments listed below that are meant to help improve clarity. > > 3.2 (current) A BGPsec design must allow the receiver of a BGP announceme= nt to determine, to a strong level of certainty, that the received PATH at= tribute accurately represents the sequence of eBGP exchanges that propagate= d the prefix from the origin AS to the receiver, particularly if an AS has = added or deleted any AS number other than its own in the path attribute. T= his includes modification to the number of AS prepends. > > 3.2 (suggested rewording) A BGPsec design must allow the receiver of a BG= P announcement to determine, to a strong level of certainty, that the rece= ived PATH attribute accurately represents the sequence of eBGP exchanges th= at propagated the prefix from the origin AS to the receiver. Specifically, = if an AS has deleted any ASN from the AS PATH it received or added an ASN o= ther than its own then the verification of the update (if propagated) MUST = fail at its neighboring BGPsec routers. This includes modification to the= number of AS prepends, i.e. an AS in the path MUST NOT be able to modify t= he AS prepends (if any) of preceding ASs in the AS PATH. > > 3.4 (current) A BGPsec design MUST be amenable to incremental deployment.= This implies that incompatible protocol capabilities MUST be negotiated. > > "Negotiating incompatible protocol" -- the phrase doesn't sound right to = me. > > 3.4 (suggested rewording) A BGPsec design MUST be amenable to incremental= deployment. This implies that a BGPsec capable router MUST be backward com= patible and MUST negotiate BGP-4 protocol with a BGP-4 only neighbor, and = MUST interoperate with the BGP-4 only neighbor. > > 3.4 and 3.13 are related (overlapping). You may consider combining them. > > In 3.14, this statement "Such mechanisms SHOULD conform with [I-D.ietf-s= idr-ltamgmt]" seems a bit abrupt. You should state what in [I-D.ietf-sidr-l= tamgmt] is relevant here to "best path and other routing decisions." Note:= You do speak about [I-D.ietf-sidr-ltamgmt] more specifically again in 3.17= . > > Sriram > > _______________________________________________ > sidr mailing list > sidr@ietf.org > https://www.ietf.org/mailman/listinfo/sidr From tim@ripe.net Mon Jan 20 00:56:42 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A138E1A00AD for ; Mon, 20 Jan 2014 00:56:42 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.265 X-Spam-Level: X-Spam-Status: No, score=0.265 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RP_MATCHES_RCVD=-0.535] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h1_3jbhuQ-aY for ; Mon, 20 Jan 2014 00:56:41 -0800 (PST) Received: from koko.ripe.net (koko.ripe.net [193.0.19.72]) by ietfa.amsl.com (Postfix) with ESMTP id 9E30B1A00AC for ; Mon, 20 Jan 2014 00:56:41 -0800 (PST) Received: from titi.ripe.net ([193.0.23.11]) by koko.ripe.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from ) id 1W5Aer-0003OG-Ge; Mon, 20 Jan 2014 09:56:38 +0100 Received: from puppy.ipv6.ripe.net ([2001:67c:2e8:1::c100:1e6] helo=[IPv6:::1]) by titi.ripe.net with esmtps (TLSv1:AES128-SHA:128) (Exim 4.72) (envelope-from ) id 1W5Aer-000407-CI; Mon, 20 Jan 2014 09:56:37 +0100 Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\)) Content-Type: text/plain; charset=us-ascii From: Tim Bruijnzeels In-Reply-To: <24B20D14B2CD29478C8D5D6E9CBB29F678F1DBD3@HSV-MB002.huntsville.ads.sparta.com> Date: Mon, 20 Jan 2014 09:56:39 +0100 Content-Transfer-Encoding: quoted-printable Message-Id: <0D7AD86E-2BBE-4ADC-A14F-7037D8A8CF7C@ripe.net> References: <52954D51.5020808@ops-netman.net> <24B20D14B2CD29478C8D5D6E9CBB29F678F1DBD3@HSV-MB002.huntsville.ads.sparta.com> To: "Murphy, Sandra" X-Mailer: Apple Mail (2.1510) X-RIPE-Spam-Level: --- X-RIPE-Spam-Report: Spam Total Points: -3.5 points pts rule name description ---- ---------------------- ------------------------------------ -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP -0.6 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a0719b0f76b4f6bba847381932ceafff68417 Cc: Chris Morrow , "sidr-chairs@tools.ietf.org" , sidr wg list Subject: Re: [sidr] WG Adoption: draft-ymbk-lta-use-cases X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 20 Jan 2014 08:56:42 -0000 Hi wg, On Jan 10, 2014, at 9:33 PM, "Murphy, Sandra" = wrote: > Can others please look at this and speak up as to whether you do or do = not support adoption? +1, support discussing this in a document Regards, Tim= From keyupate@cisco.com Tue Jan 21 09:57:42 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9366C1A01ED for ; Tue, 21 Jan 2014 09:57:42 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -15.036 X-Spam-Level: X-Spam-Status: No, score=-15.036 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KdX2-jGdtYEN for ; Tue, 21 Jan 2014 09:57:41 -0800 (PST) Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) by ietfa.amsl.com (Postfix) with ESMTP id 60BA51A01D7 for ; Tue, 21 Jan 2014 09:57:41 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=874; q=dns/txt; s=iport; t=1390327061; x=1391536661; h=from:to:subject:date:message-id:in-reply-to:content-id: content-transfer-encoding:mime-version; bh=ZCE4umtHaWIterw9mkuiIhV8VBKLL5ix4OwGIelUic0=; b=GbRzgZItQR+6DDFpP9e+PgAk2/eBagtCN+9rP9HsTEAfxYiXJYgZkneo 8uHAFtHJUla2+E5jH3BPHoua2pBjEwgVJBuxgW/T99yC8Aw1/mYwZ27On hlUoYoZ+LmN1WV7XW9oaNXMhtJzuVteErKGXKd08v93oo78lZ5gtqYh1e M=; X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AhUFAMyz3lKtJXG8/2dsb2JhbABZgws4VrttgRQWdIInAQQBAQE3NB0BCDY3CxQRAgQBEogFDcNGF48GhDgEmCKBMpBmgy2CKg X-IronPort-AV: E=Sophos;i="4.95,696,1384300800"; d="scan'208";a="298803986" Received: from rcdn-core2-1.cisco.com ([173.37.113.188]) by rcdn-iport-4.cisco.com with ESMTP; 21 Jan 2014 17:57:41 +0000 Received: from xhc-rcd-x10.cisco.com (xhc-rcd-x10.cisco.com [173.37.183.84]) by rcdn-core2-1.cisco.com (8.14.5/8.14.5) with ESMTP id s0LHvfu8018088 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 21 Jan 2014 17:57:41 GMT Received: from xmb-aln-x09.cisco.com ([169.254.4.228]) by xhc-rcd-x10.cisco.com ([173.37.183.84]) with mapi id 14.03.0123.003; Tue, 21 Jan 2014 11:57:40 -0600 From: "Keyur Patel (keyupate)" To: Chris Morrow , "sidr-chairs@tools.ietf.org" , sidr wg list , "sidr-ads@tools.ietf.org" Thread-Topic: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Thread-Index: AQHPFtJGFIpGgiz9WUCae7VCyJLUoQ== Date: Tue, 21 Jan 2014 17:57:39 +0000 Message-ID: In-Reply-To: <52D0A0AC.5040903@ops-netman.net> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: user-agent: Microsoft-MacOutlook/14.13.0.110805 x-originating-ip: [128.107.163.49] Content-Type: text/plain; charset="us-ascii" Content-ID: <30C18073C8A534448A95C6CDCB3213F7@emea.cisco.com> Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Subject: Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 21 Jan 2014 17:57:42 -0000 I support publication of this document as RFC. Regards, Keyur On 1/10/14 5:38 PM, "Chris Morrow" wrote: > >Working Group Folken, >Today starts a WGLC for the subject draft: > > >Abstract: > This document describes requirements for a BGP security protocol > design to provide cryptographic assurance that the origin AS had the > right to announce the prefix and to provide assurance of the AS Path > of the announcement. > >Please have a read-through and send comments at the authors + >sidr@ietf.org mailing list. > >This WGLC completes in 1,209,600 seconds, or 20,160 minutes. > >Thanks! > >-chris >co-chair > > >_______________________________________________ >sidr mailing list >sidr@ietf.org >https://www.ietf.org/mailman/listinfo/sidr From drosen2s@smail.inf.h-brs.de Thu Jan 23 04:46:25 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33EDE1A03E6 for ; Thu, 23 Jan 2014 04:46:25 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.85 X-Spam-Level: X-Spam-Status: No, score=-0.85 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k4t_eJn0MqMy for ; Thu, 23 Jan 2014 04:46:23 -0800 (PST) Received: from ux-2s11.inf.fh-bonn-rhein-sieg.de (ux-2s11.inf.fh-bonn-rhein-sieg.de [194.95.66.8]) by ietfa.amsl.com (Postfix) with ESMTP id E74D21A037B for ; Thu, 23 Jan 2014 04:46:22 -0800 (PST) Received: from [192.168.14.38] ([62.153.176.78]) (authenticated bits=0) by ux-2s11.inf.fh-bonn-rhein-sieg.de (8.14.4/8.14.4/Debian-4ska0) with ESMTP id s0NCkJlU023885 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for ; Thu, 23 Jan 2014 13:46:20 +0100 Message-ID: <52E10F1A.8030800@smail.inf.h-brs.de> Date: Thu, 23 Jan 2014 13:46:18 +0100 From: Demian Rosenkranz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0 MIME-Version: 1.0 To: sidr@ietf.org References: In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Auth: by SMTP AUTH @ ux-2s11 X-MIMEDefang-Info-ge: Gescannt in Inf@FH-BRS, Regeln s. MiniFAQ E-Mail/Mailscanner X-Scanned-By: MIMEDefang 2.73 Subject: [sidr] Another potential DOS attack on RP software? X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Jan 2014 12:46:25 -0000 Hi, I'm thinking about another potential DoS attack. An entity which owns a CA certificate has the possibility to generate a huge hierarchy of further CA certificates without any limitation (as far as I know). In contrast to the generation of a huge amount of ROAs, this attack isn't limited regarding the number of objects/certificates. I.e. a compromised/bad entity owns a /16 prefix and generates 10000 CA certificates and hand down this prefix until the lowest CA certificate and generates 2^8 ROAs, a relying party software would be forced to check this hierarchy 2^8 times. Of course, this is kind of a blunt attack but without making any provisions, this "local cache flooding" could lead to a disturbance of all (worst case) local caches for a certain time. Some smaller RP could be slower in remedying this. Are there any restriction to this attack I've missed? Any feedback is very welcome! Kind regards Demian From tim@ripe.net Thu Jan 23 05:38:23 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9DF2E1A03E3 for ; Thu, 23 Jan 2014 05:38:23 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.435 X-Spam-Level: X-Spam-Status: No, score=-2.435 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.535] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6UnAu1KJ5jBG for ; Thu, 23 Jan 2014 05:38:21 -0800 (PST) Received: from kaka.ripe.net (kaka.ripe.net [IPv6:2001:67c:2e8:11::c100:1347]) by ietfa.amsl.com (Postfix) with ESMTP id B0CBF1A0114 for ; Thu, 23 Jan 2014 05:38:21 -0800 (PST) Received: from titi.ripe.net ([193.0.23.11]) by kaka.ripe.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from ) id 1W6KU5-0006A0-Ec; Thu, 23 Jan 2014 14:38:18 +0100 Received: from puppy.ipv6.ripe.net ([2001:67c:2e8:1::c100:1e6] helo=[IPv6:::1]) by titi.ripe.net with esmtps (TLSv1:AES128-SHA:128) (Exim 4.72) (envelope-from ) id 1W6KU5-0002jx-6f; Thu, 23 Jan 2014 14:38:17 +0100 Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\)) Content-Type: text/plain; charset=us-ascii From: Tim Bruijnzeels In-Reply-To: <52E10F1A.8030800@smail.inf.h-brs.de> Date: Thu, 23 Jan 2014 14:38:19 +0100 Content-Transfer-Encoding: quoted-printable Message-Id: <8980320B-8C8C-45E4-B2E1-C03A9AB26EB5@ripe.net> References: <52E10F1A.8030800@smail.inf.h-brs.de> To: Demian Rosenkranz X-Mailer: Apple Mail (2.1510) X-RIPE-Spam-Level: --- X-RIPE-Spam-Report: Spam Total Points: -3.5 points pts rule name description ---- ---------------------- ------------------------------------ -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP -0.6 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a07195601ed23c0128b672020f77646c2d409 Cc: sidr@ietf.org Subject: Re: [sidr] Another potential DOS attack on RP software? X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Jan 2014 13:38:23 -0000 Hi Demian, On Jan 23, 2014, at 1:46 PM, Demian Rosenkranz = wrote: > Hi, >=20 > I'm thinking about another potential DoS attack. An entity which owns = a CA certificate has the possibility to generate a huge hierarchy of = further CA certificates without any limitation (as far as I know). >=20 As far as I remember there are no formal restrictions regarding either = the number of child CA certificates issued by a CA, or the length of the = chain. =20 > In contrast to the generation of a huge amount of ROAs, this attack = isn't limited regarding the number of objects/certificates. >=20 > I.e. a compromised/bad entity owns a /16 prefix and generates 10000 CA = certificates and hand down this prefix until the lowest CA certificate = and generates 2^8 ROAs, a relying party software would be forced to = check this hierarchy 2^8 times. Some say that the same resource 'should' not appear on multiple child CA = certificates, however in practice this can happen in case of a child key = roll, and a make-before-break resource transfer. There is no = notification about the reason, so RPs have a hard time guessing. In = short: our RP doesn't care about resources appearing on multiple child = CA certs. If the certificates are valid, the duplicate resource is valid = for both branches.. if the parent disagrees, they should revoke / = re-issue as needed. That said, if one wants avoid duplicating resources in an attack like = this there is always IPv6.. And then it's of course possible that it = wasn't intended as an attack at all, but some over zealous CA goes = granular way beyond present day BGP --- eg. giving ghostbusters to all = their v6 end users ;) > Of course, this is kind of a blunt attack but without making any = provisions, this "local cache flooding" could lead to a disturbance of = all (worst case) local caches for a certain time. Some smaller RP could = be slower in remedying this. While I don't think we have formal restrictions, I can imagine certain = mitigations if this would become a serious threat: =3D Parent of the offending CA could revoke the certificate (if abuse is = defined in terms of use, talking doesn't help, etc.., reactive by nature = though) =3D RPs could limit the maximum length of the cert chain, or even number = of CA certs issued by CA certs they are willing to accept - e.g. pro-actively quarantine 'spam-CAs' like this, and allow the = end-user to override - or re-actively.. proceed, but warn and allow user to disregard - or a mix of both of course with some thresholds, prob. allowing = the RIRs to issue a bit more=20 =3D RPs should probably employ strategies to ensure that a lot of work = in one part of the tree does not block validation of the remaining tree = (if resources don't overlap). > Are there any restriction to this attack I've missed? Any feedback is = very welcome! I would say that been though it's entirely possible to attack the rpki = by producing many objects, it's not feasible to do this *covertly*. This = will get get you noticed, quickly. So while I see the value of thinking about these scenarios and possible = ways to mitigate them - thank you :) - I am not convinced that we should = go overboard in terms of best practices for RPs, or general restrictions = for CAs, at this time. I would consider possible *covert* attack vectors = on the rpki infrastructure to be much more serious though. Cheers Tim= From jared@puck.nether.net Thu Jan 23 05:39:04 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 425F41A0433 for ; Thu, 23 Jan 2014 05:39:04 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.437 X-Spam-Level: X-Spam-Status: No, score=-2.437 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.535, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4xyLLpcaLD-0 for ; Thu, 23 Jan 2014 05:39:03 -0800 (PST) Received: from puck.nether.net (puck.nether.net [IPv6:2001:418:3f4::5]) by ietfa.amsl.com (Postfix) with ESMTP id 1374B1A0114 for ; Thu, 23 Jan 2014 05:39:03 -0800 (PST) Received: from [10.0.0.137] (173-167-0-106-michigan.hfc.comcastbusiness.net [173.167.0.106]) (authenticated bits=0) by puck.nether.net (8.14.7/8.14.5) with ESMTP id s0NDcxxM001640 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Thu, 23 Jan 2014 08:39:00 -0500 Mime-Version: 1.0 (Mac OS X Mail 7.1 \(1827\)) Content-Type: text/plain; charset=us-ascii From: Jared Mauch In-Reply-To: <52E10F1A.8030800@smail.inf.h-brs.de> Date: Thu, 23 Jan 2014 08:38:58 -0500 Content-Transfer-Encoding: quoted-printable Message-Id: References: <52E10F1A.8030800@smail.inf.h-brs.de> To: Demian Rosenkranz X-Mailer: Apple Mail (2.1827) X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.5.7 (puck.nether.net [204.42.254.5]); Thu, 23 Jan 2014 08:39:01 -0500 (EST) Cc: sidr@ietf.org Subject: Re: [sidr] Another potential DOS attack on RP software? X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Jan 2014 13:39:04 -0000 On Jan 23, 2014, at 7:46 AM, Demian Rosenkranz = wrote: > Hi, >=20 > I'm thinking about another potential DoS attack. An entity which owns = a CA certificate has the possibility to generate a huge hierarchy of = further CA certificates without any limitation (as far as I know). >=20 > In contrast to the generation of a huge amount of ROAs, this attack = isn't limited regarding the number of objects/certificates. >=20 > I.e. a compromised/bad entity owns a /16 prefix and generates 10000 CA = certificates and hand down this prefix until the lowest CA certificate = and generates 2^8 ROAs, a relying party software would be forced to = check this hierarchy 2^8 times. > Of course, this is kind of a blunt attack but without making any = provisions, this "local cache flooding" could lead to a disturbance of = all (worst case) local caches for a certain time. Some smaller RP could = be slower in remedying this. >=20 > Are there any restriction to this attack I've missed? Any feedback is = very welcome! We certainly see this scale of prefix registration within the IRR = dataset. (Folks registering each variant of the entire covering prefix = of a /16 for example). I imagine the same would be done with the same rationale by someone well = intentioned. - Jared= From prvs=6101b368ff=sandra.murphy@parsons.com Thu Jan 23 17:41:57 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9D281A01D5 for ; Thu, 23 Jan 2014 17:41:57 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.436 X-Spam-Level: X-Spam-Status: No, score=-2.436 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 62EwrsH2YpkE for ; Thu, 23 Jan 2014 17:41:56 -0800 (PST) Received: from txdal11mx03.parsons.com (txdal11mx03.parsons.com [206.219.199.111]) by ietfa.amsl.com (Postfix) with ESMTP id 1E65C1A01A5 for ; Thu, 23 Jan 2014 17:41:56 -0800 (PST) Received: from pps.filterd (txdal11mx03 [127.0.0.1]) by txdal11mx03.parsons.com (8.14.5/8.14.5) with SMTP id s0O1eaG6032586 for ; Thu, 23 Jan 2014 19:41:55 -0600 Received: from m4.sparta.com (m4.sparta.com [157.185.61.2]) by txdal11mx03.parsons.com with ESMTP id 1hkdqq05m0-1 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NOT) for ; Thu, 23 Jan 2014 19:41:54 -0600 Received: from Beta5.sparta.com ([10.62.8.21]) by M4.sparta.com (8.14.4/8.14.4) with ESMTP id s0O1frMq007614 for ; Thu, 23 Jan 2014 19:41:53 -0600 Received: from kraven.huntsville.ads.sparta.com (kraven.huntsville.sparta.com [10.62.8.137]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id s0O1frbG018071 for ; Thu, 23 Jan 2014 19:41:53 -0600 Received: from HSV-MB002.huntsville.ads.sparta.com ([fe80::2521:a783:a30c:d057]) by kraven.huntsville.ads.sparta.com ([::1]) with mapi id 14.02.0342.003; Thu, 23 Jan 2014 19:41:48 -0600 From: "Murphy, Sandra" To: "sidr@ietf.org" Thread-Topic: IETF 89 - Important Meeting Dates Thread-Index: Ac8YpXH+48jOZnnhRqaC/PVchNAIqw== Date: Fri, 24 Jan 2014 01:41:47 +0000 Message-ID: <24B20D14B2CD29478C8D5D6E9CBB29F678F24845@HSV-MB002.huntsville.ads.sparta.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.185.61.23] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.87, 1.0.14, 0.0.0000 definitions=2014-01-23_05:2014-01-23,2014-01-23,1970-01-01 signatures=0 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 kscore.is_bulkscore=0 kscore.compositescore=0 circleOfTrustscore=230.336 compositescore=0.0475211685653588 urlsuspect_oldscore=0.475211685653588 suspectscore=0 recipient_domain_to_sender_totalscore=4066 phishscore=0 bulkscore=0 kscore.is_spamscore=1 recipient_to_sender_totalscore=0 recipient_domain_to_sender_domain_totalscore=12528 rbsscore=0.0475211685653588 spamscore=0 recipient_to_sender_domain_totalscore=0 urlsuspectscore=0.3 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1305240000 definitions=main-1401230195 Subject: [sidr] IETF 89 - Important Meeting Dates X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 24 Jan 2014 01:41:57 -0000 Here are some of the important dates for the upcoming meeting you might wan= t to keep in mind.=0A= =0A= Note in particular the deadline for submission of an internet-draft.=0A= =0A= 2014-01-31 (Friday): Preliminary agenda published for comment.=0A= 2014-02-03 (Monday): Cut-off date for requests to reschedule Working Group = and BOF meetings UTC 23:59.=0A= 2014-02-07 (Friday): Final agenda to be published.=0A= 2014-02-14 (Friday): Internet Draft submission cut-off (for all drafts, inc= luding -00) by UTC 23:59, upload using IETF ID Submission Tool.=0A= 2014-02-17 (Monday): Draft Working Group agendas due by UTC 23:59, upload u= sing IETF Meeting Materials Management Tool.=0A= 2014-02-21 (Friday): Early Bird registration and payment cut-off at UTC 23:= 59.=0A= 2014-02-24 (Monday): Revised Working Group agendas due by UTC 23:59, upload= using IETF Meeting Materials Management Tool.=0A= 2014-02-24 (Monday): Registration cancellation cut-off at UTC 23:59.=0A= 2014-02-28 (Friday): Final Pre-Registration and Pre-Payment cut-off at 17:0= 0 local meeting time.=0A= =0A= --Sandy, speaking as a co-chair= From wesley.george@twcable.com Fri Jan 24 06:57:11 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E09FD1A0493 for ; Fri, 24 Jan 2014 06:57:11 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.3 X-Spam-Level: X-Spam-Status: No, score=-0.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_MODEMCABLE=0.768, HOST_EQ_MODEMCABLE=1.368, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DlF8KfHlaIlY for ; Fri, 24 Jan 2014 06:57:10 -0800 (PST) Received: from cdpipgw02.twcable.com (cdpipgw02.twcable.com [165.237.59.23]) by ietfa.amsl.com (Postfix) with ESMTP id 1D7401A0490 for ; Fri, 24 Jan 2014 06:57:10 -0800 (PST) X-SENDER-IP: 10.136.163.11 X-SENDER-REPUTATION: None X-IronPort-AV: E=Sophos;i="4.95,713,1384318800"; d="scan'208";a="183235600" Received: from unknown (HELO PRVPEXHUB02.corp.twcable.com) ([10.136.163.11]) by cdpipgw02.twcable.com with ESMTP/TLS/RC4-MD5; 24 Jan 2014 09:56:07 -0500 Received: from PRVPEXVS15.corp.twcable.com ([10.136.163.79]) by PRVPEXHUB02.corp.twcable.com ([10.136.163.11]) with mapi; Fri, 24 Jan 2014 09:56:40 -0500 From: "George, Wes" To: sidr wg list Date: Fri, 24 Jan 2014 09:56:44 -0500 Thread-Topic: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Thread-Index: Ac8ZFHyt6PtaN5geSLaxh7YvQvqU3A== Message-ID: References: <52D072F6.9030304@ops-netman.net> <52D0A0AC.5040903@ops-netman.net> In-Reply-To: <52D0A0AC.5040903@ops-netman.net> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: user-agent: Microsoft-MacOutlook/14.3.9.131030 acceptlanguage: en-US Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 MIME-Version: 1.0 Cc: "draft-ietf-sidr-bgpsec-reqs@tools.ietf.org" Subject: Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 24 Jan 2014 14:57:12 -0000 SeKAmXZlIHJldmlld2VkLCBpdOKAmXMgbW9zdGx5IHJlYWR5LCBtaW5vciBjb21tZW50czoNCg0K SeKAmW0gbm90IGhhcHB5IHdpdGggdGhpcyB0ZXh0IGluIHRoZSBpbnRybzog4oCcaXNzdWVzIG9m IGJ1c2luZXNzDQogICByZWxhdGlvbnNoaXAgY29uZm9ybWFuY2UsIG9mIHdoaWNoIHJvdXRpbmcg J2xlYWtzJyBhcmUgYSBzdWJzZXQsDQogICB3aGlsZSBxdWl0ZSBpbXBvcnRhbnQgdG8gb3BlcmF0 b3JzIChhcyBhcmUgbWFueSBvdGhlciB0aGluZ3MpLCBhcmUNCiAgIG5vdCBzZWN1cml0eSBpc3N1 ZXMgcGVyIHNlLCBhbmQgYXJlIG91dHNpZGUgdGhlIHNjb3BlIG9mIHRoaXMNCiAgIGRvY3VtZW50 LuKAnQ0KDQpMZXQgbWUgYmUgY2xlYXIgdXAgZnJvbnQsIG15IGlzc3VlIGlzICpub3QqIHRoYXQg dGhlc2UgYXJlIGRlY2xhcmVkIG91dCBvZg0Kc2NvcGUsIHNpbmNlIG15IGNvbW1lbnRzIG9uIHRo ZSB0aHJlYXRzIGRvY3VtZW50IHNlZW1lZCB0byBiZSBpbnRlcnByZXRlZA0Kb3RoZXJ3aXNlLg0K DQpNeSBpc3N1ZSB3aXRoIHRoaXMgdGV4dCBpcyB0aGUgcmVhc29uIGl0IHByb3ZpZGVzIGFzIHRv IHdoeSB0aGV54oCZcmUNCmNvbnNpZGVyZWQgb3V0IG9mIHNjb3BlLiBJIGRvbuKAmXQgdGhpbmsg dGhhdCBpdOKAmXMgZW50aXJlbHkgYWNjdXJhdGUgdG8NCmFzc2VydCB0aGF0IHJvdXRlIGxlYWtz IGFyZSBub3Qgc2VjdXJpdHkgaXNzdWVzLiBXaGlsZSBub3QgYWxsIHJvdXRlIGxlYWtzDQphcmUg c2VjdXJpdHkgaXNzdWVzLCBzb21lIGFyZS4gSXQgd291bGQgYmUgbW9yZSBhY2N1cmF0ZSB0byBy ZWZsZWN0IHRoZQ0KZGlzY3Vzc2lvbiB0aGF0IGxlZCB1cyB0byB0aGUgY29uY2x1c2lvbiB0aGF0 IHdlIGNhbuKAmXQgc2VjdXJlIHRoZW0gYmVjYXVzZQ0Kd2UgZG9u4oCZdCBrbm93IHdoYXQg4oCc dGhlbeKAnSBpcyB5ZXQsIGFuZCBhcmUgYXdhaXRpbmcgR1JPVyB0byBkZWZpbmUgdGhlbSBpbg0K c3VjaCBhIHdheSBzbyB0aGF0IHdlIGNhbiBldmFsdWF0ZSBpZiBpdOKAmXMgZXZlbiBwb3NzaWJs ZSB0byBzZWN1cmUgdGhlbSBpbg0KdGhpcyBmcmFtZXdvcmsuIFRoYXQgbWF5IGJlIGEgbG9uZ2Vy IGRpc2N1c3Npb24gdGhhdCBkb2VzbuKAmXQgYmVsb25nIGluIHRoZQ0KaW50cm8sIEkgZG9u4oCZ dCBrbm93Lg0KDQpBbHNvIEkgdGhpbmsgdGhlIHBhcmVudGhldGljYWwg4oCcYXMgYXJlIG1hbnkg b3RoZXIgdGhpbmdzIiBpcyB1bm5lY2Vzc2FyeQ0KYW5kIGNsdW5reS4NCg0KDQpUaGFua3MsDQoN Cldlcw0KDQoNCk9uIDEvMTAvMTQsIDg6MzggUE0sICJDaHJpcyBNb3Jyb3ciIDxtb3Jyb3djQG9w cy1uZXRtYW4ubmV0PiB3cm90ZToNCg0KPg0KPldvcmtpbmcgR3JvdXAgRm9sa2VuLA0KPlRvZGF5 IHN0YXJ0cyBhIFdHTEMgZm9yIHRoZSBzdWJqZWN0IGRyYWZ0Og0KPiAgPGh0dHA6Ly90cmFjLnRv b2xzLmlldGYub3JnL2h0bWwvZHJhZnQtaWV0Zi1zaWRyLWJncHNlYy1yZXFzPg0KPg0KPkFic3Ry YWN0Og0KPiAgIFRoaXMgZG9jdW1lbnQgZGVzY3JpYmVzIHJlcXVpcmVtZW50cyBmb3IgYSBCR1Ag c2VjdXJpdHkgcHJvdG9jb2wNCj4gICBkZXNpZ24gdG8gcHJvdmlkZSBjcnlwdG9ncmFwaGljIGFz c3VyYW5jZSB0aGF0IHRoZSBvcmlnaW4gQVMgaGFkIHRoZQ0KPiAgIHJpZ2h0IHRvIGFubm91bmNl IHRoZSBwcmVmaXggYW5kIHRvIHByb3ZpZGUgYXNzdXJhbmNlIG9mIHRoZSBBUyBQYXRoDQo+ICAg b2YgdGhlIGFubm91bmNlbWVudC4NCj4NCj5QbGVhc2UgaGF2ZSBhIHJlYWQtdGhyb3VnaCBhbmQg c2VuZCBjb21tZW50cyBhdCB0aGUgYXV0aG9ycyArDQo+c2lkckBpZXRmLm9yZyBtYWlsaW5nIGxp c3QuDQo+DQo+VGhpcyBXR0xDIGNvbXBsZXRlcyBpbiAxLDIwOSw2MDAgc2Vjb25kcywgb3IgMjAs MTYwIG1pbnV0ZXMuDQo+DQo+VGhhbmtzIQ0KPg0KPi1jaHJpcw0KPmNvLWNoYWlyDQo+DQo+DQo+ X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18NCj5zaWRyIG1h aWxpbmcgbGlzdA0KPnNpZHJAaWV0Zi5vcmcNCj5odHRwczovL3d3dy5pZXRmLm9yZy9tYWlsbWFu L2xpc3RpbmZvL3NpZHINCg0KDQpUaGlzIEUtbWFpbCBhbmQgYW55IG9mIGl0cyBhdHRhY2htZW50 cyBtYXkgY29udGFpbiBUaW1lIFdhcm5lciBDYWJsZSBwcm9wcmlldGFyeSBpbmZvcm1hdGlvbiwg d2hpY2ggaXMgcHJpdmlsZWdlZCwgY29uZmlkZW50aWFsLCBvciBzdWJqZWN0IHRvIGNvcHlyaWdo dCBiZWxvbmdpbmcgdG8gVGltZSBXYXJuZXIgQ2FibGUuIFRoaXMgRS1tYWlsIGlzIGludGVuZGVk IHNvbGVseSBmb3IgdGhlIHVzZSBvZiB0aGUgaW5kaXZpZHVhbCBvciBlbnRpdHkgdG8gd2hpY2gg aXQgaXMgYWRkcmVzc2VkLiBJZiB5b3UgYXJlIG5vdCB0aGUgaW50ZW5kZWQgcmVjaXBpZW50IG9m IHRoaXMgRS1tYWlsLCB5b3UgYXJlIGhlcmVieSBub3RpZmllZCB0aGF0IGFueSBkaXNzZW1pbmF0 aW9uLCBkaXN0cmlidXRpb24sIGNvcHlpbmcsIG9yIGFjdGlvbiB0YWtlbiBpbiByZWxhdGlvbiB0 byB0aGUgY29udGVudHMgb2YgYW5kIGF0dGFjaG1lbnRzIHRvIHRoaXMgRS1tYWlsIGlzIHN0cmlj dGx5IHByb2hpYml0ZWQgYW5kIG1heSBiZSB1bmxhd2Z1bC4gSWYgeW91IGhhdmUgcmVjZWl2ZWQg dGhpcyBFLW1haWwgaW4gZXJyb3IsIHBsZWFzZSBub3RpZnkgdGhlIHNlbmRlciBpbW1lZGlhdGVs eSBhbmQgcGVybWFuZW50bHkgZGVsZXRlIHRoZSBvcmlnaW5hbCBhbmQgYW55IGNvcHkgb2YgdGhp cyBFLW1haWwgYW5kIGFueSBwcmludG91dC4NCg== From warren@kumari.net Fri Jan 24 07:04:33 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A832E1A03FF for ; Fri, 24 Jan 2014 07:04:33 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.978 X-Spam-Level: X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ono1zmHgXJD6 for ; Fri, 24 Jan 2014 07:04:31 -0800 (PST) Received: from mail-we0-f181.google.com (mail-we0-f181.google.com [74.125.82.181]) by ietfa.amsl.com (Postfix) with ESMTP id 8AE4F1A0009 for ; Fri, 24 Jan 2014 07:04:31 -0800 (PST) Received: by mail-we0-f181.google.com with SMTP id u56so2739329wes.40 for ; Fri, 24 Jan 2014 07:04:29 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=5knMsJMobRvv43qsHxHblLcaIVTxEvU38NRbP/NhvkM=; b=GD0WUUM5prWiurhpWLs0LIDk4chqZzDrZqLhITYszxSSNFxSfWKHQOWFqjNPvn3TCu 23YYWPWkntz+1oIYKdr3gxI9czbgRyiM4sFvXlbmyYV1XdLrx6WABuXENA0FuVJLQ9YU lTu2e1aRWuP2a/yrltMZGRvxxP4M728/KCmYWuO0zGoc8EpNViCpl8NTECWdGTcAh28z Hj8/RiHSzuc+OZG7vArNrnakfZbhpiqDgw70YhXFfYn47G84nOI5G6WWObvebeTtdKKA c6k79Kq2hr5olxc/VB73JfKyK1nyl3kEd13/1zA7ucb7mpKfTkEs9UJ7IzzPuHAxQ26I f78A== X-Gm-Message-State: ALoCoQljKU8KY8Kq41b2n4rU/KWljXD9hSpq5/uuiZ9tXIrU8qwJODj4eH1X4KBjmnXWXQ8wTN3M MIME-Version: 1.0 X-Received: by 10.180.77.74 with SMTP id q10mr3504013wiw.39.1390575869815; Fri, 24 Jan 2014 07:04:29 -0800 (PST) Received: by 10.194.54.167 with HTTP; Fri, 24 Jan 2014 07:04:29 -0800 (PST) X-Originating-IP: [98.244.98.35] In-Reply-To: References: <52D072F6.9030304@ops-netman.net> <52D0A0AC.5040903@ops-netman.net> Date: Fri, 24 Jan 2014 10:04:29 -0500 Message-ID: From: Warren Kumari To: "George, Wes" Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable Cc: "draft-ietf-sidr-bgpsec-reqs@tools.ietf.org" , sidr wg list Subject: Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 24 Jan 2014 15:04:33 -0000 On Fri, Jan 24, 2014 at 9:56 AM, George, Wes wr= ote: > I=92ve reviewed, it=92s mostly ready, minor comments: > > I=92m not happy with this text in the intro: =93issues of business > relationship conformance, of which routing 'leaks' are a subset, > while quite important to operators (as are many other things), are > not security issues per se, and are outside the scope of this > document.=94 > Would simply: "issues of business relationship conformance (of which routing 'leaks' are a subset), while important to operators, are outside the scope of this document.=94 cover things well enough? > Let me be clear up front, my issue is *not* that these are declared out o= f > scope, since my comments on the threats document seemed to be interpreted > otherwise. > > My issue with this text is the reason it provides as to why they=92re > considered out of scope. I don=92t think that it=92s entirely accurate to > assert that route leaks are not security issues. While not all route leak= s > are security issues, some are. It would be more accurate to reflect the > discussion that led us to the conclusion that we can=92t secure them beca= use > we don=92t know what =93them=94 is yet, and are awaiting GROW to define t= hem in > such a way so that we can evaluate if it=92s even possible to secure them= in > this framework. That may be a longer discussion that doesn=92t belong in = the > intro, I don=92t know. > I suspect it is. It somewhat seems like a non-terminating discussion.... W > Also I think the parenthetical =93as are many other things" is unnecessar= y > and clunky. > > > Thanks, > > Wes > > > On 1/10/14, 8:38 PM, "Chris Morrow" wrote: > >> >>Working Group Folken, >>Today starts a WGLC for the subject draft: >> >> >>Abstract: >> This document describes requirements for a BGP security protocol >> design to provide cryptographic assurance that the origin AS had the >> right to announce the prefix and to provide assurance of the AS Path >> of the announcement. >> >>Please have a read-through and send comments at the authors + >>sidr@ietf.org mailing list. >> >>This WGLC completes in 1,209,600 seconds, or 20,160 minutes. >> >>Thanks! >> >>-chris >>co-chair >> >> >>_______________________________________________ >>sidr mailing list >>sidr@ietf.org >>https://www.ietf.org/mailman/listinfo/sidr > > > This E-mail and any of its attachments may contain Time Warner Cable prop= rietary information, which is privileged, confidential, or subject to copyr= ight belonging to Time Warner Cable. This E-mail is intended solely for the= use of the individual or entity to which it is addressed. If you are not t= he intended recipient of this E-mail, you are hereby notified that any diss= emination, distribution, copying, or action taken in relation to the conten= ts of and attachments to this E-mail is strictly prohibited and may be unla= wful. If you have received this E-mail in error, please notify the sender i= mmediately and permanently delete the original and any copy of this E-mail = and any printout. > _______________________________________________ > sidr mailing list > sidr@ietf.org > https://www.ietf.org/mailman/listinfo/sidr From wesley.george@twcable.com Fri Jan 24 08:15:45 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 977F31A0037 for ; Fri, 24 Jan 2014 08:15:45 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.3 X-Spam-Level: X-Spam-Status: No, score=-0.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_MODEMCABLE=0.768, HOST_EQ_MODEMCABLE=1.368, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9vUA7iV3W89n for ; Fri, 24 Jan 2014 08:15:44 -0800 (PST) Received: from cdcipgw02.twcable.com (cdcipgw02.twcable.com [165.237.91.111]) by ietfa.amsl.com (Postfix) with ESMTP id 437C81A0010 for ; Fri, 24 Jan 2014 08:15:44 -0800 (PST) X-SENDER-IP: 10.136.163.11 X-SENDER-REPUTATION: None X-IronPort-AV: E=Sophos;i="4.95,713,1384318800"; d="scan'208";a="58704510" Received: from unknown (HELO PRVPEXHUB02.corp.twcable.com) ([10.136.163.11]) by cdcipgw02.twcable.com with ESMTP/TLS/RC4-MD5; 24 Jan 2014 11:15:16 -0500 Received: from PRVPEXVS15.corp.twcable.com ([10.136.163.79]) by PRVPEXHUB02.corp.twcable.com ([10.136.163.11]) with mapi; Fri, 24 Jan 2014 11:15:42 -0500 From: "George, Wes" To: Warren Kumari Date: Fri, 24 Jan 2014 11:15:41 -0500 Thread-Topic: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Thread-Index: Ac8ZH4dfm5MM00eYTaCxYhQqEd5RGQ== Message-ID: References: <52D072F6.9030304@ops-netman.net> <52D0A0AC.5040903@ops-netman.net> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: user-agent: Microsoft-MacOutlook/14.3.9.131030 acceptlanguage: en-US Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 MIME-Version: 1.0 Cc: "draft-ietf-sidr-bgpsec-reqs@tools.ietf.org" , sidr wg list Subject: Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 24 Jan 2014 16:15:45 -0000 T24gMS8yNC8xNCwgMTA6MDQgQU0sICJXYXJyZW4gS3VtYXJpIiA8d2FycmVuQGt1bWFyaS5uZXQ+ IHdyb3RlOg0KDQoNCj5Xb3VsZCBzaW1wbHk6DQo+Imlzc3VlcyBvZiBidXNpbmVzcyByZWxhdGlv bnNoaXAgY29uZm9ybWFuY2UgKG9mIHdoaWNoIHJvdXRpbmcgJ2xlYWtzJw0KPmFyZSBhIHN1YnNl dCksIHdoaWxlIGltcG9ydGFudCB0byBvcGVyYXRvcnMsIGFyZSBvdXRzaWRlIHRoZSBzY29wZSBv Zg0KPnRoaXMgZG9jdW1lbnQu4oCdDQo+DQo+Y292ZXIgdGhpbmdzIHdlbGwgZW5vdWdoPw0KDQpJ dCB3b3VsZCBhdCBsZWFzdCBhZGRyZXNzIHRoZSBjb25jZXJuIGFib3V0IGRlY2xhcmluZyB0aGVt IG5vdCB0byBiZQ0Kc2VjdXJpdHkgY29uY2VybnMsIGFuZCBpcyBlbm91Z2ggZm9yIHRoZSBpbnRy bywgSU1PDQoNCj4NCj4+TXkgaXNzdWUgd2l0aCB0aGlzIHRleHQgaXMgdGhlIHJlYXNvbiBpdCBw cm92aWRlcyBhcyB0byB3aHkgdGhleeKAmXJlDQo+PiBjb25zaWRlcmVkIG91dCBvZiBzY29wZS4g SSBkb27igJl0IHRoaW5rIHRoYXQgaXTigJlzIGVudGlyZWx5IGFjY3VyYXRlIHRvDQo+PiBhc3Nl cnQgdGhhdCByb3V0ZSBsZWFrcyBhcmUgbm90IHNlY3VyaXR5IGlzc3Vlcy4gV2hpbGUgbm90IGFs bCByb3V0ZQ0KPj5sZWFrcw0KPj4gYXJlIHNlY3VyaXR5IGlzc3Vlcywgc29tZSBhcmUuIEl0IHdv dWxkIGJlIG1vcmUgYWNjdXJhdGUgdG8gcmVmbGVjdCB0aGUNCj4+IGRpc2N1c3Npb24gdGhhdCBs ZWQgdXMgdG8gdGhlIGNvbmNsdXNpb24gdGhhdCB3ZSBjYW7igJl0IHNlY3VyZSB0aGVtDQo+PmJl Y2F1c2UNCj4+IHdlIGRvbuKAmXQga25vdyB3aGF0IOKAnHRoZW3igJ0gaXMgeWV0LCBhbmQgYXJl IGF3YWl0aW5nIEdST1cgdG8gZGVmaW5lIHRoZW0NCj4+aW4NCj4+IHN1Y2ggYSB3YXkgc28gdGhh dCB3ZSBjYW4gZXZhbHVhdGUgaWYgaXTigJlzIGV2ZW4gcG9zc2libGUgdG8gc2VjdXJlIHRoZW0N Cj4+aW4NCj4+IHRoaXMgZnJhbWV3b3JrLiBUaGF0IG1heSBiZSBhIGxvbmdlciBkaXNjdXNzaW9u IHRoYXQgZG9lc27igJl0IGJlbG9uZyBpbg0KPj50aGUNCj4+IGludHJvLCBJIGRvbuKAmXQga25v dy4NCj4+DQo+DQo+SSBzdXNwZWN0IGl0IGlzLiBJdCBzb21ld2hhdCBzZWVtcyBsaWtlIGEgbm9u LXRlcm1pbmF0aW5nIGRpc2N1c3Npb24uLi4uDQoNCkkgdGhpbmsgaXQgbWlnaHQgYmUgYXBwcm9w cmlhdGUgdG8gYWRkIGEgbmV3IHJlcSBpbiB0aGUgZm9ybSBvZiByZXEgMy4zIHRvDQpleHBsYWlu IHdoeSB0aGlzIGlzIG91dCBvZiBzY29wZSwgb3IgYm9sc3RlciAzLjIyIHRvIGV4cGFuZCBvbiBp bnRlbnQgYXMNCml0IHJlbGF0ZXMgdG8gdGhpcywgcGVyaGFwcyB3aXRoIHNvbWUgcmVmZXJlbmNl IHRvIHRoZSBmYWN0IHRoYXQgcm91dGUNCmxlYWtzIGFyZSBjdXJyZW50bHkgbm90IHdlbGwtZW5v dWdoIGRlZmluZWQgdG8gY29uc2lzdGVudGx5IChhbmQgbW9yZQ0KaW1wb3J0YW50bHksIHN5c3Rl bWF0aWNhbGx5KSBpZGVudGlmeSB0aGVtIGFuZCBzZWN1cmUgdGhlIHJpZ2h0IEJHUA0KYXR0cmli dXRlcyB0byBoZWxwIHByZXZlbnQgdGhlbQ0KDQpUaGFua3MNCldlcw0KDQoNClRoaXMgRS1tYWls IGFuZCBhbnkgb2YgaXRzIGF0dGFjaG1lbnRzIG1heSBjb250YWluIFRpbWUgV2FybmVyIENhYmxl IHByb3ByaWV0YXJ5IGluZm9ybWF0aW9uLCB3aGljaCBpcyBwcml2aWxlZ2VkLCBjb25maWRlbnRp YWwsIG9yIHN1YmplY3QgdG8gY29weXJpZ2h0IGJlbG9uZ2luZyB0byBUaW1lIFdhcm5lciBDYWJs ZS4gVGhpcyBFLW1haWwgaXMgaW50ZW5kZWQgc29sZWx5IGZvciB0aGUgdXNlIG9mIHRoZSBpbmRp dmlkdWFsIG9yIGVudGl0eSB0byB3aGljaCBpdCBpcyBhZGRyZXNzZWQuIElmIHlvdSBhcmUgbm90 IHRoZSBpbnRlbmRlZCByZWNpcGllbnQgb2YgdGhpcyBFLW1haWwsIHlvdSBhcmUgaGVyZWJ5IG5v dGlmaWVkIHRoYXQgYW55IGRpc3NlbWluYXRpb24sIGRpc3RyaWJ1dGlvbiwgY29weWluZywgb3Ig YWN0aW9uIHRha2VuIGluIHJlbGF0aW9uIHRvIHRoZSBjb250ZW50cyBvZiBhbmQgYXR0YWNobWVu dHMgdG8gdGhpcyBFLW1haWwgaXMgc3RyaWN0bHkgcHJvaGliaXRlZCBhbmQgbWF5IGJlIHVubGF3 ZnVsLiBJZiB5b3UgaGF2ZSByZWNlaXZlZCB0aGlzIEUtbWFpbCBpbiBlcnJvciwgcGxlYXNlIG5v dGlmeSB0aGUgc2VuZGVyIGltbWVkaWF0ZWx5IGFuZCBwZXJtYW5lbnRseSBkZWxldGUgdGhlIG9y aWdpbmFsIGFuZCBhbnkgY29weSBvZiB0aGlzIEUtbWFpbCBhbmQgYW55IHByaW50b3V0Lg0K From prvs=61026d0cf3=sandra.murphy@parsons.com Fri Jan 24 17:17:58 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BA831A02A1 for ; Fri, 24 Jan 2014 17:17:58 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.436 X-Spam-Level: X-Spam-Status: No, score=-2.436 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3CiBlI0W7XTP for ; Fri, 24 Jan 2014 17:17:56 -0800 (PST) Received: from txdal11mx03.parsons.com (txdal11mx03.parsons.com [206.219.199.111]) by ietfa.amsl.com (Postfix) with ESMTP id 87FF11A0293 for ; Fri, 24 Jan 2014 17:17:56 -0800 (PST) Received: from pps.filterd (txdal11mx03 [127.0.0.1]) by txdal11mx03.parsons.com (8.14.5/8.14.5) with SMTP id s0P1FfCu015385 for ; Fri, 24 Jan 2014 19:17:41 -0600 Received: from m4.sparta.com (m4.sparta.com [157.185.61.2]) by txdal11mx03.parsons.com with ESMTP id 1hkx5gs9xr-1 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NOT) for ; Fri, 24 Jan 2014 19:17:41 -0600 Received: from Beta5.sparta.com ([10.62.8.21]) by M4.sparta.com (8.14.4/8.14.4) with ESMTP id s0P1HeRo014226 for ; Fri, 24 Jan 2014 19:17:40 -0600 Received: from kraven.huntsville.ads.sparta.com (kraven.huntsville.sparta.com [10.62.8.137]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id s0P1Hevw019024 for ; Fri, 24 Jan 2014 19:17:40 -0600 Received: from HSV-MB002.huntsville.ads.sparta.com ([fe80::2521:a783:a30c:d057]) by kraven.huntsville.ads.sparta.com ([::1]) with mapi id 14.02.0342.003; Fri, 24 Jan 2014 19:17:39 -0600 From: "Murphy, Sandra" To: "sidr@ietf.org" Thread-Topic: agenda topics for IETF 89 London Thread-Index: Ac8ZayIi8JSXGMkbSoy5DyDyGrGISQ== Date: Sat, 25 Jan 2014 01:17:39 +0000 Message-ID: <24B20D14B2CD29478C8D5D6E9CBB29F678F24B77@HSV-MB002.huntsville.ads.sparta.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.185.61.24] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.87, 1.0.14, 0.0.0000 definitions=2014-01-24_06:2014-01-24,2014-01-24,1970-01-01 signatures=0 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 kscore.is_bulkscore=0 kscore.compositescore=0 circleOfTrustscore=110.568 compositescore=0.0527339388916443 urlsuspect_oldscore=0.527339388916442 suspectscore=0 recipient_domain_to_sender_totalscore=1469 phishscore=0 bulkscore=0 kscore.is_spamscore=0 recipient_to_sender_totalscore=0 recipient_domain_to_sender_domain_totalscore=7945 rbsscore=0.0527339388916443 spamscore=0 recipient_to_sender_domain_totalscore=0 urlsuspectscore=0.3 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1305240000 definitions=main-1401240185 Subject: [sidr] agenda topics for IETF 89 London X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 25 Jan 2014 01:17:58 -0000 We have about five weeks before the IETF 89 meeting in London. So it is ti= me to start considering the agenda.=0A= =0A= If you wish to have some time on the agenda, please send a message to the l= ist or to the chairs and secretary (sidr-chairs@ietf.org).=0A= =0A= Please give thought to topics that would benefit from in-person discussion = at this particular time -- things that are ripe for progress but otherwise = stalled, controversial questions that may benefit from face-to-face discuss= ion, etc. We also welcome your suggestions for people who may be effective = facilitators for particular conversations.=0A= =0A= --Sandy, speaking as a wg co-chair=0A= From randy@psg.com Sat Jan 25 00:33:40 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 564AB1A01DF for ; Sat, 25 Jan 2014 00:33:40 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.936 X-Spam-Level: X-Spam-Status: No, score=-1.936 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FH_RANDOM_SURE=0.499, RP_MATCHES_RCVD=-0.535] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5k4bfmI3GVmh for ; Sat, 25 Jan 2014 00:33:38 -0800 (PST) Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:8006::18]) by ietfa.amsl.com (Postfix) with ESMTP id 941DB1A015D for ; Sat, 25 Jan 2014 00:33:38 -0800 (PST) Received: from localhost ([127.0.0.1] helo=ryuu.psg.com.psg.com) by ran.psg.com with esmtp (Exim 4.76) (envelope-from ) id 1W6ygJ-0006TV-IU; Sat, 25 Jan 2014 08:33:36 +0000 Date: Sat, 25 Jan 2014 17:33:34 +0900 Message-ID: From: Randy Bush To: Wes George In-Reply-To: References: <52D072F6.9030304@ops-netman.net> <52D0A0AC.5040903@ops-netman.net> User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI) MIME-Version: 1.0 (generated by SEMI 1.14.7 - "Harue") Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Cc: sidr wg list Subject: Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 25 Jan 2014 08:33:40 -0000 > I=E2=80=99m not happy with this text in the intro: =E2=80=9Cissues of bus= iness > relationship conformance, of which routing 'leaks' are a subset, > while quite important to operators (as are many other things), are > not security issues per se, and are outside the scope of this > document.=E2=80=9D >=20 > My issue with this text is the reason it provides as to why they=E2=80=99= re > considered out of scope. I don=E2=80=99t think that it=E2=80=99s entirely= accurate to > assert that route leaks are not security issues. While not all route leaks > are security issues, some are. hence the "per se," meaining in and of itself. some cases of pouring cement into a router (see london tube) are security issues, some are not. how would you make that more clear? > It would be more accurate to reflect the discussion that led us to the > conclusion that we can=E2=80=99t secure them because we don=E2=80=99t kno= w what =E2=80=9Cthem=E2=80=9D > is yet i don't think that is entirely true. they are announcements of P by A to B which are not agreed by all parties concerned (including A, B, neighbors of A and B, the originator of P, ...). the problem lies in detecting them, especially from a distance. > and are awaiting GROW to define them in such a way so that we can > evaluate if it=E2=80=99s even possible to secure them in this framework. = That > may be a longer discussion that doesn=E2=80=99t belong in the intro, I do= n=E2=80=99t > know. i agree. and i doubt we want "waiting for grow" in a document which is not ephemeral. > Also I think the parenthetical =E2=80=9Cas are many other things" is > unnecessary and clunky. easily nuked. randy From wesley.george@twcable.com Mon Jan 27 07:48:05 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C52A1A027C for ; Mon, 27 Jan 2014 07:48:05 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 2.098 X-Spam-Level: ** X-Spam-Status: No, score=2.098 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, FH_RANDOM_SURE=0.499, HELO_EQ_MODEMCABLE=0.768, HOST_EQ_MODEMCABLE=1.368, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Meth0uKy6rTU for ; Mon, 27 Jan 2014 07:48:04 -0800 (PST) Received: from cdcipgw02.twcable.com (cdcipgw02.twcable.com [165.237.91.111]) by ietfa.amsl.com (Postfix) with ESMTP id E2E621A0228 for ; Mon, 27 Jan 2014 07:48:01 -0800 (PST) X-SENDER-IP: 10.136.163.13 X-SENDER-REPUTATION: None X-IronPort-AV: E=Sophos;i="4.95,729,1384318800"; d="scan'208";a="59073173" Received: from unknown (HELO PRVPEXHUB04.corp.twcable.com) ([10.136.163.13]) by cdcipgw02.twcable.com with ESMTP/TLS/RC4-MD5; 27 Jan 2014 10:47:21 -0500 Received: from PRVPEXVS15.corp.twcable.com ([10.136.163.78]) by PRVPEXHUB04.corp.twcable.com ([10.136.163.13]) with mapi; Mon, 27 Jan 2014 10:47:59 -0500 From: "George, Wes" To: Randy Bush Date: Mon, 27 Jan 2014 10:47:57 -0500 Thread-Topic: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs Thread-Index: Ac8bdyb9EW6ON0WSTZ6pYMrH1O0M/A== Message-ID: References: <52D072F6.9030304@ops-netman.net> <52D0A0AC.5040903@ops-netman.net> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: user-agent: Microsoft-MacOutlook/14.3.9.131030 acceptlanguage: en-US Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 MIME-Version: 1.0 Cc: sidr wg list Subject: Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 Jan 2014 15:48:05 -0000 T24gMS8yNS8xNCwgMzozMyBBTSwgIlJhbmR5IEJ1c2giIDxyYW5keUBwc2cuY29tPiB3cm90ZToN Cg0KDQo+aGVuY2UgdGhlICJwZXIgc2UsIiBtZWFpbmluZyBpbiBhbmQgb2YgaXRzZWxmLiAgc29t ZSBjYXNlcyBvZiBwb3VyaW5nDQo+Y2VtZW50IGludG8gYSByb3V0ZXIgKHNlZSBsb25kb24gdHVi ZSkgYXJlIHNlY3VyaXR5IGlzc3Vlcywgc29tZSBhcmUNCj5ub3QuDQo+DQo+aG93IHdvdWxkIHlv dSBtYWtlIHRoYXQgbW9yZSBjbGVhcj8NCkkgdGhpbmsgV2FycmVu4oCZcyBzdWdnZXN0aW9uIG9m IHNpbXBseSBlbGltaW5hdGluZyB0aGUgYXNzZXJ0aW9uIGFib3V0DQp3aGV0aGVyIGl04oCZcyBh IHNlY3VyaXR5IGlzc3VlLCBwZXIgc2Ugb3Igb3RoZXJ3aXNlLCBhbmQganVzdCBzYXlpbmcgdGhh dA0KaXTigJlzIG91dCBvZiBzY29wZSBpcyBlbm91Z2ggZm9yIHRoZSBpbnRyby4NCg0KPiB0aGV5 IGFyZSBhbm5vdW5jZW1lbnRzIG9mIFAgYnkgQQ0KPnRvIEIgd2hpY2ggYXJlIG5vdCBhZ3JlZWQg YnkgYWxsIHBhcnRpZXMgY29uY2VybmVkIChpbmNsdWRpbmcgQSwgQiwNCj5uZWlnaGJvcnMgb2Yg QSBhbmQgQiwgdGhlIG9yaWdpbmF0b3Igb2YgUCwgLi4uKS4gIHRoZSBwcm9ibGVtIGxpZXMgaW4N Cj5kZXRlY3RpbmcgdGhlbSwgZXNwZWNpYWxseSBmcm9tIGEgZGlzdGFuY2UuDQpTbyBJIHRoaW5r IHRoYXQgZ29lcyBiYWNrIHRvIG15IHN1Z2dlc3Rpb24gdGhhdCBzaW5jZSB5b3UgYWxyZWFkeSBk aXNjdXNzDQppbnRlbnQgaW4gMy4yMiwgdGhhdCBtaWdodCBiZSBhIHBsYWNlIHRvIGFkZCBzb21l dGhpbmcgYWJvdXQgbGVha3MsIGVpdGhlcg0KYXMgYSBwYXJ0IG9mIHRoYXQgcmVxIG9yIGEgZm9s bG93LW9uLCBiZWNhdXNlIHRoYXTigJlzIHJlYWxseSB3aGF0IHlvdeKAmXJlDQpzYXlpbmcgaGVy ZSAtIHdlIHVuZGVyc3RhbmQgdGhlb3JldGljYWxseSB3aGF0IHRoZXkgYXJlLCBidXQgbm90IGhv dyB0bw0KZGV0ZWN0IHRoZW0gc3VjaCB0aGF0IHdlIGNvdWxkIGRvIGFueXRoaW5nIHRvIHByZXZl bnQgdGhlIHVuZGVzaXJlZCBvbmVzLg0KDQpXZXMNCg0KDQpUaGlzIEUtbWFpbCBhbmQgYW55IG9m IGl0cyBhdHRhY2htZW50cyBtYXkgY29udGFpbiBUaW1lIFdhcm5lciBDYWJsZSBwcm9wcmlldGFy eSBpbmZvcm1hdGlvbiwgd2hpY2ggaXMgcHJpdmlsZWdlZCwgY29uZmlkZW50aWFsLCBvciBzdWJq ZWN0IHRvIGNvcHlyaWdodCBiZWxvbmdpbmcgdG8gVGltZSBXYXJuZXIgQ2FibGUuIFRoaXMgRS1t YWlsIGlzIGludGVuZGVkIHNvbGVseSBmb3IgdGhlIHVzZSBvZiB0aGUgaW5kaXZpZHVhbCBvciBl bnRpdHkgdG8gd2hpY2ggaXQgaXMgYWRkcmVzc2VkLiBJZiB5b3UgYXJlIG5vdCB0aGUgaW50ZW5k ZWQgcmVjaXBpZW50IG9mIHRoaXMgRS1tYWlsLCB5b3UgYXJlIGhlcmVieSBub3RpZmllZCB0aGF0 IGFueSBkaXNzZW1pbmF0aW9uLCBkaXN0cmlidXRpb24sIGNvcHlpbmcsIG9yIGFjdGlvbiB0YWtl biBpbiByZWxhdGlvbiB0byB0aGUgY29udGVudHMgb2YgYW5kIGF0dGFjaG1lbnRzIHRvIHRoaXMg RS1tYWlsIGlzIHN0cmljdGx5IHByb2hpYml0ZWQgYW5kIG1heSBiZSB1bmxhd2Z1bC4gSWYgeW91 IGhhdmUgcmVjZWl2ZWQgdGhpcyBFLW1haWwgaW4gZXJyb3IsIHBsZWFzZSBub3RpZnkgdGhlIHNl bmRlciBpbW1lZGlhdGVseSBhbmQgcGVybWFuZW50bHkgZGVsZXRlIHRoZSBvcmlnaW5hbCBhbmQg YW55IGNvcHkgb2YgdGhpcyBFLW1haWwgYW5kIGFueSBwcmludG91dC4NCg== From randy@psg.com Mon Jan 27 08:06:42 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 069B01A0255 for ; Mon, 27 Jan 2014 08:06:42 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.936 X-Spam-Level: X-Spam-Status: No, score=-1.936 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FH_RANDOM_SURE=0.499, RP_MATCHES_RCVD=-0.535] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ahh_gqlWWfXT for ; Mon, 27 Jan 2014 08:06:40 -0800 (PST) Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:8006::18]) by ietfa.amsl.com (Postfix) with ESMTP id A0C941A02B3 for ; Mon, 27 Jan 2014 08:06:40 -0800 (PST) Received: from localhost ([127.0.0.1] helo=ryuu.psg.com.psg.com) by ran.psg.com with esmtp (Exim 4.76) (envelope-from ) id 1W7ohp-0004WN-Q9; Mon, 27 Jan 2014 16:06:38 +0000 Date: Tue, 28 Jan 2014 01:06:36 +0900 Message-ID: From: Randy Bush To: "George, Wes" In-Reply-To: References: <52D072F6.9030304@ops-netman.net> <52D0A0AC.5040903@ops-netman.net> User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI) MIME-Version: 1.0 (generated by SEMI 1.14.7 - "Harue") Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Cc: sidr wg list Subject: Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 27 Jan 2014 16:06:42 -0000 >> hence the "per se," meaining in and of itself. some cases of pouring >> cement into a router (see london tube) are security issues, some are >> not. >> >>how would you make that more clear? > > I think Warren=E2=80=99s suggestion of simply eliminating the assertion a= bout > whether it=E2=80=99s a security issue, per se or otherwise, and just sayi= ng > that it=E2=80=99s out of scope is enough for the intro. i disagree. would be interested in hearing other opinions. >> they are announcements of P by A to B which are not agreed by all >> parties concerned (including A, B, neighbors of A and B, the >> originator of P, ...). the problem lies in detecting them, >> especially from a distance. > So I think that goes back to my suggestion that since you already > discuss intent in 3.22, that might be a place to add something about > leaks, either as a part of that req or a follow-on, because that=E2=80=99s > really what you=E2=80=99re saying here - we understand theoretically what= they > are, but not how to detect them such that we could do anything to > prevent the undesired ones. leave that to grow/idr. this is routing security. randy From prvs=710514c311=sandra.murphy@parsons.com Tue Jan 28 13:22:55 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 57D301A026C for ; Tue, 28 Jan 2014 13:22:55 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.436 X-Spam-Level: X-Spam-Status: No, score=-2.436 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z7FEd4IjQoZR for ; Tue, 28 Jan 2014 13:22:53 -0800 (PST) Received: from txdal11mx03.parsons.com (txdal11mx03.parsons.com [206.219.199.111]) by ietfa.amsl.com (Postfix) with ESMTP id 56F621A01A2 for ; Tue, 28 Jan 2014 13:22:53 -0800 (PST) Received: from pps.filterd (txdal11mx03 [127.0.0.1]) by txdal11mx03.parsons.com (8.14.5/8.14.5) with SMTP id s0SLHmwm031947; Tue, 28 Jan 2014 15:22:50 -0600 Received: from m4.sparta.com (m4.sparta.com [157.185.61.2]) by txdal11mx03.parsons.com with ESMTP id 1hpgp41dmh-1 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NOT); Tue, 28 Jan 2014 15:22:48 -0600 Received: from Beta5.sparta.com ([10.62.8.21]) by M4.sparta.com (8.14.4/8.14.4) with ESMTP id s0SLMlGT000395; Tue, 28 Jan 2014 15:22:47 -0600 Received: from HSV-CAS003.huntsville.ads.sparta.com ([10.62.8.138]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id s0SLMlO3008790; Tue, 28 Jan 2014 15:22:47 -0600 Received: from HSV-MB002.huntsville.ads.sparta.com ([fe80::2521:a783:a30c:d057]) by HSV-CAS003.huntsville.ads.sparta.com ([fe80::a415:ede2:34ef:d13f%11]) with mapi id 14.02.0342.003; Tue, 28 Jan 2014 15:22:46 -0600 From: "Murphy, Sandra" To: Chris Morrow , "sidr-chairs@tools.ietf.org" , sidr wg list Thread-Topic: WG Adoption: draft-ymbk-lta-use-cases Thread-Index: AQHO6xGReFLB3eVNzESqWt0J42rjVpp+r1FNgBxXOug= Date: Tue, 28 Jan 2014 21:22:46 +0000 Message-ID: <24B20D14B2CD29478C8D5D6E9CBB29F678F2525E@HSV-MB002.huntsville.ads.sparta.com> References: <52954D51.5020808@ops-netman.net>, <24B20D14B2CD29478C8D5D6E9CBB29F678F1DBD3@HSV-MB002.huntsville.ads.sparta.com> In-Reply-To: <24B20D14B2CD29478C8D5D6E9CBB29F678F1DBD3@HSV-MB002.huntsville.ads.sparta.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.185.61.23] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.87, 1.0.14, 0.0.0000 definitions=2014-01-28_08:2014-01-28,2014-01-28,1970-01-01 signatures=0 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 kscore.is_bulkscore=0 kscore.compositescore=0 circleOfTrustscore=84.1112099950422 compositescore=0.0149546072277923 urlsuspect_oldscore=0.1832254864201 suspectscore=0 recipient_domain_to_sender_totalscore=4066 phishscore=0 bulkscore=0 kscore.is_spamscore=0 recipient_to_sender_totalscore=11 recipient_domain_to_sender_domain_totalscore=12528 rbsscore=0.0149546072277923 spamscore=0 recipient_to_sender_domain_totalscore=12 urlsuspectscore=0.1 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1305240000 definitions=main-1401280143 Subject: Re: [sidr] WG Adoption: draft-ymbk-lta-use-cases X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Jan 2014 21:22:55 -0000 Thanks for the additional input. The wg wishes are much clearer.=0A= =0A= The wg chairs see consensus that this draft should be adopted as a wg work = item.=0A= =0A= The draft authors are invited to resubmit the draft with a standard wg draf= t name (eg draft-ietf-sidr-lta-uses-cases).=0A= =0A= --Sandy, speaking as a wg co-chair=0A= =0A= ________________________________________=0A= From: sidr [sidr-bounces@ietf.org] on behalf of Murphy, Sandra [Sandra.Murp= hy@parsons.com]=0A= Sent: Friday, January 10, 2014 3:33 PM=0A= To: Chris Morrow; sidr-chairs@tools.ietf.org; sidr wg list=0A= Subject: Re: [sidr] WG Adoption: draft-ymbk-lta-use-cases=0A= =0A= There were four responses to this adoption call, all positive. But four is= not a strong indication of wg wishes here.=0A= =0A= Can others please look at this and speak up as to whether you do or do not = support adoption?=0A= =0A= Recall: silence does not indicate interest.=0A= =0A= We give this another two weeks (for people who are taking a Christmas prese= nt holiday in some warm climate).=0A= =0A= Repond by 24 Jan 2014. Please.=0A= =0A= --Sandy, speaking as wg co-chair=0A= ________________________________________=0A= From: Chris Morrow [morrowc@ops-netman.net]=0A= Sent: Tuesday, November 26, 2013 8:39 PM=0A= To: sidr-chairs@tools.ietf.org; sidr wg list=0A= Subject: WG Adoption: draft-ymbk-lta-use-cases=0A= =0A= Howdy gentle WG folks,=0A= The authors of:=0A= =0A= =0A= are interested in starting a WG Adoption call for this piece of scribed=0A= text. It would be good if other folk also agreed about the adoption.=0A= =0A= The abstract says:=0A= "There are a number of critical circumstances where a localized=0A= routing domain needs to augment or modify the Global RPKI. This=0A= document attempts to outline a few of them."=0A= =0A= Please consider this a 'WG Adoption' call, and let's attempt to close=0A= this out by:=0A= 12/9/2013 or 9/12/2013 or Ninth December Twenty-Thirteen or ... you=0A= get the point, see you in 2 weeks with (hopefully) clear direction from=0A= the folks behind the emailz.=0A= =0A= -chris=0A= co-chair=0A= _______________________________________________=0A= sidr mailing list=0A= sidr@ietf.org=0A= https://www.ietf.org/mailman/listinfo/sidr=0A= From kent@bbn.com Wed Jan 29 08:24:05 2014 Return-Path: X-Original-To: sidr@ietfa.amsl.com Delivered-To: sidr@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20B071A047E for ; Wed, 29 Jan 2014 08:24:05 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.237 X-Spam-Level: X-Spam-Status: No, score=-4.237 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FH_RANDOM_SURE=0.499, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6-TVLBqOkgLV for ; Wed, 29 Jan 2014 08:24:03 -0800 (PST) Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id B96471A0477 for ; Wed, 29 Jan 2014 08:24:03 -0800 (PST) Received: from dhcp89-089-218.bbn.com ([128.89.89.218]:53319) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from ) id 1W8Xvk-0005eu-IW for sidr@ietf.org; Wed, 29 Jan 2014 11:24:00 -0500 Message-ID: <52E92B20.9060505@bbn.com> Date: Wed, 29 Jan 2014 11:24:00 -0500 From: Stephen Kent User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.2.0 MIME-Version: 1.0 To: sidr@ietf.org References: <52D072F6.9030304@ops-netman.net> <52D0A0AC.5040903@ops-netman.net> In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Subject: Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs X-BeenThere: sidr@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Secure Interdomain Routing List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 Jan 2014 16:24:05 -0000 Randy, >>> hence the "per se," meaining in and of itself. some cases of pouring >>> cement into a router (see london tube) are security issues, some are >>> not. >>> >>> how would you make that more clear? >> I think Warren’s suggestion of simply eliminating the assertion about >> whether it’s a security issue, per se or otherwise, and just saying >> that it’s out of scope is enough for the intro. > i disagree. would be interested in hearing other opinions. > If just saying that it's out of scope allows us to move forward with this doc, that works for me. Steve