
From kent@bbn.com  Sun Jul  1 09:56:40 2012
Return-Path: <kent@bbn.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9172111E808C for <secdir@ietfa.amsl.com>; Sun,  1 Jul 2012 09:56:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level: 
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sNQytQjEm1dl for <secdir@ietfa.amsl.com>; Sun,  1 Jul 2012 09:56:39 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id 5E01411E8080 for <secdir@ietf.org>; Sun,  1 Jul 2012 09:56:39 -0700 (PDT)
Received: from dommiel.bbn.com ([192.1.122.15]:44020 helo=[172.18.4.197]) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1SlNRa-000IV1-Qp for secdir@ietf.org; Sun, 01 Jul 2012 12:56:40 -0400
Mime-Version: 1.0
Message-Id: <p06240800cc16315859fd@[192.1.255.188]>
Date: Sun, 1 Jul 2012 12:56:01 -0400
To: secdir@ietf.org
From: Stephen Kent <kent@bbn.com>
Content-Type: multipart/mixed; boundary="============_-870960716==_============"
Subject: [secdir] review of Updated Specification of the IPv4 ID Field
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Jul 2012 16:56:40 -0000

--============_-870960716==_============
Content-Type: text/plain; charset="us-ascii" ; format="flowed"

I reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

This document, "Updated Specification of the IPv4 ID Field", is an 
update of RFCs 791, 1122 and 2003. The primary motivation for the 
update is a recognition that the uniqueness requirement imposed on 
the field values (on a per host pair and protocol basis) would limit 
"connections" to about 6.4 Mb/s (for typical 1500 byte packets), an 
unrealistically low data rate today. This document updates the cited 
RFCs to reflect current practice and to more closely match IPv6. 
Specifically, the field value is defined only when a datagram is 
fragmented.

The Security Considerations section is very brief, only three 
paragraphs.  It notes that removing the prior constraints on ID field 
generation (MSL uniqueness) makes it easier to use this field as a 
covert channel. It suggests that rewriting the field is a possible 
countermeasure. This advice is presented with the context of 
datagrams not protected using AH. Because AH is no longer a mandatory 
to implement element of the IPsec suite, I suggested an edit to avoid 
suggesting that AH use is common.

The text goes on to discuss how removing the MSL uniqueness 
requirement reduces the entropy associated with the IPv4 header. It 
fails to explain why this might be significant. There is no 
indication that modern encryption algorithms used in IETF security 
protocols are harmed by this reduction in entropy. Thus the paragraph 
devoted to this issue seems extraneous, possibly confusing to 
implementers.

The final paragraph in this section notes that the proposed ID field 
conventions may make it more difficult to count the number of 
distinct devices behind a NAT or similar device. I agree with the 
author's observation that this side effect of the current ID field 
requirements is not a security feature per se and thus not a concern.

Earlier sections of this document do a good job explaining how this 
change may impact various forms of middleboxes. The author should 
note in the SCC whether the change proposed in this document may 
adversely affect availability, if these devices are not updated to 
account for this change.
--============_-870960716==_============
Content-Id: <p06240800cc16315859fd@[192.1.255.188].0.0>
Content-Type: application/pdf; name="draft-ietf-intarea-ipv4-id-update-05.pdf"
 ; x-mac-type="50444620"
 ; x-mac-creator="4D535744"
Content-Disposition: attachment; filename="draft-ietf-intarea-ipv4-id-update-05.pdf"
Content-Transfer-Encoding: base64
--============_-870960716==_============--

From smb@cs.columbia.edu  Sun Jul  1 11:39:34 2012
Return-Path: <smb@cs.columbia.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E1A411E80AE for <secdir@ietfa.amsl.com>; Sun,  1 Jul 2012 11:39:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ow2mP2QwQYNv for <secdir@ietfa.amsl.com>; Sun,  1 Jul 2012 11:39:33 -0700 (PDT)
Received: from paneer.cc.columbia.edu (paneer.cc.columbia.edu [128.59.29.4]) by ietfa.amsl.com (Postfix) with ESMTP id C393311E8093 for <secdir@ietf.org>; Sun,  1 Jul 2012 11:39:33 -0700 (PDT)
Received: from [10.9.0.170] (fireball.cs.columbia.edu [128.59.13.10]) (user=smb2132 mech=PLAIN bits=0) by paneer.cc.columbia.edu (8.14.4/8.14.3) with ESMTP id q61IdULK028005 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Sun, 1 Jul 2012 14:39:30 -0400 (EDT)
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset=us-ascii
From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <p06240800cc16315859fd@[192.1.255.188]>
Date: Sun, 1 Jul 2012 14:39:30 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <1496F5C4-1EFC-4B69-8034-4898EC49CD1D@cs.columbia.edu>
References: <p06240800cc16315859fd@[192.1.255.188]>
To: Stephen Kent <kent@bbn.com>
X-Mailer: Apple Mail (2.1278)
X-No-Spam-Score: Local
X-Scanned-By: MIMEDefang 2.68 on 128.59.29.4
Cc: secdir@ietf.org
Subject: Re: [secdir] review of Updated Specification of the IPv4 ID Field
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Jul 2012 18:39:34 -0000

I would add that there have been other security-relevant uses of IPid.
Hal Burch's dissertation (sorry, I don't have the precise citation
handy), and I think his papers with Bill Cheswick used it to see if two
different IP addresses corresponded to the same node.  The Rocketfuel
paper (Spring et al., SIGCOMM 2002) did the same thing.  I seem to
recall various hacks that relied on it, including to detect idle hosts.

From paul.hoffman@vpnc.org  Sun Jul  1 15:07:42 2012
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F20C721F85F0 for <secdir@ietfa.amsl.com>; Sun,  1 Jul 2012 15:07:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.576
X-Spam-Level: 
X-Spam-Status: No, score=-102.576 tagged_above=-999 required=5 tests=[AWL=0.023, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S2I5PwlCOZ2p for <secdir@ietfa.amsl.com>; Sun,  1 Jul 2012 15:07:42 -0700 (PDT)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id 7462021F85E5 for <secdir@ietf.org>; Sun,  1 Jul 2012 15:07:42 -0700 (PDT)
Received: from [10.20.30.101] (50-1-50-97.dsl.dynamic.fusionbroadband.com [50.1.50.97] (may be forged)) (authenticated bits=0) by hoffman.proper.com (8.14.5/8.14.5) with ESMTP id q61M7hVk016177 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Sun, 1 Jul 2012 15:07:44 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset=us-ascii
From: Paul Hoffman <paul.hoffman@vpnc.org>
X-Priority: 3 (Normal)
In-Reply-To: <3f40470e03a3da0a21dcf09e26f1a723.squirrel@www.trepanning.net>
Date: Sun, 1 Jul 2012 15:07:43 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <CA1968E3-0A13-4398-A42C-42610D011619@vpnc.org>
References: <3f40470e03a3da0a21dcf09e26f1a723.squirrel@www.trepanning.net>
To: secdir <secdir@ietf.org>
X-Mailer: Apple Mail (2.1278)
Cc: draft-ietf-appsawg-received-state.all@tools.ietf.org
Subject: [secdir] Secdir review of draft-ietf-appsawg-received-state
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Jul 2012 22:07:43 -0000

I have reviewed this document as part of the Security Directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the Security
ADs. Document editors and WG chairs should treat these comments just
like any other last call comments.

This document defines the new "state" clause for trace header fields
that are used in SMTP. The use of these clauses is optional, and they are
used to indicate that a message is entering processing queues such as
for moderation or quarantine.

The Security Considerations section is quite short; basically, the
section says "this might leak some local policy information" and "there
are more security considerations for SMTP trace headers in the current
SMTP spec". Because the new clause is completely optional, this
adequately describes the relevant security issues.

--Paul Hoffman

From suresh.krishnan@ericsson.com  Sun Jul  1 21:27:41 2012
Return-Path: <suresh.krishnan@ericsson.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D86821F8920; Sun,  1 Jul 2012 21:27:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.573
X-Spam-Level: 
X-Spam-Status: No, score=-106.573 tagged_above=-999 required=5 tests=[AWL=0.026, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i3P7HJ+Ehex6; Sun,  1 Jul 2012 21:27:40 -0700 (PDT)
Received: from imr3.ericy.com (imr3.ericy.com [198.24.6.13]) by ietfa.amsl.com (Postfix) with ESMTP id 63EE821F8911; Sun,  1 Jul 2012 21:27:40 -0700 (PDT)
Received: from eusaamw0711.eamcs.ericsson.se ([147.117.20.178]) by imr3.ericy.com (8.13.8/8.13.8) with ESMTP id q624RE3p005748 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Sun, 1 Jul 2012 23:27:41 -0500
Received: from [164.48.125.24] (147.117.20.214) by smtps-am.internal.ericsson.com (147.117.20.178) with Microsoft SMTP Server (TLS) id 8.3.264.0; Mon, 2 Jul 2012 00:27:25 -0400
Message-ID: <4FF12324.200@ericsson.com>
Date: Mon, 2 Jul 2012 00:27:16 -0400
From: Suresh Krishnan <suresh.krishnan@ericsson.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20120430 Thunderbird/12.0.1
MIME-Version: 1.0
To: Dan Harkins <dharkins@lounge.org>
References: <3f40470e03a3da0a21dcf09e26f1a723.squirrel@www.trepanning.net>
In-Reply-To: <3f40470e03a3da0a21dcf09e26f1a723.squirrel@www.trepanning.net>
X-Enigmail-Version: 1.4.2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "draft-ietf-6man-lineid.all@tools.ietf.org" <draft-ietf-6man-lineid.all@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-6man-lineid
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Jul 2012 04:27:41 -0000

Hi Dan,
  Thanks a lot for your comments. Please find responses inline.

On 06/30/2012 01:49 PM, Dan Harkins wrote:
> 
>   Hello,
> 
>   I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
> 
>   This draft defines a new destination option for IPv6 datagrams that
> tunnel router solicitation and router advertisement messages. The
> purpose of the option is to allow an edge router in a broadband
> subscriber network to identify a particular subscriber that comes up.
> 
>   I found the draft a bit confusing. Terms are referred to before they
> are defined and once defined are not consistently used. There were
> several paragraphs that I had to re-read a couple times to figure out
> what was being intended. I would suggest the following editorial
> changes:
>   - in section 1.1, move definition of GPON and RG up before they
>     are referred to (AN, and Edge Router, respectively)
>   - in section 5.3, pick either AN or "access node" and stick to it.
>      By sometimes referring to the entity by acronym and sometimes
>      by full name, the casual reader (me) does not immediately
>      tie them together and creates 2 entities in his mind as he's
>      putting the described behavior together.
>   - in section 6.2 it talks about creating a new IPv6 datagram, then
>      about adding the option to it and how to determine the contents
>      of this datagram, and then it says a new IPv6 datagram is created.
>      Wait, so there's 2 IPv6 datagrams or is this the same one? I had to
>      read this a few times to figure out what's going on.

Will make these changes.


> 
>   There is an apparent technical problem in section 7 where the new
> option is laid out. The option type is an octet and the option length
> is also an octet (whose length does not include the option type or
> itself). Then follows a field for the length of the lineID and the
> lineID itself. But the length of the lineID is 2 octets implying that
> a lineID can be more than 255 octets long. How does this work? If
> the lineID itself is greater than 253 octets then the length required
> to be encoded in the option length would be greater than 255
> which cannot be described with a single octet.
> 
>   Either there is the possibility of a valid but unparsable option
> that would likely make the rest of the packet unparsable too
> (which is bad) or the lineID can never be greater than 253 octets
> which then makes me ask why the field to encode its length has to
> be 2 octets?

The LineIDLen is actually 8 bits like you suspected and there is an
error in the ascii art. I will fix this in the next rev.

> 
>   The other option is, of course, that I'm completely missing something.
> If that's the case, forgive my ignorance but please do enlighten me.
> 
>   I found no security issues with the draft that require the attention
> of the ADs. The Security Considerations mention that this is all
> unauthenticated and should only be used on a network where the
> communicating entities are already trusted, which seems reasonable
> for the way this will be deployed.

Great.

Thanks
Suresh
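
The length arithmetic discussed in the exchange above, as an added example (not part of either message and not code from the draft). It assumes the layout the thread describes: a one-octet Option Type, a one-octet Option Length that counts only what follows it, a one-octet LineIDLen, then the LineID; the option type value 0xAA is a constructed placeholder, and accepting spare octets after the LineID is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed placeholder; the thread does not give the real option type. */
#define OPT_TYPE_PLACEHOLDER 0xAA

enum lineid_status {
    LINEID_OK = 0,
    LINEID_TRUNCATED,    /* buffer ends before the option does */
    LINEID_BAD_OPT_LEN,  /* Option Length cannot even hold LineIDLen */
    LINEID_LEN_MISMATCH  /* LineIDLen claims more than the option holds */
};

struct lineid_opt {
    uint8_t type;
    uint8_t opt_len;        /* octets following the Option Length field */
    uint8_t lineid_len;
    const uint8_t *lineid;  /* points into the caller's buffer */
};

/* Longest LineID an 8-bit Option Length can describe when the inner
 * length field is len_field_octets wide: 253 for a 2-octet field (the
 * reviewer's figure), 254 for the 1-octet field the author intended. */
static size_t lineid_max_len(size_t len_field_octets)
{
    return len_field_octets > 255 ? 0 : 255 - len_field_octets;
}

/* Encode type | opt_len | lineid_len | lineid. Returns octets written,
 * or 0 if the LineID cannot be described or does not fit in out. */
static size_t encode_lineid_opt(uint8_t type, const uint8_t *lineid, size_t n,
                                uint8_t *out, size_t outcap)
{
    if (n > lineid_max_len(1) || outcap < n + 3)
        return 0;
    out[0] = type;
    out[1] = (uint8_t)(n + 1);  /* the LineIDLen octet plus the LineID */
    out[2] = (uint8_t)n;
    if (n > 0)
        memcpy(out + 3, lineid, n);
    return n + 3;
}

/* Parse one option, checking the inner length against the outer one
 * before any LineID octet is touched. */
static enum lineid_status parse_lineid_opt(const uint8_t *buf, size_t buflen,
                                           struct lineid_opt *out)
{
    if (buflen < 2)
        return LINEID_TRUNCATED;
    uint8_t opt_len = buf[1];
    if ((size_t)opt_len > buflen - 2)
        return LINEID_TRUNCATED;
    if (opt_len < 1)
        return LINEID_BAD_OPT_LEN;
    uint8_t lineid_len = buf[2];
    if (lineid_len > opt_len - 1)
        return LINEID_LEN_MISMATCH;
    out->type = buf[0];
    out->opt_len = opt_len;
    out->lineid_len = lineid_len;
    out->lineid = buf + 3;
    return LINEID_OK;
}

int main(void)
{
    uint8_t pkt[16];
    struct lineid_opt o;
    /* "port-7" is a constructed sample LineID. */
    size_t n = encode_lineid_opt(OPT_TYPE_PLACEHOLDER,
                                 (const uint8_t *)"port-7", 6, pkt, sizeof pkt);
    printf("encoded %zu octets, parse status %d\n", n,
           (int)parse_lineid_opt(pkt, n, &o));
    pkt[2] = 200;  /* corrupt LineIDLen so it overruns the option */
    printf("after corruption, parse status %d\n",
           (int)parse_lineid_opt(pkt, n, &o));
    return 0;
}
```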

From alexey.melnikov@isode.com  Wed Jul  4 14:04:10 2012
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 575E821F864D for <secdir@ietfa.amsl.com>; Wed,  4 Jul 2012 14:04:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.894
X-Spam-Level: 
X-Spam-Status: No, score=-102.894 tagged_above=-999 required=5 tests=[AWL=-0.295, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6YvX6jH1JiSc for <secdir@ietfa.amsl.com>; Wed,  4 Jul 2012 14:04:09 -0700 (PDT)
Received: from statler.isode.com (statler.isode.com [62.3.217.254]) by ietfa.amsl.com (Postfix) with ESMTP id 7C09121F85F0 for <secdir@ietf.org>; Wed,  4 Jul 2012 14:04:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1341435860; d=isode.com; s=selector; i=@isode.com; bh=xHiSHEuKDzFBYAV2EomsoI/Ecoq/t9encvHby10w+2E=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=FzN7QdmfE+kAA/Q9zYsr5ubaPl98u19t/31Ww9bnCNmU1vVxkadQpvzEVGP/72h55ubI3K TZTLGUpBtsgZYoudWKyZjzmewBMvGkQYhhZAUrxkXw+vHwjhTqOlbD8vU8Cp/1uHPsL1Ga 4Sy7kYl1xe3EmNLslrEGtbq/zQv4VzA=;
Received: from [172.16.1.29] (shiny.isode.com [62.3.217.250])  by statler.isode.com (submission channel) via TCP with ESMTPSA  id <T=Sv1ABPiACL@statler.isode.com>; Wed, 4 Jul 2012 22:04:20 +0100
X-SMTP-Protocol-Errors: PIPELINING
Message-ID: <4FF4AFD6.4070303@isode.com>
Date: Wed, 04 Jul 2012 22:04:22 +0100
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20120614 Thunderbird/13.0.1
To: draft-ietf-krb-wg-kdc-model.all@tools.ietf.org
References: <3f40470e03a3da0a21dcf09e26f1a723.squirrel@www.trepanning.net>
In-Reply-To: <3f40470e03a3da0a21dcf09e26f1a723.squirrel@www.trepanning.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: secdir <secdir@ietf.org>
Subject: [secdir] Secdir review of draft-ietf-krb-wg-kdc-model-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jul 2012 21:04:10 -0000

I have reviewed this document as part of the Security Directorate's 
ongoing effort to review all IETF documents being processed by the IESG. 
These comments were written primarily for the benefit of the Security 
ADs. Document editors and WG chairs should treat these comments just 
like any other last call comments.

This document describes an information model for Kerberos version 5
from the point of view of an administrative service. This document
describes the services exposed by an administrative interface to a
KDC.

I believe the Security Consideration section correctly describes what 
kind of information needs protecting and how. It also talks about access 
controls and issues associated with exporting this information. I can't 
think of anything else that needs covering in the document.

I do however have a long list of nits and minor issues which I think 
need to be addressed:

In the Introduction: LDAP needs an Informative Reference.

In Section 1:

    Implementations of this document MUST be able to support default
    values for attributes as well as the ability to specify syntax for
    attribute values.

What does "the ability to specify syntax" mean?


In Section 4.1.1.6 - What is the allowed range for "integer"?

In Section 4.1.1.13 - what is an enctype? :-). How do you represent one?


4.3.  Key

    Implementations of this model MUST NOT REQUIRE keys to be
    represented.

I don't know what this means.


4.3.1.2.  keyValue

    The binary representation of the key data.  This MUST be a single-
    valued octet string.


Can it be zero-length?

4.3.1.3.  keySaltValue

    The binary representation of the key salt.  This MUST be a single-
    valued octet string.

As above.


4.3.1.5.  keyNotUsedBefore

    This key MUST NOT be used before this date.  The syntax of the
    attribute MUST be semantically equivalent with the standard ISO date
    format.  This MUST be a single-valued attribute.

Is this the same format as RFC 3339? If not, why not (and what is the 
proper reference)? If yes, can you please change the definition to match 
other sections.

4.3.1.6.  keyNotUsedAfter

    This key MUST NOT be used after this date.  The syntax of the
    attribute MUST be semantically equivalent with the standard ISO date
    format.  This MUST be a single-valued attribute.

As above.

In Section 4.4.1.1: Normative References to documents defining OIDs, 
URIs (RFC 3986) and UUIDs are missing.

4.4.1.4.  policyUse

    This is an optional single enumerated string value used to describe
    the use of the policy.  Implementations SHOULD provide this attribute
    and MUST (if the attribute is implemented) describe the enumerated
    set of possible values.  The intent is that this attribute be useful
    in providing an initial context-based filtering.

I find this to be sufficiently vague to be pointless. Do you have some 
examples of what this value can be?


SOAP and Netconf (5.3/5.4) need Informative References.


From jhutz@cmu.edu  Wed Jul  4 21:17:42 2012
Return-Path: <jhutz@cmu.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8BDF21F84C8 for <secdir@ietfa.amsl.com>; Wed,  4 Jul 2012 21:17:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level: 
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZR+mQr8posEH for <secdir@ietfa.amsl.com>; Wed,  4 Jul 2012 21:17:41 -0700 (PDT)
Received: from smtp03.srv.cs.cmu.edu (SMTP03.SRV.CS.CMU.EDU [128.2.217.198]) by ietfa.amsl.com (Postfix) with ESMTP id 0775A21F84C5 for <secdir@ietf.org>; Wed,  4 Jul 2012 21:17:40 -0700 (PDT)
Received: from [192.168.202.99] (pool-74-111-100-191.pitbpa.fios.verizon.net [74.111.100.191]) (authenticated bits=0) by smtp03.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id q654Hobd028603 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 5 Jul 2012 00:17:51 -0400 (EDT)
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: Alexey Melnikov <alexey.melnikov@isode.com>
In-Reply-To: <27876_1341435865_q64L4NNL000555_4FF4AFD6.4070303@isode.com>
References: <3f40470e03a3da0a21dcf09e26f1a723.squirrel@www.trepanning.net> <27876_1341435865_q64L4NNL000555_4FF4AFD6.4070303@isode.com>
Content-Type: text/plain; charset="UTF-8"
Date: Thu, 05 Jul 2012 00:17:52 -0400
Message-ID: <1341461872.5329.22.camel@tuzanor.jhutz.local>
Mime-Version: 1.0
X-Mailer: Evolution 2.32.2 
Content-Transfer-Encoding: 7bit
X-Scanned-By: mimedefang-cmuscs on 128.2.217.198
Cc: draft-ietf-krb-wg-kdc-model.all@tools.ietf.org, secdir <secdir@ietf.org>, jhutz@cmu.edu
Subject: Re: [secdir] Secdir review of draft-ietf-krb-wg-kdc-model-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jul 2012 04:17:42 -0000

On Wed, 2012-07-04 at 22:04 +0100, Alexey Melnikov wrote:

> I do however have a long list of nits and minor issues which I think 
> need to be addressed:

I think the majority of your comments can be addressed by noting that
this is an abstract data model, not a schema or protocol.  So, it
discusses values that must be representable, but not what the
representation must look like, because that's up to some schema or
protocol based on this data model (e.g. an LDAP schema or XML DTD).

I thought at this point that the introduction makes this point
reasonably clear, along with the notion that "implementations" of this
document are schemas or protocols, not pieces of software.  However, if
you didn't pick up on that, then maybe there's a better way to get it
across.


Aside from those, you also pointed out three specific issues (quoted below)
which I think are answered by text in RFC3961.  If that information is
sufficient to answer your questions, then appropriate references to that
document should be inserted in the text.  Otherwise, we'll have to talk
about what the document can say to be more clear.



> In Section 4.1.1.13 - what is an enctype? :-).

See RFC3961.

> 4.3.1.2.  keyValue
> 
>     The binary representation of the key data.  This MUST be a single-
>     valued octet string.
> 
> 
> Can it be zero-length?

A valid question, I suppose.  But I don't see any point in saying,
because then someone will just follow up with a question asking whether
it is allowed to be length 1.

In fact, a key held by the KDC will be a valid key for the appropriate
enctype.  The set of valid keys is a property of the enctype, as
specified in RFC3961 section 3.


> 4.3.1.3.  keySaltValue
> 
>     The binary representation of the key salt.  This MUST be a single-
>     valued octet string.
> 
> As above.

RFC3961 is quite clear that any valid UTF-8 string is permissible as a
salt.



You also pointed out several missing references; I agree with all of
those.


Leif, can you make sure we get in whatever changes are needed to address
Alexey's comments?

-- Jeff


From gcamaril@gmail.com  Thu Jul  5 02:46:23 2012
Return-Path: <gcamaril@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B57B621F8608; Thu,  5 Jul 2012 02:46:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.249
X-Spam-Level: 
X-Spam-Status: No, score=-6.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_SE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ys7n8SC8-rxS; Thu,  5 Jul 2012 02:46:23 -0700 (PDT)
Received: from mailgw7.ericsson.se (mailgw7.ericsson.se [193.180.251.48]) by ietfa.amsl.com (Postfix) with ESMTP id 6052821F85E5; Thu,  5 Jul 2012 02:46:22 -0700 (PDT)
X-AuditID: c1b4fb30-b7fb46d0000064f2-c8-4ff5627a628c
Received: from esessmw0184.eemea.ericsson.se (Unknown_Domain [153.88.253.125]) by mailgw7.ericsson.se (Symantec Mail Security) with SMTP id 45.51.25842.A7265FF4; Thu,  5 Jul 2012 11:46:34 +0200 (CEST)
Received: from [131.160.126.161] (153.88.115.8) by esessmw0184.eemea.ericsson.se (153.88.115.82) with Microsoft SMTP Server id 8.3.264.0; Thu, 5 Jul 2012 11:46:33 +0200
Message-ID: <4FF56278.1000509@gmail.com>
Date: Thu, 5 Jul 2012 12:46:32 +0300
From: Gonzalo Camarillo <gcamaril@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:12.0) Gecko/20120428 Thunderbird/12.0.1
MIME-Version: 1.0
To: Yaron Sheffer <yaronf.ietf@gmail.com>
References: <4FBFAE5F.8010305@gmail.com> <4FC742B2.10508@ericsson.com>
In-Reply-To: <4FC742B2.10508@ericsson.com>
X-Enigmail-Version: 1.4.2
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
Cc: "iesg@ietf.org" <iesg@ietf.org>, "draft-camarillo-rai-media-policy-dataset.all@tools.ietf.org" <draft-camarillo-rai-media-policy-dataset.all@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] SecDir review of draft-camarillo-rai-media-policy-dataset-01
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jul 2012 09:46:23 -0000

Hi Yaron,

per your comments, I have added a reference to RFC 3470 to the Security
Considerations Section. I have written the following:

    Section 7 of RFC 3470 [RFC3470] provides general
    security considerations regarding the transport of XML documents
    in network protocols.

With respect to the other reference you would like to see included in
the draft:

http://xml.resource.org/public/rfc/bibxml4/reference.W3C.REC-xinclude-20061115.xml

How do you want me to include this reference in the draft? That is,
which particular part of this W3C document do you want the draft to
reference?

Thanks,

Gonzalo


On 31/05/2012 1:06 PM, Gonzalo Camarillo wrote:
> Hi Yaron,
> 
> thanks for reviewing the document. I will add the two references you
> suggest in your last point to the next revision of the draft.
> 
> With respect to the remainder of your comments on the event package
> document, that draft has already been in the RFC Editor's queue for a
> while. So, at this point, we will not change it (although I would be
> happy to replace that "should not" with a "SHOULD NOT" in AUTH48). Also,
> SIP security is getting deployed on the field slowly as time goes by. It
> is true that it is taking a while, but we are getting there.
> 
> Cheers,
> 
> Gonzalo
> 
> 
> On 25/05/2012 7:07 PM, Yaron Sheffer wrote:
>> I have reviewed this document as part of the security directorate's 
>> ongoing effort to review all IETF documents being processed by the IESG. 
>> These comments were written primarily for the benefit of the security 
>> area directors.  Document editors and WG chairs should treat these 
>> comments just like any other last call comments.
>>
>> Summary
>>
>> Nothing much here - this is not where the security action is. However a 
>> companion document may need some deeper security review.
>>
>> Details
>>
>> This draft defines the contents/format of a media document. The document 
>> allows a SIP policy server to dictate the media policy that should be 
>> implemented by a UA, in general or on a per-session basis.
>>
>> • The draft requires that all documents be well-formed and valid XML, 
>> which is good - not only for security.
>> • The real security stuff is in draft-ietf-sipping-policy-package-08. I 
>> will not review that document here, but I find it puzzling that session 
>> (media) information is transmitted/secured along with session encryption 
>> keys. Mixing together data of such disparate security sensitivity levels 
>> is likely to result in either over-engineering or under-security.
>> • Reading further down the said security considerations, this issue is 
>> addressed ("the user agent should not insert" etc.), but none of that 
>> discussion is normative!
>> • Moreover, recent discussion on SAAG 
>> (http://www.ietf.org/mail-archive/web/saag/current/msg03695.html) 
>> suggests that some of the security solutions mandated by the Policy 
>> Package draft as well as the current draft are, to put it mildly, not 
>> widely implemented.
>> •  Back to the current document. Re: XML security considerations, please 
>> reference the security considerations of RFC 3470, and possibly also: 
>> Marsh, J., Orchard, D., and D. Veillard, "XML Inclusions (XInclude) 
>> Version 1.0 (Second Edition)", World Wide Web Consortium Recommendation 
>> REC-xinclude-20061115, November 2006, 
>> <http://www.w3.org/TR/2006/REC-xinclude-20061115>.
>>
>> Thanks,
>>      Yaron
>>
> 

From masahiro@isl.rdc.toshiba.co.jp  Sun Jul  1 21:59:22 2012
Return-Path: <masahiro@isl.rdc.toshiba.co.jp>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C25E311E8140 for <secdir@ietfa.amsl.com>; Sun,  1 Jul 2012 21:59:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.23
X-Spam-Level: 
X-Spam-Status: No, score=-2.23 tagged_above=-999 required=5 tests=[BAYES_20=-0.74, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s8RXFpB6Dxk8 for <secdir@ietfa.amsl.com>; Sun,  1 Jul 2012 21:59:21 -0700 (PDT)
Received: from imx2.toshiba.co.jp (inet-tsb5.toshiba.co.jp [202.33.96.24]) by ietfa.amsl.com (Postfix) with ESMTP id 02AA411E8158 for <secdir@ietf.org>; Sun,  1 Jul 2012 21:59:15 -0700 (PDT)
Received: from arc1.toshiba.co.jp ([133.199.194.235]) by imx2.toshiba.co.jp  with ESMTP id q624xJkD002606 for <secdir@ietf.org>; Mon, 2 Jul 2012 13:59:19 +0900 (JST)
Received: (from root@localhost) by arc1.toshiba.co.jp  id q624xJVV023254 for secdir@ietf.org; Mon, 2 Jul 2012 13:59:19 +0900 (JST)
Received: from unknown [133.199.192.144]  by arc1.toshiba.co.jp with ESMTP id PAA23251; Mon, 2 Jul 2012 13:59:19 +0900
Received: from mx12.toshiba.co.jp (localhost [127.0.0.1]) by ovp2.toshiba.co.jp  with ESMTP id q624xIrR017494 for <secdir@ietf.org>; Mon, 2 Jul 2012 13:59:18 +0900 (JST)
Received: from snazzy.isl.rdc.toshiba.co.jp by toshiba.co.jp id q624xIfc014258; Mon, 2 Jul 2012 13:59:18 +0900 (JST)
Received: from maltesein.wide.toshiba.co.jp (unknown [202.249.10.100]) by snazzy.isl.rdc.toshiba.co.jp (Postfix) with ESMTP id 2290E3FE67 for <secdir@ietf.org>; Mon,  2 Jul 2012 22:15:29 +0900 (JST)
Received: from malteseout.wide.toshiba.co.jp (maltese.wide.toshiba.co.jp [202.249.10.99]) by maltesein.wide.toshiba.co.jp (8.13.8/8.9.1) with ESMTP id q624xIYb011507 for <secdir@ietf.org>; Mon, 2 Jul 2012 13:59:18 +0900
Received: from tsbgw.wide.toshiba.co.jp (tsbgw.wide.toshiba.co.jp [202.249.10.123]) by malteseout.wide.toshiba.co.jp (8.13.8/8.9.1) with ESMTP id q624xI7L031140 for <secdir@ietf.org>; Mon, 2 Jul 2012 13:59:18 +0900
Received: from localhost (localhost [127.0.0.1]) by tsbgw.wide.toshiba.co.jp (Postfix) with ESMTP id 5C3432E3F3 for <secdir@ietf.org>; Mon,  2 Jul 2012 13:59:18 +0900 (JST)
Received: from tsbgw.wide.toshiba.co.jp ([127.0.0.1]) by localhost (tsbgw.wide.toshiba.co.jp [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2lit8vJL7b+M for <secdir@ietf.org>; Mon,  2 Jul 2012 13:59:18 +0900 (JST)
Received: from grayswandir.isl.rdc.toshiba.co.jp (localhost [127.0.0.1]) by tsbgw.wide.toshiba.co.jp (Postfix) with ESMTP id 39A6F2E3F2 for <secdir@ietf.org>; Mon,  2 Jul 2012 13:59:18 +0900 (JST)
Date: Mon, 02 Jul 2012 13:59:16 +0900
Message-ID: <yd94npqbvx7.wl@grayswandir.isl.rdc.toshiba.co.jp>
From: Masahiro =Rhythm Drive= Ishiyama <masahiro@isl.rdc.toshiba.co.jp>
To: secdir@ietf.org
In-Reply-To: <tsl7gus37hu.fsf@mit.edu>
References: <21762_1337814743_q4NNCMPh008981_alpine.BSF.2.00.1205231837020.9762@fledge.watson.org> <1337881837.3279.45.camel@destiny.pc.cs.cmu.edu> <004a01cd4562$b7b338e0$4001a8c0@gateway.2wire.net> <tsl7gus37hu.fsf@mit.edu>
User-Agent: Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka) LIMIT/1.14.10 (Furuichi) APEL/10.7 Emacs/22.3 (i386-apple-darwin10.2.0) MULE/5.0 (SAKAKI)
Organization: Toshiba Corp. R&D Center.
Sender: Masahiro =Rhythm Drive= Ishiyama <masahiro@isl.rdc.toshiba.co.jp>
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
X-Dispatcher: imput version 20100215(IM150)
Lines: 37
X-Mailman-Approved-At: Thu, 05 Jul 2012 08:05:11 -0700
Subject: Re: [secdir] secdir review of draft-sakane-dhc-dhcpv6-kdc-option
X-List-Received-Date: Mon, 02 Jul 2012 04:59:22 -0000

	At first I thought that it might be good to leave section 4.1,
	but now I changed my mind. I think the order of the preference
	might depend on the running environment: some people prefer
	"secured" one, some people prefer DNS...  So I'd like to make
	the order configurable and move section 4.1 to appendix, as a
	hint for implementation.

masahiro

>>>>> On Wed, 27 Jun 2012 15:00:29 -0400, Sam Hartman <hartmans-ietf@mit.edu> said:
 > 
>>>>> "t" == t p <daedulus@btconnect.com> writes:
t> Just to make public what I have hinted at privately, I think that steps
t> in section 4.1 may be somewhat underspecified.
 > 
t> A related issue is that section 4.1 prefers DNS to DHCP for Kerberos
t> information but the Security Considerations stress the weakness of
t> DHCP and recommend authenticating DHCP.  What if DHCP is secure
t> and DNS is not?  Should DNS still be preferred?
 > 
 > Yes probably.
 > DNS has been and will continue to be the dominant way to discover KDCs.
 > I see this as a specialized DHCP option for certain deployments, not
 > something you'll see in the enterprise for desktops or laptops as an
 > example.
 > I mean some people may deploy it, but I suspect that you won't see it in
 > most situations where DNS works well today.
 > So, basically in all cases, including preconfigured DNS servers, I'd
 > expect DNS to be preferred.
 > 
 > Note that choosing the right KDC does impact availability--if you have
 > the wrong KDC it won't work.
 > In general though, choosing the wrong KDC does not compromise
 > authentication. It's a bit more complex than that, but KDC location has
 > not generally been considered  security sensitive.
 > 

From kent@bbn.com  Thu Jul  5 09:32:34 2012
Return-Path: <kent@bbn.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 04F0021F87BF for <secdir@ietfa.amsl.com>; Thu,  5 Jul 2012 09:32:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.285
X-Spam-Level: 
X-Spam-Status: No, score=-105.285 tagged_above=-999 required=5 tests=[AWL=-1.100, BAYES_40=-0.185, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tYZnV2OnS-WP for <secdir@ietfa.amsl.com>; Thu,  5 Jul 2012 09:32:32 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id 21DA621F8722 for <secdir@ietf.org>; Thu,  5 Jul 2012 09:32:31 -0700 (PDT)
Received: from dhcp89-089-227.bbn.com ([128.89.89.227]:49163) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1Smoyy-000Hse-Ly for secdir@ietf.org; Thu, 05 Jul 2012 12:32:44 -0400
Mime-Version: 1.0
Message-Id: <p06240808cc1b72007771@[128.89.89.227]>
Date: Thu, 5 Jul 2012 12:32:42 -0400
To: secdir@ietf.org
From: Stephen Kent <kent@bbn.com>
Content-Type: multipart/mixed; boundary="============_-870616532==_============"
Subject: [secdir] this doc needs work
X-List-Received-Date: Thu, 05 Jul 2012 16:32:34 -0000

--============_-870616532==_============
Content-Type: text/plain; charset="us-ascii" ; format="flowed"

I was not assigned to review this doc, but after looking at the intro,
I chose to do so anyway.

Steve
--============_-870616532==_============
Content-Id: <p06240808cc1b72007771@[128.89.89.227].0.0>
Content-Type: application/octet-stream; name="draft-ietf-dnsop-dnssec-dps-framework-08.docx"
 ; x-mac-type="5758424E"
 ; x-mac-creator="4D535744"
Content-Disposition: attachment; filename="draft-ietf-dnsop-dnssec-dps-framework-08.docx"
Content-Transfer-Encoding: base64
--============_-870616532==_============--

From jhutz@cmu.edu  Thu Jul  5 10:07:39 2012
Return-Path: <jhutz@cmu.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35CA421F870A for <secdir@ietfa.amsl.com>; Thu,  5 Jul 2012 10:07:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level: 
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PIgOhpJ4aKu9 for <secdir@ietfa.amsl.com>; Thu,  5 Jul 2012 10:07:38 -0700 (PDT)
Received: from smtp01.srv.cs.cmu.edu (SMTP01.SRV.CS.CMU.EDU [128.2.217.196]) by ietfa.amsl.com (Postfix) with ESMTP id 7C7DE21F8704 for <secdir@ietf.org>; Thu,  5 Jul 2012 10:07:38 -0700 (PDT)
Received: from [192.168.33.132] (c-67-165-85-247.hsd1.pa.comcast.net [67.165.85.247]) (authenticated bits=0) by smtp01.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id q65H7nLC000447 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 5 Jul 2012 13:07:51 -0400 (EDT)
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: Masahiro =Rhythm Drive= Ishiyama <masahiro@isl.rdc.toshiba.co.jp>
In-Reply-To: <23445_1341500728_q65F5R5I014871_yd94npqbvx7.wl@grayswandir.isl.rdc.toshiba.co.jp>
References: <21762_1337814743_q4NNCMPh008981_alpine.BSF.2.00.1205231837020.9762@fledge.watson.org> <1337881837.3279.45.camel@destiny.pc.cs.cmu.edu> <004a01cd4562$b7b338e0$4001a8c0@gateway.2wire.net> <tsl7gus37hu.fsf@mit.edu> <23445_1341500728_q65F5R5I014871_yd94npqbvx7.wl@grayswandir.isl.rdc.toshiba.co.jp>
Content-Type: text/plain; charset="UTF-8"
Date: Thu, 05 Jul 2012 13:07:49 -0400
Message-ID: <1341508069.3279.798.camel@destiny.pc.cs.cmu.edu>
Mime-Version: 1.0
X-Mailer: Evolution 2.30.3 
Content-Transfer-Encoding: 7bit
X-Scanned-By: mimedefang-cmuscs on 128.2.217.196
Cc: secdir@ietf.org, jhutz@cmu.edu
Subject: Re: [secdir] secdir review of draft-sakane-dhc-dhcpv6-kdc-option
X-List-Received-Date: Thu, 05 Jul 2012 17:07:39 -0000

On Mon, 2012-07-02 at 13:59 +0900, Masahiro =Rhythm Drive= Ishiyama
wrote:
> 	At first I thought that it might be good to leave section 4.1,
> 	but now I changed my mind. I think the order of the preference
> 	might depend on the running environment: some people prefer
> 	"secured" one, some people prefer DNS...  So I'd like to make
> 	the order configurable and move section 4.1 to appendix, as a
> 	hint for implementation.

Since the current text, including the requirement to prefer KDC lookup
by DNS, is the result of working group consensus, this change requires
discussion in the working group and a consensus to make a change.

-- Jeff


From kent@bbn.com  Thu Jul  5 12:10:19 2012
Return-Path: <kent@bbn.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C150221F86B8 for <secdir@ietfa.amsl.com>; Thu,  5 Jul 2012 12:10:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.431
X-Spam-Level: 
X-Spam-Status: No, score=-106.431 tagged_above=-999 required=5 tests=[AWL=0.168, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y1IHPP3FNeuv for <secdir@ietfa.amsl.com>; Thu,  5 Jul 2012 12:10:18 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id A186321F8661 for <secdir@ietf.org>; Thu,  5 Jul 2012 12:10:18 -0700 (PDT)
Received: from dhcp89-089-227.bbn.com ([128.89.89.227]:49172) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1SmrRf-0007FK-88 for secdir@ietf.org; Thu, 05 Jul 2012 15:10:31 -0400
Mime-Version: 1.0
Message-Id: <p06240810cc1b96e2299d@[128.89.89.227]>
In-Reply-To: <p06240808cc1b72007771@[128.89.89.227]>
References: <p06240808cc1b72007771@[128.89.89.227]>
Date: Thu, 5 Jul 2012 15:10:28 -0400
To: secdir@ietf.org
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Subject: Re: [secdir] this doc needs work
X-List-Received-Date: Thu, 05 Jul 2012 19:10:20 -0000

Paul pointed out that I should have copied the doc authors, WG chairs,
and cognizant AD on my review, consistent with normal SECDIR practice.

I have now done so.

Steve

From mnot@mnot.net  Thu Jul  5 22:56:43 2012
Return-Path: <mnot@mnot.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EC4E11E809F; Thu,  5 Jul 2012 22:56:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.189
X-Spam-Level: 
X-Spam-Status: No, score=-105.189 tagged_above=-999 required=5 tests=[AWL=-2.590, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uJLAiOh4dOcL; Thu,  5 Jul 2012 22:56:42 -0700 (PDT)
Received: from mxout-07.mxes.net (mxout-07.mxes.net [216.86.168.182]) by ietfa.amsl.com (Postfix) with ESMTP id 7143711E8097; Thu,  5 Jul 2012 22:56:42 -0700 (PDT)
Received: from mnot-mini.mnot.net (unknown [118.209.196.77]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id CA74E22E253; Fri,  6 Jul 2012 01:56:49 -0400 (EDT)
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset=iso-8859-1
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <4F955E48.7060908@cisco.com>
Date: Fri, 6 Jul 2012 15:56:46 +1000
Content-Transfer-Encoding: quoted-printable
Message-Id: <F76C6CF1-F6B8-429F-A57F-D2B4794EFE93@mnot.net>
References: <4F955E48.7060908@cisco.com>
To: Klaas Wierenga <klaas@cisco.com>
X-Mailer: Apple Mail (2.1278)
Cc: draft-ietf-httpbis-p4-conditional.all@tools.ietf.org, The IESG <iesg@ietf.org>, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-httpbis-p4-conditional-19
X-List-Received-Date: Fri, 06 Jul 2012 05:56:43 -0000

Klaas,

Thanks for your review and kind words, and apologies for the delay.

I've opened a new ticket for the security-related issues:
  http://trac.tools.ietf.org/wg/httpbis/trac/ticket/365

... and another for the editorial matters:
  http://trac.tools.ietf.org/wg/httpbis/trac/ticket/366

There are a few remaining below which I'll answer directly.

On 23/04/2012, at 11:51 PM, Klaas Wierenga wrote:

> - 2.2.2 p7, comparison
>
> Is it really necessary to have the elaborate determination whether
> the validator is weak or strong, with arbitrary time intervals etc.?
> It seems very error prone and confusing for implementers. Why not just
> say that Last-Modified is weak, and if you want strong use ETags.

If we were defining the protocol from scratch, I'd agree, but we need to
stay consistent with how HTTP is already implemented, used and defined,
and that can sometimes be messy / complex.


> - 2.3 ETag, p9, Note
>
> "ought to" is not very normative. Why not make it MUST or SHOULD?

We've used that terminology when we want to give implementation advice,
but cannot impose a new RFC2119-level requirement, because it would make
existing implementations non-conformant (as per our charter).


> 3.4 p17, If-Unmodified-Since
>
> Why not define the result of a request having both an
> If-Unmodified-Since and an If-None-Match or If-Modified-Since?

This is already being discussed in:
  http://trac.tools.ietf.org/wg/httpbis/trac/ticket/241


> 4.1 p17, Not modified, second paragraph
>
> A 304 response..... isn't this a fine case of a SHOULD rather than a
> MUST? Or perhaps "A 304 response MUST include a Date header field,
> unless the origin server.... , in that case a Date header field MUST
> NOT be provided", and what actually does "reasonable approximation"
> mean?

I'm not sure what you're concerned about here; it's a MUST requirement
because it's important for interop.

--
Mark Nottingham   http://www.mnot.net/




From klaas@cisco.com  Fri Jul  6 02:11:15 2012
Return-Path: <klaas@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5FC221F86E0; Fri,  6 Jul 2012 02:11:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level: 
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ms7Hafx1Z66W; Fri,  6 Jul 2012 02:11:14 -0700 (PDT)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) by ietfa.amsl.com (Postfix) with ESMTP id A797021F873E; Fri,  6 Jul 2012 02:11:14 -0700 (PDT)
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by rcdn-iport-6.cisco.com with ESMTP; 06 Jul 2012 09:11:15 +0000
Received: from rtp-kwiereng-8714.cisco.com (rtp-kwiereng-8714.cisco.com [10.116.7.37]) by rcdn-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id q669BDQB002338;  Fri, 6 Jul 2012 09:11:14 GMT
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset=iso-8859-1
From: Klaas Wierenga <klaas@cisco.com>
In-Reply-To: <F76C6CF1-F6B8-429F-A57F-D2B4794EFE93@mnot.net>
Date: Fri, 6 Jul 2012 11:11:13 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <DB34634F-A783-4B18-A9CA-C0D571A717F4@cisco.com>
References: <4F955E48.7060908@cisco.com> <F76C6CF1-F6B8-429F-A57F-D2B4794EFE93@mnot.net>
To: Mark Nottingham <mnot@mnot.net>
X-Mailer: Apple Mail (2.1278)
Cc: draft-ietf-httpbis-p4-conditional.all@tools.ietf.org, The IESG <iesg@ietf.org>, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-httpbis-p4-conditional-19
X-List-Received-Date: Fri, 06 Jul 2012 09:11:15 -0000

On Jul 6, 2012, at 7:56 AM, Mark Nottingham wrote:

Hi Mark,

> Thanks for your review and kind words, and apologies for the delay.

no worries, it is not as if I was blocked on waiting for your reply ;-)

Apologies for the fast response, I am in a boring VC ;-)

> I've opened a new ticket for the security-related issues:
>  http://trac.tools.ietf.org/wg/httpbis/trac/ticket/365
>
> ... and another for the editorial matters:
>  http://trac.tools.ietf.org/wg/httpbis/trac/ticket/366
>
> There are a few remaining below which I'll answer directly.
>
> On 23/04/2012, at 11:51 PM, Klaas Wierenga wrote:
>
>> - 2.2.2 p7, comparison
>>
>> Is it really necessary to have the elaborate determination whether
>> the validator is weak or strong, with arbitrary time intervals etc.?
>> It seems very error prone and confusing for implementers. Why not just
>> say that Last-Modified is weak, and if you want strong use ETags.
>
> If we were defining the protocol from scratch, I'd agree, but we need
> to stay consistent with how HTTP is already implemented, used and
> defined, and that can sometimes be messy / complex.

ok

>
>
>> - 2.3 ETag, p9, Note
>>
>> "ought to" is not very normative. Why not make it MUST or SHOULD?
>
> We've used that terminology when we want to give implementation
> advice, but cannot impose a new RFC2119-level requirement, because it
> would make existing implementations non-conformant (as per our charter).

So would that not be a good case for SHOULD with perhaps some
explanation along the above lines why it isn't a MUST?

>
>> 3.4 p17, If-Unmodified-Since
>>
>> Why not define the result of a request having both an
>> If-Unmodified-Since and an If-None-Match or If-Modified-Since?
>
> This is already being discussed in:
>  http://trac.tools.ietf.org/wg/httpbis/trac/ticket/241

ok

>> 4.1 p17, Not modified, second paragraph
>>
>> A 304 response..... isn't this a fine case of a SHOULD rather than a
>> MUST? Or perhaps "A 304 response MUST include a Date header field,
>> unless the origin server.... , in that case a Date header field MUST
>> NOT be provided", and what actually does "reasonable approximation"
>> mean?
>
> I'm not sure what you're concerned about here; it's a MUST requirement
> because it's important for interop.

it is really just for clarity, I had a bit of trouble parsing, rereading
I think my remark about SHOULD probably doesn't make sense. Still, I
read it like "you MUST do A unless condition B applies in which you MUST
NOT do A", I just suggested rephrasing, perhaps to:

"If condition B applies you MUST do A, if condition B does NOT apply you
MUST NOT do A"

Hope this helps,

Klaas

From weiler+secdir@watson.org  Fri Jul  6 10:24:06 2012
Return-Path: <weiler+secdir@watson.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94C1B21F864E for <secdir@ietfa.amsl.com>; Fri,  6 Jul 2012 10:24:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000,  BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kBuXuPxYEQ1T for <secdir@ietfa.amsl.com>; Fri,  6 Jul 2012 10:24:05 -0700 (PDT)
Received: from fledge.watson.org (fledge.watson.org [65.122.17.41]) by ietfa.amsl.com (Postfix) with ESMTP id 77F8121F8656 for <secdir@ietf.org>; Fri,  6 Jul 2012 10:24:04 -0700 (PDT)
Received: from fledge.watson.org (localhost.watson.org [127.0.0.1]) by fledge.watson.org (8.14.5/8.14.5) with ESMTP id q66HOKb2052402 for <secdir@ietf.org>; Fri, 6 Jul 2012 13:24:20 -0400 (EDT) (envelope-from weiler+secdir@watson.org)
Received: from localhost (weiler@localhost) by fledge.watson.org (8.14.5/8.14.5/Submit) with ESMTP id q66HOJwk052396 for <secdir@ietf.org>; Fri, 6 Jul 2012 13:24:20 -0400 (EDT) (envelope-from weiler+secdir@watson.org)
X-Authentication-Warning: fledge.watson.org: weiler owned process doing -bs
Date: Fri, 6 Jul 2012 13:24:19 -0400 (EDT)
From: Samuel Weiler <weiler+secdir@watson.org>
X-X-Sender: weiler@fledge.watson.org
To: secdir@ietf.org
Message-ID: <alpine.BSF.2.00.1207061322490.97500@fledge.watson.org>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.3 (fledge.watson.org [127.0.0.1]); Fri, 06 Jul 2012 13:24:20 -0400 (EDT)
Subject: [secdir] Assignments
Reply-To: secdir-secretary@mit.edu
X-List-Received-Date: Fri, 06 Jul 2012 17:24:06 -0000

Review instructions and related resources are at:
        http://tools.ietf.org/area/sec/trac/wiki/SecDirReview

Tim Polk is next in the rotation.


For telechat 2012-07-19

Reviewer                 LC end     Draft
Shawn Emery            T 2012-07-02 draft-melnikov-smtp-priority-tunneling-02
Leif Johansson         T 2012-07-04 draft-ietf-cdni-use-cases-08
Stephen Kent           TR2011-08-15 draft-ietf-karp-threats-reqs-05
Catherine Meadows      T -          draft-ietf-idr-rfc4893bis-07
Russ Mundy             T 2012-07-17 draft-ietf-pkix-caa-10
Yaron Sheffer          TR2012-06-11 draft-camarillo-rai-media-policy-dataset-02


Last calls and special requests:

Rob Austein              2012-06-26 draft-ietf-bmwg-2544-as-04
Dave Cridland            2012-06-28 draft-ietf-nfsv4-federated-fs-admin-11
Donald Eastlake          -          draft-zheng-mpls-ldp-hello-crypto-auth-04
Steve Hanna              2012-07-11 draft-ietf-6lowpan-btle-08
Sam Hartman              2012-07-10 draft-ietf-abfab-gss-eap-08
Jeffrey Hutzelman        2012-07-10 draft-ietf-behave-lsn-requirements-07
Charlie Kaufman          2012-07-11 draft-ietf-dnsext-dnssec-algo-imp-status-03
Scott Kelly              2012-07-11 draft-ietf-dnsext-dnssec-registry-update-03
Tero Kivinen             2012-07-11 draft-ietf-oauth-urn-sub-ns-05
Warren Kumari            2012-07-11 draft-ietf-oauth-v2-threatmodel-06
Julien Laganier          2012-07-06 draft-ietf-ospf-prefix-hiding-04
Matt Lepinski            2012-07-11 draft-ietf-v6ops-6204bis-09
Chris Lonvick            -          draft-ietf-geopriv-dhcp-lbyr-uri-option-15
Alexey Melnikov          -          draft-ietf-krb-wg-kdc-model-12
Kathleen Moriarty        -          draft-ietf-v6ops-ra-guard-implementation-04
Sandy Murphy             2012-07-19 draft-ietf-ospf-hybrid-bcast-and-p2mp-03
Yoav Nir                 2012-07-17 draft-ietf-ipfix-ie-doctors-03
Magnus Nystrom           2012-07-17 draft-ietf-grow-private-ip-sp-cores-05
Hilarie Orman            2012-07-19 draft-ietf-grow-diverse-bgp-path-dist-07
Radia Perlman            2012-07-17 draft-ietf-dnsop-dnssec-dps-framework-08
Nico Williams            -          draft-ietf-httpbis-p5-range-19
Nico Williams            2012-07-02 draft-farrell-decade-ni-09
Tom Yu                   -          draft-ietf-httpbis-p6-cache-19
Tom Yu                   2012-07-13 draft-hoffman-tao-as-web-page-02
Glen Zorn                -          draft-ietf-httpbis-p7-auth-19
Glen Zorn                2012-06-27 draft-hoffman-tao4677bis-15

From julien.ietf@gmail.com  Fri Jul  6 12:44:37 2012
Return-Path: <julien.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43C4221F8620; Fri,  6 Jul 2012 12:44:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level: 
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dxb83GsmPNze; Fri,  6 Jul 2012 12:44:36 -0700 (PDT)
Received: from mail-pb0-f44.google.com (mail-pb0-f44.google.com [209.85.160.44]) by ietfa.amsl.com (Postfix) with ESMTP id A91D021F861C; Fri,  6 Jul 2012 12:44:36 -0700 (PDT)
Received: by pbcwy7 with SMTP id wy7so15395466pbc.31 for <multiple recipients>; Fri, 06 Jul 2012 12:44:53 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.68.193.195 with SMTP id hq3mr39578810pbc.30.1341603893771; Fri, 06 Jul 2012 12:44:53 -0700 (PDT)
Received: by 10.68.138.137 with HTTP; Fri, 6 Jul 2012 12:44:53 -0700 (PDT)
Date: Fri, 6 Jul 2012 12:44:53 -0700
Message-ID: <CAE_dhjvtKqfgJF+vjp1un_672sEZ_gw-6q6N_RsCsYgmrjr36g@mail.gmail.com>
From: Julien Laganier <julien.ietf@gmail.com>
To: secdir@ietf.org, draft-ietf-ospf-prefix-hiding.all@tools.ietf.org,  The IESG <iesg@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1
Subject: [secdir] SecDir review of draft-ietf-ospf-prefix-hiding-04
X-List-Received-Date: Fri, 06 Jul 2012 19:44:37 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

Disclaimer: I am no routing or OSPF expert and might be missing
something obvious...

According to its abstract the draft describes a mechanism that allows
hiding transit-only networks in OSPF:

   A transit-only network is defined as a network connecting routers
   only.  In OSPF, transit-only networks are usually configured with
   routable IP addresses, which are advertised in Link State
   Advertisements (LSAs) but not needed for data traffic.  In addition,
   remote attacks can be launched against routers by sending packets to
   these transit-only networks.  This document presents a mechanism to
   hide transit-only networks to speed up network convergence and
   minimize remote attack vulnerability.

While the desire to speed up the network convergence is probably
obvious and not of concern, I think the document and its security
considerations section in particular could do a better job at
explaining what the mechanism achieves in terms of minimizing remote
attack vulnerability.

As per my understanding, the proposed mechanism essentially removes the
subnet / netmask information from Link State Advertisements, but these
still contain the routers' IP addresses.

It is not clear to me how removing the subnet / netmask information
actually minimizes the risk of remote attacks.

First of all, the type of remote attacks that are minimized should be made
more explicit. What is the target of the remote attacks? Is it any
address in the subnet? Or the address of a router? If the latter, then
it is not clear how the mechanism actually improves -- the router's IP
addresses are still in the LSAs so presumably an attacker can still
launch remote attacks on these addresses, no? If the former, then it
is not clear how effective is omission of the subnet in avoiding
attacks on addresses within that subnet -- addresses in the
(unknown) subnet can still be inferred from addresses of the routers,
no? Or is it the case that the LSAs containing the IP addresses of the
routers will not be propagated outside of an area that the attacker
has no access to?

Expanding the security considerations might help answering these questions...

--julien

From kivinen@iki.fi  Fri Jul  6 16:01:21 2012
Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28C6811E8093; Fri,  6 Jul 2012 16:01:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yG-weOqU8mBF; Fri,  6 Jul 2012 16:01:20 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) by ietfa.amsl.com (Postfix) with ESMTP id 3174611E80AA; Fri,  6 Jul 2012 16:01:19 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.5/8.14.5) with ESMTP id q66N1VI5024675 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 7 Jul 2012 02:01:31 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.5/8.12.11) id q66N1UdQ016648; Sat, 7 Jul 2012 02:01:30 +0300 (EEST)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <20471.28234.114292.730341@fireball.kivinen.iki.fi>
Date: Sat, 7 Jul 2012 02:01:30 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-oauth-urn-sub-ns.all@tools.ietf.org
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 12 min
X-Total-Time: 11 min
Subject: [secdir] Secdir review of draft-ietf-oauth-urn-sub-ns-05
X-List-Received-Date: Fri, 06 Jul 2012 23:01:21 -0000

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

This document creates a new URN subregistry for oauth use.

The security considerations section points out that there are no new
security considerations in this document that are not already
inherent to using URNs and points to RFC2141 for more information.

On the other hand RFC2141 is very generic and says that there are
security considerations that are outside the scope of that document,
and they should be included in the document registering the namespace
identifiers.

As this again only generates subregistry and not any actual registry
values, it might be better to just add a note similar to what is in
RFC2141; adding a pointer to another document which says "there is
nothing here" isn't that helpful.
-- 
kivinen@iki.fi

From acee.lindem@ericsson.com  Fri Jul  6 18:33:15 2012
Return-Path: <acee.lindem@ericsson.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06DD621F85E0; Fri,  6 Jul 2012 18:33:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.532
X-Spam-Level: 
X-Spam-Status: No, score=-6.532 tagged_above=-999 required=5 tests=[AWL=0.067,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id stHCpbsGGyTp; Fri,  6 Jul 2012 18:33:14 -0700 (PDT)
Received: from imr3.ericy.com (imr3.ericy.com [198.24.6.13]) by ietfa.amsl.com (Postfix) with ESMTP id 3DE4221F8540; Fri,  6 Jul 2012 18:33:14 -0700 (PDT)
Received: from eusaamw0706.eamcs.ericsson.se ([147.117.20.31]) by imr3.ericy.com (8.13.8/8.13.8) with ESMTP id q671XOA4002421 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 6 Jul 2012 20:33:25 -0500
Received: from EUSAACMS0702.eamcs.ericsson.se ([169.254.1.236]) by eusaamw0706.eamcs.ericsson.se ([147.117.20.31]) with mapi; Fri, 6 Jul 2012 21:33:23 -0400
From: Acee Lindem <acee.lindem@ericsson.com>
To: "Retana, Alvaro" <alvaro.retana@hp.com>
Date: Fri, 6 Jul 2012 21:33:21 -0400
Thread-Topic: SecDir review of draft-ietf-ospf-prefix-hiding-04
Thread-Index: Ac1b4H9T1NGStHs7S7Sp+FR2GPic9Q==
Message-ID: <16AA6D76-A64E-4191-B874-B4C84EDB286F@ericsson.com>
References: <CAE_dhjvtKqfgJF+vjp1un_672sEZ_gw-6q6N_RsCsYgmrjr36g@mail.gmail.com> <CAE_dhjsgQZoC4_4jJ14JVKrp_ajjOfbbo9iTgp0XsK91mVozDw@mail.gmail.com> <C03AAF38AD209F4BB02BC0A34B774CE70B75F3@G2W2446.americas.hpqcorp.net>
In-Reply-To: <C03AAF38AD209F4BB02BC0A34B774CE70B75F3@G2W2446.americas.hpqcorp.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: multipart/signed; boundary="Apple-Mail-2-392865302"; protocol="application/pkcs7-signature"; micalg=sha1
MIME-Version: 1.0
Cc: "secdir@ietf.org" <secdir@ietf.org>, Yi Yang <yiya@cisco.com>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-ospf-prefix-hiding.all@tools.ietf.org" <draft-ietf-ospf-prefix-hiding.all@tools.ietf.org>, Julien Laganier <julien.ietf@gmail.com>, Abhay Roy <akr@cisco.com>
Subject: Re: [secdir] SecDir review of draft-ietf-ospf-prefix-hiding-04
X-List-Received-Date: Sat, 07 Jul 2012 01:33:15 -0000


Actually, with this draft, the OSPF LSAs do not necessarily contain any
IP addresses - only topology information. The OSPF Router ID certainly
doesn't have to be a routable IP address and can be explicitly
configured to avoid the default of configured address selection
supported by most implementations.
Thanks,
Acee

On Jul 6, 2012, at 4:50 PM, Retana, Alvaro wrote:

> Julien:
>
> Hi!
>
> [Thanks for forwarding.]
>
> In short, avoiding installation of the routing information (even if
> still carried in the LSAs) means that the routers don't have forwarding
> information to reach a specific transit interface.  IOW, even if you
> know my IP address you can't send me a packet (if you're more than one
> hop away).
>
> We'll expand on the security considerations.
>
> Thanks!!
>
> Alvaro.
>
>> -----Original Message-----
>> From: Julien Laganier [mailto:julien.ietf@gmail.com]
>> Sent: Friday, July 06, 2012 4:00 PM
>> To: Retana, Alvaro
>> Subject: Fwd: SecDir review of draft-ietf-ospf-prefix-hiding-04
>>
>> FYI.
>>
>>
>> ---------- Forwarded message ----------
>> From: Julien Laganier <julien.ietf@gmail.com>
>> Date: Fri, Jul 6, 2012 at 12:44 PM
>> Subject: SecDir review of draft-ietf-ospf-prefix-hiding-04
>> To: secdir@ietf.org, draft-ietf-ospf-prefix-hiding.all@tools.ietf.org,
>> The IESG <iesg@ietf.org>
>>
>>
>> I have reviewed this document as part of the security directorate's
>> ongoing effort to review all IETF documents being processed by the
>> IESG.  These comments were written primarily for the benefit of the
>> security area directors.  Document editors and WG chairs should treat
>> these comments just like any other last call comments.
>>
>> Disclaimer: I am no routing or OSPF expert and might be missing
>> something obvious...
>>
>> According to its abstract the draft describes a mechanism that allows
>> hiding transit-only networks in OSPF:
>>
>>  A transit-only network is defined as a network connecting routers
>>  only.  In OSPF, transit-only networks are usually configured with
>>  routable IP addresses, which are advertised in Link State
>>  Advertisements (LSAs) but not needed for data traffic.  In addition,
>>  remote attacks can be launched against routers by sending packets to
>>  these transit-only networks.  This document presents a mechanism to
>>  hide transit-only networks to speed up network convergence and
>>  minimize remote attack vulnerability.
>>
>> While the desire to speed up the network convergence is probably
>> obvious and not of concern, I think the document and its security
>> considerations section in particular could do a better job at
>> explaining what the mechanism achieves in terms of minimizing remote
>> attack vulnerability.
>>
>> As per my understanding, the proposed mechanism essentially removes the
>> subnet / netmask information from Link State Advertisements, but these
>> still contain the routers' IP addresses.
>>
>> It is not clear to me how removing the subnet / netmask information
>> actually minimizes the risk of remote attacks.
>>
>> First of all, the type of remote attacks that are minimized should be
>> made more explicit. What is the target of the remote attacks? Is it any
>> address in the subnet? Or the address of a router? If the latter, then
>> it is not clear how the mechanism actually improves -- the router's IP
>> addresses are still in the LSAs so presumably an attacker can still
>> launch remote attacks on these addresses, no? If the former, then it
>> is not clear how effective is omission of the subnet in avoiding
>> attacks on addresses within that subnet -- addresses in the
>> (unknown) subnet can still be inferred from addresses of the routers,
>> no? Or is it the case that the LSAs containing the IP addresses of the
>> routers will not be propagated outside of an area that the attacker
>> has no access to?
>>
>> Expanding the security considerations might help answering these
>> questions...
>>
>> --julien



From alvaro.retana@hp.com  Fri Jul  6 13:51:25 2012
Return-Path: <alvaro.retana@hp.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8CBE11E810C; Fri,  6 Jul 2012 13:51:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -109.299
X-Spam-Level: 
X-Spam-Status: No, score=-109.299 tagged_above=-999 required=5 tests=[AWL=1.300, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1JC8TnhBvgDo; Fri,  6 Jul 2012 13:51:25 -0700 (PDT)
Received: from g1t0027.austin.hp.com (g1t0027.austin.hp.com [15.216.28.34]) by ietfa.amsl.com (Postfix) with ESMTP id DB5F711E80DE; Fri,  6 Jul 2012 13:51:24 -0700 (PDT)
Received: from G1W3635G.americas.hpqcorp.net (g1w3635g.austin.hp.com [16.193.48.86]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by g1t0027.austin.hp.com (Postfix) with ESMTPS id 8CED63842C; Fri,  6 Jul 2012 20:51:41 +0000 (UTC)
Received: from G2W1813G.americas.hpqcorp.net (16.238.8.212) by G1W3635G.americas.hpqcorp.net (16.193.48.86) with Microsoft SMTP Server (TLS) id 14.2.283.4; Fri, 6 Jul 2012 20:50:20 +0000
Received: from G2W2446.americas.hpqcorp.net ([169.254.7.17]) by G2W1813G.americas.hpqcorp.net ([fe80::2d8c:5671:edf9:26b0%12]) with mapi id 14.02.0283.003; Fri, 6 Jul 2012 20:50:20 +0000
From: "Retana, Alvaro" <alvaro.retana@hp.com>
To: Julien Laganier <julien.ietf@gmail.com>
Thread-Topic: SecDir review of draft-ietf-ospf-prefix-hiding-04
Thread-Index: AQHNW7H2jmw/JizKEk62icH9vhErYpccuHkA
Date: Fri, 6 Jul 2012 20:50:19 +0000
Message-ID: <C03AAF38AD209F4BB02BC0A34B774CE70B75F3@G2W2446.americas.hpqcorp.net>
References: <CAE_dhjvtKqfgJF+vjp1un_672sEZ_gw-6q6N_RsCsYgmrjr36g@mail.gmail.com> <CAE_dhjsgQZoC4_4jJ14JVKrp_ajjOfbbo9iTgp0XsK91mVozDw@mail.gmail.com>
In-Reply-To: <CAE_dhjsgQZoC4_4jJ14JVKrp_ajjOfbbo9iTgp0XsK91mVozDw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [15.217.50.29]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailman-Approved-At: Sun, 08 Jul 2012 10:42:12 -0700
Cc: "draft-ietf-ospf-prefix-hiding.all@tools.ietf.org" <draft-ietf-ospf-prefix-hiding.all@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, Yi Yang <yiya@cisco.com>, Abhay Roy <akr@cisco.com>
Subject: Re: [secdir] SecDir review of draft-ietf-ospf-prefix-hiding-04
X-List-Received-Date: Fri, 06 Jul 2012 20:51:26 -0000

Julien:

Hi!

[Thanks for forwarding.]

In short, avoiding installation of the routing information (even if still
carried in the LSAs) means that the routers don't have forwarding
information to reach a specific transit interface.  IOW, even if you know
my IP address you can't send me a packet (if you're more than one hop
away).

We'll expand on the security considerations.

Thanks!!

Alvaro.

> -----Original Message-----
> From: Julien Laganier [mailto:julien.ietf@gmail.com]
> Sent: Friday, July 06, 2012 4:00 PM
> To: Retana, Alvaro
> Subject: Fwd: SecDir review of draft-ietf-ospf-prefix-hiding-04
>
> FYI.
>
>
> ---------- Forwarded message ----------
> From: Julien Laganier <julien.ietf@gmail.com>
> Date: Fri, Jul 6, 2012 at 12:44 PM
> Subject: SecDir review of draft-ietf-ospf-prefix-hiding-04
> To: secdir@ietf.org, draft-ietf-ospf-prefix-hiding.all@tools.ietf.org,
> The IESG <iesg@ietf.org>
>
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> Disclaimer: I am no routing or OSPF expert and might be missing
> something obvious...
>
> According to its abstract the draft describes a mechanism that allows
> hiding transit-only networks in OSPF:
>
>    A transit-only network is defined as a network connecting routers
>    only.  In OSPF, transit-only networks are usually configured with
>    routable IP addresses, which are advertised in Link State
>    Advertisements (LSAs) but not needed for data traffic.  In addition,
>    remote attacks can be launched against routers by sending packets to
>    these transit-only networks.  This document presents a mechanism to
>    hide transit-only networks to speed up network convergence and
>    minimize remote attack vulnerability.
>
> While the desire to speed up the network convergence is probably
> obvious and not of concern, I think the document and its security
> considerations section in particular could do a better job at
> explaining what the mechanism achieves in terms of minimizing remote
> attack vulnerability.
>
> As per my understanding, the proposed mechanism essentially removes the
> subnet / netmask information from Link State Advertisements, but these
> still contain the routers' IP addresses.
>
> It is not clear to me how removing the subnet / netmask information
> actually minimizes the risk of remote attacks.
>
> First of all, the type of remote attacks that are minimized should be made
> more explicit. What is the target of the remote attacks? Is it any
> address in the subnet? Or the address of a router? If the latter, then
> it is not clear how the mechanism actually improves -- the router's IP
> addresses are still in the LSAs so presumably an attacker can still
> launch remote attacks on these addresses, no? If the former, then it
> is not clear how effective is omission of the subnet in avoiding
> attacks on addresses within that subnet -- addresses in the
> (unknown) subnet can still be inferred from addresses of the routers,
> no? Or is it the case that the LSAs containing the IP addresses of the
> routers will not be propagated outside of an area that the attacker
> has no access to?
>
> Expanding the security considerations might help answering these
> questions...
>
> --julien
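
A simplified model of the effect described in the reply above (no installed route means no forwarding path to a transit interface beyond one hop), added here as an illustration; it is not code from the thread or from the draft. The three-router topology, the documentation-range addresses and the `hide_transit` flag are constructed assumptions, and the model has no default or aggregate route.

```python
import heapq
import ipaddress

# Constructed topology (documentation address ranges): R1 -- R2 -- R3.
# Each link: (router_a, router_b, transit prefix, cost).
LINKS = [
    ("R1", "R2", "192.0.2.0/30", 10),   # R2's interface here is 192.0.2.2
    ("R2", "R3", "192.0.2.4/30", 10),   # R3's interface here is 192.0.2.6
]
# Stub networks that carry user traffic: (router, prefix, cost).
STUBS = [("R1", "198.51.100.0/24", 1), ("R3", "203.0.113.0/24", 1)]


def spf(source):
    """Dijkstra over the router graph; returns {router: (cost, first_hop)}."""
    adj = {}
    for a, b, _, cost in LINKS:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    best = {}
    heap = [(0, source, None)]
    while heap:
        cost, node, hop = heapq.heappop(heap)
        if node in best:
            continue
        best[node] = (cost, hop)
        for nbr, link_cost in adj.get(node, []):
            if nbr not in best:
                # The first hop is the neighbour itself when leaving the source.
                heapq.heappush(heap, (cost + link_cost, nbr, hop or nbr))
    return best


def build_rib(source, hide_transit):
    """Routing table of `source`: {network: (cost, next_hop)}.

    hide_transit=True models the behaviour discussed in the thread:
    prefixes of remote transit-only links are not installed, while
    connected links and stub networks still are.
    """
    tree = spf(source)
    rib = {}

    def install(prefix, cost, hop):
        net = ipaddress.ip_network(prefix)
        if net not in rib or cost < rib[net][0]:
            rib[net] = (cost, hop)

    for router, prefix, cost in STUBS:
        if router in tree:
            dist, hop = tree[router]
            install(prefix, dist + cost, hop or "connected")

    for a, b, prefix, cost in LINKS:
        if source in (a, b):
            install(prefix, cost, "connected")      # own interface
        elif not hide_transit:
            reachable = [r for r in (a, b) if r in tree]
            if reachable:
                near = min(reachable, key=lambda r: tree[r][0])
                install(prefix, tree[near][0] + cost, tree[near][1])
    return rib


def lookup(rib, dst):
    """Longest-prefix match; returns (prefix, next_hop) or None if unroutable."""
    addr = ipaddress.ip_address(dst)
    matches = [net for net in rib if addr in net]
    if not matches:
        return None
    best = max(matches, key=lambda net: net.prefixlen)
    return str(best), rib[best][1]


if __name__ == "__main__":
    for hide in (False, True):
        rib = build_rib("R1", hide_transit=hide)
        print("hide_transit =", hide)
        for dst in ("192.0.2.2", "192.0.2.6", "203.0.113.10"):
            print("  ", dst, "->", lookup(rib, dst))
```

A default or aggregate route covering the transit range would still match in `lookup`, so in this model the hidden prefix only removes reachability where no covering route exists.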

From leifj@sunet.se  Sun Jul  8 13:12:24 2012
Return-Path: <leifj@sunet.se>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E7F721F86A7; Sun,  8 Jul 2012 13:12:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.266
X-Spam-Level: 
X-Spam-Status: No, score=-3.266 tagged_above=-999 required=5 tests=[AWL=-0.667, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 19+8tTbXJfWz; Sun,  8 Jul 2012 13:12:23 -0700 (PDT)
Received: from backup-server.nordu.net (backup-server.nordu.net [IPv6:2001:948:4:1::66]) by ietfa.amsl.com (Postfix) with ESMTP id 7822021F869D; Sun,  8 Jul 2012 13:12:23 -0700 (PDT)
Received: from [10.0.0.11] (ua-83-227-179-169.cust.bredbandsbolaget.se [83.227.179.169]) (authenticated bits=0) by backup-server.nordu.net (8.14.3/8.14.3) with ESMTP id q68KCfD6008521 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 8 Jul 2012 22:12:44 +0200 (CEST)
Message-ID: <4FF9E9B9.1040705@sunet.se>
Date: Sun, 08 Jul 2012 22:12:41 +0200
From: Leif Johansson <leifj@sunet.se>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20120615 Thunderbird/13.0.1
MIME-Version: 1.0
To: "secdir@ietf.org" <secdir@ietf.org>, draft-ietf-cdni-use-cases.all@tools.ietf.org, "iesg@ietf.org" <iesg@ietf.org>
X-Enigmail-Version: 1.4.2
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: [secdir] review of draft-ietf-cdni-use-cases-08
X-List-Received-Date: Sun, 08 Jul 2012 20:12:24 -0000


I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.


The document is well written. The security considerations section
refers the reader to the CDNI problem statement which is fine if
all the security considerations from RFC3570 (which is obsoleted
by this document) are carried over to the CDNI problem statement.

	Best R
	Leif

From yaronf.ietf@gmail.com  Sun Jul  8 13:37:41 2012
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 016CB21F86F1 for <secdir@ietfa.amsl.com>; Sun,  8 Jul 2012 13:37:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.356
X-Spam-Level: 
X-Spam-Status: No, score=-102.356 tagged_above=-999 required=5 tests=[AWL=-0.214, BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.457, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gV3zN+CTuxnX for <secdir@ietfa.amsl.com>; Sun,  8 Jul 2012 13:37:40 -0700 (PDT)
Received: from mail-bk0-f44.google.com (mail-bk0-f44.google.com [209.85.214.44]) by ietfa.amsl.com (Postfix) with ESMTP id 39EA021F86F0 for <secdir@ietf.org>; Sun,  8 Jul 2012 13:37:40 -0700 (PDT)
Received: by bkty7 with SMTP id y7so2280128bkt.31 for <secdir@ietf.org>; Sun, 08 Jul 2012 13:38:02 -0700 (PDT)
Received: by 10.204.153.28 with SMTP id i28mr15661430bkw.19.1341779882273; Sun, 08 Jul 2012 13:38:02 -0700 (PDT)
Received: from [10.0.0.2] (bzq-79-181-164-236.red.bezeqint.net. [79.181.164.236]) by mx.google.com with ESMTPS id he8sm3563860bkc.3.2012.07.08.13.38.01 (version=SSLv3 cipher=OTHER); Sun, 08 Jul 2012 13:38:01 -0700 (PDT)
Message-ID: <4FF9EFA7.7070904@gmail.com>
Date: Sun, 08 Jul 2012 23:37:59 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20120615 Thunderbird/13.0.1
MIME-Version: 1.0
To: secdir@ietf.org,  draft-camarillo-rai-media-policy-dataset.all@tools.ietf.org
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: [secdir] SecDir repeat review of draft-camarillo-rai-media-policy-dataset-02
X-List-Received-Date: Sun, 08 Jul 2012 20:37:41 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This is a repeat review of the document, which I reviewed in its
previous version.

The only semi-significant comment I had was addressed in -02.

To answer Gonzalo's question of a few days ago: I have looked at it
again and I now think the XInclude reference is not warranted here.

I would like to remind Gonzalo to change the following text into
normative language, when it comes time for the AUTH48 review: "Thus,
the user agent should not insert such sensitive information in a
session information document that it sends to the policy server."
Though given the history of this document (IESG comments from 2008) I
will not be holding my breath.

Thanks,
	Yaron

From mnot@mnot.net  Sun Jul  8 17:52:25 2012
Return-Path: <mnot@mnot.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0148A21F87EE; Sun,  8 Jul 2012 17:52:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.148
X-Spam-Level: 
X-Spam-Status: No, score=-105.148 tagged_above=-999 required=5 tests=[AWL=-2.549, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NjwSvGvScWsq; Sun,  8 Jul 2012 17:52:24 -0700 (PDT)
Received: from mxout-07.mxes.net (mxout-07.mxes.net [216.86.168.182]) by ietfa.amsl.com (Postfix) with ESMTP id 28C8B21F87ED; Sun,  8 Jul 2012 17:52:24 -0700 (PDT)
Received: from mnot-mini.mnot.net (unknown [118.209.196.77]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 1025722E1EB; Sun,  8 Jul 2012 20:52:40 -0400 (EDT)
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset=iso-8859-1
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <DB34634F-A783-4B18-A9CA-C0D571A717F4@cisco.com>
Date: Mon, 9 Jul 2012 10:52:37 +1000
Content-Transfer-Encoding: quoted-printable
Message-Id: <DE72BACC-BF0E-448F-A8E2-DA02F162FC10@mnot.net>
References: <4F955E48.7060908@cisco.com> <F76C6CF1-F6B8-429F-A57F-D2B4794EFE93@mnot.net> <DB34634F-A783-4B18-A9CA-C0D571A717F4@cisco.com>
To: Klaas Wierenga <klaas@cisco.com>
X-Mailer: Apple Mail (2.1278)
Cc: draft-ietf-httpbis-p4-conditional.all@tools.ietf.org, The IESG <iesg@ietf.org>, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-httpbis-p4-conditional-19
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2012 00:52:25 -0000

On 06/07/2012, at 7:11 PM, Klaas Wierenga wrote:
>>>
>>> "ought to" is not very normative. Why not make it MUST or SHOULD?
>>
>> We've used that terminology when we want to give implementation advice, but cannot impose a new RFC2119-level requirement, because it would make existing implementations non-conformant (as per our charter).
>
> So would that not be a good case for SHOULD with perhaps some explanation along the above lines why it isn't a MUST?

No, because that still affects conformance (saying "you SHOULD do this unless you're an old implementation" is awkward and hard to enforce; it also encourages implementations not to update themselves).


>>> 4.1 p17, Not modified, second paragraph
>>>
>>> A 304 response..... isn't this a fine case of a SHOULD rather than a
>>> MUST? Or perhaps "A 304 response MUST include a Date header field,
>>> unless the origin server.... , in that case a Date header field MUST
>>> NOT be provided", and what actually does "reasonable approximation" mean?
>>
>> I'm not sure what you're concerned about here; it's a MUST requirement because it's important for interop.
>
> it is really just for clarity, I had a bit of trouble parsing, rereading I think my remark about SHOULD probably doesn't make sense. Still, I read it like "you MUST do A unless condition B applies in which you MUST NOT do A", I just suggested rephrasing, perhaps to:
>
> "If condition B applies you MUST do A, if condition B does NOT apply you MUST NOT do A"


OK, I'll pass that on to the editors.


Thanks again,

--
Mark Nottingham   http://www.mnot.net/




From gonzalo.camarillo@ericsson.com  Sun Jul  8 23:30:45 2012
Return-Path: <gonzalo.camarillo@ericsson.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D02B21F8794 for <secdir@ietfa.amsl.com>; Sun,  8 Jul 2012 23:30:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.213
X-Spam-Level: 
X-Spam-Status: No, score=-106.213 tagged_above=-999 required=5 tests=[AWL=0.036, BAYES_00=-2.599, HELO_EQ_SE=0.35, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NaGElopyhiB4 for <secdir@ietfa.amsl.com>; Sun,  8 Jul 2012 23:30:44 -0700 (PDT)
Received: from mailgw2.ericsson.se (mailgw2.ericsson.se [193.180.251.37]) by ietfa.amsl.com (Postfix) with ESMTP id 32E7221F877D for <secdir@ietf.org>; Sun,  8 Jul 2012 23:30:44 -0700 (PDT)
X-AuditID: c1b4fb25-b7fc16d000005db2-86-4ffa7aa842bc
Received: from esessmw0191.eemea.ericsson.se (Unknown_Domain [153.88.253.125]) by mailgw2.ericsson.se (Symantec Mail Security) with SMTP id 0E.37.23986.8AA7AFF4; Mon,  9 Jul 2012 08:31:05 +0200 (CEST)
Received: from [131.160.36.42] (153.88.115.8) by esessmw0191.eemea.ericsson.se (153.88.115.85) with Microsoft SMTP Server id 8.3.264.0; Mon, 9 Jul 2012 08:31:04 +0200
Message-ID: <4FFA7AA8.4040602@ericsson.com>
Date: Mon, 9 Jul 2012 09:31:04 +0300
From: Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>
User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:12.0) Gecko/20120428 Thunderbird/12.0.1
MIME-Version: 1.0
To: Yaron Sheffer <yaronf.ietf@gmail.com>
References: <4FF9EFA7.7070904@gmail.com>
In-Reply-To: <4FF9EFA7.7070904@gmail.com>
X-Enigmail-Version: 1.4.2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "draft-camarillo-rai-media-policy-dataset.all@tools.ietf.org" <draft-camarillo-rai-media-policy-dataset.all@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] SecDir repeat review of draft-camarillo-rai-media-policy-dataset-02
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2012 06:30:45 -0000

Hi Yaron,

thanks for your email. With respect to your last comment, note that it
applies to a different document (draft-ietf-sipping-policy-package-08). I
will make the change you propose in AUTH48, it is in my notes for that
draft. Yes, it has taken a while to finish this set of documents but as
soon as the draft you reviewed is approved (media-policy), the whole set
will be approved.

Cheers,

Gonzalo

On 08/07/2012 11:37 PM, Yaron Sheffer wrote:
> I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.
> 
> This is a repeat review of the document, which I reviewed in its previous version.
> 
> The only semi-significant comment I had was addressed in -02.
> 
> To answer Gonzalo's question of a few days ago: I have looked at it again and I now think the XInclude reference is not warranted here.
> 
> I would like to remind Gonzalo to change the following text into normative language, when it comes time for the AUTH48 review: "Thus, the user agent should not insert such sensitive information in a session information document that it sends to the policy server." Though given the history of this document (IESG comments from 2008) I will not be holding my breath.
> 
> Thanks,
> 	Yaron
> 


From flefauch@cisco.com  Mon Jul  9 01:04:55 2012
Return-Path: <flefauch@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D98121F8668; Mon,  9 Jul 2012 01:04:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level: 
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9HYyWdKtro6q; Mon,  9 Jul 2012 01:04:54 -0700 (PDT)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) by ietfa.amsl.com (Postfix) with ESMTP id 7A26A21F869D; Mon,  9 Jul 2012 01:04:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=flefauch@cisco.com; l=2314; q=dns/txt; s=iport; t=1341821119; x=1343030719; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=3yz7Bnzo11ks4TqHaDH+N9pgRurJKG+d2kCXjgcbAcs=; b=Fk+dtN8w1cpqMCwlCoDbKqqGrk8KHCX88HNSnqtBk4POJzaXPMpZYoBe xxbYgWEpndZ4lg4rUe1GuQSQpY8rzOPS5RVqz4j2Hp924bI4TX/lPtDjA 4chauVvz/CNymFLXGa4KExs6PvuzEqp+3nF+OY+r5l0jgXPaYE+l1WfyF 8=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av0EAEiQ+k+tJXG8/2dsb2JhbABFt2SBB4IhAQEEEgFUEhACAQhGMiUCBAENJ4drmwCfFYtAhSxgA4gWjSCBEo0NgWaCXw
X-IronPort-AV: E=Sophos;i="4.77,551,1336348800"; d="scan'208";a="99897122"
Received: from rcdn-core2-1.cisco.com ([173.37.113.188]) by rcdn-iport-2.cisco.com with ESMTP; 09 Jul 2012 08:05:18 +0000
Received: from xhc-rcd-x06.cisco.com (xhc-rcd-x06.cisco.com [173.37.183.80]) by rcdn-core2-1.cisco.com (8.14.5/8.14.5) with ESMTP id q6985IY0020515 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 9 Jul 2012 08:05:18 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.17]) by xhc-rcd-x06.cisco.com ([173.37.183.80]) with mapi id 14.02.0298.004; Mon, 9 Jul 2012 03:05:18 -0500
From: "Francois Le Faucheur (flefauch)" <flefauch@cisco.com>
To: Leif Johansson <leifj@sunet.se>, "draft-ietf-cdni-use-cases.all@tools.ietf.org" <draft-ietf-cdni-use-cases.all@tools.ietf.org>
Thread-Topic: review of draft-ietf-cdni-use-cases-08
Thread-Index: AQHNXUYQp+sxNL1S30qFQw+jO95aeZcg7HAA
Date: Mon, 9 Jul 2012 08:05:17 +0000
Message-ID: <3E4E0633-EDDD-42C0-8A22-1A8247671211@cisco.com>
References: <4FF9E9B9.1040705@sunet.se>
In-Reply-To: <4FF9E9B9.1040705@sunet.se>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.55.161.195]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19028.004
x-tm-as-result: No--38.983300-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <6359F048126F454E9D8561186CA47732@cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "Francois Le Faucheur \(flefauch\)" <flefauch@cisco.com>, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] review of draft-ietf-cdni-use-cases-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2012 08:04:55 -0000

(speaking as WG co-chair)

Hi Leif & use-cases co-authors,

Thanks for your review.

Regarding :
"The security considerations section
refers the reader to the CDNI problem statement which is fine if
all the security considerations from RFC3570 (which is obsoleted
by this document) are carried over to the CDNI problem statement."

I would say that the fundamental security considerations brought up in RFC3570 are indeed covered by the Problem Statement. But arguably, there are one or two interesting specific declinations of these fundamental security considerations that are more explicitly spelt out in RFC3570 (eg "Delivery of Bad CONTENT"). My proposal would be that we catch all these "specific declinations" in our CDNI Framework document, since this is the target document for discussing specific declinations of system-level security issues (and each individual CDNI interface document will discuss its interface-specific considerations).
Does that work?
If yes, I'll drop a note to the CDNI Framework authors to make sure they exhaustively catch any specific declinations of security issues that were brought up in RFC3570 and are not yet discussed in the CDNI Framework.

Cheers

Francois




On 8 Jul 2012, at 22:12, Leif Johansson wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
>
> The document is well written. The security considerations section
> refers the reader to the CDNI problem statement which is fine if
> all the security considerations from RFC3570 (which is obsoleted
> by this document) are carried over to the CDNI problem statement.
>
> 	Best R
> 	Leif
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk/56bkACgkQ8Jx8FtbMZneEEACfSx3EDC8LjfxAVtjlG26U0yke
> A/4AniNhNV6H7bR5HCqfisT2mZ2lFgp0
> =UlPC
> -----END PGP SIGNATURE-----


From leifj@sunet.se  Mon Jul  9 01:07:06 2012
Return-Path: <leifj@sunet.se>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A5DE21F8683; Mon,  9 Jul 2012 01:07:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.17
X-Spam-Level: 
X-Spam-Status: No, score=-3.17 tagged_above=-999 required=5 tests=[AWL=-0.571,  BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ge0ZSpLHvnmL; Mon,  9 Jul 2012 01:07:06 -0700 (PDT)
Received: from backup-server.nordu.net (backup-server.nordu.net [IPv6:2001:948:4:1::66]) by ietfa.amsl.com (Postfix) with ESMTP id CFBA821F8668; Mon,  9 Jul 2012 01:07:05 -0700 (PDT)
Received: from [10.0.0.11] (ua-83-227-179-169.cust.bredbandsbolaget.se [83.227.179.169]) (authenticated bits=0) by backup-server.nordu.net (8.14.3/8.14.3) with ESMTP id q6987LD9005545 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 9 Jul 2012 10:07:25 +0200 (CEST)
Message-ID: <4FFA9138.8050204@sunet.se>
Date: Mon, 09 Jul 2012 10:07:20 +0200
From: Leif Johansson <leifj@sunet.se>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20120615 Thunderbird/13.0.1
MIME-Version: 1.0
To: "Francois Le Faucheur (flefauch)" <flefauch@cisco.com>
References: <4FF9E9B9.1040705@sunet.se> <3E4E0633-EDDD-42C0-8A22-1A8247671211@cisco.com>
In-Reply-To: <3E4E0633-EDDD-42C0-8A22-1A8247671211@cisco.com>
X-Enigmail-Version: 1.4.2
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: The IESG <iesg@ietf.org>, "draft-ietf-cdni-use-cases.all@tools.ietf.org" <draft-ietf-cdni-use-cases.all@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] review of draft-ietf-cdni-use-cases-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2012 08:07:06 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/09/2012 10:05 AM, Francois Le Faucheur (flefauch) wrote:
> (speaking as WG co-chair)
> 
> Hi Leif & use-cases co-authors,
> 
> Thanks for your review.
> 
> Regarding : "The security considerations section refers the reader
> to the CDNI problem statement which is fine if all the security
> considerations from RFC3570 (which is obsoleted by this document)
> are carried over to the CDNI problem statement."
> 
> I would say that the fundamental security considerations brought up
> in RFC3570 are indeed covered by the Problem Statement. But
> arguably, there are one or two interesting specific declinations of
> these fundamental security considerations that are more explicitely
> spelt out in RFC3570 (eg "Delivery of Bad CONTENT"). My proposal
> would be that we catch all these "specific declinations" in our
> CDNI Framework document, since this is the target document for
> discussing specific declinations of system-level security issues
> (and each individual CDNI interface document will discuss its
> interface-specific considerations). Does that work? If yes, I'll
> drop a note to the CDNI Framework authors to make sure they
> exhaustively catch any specific declinations of security issues
> that was brought up in RFC3570 and is not yet discussed in the CDNI
> Framework.

Great
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk/6kTgACgkQ8Jx8FtbMZnfPTgCcC+kI6kCmX0cvXaRHYX0wrpWf
WaAAn2l+rKNlcDsfls82ON1/P945Hv1j
=YxCr
-----END PGP SIGNATURE-----

From julian.reschke@greenbytes.de  Mon Jul  9 01:58:48 2012
Return-Path: <julian.reschke@greenbytes.de>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0871521F8803; Mon,  9 Jul 2012 01:58:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.249
X-Spam-Level: 
X-Spam-Status: No, score=-2.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XVAx79LXa4hG; Mon,  9 Jul 2012 01:58:47 -0700 (PDT)
Received: from donbot.greenbytes.de (mail.greenbytes.de [217.91.35.233]) by ietfa.amsl.com (Postfix) with ESMTP id 5821021F8802; Mon,  9 Jul 2012 01:58:47 -0700 (PDT)
Received: from [192.168.178.36] (unknown [93.217.121.123]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by donbot.greenbytes.de (Postfix) with ESMTPSA id 45E05C4C0ED; Mon,  9 Jul 2012 10:59:04 +0200 (CEST)
Message-ID: <4FFA9D54.1050900@greenbytes.de>
Date: Mon, 09 Jul 2012 10:59:00 +0200
From: Julian Reschke <julian.reschke@greenbytes.de>
Organization: greenbytes GmbH
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20120614 Thunderbird/13.0.1
MIME-Version: 1.0
To: Mark Nottingham <mnot@mnot.net>
References: <4F955E48.7060908@cisco.com> <F76C6CF1-F6B8-429F-A57F-D2B4794EFE93@mnot.net> <DB34634F-A783-4B18-A9CA-C0D571A717F4@cisco.com> <DE72BACC-BF0E-448F-A8E2-DA02F162FC10@mnot.net>
In-Reply-To: <DE72BACC-BF0E-448F-A8E2-DA02F162FC10@mnot.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: The IESG <iesg@ietf.org>, draft-ietf-httpbis-p4-conditional.all@tools.ietf.org, Klaas Wierenga <klaas@cisco.com>, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-httpbis-p4-conditional-19
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2012 08:58:48 -0000

On 2012-07-09 02:52, Mark Nottingham wrote:
> ...
>> "If condition B applies you MUST do A, if condition B does NOT apply you MUST NOT do A"
>
>
> OK, I'll pass that on to the editors.
> ...

That would be a normative change; right now we don't make any 
requirement for the case where condition B is not met.

Best regards, Julian

From scott@hyperthought.com  Mon Jul  9 09:12:59 2012
Return-Path: <scott@hyperthought.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B5B721F85FB for <secdir@ietfa.amsl.com>; Mon,  9 Jul 2012 09:12:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level: 
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8sJu2CF6PYz8 for <secdir@ietfa.amsl.com>; Mon,  9 Jul 2012 09:12:57 -0700 (PDT)
Received: from smtp112.iad.emailsrvr.com (smtp112.iad.emailsrvr.com [207.97.245.112]) by ietfa.amsl.com (Postfix) with ESMTP id 1968521F85F2 for <secdir@ietf.org>; Mon,  9 Jul 2012 09:12:55 -0700 (PDT)
Received: from localhost (localhost.localdomain [127.0.0.1]) by smtp51.relay.iad1a.emailsrvr.com (SMTP Server) with ESMTP id 0A407206EF; Mon,  9 Jul 2012 12:13:20 -0400 (EDT)
X-Virus-Scanned: OK
Received: from legacy10.wa-web.iad1a (legacy10.wa-web.iad1a.rsapps.net [192.168.4.112]) by smtp51.relay.iad1a.emailsrvr.com (SMTP Server) with ESMTP id A8AEC206F1; Mon,  9 Jul 2012 12:13:19 -0400 (EDT)
Received: from hyperthought.com (localhost.localdomain [127.0.0.1]) by legacy10.wa-web.iad1a (Postfix) with ESMTP id 75FF17E0001; Mon,  9 Jul 2012 12:13:19 -0400 (EDT)
Received: by apps.rackspace.com (Authenticated sender: scott@hyperthought.com, from: scott@hyperthought.com)  with HTTP; Mon, 9 Jul 2012 09:13:19 -0700 (PDT)
Date: Mon, 9 Jul 2012 09:13:19 -0700 (PDT)
From: "Scott G. Kelly" <scott@hyperthought.com>
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, draft-ietf-dnsext-dnssec-registry-update.all@tools.ietf.org
MIME-Version: 1.0
Content-Type: text/plain;charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Importance: Normal
X-Priority: 3 (Normal)
X-Type: plain
Message-ID: <1341850399.47832875@apps.rackspace.com>
X-Mailer: webmail7.0
Subject: [secdir] secdir review of draft-ietf-dnsext-dnssec-registry-update-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2012 16:12:59 -0000

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

This document updates the IANA registry for DNSSEC algorithm numbers, changing 3 numbers that were set aside as placeholders but not subsequently assigned to "Reserved".

The security considerations section states that no new security issues are raised by this document, and I agree. I see no issues with this document.


From catherine.meadows@nrl.navy.mil  Mon Jul  9 10:53:52 2012
Return-Path: <catherine.meadows@nrl.navy.mil>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F257011E80F0; Mon,  9 Jul 2012 10:53:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level: 
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tl-U2khtLol4; Mon,  9 Jul 2012 10:53:51 -0700 (PDT)
Received: from fw5540.nrl.navy.mil (fw5540.nrl.navy.mil [132.250.196.100]) by ietfa.amsl.com (Postfix) with ESMTP id 1488011E8147; Mon,  9 Jul 2012 10:53:50 -0700 (PDT)
Received: from chacs.nrl.navy.mil (sun1.fw5540.net [10.0.0.11]) by fw5540.nrl.navy.mil (8.13.8/8.13.6) with ESMTP id q69HsEZC020463; Mon, 9 Jul 2012 13:54:14 -0400 (EDT)
Received: from chacs.nrl.navy.mil (sun1 [10.0.0.11]) by chacs.nrl.navy.mil (8.13.8/8.13.6) with SMTP id q69HsCr6016596; Mon, 9 Jul 2012 13:54:12 -0400 (EDT)
Received: from siduri.fw5540.net ([10.0.3.73]) by chacs.nrl.navy.mil (SMSSMTP 4.1.16.48) with SMTP id M2012070913541230130 ; Mon, 09 Jul 2012 13:54:12 -0400
From: Catherine Meadows <catherine.meadows@nrl.navy.mil>
Content-Type: multipart/alternative; boundary=Apple-Mail-6-624516435
Date: Mon, 9 Jul 2012 13:54:12 -0400
Message-Id: <3EB9FA7E-C982-480F-9D09-73A7243E48BB@nrl.navy.mil>
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-idr-rfc4893bis.all.tools.ietf.org@chacs.nrl.navy.mil
Mime-Version: 1.0 (Apple Message framework v1084)
X-Mailer: Apple Mail (2.1084)
Subject: [secdir] Secdir Review of draft-ietf-idr-rfc4893bis-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2012 17:53:52 -0000

--Apple-Mail-6-624516435
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document describes an added capability for four-octet Autonomous System
(AS) numbers in BGP.  This is intended to replace the older two-octet AS numbers,
since that space is filling up.

In order to preserve backward compatibility, AS's using the four-octet systems (called New
BGP speakers in the document) must advertise both four-octet and two-octet AS numbers.
This is the case even if the New BGP Speaker does not have a globally unique two-octet number.
The document says that in this case the two-octet number is obtained by mapping the four-octet
number to the two-octet space.  The procedure for doing this is not specified.

The authors identify a risk of routing loops developing when ambiguities develop as a
result of a BGP speaker using the old system aggregating two or more routes carrying
4-octet attributes.  In the Security Configurations Section, the authors point out that an
attacker might be able to exploit this in a denial of service attack.  They point out that it is
a misconfiguration to assign 4-octet Member AS Numbers in a BGP confederation until all BGP speakers
within the confederation have transitioned to support 4-octet numbers.

I think that this is a good recommendation.  I just have a couple of minor comments.

It's not clear to me what the status of "misconfiguration" is in the hierarchy of IETF.
Is it more like SHALL NOT or SHOULD NOT?  Is there a reason why you're saying
"misconfiguration" instead of one of those?

I would also expect that the chance of routing loops arising out of conversion from 4-octet
to 2-octet occurring between confederations would be much less than of their occurring
within a confederation (although one can't know for sure without knowing what the 4-octet
to 2-octet mapping is), so following the recommendations in the Security Considerations would
greatly reduce the probability of such a routing loop occurring.  Is this correct?

Cathy Meadows





Catherine Meadows
Naval Research Laboratory
Code 5543
4555 Overlook Ave., S.W.
Washington DC, 20375
phone: 202-767-3490
fax: 202-404-7942
email: catherine.meadows@nrl.navy.mil


--Apple-Mail-6-624516435--

From catherine.meadows@nrl.navy.mil  Mon Jul  9 11:15:10 2012
From: Catherine Meadows <catherine.meadows@nrl.navy.mil>
Content-Type: multipart/alternative; boundary=Apple-Mail-8-625795382
Date: Mon, 9 Jul 2012 14:15:31 -0400
Message-Id: <B684B31A-D5EA-44CD-B369-0F7F08B7C00A@nrl.navy.mil>
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-idr-rfc4893bis.all.tools.ietf.org@chacs.nrl.navy.mil
Mime-Version: 1.0 (Apple Message framework v1084)
X-Mailer: Apple Mail (2.1084)
Subject: [secdir] Secdir Review of draft-ietf-idr-rfc4893bis-07  (resend)

--Apple-Mail-8-625795382
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset=us-ascii

I screwed up one of the email addresses, so I'm sending this again.  My apologies
to everyone who receives this twice.

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document describes an added capability for four-octet Autonomous System
(AS) numbers in BGP.  This is intended to replace the older two-octet AS numbers,
since that space is filling up.

In order to preserve backward compatibility, AS's using the four-octet systems (called New
BGP speakers in the document) must advertise both four-octet and two-octet AS numbers.
This is the case even if the New BGP Speaker does not have a globally unique two-octet number.
The document says that in this case the two-octet number is obtained by mapping the four-octet
number to the two-octet space.  The procedure for doing this is not specified.

The authors identify a risk of routing loops developing when ambiguities develop as a
result of a BGP speaker using the old system aggregating two or more routes carrying
4-octet attributes.  In the Security Configurations Section, the authors point out that an
attacker might be able to exploit this in a denial of service attack.  They point out that it is
a misconfiguration to assign 4-octet Member AS Numbers in a BGP confederation until all BGP speakers
within the confederation have transitioned to support 4-octet numbers.

I think that this is a good recommendation.  I just have a couple of minor comments.

It's not clear to me what the status of "misconfiguration" is in the hierarchy of IETF.
Is it more like SHALL NOT or SHOULD NOT?  Is there a reason why you're saying
"misconfiguration" instead of one of those?

I would also expect that the chance of routing loops arising out of conversion from 4-octet
to 2-octet occurring between confederations would be much less than of their occurring
within a confederation (although one can't know for sure without knowing what the 4-octet
to 2-octet mapping is), so following the recommendations in the Security Considerations would
greatly reduce the probability of such a routing loop occurring.  Is this correct?

Cathy Meadows

Catherine Meadows
Naval Research Laboratory
Code 5543
4555 Overlook Ave., S.W.
Washington DC, 20375
phone: 202-767-3490
fax: 202-404-7942
email: catherine.meadows@nrl.navy.mil



--Apple-Mail-8-625795382--

From catherine.meadows@nrl.navy.mil  Mon Jul  9 11:24:38 2012
From: Catherine Meadows <catherine.meadows@nrl.navy.mil>
Content-Type: multipart/alternative; boundary=Apple-Mail-9-626362508
Date: Mon, 9 Jul 2012 14:24:58 -0400
Message-Id: <9BA4B53E-9772-47D4-B336-3A98FAEB4045@nrl.navy.mil>
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-idr-rfc4893bis.all@tools.ietf.org
Mime-Version: 1.0 (Apple Message framework v1084)
X-Mailer: Apple Mail (2.1084)
Subject: [secdir] Secdir Review of draft-ietf-idr-rfc4893bis-07 (resend of a resend)

--Apple-Mail-9-626362508
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset=us-ascii

I managed to screw up the email address again.  Here it is for what I hope is the last time.
My apologies again to everyone who receives *three* copies of this message.

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document describes an added capability for four-octet Autonomous System
(AS) numbers in BGP.  This is intended to replace the older two-octet AS numbers,
since that space is filling up.

In order to preserve backward compatibility, AS's using the four-octet systems (called New
BGP speakers in the document) must advertise both four-octet and two-octet AS numbers.
This is the case even if the New BGP Speaker does not have a globally unique two-octet number.
The document says that in this case the two-octet number is obtained by mapping the four-octet
number to the two-octet space.  The procedure for doing this is not specified.

The authors identify a risk of routing loops developing when ambiguities develop as a
result of a BGP speaker using the old system aggregating two or more routes carrying
4-octet attributes.  In the Security Configurations Section, the authors point out that an
attacker might be able to exploit this in a denial of service attack.  They point out that it is
a misconfiguration to assign 4-octet Member AS Numbers in a BGP confederation until all BGP speakers
within the confederation have transitioned to support 4-octet numbers.

I think that this is a good recommendation.  I just have a couple of minor comments.

It's not clear to me what the status of "misconfiguration" is in the hierarchy of IETF.
Is it more like SHALL NOT or SHOULD NOT?  Is there a reason why you're saying
"misconfiguration" instead of one of those?

I would also expect that the chance of routing loops arising out of conversion from 4-octet
to 2-octet occurring between confederations would be much less than of their occurring
within a confederation (although one can't know for sure without knowing what the 4-octet
to 2-octet mapping is), so following the recommendations in the Security Considerations would
greatly reduce the probability of such a routing loop occurring.  Is this correct?

Cathy Meadows
Catherine Meadows
Naval Research Laboratory
Code 5543
4555 Overlook Ave., S.W.
Washington DC, 20375
phone: 202-767-3490
fax: 202-404-7942
email: catherine.meadows@nrl.navy.mil



--Apple-Mail-9-626362508--
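
The review above concerns how four-octet AS paths survive a trip through two-octet (OLD) speakers and why loop detection can fail. The sketch below is an added example, not part of the message or of the draft: it assumes the AS_TRANS placeholder (23456) and the AS4_PATH reconstruction rule of RFC 4893 / RFC 6793, models paths as plain AS_SEQUENCEs, and uses constructed sample paths with documentation AS numbers.

```python
"""AS_PATH / AS4_PATH handling between NEW (4-octet) and OLD (2-octet) speakers.

Assumptions (not taken from the message above): AS_TRANS = 23456 and the
reconstruction rule follow RFC 4893 / RFC 6793; every path is a plain
AS_SEQUENCE with the most recently added AS first; all AS numbers are
documentation values (RFC 5398).
"""

AS_TRANS = 23456          # reserved 2-octet stand-in for a non-mappable AS
MAX_2_OCTET = 0xFFFF
MAX_4_OCTET = 0xFFFFFFFF


def to_two_octet(asn):
    """Value a NEW speaker writes into AS_PATH when its peer is an OLD speaker."""
    if not 0 <= asn <= MAX_4_OCTET:
        raise ValueError(f"not a valid AS number: {asn}")
    return asn if asn <= MAX_2_OCTET else AS_TRANS


def encode_for_old_speaker(path4):
    """Return (AS_PATH, AS4_PATH) as a NEW speaker sends them to an OLD peer.

    AS4_PATH is only attached when at least one AS had to be replaced.
    """
    as_path = [to_two_octet(a) for a in path4]
    as4_path = list(path4) if as_path != list(path4) else None
    return as_path, as4_path


def reconstruct(as_path, as4_path):
    """Rebuild the 4-octet path on a NEW speaker that hears from an OLD peer.

    If AS_PATH holds fewer ASes than AS4_PATH, AS4_PATH is ignored; otherwise
    the leading ASes that OLD speakers prepended are kept and the rest is
    taken from AS4_PATH.
    """
    if as4_path is None or len(as_path) < len(as4_path):
        return list(as_path)
    lead = len(as_path) - len(as4_path)
    return list(as_path[:lead]) + list(as4_path)


def loop_detected(local_as, as_path, as4_path=None):
    """True when the receiving speaker finds its own AS in the usable path."""
    return local_as in reconstruct(as_path, as4_path)


def demo():
    """Constructed walk-through: origin 65536 -> NEW 65537 -> OLD 64500."""
    origin, transit, old_as = 65536, 65537, 64500
    as_path, as4_path = encode_for_old_speaker([transit, origin])
    # The OLD speaker prepends itself and forwards AS4_PATH unchanged.
    via_old = [old_as] + as_path
    # Constructed degraded case: AS_PATH ends up shorter than AS4_PATH, as can
    # happen once an OLD speaker has aggregated routes carrying AS4_PATH.
    short_as_path = [old_as, AS_TRANS]
    return {
        "old_view": via_old,
        "intact": reconstruct(via_old, as4_path),
        "intact_loop_at_origin": loop_detected(origin, via_old, as4_path),
        "degraded": reconstruct(short_as_path, as4_path),
        "degraded_loop_at_origin": loop_detected(origin, short_as_path, as4_path),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the degraded case the origin no longer finds its own number in the path it can use, which is the ambiguity behind the routing-loop concern.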

From hartmans@mit.edu  Mon Jul  9 13:25:18 2012
From: Sam Hartman <hartmans-ietf@mit.edu>
To: secdir-secretary@MIT.EDU
References: <alpine.BSF.2.00.1207061322490.97500@fledge.watson.org>
Date: Mon, 09 Jul 2012 16:25:33 -0400
In-Reply-To: <alpine.BSF.2.00.1207061322490.97500@fledge.watson.org> (Samuel Weiler's message of "Fri, 6 Jul 2012 13:24:19 -0400 (EDT)")
Message-ID: <tslbojoel6q.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: secdir@ietf.org
Subject: Re: [secdir] Assignments

Hi.  I was assigned draft-ietf-abfab-gss-eap.  While I'm sure my review
would be glowing, the fact that I'm an author might not make it as
credible as some other reviews.
Instead, I've swapped with Jeffrey Hutzelman and will review
draft-ietf-behave-lsn-requirements.
I mostly understand the behave issues and Jeff definitely understands
GSS and EAP.
Neither of us have conflicts with the new arrangement.

From clonvick@cisco.com  Tue Jul 10 07:29:33 2012
Date: Tue, 10 Jul 2012 07:29:57 -0700 (PDT)
From: Chris Lonvick <clonvick@cisco.com>
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-geopriv-dhcp-lbyr-uri-option.all@tools.ietf.org
Message-ID: <alpine.LRH.2.00.1207100721460.8658@sjc-xdm-114.cisco.com>
User-Agent: Alpine 2.00 (LRH 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
Subject: [secdir] SECDIR review of draft-ietf-geopriv-dhcp-lbyr-uri-option-15

Hi,

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

Overall, I can see where the document is going and I feel that the 
security considerations section appropriately matches it.

In my scan of the document, I did find a number of editorial issues. 
Perhaps another scrub of the document would be in order.  Below are some 
of the items that I had issues with.


In the sentence,
    The DHCP implementation of the client can then
    make this location information available to upper layer protocols
    for their usage.
Would it be more appropriate to replace "upper layer protocols" with 
"other applications"?  Then just remove "using upper layer protocols" from 
the following paragraph for consistency.


PIDF-LO is not defined or referenced until its third use.  It may just be 
best to swap paragraphs 4 and 3 in that section as the text flow seems to 
be a bit more logical that way.  That would also then have an appropriate 
reference to the first use of PIDF-LO.


current:
The LS will grant permission to location inquires based on the rules
suggested:
The LS will grant permission to location inquiries based on the rules
                                          ^^^^^^^^^

The following two paragraphs should be combined.
    Server operators should consider the relation between the Valid-For
    time and the lease time.  Clients typically request a lease refresh
    when half the lease time is up. If the Valid-For time is less than
    the typical refresh rate (i.e., half the lease time), then for the
    remaining interval, clients will run the risk of not having a usable
    location URI for applications.  If the Valid-For time is less than
    half the typical refresh rate, it is a near certainty clients will
    not have a usable location URI for the interval between the
    Valid-For time and the typical refresh time for applications.

    For example, if a lease is set to 24 hours, the typical refresh
    request is set to initiate at the 12 hour mark. If the Valid-For
    timer is set to less than 24 hours, but more than 12 hours (in this
    example), the client might not be refreshed at the 12 hour mark and
    runs the risk of not have a location URI for applications that
    request it.  If, on the other hand, the Valid-For timer is less than
    12 hours (in this example, which is before a typical client would
    ask for a refresh, applications will be without a usable location
    URI until the full refresh has been received.


In the following sentence, maybe s/identities/identifies ?
    In the <presence> element of a PIDF-LO document, there is an
    'entity' attribute that identities what entity *this* document
    (including the associated location) refers to.
Beyond that, it is unclear how the term "document" is being used in this 
context.  Perhaps use "this specification" when appropriate?


The first part of the following sentence indicates that there is one 
model.  The second half of that sentence indicates that there are multiple 
models but doesn't indicate the context (models of what?).  Can you clear 
that up?
    o  The authorization vs. possession security model can be found in
       [RFC5808], describing what is expected in each model of
       operation.


First, the following sentence needs to be straightened out.  Second, just 
because IANA registers them doesn't mean that URI schemes or types cannot 
be misused or will not be harmful.
    Instead of listing all the types of URIs and URLs that can be
    misused or potentially have harmful effects, Section 3.3 IANA
    registers acceptable location URI schemes (or types).



In most places you quote the uri type but in the following you don't quote 
"pres:" in the following:
    See RFC 3922 [RFC3922] for using the pres: URI with XMPP.
Maybe that should be:
    See RFC 3922 [RFC3922] for using the "pres:" URI with XMPP.



I have an issue with the following:
    When implementing a DHCP server that will serve clients across an
    uncontrolled network, one should consider the potential security
    risks therein.
Actually, this is the section to describe all these risks.  You may 
consider referencing RFC 3552 and restate as:
    In some cases a DHCP server may be implemented across an uncontrolled
    network.  In those cases, it would be appropriate for a network
    administrator to perform a threat analysis (see RFC 3552) and take
    precautions as needed.

Is "revelation" common nomenclature for this?
    "security properties before location revelation"
Perhaps revise as:
    "security properties before location assertion"


The acronym "LCI" is not defined in the text.


current:
    In enterprise networks, if a known location is assigned to each
    individual Ethernet port in the network, a device that attaches to
    the network a wall-jack
suggested:
    In enterprise networks, if a known location is assigned to each
    individual Ethernet port in the network, a device that attaches to
    the network, such as a wall-jack,
                 ^^^^^^^^

The acronym "RIAO" is not defined in the text.


current (Yoda speak?)  ;-) :
    A real concern with RFC 3118 it is that not widely deployed because
suggested:
A real concern with RFC 3118 is that it is not widely deployed because
                             ^^^^^^^^^^^^^^

You use LocationURI once but never reference that to luri.  It might be 
nice to reference it once to people unfamiliar with this work (such as I 
:)


In the following, is that supposed to be aTlanta?
sips:aliceisat123mainstalantageorgiaus@example.com


Thanks,
Chris

From masahiro@isl.rdc.toshiba.co.jp  Mon Jul  9 23:54:42 2012
Date: Tue, 10 Jul 2012 15:55:01 +0900
Message-ID: <yd9bojoumuy.wl@grayswandir.isl.rdc.toshiba.co.jp>
From: Masahiro =Rhythm Drive= Ishiyama <masahiro@isl.rdc.toshiba.co.jp>
To: jhutz@cmu.edu
In-Reply-To: <1341508069.3279.798.camel@destiny.pc.cs.cmu.edu>
References: <21762_1337814743_q4NNCMPh008981_alpine.BSF.2.00.1205231837020.9762@fledge.watson.org> <1337881837.3279.45.camel@destiny.pc.cs.cmu.edu> <004a01cd4562$b7b338e0$4001a8c0@gateway.2wire.net> <tsl7gus37hu.fsf@mit.edu> <23445_1341500728_q65F5R5I014871_yd94npqbvx7.wl@grayswandir.isl.rdc.toshiba.co.jp> <1341508069.3279.798.camel@destiny.pc.cs.cmu.edu>
User-Agent: Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka) LIMIT/1.14.10 (Furuichi) APEL/10.7 Emacs/22.3 (i386-apple-darwin10.2.0) MULE/5.0 (SAKAKI)
Organization: Toshiba Corp. R&D Center.
Sender: Masahiro =Rhythm Drive= Ishiyama <masahiro@isl.rdc.toshiba.co.jp>
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
X-Dispatcher: imput version 20100215(IM150)
Lines: 24
X-Mailman-Approved-At: Tue, 10 Jul 2012 08:20:11 -0700
Cc: sakane@tanu.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-sakane-dhc-dhcpv6-kdc-option
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2012 06:54:42 -0000

	Oh I'm sorry, I missed that point. I'd like to withdraw my
	request. Thanks.

masahiro

>>>>> On Thu, 05 Jul 2012 13:07:49 -0400, Jeffrey Hutzelman <jhutz@cmu.edu> said:
 > 
 > On Mon, 2012-07-02 at 13:59 +0900, Masahiro =Rhythm Drive= Ishiyama
 > wrote:
>> At first I thought that it might be good to leave section 4.1,
>> but now I changed my mind. I think the order of the preference
>> might depend on the running environment: some people prefer
>> "secured" one, some people prefer DNS...  So I'd like to make
>> the order configurable and move section 4.1 to appendix, as a
>> hint for implementation.
 > 
 > Since the current text, including the requirement to prefer KDC lookup
 > by DNS, is the result of working group consensus, this change requires
 > discussion in the working group and a consensus to make a change.
 > 
 > -- Jeff
 > 
 > 

From jmpolk@cisco.com  Tue Jul 10 08:37:17 2012
Return-Path: <jmpolk@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 958D221F8622; Tue, 10 Jul 2012 08:37:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.505
X-Spam-Level: 
X-Spam-Status: No, score=-110.505 tagged_above=-999 required=5 tests=[AWL=0.094, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VgrSpr12K02C; Tue, 10 Jul 2012 08:37:16 -0700 (PDT)
Received: from mtv-iport-1.cisco.com (mtv-iport-1.cisco.com [173.36.130.12]) by ietfa.amsl.com (Postfix) with ESMTP id CC3F921F8621; Tue, 10 Jul 2012 08:37:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=jmpolk@cisco.com; l=6302; q=dns/txt; s=iport; t=1341934664; x=1343144264; h=message-id:date:to:from:subject:in-reply-to:references: mime-version; bh=cPkeG3BjEfbHLOzTGqQxJmYkLEgg5o2i79Q6Y5wW1+M=; b=aNkLslDHOFdd1v/rDlys+HO4+Po3pfErm1OLhJ3uEG4ztY5e/YLSCj+b dji2Te0Ndn/UQqPOLUdFbSqPcrEhe1zVibKtUGK51aSfjJ1S+6tWC6Dn4 jY7mDB+EZNgMBstTOA08VOWgG17jOwT7kPigfE401GfQ1wGWMaKO6u3I8 8=;
X-IronPort-AV: E=Sophos;i="4.77,559,1336348800"; d="scan'208";a="48437537"
Received: from mtv-core-3.cisco.com ([171.68.58.8]) by mtv-iport-1.cisco.com with ESMTP; 10 Jul 2012 15:37:44 +0000
Received: from jmpolk-WS.cisco.com (rcdn-jmpolk-8714.cisco.com [10.99.80.21]) by mtv-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id q6AFbiCP000308; Tue, 10 Jul 2012 15:37:44 GMT
Message-Id: <201207101537.q6AFbiCP000308@mtv-core-3.cisco.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Tue, 10 Jul 2012 10:37:43 -0500
To: Chris Lonvick <clonvick@cisco.com>, <iesg@ietf.org>, <secdir@ietf.org>, <draft-ietf-geopriv-dhcp-lbyr-uri-option.all@tools.ietf.org>
From: James Polk <jmpolk@cisco.com>
In-Reply-To: <alpine.LRH.2.00.1207100721460.8658@sjc-xdm-114.cisco.com>
References: <alpine.LRH.2.00.1207100721460.8658@sjc-xdm-114.cisco.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Mailman-Approved-At: Tue, 10 Jul 2012 08:42:51 -0700
Subject: Re: [secdir] SECDIR review of draft-ietf-geopriv-dhcp-lbyr-uri-option-15
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2012 15:37:17 -0000

pesky little details...

I love the last one below... d`oh!  ;-)

of course I'll address these.

James

At 09:29 AM 7/10/2012, Chris Lonvick wrote:
>Hi,
>
>I have reviewed this document as part of the security directorate's
>ongoing effort to review all IETF documents being processed by the
>IESG.  These comments were written primarily for the benefit of the
>security area directors.  Document editors and WG chairs should treat
>these comments just like any other last call comments.
>
>Overall, I can see where the document is going and I feel that the 
>security considerations section appropriately matches it.
>
>In my scan of the document, I did find a number of editorial issues. 
>Perhaps another scrub of the document would be in order.  Below are 
>some of the items that I had issues with.
>
>
>In the sentence,
>    The DHCP implementation of the client can then
>    make this location information available to upper layer protocols
>    for their usage.
>Would it be more appropriate to replace "upper layer protocols" with 
>"other applications"?  Then just remove "using upper layer 
>protocols" from the following paragraph for consistency.
>
>
>PIDF-LO is not defined or referenced until its third use.  It may 
>just be best to swap paragraphs 4 and 3 in that section as the text 
>flow seems to be a bit more logical that way.  That would also then 
>have an appropriate reference to the first use of PIDF-LO.
>
>
>current:
>The LS will grant permission to location inquires based on the rules
>suggested:
>The LS will grant permission to location inquiries based on the rules
>                                          ^^^^^^^^^
>
>The following two paragraphs should be combined.
>    Server operators should consider the relation between the Valid-For
>    time and the lease time.  Clients typically request a lease refresh
>    when half the lease time is up. If the Valid-For time is less than
>    the typical refresh rate (i.e., half the lease time), then for the
>    remaining interval, clients will run the risk of not having a usable
>    location URI for applications.  If the Valid-For time is less than
>    half the typical refresh rate, it is a near certainty clients will
>    not have a usable location URI for the interval between the
>    Valid-For time and the typical refresh time for applications.
>
>    For example, if a lease is set to 24 hours, the typical refresh
>    request is set to initiate at the 12 hour mark. If the Valid-For
>    timer is set to less than 24 hours, but more than 12 hours (in this
>    example), the client might not be refreshed at the 12 hour mark and
>    runs the risk of not have a location URI for applications that
>    request it.  If, on the other hand, the Valid-For timer is less than
>    12 hours (in this example, which is before a typical client would
>    ask for a refresh, applications will be without a usable location
>    URI until the full refresh has been received.
>
>
>In the following sentence, maybe s/identities/identifies ?
>    In the <presence> element of a PIDF-LO document, there is an
>    'entity' attribute that identities what entity *this* document
>    (including the associated location) refers to.
>Beyond that, it is unclear how the term "document" is being used in 
>this context.  Perhaps use "this specification" when appropriate?
>
>
>The first part of the following sentence indicates that there is one 
>model.  The second half of that sentence indicates that there are 
>multiple models but doesn't indicate the context (models of 
>what?).  Can you clear that up?
>    o  The authorization vs. possession security model can be found in
>       [RFC5808], describing what is expected in each model of
>       operation.
>
>
>First, the following sentence needs to be straightened out.  Second, 
>just because IANA registers them doesn't mean that URI schemes or 
>types cannot be misused or will not be harmful.
>    Instead of listing all the types of URIs and URLs that can be
>    misused or potentially have harmful effects, Section 3.3 IANA
>    registers acceptable location URI schemes (or types).
>
>
>
>In most places you quote the uri type but in the following you don't 
>quote "pres:" in the following:
>    See RFC 3922 [RFC3922] for using the pres: URI with XMPP.
>Maybe that should be:
>    See RFC 3922 [RFC3922] for using the "pres:" URI with XMPP.
>
>
>
>I have an issue with the following:
>    When implementing a DHCP server that will serve clients across an
>    uncontrolled network, one should consider the potential security
>    risks therein.
>Actually, this is the section to describe all these risks.  You may 
>consider referencing RFC 3552 and restate as:
>    In some cases a DHCP server may be implemented across an uncontrolled
>    network.  In those cases, it would be appropriate for a network
>    administrator to perform a threat analysis (see RFC 3552) and take
>    precautions as needed.
>
>Is "revelation" common nomenclature for this?
>    "security properties before location revelation"
>Perhaps revise as:
>    "security properties before location assertion"
>
>
>The acronym "LCI" is not defined in the text.
>
>
>current:
>    In enterprise networks, if a known location is assigned to each
>    individual Ethernet port in the network, a device that attaches to
>    the network a wall-jack
>suggested:
>    In enterprise networks, if a known location is assigned to each
>    individual Ethernet port in the network, a device that attaches to
>    the network, such as a wall-jack,
>                 ^^^^^^^^
>
>The acronym "RIAO" not defined in the text.
>
>
>current (Yoda speak?)  ;-) :
>    A real concern with RFC 3118 it is that not widely deployed because
>suggested:
>A real concern with RFC 3118 is that it is not widely deployed because
>                             ^^^^^^^^^^^^^^
>
>You use LocationURI once but never reference that to luri.  It might 
>be nice to reference it once to people unfamiliar with this work (such as I :)
>
>
>In the following, is that supposed to be aTlanta?
>sips:aliceisat123mainstalantageorgiaus@example.com
>
>
>Thanks,
>Chris


From charliek@microsoft.com  Tue Jul 10 10:13:16 2012
Return-Path: <charliek@microsoft.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77D9F21F842B; Tue, 10 Jul 2012 10:13:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.533
X-Spam-Level: *
X-Spam-Status: No, score=1.533 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, SARE_RAND_6=2, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gQb4UGHk+J6S; Tue, 10 Jul 2012 10:13:15 -0700 (PDT)
Received: from ch1outboundpool.messaging.microsoft.com (ch1ehsobe006.messaging.microsoft.com [216.32.181.186]) by ietfa.amsl.com (Postfix) with ESMTP id 9AC9B21F8525; Tue, 10 Jul 2012 10:13:15 -0700 (PDT)
Received: from mail4-ch1-R.bigfish.com (10.43.68.241) by CH1EHSOBE003.bigfish.com (10.43.70.53) with Microsoft SMTP Server id 14.1.225.23; Tue, 10 Jul 2012 17:11:24 +0000
Received: from mail4-ch1 (localhost [127.0.0.1])	by mail4-ch1-R.bigfish.com (Postfix) with ESMTP id DC8AC320525; Tue, 10 Jul 2012 17:11:23 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14MLTC103.redmond.corp.microsoft.com; RD:none; EFVD:NLI
X-SpamScore: 0
X-BigFish: VS0(zzzz1202hzzz2fh2a8h683h839hd25hf0ah107ah)
Received-SPF: pass (mail4-ch1: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=charliek@microsoft.com; helo=TK5EX14MLTC103.redmond.corp.microsoft.com ; icrosoft.com ; 
X-Forefront-Antispam-Report-Untrusted: CIP:157.56.236.5; KIP:(null); UIP:(null); (null); H:BY2PRD0310HT003.namprd03.prod.outlook.com; R:internal; EFV:INT
Received: from mail4-ch1 (localhost.localdomain [127.0.0.1]) by mail4-ch1 (MessageSwitch) id 1341940282451219_3930; Tue, 10 Jul 2012 17:11:22 +0000 (UTC)
Received: from CH1EHSMHS010.bigfish.com (snatpool1.int.messaging.microsoft.com [10.43.68.253])	by mail4-ch1.bigfish.com (Postfix) with ESMTP id 627F5300047; Tue, 10 Jul 2012 17:11:22 +0000 (UTC)
Received: from TK5EX14MLTC103.redmond.corp.microsoft.com (131.107.125.8) by CH1EHSMHS010.bigfish.com (10.43.70.10) with Microsoft SMTP Server (TLS) id 14.1.225.23; Tue, 10 Jul 2012 17:11:21 +0000
Received: from co1outboundpool.messaging.microsoft.com (157.54.51.114) by mail.microsoft.com (157.54.79.174) with Microsoft SMTP Server (TLS) id 14.2.298.5; Tue, 10 Jul 2012 17:13:35 +0000
Received: from mail65-co1-R.bigfish.com (10.243.78.229) by CO1EHSOBE013.bigfish.com (10.243.66.76) with Microsoft SMTP Server id 14.1.225.23; Tue, 10 Jul 2012 17:10:59 +0000
Received: from mail65-co1 (localhost [127.0.0.1])	by mail65-co1-R.bigfish.com (Postfix) with ESMTP id A9EBF2002DF; Tue, 10 Jul 2012 17:10:59 +0000 (UTC)
Received: from mail65-co1 (localhost.localdomain [127.0.0.1]) by mail65-co1 (MessageSwitch) id 1341940257518405_28944; Tue, 10 Jul 2012 17:10:57 +0000 (UTC)
Received: from CO1EHSMHS010.bigfish.com (unknown [10.243.78.235])	by mail65-co1.bigfish.com (Postfix) with ESMTP id 7C2D65602B0; Tue, 10 Jul 2012 17:10:57 +0000 (UTC)
Received: from BY2PRD0310HT003.namprd03.prod.outlook.com (157.56.236.5) by CO1EHSMHS010.bigfish.com (10.243.66.20) with Microsoft SMTP Server (TLS) id 14.1.225.23; Tue, 10 Jul 2012 17:10:57 +0000
Received: from BY2PRD0310MB364.namprd03.prod.outlook.com ([169.254.4.87]) by BY2PRD0310HT003.namprd03.prod.outlook.com ([10.255.80.38]) with mapi id 14.16.0175.005; Tue, 10 Jul 2012 17:13:16 +0000
From: Charlie Kaufman <charliek@microsoft.com>
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-dnssec-algo-imp-status.all@tools.ietf.org" <draft-ietf-dnssec-algo-imp-status.all@tools.ietf.org>
Thread-Topic: secdir review of draft-ietf-dnsext-algo-imp-status-03
Thread-Index: Ac1eulsWmjqZCFKMTSmBiaFh8/ra9A==
Date: Tue, 10 Jul 2012 17:13:15 +0000
Message-ID: <2C287BD334E3694A83466B9C9977F7441E5C640D@BY2PRD0310MB364.namprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [131.107.174.123]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OrganizationHeadersPreserved: BY2PRD0310HT003.namprd03.prod.outlook.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%IETF.ORG$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%TOOLS.IETF.ORG$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-CrossPremisesHeadersPromoted: TK5EX14MLTC103.redmond.corp.microsoft.com
X-CrossPremisesHeadersFiltered: TK5EX14MLTC103.redmond.corp.microsoft.com
X-OriginatorOrg: microsoft.com
Subject: [secdir] secdir review of draft-ietf-dnsext-algo-imp-status-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2012 17:13:16 -0000

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

This is a short document intended to be BCP recommending algorithms to be implemented in DNSSEC component software. It explicitly does not make recommendations as to what algorithms should be configured in deployments, but only concerns the algorithms supported in software (and presumably hardware).

While the document title (Applicability Statement: DNS Security (DNSSEC) DNSKEY Algorithm Implementation Status) makes it appear that the document describes implementations as they exist today, the main focus of the document is in recommending the algorithms that should be deployed (appropriate to a BCP). It divides algorithms into four categories: MUST IMPLEMENT, RECOMMENDED TO IMPLEMENT, OPTIONAL, and MUST NOT IMPLEMENT. There is a single MUST IMPLEMENT algorithm: RSASHA1, and a single MUST NOT IMPLEMENT algorithm: RSAMD5. Nine other algorithms are divided between RECOMMENDED TO IMPLEMENT and OPTIONAL.

I found a number of aspects of the document troubling.

First, the document does not distinguish between algorithms that are recommended for signing new DNS records vs. algorithms that are recommended for verifying existing DNS records. It's possible that this document only intends to speak to the former, but I could not find any indication of that. In order to be able to advance to use of better algorithms, we need to deploy verification software for those better algorithms long before we start signing with them. I would think that any algorithm that is RECOMMENDED TO IMPLEMENT for signing should be MUST IMPLEMENT for verification. Even RSAMD5 should be at least RECOMMENDED TO IMPLEMENT for verifiers unless there are no such signatures out there. An implementation that only supported the MUST IMPLEMENT algorithm would not be able to verify signatures on the root zone.

Second, while the document is explicit about hash algorithms, it says nothing about key sizes for the asymmetric algorithms. The world is ratcheting up RSA key sizes, and signing with a 512 bit RSA key is as bad as signing with MD5. I would think the spec should say something about minimum and maximum RSA, DSA, and DH key sizes.

Finally, having RSASHA1 as the MUST IMPLEMENT algorithm should be controversial. SHA1 is showing signs of weakness, and DNSSEC is subject to collision attacks if the attacker is allowed to provide arbitrary data for posting in some DNS record of a zone. It is possible that RSASHA1 needs to remain the BCP signing algorithm for some time going forward because there are a large number of deployed verifiers that support nothing better, but if that's true the document should say so (possibly in Security Considerations). But that is all the more reason to specify MUST IMPLEMENT for stronger algorithms in verifiers.

Nits:

Section 2.1 first paragraph last sentence has bad sentence structure, making it difficult to interpret.

Section 2.1 second paragraph: "percieved" -> "perceived"




From hartmans@mit.edu  Tue Jul 10 11:16:00 2012
Return-Path: <hartmans@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC0C521F8710; Tue, 10 Jul 2012 11:16:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.346
X-Spam-Level: 
X-Spam-Status: No, score=-103.346 tagged_above=-999 required=5 tests=[AWL=-1.081, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fxd2cRpF5pUz; Tue, 10 Jul 2012 11:16:00 -0700 (PDT)
Received: from permutation-city.suchdamage.org (permutation-city.suchdamage.org [69.25.196.28]) by ietfa.amsl.com (Postfix) with ESMTP id 22C6821F870B; Tue, 10 Jul 2012 11:15:59 -0700 (PDT)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id F1726202D8; Tue, 10 Jul 2012 14:16:53 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id B9E1D41F0; Tue, 10 Jul 2012 14:16:17 -0400 (EDT)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: secdir@ietf.org,ietf@ietf.org
Date: Tue, 10 Jul 2012 14:16:17 -0400
Message-ID: <tslobnna3da.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Cc: draft-ietf-behave-lsn-requirements@tools.ietf.org
Subject: [secdir] secdir review of draft-ietf-behave-lsn-requirements
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2012 18:16:01 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This is a document describing requirements for CGNs in order to maximize
interoperability. It's similar to other documents behave has already
published. One area where requirements are considered is security.

For the most part, this document looks very good. Unfortunately, I do
have two significant concerns.


Requirement 9 requires a Port Control Protocol (PCP) server. I think we
need to say somewhat more about that in order for PCP to be secure on a
CGN. In this
discussion I urge people to read section 17.1 (the simple threat model)
of draft-ietf-pcp-base. We want to be using the simple threat model
because there's no clear credential that CGN operators are guaranteed to
share with their customers. If we ask people to set up a credential and
configure an authentication mechanism to take advantage  of the CGN's
PCP server, people will either ignore our recommendations or CGN PCP will
be useless.

The cardinal rule of the simple threat model is do no harm:  make sure
that PCP cannot be used in a manner that makes security worse than
implicit NAT mappings. The CGN situation is a bit more complex than the
typical simple threat model. I spent this morning going over the CGN
case with Margaret Wasserman and based on that discussion, I believe the
following additional requirements are sufficient to use the simple
threat model for CGNs.

The PCP server MUST NOT permit the lifetime of a mapping to be reduced
beyond its current life, MUST NOT permit a NAT mapping to be created
with a lifetime less than the lifetime used for implicit mappings, MUST
NOT permit the delete opcode to be used, and MUST NOT support the
third-party option. The map opcode MAY be permitted if the
recommendation of endpoint independent filtering behavior described in
REQ-7 is adopted; the map opcode MUST NOT be permitted in other
circumstances. These constraints MAY be relaxed if a security mechanism
consistent with PCP's Advanced Threat Model (see Section 17.2 of
[I-D.ietf-pcp-base]) is used; this is expected to be rare for CGN
deployments. Mappings created by PCP MUST follow the same deallocation
behavior (REQ-8) as implicitly mapped traffic.

justification: Most of the concern has to do with one customer device
interacting negatively with the security of another; this is of
particular concern when the devices belong to different customers, but
devices belonging to the same customer are in scope for the PCP security
analysis as well. Reducing a mapping lifetime or deleting a mapping
create DOS opportunities and can create an opportunity for one device to
intercept another device's traffic. If a device spoofs creation of a
mapping with less than the default lifetime, then that can create DOS or
packet capture opportunities. The third-party option creates significant
spoofing opportunities. The behavior of REQ-8 is critical to avoiding
packet capture attacks.

My second concern is with section 8.
This section says that spoofing is a concern of DOS, notes that ingress
filtering is a defense and makes no recommendation.

I believe spoofing is a significantly greater concern than DOS. As an
example, I can spoof traffic from you to create an inbound hole towards
one of your ports. This is particularly valuable if the filtering
behavior is endpoint independent as recommended in REQ-7. Spoofing is
particularly dangerous with PCP if the constraints I listed above are
not followed. The analysis of the impact of spoofing is a bit tricky,
because it depends on how spoofing is accomplished and on whether an
attacker can observe traffic destined for other customers as well. So, I
think the warning about spoofing needs to be increased.

I also think we need to make a specific recommendation that people
deploying CGNs deploy sufficient ingress filtering to avoid spoofing. I
understand this specification is mostly about building CGNs not about
deploying them. However this issue seems quite important to the security
of the network.

Thanks,

--Sam
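
One way to express the PCP constraints proposed in the message above as a request filter. This is an added example, not part of the original message and not code from any PCP implementation; the request model, the symbolic opcode names, the `evaluate` function and the 120-second implicit lifetime are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed value: the CGN's timeout for implicit (traffic-created) mappings.
IMPLICIT_MAPPING_LIFETIME = 120  # seconds


@dataclass(frozen=True)
class PcpRequest:
    """Hypothetical, already-parsed PCP request (symbolic opcodes, not wire codes)."""
    opcode: str                # "map", "peer" or "delete"
    requested_lifetime: int    # seconds
    third_party: bool = False  # request carries the third-party option


@dataclass(frozen=True)
class CgnPolicy:
    """Hypothetical operator settings that the proposed rules depend on."""
    endpoint_independent_filtering: bool  # REQ-7 recommendation adopted
    authenticated_clients: bool = False   # Advanced Threat Model mechanism in use
    implicit_lifetime: int = IMPLICIT_MAPPING_LIFETIME


def evaluate(req: PcpRequest, policy: CgnPolicy,
             remaining_lifetime: Optional[int] = None) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request.

    remaining_lifetime is the number of seconds left on an existing mapping
    for the same internal endpoint, or None if the request creates a mapping.
    """
    if req.opcode not in ("map", "peer", "delete"):
        return False, "unknown opcode"
    # The constraints MAY be relaxed when clients are authenticated.
    if policy.authenticated_clients:
        return True, "constraints relaxed: advanced threat model"
    if req.third_party:
        return False, "third-party option not supported"
    if req.opcode == "delete":
        return False, "delete not permitted"
    if req.opcode == "map" and not policy.endpoint_independent_filtering:
        return False, "map requires endpoint-independent filtering (REQ-7)"
    if remaining_lifetime is None:
        # New mapping: never shorter-lived than an implicit mapping would be.
        if req.requested_lifetime < policy.implicit_lifetime:
            return False, "lifetime below implicit-mapping lifetime"
    elif req.requested_lifetime < remaining_lifetime:
        # Existing mapping: a request may extend it but never shorten it.
        return False, "request would shorten an existing mapping"
    return True, "accepted"


def demo():
    """Run a few constructed requests through a simple-threat-model policy."""
    policy = CgnPolicy(endpoint_independent_filtering=True)
    cases = [
        (PcpRequest("map", 3600), None),                  # ordinary new mapping
        (PcpRequest("map", 30), None),                    # too short-lived
        (PcpRequest("map", 300), 600),                    # would shorten
        (PcpRequest("map", 900), 600),                    # renewal that extends
        (PcpRequest("map", 3600, third_party=True), None),
        (PcpRequest("delete", 0), 600),
    ]
    return [evaluate(req, policy, remaining) for req, remaining in cases]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The REQ-8 deallocation behaviour for PCP-created mappings is a property of the mapping table rather than of request admission, so it is not modelled here.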

From alvaro.retana@hp.com  Tue Jul 10 10:38:29 2012
Return-Path: <alvaro.retana@hp.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3679121F86DF; Tue, 10 Jul 2012 10:38:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -109.499
X-Spam-Level: 
X-Spam-Status: No, score=-109.499 tagged_above=-999 required=5 tests=[AWL=1.100, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vXDUJPQDhBm4; Tue, 10 Jul 2012 10:38:28 -0700 (PDT)
Received: from g1t0029.austin.hp.com (g1t0029.austin.hp.com [15.216.28.36]) by ietfa.amsl.com (Postfix) with ESMTP id 1DFCB21F8690; Tue, 10 Jul 2012 10:38:27 -0700 (PDT)
Received: from G1W3635G.americas.hpqcorp.net (g1w3635g.austin.hp.com [16.193.48.86]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by g1t0029.austin.hp.com (Postfix) with ESMTPS id BAEE4381BD; Tue, 10 Jul 2012 17:38:55 +0000 (UTC)
Received: from G2W1954G.americas.hpqcorp.net (16.238.8.186) by G1W3635G.americas.hpqcorp.net (16.193.48.86) with Microsoft SMTP Server (TLS) id 14.2.283.4; Tue, 10 Jul 2012 17:37:46 +0000
Received: from G2W2446.americas.hpqcorp.net ([169.254.7.17]) by G2W1954G.americas.hpqcorp.net ([16.238.8.186]) with mapi id 14.02.0283.003; Tue, 10 Jul 2012 17:37:45 +0000
From: "Retana, Alvaro" <alvaro.retana@hp.com>
To: Julien Laganier <julien.ietf@gmail.com>
Thread-Topic: SecDir review of draft-ietf-ospf-prefix-hiding-04
Thread-Index: AQHNW7H2jmw/JizKEk62icH9vhErYpccuHkAgABRH4CABcNtQA==
Date: Tue, 10 Jul 2012 17:37:45 +0000
Message-ID: <C03AAF38AD209F4BB02BC0A34B774CE70BF510@G2W2446.americas.hpqcorp.net>
References: <CAE_dhjvtKqfgJF+vjp1un_672sEZ_gw-6q6N_RsCsYgmrjr36g@mail.gmail.com> <CAE_dhjsgQZoC4_4jJ14JVKrp_ajjOfbbo9iTgp0XsK91mVozDw@mail.gmail.com> <C03AAF38AD209F4BB02BC0A34B774CE70B75F3@G2W2446.americas.hpqcorp.net> <16AA6D76-A64E-4191-B874-B4C84EDB286F@ericsson.com>
In-Reply-To: <16AA6D76-A64E-4191-B874-B4C84EDB286F@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [15.217.50.28]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailman-Approved-At: Tue, 10 Jul 2012 12:37:06 -0700
Cc: "secdir@ietf.org" <secdir@ietf.org>, Yi Yang <yiya@cisco.com>, Acee Lindem <acee.lindem@ericsson.com>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-ospf-prefix-hiding.all@tools.ietf.org" <draft-ietf-ospf-prefix-hiding.all@tools.ietf.org>, Abhay Roy <akr@cisco.com>
Subject: Re: [secdir] SecDir review of draft-ietf-ospf-prefix-hiding-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2012 17:38:29 -0000

Julien:

To make sure that your concerns are clarified, I wrote in some new information in the Security Considerations section.   Please see below and let me know if you still have concerns.  We'll publish an update before the deadline on Monday (Jul/9).

Thanks!!

Alvaro.

[Note: the 2 middle paragraphs are new.]

8. Security Considerations

One motivation for this document is to reduce remote attack vulnerability by hiding transit-only networks.  The result should then be that fewer OSPF core networks will be exposed to un-authorized access.

The mechanisms described above result in reachability information from transit-only networks not being installed in the routers' forwarding tables.  The effect is that even if the address of a transit-only network is known, the forwarding information is not present in the routers to reach the destination.  Also, in some cases the address information is completely omitted from the LSA.

Some information in the LSA (such as the OSPF Router ID) cannot be omitted.  Even though the Router ID is usually taken from an IP address on the router, the configuration can be easily changed.  Note again that having an address doesn't guarantee reachability if the information is hidden from the forwarding tables.

While the steps described in this document are meant to be applied to transit-only networks ONLY, they could be used to hide other networks as well.  It is expected that the same care that users put on the configuration of other routing protocol parameters is used in the configuration of this extension.


> -----Original Message-----
> From: Acee Lindem [mailto:acee.lindem@ericsson.com]
> Sent: Friday, July 06, 2012 9:33 PM
> To: Retana, Alvaro
> Cc: Julien Laganier; Yi Yang; Abhay Roy; secdir@ietf.org;
> draft-ietf-ospf-prefix-hiding.all@tools.ietf.org; iesg@ietf.org
> Subject: Re: SecDir review of draft-ietf-ospf-prefix-hiding-04
>
> Actually, with this draft, the OSPF LSAs do not necessarily contain any
> IP addresses - only topology information. The OSPF Router ID certainly
> doesn't have to be a routable IP address and can be explicitly
> configured to avoid the default of configured address selection
> supported by most implementations.
> Thanks,
> Acee
>
> On Jul 6, 2012, at 4:50 PM, Retana, Alvaro wrote:
>
> > Julien:
> >
> > Hi!
> >
> > [Thanks for forwarding.]
> >
> > In short, avoiding installation of the routing information (even if
> > still carried in the LSAs) means that the routers don't have forwarding
> > information to reach a specific transit interface.  IOW, even if you
> > know my IP address you can't send me a packet (if you're more than one
> > hop away).
> >
> > We'll expand on the security considerations.
> >
> > Thanks!!
> >
> > Alvaro.
> >
> >> -----Original Message-----
> >> From: Julien Laganier [mailto:julien.ietf@gmail.com]
> >> Sent: Friday, July 06, 2012 4:00 PM
> >> To: Retana, Alvaro
> >> Subject: Fwd: SecDir review of draft-ietf-ospf-prefix-hiding-04
> >>
> >> FYI.
> >>
> >>
> >> ---------- Forwarded message ----------
> >> From: Julien Laganier <julien.ietf@gmail.com>
> >> Date: Fri, Jul 6, 2012 at 12:44 PM
> >> Subject: SecDir review of draft-ietf-ospf-prefix-hiding-04
> >> To: secdir@ietf.org, draft-ietf-ospf-prefix-hiding.all@tools.ietf.org,
> >> The IESG <iesg@ietf.org>
> >>
> >>
> >> I have reviewed this document as part of the security directorate's
> >> ongoing effort to review all IETF documents being processed by the
> >> IESG.  These comments were written primarily for the benefit of the
> >> security area directors.  Document editors and WG chairs should treat
> >> these comments just like any other last call comments.
> >>
> >> Disclaimer: I am no routing or OSPF expert and might be missing
> >> something obvious...
> >>
> >> According to its abstract the draft describes a mechanism that allows
> >> hiding transit-only networks in OSPF:
> >>
> >>  A transit-only network is defined as a network connecting routers
> >>  only.  In OSPF, transit-only networks are usually configured with
> >>  routable IP addresses, which are advertised in Link State
> >>  Advertisements (LSAs) but not needed for data traffic.  In addition,
> >>  remote attacks can be launched against routers by sending packets to
> >>  these transit-only networks.  This document presents a mechanism to
> >>  hide transit-only networks to speed up network convergence and
> >>  minimize remote attack vulnerability.
> >>
> >> While the desire to speed up the network convergence is probably
> >> obvious and not of concern, I think the document and its security
> >> considerations section in particular could do a better job at
> >> explaining what the mechanism achieves in terms of minimizing remote
> >> attack vulnerability.
> >>
> >> As per my understanding, the proposed mechanism essentially removes the
> >> subnet / netmask information from Link State Advertisements, but these
> >> still contain the routers' IP addresses.
> >>
> >> It is not clear to me how removing the subnet / netmask information
> >> actually minimizes the risk of remote attacks.
> >>
> >> First of all, the type of remote attacks that are minimized should be
> >> made more explicit. What is the target of the remote attacks? Is it any
> >> address in the subnet? Or the address of a router? If the latter, then
> >> it is not clear how the mechanism actually improves -- the router's IP
> >> addresses are still in the LSAs so presumably an attacker can still
> >> launch remote attacks on these addresses, no? If the former, then it
> >> is not clear how effective is omission of the subnet in avoiding
> >> attacks avoid addresses within that subnet -- addresses in the
> >> (unknown) subnet can still be inferred from addresses of the routers,
> >> no? Or is it the case that the LSAs containing the IP addresses of the
> >> routers will not be propagated outside of an area that the attacker
> >> has no access to?
> >>
> >> Expanding the security considerations might help answering these
> >> questions...
> >>
> >> --julien


From simon.perreault@viagenie.ca  Tue Jul 10 12:36:23 2012
Return-Path: <simon.perreault@viagenie.ca>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 723EE21F86C5; Tue, 10 Jul 2012 12:36:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.456
X-Spam-Level: 
X-Spam-Status: No, score=-2.456 tagged_above=-999 required=5 tests=[AWL=0.144,  BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gPB+winjd+gD; Tue, 10 Jul 2012 12:36:22 -0700 (PDT)
Received: from jazz.viagenie.ca (unknown [IPv6:2620:0:230:8000:226:55ff:fe57:14db]) by ietfa.amsl.com (Postfix) with ESMTP id 6341121F86C4; Tue, 10 Jul 2012 12:36:22 -0700 (PDT)
Received: from porto.nomis80.org (unknown [IPv6:2620:0:230:c000:8e70:5aff:fec5:72e4]) by jazz.viagenie.ca (Postfix) with ESMTPSA id 1D294414B1; Tue, 10 Jul 2012 15:36:48 -0400 (EDT)
Message-ID: <4FFC844F.3010207@viagenie.ca>
Date: Tue, 10 Jul 2012 15:36:47 -0400
From: Simon Perreault <simon.perreault@viagenie.ca>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20120615 Thunderbird/13.0.1
MIME-Version: 1.0
To: Sam Hartman <hartmans-ietf@mit.edu>
References: <tslobnna3da.fsf@mit.edu>
In-Reply-To: <tslobnna3da.fsf@mit.edu>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Tue, 10 Jul 2012 12:37:06 -0700
Cc: pcp@ietf.org, draft-ietf-behave-lsn-requirements@tools.ietf.org, ietf@ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-behave-lsn-requirements
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2012 19:36:23 -0000

(adding pcp@ietf.org to the recipients list...)

Sam,

Thanks for the review, comments inline...

On 07/10/2012 02:16 PM, Sam Hartman wrote:
> Requirement 9 requires a Port Control Protocol (PCP) server. I think we
> need to say somewhat more about that in order for PCP to be secure on a
> CGN. In this
> discussion I urge people to read section 17.1 (the simple threat model)
> of draft-ietf-pcp-base. We want to be using the simple threat model
> because there's no clear credential that CGN operators are guaranteed to
> share with their customers. If we ask people to set up a credential and
> configure an authentication mechanism to take advantage  of the CGN's
> PCP server, people will either ignore our recommendations or CGN PCP will
> be useless.
>
> The cardinal rule of the simple threat model is do no harm:  make sure
> that PCP cannot be used in a manner that makes security worse than
> implicit NAT mappings. The CGN situation is a bit more complex than the
> typical simple threat model. I spent this morning going over the CGN
> case with Margaret Wasserman and based on that discussion, I believe the
> following additional requirements are sufficient to use the simple
> threat model for CGNs.
>
> The PCP server MUST NOT permit the lifetime of a mapping to be reduced
> beyond its current life, MUST NOT permit a NAT mapping to be created
> with a lifetime less than the lifetime used for implicit mappings, MUST
> NOT permit the delete opcode to be used,

Unless I'm mistaken, there is no delete opcode in PCP. You just send a 
MAP request with lifetime=0. So I would propose saying:

MUST NOT permit the lifetime of a mapping to be reduced beyond its 
current life or be set to zero (deleted)

> and MUST NOT support the third-party option.

I think pcp-base-26 added restrictions to THIRD_PARTY so that it could 
be used in CGN scenarios. If that is right, wouldn't it then make sense 
to allow THIRD_PARTY on CGNs?

> The map opcode MAY be permitted if the
> recommendation of endpoint independent filtering behavior described in
> REQ-7 is adopted; the map opcode MUST NOT be permitted in other
> circumstances. These constraints MAY be relaxed if a security mechanism
> consistent with PCP's Advanced Threat Model (see Section 17.2 of
> [I-D.ietf-pcp-base]) is used; this is expected to be rare for CGN
> deployments. Mappings created by PCP MUST follow the same deallocation
> behavior (REQ-8) as implicitly mapped traffic.
>
> justification: Most of the concern has to do with one customer device
> interacting negatively with the security of another; this is of
> particular concern when the devices belong to different customers, but
> devices belonging to the same customer are in scope for the PCP security
> analysis as well. Reducing a mapping lifetime or deleting a mapping
> create DOS opportunities and can create an opportunity for one device to
> intercept another device's traffic. If a device spoofs creation of a
> mapping with less than the default lifetime, then that can create DOS or
> packet capture opportunities. The third-party option creates significant
> spoofing opportunities. The behavior of REQ-8 is critical to avoiding
> packet capture attacks.

Thanks for the full requirements text and justification. That's going to 
make my editing just so much easier!

> My second concern is with section 8.
> This section says that spoofing is a concern of DOS, notes that ingress
> filtering is a defense and makes no recommendation.
>
> I believe spoofing is a significantly greater concern than DOS. As an
> example, I can spoof traffic from you to create an inbound hole towards
> one of your ports.

Is this a new attack vector introduced by CGN? Without NAT, there's no 
need for a "hole", anyone can send traffic to any of a subscriber's ports...

Thanks,
Simon

> This is particularly valuable if the filtering
> behavior is endpoint independent as recommended in REQ-7. Spoofing is
> particularly dangerous with PCP if the constraints I listed above are
> not followed. The analysis of the impact of spoofing is a bit tricky,
> because it depends on how spoofing is accomplished and on whether an
> attacker can observe traffic destined for other customers as well. So, I
> think the warning about spoofing needs to be increased.
>
> I also think we need to make a specific recommendation that people
> deploying CGNs deploy sufficient ingress filtering to avoid spoofing. I
> understand this specification is mostly about building CGNs not about
> deploying them. However this issue seems quite important to the security
> of the network.

-- 
DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source        --> http://ecdysis.viagenie.ca
STUN/TURN server               --> http://numb.viagenie.ca



From hartmans@painless-security.com  Tue Jul 10 13:03:31 2012
Return-Path: <hartmans@painless-security.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9FC411E80BB; Tue, 10 Jul 2012 13:03:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.301
X-Spam-Level: 
X-Spam-Status: No, score=-103.301 tagged_above=-999 required=5 tests=[AWL=-1.036, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uC6L2XxaUAqr; Tue, 10 Jul 2012 13:03:31 -0700 (PDT)
Received: from permutation-city.suchdamage.org (permutation-city.suchdamage.org [69.25.196.28]) by ietfa.amsl.com (Postfix) with ESMTP id 2CA3A21F86B4; Tue, 10 Jul 2012 13:03:31 -0700 (PDT)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id F06E12043E; Tue, 10 Jul 2012 16:04:27 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id A323441F0; Tue, 10 Jul 2012 16:03:50 -0400 (EDT)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: Simon Perreault <simon.perreault@viagenie.ca>
References: <tslobnna3da.fsf@mit.edu> <4FFC844F.3010207@viagenie.ca>
Date: Tue, 10 Jul 2012 16:03:50 -0400
In-Reply-To: <4FFC844F.3010207@viagenie.ca> (Simon Perreault's message of "Tue, 10 Jul 2012 15:36:47 -0400")
Message-ID: <tsl1ukj9ye1.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: secdir@ietf.org, pcp@ietf.org, Sam Hartman <hartmans-ietf@mit.edu>, draft-ietf-behave-lsn-requirements@tools.ietf.org, ietf@ietf.org
Subject: Re: [secdir] [pcp] secdir review of draft-ietf-behave-lsn-requirements
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2012 20:03:32 -0000

>>>>> "Simon" == Simon Perreault <simon.perreault@viagenie.ca> writes:




    Simon> MUST NOT permit the lifetime of a mapping to be reduced beyond its
    Simon> current life or be set to zero (deleted)
OK.

    >> and MUST NOT support the third-party option.

    Simon> I think pcp-base-26 added restrictions to THIRD_PARTY so that it could
    Simon> be used in CGN scenarios. If that is right, wouldn't it then make
    Simon> sense to allow THIRD_PARTY on CGNs?

I don't think you can describe a subscriber-facing network of an ISP as
"fully trusted."
The text added to 13.1 might permit third_party to be used by an
administrative web service within an ISP  but certainly not by customers
of that ISP.
I'd be OK with "MUST NOT allow the third_party option for traffic
received from customer-facing interfaces."
or "MUST NOT allow the third_party option in requests received on the
internal network."
Then that still permits the case of third_party for administration
motivating the text in 13.1.

    >> My second concern is with section 8.
    >> This section says that spoofing is a concern of DOS, notes that ingress
    >> filtering is a defense and makes no recommendation.
    >> 
    >> I believe spoofing is a significantly greater concern than DOS. As an
    >> example, I can spoof traffic from you to create an inbound hole towards
    >> one of your ports.

    Simon> Is this a new attack vector introduced by CGN? Without NAT, there's no
    Simon> need for a "hole", anyone can send traffic to any of a subscriber's
    Simon> ports...

I find it difficult to answer that question. I'd say that it is likely
an unexpected assumption for someone behind a NAT.  It is a
vulnerability of CGNs over other NATs, but perhaps not a vulnerability
of CGNs over no NAT or firewall at all.
Why do we care whether it's new? Is it actually bad if we end up
describing a related attack and recommending people deploy in a manner
that avoids it?

From simon.perreault@viagenie.ca  Tue Jul 10 13:31:37 2012
Return-Path: <simon.perreault@viagenie.ca>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E25B211E80A6; Tue, 10 Jul 2012 13:31:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.485
X-Spam-Level: 
X-Spam-Status: No, score=-2.485 tagged_above=-999 required=5 tests=[AWL=0.115,  BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L9vJf1KENulu; Tue, 10 Jul 2012 13:31:36 -0700 (PDT)
Received: from jazz.viagenie.ca (unknown [IPv6:2620:0:230:8000:226:55ff:fe57:14db]) by ietfa.amsl.com (Postfix) with ESMTP id 110F121F84D3; Tue, 10 Jul 2012 13:31:36 -0700 (PDT)
Received: from porto.nomis80.org (unknown [IPv6:2620:0:230:c000:8e70:5aff:fec5:72e4]) by jazz.viagenie.ca (Postfix) with ESMTPSA id 1B35A44B4E; Tue, 10 Jul 2012 16:32:04 -0400 (EDT)
Message-ID: <4FFC9143.40407@viagenie.ca>
Date: Tue, 10 Jul 2012 16:32:03 -0400
From: Simon Perreault <simon.perreault@viagenie.ca>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20120615 Thunderbird/13.0.1
MIME-Version: 1.0
To: Sam Hartman <hartmans-ietf@mit.edu>
References: <tslobnna3da.fsf@mit.edu> <4FFC844F.3010207@viagenie.ca> <tsl1ukj9ye1.fsf@mit.edu>
In-Reply-To: <tsl1ukj9ye1.fsf@mit.edu>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Tue, 10 Jul 2012 13:34:10 -0700
Cc: secdir@ietf.org, pcp@ietf.org, draft-ietf-behave-lsn-requirements@tools.ietf.org, ietf@ietf.org
Subject: Re: [secdir] [pcp] secdir review of draft-ietf-behave-lsn-requirements
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2012 20:31:37 -0000

On 07/10/2012 04:03 PM, Sam Hartman wrote:
>      >> and MUST NOT support the third-party option.
>
>      Simon> I think pcp-base-26 added restrictions to THIRD_PARTY so that it could
>      Simon> be used in CGN scenarios. If that is right, wouldn't it then make
>      Simon> sense to allow THIRD_PARTY on CGNs?
>
> I don't think you can describe a subscriber-facing network of an ISP as
> "fully trusted."
> The text added to 13.1 might permit third_party to be used by an
> administrative web service within an ISP  but certainly not by customers
> of that ISP.
> I'd be OK with "MUST NOT allow the third_party option for traffic
> received from customer-facing interfaces."
> or "MUST NOT allow the third_party option in requests received on the
> internal network."
> Then that still permits the case of third_party for administration
> motivating the text in 13.1.

Makes sense to me.

>      >> My second concern is with section 8.
>      >> This section says that spoofing is a concern of DOS, notes that ingress
>      >> filtering is a defense and makes no recommendation.
>      >>
>      >> I believe spoofing is a significantly greater concern than DOS. As an
>      >> example, I can spoof traffic from you to create an inbound hole towards
>      >> one of your ports.
>
>      Simon> Is this a new attack vector introduced by CGN? Without NAT, there's no
>      Simon> need for a "hole", anyone can send traffic to any of a subscriber's
>      Simon> ports...
>
> I find it difficult to answer that question. I'd say that it is likely
> an unexpected assumption for someone behind a NAT.  It is a
> vulnerability of CGNs over other NATs, but perhaps not a vulnerability
> of CGNs over no NAT or firewall at all.
> Why do we care whether it's new? Is it actually bad if we end up
> describing a related attack and recommending people deploy in a manner
> that avoids it?

The DoS part is new. If an evil subscriber creates mappings in your 
stead, you may be DoSed. This attack vector does not exist with either 
single-user NAT or no NAT at all. That's why we mention it in the 
security considerations.

I don't think it is useful to recommend ingress filtering to prevent 
unwanted traffic because it would rely on an unrealistic assumption of a 
new security benefit that a CGN would provide. CGN does not prevent a 
subscriber from receiving traffic from anyone. That's true even with 
ingress filtering.

How about adding a sentence like...

"CGN as described in this document does not provide any security 
benefits over either single-user NAT or no NAT at all."

I don't think we have any power to change a subscriber's unreasonable 
assumptions, but we can at least honestly say to operators that they're 
not buying any security with CGN.

Simon
-- 
DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source        --> http://ecdysis.viagenie.ca
STUN/TURN server               --> http://numb.viagenie.ca

From miyakawa@nttv6.jp  Tue Jul 10 13:36:30 2012
Return-Path: <miyakawa@nttv6.jp>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FC6711E813D; Tue, 10 Jul 2012 13:36:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.09
X-Spam-Level: 
X-Spam-Status: No, score=-0.09 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bepVbC6Z44RE; Tue, 10 Jul 2012 13:36:29 -0700 (PDT)
Received: from guri.nttv6.jp (guri.nttv6.jp [IPv6:2402:c800:ff06:144::148]) by ietfa.amsl.com (Postfix) with ESMTP id A0E9B11E80CB; Tue, 10 Jul 2012 13:36:29 -0700 (PDT)
Received: from z.nttv6.jp (z.nttv6.jp [115.69.228.212]) by guri.nttv6.jp (NTTv6MTA) with ESMTP id E1838BDC18; Wed, 11 Jul 2012 05:36:54 +0900 (JST)
Received: from localhost (localhost [IPv6:::1]) by z.nttv6.jp (NTTv6MTA) with ESMTP id B66ACE169A; Wed, 11 Jul 2012 05:36:54 +0900 (JST)
Date: Wed, 11 Jul 2012 05:36:54 +0900 (JST)
Message-Id: <20120711.053654.193724485.miyakawa@nttv6.jp>
To: simon.perreault@viagenie.ca
From: Shin Miyakawa <miyakawa@nttv6.jp>
In-Reply-To: <4FFC9143.40407@viagenie.ca>
References: <4FFC844F.3010207@viagenie.ca> <tsl1ukj9ye1.fsf@mit.edu> <4FFC9143.40407@viagenie.ca>
Organizaton: NTT Communications
X-Mailer: Mew version 6.3 on Emacs 23.2 / Mule 6.0 (HANACHIRUSATO)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Tue, 10 Jul 2012 13:40:21 -0700
Cc: miyakawa@nttv6.jp, ietf@ietf.org, secdir@ietf.org, pcp@ietf.org, hartmans-ietf@mit.edu, draft-ietf-behave-lsn-requirements@tools.ietf.org
Subject: Re: [secdir] [pcp] secdir review of draft-ietf-behave-lsn-requirements
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2012 20:36:30 -0000

>> Then that still permits the case of third_party for administration
>> motivating the text in 13.1.
> 
> Makes sense to me.

+1

> How about adding a sentence like...
> 
> "CGN as described in this document does not provide any security
> benefits over either single-user NAT or no NAT at all."

I agree with Simon (also as one of the authors of this draft).

We think that CGN is not the machine to provide security benefits
and the original intention of this draft is just to make CGN as neutral as possible...

Best wishes,

Shin Miyakawa
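
[Added example, not part of any message in this thread and not code from either draft.] The PCP server constraints proposed above for a CGN under the simple threat model (no lifetime reduction or deletion, no explicit mapping shorter than the implicit lifetime, no THIRD_PARTY from customer-facing interfaces, MAP only with endpoint-independent filtering), written as one request check in Python. The class names, field names and verdict labels are hypothetical, and the requests are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CgnPolicy:
    implicit_lifetime: int   # seconds the CGN gives implicitly created mappings
    eif_enabled: bool        # endpoint-independent filtering (REQ-7) adopted


@dataclass(frozen=True)
class MapRequest:
    internal_ip: str
    protocol: str
    internal_port: int
    lifetime: int            # requested seconds; 0 asks for deletion
    third_party: bool        # request carries the THIRD_PARTY option
    customer_facing: bool    # arrived on a customer-facing interface


def evaluate_map(policy, mappings, req, now):
    """Apply the constraints discussed in the thread to one MAP request.

    mappings maps (ip, protocol, port) -> expiry time and is updated only
    when the request is accepted. Returns a hypothetical verdict label.
    """
    # MAP may be offered only when REQ-7 filtering behaviour is adopted.
    if not policy.eif_enabled:
        return "deny:map-requires-eif"
    # THIRD_PARTY stays available to operator-side administration only.
    if req.third_party and req.customer_facing:
        return "deny:third-party-from-customer"
    # PCP has no delete opcode; deletion is a MAP request with lifetime 0.
    if req.lifetime == 0:
        return "deny:delete"

    key = (req.internal_ip, req.protocol, req.internal_port)
    new_expiry = now + req.lifetime
    current = mappings.get(key)
    if current is not None and current > now:
        # Live mapping: its remaining life must never shrink.
        if new_expiry < current:
            return "deny:lifetime-reduction"
    elif req.lifetime < policy.implicit_lifetime:
        # New mapping: must last at least as long as an implicit one.
        return "deny:below-implicit-lifetime"

    mappings[key] = new_expiry
    return "allow"


def run_demo():
    """Run a constructed request sequence; return (verdicts, mapping table)."""
    policy = CgnPolicy(implicit_lifetime=120, eif_enabled=True)
    mappings = {}

    def req(port, lifetime, third_party=False, customer_facing=True):
        # 100.64.0.10 is a constructed subscriber address.
        return MapRequest("100.64.0.10", "udp", port, lifetime,
                          third_party, customer_facing)

    steps = [
        (1000, req(5000, 3600)),                    # create, expires at 4600
        (1100, req(5000, 60)),                      # would shrink to 1160
        (1100, req(5000, 0)),                       # deletion attempt
        (1100, req(5001, 30)),                      # shorter than implicit
        (1100, req(5002, 600, third_party=True)),   # THIRD_PARTY from customer
        (1100, req(5002, 600, third_party=True, customer_facing=False)),
        (1100, req(5000, 7200)),                    # extension to 8300
    ]
    verdicts = [evaluate_map(policy, mappings, r, now) for now, r in steps]
    return verdicts, mappings


if __name__ == "__main__":
    for verdict in run_demo()[0]:
        print(verdict)
```

The check identifies the requester only by source address, so it holds only where ingress filtering keeps one subscriber from spoofing another, which is the spoofing concern raised in the review.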

From ynir@checkpoint.com  Wed Jul 11 04:26:46 2012
Return-Path: <ynir@checkpoint.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 398B721F84CD; Wed, 11 Jul 2012 04:26:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.235
X-Spam-Level: 
X-Spam-Status: No, score=-10.235 tagged_above=-999 required=5 tests=[AWL=0.364, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QGWNJN73UBmM; Wed, 11 Jul 2012 04:26:45 -0700 (PDT)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 3B4D821F847E; Wed, 11 Jul 2012 04:26:44 -0700 (PDT)
Received: from il-ex01.ad.checkpoint.com (il-ex01.ad.checkpoint.com [194.29.34.26]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id q6BBRCTl005414; Wed, 11 Jul 2012 14:27:12 +0300
X-CheckPoint: {4FFD619D-1-1B221DC2-4FFFF}
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Wed, 11 Jul 2012 14:27:12 +0300
From: Yoav Nir <ynir@checkpoint.com>
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org IESG" <iesg@ietf.org>,  "draft-ietf-ipfix-ie-doctors.all@tools.ietf.org" <draft-ietf-ipfix-ie-doctors.all@tools.ietf.org>
Date: Wed, 11 Jul 2012 14:27:13 +0300
Thread-Topic: secdir review of draft-ietf-ipfix-ie-doctors-03
Thread-Index: Ac1fWBwy1r8fRA9fRqCV3KYfY5T/tA==
Message-ID: <56C143E9-A517-4DDE-8CCC-3C4E1B0FF17F@checkpoint.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [secdir] secdir review of draft-ietf-ipfix-ie-doctors-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jul 2012 11:26:46 -0000

Hi

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments just
like any other last call comments.

The document defines the criteria by which the "Information Element
Doctors" - experts to be appointed by the IESG - should evaluate requests
for assignment in the IANA registry for IPFIX information elements. The
registry has the "expert review" procedure, and these IE doctors are the
designated experts.

The target audience for this document are two groups: the IE doctors
themselves, and the people who request assignments in the registry. The
document itself does not define any new protocol or information elements.

The document has a lot of advice about meaningful names, about avoiding
having >1 IEs with the same or similar semantics, and what registry
applications should look like.

The Security Considerations section is used in a surprising way. It does
not specify how to securely implement this document (as this document
specifies no protocol), but it specifies what to consider when evaluating a
request for assignment. This is important information, and the section is
well-written. IMO there are a few issues with it:

- The section says that you should "not give a potential attacker too much
information". It would be better to explicitly list the kinds of threats
that leaking too much information may lead to: breach of privacy,
vulnerability to traffic analysis, and leaking actual data.

- The section also talks about what should be included in the Internet
Draft that specifies the new information element. That I-D would have its
own security considerations section, which would be reviewed in due course,
but writing an I-D is not required. Section 9 says that "When a new
application is complex enough to require additional clarification or
specification as to the use of the defined Information Elements, this may be
given in an Internet-Draft." This language is not strong enough to make
anything with potential security concerns go through the I-D route. IEs may
still be submitted directly to IANA, with the security concerns only
mentioned in the IE description.

I think this document should explicitly state that it is part of the task
of IE doctors to consider the security aspects of new IEs, as well as to
give guidelines about what they should look for.

Yoav Nir


From kent@bbn.com  Wed Jul 11 12:42:53 2012
Return-Path: <kent@bbn.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E85821F8541 for <secdir@ietfa.amsl.com>; Wed, 11 Jul 2012 12:42:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level: 
X-Spam-Status: No, score=x tagged_above=-999 required=5 tests=[]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id te4iv7zS2ijZ for <secdir@ietfa.amsl.com>; Wed, 11 Jul 2012 12:42:53 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id D689421F8549 for <secdir@ietf.org>; Wed, 11 Jul 2012 12:42:51 -0700 (PDT)
Received: from dhcp89-089-043.bbn.com ([128.89.89.43]:50786) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1Sp2ob-000MSB-Ca; Wed, 11 Jul 2012 15:43:13 -0400
Message-ID: <4FFDD751.2050200@bbn.com>
Date: Wed, 11 Jul 2012 15:43:13 -0400
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:13.0) Gecko/20120614 Thunderbird/13.0.1
MIME-Version: 1.0
To: secdir <secdir@ietf.org>
Content-Type: multipart/mixed; boundary="------------020507060409010901070104"
Cc: manav.bhatia@alcatel-lucent.com, gregory.ietf@gmail.com, stbryant@cisco.com
Subject: [secdir] review of draft-ietf-karp-threats-reqs-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jul 2012 19:42:53 -0000

This is a multi-part message in MIME format.
--------------020507060409010901070104
Content-Type: multipart/alternative;
 boundary="------------090607020003080306030306"


--------------090607020003080306030306
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

This is a re-review of this document. I reviewed version -03 in August
of 2011. I provided an extensive set of comments and edits in an effort
to improve the readability of this doc. Some of the edits were accepted,
but many others have been ignored. New text (several pages worth) has
been added, which has not improved the overall quality of the document.

This document is very, very badly written. It includes made-up names for
attacks, bad definitions, a messed-up terminology section, an
inconsistent discussion of threats and attacks, and a set of
"requirements" that are a mix of useful, vague, and silly statements.
(One of my favorite examples is the definition of INTERFERENCE attacks,
which begins by saying that "ADDING NOISE" is a type of INTERFERENCE
attack. Since this does not appear to be a discussion taking place in
the RF context, this is not a helpful bullet! The extensive use of
uppercase words is also not much of an aid to readability.)

The threat/attack discussion is a hodgepodge; it gives the reader the 
sense that the topics that have been included are arbitrary, with no 
sense of a taxonomy or a comprehensive, consistent treatment of threats 
and attacks.

This document requires significant work to become an RFC that will be a
useful guide for the KARP WG, and not an embarrassment to the IETF.

An annotated, edited version of the doc is attached.

Steve



--------------090607020003080306030306--

--------------020507060409010901070104
Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document;
 name="draft-ietf-karp-threats-reqs-05.docx"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="draft-ietf-karp-threats-reqs-05.docx"

--------------020507060409010901070104--

From shanna@juniper.net  Wed Jul 11 19:20:42 2012
Return-Path: <shanna@juniper.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DAB0511E810F; Wed, 11 Jul 2012 19:20:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level: 
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xW-RVuNHosO1; Wed, 11 Jul 2012 19:20:42 -0700 (PDT)
Received: from exprod7og118.obsmtp.com (exprod7og118.obsmtp.com [64.18.2.8]) by ietfa.amsl.com (Postfix) with ESMTP id 2AB7711E809A; Wed, 11 Jul 2012 19:20:33 -0700 (PDT)
Received: from P-EMHUB01-HQ.jnpr.net ([66.129.224.36]) (using TLSv1) by exprod7ob118.postini.com ([64.18.6.12]) with SMTP ID DSNKT/40kb7m4HH3ifxxQIx3pl9X6T1R8V6z@postini.com; Wed, 11 Jul 2012 19:21:14 PDT
Received: from P-CLDFE02-HQ.jnpr.net (172.24.192.60) by P-EMHUB01-HQ.jnpr.net (172.24.192.35) with Microsoft SMTP Server (TLS) id 8.3.213.0; Wed, 11 Jul 2012 19:19:36 -0700
Received: from p-emfe01-wf.jnpr.net (172.28.145.24) by p-cldfe02-hq.jnpr.net (172.24.192.60) with Microsoft SMTP Server (TLS) id 14.1.355.2; Wed, 11 Jul 2012 19:19:35 -0700
Received: from EMBX01-WF.jnpr.net ([fe80::1914:3299:33d9:e43b]) by p-emfe01-wf.jnpr.net ([fe80::d0d1:653d:5b91:a123%11]) with mapi; Wed, 11 Jul 2012 22:19:35 -0400
From: Stephen Hanna <shanna@juniper.net>
To: "ietf@ietf.org" <ietf@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-6lowpan-btle.all@tools.ietf.org" <draft-ietf-6lowpan-btle.all@tools.ietf.org>
Date: Wed, 11 Jul 2012 22:19:33 -0400
Thread-Topic: secdir review of draft-ietf-6lowpan-btle-08
Thread-Index: Ac1f1Ma24oacIUSEQV6zGZ0doNIaNw==
Message-ID: <AC6674AB7BC78549BB231821ABF7A9AEB833166881@EMBX01-WF.jnpr.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [secdir] secdir review of draft-ietf-6lowpan-btle-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Jul 2012 02:20:43 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document describes how IPv6 is transported over Bluetooth
Low Energy (BT-LE).

As a proviso, I am not an expert in IPv6, 6LoWPAN, or Bluetooth.
Still, this document seemed to be a clear specification of the
intended subject matter. The Security Considerations section
says that the security concerns are similar to those for IPv6
over 802.15.4. That makes sense, I suppose.

I was happy to see that this document says "IPv6 over BT-LE
SHOULD be protected by using BT-LE Link Layer security", whereas
RFC 4944 (IPv6 over 802.15.4) does not include any normative
language on using link layer security. Also, this document says
that "Key management in BT-LE is provided by the Security Manager
Protocol (SMP)", whereas RFC 4944 says that no key management
is provided by 802.15.4. So this specification is apparently
more secure than RFC 4944. That's good.

So based on my review (admitting little knowledge of BT-LE),
this document seems to be an improvement over the current
state of the art for 6LoWPAN from a security perspective.
And the overall level of security seems reasonable.
I have no objection to the publication of this document.

I did notice two typos:

gateway^1s => gateway's
respectively => respectively

Thanks,

Steve


From ynir@checkpoint.com  Wed Jul 11 22:50:25 2012
Return-Path: <ynir@checkpoint.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3CAD21F8718; Wed, 11 Jul 2012 22:50:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.259
X-Spam-Level: 
X-Spam-Status: No, score=-10.259 tagged_above=-999 required=5 tests=[AWL=0.340, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KEkwDRTjrSwe; Wed, 11 Jul 2012 22:50:25 -0700 (PDT)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 7698321F8573; Wed, 11 Jul 2012 22:50:23 -0700 (PDT)
Received: from il-ex01.ad.checkpoint.com (il-ex01.ad.checkpoint.com [194.29.34.26]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id q6C5og8i005735; Thu, 12 Jul 2012 08:50:46 +0300
X-CheckPoint: {4FFE6435-1-1B221DC2-4FFFF}
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Thu, 12 Jul 2012 08:50:42 +0300
From: Yoav Nir <ynir@checkpoint.com>
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org IESG" <iesg@ietf.org>,  "draft-ietf-ipfix-ie-doctors.all@tools.ietf.org" <draft-ietf-ipfix-ie-doctors.all@tools.ietf.org>
Date: Thu, 12 Jul 2012 08:50:40 +0300
Thread-Topic: [secdir] secdir review of draft-ietf-ipfix-ie-doctors-03
Thread-Index: Ac1f8kW7m91df9JbQjKkatWBOTGI3w==
Message-ID: <82F50D2E-18BC-42DF-9F5C-3B04FBB55180@checkpoint.com>
References: <56C143E9-A517-4DDE-8CCC-3C4E1B0FF17F@checkpoint.com>
In-Reply-To: <56C143E9-A517-4DDE-8CCC-3C4E1B0FF17F@checkpoint.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [secdir] secdir review of draft-ietf-ipfix-ie-doctors-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Jul 2012 05:50:25 -0000

Reading my own review again, I think it's missing a summary.

The draft does a good job of describing the need to review new information elements for the security implications of sending them in IPFIX.  I'm missing two things:

 1. A list of security and privacy issues to consider (PII, actual data leakage, traffic flow data)
 2. A clear statement that the IE doctors need to make these considerations. That would be clearer if the security stuff (that is part of the review process) was not in the "Security Considerations" section, but could be made clear with a clarifying sentence.

Yoav

On Jul 11, 2012, at 2:27 PM, Yoav Nir wrote:

> Hi
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> The document defines the criteria by which the "Information Element
> Doctors" - experts to be appointed by the IESG - should evaluate
> requests for assignment in the IANA registry for IPFIX information
> elements. The registry has the "expert review" procedure, and these IE
> doctors are the designated experts.
>
> The target audience for this document are two groups: the IE doctors
> themselves, and the people who request assignments in the registry.
> The document itself does not define any new protocol or information
> elements.
>
> The document has a lot of advice about meaningful names, about
> avoiding having >1 IEs with the same or similar semantics, and what
> registry applications should look like.
>
> The Security Considerations section is used in a surprising way. It
> does not specify how to securely implement this document (as this
> document specifies no protocol), but it specifies what to consider
> when evaluating a request for assignment. This is important
> information, and the section is well-written. IMO there are a few
> issues with it:
>
> - The section says that you should "not give a potential attacker too
> much information". It would be better to explicitly list the kinds of
> threats that leaking too much information may lead to: breach of
> privacy, vulnerability to traffic analysis, and leaking actual data.
>
> - The section also talks about what should be included in the Internet
> Draft that specifies the new information element. That I-D would have
> its own security considerations section, which would be reviewed in
> due course, but writing an I-D is not required. Section 9 says that
> "When a new application is complex enough to require additional
> clarification or specification as to the use of the defined
> Information Elements, this may be given in an Internet-Draft." This
> language is not strong enough to make anything with potential security
> concerns go through the I-D route. IEs may still be submitted directly
> to IANA, with the security concerns only mentioned in the IE
> description.
>
> I think this document should explicitly state that it is part of the
> task of IE doctors to consider the security aspects of new IEs, as
> well as to give guidelines about what they should look for.
>
> Yoav Nir
>


From kathleen.moriarty@emc.com  Thu Jul 12 07:01:07 2012
Return-Path: <kathleen.moriarty@emc.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FBDA21F86B0; Thu, 12 Jul 2012 07:01:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.47
X-Spam-Level: 
X-Spam-Status: No, score=-2.47 tagged_above=-999 required=5 tests=[AWL=0.128,  BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kP+4H7KMvpvG; Thu, 12 Jul 2012 07:01:04 -0700 (PDT)
Received: from mexforward.lss.emc.com (hop-nat-141.emc.com [168.159.213.141]) by ietfa.amsl.com (Postfix) with ESMTP id 930B221F8847; Thu, 12 Jul 2012 07:01:04 -0700 (PDT)
Received: from hop04-l1d11-si03.isus.emc.com (HOP04-L1D11-SI03.isus.emc.com [10.254.111.23]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id q6CE1SMl022618 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 12 Jul 2012 10:01:29 -0400
Received: from mailhub.lss.emc.com (mailhubhoprd03.lss.emc.com [10.254.221.145]) by hop04-l1d11-si03.isus.emc.com (RSA Interceptor); Thu, 12 Jul 2012 10:01:07 -0400
Received: from mxhub36.corp.emc.com (mxhub36.corp.emc.com [10.254.93.84]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id q6CE16jl014336; Thu, 12 Jul 2012 10:01:06 -0400
Received: from mx15a.corp.emc.com ([169.254.1.189]) by mxhub36.corp.emc.com ([::1]) with mapi; Thu, 12 Jul 2012 10:01:05 -0400
From: <kathleen.moriarty@emc.com>
To: <secdir@ietf.org>, <draft-ietf-v6ops-ra-guard-implementation.all@tools.ietf.org>, <iesg@ietf.org>
Date: Thu, 12 Jul 2012 10:01:05 -0400
Thread-Topic: SecDir review of draft-ietf-v6ops-ra-guard-implementation-04
Thread-Index: Ac1gNsc++cRE89ymRHadHZMhFDfvaw==
Message-ID: <F5063677821E3B4F81ACFB7905573F2403AAA236@MX15A.corp.emc.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_F5063677821E3B4F81ACFB7905573F2403AAA236MX15Acorpemccom_"
MIME-Version: 1.0
X-EMM-MHVC: 1
Cc: fgont@si6networks.com
Subject: [secdir] SecDir review of draft-ietf-v6ops-ra-guard-implementation-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Jul 2012 14:01:07 -0000

--_000_F5063677821E3B4F81ACFB7905573F2403AAA236MX15Acorpemccom_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

draft-ietf-v6ops-ra-guard-implementation-04 updates RFC6105 as a BCP.
   The IPv6 Router Advertisement Guard (RA-Guard) mechanism is commonly
   employed to mitigate attack vectors based on forged ICMPv6 Router
   Advertisement messages.  Many existing IPv6 deployments rely on RA-
   Guard as the first line of defense against the aforementioned attack
   vectors.  However, some implementations of RA-Guard have been found
   to be prone to circumvention by employing IPv6 Extension Headers.
   This document describes the evasion techniques that affect the
   aforementioned implementations, and formally updates RFC 6105, such
   that the aforementioned RA-Guard evasion vectors are eliminated.

Review Summary:
The draft is mostly ready (the draft introduces new requirements to
protect against specific attack vectors and addresses them well), but I
would recommend some stronger language in the Security Considerations
section in the following areas:

In the start of the security considerations section, it says that
'advice' is given to correct the problems.  Reading through the draft
this updates and this draft, would saying 'new requirements' or
'additional requirements' be better?  The updates proposed in this
draft use RFC2119 language with MUST statements to correct a few issues
(RA guards were not handling fragmentation or paying attention to IPv6
extension headers).

Also, to be compliant with this BCP, shouldn't the security
considerations section just require compliance with RFC5722?  The
indented paragraph in the security considerations section could be
updated to state this requirement to make it a clear requirement from
this draft.

Thank you,
Kathleen





--_000_F5063677821E3B4F81ACFB7905573F2403AAA236MX15Acorpemccom_--
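
The two gaps named in the review above (extension headers and fragmentation) can be seen in a small filter sketch. This is an added example, not code from the draft or from any RA-Guard implementation: the function names, the drop policy for an incomplete header chain, and the packet bytes are assumptions constructed for illustration, and only the hop-by-hop, routing, destination options and fragment headers are walked.

```python
import struct

# IPv6 Next Header values (IANA protocol numbers)
HOP_BY_HOP, ROUTING, FRAGMENT, ICMPV6, DEST_OPTS = 0, 43, 44, 58, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, DEST_OPTS}
ROUTER_ADVERT = 134  # ICMPv6 message type


def classify_fixed_header_only(packet: bytes) -> str:
    """Weak check: trusts the Next Header field of the fixed IPv6 header."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "malformed"
    if packet[6] == ICMPV6 and len(packet) > 40 and packet[40] == ROUTER_ADVERT:
        return "ra"
    return "not-ra"


def classify_full_chain(packet: bytes) -> str:
    """Follow every extension header until the upper-layer header is reached."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "malformed"
    next_header, offset = packet[6], 40
    while True:
        if next_header in EXT_HEADERS:
            if offset + 2 > len(packet):
                return "incomplete-chain"
            # Hdr Ext Len counts 8-octet units, not including the first 8 octets.
            hdr_len = (packet[offset + 1] + 1) * 8
            if offset + hdr_len > len(packet):
                return "incomplete-chain"
            next_header, offset = packet[offset], offset + hdr_len
        elif next_header == FRAGMENT:
            if offset + 8 > len(packet):
                return "incomplete-chain"
            frag_offset = struct.unpack("!H", packet[offset + 2:offset + 4])[0] >> 3
            if frag_offset != 0:
                return "non-first-fragment"
            next_header, offset = packet[offset], offset + 8
        elif next_header == ICMPV6:
            if offset >= len(packet):
                return "incomplete-chain"  # upper-layer header not in this packet
            return "ra" if packet[offset] == ROUTER_ADVERT else "not-ra"
        else:
            return "not-ra"


def ra_guard(packet: bytes, port_is_router: bool = False,
             classifier=classify_full_chain) -> str:
    """Verdict for one packet arriving on a layer-2 port."""
    if port_is_router:
        return "forward"
    kind = classifier(packet)
    # Assumed policy: a packet that cannot be classified is not forwarded.
    if kind in ("malformed", "incomplete-chain", "ra"):
        return "drop"
    return "forward"


# --- Constructed test vectors (checksums are zero; never sent anywhere) ---
def ipv6(next_header: int, payload: bytes) -> bytes:
    src = bytes.fromhex("fe80" + "00" * 13 + "01")  # fe80::1
    dst = bytes.fromhex("ff02" + "00" * 13 + "01")  # ff02::1
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255) + src + dst + payload


def frag_hdr(next_header: int, offset_units: int, more: bool) -> bytes:
    return struct.pack("!BBHI", next_header, 0, (offset_units << 3) | int(more), 0x1234)


RA_BODY = bytes([ROUTER_ADVERT, 0, 0, 0]) + bytes(12)
ECHO_BODY = bytes([128, 0, 0, 0, 0, 1, 0, 1])
PADDED_DEST_OPTS = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])      # 8 octets, PadN only
LONG_DEST_OPTS_START = bytes([ICMPV6, 1, 1, 4, 0, 0, 0, 0])  # claims 16 octets

PLAIN_RA = ipv6(ICMPV6, RA_BODY)
EXT_RA = ipv6(DEST_OPTS, PADDED_DEST_OPTS + RA_BODY)
SHORT_FIRST_FRAGMENT = ipv6(FRAGMENT, frag_hdr(DEST_OPTS, 0, True) + LONG_DEST_OPTS_START)
LATER_FRAGMENT = ipv6(FRAGMENT, frag_hdr(DEST_OPTS, 1, False) + RA_BODY)
ECHO = ipv6(ICMPV6, ECHO_BODY)

if __name__ == "__main__":
    samples = {"plain RA": PLAIN_RA, "RA behind dest-opts": EXT_RA,
               "short first fragment": SHORT_FIRST_FRAGMENT,
               "later fragment": LATER_FRAGMENT, "echo request": ECHO}
    for name, pkt in samples.items():
        print(f"{name:22} weak={ra_guard(pkt, classifier=classify_fixed_header_only):8}"
              f" full={ra_guard(pkt)}")
```

Later fragments are forwarded by this sketch because they cannot be classified on their own; the filter then relies on the first fragment having been judged correctly.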

From fred@cisco.com  Thu Jul 12 11:27:41 2012
Return-Path: <fred@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4295021F85F1; Thu, 12 Jul 2012 11:27:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.441
X-Spam-Level: 
X-Spam-Status: No, score=-110.441 tagged_above=-999 required=5 tests=[AWL=0.158, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gWy-dJF3ZhtJ; Thu, 12 Jul 2012 11:27:40 -0700 (PDT)
Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) by ietfa.amsl.com (Postfix) with ESMTP id 622FB21F858F; Thu, 12 Jul 2012 11:27:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1682; q=dns/txt; s=iport; t=1342117694; x=1343327294; h=from:to:cc:subject:date:message-id:content-id: content-transfer-encoding:mime-version; bh=yyp62SAhCwY2nKuak6xUpqs7wD2T5Wh/WLQ1Ropcdvk=; b=h2//z8vy2AS8fy/0ha7A9EErw7v+HPyGw84Usvk0rWEZI9Mq2A37c/c+ E4amu5YsL9iNGG+JBN1Sti8/K8q1rHMAD+zhvTU/yCMU4Ypxf+T4ZvBV3 bTTJd/zrqMLRWY68wv5RvSup7T97vY5FK7hIqfnQ9MLeFi/uNfHh95/V6 E=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="4.77,575,1336348800"; d="scan'208";a="98330518"
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by rcdn-iport-9.cisco.com with ESMTP; 12 Jul 2012 18:28:14 +0000
Received: from xhc-rcd-x02.cisco.com (xhc-rcd-x02.cisco.com [173.37.183.76]) by rcdn-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id q6CISEiH022778 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 12 Jul 2012 18:28:14 GMT
Received: from xmb-rcd-x09.cisco.com ([169.254.9.118]) by xhc-rcd-x02.cisco.com ([173.37.183.76]) with mapi id 14.02.0298.004; Thu, 12 Jul 2012 13:28:13 -0500
From: "Fred Baker (fred)" <fred@cisco.com>
To: "ops-dir@ietf.org" <ops-dir@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Thread-Topic: IEC 62351-6 review
Thread-Index: AQHNYFwYYFRC2xFQYkOb0VhldhcMlw==
Date: Thu, 12 Jul 2012 18:27:40 +0000
Message-ID: <F61D99FE-2DE7-4B24-819C-A60B624FB589@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.21.86.152]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19034.004
x-tm-as-result: No--31.674300-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: text/plain; charset="us-ascii"
Content-ID: <ABE13167C9499F4B8831F8A5C4FC4D52@cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: IETF SmartObjectDir <smartobjectdir@ietf.org>, John Lampe <john.lampe@iapsolutions.com>, Frances Cleveland <fcleve@xanthus-consulting.com>
Subject: [secdir] IEC 62351-6 review
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Jul 2012 18:27:41 -0000

Hello from the SGIP meeting happening this week.

Francis Cleveland, whom some of you no doubt know, is a consultant to
NIST and rapporteur-or-something-like-that for IEC 62351-6, which
specifies how to secure communication profiles specified within IEC
61850, which in turn specifies the design of electrical substation
automation. A large part of that is, surprise, management exchanges,
both network and equipment; the remainder is ongoing event
communication, maintaining synchronization among equipment. EPRI, which
is a company that consults to the power industry, is looking at that
with a view to potential updates to make it better and more useful.
Francis asked me to work with John Lampe, a consultant to EPRI, on
that. Marianne Swanson of NIST tells me that document access can be
arranged through the CyberSecurity Working Group of the SGIP, which
uses NIST's relationship with ANSI to get less-onerous access to IEC
documents.

To that end, I'd like to get some volunteers to review the document
from an "IP Network" perspective. I'm obviously looking for one or two
security people to look at the security recommendations, someone from
NetConf to look at the network management issues, and someone from
opsec to look at the "how does this work in a dual stack network"
issues - a total of 3-6 people. I'm happy to have someone that is not a
heavily-loaded directorate member; I need your help in identifying
whoever that set of people might turn out to be.

BTW, 62351-7 is a bunch of MIBs; they likely need to be updated as
well, perhaps with the addition of yang modules for netconf.

Help?

From tlyu@mit.edu  Thu Jul 12 20:34:32 2012
Return-Path: <tlyu@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EAC4E11E80E5; Thu, 12 Jul 2012 20:34:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.216
X-Spam-Level: 
X-Spam-Status: No, score=-104.216 tagged_above=-999 required=5 tests=[AWL=-0.617, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oaYi2UOnkeWZ; Thu, 12 Jul 2012 20:34:32 -0700 (PDT)
Received: from dmz-mailsec-scanner-4.mit.edu (DMZ-MAILSEC-SCANNER-4.MIT.EDU [18.9.25.15]) by ietfa.amsl.com (Postfix) with ESMTP id A06D111E80B6; Thu, 12 Jul 2012 20:34:31 -0700 (PDT)
X-AuditID: 1209190f-b7f306d0000008b4-2e-4fff9764d71a
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) by dmz-mailsec-scanner-4.mit.edu (Symantec Messaging Gateway) with SMTP id 92.95.02228.4679FFF4; Thu, 12 Jul 2012 23:35:00 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH.MIT.EDU [18.7.22.103]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id q6D3Z06t004333;  Thu, 12 Jul 2012 23:35:00 -0400
Received: from cathode-dark-space.mit.edu (CATHODE-DARK-SPACE.MIT.EDU [18.18.1.96]) (authenticated bits=56) (User authenticated as tlyu@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.6/8.12.4) with ESMTP id q6D3Yv2I008098 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 12 Jul 2012 23:34:58 -0400 (EDT)
Received: (from tlyu@localhost) by cathode-dark-space.mit.edu (8.12.9.20060308) id q6D3Yumu018453; Thu, 12 Jul 2012 23:34:56 -0400 (EDT)
To: secdir@ietf.org, iesg@ietf.org, draft-hoffman-tao-as-web-page.all@tools.ietf.org
From: Tom Yu <tlyu@MIT.EDU>
Date: Thu, 12 Jul 2012 23:34:56 -0400
Message-ID: <ldvipdspc4f.fsf@cathode-dark-space.mit.edu>
Lines: 30
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Subject: [secdir] secdir review of draft-hoffman-tao-as-web-page-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jul 2012 03:34:33 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

The Security Considerations section says

   The Tao is available over TLS at <https://www.ietf.org/tao.html>.

This statement seems to imply that protecting the integrity of the Tao
while transmitting it to a reader is important.  The public nature of
the Tao implies that the confidentiality of this channel is also not a
significant concern.  It seems odd to make a statement about the
integrity of the channel between the reader and the www.ietf.org web
server, while saying nothing about the channel that the Tao editor
uses.  It is likely that an attack on the integrity of the editing
channel will have a far greater impact than an attack on the integrity
of the reading channel.

On the other hand, malicious manipulation of the Tao will probably at
worst mislead newcomers about the workings of the IETF, because the
formal process specifications for the IETF are BCP RFCs.
Additionally, if the editor of the Tao can only edit a proposed text,
rather than the officially published version, the IESG can presumably
discover any malicious alterations of the proposed text prior to
approving it.  It seems reasonable to assume that any process that the
IETF Secretariat uses to publish the proposed text after its IESG
approval is no less secure than the processes for publishing other
official information on the IETF web site.

From mehmet.ersue@nsn.com  Thu Jul 12 14:51:44 2012
Return-Path: <mehmet.ersue@nsn.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EB7F11E80D2; Thu, 12 Jul 2012 14:51:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.569
X-Spam-Level: 
X-Spam-Status: No, score=-106.569 tagged_above=-999 required=5 tests=[AWL=0.030, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P+5IzpR+fHJx; Thu, 12 Jul 2012 14:51:43 -0700 (PDT)
Received: from demumfd001.nsn-inter.net (demumfd001.nsn-inter.net [93.183.12.32]) by ietfa.amsl.com (Postfix) with ESMTP id B10B011E80CB; Thu, 12 Jul 2012 14:51:42 -0700 (PDT)
Received: from demuprx017.emea.nsn-intra.net ([10.150.129.56]) by demumfd001.nsn-inter.net (8.12.11.20060308/8.12.11) with ESMTP id q6CLq5tj019184 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 12 Jul 2012 23:52:05 +0200
Received: from DEMUEXC048.nsn-intra.net ([10.159.32.94]) by demuprx017.emea.nsn-intra.net (8.12.11.20060308/8.12.11) with ESMTP id q6CLq49q003376; Thu, 12 Jul 2012 23:52:04 +0200
Received: from DEMUEXC006.nsn-intra.net ([10.150.128.18]) by DEMUEXC048.nsn-intra.net with Microsoft SMTPSVC(6.0.3790.4675);  Thu, 12 Jul 2012 23:52:05 +0200
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 12 Jul 2012 23:52:03 +0200
Message-ID: <80A0822C5E9A4440A5117C2F4CD36A640405E047@DEMUEXC006.nsn-intra.net>
In-Reply-To: <F61D99FE-2DE7-4B24-819C-A60B624FB589@cisco.com>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: [smartobjectdir] IEC 62351-6 review
Thread-Index: AQHNYFwYYFRC2xFQYkOb0VhldhcMl5cmMFIQ
References: <F61D99FE-2DE7-4B24-819C-A60B624FB589@cisco.com>
From: "Ersue, Mehmet (NSN - DE/Munich)" <mehmet.ersue@nsn.com>
To: "ext Fred Baker (fred)" <fred@cisco.com>, <ops-dir@ietf.org>, <secdir@ietf.org>
X-OriginalArrivalTime: 12 Jul 2012 21:52:05.0044 (UTC) FILETIME=[937DA740:01CD6078]
X-purgate-type: clean
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-size: 2332
X-purgate-ID: 151667::1342129925-00005506-721BAFAE/0-0/0-0
X-Mailman-Approved-At: Fri, 13 Jul 2012 03:14:05 -0700
Cc: IETF SmartObjectDir <smartobjectdir@ietf.org>, John Lampe <john.lampe@iapsolutions.com>, Frances Cleveland <fcleve@xanthus-consulting.com>
Subject: Re: [secdir] [smartobjectdir] IEC 62351-6 review
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Jul 2012 21:51:44 -0000

> someone from NetConf to look at the network management issues

Sure.

Cheers,
Mehmet

> -----Original Message-----
> From: smartobjectdir-bounces@ietf.org
> [mailto:smartobjectdir-bounces@ietf.org] On Behalf Of ext Fred Baker
> (fred)
> Sent: Thursday, July 12, 2012 8:28 PM
> To: ops-dir@ietf.org; secdir@ietf.org
> Cc: IETF SmartObjectDir; John Lampe; Frances Cleveland
> Subject: [smartobjectdir] IEC 62351-6 review
>
> Hello from the SGIP meeting happening this week.
>
> Francis Cleveland, whom some of you no doubt know, is a consultant to
> NIST and rapporteur-or-something-like-that for IEC 62351-6, which
> specifies how to secure communication profiles specified within IEC
> 61850, which in turn specifies the design of electrical substation
> automation. A large part of that is, surprise, management exchanges,
> both network and equipment; the remainder is ongoing event
> communication, maintaining synchronization among equipment. EPRI,
> which is a company that consults to the power industry, is looking at
> that with a view to potential updates to make it better and more
> useful. Francis asked me to work with John Lampe, a consultant to
> EPRI, on that. Marianne Swanson of NIST tells me that document access
> can be arranged through the CyberSecurity Working Group of the SGIP,
> which uses NIST's relationship with ANSI to get less-onerous access to
> IEC documents.
>
> To that end, I'd like to get some volunteers to review the document
> from an "IP Network" perspective. I'm obviously looking for one or two
> security people to look at the security recommendations, someone from
> NetConf to look at the network management issues, and someone from
> opsec to look at the "how does this work in a dual stack network"
> issues - a total of 3-6 people. I'm happy to have someone that is not
> a heavily-loaded directorate member; I need your help in identifying
> whoever that set of people might turn out to be.
>
> BTW, 62351-7 is a bunch of MIBs; they likely need to be updated as
> well, perhaps with the addition of yang modules for netconf.
>
> Help?
> _______________________________________________
> smartobjectdir mailing list
> smartobjectdir@ietf.org
> https://www.ietf.org/mailman/listinfo/smartobjectdir

From alexey.melnikov@isode.com  Fri Jul 13 11:59:33 2012
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4C2F11E8097 for <secdir@ietfa.amsl.com>; Fri, 13 Jul 2012 11:59:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.039
X-Spam-Level: 
X-Spam-Status: No, score=-103.039 tagged_above=-999 required=5 tests=[AWL=-0.440, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nvS2QPxqkWVY for <secdir@ietfa.amsl.com>; Fri, 13 Jul 2012 11:59:32 -0700 (PDT)
Received: from waldorf.isode.com (cl-125.lon-03.gb.sixxs.net [IPv6:2a00:14f0:e000:7c::2]) by ietfa.amsl.com (Postfix) with ESMTP id 9DC1D21F865E for <secdir@ietf.org>; Fri, 13 Jul 2012 11:59:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1342206033; d=isode.com; s=selector; i=@isode.com; bh=i/hiAgur7nRhId7pcAU1H29KbzpLaWRRDIs/VHiLdVs=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=JZUKaLPGTqFnG1/5HRdMDqkCbkfhxa6zV1NuUWtOpq0LvhOfoCjdL0D2NSKeLbR76Qct0d WrvRyMoeazZRFZFb28SwSzT6vP45hPJWs8tmZBhP6UpduzL8KggvIwDC9clZiq1O1SJkQq J6dNiaf+nBHpX9Ukq0Q1gdtkRfxjGtE=;
Received: from [172.16.1.29] (shiny.isode.com [62.3.217.250])  by waldorf.isode.com (submission channel) via TCP with ESMTPSA  id <UABwUAAkREW2@waldorf.isode.com>; Fri, 13 Jul 2012 20:00:32 +0100
X-SMTP-Protocol-Errors: PIPELINING
Message-ID: <50007051.9010000@isode.com>
Date: Fri, 13 Jul 2012 20:00:33 +0100
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20120614 Thunderbird/13.0.1
To: Jeffrey Hutzelman <jhutz@cmu.edu>
References: <3f40470e03a3da0a21dcf09e26f1a723.squirrel@www.trepanning.net> <27876_1341435865_q64L4NNL000555_4FF4AFD6.4070303@isode.com> <1341461872.5329.22.camel@tuzanor.jhutz.local>
In-Reply-To: <1341461872.5329.22.camel@tuzanor.jhutz.local>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Cc: draft-ietf-krb-wg-kdc-model.all@tools.ietf.org, secdir <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-krb-wg-kdc-model-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jul 2012 18:59:34 -0000

On 05/07/2012 05:17, Jeffrey Hutzelman wrote:
> On Wed, 2012-07-04 at 22:04 +0100, Alexey Melnikov wrote:
>
>> I do however have a long list of nits and minor issues which I think
>> need to be addressed:
> I think the majority of your comments can be addressed by noting that
> this is an abstract data model, not a schema or protocol.  So, it
> discusses values that must be representable, but not what the
> representation must look like, because that's up to some schema or
> protocol based on this data model (e.g. an LDAP schema or XML DTD).

Not too abstract though. If you say something is an integer and one 
protocol can only support 32-bit integers, while another can support 
128-bit, one of them might be unusable unless your definition is more 
specific.

> I thought at this point that the introduction makes this point
> reasonably clear, along with the notion that "implementations" of this
> document are schemas or protocols, not pieces of software.  However, if
> you didn't pick up on that, then maybe there's a better way to get it
> across.

See above.

> Aside from those, you also pointed out three specific issues (quoted below)
> which I think are answered by text in RFC3961.  If that information is
> sufficient to answer your questions, then appropriate references to that
> document should be inserted in the text.  Otherwise, we'll have to talk
> about what the document can say to be more clear.

Having very specific references (to section numbers) is likely to solve 
issues, yes.

>> In Section 4.1.1.13 - what is an enctype? :-).
> See RFC3961.
>
>> 4.3.1.2.  keyValue
>>
>>      The binary representation of the key data.  This MUST be a single-
>>      valued octet string.
>>
>>
>> Can it be zero-length?
> A valid question, I suppose.  But I don't see any point in saying,
> because then someone will just follow up with a question asking whether
> it is allowed to be length 1.
>
> In fact, a key held by the KDC will be a valid key for the appropriate
> enctype.  The set of valid keys is a property of the enctype, as
> specified in RFC3961 section 3.

Ok, a reference would do.

>> 4.3.1.3.  keySaltValue
>>
>>      The binary representation of the key salt.  This MUST be a single-
>>      valued octet string.
>>
>> As above.
> RFC3961 is quite clear that any valid UTF-8 string is permissible as a
> salt.
>
>
>
> You also pointed out several missing references; I agree with all of
> those.

Ok, good.

> Leif, can you make sure we get in whatever changes are needed to address
> Alexey's comments?


From weiler+secdir@watson.org  Fri Jul 13 13:49:57 2012
Return-Path: <weiler+secdir@watson.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64BB311E80C7 for <secdir@ietfa.amsl.com>; Fri, 13 Jul 2012 13:49:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fXae6ywH8odB for <secdir@ietfa.amsl.com>; Fri, 13 Jul 2012 13:49:56 -0700 (PDT)
Received: from fledge.watson.org (fledge.watson.org [65.122.17.41]) by ietfa.amsl.com (Postfix) with ESMTP id 7915611E8097 for <secdir@ietf.org>; Fri, 13 Jul 2012 13:49:56 -0700 (PDT)
Received: from fledge.watson.org (localhost.watson.org [127.0.0.1]) by fledge.watson.org (8.14.5/8.14.5) with ESMTP id q6DKoWTd014883 for <secdir@ietf.org>; Fri, 13 Jul 2012 16:50:32 -0400 (EDT) (envelope-from weiler+secdir@watson.org)
Received: from localhost (weiler@localhost) by fledge.watson.org (8.14.5/8.14.5/Submit) with ESMTP id q6DKoWet014880 for <secdir@ietf.org>; Fri, 13 Jul 2012 16:50:32 -0400 (EDT) (envelope-from weiler+secdir@watson.org)
X-Authentication-Warning: fledge.watson.org: weiler owned process doing -bs
Date: Fri, 13 Jul 2012 16:50:32 -0400 (EDT)
From: Samuel Weiler <weiler+secdir@watson.org>
X-X-Sender: weiler@fledge.watson.org
To: secdir@ietf.org
Message-ID: <alpine.BSF.2.00.1207131648320.19913@fledge.watson.org>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.3 (fledge.watson.org [127.0.0.1]); Fri, 13 Jul 2012 16:50:32 -0400 (EDT)
Subject: [secdir] Assignments
Reply-To: secdir-secretary@mit.edu
X-List-Received-Date: Fri, 13 Jul 2012 20:49:57 -0000

Review instructions and related resources are at:
        http://tools.ietf.org/area/sec/trac/wiki/SecDirReview

Ondrej Sury is next in the rotation.

For telechat 2012-07-19

Reviewer                 LC end     Draft
Shawn Emery            T 2012-07-02 draft-melnikov-smtp-priority-tunneling-03
Jeffrey Hutzelman      T 2012-07-10 draft-ietf-abfab-gss-eap-08
Russ Mundy             T 2012-07-17 draft-ietf-pkix-caa-10
Magnus Nystrom         T 2012-07-17 draft-ietf-grow-private-ip-sp-cores-05
Hilarie Orman          T 2012-07-19 draft-ietf-grow-diverse-bgp-path-dist-07
Radia Perlman          T 2012-07-17 draft-ietf-dnsop-dnssec-dps-framework-08
Sam Weiler             TR2012-03-23 draft-sakane-dhc-dhcpv6-kdc-option-17
Nico Williams          T 2012-07-02 draft-farrell-decade-ni-09


For telechat 2012-08-16

Yaron Sheffer          T 2012-08-08 draft-yegin-pana-encr-avp-03

Last calls and special requests:

Rob Austein              2012-06-26 draft-ietf-bmwg-2544-as-04
Dave Cridland            2012-06-28 draft-ietf-nfsv4-federated-fs-admin-11
Donald Eastlake          -          draft-zheng-mpls-ldp-hello-crypto-auth-04
Warren Kumari            2012-07-11 draft-ietf-oauth-v2-threatmodel-06
Matt Lepinski            2012-07-11 draft-ietf-v6ops-6204bis-09
Alexey Melnikov          -          draft-ietf-krb-wg-kdc-model-12
Sandy Murphy             2012-07-19 draft-ietf-ospf-hybrid-bcast-and-p2mp-03
Tim Polk                 2012-07-23 draft-ietf-appsawg-http-forwarded-06
Eric Rescorla            2012-07-25 draft-ietf-websec-strict-transport-sec-11
Vincent Roca             2012-07-23 draft-ietf-xrblock-rtcp-xr-pdv-03
Joe Salowey              2012-08-09 draft-vegoda-cotton-rfc5735bis-02
Nico Williams            -          draft-ietf-httpbis-p5-range-19
Tom Yu                   -          draft-ietf-httpbis-p6-cache-19
Glen Zorn                -          draft-ietf-httpbis-p7-auth-19
Glen Zorn                2012-06-27 draft-hoffman-tao4677bis-15

From yaronf.ietf@gmail.com  Sat Jul 14 14:12:56 2012
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C513F21F85DF; Sat, 14 Jul 2012 14:12:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.599
X-Spam-Level: 
X-Spam-Status: No, score=-103.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cBpspmcXRD2i; Sat, 14 Jul 2012 14:12:56 -0700 (PDT)
Received: from mail-wi0-f172.google.com (mail-wi0-f172.google.com [209.85.212.172]) by ietfa.amsl.com (Postfix) with ESMTP id 920CC21F85CE; Sat, 14 Jul 2012 14:12:55 -0700 (PDT)
Received: by wibhm11 with SMTP id hm11so1323123wib.13 for <multiple recipients>; Sat, 14 Jul 2012 14:13:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=PSVeY6pPY6i9l7Il0azc3VEMObMbinpmyO0wLX+KVA4=; b=foQ1gzjc46AA/azJrsOq+zzQgErBZj8LfV24gFDUVTx+0giunKVc6/sytepVzBCivt /jI2Duc6s/nblDetYFgAxUWZ6SiuIFuqoqGalNAC986t4+9Tcu/CChklXepKWRAoek3F uD9Zd3mEiKRTt0YKTpZhaM6a4ZdExQx+rRtbBMRizP6uEuJeG47s773sH3LkVVyO7sHe Z0PQeYOZUQ/c+UtsDe2rk/Cs7ijn+0JYMNpm38Ov5go5oEw6I2TlaUj7b4k5rMbH4pg5 9qdNJvQpupaNk9c51U74hyDNmjhOCk/LjU0grnmWyaeo6X31u0UsrgIgpElK5Zt/K0XO mFeQ==
Received: by 10.180.91.1 with SMTP id ca1mr7165252wib.8.1342300414908; Sat, 14 Jul 2012 14:13:34 -0700 (PDT)
Received: from [10.0.0.3] (bzq-79-182-163-254.red.bezeqint.net. [79.182.163.254]) by mx.google.com with ESMTPS id w7sm11841385wiz.0.2012.07.14.14.13.33 (version=SSLv3 cipher=OTHER); Sat, 14 Jul 2012 14:13:34 -0700 (PDT)
Message-ID: <5001E0FA.1070603@gmail.com>
Date: Sun, 15 Jul 2012 00:13:30 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20120615 Thunderbird/13.0.1
MIME-Version: 1.0
To: secdir@ietf.org, draft-yegin-pana-encr-avp.all@tools.ietf.org,  iesg@ietf.org
References: <4FBFAE5F.8010305@gmail.com>
In-Reply-To: <4FBFAE5F.8010305@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [secdir] SecDir review of draft-yegin-pana-encr-avp-03
X-List-Received-Date: Sat, 14 Jul 2012 21:12:57 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors.  Document editors and WG chairs should treat these
comments just like any other last call comments.

This protocol defines a new AVP that encapsulates multiple PANA AVPs 
within one message, and encrypts them. The encryption key is derived 
from EAP's MSK, and the only encryption algorithm defined is AES128-CTR.

Summary

I'm a bit worried about the quality of the proposed cryptographic
solution. While using Counter Mode as the preferred encryption mode is
completely legit, it does require some extra care.

Details

Please note that I am neither a PANA expert nor a cryptographer.

- Sec. 2: I am not clear why MSK is used for deriving the keys, in 
preference to EMSK. I understand that one of the main differences 
between the two is that MSK is possibly shared with an Authenticator 
server (where one exists), but the EMSK is not. It would seem to me that 
a generic confidentiality mechanism should use the key that's shared 
with fewer partners.

- Sec. 2: please clarify whether Encr-Encap can already be used in the 
first message that completes negotiation of the algorithm, i.e. the 
initial PANA-Auth-Answer.

- Sec. 2: according to RFC 5191 (PANA), Sec. 5.4, the AUTH AVP is not 
mandatory (or am I missing something?) It should be made mandatory for 
messages that contain an Encr-Encap (possibly with the exception of 
authenticated encryption algorithms, but none are defined in the current 
document). Emphatically so if Counter Mode is used.

- Sec. 3: I understand why the nonces are used in the derivation. I do 
not understand why the initial messages are used - cryptographic binding 
of message contents is appropriate for authentication 
(integrity-protection) messages, but seems redundant for generation of 
confidentiality keys.

- Sec. 4: Counter Mode is infamous for being extremely sensitive to the 
quality of the IV (a.k.a. "nonce"). So I would expect a random nonce to 
be used for this purpose, rather than the concatenation of 3 protocol 
values. Specifically, what is the likelihood of these parameters 
repeating after a reboot?

- Sec. 4: please explain where the initial 02 octet of the counter block 
comes from.

- Sec. 5: The value of the Encr-Encap AVP is defined as 13 here, but is 
left open in the IANA Considerations.

- Sec. 5: I suppose there is no (block cipher) padding. Please say so 
explicitly. In fact this AVP cannot be generic if neither padding nor IV 
are catered for. In other words, it's good for Counter Mode but for 
little else.

- Sec. 6.1: the Nonce AVPs used for deriving the encryption key 
obviously cannot be encrypted.

Thanks,
      Yaron
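
The two Counter Mode concerns in the review above (a nonce concatenated from protocol values that may repeat, and Encr-Encap sent without a mandatory AUTH AVP), as an added example that is not part of the original message or of the draft. Assumptions: HMAC-SHA256 stands in for the AES-128 block operation so the file needs only the standard library, an HMAC tag stands in for the AUTH AVP, the three nonce field names are hypothetical, and the keys and messages are constructed.

```python
"""Counter Mode: repeated nonce and missing integrity check (constructed demo)."""
import hashlib
import hmac
import os
import struct

BLOCK = 16  # octets per keystream block (the AES block size)


def prf_block(key: bytes, counter_block: bytes) -> bytes:
    """Stand-in for E_K(counter_block). This is HMAC-SHA256, NOT AES."""
    return hmac.new(key, counter_block, hashlib.sha256).digest()[:BLOCK]


def ctr_xcrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with PRF(key, nonce || block index); the same call decrypts."""
    out = bytearray()
    for offset in range(0, len(data), BLOCK):
        counter_block = nonce + struct.pack(">I", offset // BLOCK + 1)
        keystream = prf_block(key, counter_block)
        out.extend(b ^ k for b, k in zip(data[offset:offset + BLOCK], keystream))
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derived_nonce(session_id: int, key_id: int, seq_no: int) -> bytes:
    """Nonce concatenated from three protocol values (hypothetical fields)."""
    return struct.pack(">III", session_id, key_id, seq_no)


def random_nonce() -> bytes:
    """96-bit random nonce; it has to travel with the ciphertext."""
    return os.urandom(12)


def seal(enc_key: bytes, auth_key: bytes, nonce: bytes, plaintext: bytes):
    """Encrypt, then authenticate nonce and ciphertext (AUTH AVP stand-in)."""
    ct = ctr_xcrypt(enc_key, nonce, plaintext)
    return ct, hmac.new(auth_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(enc_key, auth_key, nonce, ct, tag):
    """Verify the tag before decrypting; return None when it does not match."""
    expected = hmac.new(auth_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return ctr_xcrypt(enc_key, nonce, ct)


# Constructed sample keys and payloads (equal length for a clean comparison).
ENC_KEY = bytes(range(16))
AUTH_KEY = bytes(range(16, 48))
MSG_BEFORE = b"avp: vlan=0017; psk=alpha-alpha"
MSG_AFTER = b"avp: vlan=0042; psk=bravo-bravo"


def reuse_after_restart() -> bytes:
    """Assume the key survives a restart while the nonce inputs start over."""
    n1 = derived_nonce(session_id=7, key_id=1, seq_no=1)
    n2 = derived_nonce(session_id=7, key_id=1, seq_no=1)  # same values again
    c1 = ctr_xcrypt(ENC_KEY, n1, MSG_BEFORE)
    c2 = ctr_xcrypt(ENC_KEY, n2, MSG_AFTER)
    # Identical keystream cancels out: what remains is plaintext XOR plaintext.
    return xor(c1, c2)


def fresh_nonces() -> bytes:
    """Same key and messages, but each message gets its own random nonce."""
    c1 = ctr_xcrypt(ENC_KEY, random_nonce(), MSG_BEFORE)
    c2 = ctr_xcrypt(ENC_KEY, random_nonce(), MSG_AFTER)
    return xor(c1, c2)


def tamper_outcomes():
    """One ciphertext bit changed in transit, with and without verification."""
    nonce = random_nonce()
    ct, tag = seal(ENC_KEY, AUTH_KEY, nonce, MSG_BEFORE)
    damaged = bytes([ct[0] ^ 0x01]) + ct[1:]
    unverified = ctr_xcrypt(ENC_KEY, nonce, damaged)  # decrypts without error
    verified = open_sealed(ENC_KEY, AUTH_KEY, nonce, damaged, tag)
    return unverified, verified


if __name__ == "__main__":
    print("repeat leaks p1^p2:", reuse_after_restart() == xor(MSG_BEFORE, MSG_AFTER))
    print("random nonces leak:", fresh_nonces() == xor(MSG_BEFORE, MSG_AFTER))
    print("tamper outcomes   :", tamper_outcomes())
```

With a repeated nonce the XOR of the two ciphertexts equals the XOR of the two plaintexts, and a changed ciphertext bit decrypts silently unless the tag is checked first.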


From hilarie@purplestreak.com  Mon Jul 16 12:32:55 2012
Return-Path: <hilarie@purplestreak.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B70AC21F892D; Mon, 16 Jul 2012 12:32:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lT8M7Bc4uEgO; Mon, 16 Jul 2012 12:32:55 -0700 (PDT)
Received: from out01.mta.xmission.com (out01.mta.xmission.com [166.70.13.231]) by ietfa.amsl.com (Postfix) with ESMTP id EB44B21F8929; Mon, 16 Jul 2012 12:32:54 -0700 (PDT)
Received: from mx01.mta.xmission.com ([166.70.13.211]) by out01.mta.xmission.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.76) (envelope-from <hilarie@purplestreak.com>) id 1Sqr33-0006LC-GT; Mon, 16 Jul 2012 13:33:37 -0600
Received: from 166-70-57-249.ip.xmission.com ([166.70.57.249] helo=sylvester.rhmr.com) by mx01.mta.xmission.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <hilarie@purplestreak.com>) id 1Sqr30-0001jn-AV; Mon, 16 Jul 2012 13:33:37 -0600
Received: from sylvester.rhmr.com (localhost [127.0.0.1]) by sylvester.rhmr.com (8.14.4/8.14.3/Debian-9.1ubuntu1) with ESMTP id q6GJUsvm014864; Mon, 16 Jul 2012 13:30:54 -0600
Received: (from hilarie@localhost) by sylvester.rhmr.com (8.14.4/8.14.4/Submit) id q6GJUr6Z014862; Mon, 16 Jul 2012 13:30:53 -0600
Date: Mon, 16 Jul 2012 13:30:53 -0600
Message-Id: <201207161930.q6GJUr6Z014862@sylvester.rhmr.com>
From: "Hilarie Orman" <hilarie@purplestreak.com>
To: iesg@ietf.org, secdir@ietf.org
X-XM-SPF: eid=; ; ; mid=; ; ; hst=mx01.mta.xmission.com; ; ; ip=166.70.57.249; ; ; frm=hilarie@purplestreak.com; ; ; spf=none
X-XM-DomainKey: sender_domain=purplestreak.com; ; ; sender=hilarie@purplestreak.com; ; ; status=error
X-SA-Exim-Connect-IP: 166.70.57.249
X-SA-Exim-Mail-From: hilarie@purplestreak.com
X-Spam-DCC: XMission; sa04 1397; Body=1 Fuz1=1 Fuz2=1 
X-Spam-Combo: *;iesg@ietf.org, secdir@ietf.org
X-Spam-Relay-Country: 
X-SA-Exim-Version: 4.2.1 (built Fri, 06 Aug 2010 16:31:04 -0600)
X-SA-Exim-Scanned: Yes (on mx01.mta.xmission.com)
Cc: draft-ietf-grow-diverse-bgp-path-dist.all@tools.ietf.org, robert@raszuk.net
Subject: [secdir] Security review of draft-ietf-grow-diverse-bgp-path-dist-07
Reply-To: Hilarie Orman <hilarie@purplestreak.com>
X-List-Received-Date: Mon, 16 Jul 2012 19:32:55 -0000

Security review of draft-ietf-grow-diverse-bgp-path-dist-07
Distribution of diverse BGP paths.

Do not be alarmed.  I have reviewed this document as part of the
security directorate's ongoing effort to review all IETF documents
being processed by the IESG.  These comments were written primarily
for the benefit of the security area directors.  Document editors and
WG chairs should treat these comments just like any other last call
comments.

This document presents a mechanism for distributing redundant BGP
paths based on the concept of parallel route reflector planes.  It
does not need any changes to the BGP protocol definition.

The general notion is that different groups of route reflectors would
be assigned to find the "nth best route" where n varies from 1 to a small
number.  All n routes would be presented to devices connected to the
route reflectors.  This in turn would enable a multitude of benefits:
quick routing restoration, load balancing, and churn reduction.

The point of making this an IETF document is odd.  Its fundamental
message is "instead of using extensions to BGP for additional paths,
you could use route reflectors configured for nth best path."  And, as
it turns out, Cisco makes such a product.

The draft is sketchy on how route reflectors actually work, and the
writing is a testament to the complexity and redundancy of English, a
notoriously user unfriendly language.  The text is very difficult to
read, but eventually some non-ambiguous meaning emerges from each
sentence, despite the irregular grammar and run-on sentences.  Oddly
enough, Cisco's documentation about its route reflectors is
well-written.  I would refer interested readers there.

Still, we do not get to know if route reflectors put additional,
proprietary, information on the wire, how a listener could inquire
about their configuration, or what the stability and failure
properties might be.

All of this makes for difficulties in doing a security analysis.  The
document asserts that all security problems are subsumed by prior work
in analyzing BGP security.  This might be true, but BGP has a number
of documented vulnerabilities, and the new paths might multiply them.

Should BGP listeners trust the additional paths?  Are opportunities
for spoofing increased because listeners should expect more paths?
What are the interactions between spoofed failures and switching to
one of the diverse paths?  Could route reflectors be tricked into
permuting the path ordering so fast that paths never stabilize?

I think that the security considerations should address potential
problems in the context of the previous analyses of BGP security, if
this is indeed a protocol document in the ordinary IETF sense.
Perhaps it is not, maybe it is an infrastructure configuration guide
or an argument against BGP add-paths extensions.  I can't tell.

Hilarie

---------------------------
NB: "Hilarie Orman" is my actual name and not a pseudonym for any
other person with similar knowledge or interests. 

From shares@ndzh.com  Mon Jul 16 16:28:03 2012
Return-Path: <shares@ndzh.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0AAC821F87A2; Mon, 16 Jul 2012 16:28:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level: 
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K1xX1PredRFo; Mon, 16 Jul 2012 16:27:58 -0700 (PDT)
Received: from hickoryhill-consulting.com (hhc-web.hickoryhill-consulting.com [64.9.205.140]) by ietfa.amsl.com (Postfix) with ESMTP id E5C5421F8773; Mon, 16 Jul 2012 16:27:55 -0700 (PDT)
X-Default-Received-SPF: pass (skip=forwardok (res=PASS)) x-ip-name=63.133.198.20; 
Received: from SKH2012HPLT (unverified [63.133.198.20])  by hickoryhill-consulting.com (SurgeMail 5.2a) with ESMTP id 3458997-1945496 for multiple; Mon, 16 Jul 2012 19:28:40 -0400
From: "Susan Hares" <shares@ndzh.com>
To: "'Catherine Meadows'" <catherine.meadows@nrl.navy.mil>, <iesg@ietf.org>, <secdir@ietf.org>, <draft-ietf-idr-rfc4893bis.all@tools.ietf.org>
References: <9BA4B53E-9772-47D4-B336-3A98FAEB4045@nrl.navy.mil>
In-Reply-To: <9BA4B53E-9772-47D4-B336-3A98FAEB4045@nrl.navy.mil>
Date: Mon, 16 Jul 2012 19:28:37 -0400
Message-ID: <005401cd63aa$baeac2b0$30c04810$@ndzh.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0055_01CD6389.33DCF340"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJKmuJjwEjeN+Alq24qu8oI3WgY1pYyEeWg
Content-Language: en-us
X-Authenticated-User: skh@ndzh.com 
X-Mailman-Approved-At: Mon, 16 Jul 2012 16:29:56 -0700
Cc: "John G. Scudder" <jgs@juniper.net>, "'Murphy, Sandra'" <Sandra.Murphy@sparta.com>
Subject: Re: [secdir] Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07 (resend of a resend)
X-List-Received-Date: Mon, 16 Jul 2012 23:28:03 -0000

Catherine:

I've read and re-read this email for a week (7/9 - 7/16).

Misconfiguration is a fact of life in networks.  Security profiles must deal
with this point.  We can all say you should not misconfigure networks - but
life happens.  Therefore, I'm confused by your question.  I would consider
it is just a security event the authors pointing happens.

On your second comment

"I would also expect that the chance of routing loops arising out of
conversion from 4-octet to 2-octet occurring between confederations would be
much less than of their occurring within a confederation (although one can't
know for sure without knowing what the 4-octet to 2-octet mapping is), so
following the recommendations in the Security Considerations would greatly
reduce the probability of such a routing loop occurring.  Is this correct?"

It depends if someone configures a confederation within a confederation.
[see earlier comment on mis-configuration.] I've copied Sandy Murphy in case
as SIDR chair can put this discussion into a different "security" specific
light.

Confused,

Sue

From: Catherine Meadows [mailto:catherine.meadows@nrl.navy.mil] 
Sent: Monday, July 09, 2012 2:25 PM
To: iesg@ietf.org; secdir@ietf.org;
draft-ietf-idr-rfc4893bis.all@tools.ietf.org
Cc: Catherine Meadows
Subject: Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07 (resend
of a resend)

I managed to screw up the email address again.  Here it is for what I hope
is the last time.

My apologies again to everyone who receives *three* copies of this message.

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

This document describes an added capability for four-octet Autonomous System
(AS) numbers in BGP.  This is intended to replace the older two-octet AS
numbers, since that space is filling up.

In order to preserve backward compatibility, AS's using the four-octet
systems (called New BGP speakers in the document) must advertise both
four-octet and two-octet AS numbers.  This is the case even if the New BGP
Speaker does not have a globally unique two-octet number.  The document says
that in this case the two-octet number is obtained by mapping the four-octet
number to the two-octet space.  The procedure for doing this is not
specified.

The authors identify a risk of routing loops developing when ambiguities
develop as a result of a BGP speaker using the old system aggregating two or
more routes carrying 4-octet attributes.  In the Security Configurations
Section, the authors point out that an attacker might be able to exploit
this in a denial of service attack.  They point out that it is a
misconfiguration to assign 4-octet Member AS Numbers in a BGP confederation
until all BGP speakers within the confederation have transitioned to support
4-octet numbers.

I think that this is a good recommendation.  I just have a couple of minor
comments.

It's not clear to me what the status of "misconfiguration" is in the
hierarchy of IETF.  Is it more like SHALL NOT or SHOULD NOT?  Is there a
reason why you're saying "misconfiguration" instead of one of those?

I would also expect that the chance of routing loops arising out of
conversion from 4-octet to 2-octet occurring between confederations would be
much less than of their occurring within a confederation (although one can't
know for sure without knowing what the 4-octet to 2-octet mapping is), so
following the recommendations in the Security Considerations would greatly
reduce the probability of such a routing loop occurring.  Is this correct?

Cathy Meadows

Catherine Meadows
Naval Research Laboratory
Code 5543
4555 Overlook Ave., S.W.
Washington DC, 20375
phone: 202-767-3490
fax: 202-404-7942
email: catherine.meadows@nrl.navy.mil

 


------=_NextPart_000_0055_01CD6389.33DCF340
Content-Type: text/html;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40"><head><meta =
http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dus-ascii"><meta name=3DGenerator content=3D"Microsoft Word 14 =
(filtered medium)"><style><!--
/* Font Definitions */
@font-face
	{font-family:Helvetica;
	panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
	{font-family:"Cambria Math";
	panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
	{font-family:Tahoma;
	panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:purple;
	text-decoration:underline;}
span.apple-style-span
	{mso-style-name:apple-style-span;}
span.EmailStyle18
	{mso-style-type:personal-reply;
	font-family:"Calibri","sans-serif";
	color:#1F497D;}
.MsoChpDefault
	{mso-style-type:export-only;
	font-size:10.0pt;}
@page WordSection1
	{size:8.5in 11.0in;
	margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
	{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]--></head><body lang=3DEN-US link=3Dblue =
vlink=3Dpurple><div class=3DWordSection1><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497=
D'>Catherine:<o:p></o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497=
D'><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497=
D'>I&#8217;ve read and re-read this email for a week (7/9 &#8211; 7/16). =
<o:p></o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497=
D'><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497=
D'>Misconfiguration is a fact of life in networks.&nbsp; Security =
profiles must deal with this point.&nbsp; We can all say you should not =
misconfigure networks &#8211; but life happens. &nbsp;Therefore, =
&nbsp;I&#8217;m confused by your question. &nbsp;I would consider it is =
just a security event the authors pointing happens. =
<o:p></o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497=
D'><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497=
D'>On your second comment<o:p></o:p></span></p><p =
class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497=
D'><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497=
D'>&#8220;</span>I would also expect that the chance of routing loops =
arising out conversion from 4-octet<br>to 2-octet occurring between =
confederations would be much less than of their occurring<br>within a =
confederation (although one can't know for sure without knowing what the =
4-octet<br>to 2-octet mapping is), so following the recommendations in =
the Security Considerations would<br>greatly reduce the probability of =
such a routing loop occurring. &nbsp;Is this correct?&nbsp;&#8220; =
<o:p></o:p></p><p class=3DMsoNormal><o:p>&nbsp;</o:p></p><p =
class=3DMsoNormal>It depends if someone configures a confederation =
within a confederation.&nbsp;&nbsp; [see earlier comment on =
mis-configuration.] I&#8217;ve copied Sandy Murphy in case as SIDR chair =
can put this discussion into a different &#8220;security&#8221; specific =
light.&nbsp; <o:p></o:p></p><p class=3DMsoNormal><o:p>&nbsp;</o:p></p><p =
class=3DMsoNormal>Confused,<o:p></o:p></p><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=3DMsoNormal>Sue =
<o:p></o:p></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497=
D'><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497=
D'><o:p>&nbsp;</o:p></span></p><div><div =
style=3D'border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in =
0in 0in'><p class=3DMsoNormal><b><span =
style=3D'font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span>=
</b><span style=3D'font-size:10.0pt;font-family:"Tahoma","sans-serif"'> =
Catherine Meadows [mailto:catherine.meadows@nrl.navy.mil] =
<br><b>Sent:</b> Monday, July 09, 2012 2:25 PM<br><b>To:</b> =
iesg@ietf.org; secdir@ietf.org; =
draft-ietf-idr-rfc4893bis.all@tools.ietf.org<br><b>Cc:</b> Catherine =
Meadows<br><b>Subject:</b> Spam:*******, Secdir Review of =
draft-ietf-idr-rfc4893bis-07 (resend of a =
resend)<o:p></o:p></span></p></div></div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=3DMsoNormal>I managed to =
screw up the email address again. &nbsp;Here it is for what I hope is =
the last time.<o:p></o:p></p><div><p class=3DMsoNormal>My apologies =
again to everyone who receives *three* copies of this =
message.<o:p></o:p></p></div><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p =
class=3DMsoNormal>I&nbsp;have reviewed this document as part of the =
security directorate's&nbsp;<br>ongoing effort to review all IETF =
documents being processed by the&nbsp;<br>IESG. &nbsp;These comments =
were written primarily for the benefit of the&nbsp;<br>security area =
directors. &nbsp;Document editors and WG chairs should =
treat&nbsp;<br>these comments just like any other last call =
comments.<br><br>This document describes an added capability for =
four-octet Autonomous System<br>(AS) numbers in BGP. &nbsp;This is =
intended to &nbsp;replace the older two-octet AS numbers,<br>since that =
space is filling up.<br><br>In order to preserve backward compatibility, =
AS's using the four-octet systems (called New<br>BGP speakers in the =
document) must advertise both four-octet and two-octet AS =
numbers.<br>This is the case even if the New BGP Speaker does not have a =
globally unique two-octet number.<br>The document says that in this case =
the two-octet number is obtained by mapping the four-octet<br>number to =
the two-octet space. &nbsp;The procedure for doing this is not =
specified.<br><br>The authors identify a risk of routing loops =
developing when ambiguities develop as a<br>result of a BGP speaker =
using the old system aggregating two or more routes carrying<br>4-octet =
attributes. &nbsp;In the Security Configurations Section, the authors =
point out that an<br>attacker might be able to exploit this in a denial =
of service attack. &nbsp;They point out that it is<br>a misconfiguration =
to assign 4-octet Member AS Numbers in a BGP confederation until all BGP =
speakers<br>within the confederation have transitioned to support =
4-octet numbers.<br><br>I think that this is a good recommendation. =
&nbsp;I just have a couple of minor comments.<br><br>It's not clear to =
me what the status of &quot;misconfiguration&quot; is in the hierarchy =
of IETF.<br>Is it more like SHALL NOT or SHOULD NOT? &nbsp;Is there a =
reason why you're saying<br>&quot;misconfiguration&quot; instead of one =
of those?<br><br>I would also expect that the chance of routing loops =
arising out of conversion from 4-octet<br>to 2-octet occurring between =
confederations would be much less than of their occurring<br>within a =
confederation (although one can't know for sure without knowing what the =
4-octet<br>to 2-octet mapping is), so following the recommendations in =
the Security Considerations would<br>greatly reduce the probability of =
such a routing loop occurring. &nbsp;Is this correct?&nbsp;<br><br>Cathy =
Meadows<o:p></o:p></p><div><div><p class=3DMsoNormal><span =
style=3D'font-size:9.0pt;font-family:"Helvetica","sans-serif";color:black=
'>Catherine Meadows<br>Naval Research Laboratory<br>Code 5543<br>4555 =
Overlook Ave., S.W.<br>Washington DC, 20375<br>phone: =
202-767-3490<br>fax: 202-404-7942<br>email:&nbsp;<a =
href=3D"mailto:catherine.meadows@nrl.navy.mil">catherine.meadows@nrl.navy=
.mil</a><o:p></o:p></span></p></div></div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div></div></body></html>
------=_NextPart_000_0055_01CD6389.33DCF340--


From stbryant@cisco.com  Tue Jul 17 00:23:52 2012
Return-Path: <stbryant@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9B7311E8083; Tue, 17 Jul 2012 00:23:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.568
X-Spam-Level: 
X-Spam-Status: No, score=-110.568 tagged_above=-999 required=5 tests=[AWL=0.030, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yYgjne-y9+vj; Tue, 17 Jul 2012 00:23:50 -0700 (PDT)
Received: from ams-iport-3.cisco.com (ams-iport-3.cisco.com [144.254.224.146]) by ietfa.amsl.com (Postfix) with ESMTP id 21DE221F857A; Tue, 17 Jul 2012 00:23:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=stbryant@cisco.com; l=18222; q=dns/txt; s=iport; t=1342509876; x=1343719476; h=message-id:date:from:reply-to:mime-version:to:cc:subject: references:in-reply-to; bh=lK+d891Z0LOSdrZfwsa6kE8mkLGrWkFYxHO1b88g0tw=; b=C4AvC60v0/ZJooUWciOW2tuyp4sSoSFLAwKpNe7+V7bmCccfB3LTxJq7 k0hcZ2WRQup/BZPNAXSh7skmaWmOoYquntO7KVaI3jM5gwf01q5ewCKWt K1Q2Xqn5Dz8iTsucrSAs2sK7bEYn8GFg4E/Y2n11V4ev6XL6poMTKfgG2 Q=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhYFAPoRBVCQ/khN/2dsb2JhbAA7BwOCSoh/rhaBB4IgAQEBBBIBAhhLAQ4CCxEEAQEBCRYIBwkDAgECAQkrCQgGDQEFAgEBFQmHawucLYNIEJxPBIs6EIMWgyEDlTuOIIEEYoJggV4
X-IronPort-AV: E=Sophos;i="4.77,599,1336348800"; d="scan'208,217";a="6686239"
Received: from ams-core-4.cisco.com ([144.254.72.77]) by ams-iport-3.cisco.com with ESMTP; 17 Jul 2012 07:24:34 +0000
Received: from cisco.com (mrwint.cisco.com [64.103.70.36]) by ams-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id q6H7OYYi000396 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 17 Jul 2012 07:24:34 GMT
Received: from [IPv6:::1] (localhost [127.0.0.1]) by cisco.com (8.14.4+Sun/8.8.8) with ESMTP id q6H7OUvu008545; Tue, 17 Jul 2012 08:24:31 +0100 (BST)
Message-ID: <5005132E.9000000@cisco.com>
Date: Tue, 17 Jul 2012 08:24:30 +0100
From: Stewart Bryant <stbryant@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:13.0) Gecko/20120614 Thunderbird/13.0.1
MIME-Version: 1.0
To: "idr-chairs@tools.ietf.org" <idr-chairs@tools.ietf.org>
References: <9BA4B53E-9772-47D4-B336-3A98FAEB4045@nrl.navy.mil> <005401cd63aa$baeac2b0$30c04810$@ndzh.com>
In-Reply-To: <005401cd63aa$baeac2b0$30c04810$@ndzh.com>
Content-Type: multipart/alternative; boundary="------------040108060400060003010205"
Cc: "'Murphy, Sandra'" <Sandra.Murphy@sparta.com>, draft-ietf-idr-rfc4893bis.all@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07 (resend of a resend)
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: stbryant@cisco.com
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2012 07:23:52 -0000

This is a multi-part message in MIME format.
--------------040108060400060003010205
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Sue, John,

Is there any reason not to reword the text concerned to more
conventional format:

OLD

It is a misconfiguration to assign a non-mappable four-octet AS
    number as the "Member AS Number" in a BGP confederation before all
    the BGP speakers within the confederation have transitioned to
    support four-octet AS numbers.  Such a misconfiguration would weaken
    the AS path loop detection within a confederation.

NEW

A network operator MUST NOT assign a non-mappable four-octet AS
number as the "Member AS Number" in a BGP confederation before all
the BGP speakers within the confederation have transitioned to
support four-octet AS numbers, as such an assignment would weaken
the AS path loop detection within a confederation.

Stewart

On 17/07/2012 00:28, Susan Hares wrote:
>
> Catherine:
>
> I've read and re-read this email for a week (7/9 -- 7/16).
>
> Misconfiguration is a fact of life in networks.  Security profiles 
> must deal with this point.  We can all say you should not misconfigure 
> networks -- but life happens.  Therefore,  I'm confused by your 
> question.  I would consider it is just a security event the authors 
> pointing happens.
>
> On your second comment
>
> "I would also expect that the chance of routing loops arising out of 
> conversion from 4-octet
> to 2-octet occurring between confederations would be much less than of 
> their occurring
> within a confederation (although one can't know for sure without 
> knowing what the 4-octet
> to 2-octet mapping is), so following the recommendations in the 
> Security Considerations would
> greatly reduce the probability of such a routing loop occurring.  Is 
> this correct? "
>
> It depends if someone configures a confederation within a 
> confederation.   [see earlier comment on mis-configuration.] I've 
> copied Sandy Murphy in case as SIDR chair can put this discussion into 
> a different "security" specific light.
>
> Confused,
>
> Sue
>
> *From:*Catherine Meadows [mailto:catherine.meadows@nrl.navy.mil]
> *Sent:* Monday, July 09, 2012 2:25 PM
> *To:* iesg@ietf.org; secdir@ietf.org; 
> draft-ietf-idr-rfc4893bis.all@tools.ietf.org
> *Cc:* Catherine Meadows
> *Subject:* Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07 
> (resend of a resend)
>
> I managed to screw up the email address again.  Here it is for what I 
> hope is the last time.
>
> My apologies again to everyone who receives *three* copies of this 
> message.
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> This document describes an added capability for four-octet Autonomous 
> System
> (AS) numbers in BGP.  This is intended to  replace the older two-octet 
> AS numbers,
> since that space is filling up.
>
> In order to preserve backward compatibility, AS's using the four-octet 
> systems (called New
> BGP speakers in the document) must advertise both four-octet and 
> two-octet AS numbers.
> This is the case even if the New BGP Speaker does not have a globally 
> unique two-octet number.
> The document says that in this case the two-octet number is obtained 
> by mapping the four-octet
> number to the two-octet space.  The procedure for doing this is not 
> specified.
>
> The authors identify a risk of routing loops developing when 
> ambiguities develop as a
> result of a BGP speaker using the old system aggregating two or more 
> routes carrying
> 4-octet attributes.  In the Security Configurations Section, the 
> authors point out that an
> attacker might be able to exploit this in a denial of service attack. 
>  They point out that it is
> a misconfiguration to assign 4-octet Member AS Numbers in a BGP 
> confederation until all BGP speakers
> within the confederation have transitioned to support 4-octet numbers.
>
> I think that this is a good recommendation.  I just have a couple of 
> minor comments.
>
> It's not clear to me what the status of "misconfiguration" is in the 
> hierarchy of IETF.
> Is it more like SHALL NOT or SHOULD NOT?  Is there a reason why you're 
> saying
> "misconfiguration" instead of one of those?
>
> I would also expect that the chance of routing loops arising out of 
> conversion from 4-octet
> to 2-octet occurring between confederations would be much less than of 
> their occurring
> within a confederation (although one can't know for sure without 
> knowing what the 4-octet
> to 2-octet mapping is), so following the recommendations in the 
> Security Considerations would
> greatly reduce the probability of such a routing loop occurring.  Is 
> this correct?
>
> Cathy Meadows
>
> Catherine Meadows
> Naval Research Laboratory
> Code 5543
> 4555 Overlook Ave., S.W.
> Washington DC, 20375
> phone: 202-767-3490
> fax: 202-404-7942
> email: catherine.meadows@nrl.navy.mil 
> <mailto:catherine.meadows@nrl.navy.mil>
>


-- 
For corporate legal information go to:

http://www.cisco.com/web/about/doing_business/legal/cri/index.html


--------------040108060400060003010205--
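
Added example, not part of the thread or of the draft: a small Python model of why the NEW text above matters, following a route around a three-member confederation and back to its origin. AS_TRANS (23456) and the rule that AS4_PATH cannot carry confederation segments are taken from RFC 4893 rather than from these messages; the member AS numbers, the Speaker class and the function names are constructed for illustration.

```python
AS_TRANS = 23456        # two-octet placeholder for non-mappable ASNs (RFC 4893)
MAX_TWO_OCTET = 0xFFFF


def is_mappable(asn):
    """True if a four-octet AS number also fits in the two-octet space."""
    return 0 <= asn <= MAX_TWO_OCTET


class Speaker:
    """One BGP speaker inside a confederation (hypothetical model class)."""

    def __init__(self, name, member_as, new):
        if not new and not is_mappable(member_as):
            raise ValueError("an OLD speaker cannot be given a four-octet AS")
        self.name, self.member_as, self.new = name, member_as, new

    def send(self, confed_seq, peer):
        """AS_CONFED_SEQUENCE as it appears on the wire toward peer."""
        path = [self.member_as] + list(confed_seq)
        if self.new and peer.new:
            return path                      # four-octet AS_PATH, nothing lost
        # Two-octet AS_PATH: each non-mappable number is sent as AS_TRANS.
        # AS4_PATH must not carry confederation segments, so the real member
        # AS number is not preserved anywhere in the UPDATE.
        return [asn if is_mappable(asn) else AS_TRANS for asn in path]

    def detects_loop(self, confed_seq):
        """Confederation loop check: is my own Member AS Number in the path?"""
        return self.member_as in confed_seq


def send_around(speakers):
    """Carry a route from speakers[0] through each member AS and back.

    Returns (path received back at the origin, whether the origin detects
    the loop). Intermediate speakers appear once each, so only the origin's
    check can fire.
    """
    hops = list(speakers) + [speakers[0]]
    path = []
    for sender, receiver in zip(hops, hops[1:]):
        path = sender.send(path, receiver)
    return path, speakers[0].detects_loop(path)


def rule_violations(speakers):
    """Member AS Numbers that break the proposed MUST NOT: non-mappable
    while at least one speaker in the confederation is still OLD."""
    if all(s.new for s in speakers):
        return []
    return sorted({s.member_as for s in speakers if not is_mappable(s.member_as)})


def confederation(origin_member_as, middle_is_new):
    """Constructed three-member ring: A -> B -> C -> A."""
    return [
        Speaker("A", origin_member_as, new=True),
        Speaker("B", 64513, new=middle_is_new),
        Speaker("C", 64514, new=True),
    ]


if __name__ == "__main__":
    cases = {
        "non-mappable member AS, B still OLD": confederation(70000, False),
        "mappable member AS, B still OLD": confederation(64512, False),
        "non-mappable member AS, all NEW": confederation(70000, True),
    }
    for label, ring in cases.items():
        path, caught = send_around(ring)
        print(f"{label}: path={path} loop_detected={caught} "
              f"violations={rule_violations(ring)}")
```

Only the first case loses the loop: speaker A's Member AS Number comes back as AS_TRANS, so its own check no longer matches, and rule_violations flags exactly that configuration.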

From jgs@juniper.net  Tue Jul 17 07:38:30 2012
Return-Path: <jgs@juniper.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB46621F85CE; Tue, 17 Jul 2012 07:38:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.49
X-Spam-Level: 
X-Spam-Status: No, score=-6.49 tagged_above=-999 required=5 tests=[AWL=0.109,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tHKrw22jbXjc; Tue, 17 Jul 2012 07:38:29 -0700 (PDT)
Received: from exprod7og111.obsmtp.com (exprod7og111.obsmtp.com [64.18.2.175]) by ietfa.amsl.com (Postfix) with ESMTP id 9158C21F85C2; Tue, 17 Jul 2012 07:38:15 -0700 (PDT)
Received: from P-EMHUB02-HQ.jnpr.net ([66.129.224.36]) (using TLSv1) by exprod7ob111.postini.com ([64.18.6.12]) with SMTP ID DSNKUAV5B8s6cD/1XhytBxDms9ECglAoUvgJ@postini.com; Tue, 17 Jul 2012 07:39:17 PDT
Received: from sa-nc-finance-32.static.jnpr.net (172.23.5.32) by P-EMHUB02-HQ.jnpr.net (172.24.192.33) with Microsoft SMTP Server id 8.3.213.0; Tue, 17 Jul 2012 07:37:31 -0700
MIME-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset="windows-1252"
From: "John G. Scudder" <jgs@juniper.net>
In-Reply-To: <5005132E.9000000@cisco.com>
Date: Tue, 17 Jul 2012 07:37:31 -0700
Content-Transfer-Encoding: quoted-printable
Message-ID: <F71E3EEE-3082-47F9-961C-7B78EED4A4A6@juniper.net>
References: <9BA4B53E-9772-47D4-B336-3A98FAEB4045@nrl.navy.mil> <005401cd63aa$baeac2b0$30c04810$@ndzh.com> <5005132E.9000000@cisco.com>
To: "stbryant@cisco.com" <stbryant@cisco.com>
X-Mailer: Apple Mail (2.1278)
X-Mailman-Approved-At: Tue, 17 Jul 2012 07:39:56 -0700
Cc: "secdir@ietf.org" <secdir@ietf.org>, "'Murphy, Sandra'" <Sandra.Murphy@sparta.com>, "idr-chairs@tools.ietf.org" <idr-chairs@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-idr-rfc4893bis.all@tools.ietf.org" <draft-ietf-idr-rfc4893bis.all@tools.ietf.org>
Subject: Re: [secdir] Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07 (resend of a resend)
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2012 14:38:30 -0000

Stewart,

I'm fine with the text you propose.

(I do find it a little odd to have this text -- either old or new -- in =
the Security section since routing loops aren't normally thought of as a =
security issue unless maliciously triggered -- which this one isn't =
described as being. So I would also be fine with changing the text but =
moving it to a different section. But that is quibbling.)

--John

On Jul 17, 2012, at 12:24 AM, Stewart Bryant wrote:

> Sue, John,
>=20
> Is there any reason not to reword the text concerned to more
> conventional format:
>=20
> OLD
> It is a misconfiguration to assign a non-mappable four-octet AS
>    number as the "Member AS Number" in a BGP confederation before all
>    the BGP speakers within the confederation have transitioned to
>    support four-octet AS numbers.  Such a misconfiguration would =
weaken
>    the AS path loop detection within a confederation.
>=20
> NEW
>=20
> A network operator MUST NOT assign a non-mappable four-octet AS=20
> number as the "Member AS Number" in a BGP confederation before all=20
> the BGP speakers within the confederation have transitioned to=20
> support four-octet AS numbers, as such an assignment would weaken=20
> the AS path loop detection within a confederation.=20
>=20
> Stewart
>=20
> On 17/07/2012 00:28, Susan Hares wrote:
>> Catherine:
>> =20
>> I=92ve read and re-read this email for a week (7/9 =96 7/16).
>> =20
>> Misconfiguration is a fact of life in networks.  Security profiles =
must deal with this point.  We can all say you should not misconfigure =
networks =96 but life happens.  Therefore,  I=92m confused by your =
question.  I would consider it is just a security event the authors =
pointing happens.
>> =20
>> On your second comment
>> =20
>> =93I would also expect that the chance of routing loops arising out of =
conversion from 4-octet
>> to 2-octet occurring between confederations would be much less than =
of their occurring
>> within a confederation (although one can't know for sure without =
knowing what the 4-octet
>> to 2-octet mapping is), so following the recommendations in the =
Security Considerations would
>> greatly reduce the probability of such a routing loop occurring.  Is =
this correct? =93
>> =20
>> It depends if someone configures a confederation within a =
confederation.   [see earlier comment on mis-configuration.] I=92ve =
copied Sandy Murphy in case as SIDR chair can put this discussion into a =
different =93security=94 specific light.=20
>> =20
>> Confused,
>> =20
>> Sue
>> =20
>> =20
>> From: Catherine Meadows [mailto:catherine.meadows@nrl.navy.mil]=20
>> Sent: Monday, July 09, 2012 2:25 PM
>> To: iesg@ietf.org; secdir@ietf.org; =
draft-ietf-idr-rfc4893bis.all@tools.ietf.org
>> Cc: Catherine Meadows
>> Subject: Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07 =
(resend of a resend)
>> =20
>> I managed to screw up the email address again.  Here it is for what I =
hope is the last time.
>> My apologies again to everyone who receives *three* copies of this =
message.
>> =20
>> I have reviewed this document as part of the security directorate's=20=

>> ongoing effort to review all IETF documents being processed by the=20
>> IESG.  These comments were written primarily for the benefit of the=20=

>> security area directors.  Document editors and WG chairs should treat=20=

>> these comments just like any other last call comments.
>>=20
>> This document describes an added capability for four-octet Autonomous =
System
>> (AS) numbers in BGP.  This is intended to  replace the older =
two-octet AS numbers,
>> since that space is filling up.
>>=20
>> In order to preserve backward compatibility, AS's using the =
four-octet systems (called New
>> BGP speakers in the document) must advertise both four-octet and =
two-octet AS numbers.
>> This is the case even if the New BGP Speaker does not have a globally =
unique two-octet number.
>> The document says that in this case the two-octet number is obtained =
by mapping the four-octet
>> number to the two-octet space.  The procedure for doing this is not =
specified.
>>=20
>> The authors identify a risk of routing loops developing when =
ambiguities develop as a
>> result of a BGP speaker using the old system aggregating two or more =
routes carrying
>> 4-octet attributes.  In the Security Configurations Section, the =
authors point out that an
>> attacker might be able to exploit this in a denial of service attack. =
 They point out that it is
>> a misconfiguration to assign 4-octet Member AS Numbers in a BGP =
confederation until all BGP speakers
>> within the confederation have transitioned to support 4-octet =
numbers.
>>=20
>> I think that this is a good recommendation.  I just have a couple of =
minor comments.
>>=20
>> It's not clear to me what the status of "misconfiguration" is in the =
hierarchy of IETF.
>> Is it more like SHALL NOT or SHOULD NOT?  Is there a reason why =
you're saying
>> "misconfiguration" instead of one of those?
>>=20
>> I would also expect that the chance of routing loops arising out of =
conversion from 4-octet
>> to 2-octet occurring between confederations would be much less than =
of their occurring
>> within a confederation (although one can't know for sure without =
knowing what the 4-octet
>> to 2-octet mapping is), so following the recommendations in the =
Security Considerations would
>> greatly reduce the probability of such a routing loop occurring.  Is =
this correct?=20
>>=20
>> Cathy Meadows
>> Catherine Meadows
>> Naval Research Laboratory
>> Code 5543
>> 4555 Overlook Ave., S.W.
>> Washington DC, 20375
>> phone: 202-767-3490
>> fax: 202-404-7942
>> email: catherine.meadows@nrl.navy.mil
>> =20
>=20
>=20
> --=20
> For corporate legal information go to:
>=20
>=20
> http://www.cisco.com/web/about/doing_business/legal/cri/index.html
>=20
>=20
>=20


From afarrel@juniper.net  Tue Jul 17 07:43:45 2012
From: "Adrian Farrel" <afarrel@juniper.net>
To: "'John G. Scudder'" <jgs@juniper.net>, <stbryant@cisco.com>
References: <9BA4B53E-9772-47D4-B336-3A98FAEB4045@nrl.navy.mil>	<005401cd63aa$baeac2b0$30c04810$@ndzh.com>	<5005132E.9000000@cisco.com> <F71E3EEE-3082-47F9-961C-7B78EED4A4A6@juniper.net>
In-Reply-To: <F71E3EEE-3082-47F9-961C-7B78EED4A4A6@juniper.net>
Date: Tue, 17 Jul 2012 15:44:24 +0100
Message-ID: <076b01cd642a$a9de13c0$fd9a3b40$@juniper.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJKmuJjwEjeN+Alq24qu8oI3WgY1gDXd0BoAZu+ckcBR6c4qpYVR7ow
Content-Language: en-gb
Cc: secdir@ietf.org, "'Murphy, Sandra'" <Sandra.Murphy@sparta.com>, idr-chairs@tools.ietf.org, iesg@ietf.org, draft-ietf-idr-rfc4893bis.all@tools.ietf.org
Subject: Re: [secdir] Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07 (resend of a resend)
Reply-To: afarrel@juniper.net

Quibble away. It is what you are paid for.
I think you make a good point about the location of the text.
A

> -----Original Message-----
> From: iesg-bounces@ietf.org [mailto:iesg-bounces@ietf.org] On Behalf Of John
> G. Scudder
> Sent: 17 July 2012 15:38
> To: stbryant@cisco.com
> Cc: secdir@ietf.org; 'Murphy, Sandra'; idr-chairs@tools.ietf.org;
> iesg@ietf.org; 'Catherine Meadows';
> draft-ietf-idr-rfc4893bis.all@tools.ietf.org
> Subject: Re: Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07
> (resend of a resend)
> 
> Stewart,
> 
> I'm fine with the text you propose.
> 
> (I do find it a little odd to have this text -- either old or new -- in the
> Security section since routing loops aren't normally thought of as a security
> issue unless maliciously triggered -- which this one isn't described as
> being. So I would also be fine with changing the text but moving it to a
> different section. But that is quibbling.)
> 
> --John
> 
> On Jul 17, 2012, at 12:24 AM, Stewart Bryant wrote:
> 
> > Sue, John,
> >
> > Is there any reason not to reword the text concerned to more
> > conventional format:
> >
> > OLD
> > It is a misconfiguration to assign a non-mappable four-octet AS
> >    number as the "Member AS Number" in a BGP confederation before all
> >    the BGP speakers within the confederation have transitioned to
> >    support four-octet AS numbers.  Such a misconfiguration would weaken
> >    the AS path loop detection within a confederation.
> >
> > NEW
> >
> > A network operator MUST NOT assign a non-mappable four-octet AS
> > number as the "Member AS Number" in a BGP confederation before all
> > the BGP speakers within the confederation have transitioned to
> > support four-octet AS numbers, as such an assignment would weaken
> > the AS path loop detection within a confederation.
> >
> > Stewart
> >
> > On 17/07/2012 00:28, Susan Hares wrote:
> >> Catherine:
> >>
> >> I've read and re-read this email for a week (7/9 - 7/16).
> >>
> >> Misconfiguration is a fact of life in networks.  Security profiles must
> >> deal with this point.  We can all say you should not misconfigure networks -
> >> but life happens.  Therefore,  I'm confused by your question.  I would
> >> consider it is just a security event the authors pointing happens.
> >>
> >> On your second comment
> >>
> >> "I would also expect that the chance of routing loops arising out
> >> conversion from 4-octet to 2-octet occurring between confederations
> >> would be much less than of their occurring within a confederation
> >> (although one can't know for sure without knowing what the 4-octet to
> >> 2-octet mapping is), so following the recommendations in the Security
> >> Considerations would greatly reduce the probability of such a routing
> >> loop occurring.  Is this correct? "
> >>
> >> It depends if someone configures a confederation within a confederation.
> >> [see earlier comment on mis-configuration.] I've copied Sandy Murphy in case
> >> as SIDR chair can put this discussion into a different "security" specific
> >> light.
> >>
> >> Confused,
> >>
> >> Sue
> >>
> >>
> >> From: Catherine Meadows [mailto:catherine.meadows@nrl.navy.mil]
> >> Sent: Monday, July 09, 2012 2:25 PM
> >> To: iesg@ietf.org; secdir@ietf.org;
> >> draft-ietf-idr-rfc4893bis.all@tools.ietf.org
> >> Cc: Catherine Meadows
> >> Subject: Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07
> >> (resend of a resend)
> >>
> >> I managed to screw up the email address again.  Here it is for what I
> >> hope is the last time.
> >> My apologies again to everyone who receives *three* copies of this message.
> >>
> >> I have reviewed this document as part of the security directorate's
> >> ongoing effort to review all IETF documents being processed by the
> >> IESG.  These comments were written primarily for the benefit of the
> >> security area directors.  Document editors and WG chairs should treat
> >> these comments just like any other last call comments.
> >>
> >> This document describes an added capability for four-octet Autonomous
> >> System (AS) numbers in BGP.  This is intended to  replace the older
> >> two-octet AS numbers, since that space is filling up.
> >>
> >> In order to preserve backward compatibility, AS's using the four-octet
> >> systems (called New BGP speakers in the document) must advertise both
> >> four-octet and two-octet AS numbers.
> >> This is the case even if the New BGP Speaker does not have a globally
> >> unique two-octet number.
> >> The document says that in this case the two-octet number is obtained by
> >> mapping the four-octet number to the two-octet space.  The procedure for
> >> doing this is not specified.
> >>
> >> The authors identify a risk of routing loops developing when ambiguities
> >> develops as a result of a BGP speaker using the old system aggregating
> >> two or more routes carrying 4-octet attributes.  In the Security
> >> Configurations Section, the authors point out that an attacker might be
> >> able to exploit this in a denial of service attack.  They point out that
> >> it is a misconfiguration to assign 4-octet Member AS Numbers in a BGP
> >> confederation until all BGP speakers within the confederation have
> >> transitioned to support 4-octet numbers.
> >>
> >> I think that this is a good recommendation.  I just have a couple of
> >> minor comments.
> >>
> >> It's not clear to me what the status of "misconfiguration" is in the
> >> hierarchy of IETF.
> >> Is it more like SHALL NOT or SHOULD NOT?  Is there a reason why you're
> >> saying "misconfiguration" instead of one of those?
> >>
> >> I would also expect that the chance of routing loops arising out
> >> conversion from 4-octet to 2-octet occurring between confederations
> >> would be much less than of their occurring within a confederation
> >> (although one can't know for sure without knowing what the 4-octet to
> >> 2-octet mapping is), so following the recommendations in the Security
> >> Considerations would greatly reduce the probability of such a routing
> >> loop occurring.  Is this correct?
> >>
> >> Cathy Meadows
> >> Catherine Meadows
> >> Naval Research Laboratory
> >> Code 5543
> >> 4555 Overlook Ave., S.W.
> >> Washington DC, 20375
> >> phone: 202-767-3490
> >> fax: 202-404-7942
> >> email: catherine.meadows@nrl.navy.mil
> >>
> >
> >
> > --
> > For corporate legal information go to:
> >
> >
> > http://www.cisco.com/web/about/doing_business/legal/cri/index.html
> >
> >
> >


From adrian@olddog.co.uk  Tue Jul 17 08:43:26 2012
From: "Adrian Farrel" <adrian@olddog.co.uk>
To: "'Susan Hares'" <shares@ndzh.com>, "'John G. Scudder'" <jgs@juniper.net>,  <stbryant@cisco.com>
References: <9BA4B53E-9772-47D4-B336-3A98FAEB4045@nrl.navy.mil>	<005401cd63aa$baeac2b0$30c04810$@ndzh.com>	<5005132E.9000000@cisco.com>	<F71E3EEE-3082-47F9-961C-7B78EED4A4A6@juniper.net> <001301cd6431$87944a30$96bcde90$@ndzh.com>
In-Reply-To: <001301cd6431$87944a30$96bcde90$@ndzh.com>
Date: Tue, 17 Jul 2012 16:44:07 +0100
Message-ID: <079e01cd6433$00f04b30$02d0e190$@olddog.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJKmuJjwEjeN+Alq24qu8oI3WgY1gDXd0BoAZu+ckcBR6c4qgLA7Guwlf9QZyA=
Content-Language: en-gb
Cc: secdir@ietf.org, "'Murphy, Sandra'" <Sandra.Murphy@sparta.com>, idr-chairs@tools.ietf.org, iesg@ietf.org, draft-ietf-idr-rfc4893bis.all@tools.ietf.org
Subject: Re: [secdir] Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07 (resend of a resend)
Reply-To: adrian@olddog.co.uk

IMHO, you are right Sue. Stating "MUST NOT" in a specification does not prevent
something from happening.
Using "MUST NOT" for a specification is fine because we can test for conformance
to that and strike an implementation that does not respect the language.
Using "MUST NOT" in a description of an operator process is not as strong or
useful. 

I think that "weakening" loop detection is a bad thing, but it is also a price
an operator might want to pay to get moved to 4byte AS numbers quickly when a
few corner boxes might take another 12 months to be upgraded. 

I agree with John that the text is not security-related.

So, I would rephrase and reposition the text.
- Do explain the risk of switching to 4bytes before everyone is upgraded.
- Do explain the boundaries to the risk
- Do expect operators to consider the implications
- Don't mandate what an operator does in the privacy of their own bedroom

A



> -----Original Message-----
> From: iesg-bounces@ietf.org [mailto:iesg-bounces@ietf.org] On Behalf Of Susan
> Hares
> Sent: 17 July 2012 16:34
> To: 'John G. Scudder'; stbryant@cisco.com
> Cc: secdir@ietf.org; 'Murphy, Sandra'; idr-chairs@tools.ietf.org;
> iesg@ietf.org; 'Catherine Meadows';
> draft-ietf-idr-rfc4893bis.all@tools.ietf.org
> Subject: RE: Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07
> (resend of a resend)
> 
> John and Stuart:
> 
> This is an acceptable text, and we can go on with this draft.
> 
> However,  my question to Catherine was substantive.  I wish to discuss with
> the Routing AD(s), Security people, and Benoit/Ron to understand the
> Routing/Operational issues.
> 
> "Must Not" configure is unrealistic.  People misconfigure. Yankee Group and
> other research houses places have indicated year-on-year 15-30% outages are
> caused by this misconfigured.  It's like the statement "stuff happens."
> Stating "Must not" is like spitting into the wind.  You end up with stuff on
> your face.  What is the security area stating?  How does this review match
> with the path validation/security in SIDR.
> 
> Can we get Catherine or other security people to respond to my question?
> Cross-area review is useful to find wholes in our process and our
> assumptions.  I want to make sure I understand the valuable technical
> feedback the security review is providing.
> 
> 
> Sue
> 
> -----Original Message-----
> From: John G. Scudder [mailto:jgs@juniper.net]
> Sent: Tuesday, July 17, 2012 10:38 AM
> To: stbryant@cisco.com
> Cc: idr-chairs@tools.ietf.org; 'Catherine Meadows'; iesg@ietf.org;
> secdir@ietf.org; draft-ietf-idr-rfc4893bis.all@tools.ietf.org; 'Murphy,
> Sandra'
> Subject: Re: Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07
> (resend of a resend)
> 
> Stewart,
> 
> I'm fine with the text you propose.
> 
> (I do find it a little odd to have this text -- either old or new -- in the
> Security section since routing loops aren't normally thought of as a security
> issue unless maliciously triggered -- which this one isn't described as
> being. So I would also be fine with changing the text but moving it to a
> different section. But that is quibbling.)
> 
> --John
> 
> On Jul 17, 2012, at 12:24 AM, Stewart Bryant wrote:
> 
> > Sue, John,
> >
> > Is there any reason not to reword the text concerned to more
> > conventional format:
> >
> > OLD
> > It is a misconfiguration to assign a non-mappable four-octet AS
> >    number as the "Member AS Number" in a BGP confederation before all
> >    the BGP speakers within the confederation have transitioned to
> >    support four-octet AS numbers.  Such a misconfiguration would weaken
> >    the AS path loop detection within a confederation.
> >
> > NEW
> >
> 
> > A network operator MUST NOT assign a non-mappable four-octet AS number
> > as the "Member AS Number" in a BGP confederation before all the BGP
> > speakers within the confederation have transitioned to support
> > four-octet AS numbers, as such an assignment would weaken the AS path
> > loop detection within a confederation.
> >
> > Stewart
> >
> > On 17/07/2012 00:28, Susan Hares wrote:
> >> Catherine:
> >>
> >> I've read and re-read this email for a week (7/9 - 7/16).
> >>
> >> Misconfiguration is a fact of life in networks.  Security profiles must
> >> deal with this point.  We can all say you should not misconfigure networks -
> >> but life happens.  Therefore,  I'm confused by your question.  I would
> >> consider it is just a security event the authors pointing happens.
> >>
> >> On your second comment
> >>
> >> "I would also expect that the chance of routing loops arising out
> >> conversion from 4-octet to 2-octet occurring between confederations
> >> would be much less than of their occurring within a confederation
> >> (although one can't know for sure without knowing what the 4-octet to
> >> 2-octet mapping is), so following the recommendations in the Security
> >> Considerations would greatly reduce the probability of such a routing
> >> loop occurring.  Is this correct? "
> >>
> >> It depends if someone configures a confederation within a confederation.
> >> [see earlier comment on mis-configuration.] I've copied Sandy Murphy in case
> >> as SIDR chair can put this discussion into a different "security" specific
> >> light.
> >>
> >> Confused,
> >>
> >> Sue
> >>
> >>
> >> From: Catherine Meadows [mailto:catherine.meadows@nrl.navy.mil]
> >> Sent: Monday, July 09, 2012 2:25 PM
> >> To: iesg@ietf.org; secdir@ietf.org;
> >> draft-ietf-idr-rfc4893bis.all@tools.ietf.org
> >> Cc: Catherine Meadows
> >> Subject: Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07
> >> (resend of a resend)
> >>
> >> I managed to screw up the email address again.  Here it is for what I
> >> hope is the last time.
> >> My apologies again to everyone who receives *three* copies of this
> >> message.
> >>
> >> I have reviewed this document as part of the security directorate's
> >> ongoing effort to review all IETF documents being processed by the
> >> IESG.  These comments were written primarily for the benefit of the
> >> security area directors.  Document editors and WG chairs should treat
> >> these comments just like any other last call comments.
> >>
> >> This document describes an added capability for four-octet Autonomous
> >> System
> >> (AS) numbers in BGP.  This is intended to  replace the older
> >> two-octet AS numbers, since that space is filling up.
> >>
> >> In order to preserve backward compatibility, AS's using the
> >> four-octet systems (called New BGP speakers in the document) must
> >> advertise both four-octet and two-octet AS numbers.
> >> This is the case even if the New BGP Speaker does not have a globally
> >> unique two-octet number.
> >> The document says that in this case the two-octet number is obtained
> >> by mapping the four-octet number to the two-octet space.  The procedure
> >> for doing this is not specified.
> >>
> >> The authors identify a risk of routing loops developing when
> >> ambiguities develops as a result of a BGP speaker using the old
> >> system aggregating two or more routes carrying 4-octet attributes.
> >> In the Security Configurations Section, the authors point out that an
> >> attacker might be able to exploit this in a denial of service attack.
> >> They point out that it is a misconfiguration to assign 4-octet Member AS
> >> Numbers in a BGP confederation until all BGP speakers within the
> >> confederation have transitioned to support 4-octet numbers.
> >>
> >> I think that this is a good recommendation.  I just have a couple of
> >> minor comments.
> >>
> >> It's not clear to me what the status of "misconfiguration" is in the
> >> hierarchy of IETF.
> >> Is it more like SHALL NOT or SHOULD NOT?  Is there a reason why
> >> you're saying "misconfiguration" instead of one of those?
> >>
> >> I would also expect that the chance of routing loops arising out
> >> conversion from 4-octet to 2-octet occurring between confederations
> >> would be much less than of their occurring within a confederation
> >> (although one can't know for sure without knowing what the 4-octet to
> >> 2-octet mapping is), so following the recommendations in the Security
> >> Considerations would greatly reduce the probability of such a routing loop
> >> occurring.  Is this correct?
> >>
> >> Cathy Meadows
> >> Catherine Meadows
> >> Naval Research Laboratory
> >> Code 5543
> >> 4555 Overlook Ave., S.W.
> >> Washington DC, 20375
> >> phone: 202-767-3490
> >> fax: 202-404-7942
> >> email: catherine.meadows@nrl.navy.mil
> >>
> >
> >
> > --
> > For corporate legal information go to:
> >
> >
> > http://www.cisco.com/web/about/doing_business/legal/cri/index.html
> >
> >
> >
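
The risk under discussion, as an added sketch that is not part of any message in this thread or of the draft. It assumes the RFC 4893 behaviour that a NEW speaker substitutes AS_TRANS (23456) for a non-mappable number when talking to an OLD speaker and that confederation segments are not carried in AS4_PATH; the inventory format, function names and AS numbers are constructed for illustration.

```python
"""Added illustration (not from the thread or the draft): how a non-mappable
Member AS Number defeats confederation loop detection while a two-octet-only
(OLD) speaker is still in the path, plus an inventory check for that state."""

AS_TRANS = 23456        # RFC 4893 stand-in for a non-mappable AS number
MAX_TWO_OCTET = 0xFFFF


def is_mappable(asn: int) -> bool:
    """A four-octet AS number is mappable if it fits in two octets."""
    return 0 <= asn <= MAX_TWO_OCTET


def encode_for_old_peer(confed_sequence):
    """AS_CONFED_SEQUENCE as a NEW speaker sends it to an OLD peer.

    Non-mappable entries become AS_TRANS. Confederation segments are not
    carried in AS4_PATH, so the real member AS number is not recoverable.
    """
    return [asn if is_mappable(asn) else AS_TRANS for asn in confed_sequence]


def loop_detected(local_member_as, confed_sequence):
    """Confederation loop check: is our own Member AS Number in the path?"""
    return local_member_as in confed_sequence


def round_trip_via_old_speaker(origin_member_as, old_member_as):
    """A route leaves origin_member_as, crosses an OLD speaker in
    old_member_as, and is advertised back toward the origin member AS.
    Returns the path seen on return and whether the loop is caught."""
    sent = encode_for_old_peer([origin_member_as])
    returned = [old_member_as] + sent      # OLD speaker prepends its member AS
    return returned, loop_detected(origin_member_as, returned)


def audit_confederation(speakers):
    """Flag each non-mappable Member AS Number in a confederation that still
    contains OLD speakers. `speakers` is a list of dicts with the keys
    name, member_as and four_octet (a hypothetical inventory format)."""
    old = sorted(s["name"] for s in speakers if not s["four_octet"])
    if not old:
        return []
    risky = sorted({s["member_as"] for s in speakers
                    if not is_mappable(s["member_as"])})
    return [{"member_as": asn, "blocked_by": old} for asn in risky]


# Constructed inventory: 64512/64513 are private two-octet numbers,
# 65536/65537 are four-octet documentation numbers (RFC 5398).
SAMPLE_CONFEDERATION = [
    {"name": "r1", "member_as": 64512, "four_octet": False},
    {"name": "r2", "member_as": 64513, "four_octet": True},
    {"name": "r3", "member_as": 65536, "four_octet": True},
    {"name": "r4", "member_as": 65537, "four_octet": True},
]

if __name__ == "__main__":
    for origin in (64513, 65536):
        path, caught = round_trip_via_old_speaker(origin, 64512)
        print(f"member AS {origin}: returned path {path}, loop caught: {caught}")
    # Two distinct member ASes collapse to the same value on the wire.
    print(encode_for_old_peer([65536, 65537]))
    for finding in audit_confederation(SAMPLE_CONFEDERATION):
        print("finding:", finding)
```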



From shares@ndzh.com  Tue Jul 17 08:32:52 2012
From: "Susan Hares" <shares@ndzh.com>
To: "'John G. Scudder'" <jgs@juniper.net>, <stbryant@cisco.com>
References: <9BA4B53E-9772-47D4-B336-3A98FAEB4045@nrl.navy.mil> <005401cd63aa$baeac2b0$30c04810$@ndzh.com> <5005132E.9000000@cisco.com> <F71E3EEE-3082-47F9-961C-7B78EED4A4A6@juniper.net>
In-Reply-To: <F71E3EEE-3082-47F9-961C-7B78EED4A4A6@juniper.net>
Date: Tue, 17 Jul 2012 11:33:34 -0400
Message-ID: <001301cd6431$87944a30$96bcde90$@ndzh.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJKmuJjwEjeN+Alq24qu8oI3WgY1gDXd0BoAZu+ckcBR6c4qpYVS+ug
Content-Language: en-us
X-Authenticated-User: skh@ndzh.com 
X-Mailman-Approved-At: Tue, 17 Jul 2012 08:45:04 -0700
Cc: secdir@ietf.org, "'Murphy, Sandra'" <Sandra.Murphy@sparta.com>, idr-chairs@tools.ietf.org, iesg@ietf.org, draft-ietf-idr-rfc4893bis.all@tools.ietf.org
Subject: Re: [secdir] Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07 (resend of a resend)

John and Stuart:

This is an acceptable text, and we can go on with this draft.

However,  my question to Catherine was substantive.  I wish to discuss with
the Routing AD(s), Security people, and Benoit/Ron to understand the
Routing/Operational issues.  

"Must Not" configure is unrealistic.  People misconfigure. Yankee Group and
other research houses places have indicated year-on-year 15-30% outages are
caused by this misconfigured.  It's like the statement "stuff happens."
Stating "Must not" is like spitting into the wind.  You end up with stuff on
your face.  What is the security area stating?  How does this review match
with the path validation/security in SIDR.   

Can we get Catherine or other security people to respond to my question?
Cross-area review is useful to find wholes in our process and our
assumptions.  I want to make sure I understand the valuable technical
feedback the security review is providing. 


Sue 

-----Original Message-----
From: John G. Scudder [mailto:jgs@juniper.net] 
Sent: Tuesday, July 17, 2012 10:38 AM
To: stbryant@cisco.com
Cc: idr-chairs@tools.ietf.org; 'Catherine Meadows'; iesg@ietf.org;
secdir@ietf.org; draft-ietf-idr-rfc4893bis.all@tools.ietf.org; 'Murphy,
Sandra'
Subject: Re: Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07
(resend of a resend)

Stewart,

I'm fine with the text you propose.

(I do find it a little odd to have this text -- either old or new -- in the
Security section since routing loops aren't normally thought of as a security
issue unless maliciously triggered -- which this one isn't described as
being. So I would also be fine with changing the text but moving it to a
different section. But that is quibbling.)

--John

On Jul 17, 2012, at 12:24 AM, Stewart Bryant wrote:

> Sue, John,
> 
> Is there any reason not to reword the text concerned to more 
> conventional format:
> 
> OLD
> It is a misconfiguration to assign a non-mappable four-octet AS
>    number as the "Member AS Number" in a BGP confederation before all
>    the BGP speakers within the confederation have transitioned to
>    support four-octet AS numbers.  Such a misconfiguration would weaken
>    the AS path loop detection within a confederation.
> 
> NEW
> 

> A network operator MUST NOT assign a non-mappable four-octet AS number 
> as the "Member AS Number" in a BGP confederation before all the BGP 
> speakers within the confederation have transitioned to support 
> four-octet AS numbers, as such an assignment would weaken the AS path 
> loop detection within a confederation.
> 
> Stewart
> 
> On 17/07/2012 00:28, Susan Hares wrote:
>> Catherine:
>>  
>> I've read and re-read this email for a week (7/9 - 7/16).
>>  
>> Misconfiguration is a fact of life in networks.  Security profiles must
>> deal with this point.  We can all say you should not misconfigure networks -
>> but life happens.  Therefore,  I'm confused by your question.  I would
>> consider it is just a security event the authors pointing happens.
>>  
>> On your second comment
>>  
>> "I would also expect that the chance of routing loops arising out 
>> conversion from 4-octet to 2-octet occurring between confederations 
>> would be much less than of their occurring within a confederation 
>> (although one can't know for sure without knowing what the 4-octet to 
>> 2-octet mapping is), so following the recommendations in the Security 
>> Considerations would greatly reduce the probability of such a routing 
>> loop occurring.  Is this correct? "
>>  
>> It depends if someone configures a confederation within a confederation.
>> [see earlier comment on mis-configuration.] I've copied Sandy Murphy in case
>> as SIDR chair can put this discussion into a different "security" specific
>> light.
>>  
>> Confused,
>>  
>> Sue
>>  
>>  
>> From: Catherine Meadows [mailto:catherine.meadows@nrl.navy.mil]
>> Sent: Monday, July 09, 2012 2:25 PM
>> To: iesg@ietf.org; secdir@ietf.org; 
>> draft-ietf-idr-rfc4893bis.all@tools.ietf.org
>> Cc: Catherine Meadows
>> Subject: Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07 
>> (resend of a resend)
>>  
>> I managed to screw up the email address again.  Here it is for what I
>> hope is the last time.
>> My apologies again to everyone who receives *three* copies of this
>> message.
>>  
>> I have reviewed this document as part of the security directorate's 
>> ongoing effort to review all IETF documents being processed by the 
>> IESG.  These comments were written primarily for the benefit of the 
>> security area directors.  Document editors and WG chairs should treat 
>> these comments just like any other last call comments.
>> 
>> This document describes an added capability for four-octet Autonomous 
>> System
>> (AS) numbers in BGP.  This is intended to  replace the older 
>> two-octet AS numbers, since that space is filling up.
>> 
>> In order to preserve backward compatibility, AS's using the 
>> four-octet systems (called New BGP speakers in the document) must
>> advertise both four-octet and two-octet AS numbers.
>> This is the case even if the New BGP Speaker does not have a globally
>> unique two-octet number.
>> The document says that in this case the two-octet number is obtained
>> by mapping the four-octet number to the two-octet space.  The procedure
>> for doing this is not specified.
>>
>> The authors identify a risk of routing loops developing when
>> ambiguities develops as a result of a BGP speaker using the old
>> system aggregating two or more routes carrying 4-octet attributes.
>> In the Security Configurations Section, the authors point out that an
>> attacker might be able to exploit this in a denial of service attack.
>> They point out that it is a misconfiguration to assign 4-octet Member AS
>> Numbers in a BGP confederation until all BGP speakers within the
>> confederation have transitioned to support 4-octet numbers.
>>
>> I think that this is a good recommendation.  I just have a couple of
>> minor comments.
>>
>> It's not clear to me what the status of "misconfiguration" is in the
>> hierarchy of IETF.
>> Is it more like SHALL NOT or SHOULD NOT?  Is there a reason why
>> you're saying "misconfiguration" instead of one of those?
>>
>> I would also expect that the chance of routing loops arising out
>> conversion from 4-octet to 2-octet occurring between confederations
>> would be much less than of their occurring within a confederation
>> (although one can't know for sure without knowing what the 4-octet to
>> 2-octet mapping is), so following the recommendations in the Security
>> Considerations would greatly reduce the probability of such a routing loop
>> occurring.  Is this correct?
>> 
>> Cathy Meadows
>> Catherine Meadows
>> Naval Research Laboratory
>> Code 5543
>> 4555 Overlook Ave., S.W.
>> Washington DC, 20375
>> phone: 202-767-3490
>> fax: 202-404-7942
>> email: catherine.meadows@nrl.navy.mil
>>  
> 
> 
> --
> For corporate legal information go to:
> 
> 
> http://www.cisco.com/web/about/doing_business/legal/cri/index.html
> 
> 
> 



From shares@ndzh.com  Tue Jul 17 08:43:54 2012
From: "Susan Hares" <shares@ndzh.com>
To: "'John G. Scudder'" <jgs@juniper.net>, <stbryant@cisco.com>
References: <9BA4B53E-9772-47D4-B336-3A98FAEB4045@nrl.navy.mil> <005401cd63aa$baeac2b0$30c04810$@ndzh.com> <5005132E.9000000@cisco.com> <F71E3EEE-3082-47F9-961C-7B78EED4A4A6@juniper.net> <001301cd6431$87944a30$96bcde90$@ndzh.com>
In-Reply-To: <001301cd6431$87944a30$96bcde90$@ndzh.com>
Date: Tue, 17 Jul 2012 11:44:37 -0400
Message-ID: <001501cd6433$12df5bb0$389e1310$@ndzh.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJKmuJjwEjeN+Alq24qu8oI3WgY1gDXd0BoAZu+ckcBR6c4qgLA7Guwlf9QPdA=
Content-Language: en-us
X-Authenticated-User: skh@ndzh.com 
X-Mailman-Approved-At: Tue, 17 Jul 2012 08:45:04 -0700
Cc: secdir@ietf.org, "'Murphy, Sandra'" <Sandra.Murphy@sparta.com>, idr-chairs@tools.ietf.org, iesg@ietf.org, draft-ietf-idr-rfc4893bis.all@tools.ietf.org
Subject: Re: [secdir] Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07 (resend of a resend)
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2012 15:43:54 -0000

John and Stuart: 

Please substitute in the message below: 

/"wholes"/"holes"/  - the implied malapropism turn of phrase was a bit too
vague for a multi-cultural environment with non-native speakers.  My
malapropism implied that we find the "whole truth" as well as "holes" in our
work from cross-area review. 

Sometimes writing to intelligent people (such as you and John) inspires my
creative writing skills and ironic tones. 

Sorry, 

Sue 

-----Original Message-----
From: Susan Hares [mailto:shares@ndzh.com] 
Sent: Tuesday, July 17, 2012 11:34 AM
To: 'John G. Scudder'; stbryant@cisco.com
Cc: idr-chairs@tools.ietf.org; 'Catherine Meadows'; iesg@ietf.org;
secdir@ietf.org; draft-ietf-idr-rfc4893bis.all@tools.ietf.org; 'Murphy,
Sandra'
Subject: RE: Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07
(resend of a resend)

John and Stuart:

This is an acceptable text, and we can go on with this draft.

However,  my question to Catherine was substantive.  I wish to discuss with
the Routing AD(s), Security people, and Benoit/Ron to understand the
Routing/Operational issues.  

"Must Not" configure is unrealistic.  People misconfigure. Yankee Group and
other research houses places have indicated year-on-year 15-30% outages are
caused by this misconfigured.  It's like the statement "stuff happens."
Stating "Must not" is like spitting into the wind.  You end up with stuff on
your face.  What is the security area stating?  How does this review match
with the path validation/security in SIDR.   

Can we get Catherine or other security people to respond to my question?
Cross-area review is useful to find wholes in our process and our
assumptions.  I want to make sure I understand the valuable technical
feedback the security review is providing. 


Sue 

-----Original Message-----
From: John G. Scudder [mailto:jgs@juniper.net]
Sent: Tuesday, July 17, 2012 10:38 AM
To: stbryant@cisco.com
Cc: idr-chairs@tools.ietf.org; 'Catherine Meadows'; iesg@ietf.org;
secdir@ietf.org; draft-ietf-idr-rfc4893bis.all@tools.ietf.org; 'Murphy,
Sandra'
Subject: Re: Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07
(resend of a resend)

Stewart,

I'm fine with the text you propose.

(I do find it a little odd to have this text -- either old or new -- in the
Security section since routing loops aren't normally thought of as a security
issue unless maliciously triggered -- which this one isn't described as
being. So I would also be fine with changing the text but moving it to a
different section. But that is quibbling.)

--John

On Jul 17, 2012, at 12:24 AM, Stewart Bryant wrote:

> Sue, John,
> 
> Is there any reason not to reword the text concerned to more 
> conventional format:
> 
> OLD
> It is a misconfiguration to assign a non-mappable four-octet AS
>    number as the "Member AS Number" in a BGP confederation before all
>    the BGP speakers within the confederation have transitioned to
>    support four-octet AS numbers.  Such a misconfiguration would weaken
>    the AS path loop detection within a confederation.
> 
> NEW
> 

> A network operator MUST NOT assign a non-mappable four-octet AS number 
> as the "Member AS Number" in a BGP confederation before all the BGP 
> speakers within the confederation have transitioned to support 
> four-octet AS numbers, as such an assignment would weaken the AS path 
> loop detection within a confederation.
> 
> Stewart
> 
> On 17/07/2012 00:28, Susan Hares wrote:
>> Catherine:
>>  
>> I've read and re-read this email for a week (7/9 - 7/16).
>>  
>> Misconfiguration is a fact of life in networks.  Security profiles must
>> deal with this point.  We can all say you should not misconfigure networks -
>> but life happens.  Therefore,  I'm confused by your question.  I would
>> consider it is just a security event the authors pointing happens.
>>  
>> On your second comment
>>  
>> "I would also expect that the chance of routing loops arising out 
>> conversion from 4-octet to 2-octet occurring between confederations 
>> would be much less than of their occurring within a confederation 
>> (although one can't know for sure without knowing what the 4-octet to 
>> 2-octet mapping is), so following the recommendations in the Security 
>> Considerations would greatly reduce the probability of such a routing 
>> loop occurring.  Is this correct? "
>>  
>> It depends if someone configures a confederation within a confederation.
>> [see earlier comment on mis-configuration.] I've copied Sandy Murphy in case
>> as SIDR chair can put this discussion into a different "security" specific
>> light.
>>  
>> Confused,
>>  
>> Sue
>>  
>>  
>> From: Catherine Meadows [mailto:catherine.meadows@nrl.navy.mil]
>> Sent: Monday, July 09, 2012 2:25 PM
>> To: iesg@ietf.org; secdir@ietf.org;
>> draft-ietf-idr-rfc4893bis.all@tools.ietf.org
>> Cc: Catherine Meadows
>> Subject: Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07 
>> (resend of a resend)
>>  
>> I managed to screw up the email address again.  Here it is for what I
>> hope is the last time.
>> My apologies again to everyone who receives *three* copies of this
>> message.
>>  
>> I have reviewed this document as part of the security directorate's 
>> ongoing effort to review all IETF documents being processed by the 
>> IESG.  These comments were written primarily for the benefit of the 
>> security area directors.  Document editors and WG chairs should treat 
>> these comments just like any other last call comments.
>> 
>> This document describes an added capability for four-octet Autonomous 
>> System
>> (AS) numbers in BGP.  This is intended to  replace the older 
>> two-octet AS numbers, since that space is filling up.
>> 
>> In order to preserve backward compatibility, AS's using the
>> four-octet systems (called New BGP speakers in the document) must
>> advertise both four-octet and two-octet AS numbers.
>> This is the case even if the New BGP Speaker does not have a globally
>> unique two-octet number.
>> The document says that in this case the two-octet number is obtained
>> by mapping the four-octet number to the two-octet space.  The
>> procedure for doing this is not specified.
>> 
>> The authors identify a risk of routing loops developing when 
>> ambiguities develops as a result of a BGP speaker using the old 
>> system aggregating two or more routes carrying 4-octet attributes.
>> In the Security Configurations Section, the authors point out that an 
>> attacker might be able to exploit this in a denial of service attack.
>> They point out that it is a misconfiguration to assign 4-octet Member
>> AS Numbers in a BGP confederation until all BGP speakers within the
>> confederation have transitioned to support 4-octet numbers.
>>
>> I think that this is a good recommendation.  I just have a couple of
>> minor comments.
>>
>> It's not clear to me what the status of "misconfiguration" is in the
>> hierarchy of IETF.
>> Is it more like SHALL NOT or SHOULD NOT?  Is there a reason why 
>> you're saying "misconfiguration" instead of one of those?
>> 
>> I would also expect that the chance of routing loops arising out 
>> conversion from 4-octet to 2-octet occurring between confederations 
>> would be much less than of their occurring within a confederation 
>> (although one can't know for sure without knowing what the 4-octet to 
>> 2-octet mapping is), so following the recommendations in the Security
>> Considerations would greatly reduce the probability of such a routing loop
>> occurring.  Is this correct?
>> 
>> Cathy Meadows
>> Catherine Meadows
>> Naval Research Laboratory
>> Code 5543
>> 4555 Overlook Ave., S.W.
>> Washington DC, 20375
>> phone: 202-767-3490
>> fax: 202-404-7942
>> email: catherine.meadows@nrl.navy.mil
>>  
> 
> 
> --
> For corporate legal information go to:
> 
> 
> http://www.cisco.com/web/about/doing_business/legal/cri/index.html
> 
> 
> 




From shares@ndzh.com  Tue Jul 17 08:46:29 2012
Return-Path: <shares@ndzh.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6784321F8601; Tue, 17 Jul 2012 08:46:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000,  BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WkdW6BFqjOfe; Tue, 17 Jul 2012 08:46:28 -0700 (PDT)
Received: from hickoryhill-consulting.com (hhc-web.hickoryhill-consulting.com [64.9.205.140]) by ietfa.amsl.com (Postfix) with ESMTP id DD18921F85D4; Tue, 17 Jul 2012 08:46:27 -0700 (PDT)
X-Default-Received-SPF: pass (skip=forwardok (res=PASS)) x-ip-name=63.133.198.20; 
Received: from SKH2012HPLT (unverified [63.133.198.20])  by hickoryhill-consulting.com (SurgeMail 5.2a) with ESMTP id 3460947-1945496 for multiple; Tue, 17 Jul 2012 11:47:14 -0400
From: "Susan Hares" <shares@ndzh.com>
To: <adrian@olddog.co.uk>, "'John G. Scudder'" <jgs@juniper.net>, <stbryant@cisco.com>
References: <9BA4B53E-9772-47D4-B336-3A98FAEB4045@nrl.navy.mil>	<005401cd63aa$baeac2b0$30c04810$@ndzh.com>	<5005132E.9000000@cisco.com>	<F71E3EEE-3082-47F9-961C-7B78EED4A4A6@juniper.net> <001301cd6431$87944a30$96bcde90$@ndzh.com> <079e01cd6433$00f04b30$02d0e190$@olddog.co.uk>
In-Reply-To: <079e01cd6433$00f04b30$02d0e190$@olddog.co.uk>
Date: Tue, 17 Jul 2012 11:47:12 -0400
Message-ID: <001701cd6433$6f7fd250$4e7f76f0$@ndzh.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJKmuJjwEjeN+Alq24qu8oI3WgY1gDXd0BoAZu+ckcBR6c4qgLA7GuwApI1dQuV6sC0cA==
Content-Language: en-us
X-Authenticated-User: skh@ndzh.com 
X-Mailman-Approved-At: Tue, 17 Jul 2012 08:47:19 -0700
Cc: secdir@ietf.org, "'Murphy, Sandra'" <Sandra.Murphy@sparta.com>, idr-chairs@tools.ietf.org, iesg@ietf.org, draft-ietf-idr-rfc4893bis.all@tools.ietf.org
Subject: Re: [secdir] Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07 (resend of a resend)
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2012 15:46:29 -0000

Adrian:

100% agree with your viewpoint and next steps. 

John and Stuart - can we change to this view point. 

Sue 

-----Original Message-----
From: Adrian Farrel [mailto:adrian@olddog.co.uk] 
Sent: Tuesday, July 17, 2012 11:44 AM
To: 'Susan Hares'; 'John G. Scudder'; stbryant@cisco.com
Cc: secdir@ietf.org; 'Murphy, Sandra'; idr-chairs@tools.ietf.org;
iesg@ietf.org; 'Catherine Meadows';
draft-ietf-idr-rfc4893bis.all@tools.ietf.org
Subject: RE: Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07
(resend of a resend)

IMHO, you are right Sue. Stating "MUST NOT" in a specification does not
prevent something from happening.
Using "MUST NOT" for a specification is fine because we can test for
conformance to that and strike an implementation that does not respect the
language.
Using "MUST NOT" in a description of an operator process is not as strong or
useful. 

I think that "weakening" loop detection is a bad thing, but it is also a
price an operator might want to pay to get moved to 4byte AS numbers quickly
when a few corner boxes might take another 12 months to be upgraded. 

I agree with John that the text is not security-related.

So, I would rephrase and reposition the text.
- Do explain the risk of switching to 4bytes before everyone is upgraded.
- Do explain the boundaries to the risk
- Do expect operators to consider the implications
- Don't mandate what an operator does in the privacy of their own bedroom

A



> -----Original Message-----
> From: iesg-bounces@ietf.org [mailto:iesg-bounces@ietf.org] On Behalf 
> Of Susan Hares
> Sent: 17 July 2012 16:34
> To: 'John G. Scudder'; stbryant@cisco.com
> Cc: secdir@ietf.org; 'Murphy, Sandra'; idr-chairs@tools.ietf.org;
> iesg@ietf.org; 'Catherine Meadows';
> draft-ietf-idr-rfc4893bis.all@tools.ietf.org
> Subject: RE: Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07
> (resend of a resend)
> 
> John and Stuart:
> 
> This is an acceptable text, and we can go on with this draft.
> 
> However,  my question to Catherine was substantive.  I wish to discuss 
> with the Routing AD(s), Security people, and Benoit/Ron to understand 
> the Routing/Operational issues.
> 
> "Must Not" configure is unrealistic.  People misconfigure. Yankee 
> Group and other research houses places have indicated year-on-year 
> 15-30% outages are caused by this misconfigured.  It's like the statement
> "stuff happens."
> Stating "Must not" is like spitting into the wind.  You end up with 
> stuff on your face.  What is the security area stating?  How does this 
> review match with the path validation/security in SIDR.
> 
> Can we get Catherine or other security people to respond to my question?
> Cross-area review is useful to find wholes in our process and our 
> assumptions.  I want to make sure I understand the valuable technical 
> feedback the security review is providing.
> 
> 
> Sue
> 
> -----Original Message-----
> From: John G. Scudder [mailto:jgs@juniper.net]
> Sent: Tuesday, July 17, 2012 10:38 AM
> To: stbryant@cisco.com
> Cc: idr-chairs@tools.ietf.org; 'Catherine Meadows'; iesg@ietf.org; 
> secdir@ietf.org; draft-ietf-idr-rfc4893bis.all@tools.ietf.org; 
> 'Murphy, Sandra'
> Subject: Re: Spam:*******, Secdir Review of 
> draft-ietf-idr-rfc4893bis-07 (resend of a resend)
> 
> Stewart,
> 
> I'm fine with the text you propose.
> 
> (I do find it a little odd to have this text -- either old or new -- 
> in the Security section since routing loops aren't normally thought of
> as a security issue unless maliciously triggered -- which this one 
> isn't described as being. So I would also be fine with changing the 
> text but moving it to a different section. But that is quibbling.)
> 
> --John
> 
> On Jul 17, 2012, at 12:24 AM, Stewart Bryant wrote:
> 
> > Sue, John,
> >
> > Is there any reason not to reword the text concerned to more 
> > conventional format:
> >
> > OLD
> > It is a misconfiguration to assign a non-mappable four-octet AS
> >    number as the "Member AS Number" in a BGP confederation before all
> >    the BGP speakers within the confederation have transitioned to
> >    support four-octet AS numbers.  Such a misconfiguration would weaken
> >    the AS path loop detection within a confederation.
> >
> > NEW
> >
> 
> > A network operator MUST NOT assign a non-mappable four-octet AS 
> > number as the "Member AS Number" in a BGP confederation before all 
> > the BGP speakers within the confederation have transitioned to 
> > support four-octet AS numbers, as such an assignment would weaken 
> > the AS path loop detection within a confederation.
> >
> > Stewart
> >
> > On 17/07/2012 00:28, Susan Hares wrote:
> >> Catherine:
> >>
> >> I've read and re-read this email for a week (7/9 - 7/16).
> >>
> >> Misconfiguration is a fact of life in networks.  Security profiles
> >> must deal with this point.  We can all say you should not misconfigure
> >> networks - but life happens.  Therefore,  I'm confused by your
> >> question.  I would consider it is just a security event the authors
> >> pointing happens.
> >>
> >> On your second comment
> >>
> >> "I would also expect that the chance of routing loops arising out 
> >> conversion from 4-octet to 2-octet occurring between confederations 
> >> would be much less than of their occurring within a confederation 
> >> (although one can't know for sure without knowing what the 4-octet 
> >> to 2-octet mapping is), so following the recommendations in the 
> >> Security Considerations would greatly reduce the probability of 
> >> such a routing loop occurring.  Is this correct? "
> >>
> >> It depends if someone configures a confederation within a
> >> confederation.
> >> [see earlier comment on mis-configuration.] I've copied Sandy Murphy
> >> in case as SIDR chair can put this discussion into a different
> >> "security" specific light.
> >>
> >> Confused,
> >>
> >> Sue
> >>
> >>
> >> From: Catherine Meadows [mailto:catherine.meadows@nrl.navy.mil]
> >> Sent: Monday, July 09, 2012 2:25 PM
> >> To: iesg@ietf.org; secdir@ietf.org; 
> >> draft-ietf-idr-rfc4893bis.all@tools.ietf.org
> >> Cc: Catherine Meadows
> >> Subject: Spam:*******, Secdir Review of 
> >> draft-ietf-idr-rfc4893bis-07 (resend of a resend)
> >>
> >> I managed to screw up the email address again.  Here it is for what
> >> I hope is the last time.
> >> My apologies again to everyone who receives *three* copies of this
> >> message.
> >>
> >> I have reviewed this document as part of the security directorate's 
> >> ongoing effort to review all IETF documents being processed by the 
> >> IESG.  These comments were written primarily for the benefit of the 
> >> security area directors.  Document editors and WG chairs should 
> >> treat these comments just like any other last call comments.
> >>
> >> This document describes an added capability for four-octet 
> >> Autonomous System
> >> (AS) numbers in BGP.  This is intended to  replace the older 
> >> two-octet AS numbers, since that space is filling up.
> >>
> >> In order to preserve backward compatibility, AS's using the
> >> four-octet systems (called New BGP speakers in the document) must
> >> advertise both four-octet and two-octet AS numbers.
> >> This is the case even if the New BGP Speaker does not have a
> >> globally unique two-octet number.
> >> The document says that in this case the two-octet number is
> >> obtained by mapping the four-octet number to the two-octet space.
> >> The procedure for doing this is not specified.
> >>
> >> The authors identify a risk of routing loops developing when 
> >> ambiguities develops as a result of a BGP speaker using the old 
> >> system aggregating two or more routes carrying 4-octet attributes.
> >> In the Security Configurations Section, the authors point out that
> >> an attacker might be able to exploit this in a denial of service
> >> attack.
> >> They point out that it is a misconfiguration to assign 4-octet
> >> Member AS Numbers in a BGP confederation until all BGP speakers within the
> >> confederation have transitioned to support 4-octet numbers.
> >>
> >> I think that this is a good recommendation.  I just have a couple
> >> of minor comments.
> >>
> >> It's not clear to me what the status of "misconfiguration" is in
> >> the hierarchy of IETF.
> >> Is it more like SHALL NOT or SHOULD NOT?  Is there a reason why 
> >> you're saying "misconfiguration" instead of one of those?
> >>
> >> I would also expect that the chance of routing loops arising out 
> >> conversion from 4-octet to 2-octet occurring between confederations 
> >> would be much less than of their occurring within a confederation 
> >> (although one can't know for sure without knowing what the 4-octet 
> >> to 2-octet mapping is), so following the recommendations in the
> >> Security Considerations would greatly reduce the probability of such a
> >> routing loop occurring.  Is this correct?
> >>
> >> Cathy Meadows
> >> Catherine Meadows
> >> Naval Research Laboratory
> >> Code 5543
> >> 4555 Overlook Ave., S.W.
> >> Washington DC, 20375
> >> phone: 202-767-3490
> >> fax: 202-404-7942
> >> email: catherine.meadows@nrl.navy.mil
> >>
> >
> >
> > --
> > For corporate legal information go to:
> >
> >
> > http://www.cisco.com/web/about/doing_business/legal/cri/index.html
> >
> >
> >




From stbryant@cisco.com  Tue Jul 17 09:03:05 2012
Return-Path: <stbryant@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9AA321F8496; Tue, 17 Jul 2012 09:03:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.569
X-Spam-Level: 
X-Spam-Status: No, score=-110.569 tagged_above=-999 required=5 tests=[AWL=0.030, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RdBOntaEcEXN; Tue, 17 Jul 2012 09:03:04 -0700 (PDT)
Received: from ams-iport-3.cisco.com (ams-iport-3.cisco.com [144.254.224.146]) by ietfa.amsl.com (Postfix) with ESMTP id 3E9C121F8674; Tue, 17 Jul 2012 09:03:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=stbryant@cisco.com; l=9767; q=dns/txt; s=iport; t=1342541031; x=1343750631; h=message-id:date:from:reply-to:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=ibJBCD+ys/9NdW6QSLUZohSjR+lKegkcOtQNjqdqRFI=; b=DhN2Cv816DpewERUvRNBUbW1YN8BxE7Bpu+UdiI2oxJrONnLiRplOfMh eFv8qUD64s6KCCh6JUxCiLS+psChLREV0V4w2xzHp25X0ypP8b5ZuaZm4 SiB+xOynOpwEcbTx9nD6xnd0QpYaUXkdlVWLpA2SrZtRJFIyk9Co89S78 k=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgAFAJCMBVCQ/khM/2dsb2JhbAA7BwO5HIEHgiABAQEEEgECI0ABDAICCw4DBAEBAQkWCAcJAwIBAgEJKwkIBg0BBQIBARUJh2sLnQKDSBCcWgSLPBAXgn+DIQOVPY4igQRigmCBVwcc
X-IronPort-AV: E=Sophos;i="4.77,603,1336348800";  d="scan'208";a="6699598"
Received: from ams-core-3.cisco.com ([144.254.72.76]) by ams-iport-3.cisco.com with ESMTP; 17 Jul 2012 16:03:49 +0000
Received: from cisco.com (mrwint.cisco.com [64.103.70.36]) by ams-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id q6HG3neY003412 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 17 Jul 2012 16:03:49 GMT
Received: from [IPv6:::1] (localhost [127.0.0.1]) by cisco.com (8.14.4+Sun/8.8.8) with ESMTP id q6HG3i4C014022; Tue, 17 Jul 2012 17:03:45 +0100 (BST)
Message-ID: <50058CE0.5010108@cisco.com>
Date: Tue, 17 Jul 2012 17:03:44 +0100
From: Stewart Bryant <stbryant@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:13.0) Gecko/20120614 Thunderbird/13.0.1
MIME-Version: 1.0
To: Susan Hares <shares@ndzh.com>
References: <9BA4B53E-9772-47D4-B336-3A98FAEB4045@nrl.navy.mil>	<005401cd63aa$baeac2b0$30c04810$@ndzh.com>	<5005132E.9000000@cisco.com>	<F71E3EEE-3082-47F9-961C-7B78EED4A4A6@juniper.net> <001301cd6431$87944a30$96bcde90$@ndzh.com> <079e01cd6433$00f04b30$02d0e190$@olddog.co.uk> <001701cd6433$6f7fd250$4e7f76f0$@ndzh.com>
In-Reply-To: <001701cd6433$6f7fd250$4e7f76f0$@ndzh.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: secdir@ietf.org, "'Murphy, Sandra'" <Sandra.Murphy@sparta.com>, idr-chairs@tools.ietf.org, iesg@ietf.org, "'John G. Scudder'" <jgs@juniper.net>, adrian@olddog.co.uk, draft-ietf-idr-rfc4893bis.all@tools.ietf.org
Subject: Re: [secdir] Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07 (resend of a resend)
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: stbryant@cisco.com
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2012 16:03:06 -0000

It seems like a good suggestion to me

Stewart

On 17/07/2012 16:47, Susan Hares wrote:
> Adrian:
>
> 100% agree with your viewpoint and next steps.
>
> John and Stuart - can we change to this view point.
>
> Sue
>
> -----Original Message-----
> From: Adrian Farrel [mailto:adrian@olddog.co.uk]
> Sent: Tuesday, July 17, 2012 11:44 AM
> To: 'Susan Hares'; 'John G. Scudder'; stbryant@cisco.com
> Cc: secdir@ietf.org; 'Murphy, Sandra'; idr-chairs@tools.ietf.org;
> iesg@ietf.org; 'Catherine Meadows';
> draft-ietf-idr-rfc4893bis.all@tools.ietf.org
> Subject: RE: Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07
> (resend of a resend)
>
> IMHO, you are right Sue. Stating "MUST NOT" in a specification does not
> prevent something from happening.
> Using "MUST NOT" for a specification is fine because we can test for
> conformance to that and strike an implementation that does not respect the
> language.
> Using "MUST NOT" in a description of an operator process is not as strong or
> useful.
>
> I think that "weakening" loop detection is a bad thing, but it is also a
> price an operator might want to pay to get moved to 4byte AS numbers quickly
> when a few corner boxes might take another 12 months to be upgraded.
>
> I agree with John that the text is not security-related.
>
> So, I would rephrase and reposition the text.
> - Do explain the risk of switching to 4bytes before everyone is upgraded.
> - Do explain the boundaries to the risk
> - Do expect operators to consider the implications
> - Don't mandate what an operator does in the privacy of their own bedroom
>
> A
>
>
>
>> -----Original Message-----
>> From: iesg-bounces@ietf.org [mailto:iesg-bounces@ietf.org] On Behalf
>> Of Susan Hares
>> Sent: 17 July 2012 16:34
>> To: 'John G. Scudder'; stbryant@cisco.com
>> Cc: secdir@ietf.org; 'Murphy, Sandra'; idr-chairs@tools.ietf.org;
>> iesg@ietf.org; 'Catherine Meadows';
>> draft-ietf-idr-rfc4893bis.all@tools.ietf.org
>> Subject: RE: Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07
>> (resend of a resend)
>>
>> John and Stuart:
>>
>> This is an acceptable text, and we can go on with this draft.
>>
>> However,  my question to Catherine was substantive.  I wish to discuss
>> with the Routing AD(s), Security people, and Benoit/Ron to understand
>> the Routing/Operational issues.
>>
>> "Must Not" configure is unrealistic.  People misconfigure. Yankee
>> Group and other research houses places have indicated year-on-year
>> 15-30% outages are caused by this misconfigured.  It's like the statement
>> "stuff happens."
>> Stating "Must not" is like spitting into the wind.  You end up with
>> stuff on your face.  What is the security area stating?  How does this
>> review match with the path validation/security in SIDR.
>>
>> Can we get Catherine or other security people to respond to my question?
>> Cross-area review is useful to find wholes in our process and our
>> assumptions.  I want to make sure I understand the valuable technical
>> feedback the security review is providing.
>>
>>
>> Sue
>>
>> -----Original Message-----
>> From: John G. Scudder [mailto:jgs@juniper.net]
>> Sent: Tuesday, July 17, 2012 10:38 AM
>> To: stbryant@cisco.com
>> Cc: idr-chairs@tools.ietf.org; 'Catherine Meadows'; iesg@ietf.org;
>> secdir@ietf.org; draft-ietf-idr-rfc4893bis.all@tools.ietf.org;
>> 'Murphy, Sandra'
>> Subject: Re: Spam:*******, Secdir Review of
>> draft-ietf-idr-rfc4893bis-07 (resend of a resend)
>>
>> Stewart,
>>
>> I'm fine with the text you propose.
>>
>> (I do find it a little odd to have this text -- either old or new --
>> in the Security section since routing loops aren't normally thought of
>> as a security issue unless maliciously triggered -- which this one
>> isn't described as being. So I would also be fine with changing the
>> text but moving it to a different section. But that is quibbling.)
>>
>> --John
>>
>> On Jul 17, 2012, at 12:24 AM, Stewart Bryant wrote:
>>
>>> Sue, John,
>>>
>>> Is there any reason not to reword the text concerned to more
>>> conventional format:
>>>
>>> OLD
>>> It is a misconfiguration to assign a non-mappable four-octet AS
>>>     number as the "Member AS Number" in a BGP confederation before all
>>>     the BGP speakers within the confederation have transitioned to
>>>     support four-octet AS numbers.  Such a misconfiguration would weaken
>>>     the AS path loop detection within a confederation.
>>>
>>> NEW
>>>
>>> A network operator MUST NOT assign a non-mappable four-octet AS
>>> number as the "Member AS Number" in a BGP confederation before all
>>> the BGP speakers within the confederation have transitioned to
>>> support four-octet AS numbers, as such an assignment would weaken
>>> the AS path loop detection within a confederation.
>>>
>>> Stewart
>>>
>>> On 17/07/2012 00:28, Susan Hares wrote:
>>>> Catherine:
>>>>
>>>> I've read and re-read this email for a week (7/9 - 7/16).
>>>>
>>>> Misconfiguration is a fact of life in networks.  Security profiles
>>>> must deal with this point.  We can all say you should not misconfigure
>>>> networks - but life happens.  Therefore,  I'm confused by your
>>>> question.  I would consider it is just a security event the authors
>>>> pointing happens.
>>>>
>>>> On your second comment
>>>>
>>>> "I would also expect that the chance of routing loops arising out
>>>> conversion from 4-octet to 2-octet occurring between confederations
>>>> would be much less than of their occurring within a confederation
>>>> (although one can't know for sure without knowing what the 4-octet
>>>> to 2-octet mapping is), so following the recommendations in the
>>>> Security Considerations would greatly reduce the probability of
>>>> such a routing loop occurring.  Is this correct? "
>>>>
>>>> It depends if someone configures a confederation within a
>>>> confederation.
>>>> [see earlier comment on mis-configuration.] I've copied Sandy Murphy
>>>> in case as SIDR chair can put this discussion into a different
>>>> "security" specific light.
>>>>
>>>> Confused,
>>>>
>>>> Sue
>>>>
>>>>
>>>> From: Catherine Meadows [mailto:catherine.meadows@nrl.navy.mil]
>>>> Sent: Monday, July 09, 2012 2:25 PM
>>>> To: iesg@ietf.org; secdir@ietf.org;
>>>> draft-ietf-idr-rfc4893bis.all@tools.ietf.org
>>>> Cc: Catherine Meadows
>>>> Subject: Spam:*******, Secdir Review of
>>>> draft-ietf-idr-rfc4893bis-07 (resend of a resend)
>>>>
>>>> I managed to screw up the email address again.  Here it is for what
>>>> I hope is the last time.
>>>> My apologies again to everyone who receives *three* copies of this
>>>> message.
>>>>
>>>> I have reviewed this document as part of the security directorate's
>>>> ongoing effort to review all IETF documents being processed by the
>>>> IESG.  These comments were written primarily for the benefit of the
>>>> security area directors.  Document editors and WG chairs should
>>>> treat these comments just like any other last call comments.
>>>>
>>>> This document describes an added capability for four-octet
>>>> Autonomous System
>>>> (AS) numbers in BGP.  This is intended to  replace the older
>>>> two-octet AS numbers, since that space is filling up.
>>>>
>>>> In order to preserve backward compatibility, AS's using the
>>>> four-octet systems (called New BGP speakers in the document) must
>> advertise both four-octet and two-octet AS numbers.
>>>> This is the case even if the New BGP Speaker does not have a
>>>> globally
>> unique two-octet number.
>>>> The document says that in this case the two-octet number is
>>>> obtained by mapping the four-octet number to the two-octet space.
>>>> The procedure
>> for doing this is not specified.
>>>> The authors identify a risk of routing loops developing when
>>>> ambiguities develops as a result of a BGP speaker using the old
>>>> system aggregating two or more routes carrying 4-octet attributes.
>>>> In the Security Configurations Section, the authors point out that
>>>> an attacker might be able to exploit this in a denial of service
> attack.
>>>> They point out that it is a misconfiguration to assign 4-octet
>>>> Member AS
>> Numbers in a BGP confederation until all BGP speakers within the
>> confederation have transitioned to support 4-octet numbers.
>>>> I think that this is a good recommendation.  I just have a couple
>>>> of
>> minor comments.
>>>> It's not clear to me what the status of "misconfiguration" is in
>>>> the
>> hierarchy of IETF.
>>>> Is it more like SHALL NOT or SHOULD NOT?  Is there a reason why
>>>> you're saying "misconfiguration" instead of one of those?
>>>>
>>>> I would also expect that the chance of routing loops arising out
>>>> conversion from 4-octet to 2-octet occurring between confederations
>>>> would be much less than of their occurring within a confederation
>>>> (although one can't know for sure without knowing what the 4-octet
>>>> to 2-octet mapping is), so following the recommendations in the
>>>> Security
>> Considerations would greatly reduce the probability of such a routing
>> loop occurring.  Is this correct?
>>>> Cathy Meadows
>>>> Catherine Meadows
>>>> Naval Research Laboratory
>>>> Code 5543
>>>> 4555 Overlook Ave., S.W.
>>>> Washington DC, 20375
>>>> phone: 202-767-3490
>>>> fax: 202-404-7942
>>>> email: catherine.meadows@nrl.navy.mil
>>>>
>>>
>>> --
>>> For corporate legal information go to:
>>>
>>>
>>> http://www.cisco.com/web/about/doing_business/legal/cri/index.html
>>>
>>>
>>>
>
>
> .
>


-- 
For corporate legal information go to:

http://www.cisco.com/web/about/doing_business/legal/cri/index.html


From meadows@itd.nrl.navy.mil  Tue Jul 17 09:28:07 2012
Return-Path: <meadows@itd.nrl.navy.mil>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9BA4621F84C9; Tue, 17 Jul 2012 09:28:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m38g0XVXOJQB; Tue, 17 Jul 2012 09:28:06 -0700 (PDT)
Received: from fw5540.nrl.navy.mil (fw5540.nrl.navy.mil [132.250.196.100]) by ietfa.amsl.com (Postfix) with ESMTP id 2EA5C21F84B4; Tue, 17 Jul 2012 09:28:06 -0700 (PDT)
Received: from chacs.nrl.navy.mil (sun1.fw5540.net [10.0.0.11]) by fw5540.nrl.navy.mil (8.13.8/8.13.6) with ESMTP id q6HGSpCv007137; Tue, 17 Jul 2012 12:28:51 -0400 (EDT)
Received: from chacs.nrl.navy.mil (sun1 [10.0.0.11]) by chacs.nrl.navy.mil (8.13.8/8.13.6) with SMTP id q6HGSmK6017603; Tue, 17 Jul 2012 12:28:48 -0400 (EDT)
Received: from [127.0.0.1] ([10.0.0.13]) by chacs.nrl.navy.mil (SMSSMTP 4.1.16.48) with SMTP id M2012071712284710788 ; Tue, 17 Jul 2012 12:28:47 -0400
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset=us-ascii
From: Catherine A Meadows <meadows@itd.nrl.navy.mil>
In-Reply-To: <50058CE0.5010108@cisco.com>
Date: Tue, 17 Jul 2012 12:28:48 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <A1419349-1781-4787-9273-4C9766154BC2@itd.nrl.navy.mil>
References: <9BA4B53E-9772-47D4-B336-3A98FAEB4045@nrl.navy.mil>	<005401cd63aa$baeac2b0$30c04810$@ndzh.com>	<5005132E.9000000@cisco.com>	<F71E3EEE-3082-47F9-961C-7B78EED4A4A6@juniper.net> <001301cd6431$87944a30$96bcde90$@ndzh.com> <079e01cd6433$00f04b30$02d0e190$@olddog.co.uk> <001701cd6433$6f7fd250$4e7f76f0$@ndzh.com> <50058CE0.5010108@cisco.com>
To: Susan Hares <shares@ndzh.com>
X-Mailer: Apple Mail (2.1084)
Cc: secdir@ietf.org, "Murphy, Sandra" <Sandra.Murphy@sparta.com>, idr-chairs@tools.ietf.org, iesg@ietf.org, "John G. Scudder" <jgs@juniper.net>, adrian@olddog.co.uk, draft-ietf-idr-rfc4893bis.all@tools.ietf.org, Catherine A Meadows <meadows@itd.nrl.navy.mil>, stbryant@cisco.com
Subject: Re: [secdir] Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07 (resend of a resend)
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2012 16:28:07 -0000

Hi  Susan:

My apologies for not responding earlier.  I had been away from my email while traveling.

My question was not so much intended to recommend specific wording.  It was simply that I didn't
understand what "misconfiguration" meant in this context, because it isn't the usual terminology used in
IETF documents.  But as I understand it from the discussion,  configurations are not really part of the
standard, so we can't mandate them, and because of that, this is to be downgraded to a recommendation, as well as
being removed from the security consideration section.   So that answers my question.


As I understand from the discussion, the security risk of looping only is an issue if an attacker can cause it
to happen, in which case it can be used in a DOS attack.  So if there is no way an attacker could cause this
looping to happen, I'm happy to have it removed from the Security Considerations section.  Otherwise, I'd recommend
you refer to it in the Security Considerations section (even if it is described in detail in another section).

As to my other question, if there is no straightforward answer to it, there's no reason to discuss it in the document.

Hope this helps,

Cathy




On Jul 17, 2012, at 12:03 PM, Stewart Bryant wrote:

> It seems like a good suggestion to me
>
> Stewart
>
> On 17/07/2012 16:47, Susan Hares wrote:
>> Adrian:
>>
>> 100% agree with your viewpoint and next steps.
>>
>> John and Stuart - can we change to this view point.
>>
>> Sue
>>
>> -----Original Message-----
>> From: Adrian Farrel [mailto:adrian@olddog.co.uk]
>> Sent: Tuesday, July 17, 2012 11:44 AM
>> To: 'Susan Hares'; 'John G. Scudder'; stbryant@cisco.com
>> Cc: secdir@ietf.org; 'Murphy, Sandra'; idr-chairs@tools.ietf.org;
>> iesg@ietf.org; 'Catherine Meadows';
>> draft-ietf-idr-rfc4893bis.all@tools.ietf.org
>> Subject: RE: Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07
>> (resend of a resend)
>>
>> IMHO, you are right Sue. Stating "MUST NOT" in a specification does not
>> prevent something from happening.
>> Using "MUST NOT" for a specification is fine because we can test for
>> conformance to that and strike an implementation that does not respect the
>> language.
>> Using "MUST NOT" in a description of an operator process is not as strong or
>> useful.
>>
>> I think that "weakening" loop detection is a bad thing, but it is also a
>> price an operator might want to pay to get moved to 4byte AS numbers quickly
>> when a few corner boxes might take another 12 months to be upgraded.
>>
>> I agree with John that the text is not security-related.
>>
>> So, I would rephrase and reposition the text.
>> - Do explain the risk of switching to 4bytes before everyone is upgraded.
>> - Do explain the boundaries to the risk
>> - Do expect operators to consider the implications
>> - Don't mandate what an operator does in the privacy of their own bedroom
>>
>> A
>>
>>
>>
>>> -----Original Message-----
>>> From: iesg-bounces@ietf.org [mailto:iesg-bounces@ietf.org] On Behalf
>>> Of Susan Hares
>>> Sent: 17 July 2012 16:34
>>> To: 'John G. Scudder'; stbryant@cisco.com
>>> Cc: secdir@ietf.org; 'Murphy, Sandra'; idr-chairs@tools.ietf.org;
>> iesg@ietf.org;
>>> 'Catherine Meadows'; draft-ietf-idr-rfc4893bis.all@tools.ietf.org
>>> Subject: RE: Spam:*******, Secdir Review of
>>> draft-ietf-idr-rfc4893bis-07
>> (resend
>>> of a resend)
>>>
>>> John and Stuart:
>>>
>>> This an acceptable text, and we can go on with this draft.
>>>
>>> However,  my question to Catherine was substantive.  I wish to discuss
>>> with the Routing AD(s), Security people, and Benoit/Ron to understand
>>> the Routing/Operational issues.
>>>
>>> "Must Not" configure is unrealistic.  People misconfigure. Yankee
>>> Group and other research houses places have indicated year-on-year
>>> 15-30% outages are caused by this misconfigured.  It's like the statement
>> "stuff happens."
>>> Stating "Must not" is like spitting into the wind.  You end up with
>>> stuff on your face.  What is the security area stating?  How does this
>>> review match with the path validation/security in SIDR.
>>>
>>> Can we get Catherine or other security people to respond to my question?
>>> Cross-area review is useful to find wholes in our process and our
>>> assumptions.  I want to make sure I understand the valuable technical
>>> feedback the security review is providing.
>>>
>>>
>>> Sue
>>>
>>> -----Original Message-----
>>> From: John G. Scudder [mailto:jgs@juniper.net]
>>> Sent: Tuesday, July 17, 2012 10:38 AM
>>> To: stbryant@cisco.com
>>> Cc: idr-chairs@tools.ietf.org; 'Catherine Meadows'; iesg@ietf.org;
>>> secdir@ietf.org; draft-ietf-idr-rfc4893bis.all@tools.ietf.org;
>>> 'Murphy, Sandra'
>>> Subject: Re: Spam:*******, Secdir Review of
>>> draft-ietf-idr-rfc4893bis-07 (resend of a resend)
>>>
>>> Stewart,
>>>
>>> I'm fine with the text you propose.
>>>
>>> (I do find it a little odd to have this text -- either old or new --
>>> in the Security section since routing loops aren't normally though of
>>> as a security issue unless maliciously triggered -- which this one
>>> isn't described as being. So I would also be fine with changing the
>>> text but moving it to a different section. But that is quibbling.)
>>>
>>> --John
>>>
>>> On Jul 17, 2012, at 12:24 AM, Stewart Bryant wrote:
>>>
>>>> Sue, John,
>>>>
>>>> Is there any reason not to reword the text concerned to more
>>>> conventional format:
>>>>
>>>> OLD
>>>> It is a misconfiguration to assign a non-mappable four-octet AS
>>>>    number as the "Member AS Number" in a BGP confederation before all
>>>>    the BGP speakers within the confederation have transitioned to
>>>>    support four-octet AS numbers.  Such a misconfiguration would weaken
>>>>    the AS path loop detection within a confederation.
>>>>
>>>> NEW
>>>>
>>>> A network operator MUST NOT assign a non-mappable four-octet AS
>>>> number as the "Member AS Number" in a BGP confederation before all
>>>> the BGP speakers within the confederation have transitioned to
>>>> support four-octet AS numbers, as such an assignment would weaken
>>>> the AS path loop detection within a confederation.
>>>>
>>>> Stewart
>>>>
>>>> On 17/07/2012 00:28, Susan Hares wrote:
>>>>> Catherine:
>>>>>
>>>>> I've read and re-read this email for a week (7/9 - 7/16).
>>>>>
>>>>> Misconfiguration is a fact of life in networks.  Security profiles
>>>>> must
>>> deal with this point.  We can all say you should not misconfigure
>>> networks - but life happens.  Therefore,  I'm confused by your
>>> question.  I would consider it is just a security event the authors
>> pointing happens.
>>>>> On your second comment
>>>>>
>>>>> "I would also expect that the chance of routing loops arising out
>>>>> conversion from 4-octet to 2-octet occurring between confederations
>>>>> would be much less than of their occurring within a confederation
>>>>> (although one can't know for sure without knowing what the 4-octet
>>>>> to 2-octet mapping is), so following the recommendations in the
>>>>> Security Considerations would greatly reduce the probability of
>>>>> such a routing loop occurring.  Is this correct? "
>>>>>
>>>>> It depends if someone configures a confederation within a
>> confederation.
>>> [see earlier comment on mis-configuration.] I've copied Sandy Murphy
>>> in case as SIDR chair can put this discussion into a different
>>> "security" specific light.
>>>>> Confused,
>>>>>
>>>>> Sue
>>>>>
>>>>>
>>>>> From: Catherine Meadows [mailto:catherine.meadows@nrl.navy.mil]
>>>>> Sent: Monday, July 09, 2012 2:25 PM
>>>>> To: iesg@ietf.org; secdir@ietf.org;
>>>>> draft-ietf-idr-rfc4893bis.all@tools.ietf.org
>>>>> Cc: Catherine Meadows
>>>>> Subject: Spam:*******, Secdir Review of
>>>>> draft-ietf-idr-rfc4893bis-07 (resend of a resend)
>>>>>
>>>>> I managed to screw up the email address again.  Here it is for what
>>>>> I
>>> hope is the last time.
>>>>> My apologies again to everyone who receives *three* copies of this
>>> message.
>>>>> I have reviewed this document as part of the security directorate's
>>>>> ongoing effort to review all IETF documents being processed by the
>>>>> IESG.  These comments were written primarily for the benefit of the
>>>>> security area directors.  Document editors and WG chairs should
>>>>> treat these comments just like any other last call comments.
>>>>>
>>>>> This document describes an added capability for four-octet
>>>>> Autonomous System
>>>>> (AS) numbers in BGP.  This is intended to  replace the older
>>>>> two-octet AS numbers, since that space is filling up.
>>>>>
>>>>> In order to preserve backward compatibility, AS's using the
>>>>> four-octet systems (called New BGP speakers in the document) must
>>> advertise both four-octet and two-octet AS numbers.
>>>>> This is the case even if the New BGP Speaker does not have a
>>>>> globally
>>> unique two-octet number.
>>>>> The document says that in this case the two-octet number is
>>>>> obtained by mapping the four-octet number to the two-octet space.
>>>>> The procedure
>>> for doing this is not specified.
>>>>> The authors identify a risk of routing loops developing when
>>>>> ambiguities develops as a result of a BGP speaker using the old
>>>>> system aggregating two or more routes carrying 4-octet attributes.
>>>>> In the Security Configurations Section, the authors point out that
>>>>> an attacker might be able to exploit this in a denial of service
>> attack.
>>>>> They point out that it is a misconfiguration to assign 4-octet
>>>>> Member AS
>>> Numbers in a BGP confederation until all BGP speakers within the
>>> confederation have transitioned to support 4-octet numbers.
>>>>> I think that this is a good recommendation.  I just have a couple
>>>>> of
>>> minor comments.
>>>>> It's not clear to me what the status of "misconfiguration" is in
>>>>> the
>>> hierarchy of IETF.
>>>>> Is it more like SHALL NOT or SHOULD NOT?  Is there a reason why
>>>>> you're saying "misconfiguration" instead of one of those?
>>>>>
>>>>> I would also expect that the chance of routing loops arising out
>>>>> conversion from 4-octet to 2-octet occurring between confederations
>>>>> would be much less than of their occurring within a confederation
>>>>> (although one can't know for sure without knowing what the 4-octet
>>>>> to 2-octet mapping is), so following the recommendations in the
>>>>> Security
>>> Considerations would greatly reduce the probability of such a routing
>>> loop occurring.  Is this correct?
>>>>> Cathy Meadows
>>>>> Catherine Meadows
>>>>> Naval Research Laboratory
>>>>> Code 5543
>>>>> 4555 Overlook Ave., S.W.
>>>>> Washington DC, 20375
>>>>> phone: 202-767-3490
>>>>> fax: 202-404-7942
>>>>> email: catherine.meadows@nrl.navy.mil
>>>>>
>>>>
>>>> --
>>>> For corporate legal information go to:
>>>>
>>>>
>>>> http://www.cisco.com/web/about/doing_business/legal/cri/index.html
>>>>
>>>>
>>>>
>>
>>
>> .
>>
>
>
> --
> For corporate legal information go to:
>
> http://www.cisco.com/web/about/doing_business/legal/cri/index.html


From shares@ndzh.com  Tue Jul 17 09:33:25 2012
Return-Path: <shares@ndzh.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7AB121F84FD; Tue, 17 Jul 2012 09:33:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000,  BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PhqwufmbTq+j; Tue, 17 Jul 2012 09:33:24 -0700 (PDT)
Received: from hickoryhill-consulting.com (hhc-web.hickoryhill-consulting.com [64.9.205.140]) by ietfa.amsl.com (Postfix) with ESMTP id 2121021F84FF; Tue, 17 Jul 2012 09:33:24 -0700 (PDT)
X-Default-Received-SPF: pass (skip=forwardok (res=PASS)) x-ip-name=63.133.198.20; 
Received: from SKH2012HPLT (unverified [63.133.198.20])  by hickoryhill-consulting.com (SurgeMail 5.2a) with ESMTP id 3461059-1945496 for multiple; Tue, 17 Jul 2012 12:34:10 -0400
From: "Susan Hares" <shares@ndzh.com>
To: "'Catherine A Meadows'" <meadows@itd.nrl.navy.mil>
References: <9BA4B53E-9772-47D4-B336-3A98FAEB4045@nrl.navy.mil>	<005401cd63aa$baeac2b0$30c04810$@ndzh.com>	<5005132E.9000000@cisco.com>	<F71E3EEE-3082-47F9-961C-7B78EED4A4A6@juniper.net> <001301cd6431$87944a30$96bcde90$@ndzh.com> <079e01cd6433$00f04b30$02d0e190$@olddog.co.uk> <001701cd6433$6f7fd250$4e7f76f0$@ndzh.com> <50058CE0.5010108@cisco.com> <A1419349-1781-4787-9273-4C9766154BC2@itd.nrl.navy.mil>
In-Reply-To: <A1419349-1781-4787-9273-4C9766154BC2@itd.nrl.navy.mil>
Date: Tue, 17 Jul 2012 12:34:08 -0400
Message-ID: <004701cd6439$fdcc23a0$f9646ae0$@ndzh.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJKmuJjwEjeN+Alq24qu8oI3WgY1gDXd0BoAZu+ckcBR6c4qgLA7GuwApI1dQsB3roKPQK/Vk/KAgp26fiVtYlg4A==
Content-Language: en-us
X-Authenticated-User: skh@ndzh.com 
Cc: secdir@ietf.org, "'Murphy, Sandra'" <Sandra.Murphy@sparta.com>, idr-chairs@tools.ietf.org, iesg@ietf.org, "'John G. Scudder'" <jgs@juniper.net>, adrian@olddog.co.uk, draft-ietf-idr-rfc4893bis.all@tools.ietf.org, stbryant@cisco.com
Subject: Re: [secdir] Spam:*******, Re: Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07 (resend of a resend)
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2012 16:33:25 -0000

Catherine:

An attacker with access to a trusted BGP router at the right point in the
network could cause this problem.  I suggest you discuss this point with
Sandy Murphy who has listened to operators on these issues and can speak
"security"  dialect. 

This is for your general information.  See Adrian's solution for the right
viewpoint.

Sue 

-----Original Message-----
From: Catherine A Meadows [mailto:meadows@itd.nrl.navy.mil] 
Sent: Tuesday, July 17, 2012 12:29 PM
To: Susan Hares
Cc: Catherine A Meadows; adrian@olddog.co.uk; John G. Scudder;
secdir@ietf.org; stbryant@cisco.com; Murphy, Sandra;
idr-chairs@tools.ietf.org; iesg@ietf.org; Catherine Meadows;
draft-ietf-idr-rfc4893bis.all@tools.ietf.org
Subject: Spam:*******, Re: Spam:*******, Secdir Review of
draft-ietf-idr-rfc4893bis-07 (resend of a resend)

Hi  Susan:

My apologies for not responding earlier.  I had been away from my email
while traveling.

My question was not so much intended to recommend specific wording.  It was
simply that I didn't understand what "misconfiguration" meant in this
context, because it isn't the usual terminology used in IETF documents.  But
as I understand it from the discussion,  configurations are not really part
of the standard, so we can't mandate them, and because of that, this is to
be downgraded to a recommendation, as well as
being removed from the security consideration section.   So that answers my
question.


As I understand from the discussion, the security risk of looping only is an
issue if an attacker can cause it to happen, in which case it can be used in
a DOS attack.  So if there is no way an attacker could cause this looping to
happen, I'm happy to have it removed from the Security Considerations
section.  Otherwise, I'd recommend you refer to it in the Security
Considerations section (even if it is described in detail in another
section).  

As to my other question, if there is no straightforward answer to it,
there's no reason to discuss it in the document.

Hope this helps,

Cathy




On Jul 17, 2012, at 12:03 PM, Stewart Bryant wrote:

> It seems like a good suggestion to me
> 
> Stewart
> 
> On 17/07/2012 16:47, Susan Hares wrote:
>> Adrian:
>> 
>> 100% agree with your viewpoint and next steps.
>> 
>> John and Stuart - can we change to this view point.
>> 
>> Sue
>> 
>> -----Original Message-----
>> From: Adrian Farrel [mailto:adrian@olddog.co.uk]
>> Sent: Tuesday, July 17, 2012 11:44 AM
>> To: 'Susan Hares'; 'John G. Scudder'; stbryant@cisco.com
>> Cc: secdir@ietf.org; 'Murphy, Sandra'; idr-chairs@tools.ietf.org; 
>> iesg@ietf.org; 'Catherine Meadows'; 
>> draft-ietf-idr-rfc4893bis.all@tools.ietf.org
>> Subject: RE: Spam:*******, Secdir Review of 
>> draft-ietf-idr-rfc4893bis-07 (resend of a resend)
>> 
>> IMHO, you are right Sue. Stating "MUST NOT" in a specification does 
>> not prevent something from happening.
>> Using "MUST NOT" for a specification is fine because we can test for 
>> conformance to that and strike an implementation that does not 
>> respect the language.
>> Using "MUST NOT" in a description of an operator process is not as 
>> strong or useful.
>> 
>> I think that "weakening" loop detection is a bad thing, but it is 
>> also a price an operator might want to pay to get moved to 4byte AS 
>> numbers quickly when a few corner boxes might take another 12 months to be upgraded.
>> 
>> I agree with John that the text is not security-related.
>> 
>> So, I would rephrase and reposition the text.
>> - Do explain the risk of switching to 4bytes before everyone is upgraded.
>> - Do explain the boundaries to the risk
>> - Do expect operators to consider the implications
>> - Don't mandate what an operator does in the privacy of their own 
>> bedroom
>> 
>> A
>> 
>> 
>> 
>>> -----Original Message-----
>>> From: iesg-bounces@ietf.org [mailto:iesg-bounces@ietf.org] On Behalf 
>>> Of Susan Hares
>>> Sent: 17 July 2012 16:34
>>> To: 'John G. Scudder'; stbryant@cisco.com
>>> Cc: secdir@ietf.org; 'Murphy, Sandra'; idr-chairs@tools.ietf.org;
>> iesg@ietf.org;
>>> 'Catherine Meadows'; draft-ietf-idr-rfc4893bis.all@tools.ietf.org
>>> Subject: RE: Spam:*******, Secdir Review of
>>> draft-ietf-idr-rfc4893bis-07
>> (resend
>>> of a resend)
>>> 
>>> John and Stuart:
>>> 
>>> This an acceptable text, and we can go on with this draft.
>>> 
>>> However,  my question to Catherine was substantive.  I wish to 
>>> discuss with the Routing AD(s), Security people, and Benoit/Ron to 
>>> understand the Routing/Operational issues.
>>> 
>>> "Must Not" configure is unrealistic.  People misconfigure. Yankee 
>>> Group and other research houses places have indicated year-on-year 
>>> 15-30% outages are caused by this misconfigured.  It's like the 
>>> statement
>> "stuff happens."
>>> Stating "Must not" is like spitting into the wind.  You end up with 
>>> stuff on your face.  What is the security area stating?  How does 
>>> this review match with the path validation/security in SIDR.
>>> 
>>> Can we get Catherine or other security people to respond to my question?
>>> Cross-area review is useful to find wholes in our process and our 
>>> assumptions.  I want to make sure I understand the valuable 
>>> technical feedback the security review is providing.
>>> 
>>> 
>>> Sue
>>> 
>>> -----Original Message-----
>>> From: John G. Scudder [mailto:jgs@juniper.net]
>>> Sent: Tuesday, July 17, 2012 10:38 AM
>>> To: stbryant@cisco.com
>>> Cc: idr-chairs@tools.ietf.org; 'Catherine Meadows'; iesg@ietf.org; 
>>> secdir@ietf.org; draft-ietf-idr-rfc4893bis.all@tools.ietf.org;
>>> 'Murphy, Sandra'
>>> Subject: Re: Spam:*******, Secdir Review of
>>> draft-ietf-idr-rfc4893bis-07 (resend of a resend)
>>> 
>>> Stewart,
>>> 
>>> I'm fine with the text you propose.
>>> 
>>> (I do find it a little odd to have this text -- either old or new -- 
>>> in the Security section since routing loops aren't normally though 
>>> of as a security issue unless maliciously triggered -- which this 
>>> one isn't described as being. So I would also be fine with changing 
>>> the text but moving it to a different section. But that is 
>>> quibbling.)
>>> 
>>> --John
>>> 
>>> On Jul 17, 2012, at 12:24 AM, Stewart Bryant wrote:
>>> 
>>>> Sue, John,
>>>> 
>>>> Is there any reason not to reword the text concerned to more 
>>>> conventional format:
>>>> 
>>>> OLD
>>>> It is a misconfiguration to assign a non-mappable four-octet AS
>>>>    number as the "Member AS Number" in a BGP confederation before all
>>>>    the BGP speakers within the confederation have transitioned to
>>>>    support four-octet AS numbers.  Such a misconfiguration would weaken
>>>>    the AS path loop detection within a confederation.
>>>> 
>>>> NEW
>>>> 
>>>> A network operator MUST NOT assign a non-mappable four-octet AS 
>>>> number as the "Member AS Number" in a BGP confederation before all 
>>>> the BGP speakers within the confederation have transitioned to 
>>>> support four-octet AS numbers, as such an assignment would weaken 
>>>> the AS path loop detection within a confederation.
>>>> 
>>>> Stewart
>>>> 
>>>> On 17/07/2012 00:28, Susan Hares wrote:
>>>>> Catherine:
>>>>> 
>>>>> I've read and re-read this email for a week (7/9 - 7/16).
>>>>> 
>>>>> Misconfiguration is a fact of life in networks.  Security profiles 
>>>>> must
>>> deal with this point.  We can all say you should not misconfigure 
>>> networks - but life happens.  Therefore,  I'm confused by your 
>>> question.  I would consider it is just a security event the authors
>> pointing happens.
>>>>> On your second comment
>>>>> 
>>>>> "I would also expect that the chance of routing loops arising out 
>>>>> conversion from 4-octet to 2-octet occurring between 
>>>>> confederations would be much less than of their occurring within a 
>>>>> confederation (although one can't know for sure without knowing 
>>>>> what the 4-octet to 2-octet mapping is), so following the 
>>>>> recommendations in the Security Considerations would greatly 
>>>>> reduce the probability of such a routing loop occurring.  Is this correct? "
>>>>> 
>>>>> It depends if someone configures a confederation within a
>> confederation.
>>> [see earlier comment on mis-configuration.] I've copied Sandy Murphy 
>>> in case as SIDR chair can put this discussion into a different 
>>> "security" specific light.
>>>>> Confused,
>>>>> 
>>>>> Sue
>>>>> 
>>>>> 
>>>>> From: Catherine Meadows [mailto:catherine.meadows@nrl.navy.mil]
>>>>> Sent: Monday, July 09, 2012 2:25 PM
>>>>> To: iesg@ietf.org; secdir@ietf.org; 
>>>>> draft-ietf-idr-rfc4893bis.all@tools.ietf.org
>>>>> Cc: Catherine Meadows
>>>>> Subject: Spam:*******, Secdir Review of
>>>>> draft-ietf-idr-rfc4893bis-07 (resend of a resend)
>>>>> 
>>>>> I managed to screw up the email address again.  Here it is for 
>>>>> what I
>>> hope is the last time.
>>>>> My apologies again to everyone who receives *three* copies of this
>>> message.
>>>>> I have reviewed this document as part of the security 
>>>>> directorate's ongoing effort to review all IETF documents being 
>>>>> processed by the IESG.  These comments were written primarily for 
>>>>> the benefit of the security area directors.  Document editors and 
>>>>> WG chairs should treat these comments just like any other last call comments.
>>>>> 
>>>>> This document describes an added capability for four-octet 
>>>>> Autonomous System
>>>>> (AS) numbers in BGP.  This is intended to  replace the older 
>>>>> two-octet AS numbers, since that space is filling up.
>>>>> 
>>>>> In order to preserve backward compatibility, AS's using the 
>>>>> four-octet systems (called New BGP speakers in the document) must
>>> advertise both four-octet and two-octet AS numbers.
>>>>> This is the case even if the New BGP Speaker does not have a 
>>>>> globally
>>> unique two-octet number.
>>>>> The document says that in this case the two-octet number is 
>>>>> obtained by mapping the four-octet number to the two-octet space.
>>>>> The procedure
>>> for doing this is not specified.
>>>>> The authors identify a risk of routing loops developing when 
>>>>> ambiguities develops as a result of a BGP speaker using the old 
>>>>> system aggregating two or more routes carrying 4-octet attributes.
>>>>> In the Security Configurations Section, the authors point out that 
>>>>> an attacker might be able to exploit this in a denial of service
>> attack.
>>>>> They point out that it is a misconfiguration to assign 4-octet 
>>>>> Member AS
>>> Numbers in a BGP confederation until all BGP speakers within the 
>>> confederation have transitioned to support 4-octet numbers.
>>>>> I think that this is a good recommendation.  I just have a couple 
>>>>> of
>>> minor comments.
>>>>> It's not clear to me what the status of "misconfiguration" is in 
>>>>> the
>>> hierarchy of IETF.
>>>>> Is it more like SHALL NOT or SHOULD NOT?  Is there a reason why 
>>>>> you're saying "misconfiguration" instead of one of those?
>>>>> 
>>>>> I would also expect that the chance of routing loops arising out 
>>>>> conversion from 4-octet to 2-octet occurring between 
>>>>> confederations would be much less than of their occurring within a 
>>>>> confederation (although one can't know for sure without knowing 
>>>>> what the 4-octet to 2-octet mapping is), so following the 
>>>>> recommendations in the Security
>>> Considerations would greatly reduce the probability of such a 
>>> routing loop occurring.  Is this correct?
>>>>> Cathy Meadows
>>>>> Catherine Meadows
>>>>> Naval Research Laboratory
>>>>> Code 5543
>>>>> 4555 Overlook Ave., S.W.
>>>>> Washington DC, 20375
>>>>> phone: 202-767-3490
>>>>> fax: 202-404-7942
>>>>> email: catherine.meadows@nrl.navy.mil
>>>>> 
>>>> 
>>>> --
>>>> For corporate legal information go to:
>>>> 
>>>> 
>>>> http://www.cisco.com/web/about/doing_business/legal/cri/index.html
>>>> 
>>>> 
>>>> 
>> 
>> 
>> .
>> 
> 
> 
> --
> For corporate legal information go to:
> 
> http://www.cisco.com/web/about/doing_business/legal/cri/index.html
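
The weakened loop detection that the OLD/NEW text quoted above refers to, together with the check an operator could run before assigning Member AS Numbers, as an added Python example that is not part of the thread or of the draft. It uses a simplified propagation model; AS_TRANS (23456) is the two-octet placeholder from RFC 4893, and the router names and AS numbers are constructed.

```python
"""Added illustration: non-mappable Member AS Numbers and confederation
loop detection, plus a configuration audit. Simplified model, sample data."""
from dataclasses import dataclass

AS_TRANS = 23456          # two-octet placeholder defined in RFC 4893
MAX_TWO_OCTET = 0xFFFF


def is_mappable(asn: int) -> bool:
    """A four-octet AS number is mappable when it fits in two octets."""
    return 0 <= asn <= MAX_TWO_OCTET


def two_octet_view(asn: int) -> int:
    """Value an un-upgraded speaker sees in the two-octet AS_PATH."""
    return asn if is_mappable(asn) else AS_TRANS


@dataclass(frozen=True)
class Speaker:
    name: str          # hypothetical router name
    member_as: int     # confederation Member AS Number
    four_octet: bool   # True = upgraded ("NEW") speaker


def advertise_along(chain):
    """Pass a route originated by chain[0] through each speaker in order.

    Returns (loop_detected, confed_path_seen_by_last_receiver).
    Assumption of this model: the sender prepends its member AS when the
    route crosses a member-AS boundary, and any session with an un-upgraded
    end carries two-octet values only. AS4_PATH does not carry confederation
    segments, so nothing restores a value replaced by AS_TRANS.
    """
    path = []
    for sender, receiver in zip(chain, chain[1:]):
        if sender.member_as != receiver.member_as:
            path = [sender.member_as] + path
        if not (sender.four_octet and receiver.four_octet):
            path = [two_octet_view(asn) for asn in path]
        # Standard loop check: reject a route that already lists our own AS.
        if receiver.member_as in path:
            return True, path
    return False, path


def audit_confederation(speakers):
    """Names of speakers whose Member AS Number breaks the rule in the draft:
    a non-mappable member AS while any speaker is still un-upgraded."""
    if all(s.four_octet for s in speakers):
        return []
    return sorted(s.name for s in speakers if not is_mappable(s.member_as))


# Constructed sample confederations: r1 -> r2 -> r3, where r3 shares r1's
# member AS, so a working loop check must reject the route at r3.
UNSAFE = [Speaker("r1", 70000, True), Speaker("r2", 65010, False),
          Speaker("r3", 70000, True)]
SAFE = [Speaker("r1", 65020, True), Speaker("r2", 65010, False),
        Speaker("r3", 65020, True)]
UPGRADED = [Speaker("r1", 70000, True), Speaker("r2", 65010, True),
            Speaker("r3", 70000, True)]

if __name__ == "__main__":
    for label, conf in (("unsafe", UNSAFE), ("safe", SAFE),
                        ("upgraded", UPGRADED)):
        detected, path = advertise_along(conf)
        print(f"{label:9} loop detected={detected!s:5} path={path} "
              f"audit findings={audit_confederation(conf)}")
```

In the unsafe case r3 sees AS_TRANS where its own member AS should be and accepts the route; the audit flags the same assignment before it is deployed.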



From jgs@juniper.net  Tue Jul 17 09:25:43 2012
References: <9BA4B53E-9772-47D4-B336-3A98FAEB4045@nrl.navy.mil> <005401cd63aa$baeac2b0$30c04810$@ndzh.com> <5005132E.9000000@cisco.com> <F71E3EEE-3082-47F9-961C-7B78EED4A4A6@juniper.net> <001301cd6431$87944a30$96bcde90$@ndzh.com> <079e01cd6433$00f04b30$02d0e190$@olddog.co.uk> <001701cd6433$6f7fd250$4e7f76f0$@ndzh.com> <50058CE0.5010108@cisco.com>
In-Reply-To: <50058CE0.5010108@cisco.com>
MIME-Version: 1.0 (1.0)
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="us-ascii"
Message-ID: <FF8CF343-B2C4-4F22-B3CB-ED382000D79B@juniper.net>
X-Mailer: iPhone Mail (9B206)
From: "John G. Scudder" <jgs@juniper.net>
Date: Tue, 17 Jul 2012 09:24:10 -0700
To: "stbryant@cisco.com" <stbryant@cisco.com>
X-Mailman-Approved-At: Tue, 17 Jul 2012 10:04:53 -0700
Cc: "secdir@ietf.org" <secdir@ietf.org>, "Murphy, Sandra" <Sandra.Murphy@sparta.com>, "idr-chairs@tools.ietf.org" <idr-chairs@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "adrian@olddog.co.uk" <adrian@olddog.co.uk>, "draft-ietf-idr-rfc4893bis.all@tools.ietf.org" <draft-ietf-idr-rfc4893bis.all@tools.ietf.org>, Susan Hares <shares@ndzh.com>
Subject: Re: [secdir] Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07 (resend of a resend)

WFM.

--John

On Jul 17, 2012, at 9:03 AM, Stewart Bryant <stbryant@cisco.com> wrote:

> It seems like a good suggestion to me
>
> Stewart
>
> On 17/07/2012 16:47, Susan Hares wrote:
>> Adrian:
>>
>> 100% agree with your viewpoint and next steps.
>>
>> John and Stuart - can we change to this view point.
>>
>> Sue
>>
>> -----Original Message-----
>> From: Adrian Farrel [mailto:adrian@olddog.co.uk]
>> Sent: Tuesday, July 17, 2012 11:44 AM
>> To: 'Susan Hares'; 'John G. Scudder'; stbryant@cisco.com
>> Cc: secdir@ietf.org; 'Murphy, Sandra'; idr-chairs@tools.ietf.org;
>> iesg@ietf.org; 'Catherine Meadows';
>> draft-ietf-idr-rfc4893bis.all@tools.ietf.org
>> Subject: RE: Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07
>> (resend of a resend)
>>
>> IMHO, you are right Sue. Stating "MUST NOT" in a specification does not
>> prevent something from happening.
>> Using "MUST NOT" for a specification is fine because we can test for
>> conformance to that and strike an implementation that does not respect the
>> language.
>> Using "MUST NOT" in a description of an operator process is not as strong or
>> useful.
>>
>> I think that "weakening" loop detection is a bad thing, but it is also a
>> price an operator might want to pay to get moved to 4byte AS numbers quickly
>> when a few corner boxes might take another 12 months to be upgraded.
>>
>> I agree with John that the text is not security-related.
>>
>> So, I would rephrase and reposition the text.
>> - Do explain the risk of switching to 4bytes before everyone is upgraded.
>> - Do explain the boundaries to the risk
>> - Do expect operators to consider the implications
>> - Don't mandate what an operator does in the privacy of their own bedroom
>>
>> A
>>
>>
>>
>>> -----Original Message-----
>>> From: iesg-bounces@ietf.org [mailto:iesg-bounces@ietf.org] On Behalf
>>> Of Susan Hares
>>> Sent: 17 July 2012 16:34
>>> To: 'John G. Scudder'; stbryant@cisco.com
>>> Cc: secdir@ietf.org; 'Murphy, Sandra'; idr-chairs@tools.ietf.org;
>> iesg@ietf.org;
>>> 'Catherine Meadows'; draft-ietf-idr-rfc4893bis.all@tools.ietf.org
>>> Subject: RE: Spam:*******, Secdir Review of
>>> draft-ietf-idr-rfc4893bis-07
>> (resend
>>> of a resend)
>>>
>>> John and Stuart:
>>>
>>> This is an acceptable text, and we can go on with this draft.
>>>
>>> However,  my question to Catherine was substantive.  I wish to discuss
>>> with the Routing AD(s), Security people, and Benoit/Ron to understand
>>> the Routing/Operational issues.
>>>
>>> "Must Not" configure is unrealistic.  People misconfigure. Yankee
>>> Group and other research houses places have indicated year-on-year
>>> 15-30% outages are caused by this misconfigured.  It's like the statement
>>> "stuff happens."
>>> Stating "Must not" is like spitting into the wind.  You end up with
>>> stuff on your face.  What is the security area stating?  How does this
>>> review match with the path validation/security in SIDR.
>>>
>>> Can we get Catherine or other security people to respond to my question?
>>> Cross-area review is useful to find holes in our process and our
>>> assumptions.  I want to make sure I understand the valuable technical
>>> feedback the security review is providing.
>>>
>>>
>>> Sue
>>>
>>> -----Original Message-----
>>> From: John G. Scudder [mailto:jgs@juniper.net]
>>> Sent: Tuesday, July 17, 2012 10:38 AM
>>> To: stbryant@cisco.com
>>> Cc: idr-chairs@tools.ietf.org; 'Catherine Meadows'; iesg@ietf.org;
>>> secdir@ietf.org; draft-ietf-idr-rfc4893bis.all@tools.ietf.org;
>>> 'Murphy, Sandra'
>>> Subject: Re: Spam:*******, Secdir Review of
>>> draft-ietf-idr-rfc4893bis-07 (resend of a resend)
>>>
>>> Stewart,
>>>
>>> I'm fine with the text you propose.
>>>
>>> (I do find it a little odd to have this text -- either old or new --
>>> in the Security section since routing loops aren't normally thought of
>>> as a security issue unless maliciously triggered -- which this one
>>> isn't described as being. So I would also be fine with changing the
>>> text but moving it to a different section. But that is quibbling.)
>>>
>>> --John
>>>
>>> On Jul 17, 2012, at 12:24 AM, Stewart Bryant wrote:
>>>
>>>> Sue, John,
>>>>
>>>> Is there any reason not to reword the text concerned to more
>>>> conventional format:
>>>>
>>>> OLD
>>>> It is a misconfiguration to assign a non-mappable four-octet AS
>>>>    number as the "Member AS Number" in a BGP confederation before all
>>>>    the BGP speakers within the confederation have transitioned to
>>>>    support four-octet AS numbers.  Such a misconfiguration would weaken
>>>>    the AS path loop detection within a confederation.
>>>>
>>>> NEW
>>>>
>>>> A network operator MUST NOT assign a non-mappable four-octet AS
>>>> number as the "Member AS Number" in a BGP confederation before all
>>>> the BGP speakers within the confederation have transitioned to
>>>> support four-octet AS numbers, as such an assignment would weaken
>>>> the AS path loop detection within a confederation.
>>>>
>>>> Stewart
>>>>
>>>> On 17/07/2012 00:28, Susan Hares wrote:
>>>>> Catherine:
>>>>>
>>>>> I've read and re-read this email for a week (7/9 - 7/16).
>>>>>
>>>>> Misconfiguration is a fact of life in networks.  Security profiles
>>>>> must
>>> deal with this point.  We can all say you should not misconfigure
>>> networks - but life happens.  Therefore,  I'm confused by your
>>> question.  I would consider it is just a security event the authors
>> pointing happens.
>>>>> On your second comment
>>>>>
>>>>> "I would also expect that the chance of routing loops arising out
>>>>> conversion from 4-octet to 2-octet occurring between confederations
>>>>> would be much less than of their occurring within a confederation
>>>>> (although one can't know for sure without knowing what the 4-octet
>>>>> to 2-octet mapping is), so following the recommendations in the
>>>>> Security Considerations would greatly reduce the probability of
>>>>> such a routing loop occurring.  Is this correct? "
>>>>>
>>>>> It depends if someone configures a confederation within a
>> confederation.
>>> [see earlier comment on mis-configuration.] I've copied Sandy Murphy
>>> in case as SIDR chair can put this discussion into a different
>>> "security" specific light.
>>>>> Confused,
>>>>>
>>>>> Sue
>>>>>
>>>>>
>>>>> From: Catherine Meadows [mailto:catherine.meadows@nrl.navy.mil]
>>>>> Sent: Monday, July 09, 2012 2:25 PM
>>>>> To: iesg@ietf.org; secdir@ietf.org;
>>>>> draft-ietf-idr-rfc4893bis.all@tools.ietf.org
>>>>> Cc: Catherine Meadows
>>>>> Subject: Spam:*******, Secdir Review of
>>>>> draft-ietf-idr-rfc4893bis-07 (resend of a resend)
>>>>>
>>>>> I managed to screw up the email address again.  Here it is for what
>>>>> I
>>> hope is the last time.
>>>>> My apologies again to everyone who receives *three* copies of this
>>> message.
>>>>> I have reviewed this document as part of the security directorate's
>>>>> ongoing effort to review all IETF documents being processed by the
>>>>> IESG.  These comments were written primarily for the benefit of the
>>>>> security area directors.  Document editors and WG chairs should
>>>>> treat these comments just like any other last call comments.
>>>>>
>>>>> This document describes an added capability for four-octet
>>>>> Autonomous System
>>>>> (AS) numbers in BGP.  This is intended to  replace the older
>>>>> two-octet AS numbers, since that space is filling up.
>>>>>
>>>>> In order to preserve backward compatibility, AS's using the
>>>>> four-octet systems (called New BGP speakers in the document) must
>>> advertise both four-octet and two-octet AS numbers.
>>>>> This is the case even if the New BGP Speaker does not have a
>>>>> globally
>>> unique two-octet number.
>>>>> The document says that in this case the two-octet number is
>>>>> obtained by mapping the four-octet number to the two-octet space.
>>>>> The procedure
>>> for doing this is not specified.
>>>>> The authors identify a risk of routing loops developing when
>>>>> ambiguities develops as a result of a BGP speaker using the old
>>>>> system aggregating two or more routes carrying 4-octet attributes.
>>>>> In the Security Configurations Section, the authors point out that
>>>>> an attacker might be able to exploit this in a denial of service
>> attack.
>>>>> They point out that it is a misconfiguration to assign 4-octet
>>>>> Member AS
>>> Numbers in a BGP confederation until all BGP speakers within the
>>> confederation have transitioned to support 4-octet numbers.
>>>>> I think that this is a good recommendation.  I just have a couple
>>>>> of
>>> minor comments.
>>>>> It's not clear to me what the status of "misconfiguration" is in
>>>>> the
>>> hierarchy of IETF.
>>>>> Is it more like SHALL NOT or SHOULD NOT?  Is there a reason why
>>>>> you're saying "misconfiguration" instead of one of those?
>>>>>
>>>>> I would also expect that the chance of routing loops arising out
>>>>> conversion from 4-octet to 2-octet occurring between confederations
>>>>> would be much less than of their occurring within a confederation
>>>>> (although one can't know for sure without knowing what the 4-octet
>>>>> to 2-octet mapping is), so following the recommendations in the
>>>>> Security
>>> Considerations would greatly reduce the probability of such a routing
>>> loop occurring.  Is this correct?
>>>>> Cathy Meadows
>>>>> Catherine Meadows
>>>>> Naval Research Laboratory
>>>>> Code 5543
>>>>> 4555 Overlook Ave., S.W.
>>>>> Washington DC, 20375
>>>>> phone: 202-767-3490
>>>>> fax: 202-404-7942
>>>>> email: catherine.meadows@nrl.navy.mil

From Sandra.Murphy@sparta.com  Tue Jul 17 10:10:21 2012
From: "Murphy, Sandra" <Sandra.Murphy@sparta.com>
To: Catherine A Meadows <meadows@itd.nrl.navy.mil>, Susan Hares <shares@ndzh.com>
Thread-Topic: [secdir] Spam:*******,	Secdir Review of draft-ietf-idr-rfc4893bis-07 (resend of a resend)
Thread-Index: AQHNZDlkVkR3CiI/FU+b6CcBlhRHaZctr6Bb
Date: Tue, 17 Jul 2012 17:11:03 +0000
Message-ID: <24B20D14B2CD29478C8D5D6E9CBB29F625F32E50@Hermes.columbia.ads.sparta.com>
References: <9BA4B53E-9772-47D4-B336-3A98FAEB4045@nrl.navy.mil> <005401cd63aa$baeac2b0$30c04810$@ndzh.com>	<5005132E.9000000@cisco.com> <F71E3EEE-3082-47F9-961C-7B78EED4A4A6@juniper.net> <001301cd6431$87944a30$96bcde90$@ndzh.com> <079e01cd6433$00f04b30$02d0e190$@olddog.co.uk> <001701cd6433$6f7fd250$4e7f76f0$@ndzh.com> <50058CE0.5010108@cisco.com>, <A1419349-1781-4787-9273-4C9766154BC2@itd.nrl.navy.mil>
In-Reply-To: <A1419349-1781-4787-9273-4C9766154BC2@itd.nrl.navy.mil>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.185.63.118]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "secdir@ietf.org" <secdir@ietf.org>, "idr-chairs@tools.ietf.org" <idr-chairs@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "adrian@olddog.co.uk" <adrian@olddog.co.uk>, "John G. Scudder" <jgs@juniper.net>, "draft-ietf-idr-rfc4893bis.all@tools.ietf.org" <draft-ietf-idr-rfc4893bis.all@tools.ietf.org>, "stbryant@cisco.com" <stbryant@cisco.com>
Subject: Re: [secdir] Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07 (resend of a resend)

I agree with the sentiment that misconfigurations can not be forbidden.
An approach that outlined the results of such misbehavior as Adrian
mentioned is OK with me, particularly if there's no way to prevent it.
(SIDR work for path validation would prevent it, I think.)

To John: if a behavior causes damage, I do not believe that attempting
to characterize it as accidental/misconfiguration vs malicious is
useful.  Would you be happy with a security protection that prevented
malicious behavior but not accidents?  (If such a thing were possible.)
In this case, deliberate mis-configuration is just as easy as accidental
misconfiguration and the same harm.

To Catherine: the mapping from 4-byte to 2-byte and vice versa is in
section 3, the last two paragraphs.  John and Sue: is there an
implication in "which are not mapped from two-octets" that if you have a
mappable 4 byte AS number you just use the two-byte mapping of your 4
byte ASN rather than the AS_TRANS?

To John and Sue:  In section 4.1:

  The new attributes, AS4_PATH and AS4_AGGREGATOR MUST NOT be carried
   in an UPDATE message between NEW BGP speakers.  A NEW BGP speaker
   that receives the AS4_PATH attribute or the AS4_AGGREGATOR attribute
   in an UPDATE message from another NEW BGP speaker MUST discard the
   path attribute and continue processing the UPDATE message.

wrt "MUST discard the path attribute" - *which* path attribute?  AS_PATH
or AS4_PATH?  I presume AS4_PATH, as that is what the paragraph says is
forbidden.

To Sue: wrt confeds within confeds.  In the SIDR consideration of
confeds, the statement was made that no one nests confeds.  Does your
experience differ?  The answer is important to the work we're doing.

To John&Sue: I'm confused about the loop problem.  If a 4byteASN had a
2byteASN neighbor, that would result in AS_TRANS in the AS_PATH that the
2byteASN would receive.   If the update was propagated to another
4byteASN, it would use the AS4_PATH to remap the AS_TRANS to the right
4byteASN and could detect loops.  If the update propagated to a
2byteASN, there might be multiple appearances of AS_TRANS, which might
look like a loop but would not actually be a loop (the update propagated
through multiple 4byteASNs at different points.).  I'm not certain what
implementations do.  The not-really-a-loop would not involve the
receiving 2byteASN (unless it had been misconfigured with AS_TRANS as
MyASN!).  Do implementations look further back in the AS_PATH as a
clean-up activity?  Is the DOS that the 2byteASNs might be dropping
updates that were actually well-formed?  Sounds similar to the first
problem with AS4_PATH that caused remote session cancellation, in this
case it would be remote update drop.

--Sandy
________________________________________
From: secdir-bounces@ietf.org [secdir-bounces@ietf.org] on behalf of Catherine A Meadows [meadows@itd.nrl.navy.mil]
Sent: Tuesday, July 17, 2012 12:28 PM
To: Susan Hares
Cc: secdir@ietf.org; Murphy, Sandra; idr-chairs@tools.ietf.org; iesg@ietf.org; John G. Scudder; adrian@olddog.co.uk; draft-ietf-idr-rfc4893bis.all@tools.ietf.org; Catherine A Meadows; stbryant@cisco.com
Subject: Re: [secdir] Spam:*******,     Secdir Review of draft-ietf-idr-rfc4893bis-07 (resend of a resend)

Hi  Susan:

My apologies for not responding earlier.  I had been away from my email
while traveling.

My question was not so much intended to recommend specific wording.  It
was simply that I didn't understand what "misconfiguration" meant in
this context, because it isn't the usual terminology used in IETF
documents.  But as I understand it from the discussion,  configurations
are not really part of the standard, so we can't mandate them, and
because of that, this is to be downgraded to a recommendation, as well
as being removed from the security consideration section.   So that
answers my question.

As I understand from the discussion, the security risk of looping only
is an issue if an attacker can cause it to happen, in which case it can
be used in a DOS attack.  So if there is no way an attacker could cause
this looping to happen, I'm happy to have it removed from the Security
Considerations section.  Otherwise, I'd recommend you refer to it in the
Security Considerations section (even if it is described in detail in
another section).

As to my other question, if there is no straightforward answer to it,
there's no reason to discuss it in the document.

Hope this helps,

Cathy
_______________________________________________=0A=
secdir mailing list=0A=
secdir@ietf.org=0A=
https://www.ietf.org/mailman/listinfo/secdir=0A=
wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview=0A=

From julien.ietf@gmail.com  Tue Jul 17 10:22:09 2012
Return-Path: <julien.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CED2121F863E; Tue, 17 Jul 2012 10:22:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level: 
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dx5RRnTA6MTg; Tue, 17 Jul 2012 10:22:07 -0700 (PDT)
Received: from mail-pb0-f44.google.com (mail-pb0-f44.google.com [209.85.160.44]) by ietfa.amsl.com (Postfix) with ESMTP id 9A74221F862F; Tue, 17 Jul 2012 10:22:07 -0700 (PDT)
Received: by pbcwy7 with SMTP id wy7so1159046pbc.31 for <multiple recipients>; Tue, 17 Jul 2012 10:22:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=+/xKPjJbDGOwuIW50IFtln7lZAktrcZbZtcXhQ1b+rM=; b=j8vLj2EDTIAsRT2Q/6TPWyMGWfADnuWOIrfRbgIJ9geJX5g/t9CilkBIFI97fEKs/7 KyZyLeT7bPoVuB884/CLYr8F2DTAWQg3NoTRaFuZLUs3/MZxyk18QhZQNx5lb0487+xv ovQIVDSUdrb4pXCmkhsvS8YpqD5qE/EaDQ9qhrQCj7I9KWddPmAZUwSXesCYNP+YA1nD d0fhgZ4YpmpN08FZPt8R2pz+b/Tx7XgyTpKTTMm7Vio8WoCrHTF6KEK3MjTnFyzZo+Dm jMN9kQPkrv9hlsRJfDpJU/CKzDUjtDng+pMY0bSZeLVteTnhKy/ludkIQ4Bk/aNtlF+j t7pQ==
MIME-Version: 1.0
Received: by 10.68.193.195 with SMTP id hq3mr451824pbc.30.1342545775339; Tue, 17 Jul 2012 10:22:55 -0700 (PDT)
Received: by 10.68.138.137 with HTTP; Tue, 17 Jul 2012 10:22:55 -0700 (PDT)
In-Reply-To: <C03AAF38AD209F4BB02BC0A34B774CE70BF510@G2W2446.americas.hpqcorp.net>
References: <CAE_dhjvtKqfgJF+vjp1un_672sEZ_gw-6q6N_RsCsYgmrjr36g@mail.gmail.com> <CAE_dhjsgQZoC4_4jJ14JVKrp_ajjOfbbo9iTgp0XsK91mVozDw@mail.gmail.com> <C03AAF38AD209F4BB02BC0A34B774CE70B75F3@G2W2446.americas.hpqcorp.net> <16AA6D76-A64E-4191-B874-B4C84EDB286F@ericsson.com> <C03AAF38AD209F4BB02BC0A34B774CE70BF510@G2W2446.americas.hpqcorp.net>
Date: Tue, 17 Jul 2012 10:22:55 -0700
Message-ID: <CAE_dhjuvs48V1hoFeRya8a3f2Jq-asJXxDwB8L_rVEyqGD9vQA@mail.gmail.com>
From: Julien Laganier <julien.ietf@gmail.com>
To: "Retana, Alvaro" <alvaro.retana@hp.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: "secdir@ietf.org" <secdir@ietf.org>, Yi Yang <yiya@cisco.com>, Acee Lindem <acee.lindem@ericsson.com>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-ospf-prefix-hiding.all@tools.ietf.org" <draft-ietf-ospf-prefix-hiding.all@tools.ietf.org>, Abhay Roy <akr@cisco.com>
Subject: Re: [secdir] SecDir review of draft-ietf-ospf-prefix-hiding-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2012 17:22:09 -0000

Thank you Alvaro. With the new text it is much clearer to me how the
proposal improves security. I have no further concerns.

--julien

On Tue, Jul 10, 2012 at 10:37 AM, Retana, Alvaro <alvaro.retana@hp.com> wrote:
> Julien:
>
> To make sure that your concerns are clarified, I wrote in some new
> information in the Security Considerations section.   Please see below
> and let me know if you still have concerns.  We'll publish an update
> before the deadline on Monday (Jul/9).
>
> Thanks!!
>
> Alvaro.
>
> [Note: the 2 middle paragraphs are new.]
>
> 8. Security Considerations
>
> One motivation for this document is to reduce remote attack
> vulnerability by hiding transit-only networks.  The result should then
> be that fewer OSPF core networks will be exposed to un-authorized access.
>
> The mechanisms described above result in reachability information from
> transit-only networks not being installed in the routers' forwarding
> tables.  The effect is that even if the address of a transit-only
> network is known, the forwarding information is not present in the
> routers to reach the destination.  Also, in some cases the address
> information is completely omitted from the LSA.
>
> Some information in the LSA (such as the OSPF Router ID) cannot be
> omitted.  Even though the Router ID is usually taken from an IP address
> on the router, the configuration can be easily changed.  Note again that
> having an address doesn't guarantee reachability if the information is
> hidden from the forwarding tables.
>
> While the steps described in this document are meant to be applied to
> transit-only networks ONLY, they could be used to hide other networks as
> well.  It is expected that the same care that users put on the
> configuration of other routing protocol parameters is used in the
> configuration of this extension.
>
>
>> -----Original Message-----
>> From: Acee Lindem [mailto:acee.lindem@ericsson.com]
>> Sent: Friday, July 06, 2012 9:33 PM
>> To: Retana, Alvaro
>> Cc: Julien Laganier; Yi Yang; Abhay Roy; secdir@ietf.org;
>> draft-ietf-ospf-prefix-hiding.all@tools.ietf.org; iesg@ietf.org
>> Subject: Re: SecDir review of draft-ietf-ospf-prefix-hiding-04
>>
>> Actually, with this draft, the OSPF LSAs do not necessarily contain any
>> IP addresses - only topology information. The OSPF Router ID certainly
>> doesn't have to be a routable IP address and can be explicitly
>> configured to avoid the default of configured address selection
>> supported by most implementations.
>> Thanks,
>> Acee
>>
>> On Jul 6, 2012, at 4:50 PM, Retana, Alvaro wrote:
>>
>> > Julien:
>> >
>> > Hi!
>> >
>> > [Thanks for forwarding.]
>> >
>> > In short, avoiding installation of the routing information (even if
>> > still carried in the LSAs) means that the routers don't have forwarding
>> > information to reach a specific transit interface.  IOW, even if you
>> > know my IP address you can't send me a packet (if you're more than one
>> > hop away).
>> >
>> > We'll expand on the security considerations.
>> >
>> > Thanks!!
>> >
>> > Alvaro.
>> >
>> >> -----Original Message-----
>> >> From: Julien Laganier [mailto:julien.ietf@gmail.com]
>> >> Sent: Friday, July 06, 2012 4:00 PM
>> >> To: Retana, Alvaro
>> >> Subject: Fwd: SecDir review of draft-ietf-ospf-prefix-hiding-04
>> >>
>> >> FYI.
>> >>
>> >>
>> >> ---------- Forwarded message ----------
>> >> From: Julien Laganier <julien.ietf@gmail.com>
>> >> Date: Fri, Jul 6, 2012 at 12:44 PM
>> >> Subject: SecDir review of draft-ietf-ospf-prefix-hiding-04
>> >> To: secdir@ietf.org, draft-ietf-ospf-prefix-hiding.all@tools.ietf.org,
>> >> The IESG <iesg@ietf.org>
>> >>
>> >>
>> >> I have reviewed this document as part of the security directorate's
>> >> ongoing effort to review all IETF documents being processed by the
>> >> IESG.  These comments were written primarily for the benefit of the
>> >> security area directors.  Document editors and WG chairs should
>> >> treat these comments just like any other last call comments.
>> >>
>> >> Disclaimer: I am no routing or OSPF expert and might be missing
>> >> something obvious...
>> >>
>> >> According to its abstract the draft describes a mechanism that
>> >> allows hiding transit-only networks in OSPF:
>> >>
>> >>  A transit-only network is defined as a network connecting routers
>> >>  only.  In OSPF, transit-only networks are usually configured with
>> >>  routable IP addresses, which are advertised in Link State
>> >>  Advertisements (LSAs) but not needed for data traffic.  In
>> >>  addition, remote attacks can be launched against routers by sending
>> >>  packets to these transit-only networks.  This document presents a
>> >>  mechanism to hide transit-only networks to speed up network
>> >>  convergence and minimize remote attack vulnerability.
>> >>
>> >> While the desire to speed up the network convergence is probably
>> >> obvious and not of concern, I think the document and its security
>> >> considerations section in particular could do a better job at
>> >> explaining what the mechanism achieves in terms of minimizing remote
>> >> attack vulnerability.
>> >>
>> >> As per my understanding, the proposed mechanism essentially removes
>> >> the subnet / netmask information from Link State Advertisements, but
>> >> these still contain the routers' IP addresses.
>> >>
>> >> It is not clear to me how removing the subnet / netmask information
>> >> actually minimizes the risk of remote attacks.
>> >>
>> >> First of all, the type of remote attacks that are minimized should be
>> >> made more explicit. What is the target of the remote attacks? Is it
>> >> any address in the subnet? Or the address of a router? If the latter,
>> >> then it is not clear how the mechanism actually improves -- the
>> >> router's IP addresses are still in the LSAs so presumably an attacker
>> >> can still launch remote attacks on these addresses, no? If the
>> >> former, then it is not clear how effective is omission of the subnet
>> >> in avoiding attacks against addresses within that subnet -- addresses
>> >> in the (unknown) subnet can still be inferred from addresses of the
>> >> routers, no? Or is it the case that the LSAs containing the IP
>> >> addresses of the routers will not be propagated outside of an area
>> >> that the attacker has no access to?
>> >>
>> >> Expanding the security considerations might help answering these
>> >> questions...
>> >>
>> >> --julien
>

From shares@ndzh.com  Tue Jul 17 10:45:39 2012
Return-Path: <shares@ndzh.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CD3A21F865D; Tue, 17 Jul 2012 10:45:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000,  BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8PSgcHXoPUNB; Tue, 17 Jul 2012 10:45:37 -0700 (PDT)
Received: from hickoryhill-consulting.com (hhc-web.hickoryhill-consulting.com [64.9.205.140]) by ietfa.amsl.com (Postfix) with ESMTP id 4690B21F865C; Tue, 17 Jul 2012 10:45:37 -0700 (PDT)
X-Default-Received-SPF: pass (skip=forwardok (res=PASS)) x-ip-name=63.133.198.20; 
Received: from SKH2012HPLT (unverified [63.133.198.20])  by hickoryhill-consulting.com (SurgeMail 5.2a) with ESMTP id 3461246-1945496 for multiple; Tue, 17 Jul 2012 13:46:22 -0400
From: "Susan Hares" <shares@ndzh.com>
To: "'Murphy, Sandra'" <Sandra.Murphy@sparta.com>, "'Catherine A Meadows'" <meadows@itd.nrl.navy.mil>
References: <9BA4B53E-9772-47D4-B336-3A98FAEB4045@nrl.navy.mil>	<005401cd63aa$baeac2b0$30c04810$@ndzh.com>	<5005132E.9000000@cisco.com>	<F71E3EEE-3082-47F9-961C-7B78EED4A4A6@juniper.net>	<001301cd6431$87944a30$96bcde90$@ndzh.com>	<079e01cd6433$00f04b30$02d0e190$@olddog.co.uk>	<001701cd6433$6f7fd250$4e7f76f0$@ndzh.com>	<50058CE0.5010108@cisco.com>, <A1419349-1781-4787-9273-4C9766154BC2@itd.nrl.navy.mil> <24B20D14B2CD29478C8D5D6E9CBB29F625F32E50@Hermes.columbia.ads.sparta.com>
In-Reply-To: <24B20D14B2CD29478C8D5D6E9CBB29F625F32E50@Hermes.columbia.ads.sparta.com>
Date: Tue, 17 Jul 2012 13:46:11 -0400
Message-ID: <006201cd6444$13a003e0$3ae00ba0$@ndzh.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJKmuJjwEjeN+Alq24qu8oI3WgY1gDXd0BoAZu+ckcBR6c4qgLA7GuwApI1dQsB3roKPQK/Vk/KAgp26fgBRrWdLZWrZR2g
Content-Language: en-us
X-Authenticated-User: skh@ndzh.com 
Cc: secdir@ietf.org, idr-chairs@tools.ietf.org, iesg@ietf.org, adrian@olddog.co.uk, "'John G. Scudder'" <jgs@juniper.net>, draft-ietf-idr-rfc4893bis.all@tools.ietf.org, stbryant@cisco.com
Subject: Re: [secdir] Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07 (resend of a resend)
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2012 17:45:39 -0000

Sandy and John: 

For just my input:

1. Adrian's behavior - ok with me
2.  security - Glad to hear from chance and malicious misconfiguration in
this view 
3. "not mapped from two octets" - your assumption from the draft - below
matches my understanding;  I'll wait for John's comment.  Maybe my memory is
failing (smile). 

John and Sue: is there an implication in "which are not mapped from
two-octets" that if you have a mappable 4 byte AS number you just use the
two-byte mapping of your 4 byte ASN rather than the AS_TRANS?

4. Agreed it is unclear.  My understanding is that it is AS4_PATH and/or
AS4_AGGREGATOR. 

To John and Sue:  In section 4.1:

  The new attributes, AS4_PATH and AS4_AGGREGATOR MUST NOT be carried
   in an UPDATE message between NEW BGP speakers.  A NEW BGP speaker
   that receives the AS4_PATH attribute or the AS4_AGGREGATOR attribute
   in an UPDATE message from another NEW BGP speaker MUST discard the
   path attribute and continue processing the UPDATE message.

wrt "MUST discard the path attribute" - *which* path attribute?  AS_PATH or
AS4_PATH?  I presume AS4_PATH, as that is what the paragraph says is
forbidden.

- Again,  I will await John and the authors (Enke) for additional comments. 

Thank you for taking time to review this draft.

Sue Hares


-----Original Message-----
From: Murphy, Sandra [mailto:Sandra.Murphy@sparta.com] 
Sent: Tuesday, July 17, 2012 1:11 PM
To: Catherine A Meadows; Susan Hares
Cc: secdir@ietf.org; idr-chairs@tools.ietf.org; iesg@ietf.org; John G.
Scudder; adrian@olddog.co.uk; draft-ietf-idr-rfc4893bis.all@tools.ietf.org;
stbryant@cisco.com
Subject: RE: [secdir] Spam:*******, Secdir Review of
draft-ietf-idr-rfc4893bis-07 (resend of a resend)

I agree with the sentiment that misconfigurations can not be forbidden.  An
approach that outlined the results of such misbehavior as Adrian mentioned
is OK with me, particularly if there's no way to prevent it.  (SIDR work for
path validation would prevent it, I think.)

To John: if a behavior causes damage, I do not believe that attempting to
characterize it as accidental/misconfiguration vs malicious is useful.
Would you be happy with a security protection that prevented malicious
behavior but not accidents?  (If such a thing were possible.)  In this case,
deliberate mis-configuration is just as easy as accidental misconfiguration
and the same harm.

To Catherine: the mapping from 4-byte to 2-byte and vice versa is in section
3, the last two paragraphs.  John and Sue: is there an implication in "which
are not mapped from two-octets" that if you have a mappable 4 byte AS number
you just use the two-byte mapping of your 4 byte ASN rather than the
AS_TRANS?

To John and Sue:  In section 4.1:

  The new attributes, AS4_PATH and AS4_AGGREGATOR MUST NOT be carried
   in an UPDATE message between NEW BGP speakers.  A NEW BGP speaker
   that receives the AS4_PATH attribute or the AS4_AGGREGATOR attribute
   in an UPDATE message from another NEW BGP speaker MUST discard the
   path attribute and continue processing the UPDATE message.

wrt "MUST discard the path attribute" - *which* path attribute?  AS_PATH or
AS4_PATH?  I presume AS4_PATH, as that is what the paragraph says is
forbidden.

To Sue: wrt confeds within confeds.  In the SIDR consideration of confeds,
the statement was made that no one nests confeds.  Does your experience
differ?  The answer is important to the work we're doing.

To John&Sue: I'm confused about the loop problem.  If a 4byteASN had a
2byteASN neighbor, that would result in AS_TRANS in the AS_PATH that the
2byteASN would receive.   If the update was propagated to another 4byteASN,
it would use the AS4_PATH to remap the AS_TRANS to the right 4byteASN and
could detect loops.  If the update propagated to a 2byteASN, there might be
multiple appearances of AS_TRANS, which might look like a loop but would not
actually be a loop (the update propagated through multiple 4byteASNs at
different points.).  I'm not certain what implementations do.  The
not-really-a-loop would not involve the receiving 2byteASN (unless it had
been misconfigured with AS_TRANS as MyASN!).  Do implementations look
further back in the AS_PATH as a clean-up activity?  Is the DOS that the
2byteASNs might be dropping updates that were actually well-formed?  Sounds
similar to the first problem with AS4_PATH that caused remote session
cancellation, in this case it would be remote update drop.

--Sandy
________________________________________
From: secdir-bounces@ietf.org [secdir-bounces@ietf.org] on behalf of
Catherine A Meadows [meadows@itd.nrl.navy.mil]
Sent: Tuesday, July 17, 2012 12:28 PM
To: Susan Hares
Cc: secdir@ietf.org; Murphy, Sandra; idr-chairs@tools.ietf.org;
iesg@ietf.org; John G. Scudder; adrian@olddog.co.uk;
draft-ietf-idr-rfc4893bis.all@tools.ietf.org; Catherine A Meadows;
stbryant@cisco.com
Subject: Re: [secdir] Spam:*******,     Secdir Review of
draft-ietf-idr-rfc4893bis-07 (resend of a resend)

Hi  Susan:

My apologies for not responding earlier.  I had been away from my email
while traveling.

My question was not so much intended to recommend specific wording.  It was
simply that I didn't understand what "misconfiguration" meant in this
context, because it isn't the usual terminology used in IETF documents.  But
as I understand it from the discussion,  configurations are not really part
of the standard, so we can't mandate them, and because of that, this is to
be downgraded to a recommendation, as well as
being removed from the security consideration section.   So that answers my
question.


As I understand from the discussion, the security risk of looping only is an
issue if an attacker can cause it to happen, in which case it can be used in
a DOS attack.  So if there is no way an attacker could cause this looping to
happen, I'm happy to have it removed from the Security Considerations
section.  Otherwise, I'd recommend you refer to it in the Security
Considerations section (even if it is described in detail in another
section).

As to my other question, if there is no straightforward answer to it,
there's no reason to discuss it in the document.

Hope this helps,

Cathy




On Jul 17, 2012, at 12:03 PM, Stewart Bryant wrote:

> It seems like a good suggestion to me
>
> Stewart
>
> On 17/07/2012 16:47, Susan Hares wrote:
>> Adrian:
>>
>> 100% agree with your viewpoint and next steps.
>>
>> John and Stuart - can we change to this view point.
>>
>> Sue
>>
>> -----Original Message-----
>> From: Adrian Farrel [mailto:adrian@olddog.co.uk]
>> Sent: Tuesday, July 17, 2012 11:44 AM
>> To: 'Susan Hares'; 'John G. Scudder'; stbryant@cisco.com
>> Cc: secdir@ietf.org; 'Murphy, Sandra'; idr-chairs@tools.ietf.org; 
>> iesg@ietf.org; 'Catherine Meadows'; 
>> draft-ietf-idr-rfc4893bis.all@tools.ietf.org
>> Subject: RE: Spam:*******, Secdir Review of 
>> draft-ietf-idr-rfc4893bis-07 (resend of a resend)
>>
>> IMHO, you are right Sue. Stating "MUST NOT" in a specification does 
>> not prevent something from happening.
>> Using "MUST NOT" for a specification is fine because we can test for 
>> conformance to that and strike an implementation that does not 
>> respect the language.
>> Using "MUST NOT" in a description of an operator process is not as 
>> strong or useful.
>>
>> I think that "weakening" loop detection is a bad thing, but it is 
>> also a price an operator might want to pay to get moved to 4byte AS 
>> numbers quickly when a few corner boxes might take another 12 months to
>> be upgraded.
>>
>> I agree with John that the text is not security-related.
>>
>> So, I would rephrase and reposition the text.
>> - Do explain the risk of switching to 4bytes before everyone is upgraded.
>> - Do explain the boundaries to the risk
>> - Do expect operators to consider the implications
>> - Don't mandate what an operator does in the privacy of their own 
>> bedroom
>>
>> A
>>
>>
>>
>>> -----Original Message-----
>>> From: iesg-bounces@ietf.org [mailto:iesg-bounces@ietf.org] On Behalf 
>>> Of Susan Hares
>>> Sent: 17 July 2012 16:34
>>> To: 'John G. Scudder'; stbryant@cisco.com
>>> Cc: secdir@ietf.org; 'Murphy, Sandra'; idr-chairs@tools.ietf.org;
>> iesg@ietf.org;
>>> 'Catherine Meadows'; draft-ietf-idr-rfc4893bis.all@tools.ietf.org
>>> Subject: RE: Spam:*******, Secdir Review of
>>> draft-ietf-idr-rfc4893bis-07
>> (resend
>>> of a resend)
>>>
>>> John and Stuart:
>>>
>>> This is an acceptable text, and we can go on with this draft.
>>>
>>> However,  my question to Catherine was substantive.  I wish to 
>>> discuss with the Routing AD(s), Security people, and Benoit/Ron to 
>>> understand the Routing/Operational issues.
>>>
>>> "Must Not" configure is unrealistic.  People misconfigure. Yankee
>>> Group and other research houses places have indicated year-on-year
>>> 15-30% outages are caused by this misconfigured.  It's like the
>>> statement "stuff happens."
>>> Stating "Must not" is like spitting into the wind.  You end up with
>>> stuff on your face.  What is the security area stating?  How does
>>> this review match with the path validation/security in SIDR?
>>>
>>> Can we get Catherine or other security people to respond to my question?
>>> Cross-area review is useful to find holes in our process and our
>>> assumptions.  I want to make sure I understand the valuable 
>>> technical feedback the security review is providing.
>>>
>>>
>>> Sue
>>>
>>> -----Original Message-----
>>> From: John G. Scudder [mailto:jgs@juniper.net]
>>> Sent: Tuesday, July 17, 2012 10:38 AM
>>> To: stbryant@cisco.com
>>> Cc: idr-chairs@tools.ietf.org; 'Catherine Meadows'; iesg@ietf.org; 
>>> secdir@ietf.org; draft-ietf-idr-rfc4893bis.all@tools.ietf.org;
>>> 'Murphy, Sandra'
>>> Subject: Re: Spam:*******, Secdir Review of
>>> draft-ietf-idr-rfc4893bis-07 (resend of a resend)
>>>
>>> Stewart,
>>>
>>> I'm fine with the text you propose.
>>>
>>> (I do find it a little odd to have this text -- either old or new -- 
>>> in the Security section since routing loops aren't normally thought
>>> of as a security issue unless maliciously triggered -- which this 
>>> one isn't described as being. So I would also be fine with changing 
>>> the text but moving it to a different section. But that is 
>>> quibbling.)
>>>
>>> --John
>>>
>>> On Jul 17, 2012, at 12:24 AM, Stewart Bryant wrote:
>>>
>>>> Sue, John,
>>>>
>>>> Is there any reason not to reword the text concerned to more 
>>>> conventional format:
>>>>
>>>> OLD
>>>> It is a misconfiguration to assign a non-mappable four-octet AS
>>>>    number as the "Member AS Number" in a BGP confederation before all
>>>>    the BGP speakers within the confederation have transitioned to
>>>>    support four-octet AS numbers.  Such a misconfiguration would weaken
>>>>    the AS path loop detection within a confederation.
>>>>
>>>> NEW
>>>>
>>>> A network operator MUST NOT assign a non-mappable four-octet AS 
>>>> number as the "Member AS Number" in a BGP confederation before all 
>>>> the BGP speakers within the confederation have transitioned to 
>>>> support four-octet AS numbers, as such an assignment would weaken 
>>>> the AS path loop detection within a confederation.
>>>>
>>>> Stewart
>>>>
>>>> On 17/07/2012 00:28, Susan Hares wrote:
>>>>> Catherine:
>>>>>
>>>>> I've read and re-read this email for a week (7/9 - 7/16).
>>>>>
>>>>> Misconfiguration is a fact of life in networks.  Security profiles 
>>>>> must
>>> deal with this point.  We can all say you should not misconfigure 
>>> networks - but life happens.  Therefore,  I'm confused by your 
>>> question.  I would consider it is just a security event the authors
>> pointing happens.
>>>>> On your second comment
>>>>>
>>>>> "I would also expect that the chance of routing loops arising out 
>>>>> conversion from 4-octet to 2-octet occurring between 
>>>>> confederations would be much less than of their occurring within a 
>>>>> confederation (although one can't know for sure without knowing 
>>>>> what the 4-octet to 2-octet mapping is), so following the 
>>>>> recommendations in the Security Considerations would greatly 
>>>>> reduce the probability of such a routing loop occurring.  Is this
>>>>> correct? "
>>>>>
>>>>> It depends if someone configures a confederation within a
>> confederation.
>>> [see earlier comment on mis-configuration.] I've copied Sandy Murphy 
>>> in case as SIDR chair can put this discussion into a different 
>>> "security" specific light.
>>>>> Confused,
>>>>>
>>>>> Sue
>>>>>
>>>>>
>>>>> From: Catherine Meadows [mailto:catherine.meadows@nrl.navy.mil]
>>>>> Sent: Monday, July 09, 2012 2:25 PM
>>>>> To: iesg@ietf.org; secdir@ietf.org; 
>>>>> draft-ietf-idr-rfc4893bis.all@tools.ietf.org
>>>>> Cc: Catherine Meadows
>>>>> Subject: Spam:*******, Secdir Review of
>>>>> draft-ietf-idr-rfc4893bis-07 (resend of a resend)
>>>>>
>>>>> I managed to screw up the email address again.  Here it is for 
>>>>> what I
>>> hope is the last time.
>>>>> My apologies again to everyone who receives *three* copies of this
>>> message.
>>>>> I have reviewed this document as part of the security 
>>>>> directorate's ongoing effort to review all IETF documents being 
>>>>> processed by the IESG.  These comments were written primarily for 
>>>>> the benefit of the security area directors.  Document editors and 
>>>>> WG chairs should treat these comments just like any other last call
>>>>> comments.
>>>>>
>>>>> This document describes an added capability for four-octet 
>>>>> Autonomous System
>>>>> (AS) numbers in BGP.  This is intended to  replace the older 
>>>>> two-octet AS numbers, since that space is filling up.
>>>>>
>>>>> In order to preserve backward compatibility, AS's using the 
>>>>> four-octet systems (called New BGP speakers in the document) must
>>> advertise both four-octet and two-octet AS numbers.
>>>>> This is the case even if the New BGP Speaker does not have a 
>>>>> globally
>>> unique two-octet number.
>>>>> The document says that in this case the two-octet number is 
>>>>> obtained by mapping the four-octet number to the two-octet space.
>>>>> The procedure
>>> for doing this is not specified.
>>>>> The authors identify a risk of routing loops developing when 
>>>>> ambiguities develops as a result of a BGP speaker using the old 
>>>>> system aggregating two or more routes carrying 4-octet attributes.
>>>>> In the Security Configurations Section, the authors point out that 
>>>>> an attacker might be able to exploit this in a denial of service
>> attack.
>>>>> They point out that it is a misconfiguration to assign 4-octet 
>>>>> Member AS
>>> Numbers in a BGP confederation until all BGP speakers within the 
>>> confederation have transitioned to support 4-octet numbers.
>>>>> I think that this is a good recommendation.  I just have a couple 
>>>>> of
>>> minor comments.
>>>>> It's not clear to me what the status of "misconfiguration" is in 
>>>>> the
>>> hierarchy of IETF.
>>>>> Is it more like SHALL NOT or SHOULD NOT?  Is there a reason why 
>>>>> you're saying "misconfiguration" instead of one of those?
>>>>>
>>>>> I would also expect that the chance of routing loops arising out 
>>>>> conversion from 4-octet to 2-octet occurring between 
>>>>> confederations would be much less than of their occurring within a 
>>>>> confederation (although one can't know for sure without knowing 
>>>>> what the 4-octet to 2-octet mapping is), so following the 
>>>>> recommendations in the Security
>>> Considerations would greatly reduce the probability of such a 
>>> routing loop occurring.  Is this correct?
>>>>> Cathy Meadows
>>>>> Catherine Meadows
>>>>> Naval Research Laboratory
>>>>> Code 5543
>>>>> 4555 Overlook Ave., S.W.
>>>>> Washington DC, 20375
>>>>> phone: 202-767-3490
>>>>> fax: 202-404-7942
>>>>> email: catherine.meadows@nrl.navy.mil
>>>>>
>>>>
>>>> --
>>>> For corporate legal information go to:
>>>>
>>>>
>>>> http://www.cisco.com/web/about/doing_business/legal/cri/index.html
>>>>
>>>>
>>>>
>>
>>
>> .
>>
>
>
> --
> For corporate legal information go to:
>
> http://www.cisco.com/web/about/doing_business/legal/cri/index.html

_______________________________________________
secdir mailing list
secdir@ietf.org
https://www.ietf.org/mailman/listinfo/secdir
wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview
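
Added example, not part of any message in this thread: a Python model of the AS_TRANS case Sandy raises above, tracing one UPDATE through OLD (two-octet) and NEW (four-octet) speakers, including the section 4.1 rule that a NEW speaker discards AS4_PATH received from another NEW speaker. The AS numbers and topology are constructed; AS_TRANS is 23456 as reserved by RFC 4893, path reconstruction follows that specification's AS4_PATH rule, and loop detection is assumed to be the plain check for the receiver's own AS number in the path.

```python
AS_TRANS = 23456  # two-octet placeholder for non-mappable four-octet ASNs (RFC 4893)


def is_mappable(asn):
    """A four-octet AS number is mappable if it fits in two octets."""
    return 0 <= asn <= 0xFFFF


def send_to_old(path4):
    """NEW speaker -> OLD peer: return (AS_PATH, AS4_PATH).

    Non-mappable ASNs become AS_TRANS in the two-octet AS_PATH. AS4_PATH
    carries the real four-octet path and is only needed when something
    had to be replaced.
    """
    as_path = [a if is_mappable(a) else AS_TRANS for a in path4]
    as4_path = list(path4) if as_path != list(path4) else None
    return as_path, as4_path


def old_forward(my_asn, as_path, as4_path):
    """OLD speaker: prepend own ASN to AS_PATH, pass AS4_PATH through untouched."""
    return [my_asn] + list(as_path), as4_path


def receive_at_new(as_path, as4_path, peer_is_new):
    """NEW speaker: rebuild the four-octet path from what the peer sent."""
    if peer_is_new or as4_path is None:
        # From a NEW peer AS_PATH is already four-octet; a stray AS4_PATH
        # is discarded and processing continues (section 4.1).
        return list(as_path)
    if len(as_path) < len(as4_path):
        # AS4_PATH longer than AS_PATH cannot be trusted: ignore it.
        return list(as_path)
    # Keep the leading ASNs added by OLD speakers, then splice in AS4_PATH.
    lead = len(as_path) - len(as4_path)
    return list(as_path[:lead]) + list(as4_path)


def has_loop(path, my_asn):
    """Assumed loop check: the receiver's own ASN already appears in the path."""
    return my_asn in path


def trace():
    """Constructed topology:
    NEW 70000 -> OLD 65010 -> NEW 80000 -> OLD 65020 -> back to NEW 70000
    """
    hop1 = send_to_old([70000])                      # 70000 originates
    hop2 = old_forward(65010, *hop1)                 # OLD 65010 relays
    at_80000 = receive_at_new(*hop2, peer_is_new=False)
    hop3 = send_to_old([80000] + at_80000)           # 80000 prepends itself
    old_view = hop3[0]                               # what OLD 65020 sees
    hop4 = old_forward(65020, *hop3)                 # OLD 65020 relays
    at_70000 = receive_at_new(*hop4, peer_is_new=False)
    return {
        "old_65020_sees": old_view,
        "as_trans_count": old_view.count(AS_TRANS),
        "old_65020_loop": has_loop(old_view, 65020),
        "new_80000_path": at_80000,
        "new_70000_path": at_70000,
        "new_70000_loop": has_loop(at_70000, 70000),
    }


if __name__ == "__main__":
    for key, value in trace().items():
        print(f"{key}: {value}")
```

Under these assumptions the OLD speaker sees AS_TRANS twice without matching its own ASN, so the repeated placeholder alone does not trigger the check; the real loop is only recognised once a NEW speaker rebuilds the path from AS4_PATH.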


From jgs@juniper.net  Tue Jul 17 13:43:20 2012
Return-Path: <jgs@juniper.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E2CB21F84C9; Tue, 17 Jul 2012 13:43:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.472
X-Spam-Level: 
X-Spam-Status: No, score=-6.472 tagged_above=-999 required=5 tests=[AWL=0.127,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C0StaCCqoL1I; Tue, 17 Jul 2012 13:43:18 -0700 (PDT)
Received: from exprod7og116.obsmtp.com (exprod7og116.obsmtp.com [64.18.2.219]) by ietfa.amsl.com (Postfix) with ESMTP id C5AF321F847F; Tue, 17 Jul 2012 13:43:08 -0700 (PDT)
Received: from P-EMHUB02-HQ.jnpr.net ([66.129.224.36]) (using TLSv1) by exprod7ob116.postini.com ([64.18.6.12]) with SMTP ID DSNKUAXOiwvzhT2y7bjw6GYh3bDPBYOehfVG@postini.com; Tue, 17 Jul 2012 13:44:07 PDT
Received: from jgs-sslvpn-nc.jnpr.net (172.23.5.32) by P-EMHUB02-HQ.jnpr.net (172.24.192.33) with Microsoft SMTP Server id 8.3.213.0; Tue, 17 Jul 2012 13:40:49 -0700
MIME-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset="us-ascii"
From: "John G. Scudder" <jgs@juniper.net>
In-Reply-To: <24B20D14B2CD29478C8D5D6E9CBB29F625F32E50@Hermes.columbia.ads.sparta.com>
Date: Tue, 17 Jul 2012 13:40:48 -0700
Content-Transfer-Encoding: quoted-printable
Message-ID: <A369836F-199E-4B06-BD73-DFF3F0AF2BC0@juniper.net>
References: <9BA4B53E-9772-47D4-B336-3A98FAEB4045@nrl.navy.mil> <005401cd63aa$baeac2b0$30c04810$@ndzh.com>	<5005132E.9000000@cisco.com> <F71E3EEE-3082-47F9-961C-7B78EED4A4A6@juniper.net> <001301cd6431$87944a30$96bcde90$@ndzh.com> <079e01cd6433$00f04b30$02d0e190$@olddog.co.uk> <001701cd6433$6f7fd250$4e7f76f0$@ndzh.com> <50058CE0.5010108@cisco.com>, <A1419349-1781-4787-9273-4C9766154BC2@itd.nrl.navy.mil> <24B20D14B2CD29478C8D5D6E9CBB29F625F32E50@Hermes.columbia.ads.sparta.com>
To: "Murphy, Sandra" <Sandra.Murphy@sparta.com>
X-Mailer: Apple Mail (2.1278)
X-Mailman-Approved-At: Tue, 17 Jul 2012 13:48:19 -0700
Cc: "secdir@ietf.org" <secdir@ietf.org>, "idr-chairs@tools.ietf.org" <idr-chairs@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "adrian@olddog.co.uk" <adrian@olddog.co.uk>, "draft-ietf-idr-rfc4893bis.all@tools.ietf.org" <draft-ietf-idr-rfc4893bis.all@tools.ietf.org>, Catherine A Meadows <meadows@itd.nrl.navy.mil>, Susan Hares <shares@ndzh.com>, "stbryant@cisco.com" <stbryant@cisco.com>
Subject: Re: [secdir] Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07 (resend of a resend)
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2012 20:43:20 -0000

On Jul 17, 2012, at 10:11 AM, Murphy, Sandra wrote:
...
> To John: if a behavior causes damage, I do not believe that attempting to
> characterize it as accidental/misconfiguration vs malicious is useful.
> Would you be happy with a security protection that prevented malicious
> behavior but not accidents?  (If such a thing were possible.)  In this case,
> deliberate mis-configuration is just as easy as accidental misconfiguration
> and the same harm.

No argument, but if we put any condition that can cause incorrect behavior
in-scope for Security Considerations, those sections are going to get
Awfully Big. I think practically speaking we have arrived at a simple
modification to this section so we can probably move forward.

...
> To John and Sue:  In section 4.1:
>
>  The new attributes, AS4_PATH and AS4_AGGREGATOR MUST NOT be carried
>   in an UPDATE message between NEW BGP speakers.  A NEW BGP speaker
>   that receives the AS4_PATH attribute or the AS4_AGGREGATOR attribute
>   in an UPDATE message from another NEW BGP speaker MUST discard the
>   path attribute and continue processing the UPDATE message.
>
> wrt "MUST discard the path attribute" - *which* path attribute?  AS_PATH
> or AS4_PATH?  I presume AS4_PATH, as that is what the paragraph says is
> forbidden.

I guess there is some small ambiguity here though it was clear to me that
AS4_* is intended. Let's make whatever edit is sufficient to remove the
ambiguity. How about "MUST discard that path attribute"?

> To Sue: wrt confeds within confeds.  In the SIDR consideration of confeds,
> the statement was made that no one nests confeds.  Does your experience
> differ?  The answer is important to the work we're doing.

Speaking as co-author of the current confeds spec, it is simply not possible
to nest confeds.

> To John&Sue: I'm confused about the loop problem.  If a 4byteASN had a
> 2byteASN neighbor, that would result in AS_TRANS in the AS_PATH that the
> 2byteASN would receive.   If the update was propagated to another 4byteASN,
> it would use the AS4_PATH to remap the AS_TRANS to the right 4byteASN and
> could detect loops.  If the update propagated to a 2byteASN, there might be
> multiple appearances of AS_TRANS, which might look like a loop but would not
> actually be a loop (the update propagated through multiple 4byteASNs at
> different points.).  I'm not certain what implementations do.  The
> not-really-a-loop would not involve the receiving 2byteASN (unless it had
> been misconfigured with AS_TRANS as MyASN!).  Do implementations look
> further back in the AS_PATH as a clean-up activity?  Is the DOS that the
> 2byteASNs might be dropping updates that were actually well-formed?  Sounds
> similar to the first problem with AS4_PATH that caused remote session
> cancellation, in this case it would be remote update drop.

The loop scenario of concern derives from this:

   A NEW BGP speaker that receives a malformed AS4_PATH attribute in an
   UPDATE message from an OLD BGP speaker MUST discard the attribute,
   and continue processing the UPDATE message.

This makes it explicitly possible that some ASes may be lost from the path,
e.g. suppose you have "old" and "new" ASes in the path as follows ("new"
ASes are six-digit, "old" are three-digit) and we are considering routes to
destination prefix "dest"

  200000 -- 100 -- 200 -- 300000 -- 400000 -- dest

What AS 200000 would expect to see in advertisements from 100 would be a
path like

  100, 200, 23456, 23456 (recall that 23456 is AS_TRANS)

along with an AS4_PATH that carries 300000 and 400000. But if the AS4_PATH
is corrupt, the final two ASes will remain 23456 forever and never have
300000 and 400000 substituted back in. Thus if we actually had the topology

  200000 -- 100 -- 200 -- 300000 -- 400000 -- dest
     |                                 |
     +---------------------------------+

We could have 200000 send routes back to 400000 and not have them
loop-detected as they ought to be. In this case it is *likely* that the loop
would be broken eventually when the route made it back to AS 200, the loop
would be detected there, and the loop would unwind. There are pathological
cases possible though, for example:

  200000 -- 100 -- 200 -- 300000 -- 400000 -- dest
     |                       |
     +-----------------------+

Suppose 300000 has a policy to prefer routes from 200000 over those from
400000. In the malformed AS4_PATH scenario, a persistent routing oscillation
would ensue, as 300000 selected the route with AS_PATH 200000, 100, 200,
23456, 23456 (remember this is due to a corrupt AS4_PATH) over that with
AS_PATH 400000 and propagated it to AS 200 which would loop-detect and
withdraw it.

--John

>
> --Sandy
> ________________________________________
> From: secdir-bounces@ietf.org [secdir-bounces@ietf.org] on behalf of
> Catherine A Meadows [meadows@itd.nrl.navy.mil]
> Sent: Tuesday, July 17, 2012 12:28 PM
> To: Susan Hares
> Cc: secdir@ietf.org; Murphy, Sandra; idr-chairs@tools.ietf.org;
> iesg@ietf.org; John G. Scudder; adrian@olddog.co.uk;
> draft-ietf-idr-rfc4893bis.all@tools.ietf.org; Catherine A Meadows;
> stbryant@cisco.com
> Subject: Re: [secdir] Spam:*******,     Secdir Review of
> draft-ietf-idr-rfc4893bis-07 (resend of a resend)
>
> Hi  Susan:
>
> My apologies for not responding earlier.  I had been away from my email
> while traveling.
>
> My question was not so much intended to recommend specific wording.  It was
> simply that I didn't understand what "misconfiguration" meant in this
> context, because it isn't the usual terminology used in IETF documents.
> But as I understand it from the discussion,  configurations are not really
> part of the standard, so we can't mandate them, and because of that, this is
> to be downgraded to a recommendation, as well as being removed from the
> security consideration section.   So that answers my question.
>
>
> As I understand from the discussion, the security risk of looping only is an
> issue if an attacker can cause it to happen, in which case it can be used in
> a DOS attack.  So if there is no way an attacker could cause this looping to
> happen, I'm happy to have it removed from the Security Considerations
> section.  Otherwise, I'd recommend you refer to it in the Security
> Considerations section (even if it is described in detail in another
> section).
>
> As to my other question, if there is no straightforward answer to it,
> there's no reason to discuss it in the document.
>
> Hope this helps,
>
> Cathy
>
>
>
>
> On Jul 17, 2012, at 12:03 PM, Stewart Bryant wrote:
>
>> It seems like a good suggestion to me
>>
>> Stewart
>>
>> On 17/07/2012 16:47, Susan Hares wrote:
>>> Adrian:
>>>
>>> 100% agree with your viewpoint and next steps.
>>>
>>> John and Stuart - can we change to this view point.
>>>
>>> Sue
>>>
>>> -----Original Message-----
>>> From: Adrian Farrel [mailto:adrian@olddog.co.uk]
>>> Sent: Tuesday, July 17, 2012 11:44 AM
>>> To: 'Susan Hares'; 'John G. Scudder'; stbryant@cisco.com
>>> Cc: secdir@ietf.org; 'Murphy, Sandra'; idr-chairs@tools.ietf.org;
>>> iesg@ietf.org; 'Catherine Meadows';
>>> draft-ietf-idr-rfc4893bis.all@tools.ietf.org
>>> Subject: RE: Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07
>>> (resend of a resend)
>>>
>>> IMHO, you are right Sue. Stating "MUST NOT" in a specification does not
>>> prevent something from happening.
>>> Using "MUST NOT" for a specification is fine because we can test for
>>> conformance to that and strike an implementation that does not respect the
>>> language.
>>> Using "MUST NOT" in a description of an operator process is not as strong or
>>> useful.
>>>
>>> I think that "weakening" loop detection is a bad thing, but it is also a
>>> price an operator might want to pay to get moved to 4byte AS numbers quickly
>>> when a few corner boxes might take another 12 months to be upgraded.
>>>
>>> I agree with John that the text is not security-related.
>>>
>>> So, I would rephrase and reposition the text.
>>> - Do explain the risk of switching to 4bytes before everyone is upgraded.
>>> - Do explain the boundaries to the risk
>>> - Do expect operators to consider the implications
>>> - Don't mandate what an operator does in the privacy of their own bedroom
>>>
>>> A
>>>
>>>
>>>
>>>> -----Original Message-----
>>>> From: iesg-bounces@ietf.org [mailto:iesg-bounces@ietf.org] On Behalf
>>>> Of Susan Hares
>>>> Sent: 17 July 2012 16:34
>>>> To: 'John G. Scudder'; stbryant@cisco.com
>>>> Cc: secdir@ietf.org; 'Murphy, Sandra'; idr-chairs@tools.ietf.org;
>>>> iesg@ietf.org; 'Catherine Meadows';
>>>> draft-ietf-idr-rfc4893bis.all@tools.ietf.org
>>>> Subject: RE: Spam:*******, Secdir Review of
>>>> draft-ietf-idr-rfc4893bis-07 (resend of a resend)
>>>>
>>>> John and Stuart:
>>>>
>>>> This is an acceptable text, and we can go on with this draft.
>>>>
>>>> However,  my question to Catherine was substantive.  I wish to discuss
>>>> with the Routing AD(s), Security people, and Benoit/Ron to understand
>>>> the Routing/Operational issues.
>>>>
>>>> "Must Not" configure is unrealistic.  People misconfigure. Yankee
>>>> Group and other research houses places have indicated year-on-year
>>>> 15-30% outages are caused by this misconfigured.  It's like the statement
>>>> "stuff happens."
>>>> Stating "Must not" is like spitting into the wind.  You end up with
>>>> stuff on your face.  What is the security area stating?  How does this
>>>> review match with the path validation/security in SIDR.
>>>>
>>>> Can we get Catherine or other security people to respond to my question?
>>>> Cross-area review is useful to find holes in our process and our
>>>> assumptions.  I want to make sure I understand the valuable technical
>>>> feedback the security review is providing.
>>>>
>>>>
>>>> Sue
>>>>
>>>> -----Original Message-----
>>>> From: John G. Scudder [mailto:jgs@juniper.net]
>>>> Sent: Tuesday, July 17, 2012 10:38 AM
>>>> To: stbryant@cisco.com
>>>> Cc: idr-chairs@tools.ietf.org; 'Catherine Meadows'; iesg@ietf.org;
>>>> secdir@ietf.org; draft-ietf-idr-rfc4893bis.all@tools.ietf.org;
>>>> 'Murphy, Sandra'
>>>> Subject: Re: Spam:*******, Secdir Review of
>>>> draft-ietf-idr-rfc4893bis-07 (resend of a resend)
>>>>
>>>> Stewart,
>>>>
>>>> I'm fine with the text you propose.
>>>>
>>>> (I do find it a little odd to have this text -- either old or new --
>>>> in the Security section since routing loops aren't normally thought of
>>>> as a security issue unless maliciously triggered -- which this one
>>>> isn't described as being. So I would also be fine with changing the
>>>> text but moving it to a different section. But that is quibbling.)
>>>>
>>>> --John
>>>>
>>>> On Jul 17, 2012, at 12:24 AM, Stewart Bryant wrote:
>>>>
>>>>> Sue, John,
>>>>>
>>>>> Is there any reason not to reword the text concerned to more
>>>>> conventional format:
>>>>>
>>>>> OLD
>>>>> It is a misconfiguration to assign a non-mappable four-octet AS
>>>>>   number as the "Member AS Number" in a BGP confederation before all
>>>>>   the BGP speakers within the confederation have transitioned to
>>>>>   support four-octet AS numbers.  Such a misconfiguration would weaken
>>>>>   the AS path loop detection within a confederation.
>>>>>
>>>>> NEW
>>>>>
>>>>> A network operator MUST NOT assign a non-mappable four-octet AS
>>>>> number as the "Member AS Number" in a BGP confederation before all
>>>>> the BGP speakers within the confederation have transitioned to
>>>>> support four-octet AS numbers, as such an assignment would weaken
>>>>> the AS path loop detection within a confederation.
>>>>>
>>>>> Stewart
>>>>>
>>>>> On 17/07/2012 00:28, Susan Hares wrote:
>>>>>> Catherine:
>>>>>>
>>>>>> I've read and re-read this email for a week (7/9 - 7/16).
>>>>>>
>>>>>> Misconfiguration is a fact of life in networks.  Security profiles
>>>>>> must deal with this point.  We can all say you should not misconfigure
>>>>>> networks - but life happens.  Therefore,  I'm confused by your
>>>>>> question.  I would consider it is just a security event the authors
>>>>>> pointing happens.
>>>>>> On your second comment
>>>>>>
>>>>>> "I would also expect that the chance of routing loops arising out
>>>>>> conversion from 4-octet to 2-octet occurring between confederations
>>>>>> would be much less than of their occurring within a confederation
>>>>>> (although one can't know for sure without knowing what the 4-octet
>>>>>> to 2-octet mapping is), so following the recommendations in the
>>>>>> Security Considerations would greatly reduce the probability of
>>>>>> such a routing loop occurring.  Is this correct? "
>>>>>>
>>>>>> It depends if someone configures a confederation within a
>>>>>> confederation. [see earlier comment on mis-configuration.] I've copied
>>>>>> Sandy Murphy in case as SIDR chair can put this discussion into a
>>>>>> different "security" specific light.
>>>>>> Confused,
>>>>>>
>>>>>> Sue
>>>>>>
>>>>>>
>>>>>> From: Catherine Meadows [mailto:catherine.meadows@nrl.navy.mil]
>>>>>> Sent: Monday, July 09, 2012 2:25 PM
>>>>>> To: iesg@ietf.org; secdir@ietf.org;
>>>>>> draft-ietf-idr-rfc4893bis.all@tools.ietf.org
>>>>>> Cc: Catherine Meadows
>>>>>> Subject: Spam:*******, Secdir Review of
>>>>>> draft-ietf-idr-rfc4893bis-07 (resend of a resend)
>>>>>>
>>>>>> I managed to screw up the email address again.  Here it is for what
>>>>>> I hope is the last time.
>>>>>> My apologies again to everyone who receives *three* copies of this
>>>>>> message.
>>>>>> I have reviewed this document as part of the security directorate's
>>>>>> ongoing effort to review all IETF documents being processed by the
>>>>>> IESG.  These comments were written primarily for the benefit of the
>>>>>> security area directors.  Document editors and WG chairs should
>>>>>> treat these comments just like any other last call comments.
>>>>>>
>>>>>> This document describes an added capability for four-octet
>>>>>> Autonomous System
>>>>>> (AS) numbers in BGP.  This is intended to  replace the older
>>>>>> two-octet AS numbers, since that space is filling up.
>>>>>>
>>>>>> In order to preserve backward compatibility, AS's using the
>>>>>> four-octet systems (called New BGP speakers in the document) must
>>>>>> advertise both four-octet and two-octet AS numbers.
>>>>>> This is the case even if the New BGP Speaker does not have a
>>>>>> globally unique two-octet number.
>>>>>> The document says that in this case the two-octet number is
>>>>>> obtained by mapping the four-octet number to the two-octet space.
>>>>>> The procedure for doing this is not specified.
>>>>>> The authors identify a risk of routing loops developing when
>>>>>> ambiguities develops as a result of a BGP speaker using the old
>>>>>> system aggregating two or more routes carrying 4-octet attributes.
>>>>>> In the Security Configurations Section, the authors point out that
>>>>>> an attacker might be able to exploit this in a denial of service
>>>>>> attack.
>>>>>> They point out that it is a misconfiguration to assign 4-octet
>>>>>> Member AS Numbers in a BGP confederation until all BGP speakers within
>>>>>> the confederation have transitioned to support 4-octet numbers.
>>>>>> I think that this is a good recommendation.  I just have a couple
>>>>>> of minor comments.
>>>>>> It's not clear to me what the status of "misconfiguration" is in
>>>>>> the hierarchy of IETF.
>>>>>> Is it more like SHALL NOT or SHOULD NOT?  Is there a reason why
>>>>>> you're saying "misconfiguration" instead of one of those?
>>>>>>
>>>>>> I would also expect that the chance of routing loops arising out
>>>>>> conversion from 4-octet to 2-octet occurring between confederations
>>>>>> would be much less than of their occurring within a confederation
>>>>>> (although one can't know for sure without knowing what the 4-octet
>>>>>> to 2-octet mapping is), so following the recommendations in the
>>>>>> Security Considerations would greatly reduce the probability of such a
>>>>>> routing loop occurring.  Is this correct?
>>>>>> Cathy Meadows
>>>>>> Catherine Meadows
>>>>>> Naval Research Laboratory
>>>>>> Code 5543
>>>>>> 4555 Overlook Ave., S.W.
>>>>>> Washington DC, 20375
>>>>>> phone: 202-767-3490
>>>>>> fax: 202-404-7942
>>>>>> email: catherine.meadows@nrl.navy.mil
>>>>>>
>>>>>
>>>>> --
>>>>> For corporate legal information go to:
>>>>>
>>>>>
>>>>> http://www.cisco.com/web/about/doing_business/legal/cri/index.html
>>>>>
>>>>>
>>>>>
>>>
>>>
>>> .
>>>
>>
>>
>> --
>> For corporate legal information go to:
>>
>> http://www.cisco.com/web/about/doing_business/legal/cri/index.html
>
> _______________________________________________
> secdir mailing list
> secdir@ietf.org
> https://www.ietf.org/mailman/listinfo/secdir
> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview
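
The loop-detection gap described in the message above, as an added example (not part of the original message or of the draft): a small Python model of a NEW speaker rebuilding the path from AS_PATH and AS4_PATH, run over the thread's topology. The function names, the truncated-octet corruption and the simplified malformation check are assumptions made for illustration.

```python
import struct

AS_TRANS = 23456            # 2-octet stand-in for a non-mappable 4-octet ASN
AS_SET, AS_SEQUENCE = 1, 2  # path segment type codes from the BGP base spec


def encode_as4_path(asns):
    """Encode one AS_SEQUENCE segment of 4-octet ASNs as an AS4_PATH value."""
    body = b"".join(struct.pack("!I", asn) for asn in asns)
    return struct.pack("!BB", AS_SEQUENCE, len(asns)) + body


def parse_as4_path(value):
    """Return the ASNs in an AS4_PATH value, or None if it is malformed.

    Assumption for this example: "malformed" means an unknown segment
    type, a zero count, or a count that disagrees with the octets present.
    Segments are flattened; the constructed sample uses AS_SEQUENCE only.
    """
    if not value:
        return None
    asns, pos = [], 0
    while pos < len(value):
        if len(value) - pos < 2:
            return None
        seg_type, count = value[pos], value[pos + 1]
        pos += 2
        if seg_type not in (AS_SET, AS_SEQUENCE) or count == 0:
            return None
        if len(value) - pos < 4 * count:
            return None
        asns.extend(struct.unpack("!%dI" % count, value[pos:pos + 4 * count]))
        pos += 4 * count
    return asns


def reconstruct(as_path, as4_path_value):
    """Path a NEW speaker ends up with for an UPDATE from an OLD speaker."""
    as4 = parse_as4_path(as4_path_value)
    if as4 is None or len(as4) > len(as_path):
        # Attribute discarded (malformed) or ignored: AS_TRANS entries stay.
        return list(as_path)
    keep = len(as_path) - len(as4)
    return list(as_path[:keep]) + as4


def to_two_octet(path):
    """AS_PATH as an OLD speaker sees it: large ASNs become AS_TRANS."""
    return [asn if asn <= 0xFFFF else AS_TRANS for asn in path]


def loop_detected(my_asn, path):
    """AS path loop check: is my own ASN already in the path?"""
    return my_asn in path


# Constructed sample from the thread's topology:
#   200000 -- 100 -- 200 -- 300000 -- 400000 -- dest
AS_PATH_FROM_100 = [100, 200, AS_TRANS, AS_TRANS]
GOOD_AS4_PATH = encode_as4_path([300000, 400000])
CORRUPT_AS4_PATH = GOOD_AS4_PATH[:-1]   # constructed corruption: last octet lost


def readvertise(as4_path_value, receiver):
    """AS 200000 rebuilds the path, prepends itself, and sends to `receiver`.

    Returns (path as advertised, whether the receiver loop-detects it).
    """
    advertised = [200000] + reconstruct(AS_PATH_FROM_100, as4_path_value)
    return advertised, loop_detected(receiver, advertised)


if __name__ == "__main__":
    for label, value in (("intact", GOOD_AS4_PATH), ("corrupt", CORRUPT_AS4_PATH)):
        for receiver in (400000, 300000):
            path, caught = readvertise(value, receiver)
            print(f"{label:8} AS4_PATH -> AS {receiver}: {path} loop={caught}")
    # Second topology: 300000 accepts the route and passes it to OLD AS 200.
    path, _ = readvertise(CORRUPT_AS4_PATH, 300000)
    at_200 = to_two_octet([300000] + path)
    print("AS 200 sees", at_200, "loop=", loop_detected(200, at_200))
```

With the intact attribute both 400000 and 300000 find themselves in the path; with the corrupt one neither does, and only OLD AS 200 catches the loop, one hop later.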


From shares@ndzh.com  Tue Jul 17 16:17:55 2012
Return-Path: <shares@ndzh.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3CEB11E80E3; Tue, 17 Jul 2012 16:17:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000,  BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CM1d1aAnFev6; Tue, 17 Jul 2012 16:17:53 -0700 (PDT)
Received: from hickoryhill-consulting.com (hhc-web.hickoryhill-consulting.com [64.9.205.140]) by ietfa.amsl.com (Postfix) with ESMTP id 148BE11E80C7; Tue, 17 Jul 2012 16:17:52 -0700 (PDT)
X-Default-Received-SPF: pass (skip=forwardok (res=PASS)) x-ip-name=63.133.198.20; 
Received: from SKH2012HPLT (unverified [63.133.198.20])  by hickoryhill-consulting.com (SurgeMail 5.2a) with ESMTP id 3461905-1945496 for multiple; Tue, 17 Jul 2012 19:18:39 -0400
From: "Susan Hares" <shares@ndzh.com>
To: "'John G. Scudder'" <jgs@juniper.net>, "'Murphy, Sandra'" <Sandra.Murphy@sparta.com>
References: <9BA4B53E-9772-47D4-B336-3A98FAEB4045@nrl.navy.mil> <005401cd63aa$baeac2b0$30c04810$@ndzh.com>	<5005132E.9000000@cisco.com> <F71E3EEE-3082-47F9-961C-7B78EED4A4A6@juniper.net> <001301cd6431$87944a30$96bcde90$@ndzh.com> <079e01cd6433$00f04b30$02d0e190$@olddog.co.uk> <001701cd6433$6f7fd250$4e7f76f0$@ndzh.com> <50058CE0.5010108@cisco.com>, <A1419349-1781-4787-9273-4C9766154BC2@itd.nrl.navy.mil> <24B20D14B2CD29478C8D5D6E9CBB29F625F32E50@Hermes.columbia.ads.sparta.com> <A369836F-199E-4B06-BD73-DFF3F0AF2BC0@juniper.net>
In-Reply-To: <A369836F-199E-4B06-BD73-DFF3F0AF2BC0@juniper.net>
Date: Tue, 17 Jul 2012 19:18:37 -0400
Message-ID: <000301cd6472$7f18bf30$7d4a3d90$@ndzh.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJKmuJjwEjeN+Alq24qu8oI3WgY1gDXd0BoAZu+ckcBR6c4qgLA7GuwApI1dQsB3roKPQK/Vk/KAgp26fgBRrWdLQGptmKVlZ52TVA=
Content-Language: en-us
X-Authenticated-User: skh@ndzh.com 
Cc: secdir@ietf.org, idr-chairs@tools.ietf.org, iesg@ietf.org, adrian@olddog.co.uk, draft-ietf-idr-rfc4893bis.all@tools.ietf.org, 'Catherine A Meadows' <meadows@itd.nrl.navy.mil>, stbryant@cisco.com
Subject: Re: [secdir] Spam:*******, Secdir Review of draft-ietf-idr-rfc4893bis-07 (resend of a resend)
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2012 23:17:55 -0000

John and Sandy: 

Agree with your points: 

Ack- security status - ok,
Ack - AS-4* - ok
Ack - proper AS Confederation per spec - no nesting by design.  Outside of
spec -not our problem.
Ack = loop scenario matches my understanding of loop

Do we need any more changes? I do not think so. 

Sue 

-----Original Message-----
From: John G. Scudder [mailto:jgs@juniper.net] 
Sent: Tuesday, July 17, 2012 4:41 PM
To: Murphy, Sandra
Cc: Catherine A Meadows; Susan Hares; secdir@ietf.org;
idr-chairs@tools.ietf.org; iesg@ietf.org; adrian@olddog.co.uk;
draft-ietf-idr-rfc4893bis.all@tools.ietf.org; stbryant@cisco.com
Subject: Re: [secdir] Spam:*******, Secdir Review of
draft-ietf-idr-rfc4893bis-07 (resend of a resend)

On Jul 17, 2012, at 10:11 AM, Murphy, Sandra wrote:
...
> To John: if a behavior causes damage, I do not believe that attempting to
> characterize it as accidental/misconfiguration vs malicious is useful.
> Would you be happy with a security protection that prevented malicious
> behavior but not accidents?  (If such a thing were possible.)  In this case,
> deliberate mis-configuration is just as easy as accidental misconfiguration
> and the same harm.

No argument, but if we put any condition that can cause incorrect behavior
in-scope for Security Considerations, those sections are going to get
Awfully Big. I think practically speaking we have arrived at a simple
modification to this section so we can probably move forward.

...
> To John and Sue:  In section 4.1:
> 
>  The new attributes, AS4_PATH and AS4_AGGREGATOR MUST NOT be carried
>   in an UPDATE message between NEW BGP speakers.  A NEW BGP speaker
>   that receives the AS4_PATH attribute or the AS4_AGGREGATOR attribute
>   in an UPDATE message from another NEW BGP speaker MUST discard the
>   path attribute and continue processing the UPDATE message.
> 
> wrt "MUST discard the path attribute" - *which* path attribute?  AS_PATH
> or AS4_PATH?  I presume AS4_PATH, as that is what the paragraph says is
> forbidden.

I guess there is some small ambiguity here though it was clear to me that
AS4_* is intended. Let's make whatever edit is sufficient to remove the
ambiguity. How about "MUST discard that path attribute"?

> To Sue: wrt confeds within confeds.  In the SIDR consideration of confeds,
> the statement was made that no one nests confeds.  Does your experience
> differ?  The answer is important to the work we're doing.

Speaking as co-author of the current confeds spec, it is simply not possible
to nest confeds. 

> To John&Sue: I'm confused about the loop problem.  If a 4byteASN had a
> 2byteASN neighbor, that would result in AS_TRANS in the AS_PATH that the
> 2byteASN would receive.   If the update was propagated to another 4byteASN,
> it would use the AS4_PATH to remap the AS_TRANS to the right 4byteASN and
> could detect loops.  If the update propagated to a 2byteASN, there might be
> multiple appearances of AS_TRANS, which might look like a loop but would not
> actually be a loop (the update propagated through multiple 4byteASNs at
> different points.).  I'm not certain what implementations do.  The
> not-really-a-loop would not involve the receiving 2byteASN (unless it had
> been misconfigured with AS_TRANS as MyASN!).  Do implementations look
> further back in the AS_PATH as a clean-up activity?  Is the DOS that the
> 2byteASNs might be dropping updates that were actually well-formed?  Sounds
> similar to the first problem with AS4_PATH that caused remote session
> cancellation, in this case it would be remote update drop.

The loop scenario of concern derives from this:

   A NEW BGP speaker that receives a malformed AS4_PATH attribute in an
   UPDATE message from an OLD BGP speaker MUST discard the attribute,
   and continue processing the UPDATE message.

This makes it explicitly possible that some ASes may be lost from the path,
e.g. suppose you have "old" and "new" ASes in the path as follows ("new"
ASes are six-digit, "old" are three-digit) and we are considering routes to
destination prefix "dest"

  200000 -- 100 -- 200 -- 300000 -- 400000 -- dest

What AS 200000 would expect to see in advertisements from 100 would be a
path like

  100, 200, 23456, 23456 (recall that 23456 is AS_TRANS)

along with an AS4_PATH that carries 300000 and 400000. But if the AS4_PATH
is corrupt, the final two ASes will remain 23456 forever and never have
300000 and 400000 substituted back in. Thus if we actually had the topology

  200000 -- 100 -- 200 -- 300000 -- 400000 -- dest
     |                                 |
     +---------------------------------+

We could have 200000 send routes back to 400000 and not have them
loop-detected as they ought to be. In this case it is *likely* that the loop
would be broken eventually when the route made it back to AS 200, the loop
would be detected there, and the loop would unwind. There are pathological
cases possible though, for example:

  200000 -- 100 -- 200 -- 300000 -- 400000 -- dest
     |                       |
     +-----------------------+

Suppose 300000 has a policy to prefer routes from 200000 over those from
400000. In the malformed AS4_PATH scenario, a persistent routing oscillation
would ensue, as 300000 selected the route with AS_PATH 200000, 100, 200,
23456, 23456 (remember this is due to a corrupt AS4_PATH) over that with
AS_PATH 400000 and propagated it to AS 200 which would loop-detect and
withdraw it. 

--John

> 
> --Sandy
> ________________________________________
> From: secdir-bounces@ietf.org [secdir-bounces@ietf.org] on behalf of 
> Catherine A Meadows [meadows@itd.nrl.navy.mil]
> Sent: Tuesday, July 17, 2012 12:28 PM
> To: Susan Hares
> Cc: secdir@ietf.org; Murphy, Sandra; idr-chairs@tools.ietf.org;
> iesg@ietf.org; John G. Scudder; adrian@olddog.co.uk;
> draft-ietf-idr-rfc4893bis.all@tools.ietf.org; Catherine A Meadows;
> stbryant@cisco.com
> Subject: Re: [secdir] Spam:*******,     Secdir Review of
> draft-ietf-idr-rfc4893bis-07 (resend of a resend)
>
> Hi  Susan:
>
> My apologies for not responding earlier.  I had been away from my email
> while traveling.
>
> My question was not so much intended to recommend specific wording.
> It was simply that I didn't understand what "misconfiguration" meant
> in this context, because it isn't the usual terminology used in IETF
> documents.  But as I understand it from the discussion,  configurations
> are not really part of the standard, so we can't mandate them, and because
> of that, this is to be downgraded to a recommendation, as well as
> being removed from the security consideration section.   So that answers
> my question.
>
>
> As I understand from the discussion, the security risk of looping only
> is an issue if an attacker can cause it to happen, in which case it
> can be used in a DOS attack.  So if there is no way an attacker could
> cause this looping to happen, I'm happy to have it removed from the
> Security Considerations section.  Otherwise, I'd recommend you refer to it
> in the Security Considerations section (even if it is described in detail in
> another section).
>
> As to my other question, if there is no straightforward answer to it,
> there's no reason to discuss it in the document.
> 
> Hope this helps,
> 
> Cathy
> 
> 
> 
> 
> On Jul 17, 2012, at 12:03 PM, Stewart Bryant wrote:
> 
>> It seems like a good suggestion to me
>> 
>> Stewart
>> 
>> On 17/07/2012 16:47, Susan Hares wrote:
>>> Adrian:
>>> 
>>> 100% agree with your viewpoint and next steps.
>>> 
>>> John and Stuart - can we change to this view point.
>>> 
>>> Sue
>>> 
>>> -----Original Message-----
>>> From: Adrian Farrel [mailto:adrian@olddog.co.uk]
>>> Sent: Tuesday, July 17, 2012 11:44 AM
>>> To: 'Susan Hares'; 'John G. Scudder'; stbryant@cisco.com
>>> Cc: secdir@ietf.org; 'Murphy, Sandra'; idr-chairs@tools.ietf.org; 
>>> iesg@ietf.org; 'Catherine Meadows'; 
>>> draft-ietf-idr-rfc4893bis.all@tools.ietf.org
>>> Subject: RE: Spam:*******, Secdir Review of 
>>> draft-ietf-idr-rfc4893bis-07 (resend of a resend)
>>> 
>>> IMHO, you are right Sue. Stating "MUST NOT" in a specification does 
>>> not prevent something from happening.
>>> Using "MUST NOT" for a specification is fine because we can test for 
>>> conformance to that and strike an implementation that does not 
>>> respect the language.
>>> Using "MUST NOT" in a description of an operator process is not as 
>>> strong or useful.
>>> 
>>> I think that "weakening" loop detection is a bad thing, but it is
>>> also a price an operator might want to pay to get moved to 4byte AS
>>> numbers quickly when a few corner boxes might take another 12 months to
>>> be upgraded.
>>>
>>> I agree with John that the text is not security-related.
>>>
>>> So, I would rephrase and reposition the text.
>>> - Do explain the risk of switching to 4bytes before everyone is
>>> upgraded.
>>> - Do explain the boundaries to the risk
>>> - Do expect operators to consider the implications
>>> - Don't mandate what an operator does in the privacy of their own 
>>> bedroom
>>> 
>>> A
>>> 
>>> 
>>> 
>>>> -----Original Message-----
>>>> From: iesg-bounces@ietf.org [mailto:iesg-bounces@ietf.org] On 
>>>> Behalf Of Susan Hares
>>>> Sent: 17 July 2012 16:34
>>>> To: 'John G. Scudder'; stbryant@cisco.com
>>>> Cc: secdir@ietf.org; 'Murphy, Sandra'; idr-chairs@tools.ietf.org;
>>>> iesg@ietf.org; 'Catherine Meadows';
>>>> draft-ietf-idr-rfc4893bis.all@tools.ietf.org
>>>> Subject: RE: Spam:*******, Secdir Review of
>>>> draft-ietf-idr-rfc4893bis-07 (resend of a resend)
>>>>
>>>> John and Stuart:
>>>>
>>>> This is an acceptable text, and we can go on with this draft.
>>>>
>>>> However,  my question to Catherine was substantive.  I wish to
>>>> discuss with the Routing AD(s), Security people, and Benoit/Ron to
>>>> understand the Routing/Operational issues.
>>>>
>>>> "Must Not" configure is unrealistic.  People misconfigure. Yankee
>>>> Group and other research houses places have indicated year-on-year
>>>> 15-30% outages are caused by this misconfigured.  It's like the
>>>> statement "stuff happens."
>>>> Stating "Must not" is like spitting into the wind.  You end up with
>>>> stuff on your face.  What is the security area stating?  How does
>>>> this review match with the path validation/security in SIDR.
>>>>
>>>> Can we get Catherine or other security people to respond to my
>>>> question?
>>>> Cross-area review is useful to find holes in our process and our
>>>> assumptions.  I want to make sure I understand the valuable
>>>> technical feedback the security review is providing.
>>>> 
>>>> 
>>>> Sue
>>>> 
>>>> -----Original Message-----
>>>> From: John G. Scudder [mailto:jgs@juniper.net]
>>>> Sent: Tuesday, July 17, 2012 10:38 AM
>>>> To: stbryant@cisco.com
>>>> Cc: idr-chairs@tools.ietf.org; 'Catherine Meadows'; iesg@ietf.org; 
>>>> secdir@ietf.org; draft-ietf-idr-rfc4893bis.all@tools.ietf.org;
>>>> 'Murphy, Sandra'
>>>> Subject: Re: Spam:*******, Secdir Review of
>>>> draft-ietf-idr-rfc4893bis-07 (resend of a resend)
>>>> 
>>>> Stewart,
>>>> 
>>>> I'm fine with the text you propose.
>>>> 
>>>> (I do find it a little odd to have this text -- either old or new 
>>>> -- in the Security section since routing loops aren't normally 
>>>> thought of as a security issue unless maliciously triggered -- which 
>>>> this one isn't described as being. So I would also be fine with 
>>>> changing the text but moving it to a different section. But that is 
>>>> quibbling.)
>>>> 
>>>> --John
>>>> 
>>>> On Jul 17, 2012, at 12:24 AM, Stewart Bryant wrote:
>>>> 
>>>>> Sue, John,
>>>>> 
>>>>> Is there any reason not to reword the text concerned to more 
>>>>> conventional format:
>>>>> 
>>>>> OLD
>>>>> It is a misconfiguration to assign a non-mappable four-octet AS
>>>>>   number as the "Member AS Number" in a BGP confederation before all
>>>>>   the BGP speakers within the confederation have transitioned to
>>>>>   support four-octet AS numbers.  Such a misconfiguration would weaken
>>>>>   the AS path loop detection within a confederation.
>>>>> 
>>>>> NEW
>>>>> 
>>>>> A network operator MUST NOT assign a non-mappable four-octet AS 
>>>>> number as the "Member AS Number" in a BGP confederation before all 
>>>>> the BGP speakers within the confederation have transitioned to 
>>>>> support four-octet AS numbers, as such an assignment would weaken 
>>>>> the AS path loop detection within a confederation.
>>>>> 
>>>>> Stewart
>>>>> 
>>>>> On 17/07/2012 00:28, Susan Hares wrote:
>>>>>> Catherine:
>>>>>> 
>>>>>> I've read and re-read this email for a week (7/9 - 7/16).
>>>>>> 
>>>>>> Misconfiguration is a fact of life in networks.  Security
>>>>>> profiles must deal with this point.  We can all say you should
>>>>>> not misconfigure networks - but life happens.  Therefore,  I'm
>>>>>> confused by your question.  I would consider it is just a
>>>>>> security event the authors pointing happens.
>>>>>> On your second comment
>>>>>> 
>>>>>> "I would also expect that the chance of routing loops arising out 
>>>>>> conversion from 4-octet to 2-octet occurring between 
>>>>>> confederations would be much less than of their occurring within 
>>>>>> a confederation (although one can't know for sure without knowing 
>>>>>> what the 4-octet to 2-octet mapping is), so following the 
>>>>>> recommendations in the Security Considerations would greatly 
>>>>>> reduce the probability of such a routing loop occurring.  Is this
>>>>>> correct? "
>>>>>> 
>>>>>> It depends if someone configures a confederation within a
>>>>>> confederation.  [see earlier comment on mis-configuration.] I've
>>>>>> copied Sandy Murphy in case as SIDR chair can put this discussion
>>>>>> into a different "security" specific light.
>>>>>> Confused,
>>>>>> 
>>>>>> Sue
>>>>>> 
>>>>>> 
>>>>>> From: Catherine Meadows [mailto:catherine.meadows@nrl.navy.mil]
>>>>>> Sent: Monday, July 09, 2012 2:25 PM
>>>>>> To: iesg@ietf.org; secdir@ietf.org; 
>>>>>> draft-ietf-idr-rfc4893bis.all@tools.ietf.org
>>>>>> Cc: Catherine Meadows
>>>>>> Subject: Spam:*******, Secdir Review of
>>>>>> draft-ietf-idr-rfc4893bis-07 (resend of a resend)
>>>>>> 
>>>>>> I managed to screw up the email address again.  Here it is for
>>>>>> what I hope is the last time.
>>>>>> My apologies again to everyone who receives *three* copies of
>>>>>> this message.
>>>>>> I have reviewed this document as part of the security
>>>>>> directorate's ongoing effort to review all IETF documents being
>>>>>> processed by the IESG.  These comments were written primarily for
>>>>>> the benefit of the security area directors.  Document editors and
>>>>>> WG chairs should treat these comments just like any other last
>>>>>> call comments.
>>>>>> 
>>>>>> This document describes an added capability for four-octet
>>>>>> Autonomous System (AS) numbers in BGP.  This is intended to
>>>>>> replace the older two-octet AS numbers, since that space is
>>>>>> filling up.
>>>>>> 
>>>>>> In order to preserve backward compatibility, AS's using the
>>>>>> four-octet systems (called New BGP speakers in the document) must
>>>>>> advertise both four-octet and two-octet AS numbers.
>>>>>> This is the case even if the New BGP Speaker does not have a
>>>>>> globally unique two-octet number.
>>>>>> The document says that in this case the two-octet number is
>>>>>> obtained by mapping the four-octet number to the two-octet space.
>>>>>> The procedure for doing this is not specified.
>>>>>> The authors identify a risk of routing loops developing when
>>>>>> ambiguities develop as a result of a BGP speaker using the old
>>>>>> system aggregating two or more routes carrying 4-octet attributes.
>>>>>> In the Security Configurations Section, the authors point out
>>>>>> that an attacker might be able to exploit this in a denial of
>>>>>> service attack.
>>>>>> They point out that it is a misconfiguration to assign 4-octet
>>>>>> Member AS Numbers in a BGP confederation until all BGP speakers
>>>>>> within the confederation have transitioned to support 4-octet
>>>>>> numbers.
>>>>>> I think that this is a good recommendation.  I just have a couple
>>>>>> of minor comments.
>>>>>> It's not clear to me what the status of "misconfiguration" is in
>>>>>> the hierarchy of IETF.
>>>>>> Is it more like SHALL NOT or SHOULD NOT?  Is there a reason why
>>>>>> you're saying "misconfiguration" instead of one of those?
>>>>>> 
>>>>>> I would also expect that the chance of routing loops arising out
>>>>>> conversion from 4-octet to 2-octet occurring between
>>>>>> confederations would be much less than of their occurring within
>>>>>> a confederation (although one can't know for sure without knowing
>>>>>> what the 4-octet to 2-octet mapping is), so following the
>>>>>> recommendations in the Security Considerations would greatly
>>>>>> reduce the probability of such a routing loop occurring.  Is this
>>>>>> correct?
>>>>>> Cathy Meadows
>>>>>> Catherine Meadows
>>>>>> Naval Research Laboratory
>>>>>> Code 5543
>>>>>> 4555 Overlook Ave., S.W.
>>>>>> Washington DC, 20375
>>>>>> phone: 202-767-3490
>>>>>> fax: 202-404-7942
>>>>>> email: catherine.meadows@nrl.navy.mil
>>>>>> 



From jhutz@cmu.edu  Tue Jul 17 21:49:20 2012
Return-Path: <jhutz@cmu.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3252621F85D3; Tue, 17 Jul 2012 21:49:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level: 
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aHF3Y2uZR8i8; Tue, 17 Jul 2012 21:49:18 -0700 (PDT)
Received: from smtp02.srv.cs.cmu.edu (SMTP02.SRV.CS.CMU.EDU [128.2.217.197]) by ietfa.amsl.com (Postfix) with ESMTP id 941EA21F85D4; Tue, 17 Jul 2012 21:49:18 -0700 (PDT)
Received: from [128.2.193.239] (minbar.fac.cs.cmu.edu [128.2.193.239]) (authenticated bits=0) by smtp02.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id q6I4o53Q020106 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 18 Jul 2012 00:50:06 -0400 (EDT)
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: The IESG <iesg@ietf.org>, secdir <secdir@ietf.org>, draft-ietf-abfab-gss-eap.all@tools.ietf.org
Content-Type: text/plain; charset="UTF-8"
Date: Wed, 18 Jul 2012 00:50:05 -0400
Message-ID: <1342587005.7190.56.camel@minbar.fac.cs.cmu.edu>
Mime-Version: 1.0
X-Mailer: Evolution 2.28.3 
Content-Transfer-Encoding: 7bit
X-Scanned-By: mimedefang-cmuscs on 128.2.217.197
Cc: jhutz@cmu.edu
Subject: [secdir] secdir review of draft-ietf-abfab-gss-eap-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2012 04:49:20 -0000

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments just
like any other last call comments.

This document defines a family of GSS-API mechanisms which wrap EAP,
allowing applications which use GSS-API or SASL for authentication to take
advantage of EAP mechanisms.  It is a core part of the ABFAB architecture,
which brings mechanism-agile federated authentication to a wide variety of
applications without requiring that a user's preferred (required)
authentication mechanism be supported by the services that he wishes to
use.

I've talked with the authors and others a lot about how ABFAB in general
and this mechanism in particular are supposed to work, so I'm already
comfortable with the general approach.  Thus, this review will be confined
to particular protocol specifics and some editorial issues.

This protocol combines existing security protocols and frameworks in new
ways, and thus invokes all of the security issues surrounding EAP, the
GSS-API, the per-message services of RFC4121, the cryptographic framework
defined in RFC3961, and the AES enctype defined in RFC3962.  It also
introduces new considerations related to layering, combination, and
involving additional parties in the authentication process.  Many of
these are incorporated by reference to the relevant documents, while
others are discussed directly.

Overall, I think this is basically done.  However, I did find a couple of
things, included in my comments below, which the authors should probably
address before the document is published.  In particular, I believe there
is a potential gap in the MN format (though this may be deliberate), an
ambiguity in how import of Kerberos principal names should be handled, and
a missing step in key derivation.  I also make suggestions related to
mechanism names and to integrity protection of the context establishment;
these may be things which the authors have already considered or don't
feel it is appropriate to pursue at this time.

-- Jeff


========================================

Section 3.1 discusses the format of the GSS-API Mechanism Names (MNs)
used by the family of mechanisms defined in this document.  However, it
sort of glosses over the notion that, in GSS-API jargon, "Mechanism Name"
means a name of an initiator or acceptor in a mechanism-specific format,
and _not_ the name of a mechanism, as one might otherwise assume.  I
suggest the following change to the first paragraph of this section:

  OLD:

   Before discussing how the initiator and acceptor names are validated
   in the AAA infrastructure, it is necessary to discuss what composes a
   name for an EAP GSS-API mechanism.  GSS-API permits several types of
   generic names to be imported using GSS_Import_name().  Once a
   mechanism is chosen, these names are converted into a mechanism name
   form.  This section first discusses the mechanism name form and then
   discusses what name forms are supported.

  NEW:

   Before discussing how the initiator and acceptor names are validated
   in the AAA infrastructure, it is necessary to discuss what composes a
   name for an EAP GSS-API mechanism.  GSS-API permits several types of
   generic names to be imported using GSS_Import_name().  Once a
   mechanism is chosen, these names are converted into a
   mechanism-specific name form, called a "Mechanism Name".  Note that a
   Mechanism Name is the name of an initiator or acceptor, not the name
   of a mechanism.  This section first discusses the mechanism name form
   and then discusses what name forms are supported.

----------------------------------------

At the end of section 3.1, you write "Mechanisms MAY support the
GSS_KRB5_NT_KRB5_PRINCIPAL_NAME name form", but not how names of this form
should be converted to GSS-EAP MNs.  This results in ambiguities and also
some potential for unexpected results, including importing invalid names.
Some Kerberos principal names will be invalid as EAP-GSS MNs, particularly,
those using principal name forms which contain at-signs or realm name forms
containing slashes (the latter are not likely to be a practical problem,
but the former might be).  Others will be interpreted not as intended, or
may not be appropriate transformations (for example, user "instances" with
multiple principal name components).

To address this, I would recommend the following:

  1) Introduce an escaping syntax, such as the use of backslash as in
     RFC1964 section 2.1.1, to allow representation of name-strings which
     contain slash and at-sign characters.
  2) Admonish implementations which support importing of names of type
     GSS_KRB5_NT_KRB5_PRINCIPAL_NAME that when doing so they must process
     the escaping described in RFC1964 section 2.1.1 and convert to a
     canonical form in which only slash, backslash, and at-sign are
     escaped.
  3) Warn that direct import of Kerberos principal names may have
     unintended effects due to differences in name structure, and that this
     feature, if implemented, should be used carefully (possibly disabled
     by default).

  As an alternative to (1), you could continue to simply prohibit names
  containing slashes and at-signs as parts of name-strings.  In this case,
  implementations which support import of GSS_KRB5_NT_KRB5_PRINCIPAL_NAME
  names MUST verify that the imported name is valid and otherwise fail the
  import.

----------------------------------------

I am a bit confused by section 3.2.  You seem to be saying that the
representation of names and components of names transported in other
protocols is up to the protocol in question, but that the representation
when a name is sent as part of this protocol is UTF-8.  However, the ABNF
in section 3.1 permits only characters up to 0xff.  Is it the intent that
MNs be treated as UTF-8 strings?  If so, it would be better to specify the
MN form in two layers, first indicating that it is a UTF-8 string and then
using ABNF to define the permitted sequences of Unicode characters.

----------------------------------------

Why define a family of mechanisms parameterized by enctype, instead of
defining a single mechanism, specifying a mandatory-to-implement enctype,
and negotiating the enctype to be used as part of context establishment?
This would also work around a situation with SASL mechanism naming, which
is that you are effectively defining an entire family of GSS-API mechs but
specifying SASL mechanism names for only one member of that family.  This
means that either other enctypes cannot be used at all, or else they must
forever have non-friendly names encoded as per RFC5801 section 3.1.

Alternately, you could register a family of SASL mechanism names, of the
form EAP-<enc> and EAP-<enc>-PLUS, where <enc> is a numeric enctype.  This
is a bit uglier than EAP-AES128[-PLUS], but prevents future
interoperability problems due to SASL mechanism name mismatches and at
least is reversible, unlike the RFC5801 section 3.1 encoding.

----------------------------------------

In section 5.4, may the acceptor's message include a vendor subtoken?

----------------------------------------

In section 5.5, what is a "protected result indication" ?

----------------------------------------

Is it possible for the Extensions state to involve more than one round trip?

----------------------------------------

In section 5.6.1, initiators should be REQUIRED to send zeros for all flag
bits other than GSS_C_MUTUAL_FLAG, in order to guarantee that these bits
are available for future extension.

----------------------------------------

The MIC token described in section 5.6 currently protects only the
extension token containing it.  Is there any value to protecting the entire
context establishment exchange?

----------------------------------------

In section 6, the descriptions of the derivation of the GMSK and CRK
seem incomplete.  In particular...

- What happens if the EAP master session key is not large enough to
  satisfy the requirements of the GMSK enctype's random-to-key?
- What is the CRK enctype?
- I think you mean to indicate that the CRK is the result of applying
  the CRK enctype's random-to-key to the output of the indicated truncate
  call.  A mere string of random bits is not an RFC3961 protocol key.
- The definition of L is garbled.  I think you mean it is the length of
  data required by the CRK enctype's random-to-key.

----------------------------------------

It is frequently important to GSS-API initiators that they are talking to
the expected acceptor.  In the present mechanism, that requires not only
verifying the acceptor/NAS's identity with the EAP server (by means of EAP
channel bindings), but also verifying that the verified NAS identity agrees
with the GSS-API target name provided by the initiating application, if
any.  This issue is discussed in detail in sections 3.4 and 3.5, but could
bear an additional mention in the security considerations.




========================================

I also found a number of editorial issues:

Abstract:

  "... when using the EAP mechanism" should probably be "when using the
  Extensible Authentication Protocol (EAP)", at which point the second
  expansion of EAP could be removed.

Section 1, graf 6 (page 5): s/prospective/perspective/

Section 1.3, last graf (page 7): The phrase "security association
protocols" is used twice, where I believe "secure association protocols" is
intended.

Section 3.1 ABNF: This attempts to define name-char to match any character
except the slash (/) and at-sign (@), which are used to separate name
components.  However, it incorrectly prohibits uppercase G (decimal 71, hex
0x47) instead of slash (decimal 47, hex 0x2f).

Section 3.1, graf 3 (page 10, after ABNF): In "specifications of this
mechanism MUST NOT prepare the user-or-service according to these rules",
I think you mean "implementations", not "specifications".

Section 3.1, bottom of page 10: s/proceeding/preceeding/

Section 3.3, last graf: "canonicalizing it to a mechanism" should be
"canonicalizing it to a mechanism name".

Section 3.5, graf 4 (bottom of page 13): In "The EAP server MUST assure",
s/assure/ensure/.

In section 5, the table describing the format of an innerToken shows
the first subtoken body as occupying octets 10..10+n, which is a total
of n+1 bytes.  It should be 10+n-1, and the second subtoken type should
be at octets 10+n..10+n+3.

Sections 5.5.1, 5.5.2; the subtoken types are missing zeros.

Section 5.6; this state is variously called Extension (singular) or
Extensions (plural).

Section 7.2: The GSS mech parameters registry was indeed created by
RFC6542.  Also, it might be clearer if the last two entries in the table
explicitly referred to "this RFC", so someone doesn't think you mean
RFC4121 section 5.

Section 7.3: The table should be sorted by type, not defining section.

Section 7.4: draft-ietf-radext-radius-extensions is up to -06, and the
relevant section is now 10.3, not 9.3.

Section 7.5: s/EAP-ES128/EAP-AES128/

Section 10.1: Do you need a normative reference to RFC3962?
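
The import handling recommended in the review above for GSS_KRB5_NT_KRB5_PRINCIPAL_NAME names, as an added example that is not part of the original message or of any ABFAB implementation: it processes the RFC1964 section 2.1.1 backslash escaping, emits a canonical form in which only slash, backslash and at-sign are escaped, and also shows the strict alternative that fails the import. All function names and sample names are hypothetical and constructed; rejecting empty components and unescaped separators inside the realm is an assumption of this sketch.

```python
"""Sketch of importing an escaped Kerberos principal name string."""

# RFC1964 section 2.1.1: backslash + one of these letters is a control char;
# backslash + any other character quotes that character literally.
_SPECIAL = {"n": "\n", "t": "\t", "b": "\b", "0": "\0"}
_MUST_ESCAPE = "/\\@"  # the only characters escaped in the canonical form


class NameImportError(ValueError):
    """Raised when a name cannot be imported."""


def parse_principal(text):
    """Split an escaped principal string into (components, realm)."""
    components, current, in_realm = [], [], False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            if i + 1 == len(text):
                raise NameImportError("dangling backslash at end of name")
            nxt = text[i + 1]
            current.append(_SPECIAL.get(nxt, nxt))
            i += 2
            continue
        if ch == "@":
            if in_realm:
                raise NameImportError("unescaped '@' inside realm")
            components.append("".join(current))
            current, in_realm = [], True
        elif ch == "/":
            if in_realm:  # assumption of this sketch: must be escaped
                raise NameImportError("unescaped '/' inside realm")
            components.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    realm = None
    if in_realm:
        realm = "".join(current)
    else:
        components.append("".join(current))
    # Assumption of this sketch: empty parts are treated as invalid.
    if "" in components or realm == "":
        raise NameImportError("empty component or realm")
    return components, realm


def _escape(part):
    return "".join("\\" + c if c in _MUST_ESCAPE else c for c in part)


def canonical_form(components, realm):
    """Re-encode so that only '/', '\\' and '@' carry a backslash."""
    out = "/".join(_escape(c) for c in components)
    return out if realm is None else out + "@" + _escape(realm)


def import_with_escaping(text):
    """Recommendations (1) and (2): unescape, then emit the canonical form."""
    return canonical_form(*parse_principal(text))


def import_strict(text):
    """Alternative to (1): the target form has no escape syntax, so the
    import fails when any component or the realm contains '/' or '@'."""
    components, realm = parse_principal(text)
    parts = components + ([realm] if realm is not None else [])
    for part in parts:
        if "/" in part or "@" in part:
            raise NameImportError("name-string contains '/' or '@': %r" % part)
    return "/".join(components) + ("" if realm is None else "@" + realm)


if __name__ == "__main__":
    # Constructed sample names, not taken from the draft or the review.
    for sample in ("host/www.example.org@EXAMPLE.ORG",
                   r"user\@corp@EXAMPLE.ORG",
                   r"a\x\/b@R"):
        print(repr(sample), "->", repr(import_with_escaping(sample)))
        try:
            print("  strict:", repr(import_strict(sample)))
        except NameImportError as exc:
            print("  strict import failed:", exc)
```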



From shawn.emery@oracle.com  Wed Jul 18 00:00:52 2012
Return-Path: <shawn.emery@oracle.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63BEF11E814E; Wed, 18 Jul 2012 00:00:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.598
X-Spam-Level: 
X-Spam-Status: No, score=-10.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FruaIbcsVH2Z; Wed, 18 Jul 2012 00:00:51 -0700 (PDT)
Received: from acsinet15.oracle.com (acsinet15.oracle.com [141.146.126.227]) by ietfa.amsl.com (Postfix) with ESMTP id 0CCD911E8147; Wed, 18 Jul 2012 00:00:47 -0700 (PDT)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by acsinet15.oracle.com (Sentrion-MTA-4.2.2/Sentrion-MTA-4.2.2) with ESMTP id q6I71Zt5004055 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 18 Jul 2012 07:01:36 GMT
Received: from acsmt358.oracle.com (acsmt358.oracle.com [141.146.40.158]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id q6I71XOh020116 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 18 Jul 2012 07:01:34 GMT
Received: from abhmt103.oracle.com (abhmt103.oracle.com [141.146.116.55]) by acsmt358.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id q6I71VeH003004; Wed, 18 Jul 2012 02:01:32 -0500
Received: from [10.159.83.56] (/10.159.83.56) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 18 Jul 2012 00:01:31 -0700
Message-ID: <50065F08.1090307@oracle.com>
Date: Wed, 18 Jul 2012 01:00:24 -0600
From: Shawn Emery <shawn.emery@oracle.com>
User-Agent: Mozilla/5.0 (X11; SunOS i86pc; rv:10.0.5) Gecko/20120703 Thunderbird/10.0.5
MIME-Version: 1.0
To: secdir@ietf.org
References: <4F8687DA.6020402@oracle.com>
In-Reply-To: <4F8687DA.6020402@oracle.com>
Content-Type: multipart/alternative; boundary="------------050201040202020207040401"
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Cc: iesg@ietf.org, draft-melnikov-smtp-priority-tunneling.all@tools.ietf.org
Subject: [secdir] Review of draft-melnikov-smtp-priority-tunneling-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2012 07:00:52 -0000

This is a multi-part message in MIME format.
--------------050201040202020207040401
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the IESG. 
These comments were written primarily for the benefit of the security 
area directors. Document editors and WG chairs should treat these 
comments just like any other last call comments.

This experimental draft describes a SMTP tunneling method to support 
priority message values for Mail Transfer Agents (MTA) that don't 
understand the MT-PRIORITY SMTP extension.

The security consideration section does exist and is quite detailed in 
listing the various attack scenarios and mitigating against these 
attacks.  It goes on to provide exceptions of when MT-Priority header 
values are not required to be stripped.  These have consequences such as 
breaking DKIM signatures, assuming subsequent MTAs are compliant with 
the new tunneling, or rejecting the messaging.  The document may clarify 
on when it is acceptable to break DKIM signatures and/or describe the 
environment.  On the other hand, if the MSA/MTA decides to alter the 
message and needs to re-sign the message then is there any ambiguity of 
what the message/fields would be when re-signed?

General comments:

Thanks for providing the before and after examples as this was helpful 
in my understanding of the protocol.

Editorial comments:

s/Example of such/Examples of such/

Shawn.
--

--------------050201040202020207040401--

From hartmans@mit.edu  Wed Jul 18 09:05:12 2012
Return-Path: <hartmans@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3821321F875E; Wed, 18 Jul 2012 09:05:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.996
X-Spam-Level: 
X-Spam-Status: No, score=-102.996 tagged_above=-999 required=5 tests=[AWL=-0.731, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YtyQ3OplgBKL; Wed, 18 Jul 2012 09:05:10 -0700 (PDT)
Received: from permutation-city.suchdamage.org (permutation-city.suchdamage.org [69.25.196.28]) by ietfa.amsl.com (Postfix) with ESMTP id 4227121F8717; Wed, 18 Jul 2012 09:05:09 -0700 (PDT)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id 15ACC203BA; Wed, 18 Jul 2012 12:06:14 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 873DF41F3; Wed, 18 Jul 2012 12:05:29 -0400 (EDT)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: Jeffrey Hutzelman <jhutz@cmu.edu>
References: <1342587005.7190.56.camel@minbar.fac.cs.cmu.edu>
Date: Wed, 18 Jul 2012 12:05:29 -0400
In-Reply-To: <1342587005.7190.56.camel@minbar.fac.cs.cmu.edu> (Jeffrey Hutzelman's message of "Wed, 18 Jul 2012 00:50:05 -0400")
Message-ID: <tsl1uk9njg6.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: draft-ietf-abfab-gss-eap.all@tools.ietf.org, The IESG <iesg@ietf.org>, secdir <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-abfab-gss-eap-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2012 16:05:12 -0000

[Stephen, I have a new draft ready.
I think we'll still need to ask the WG about the escaping issue, but
should I publish?]

>>>>> "Jeffrey" == Jeffrey Hutzelman <jhutz@cmu.edu> writes:


    Jeffrey> ========================================

    Jeffrey> Section 3.1 discusses the format of the GSS-API Mechanism Names (MNs)
    Jeffrey> used by the family of mechanisms defined in this document.  However, it
    Jeffrey> sort of glosses over the notion that, in GSS-API jargon, "Mechanism Name"
    Jeffrey> means a name of an initiator or acceptor in a mechanism-specific format,
    Jeffrey> and _not_ the name of a mechanism, as one might otherwise assume.  I
    Jeffrey> suggest the following change to the first paragraph of this section:

    Jeffrey>   OLD:

    Jeffrey>    Before discussing how the initiator and acceptor names are validated
    Jeffrey>    in the AAA infrastructure, it is necessary to discuss what composes a
    Jeffrey>    name for an EAP GSS-API mechanism.  GSS-API permits several types of
    Jeffrey>    generic names to be imported using GSS_Import_name().  Once a
    Jeffrey>    mechanism is chosen, these names are converted into a mechanism name
    Jeffrey>    form.  This section first discusses the mechanism name form and then
    Jeffrey>    discusses what name forms are supported.

    Jeffrey>   NEW:

    Jeffrey>    Before discussing how the initiator and acceptor names are validated
    Jeffrey>    in the AAA infrastructure, it is necessary to discuss what composes a
    Jeffrey>    name for an EAP GSS-API mechanism.  GSS-API permits several types of
    Jeffrey>    generic names to be imported using GSS_Import_name().  Once a
    Jeffrey>    mechanism is chosen, these names are converted into a
    Jeffrey>    mechanism-specific name form, called a "Mechanism Name".  Note that a
    Jeffrey>    Mechanism Name is the name of an initiator or acceptor, not the name
    Jeffrey>    of a mechanism.  This section first discusses the mechanism name form
    Jeffrey>    and then discusses what name forms are supported.

    Jeffrey> ----------------------------------------

I like this change.

    Jeffrey> At the end of section 3.1, you write "Mechanisms MAY support the
    Jeffrey> GSS_KRB5_NT_KRB5_PRINCIPAL_NAME name form", but not how names of this form
    Jeffrey> should be converted to GSS-EAP MNs.  This results in ambiguities and also
    Jeffrey> some potential for unexpected results, including importing invalid names.
    Jeffrey> Some Kerberos principal names will be invalid as EAP-GSS MNs, particularly,
    Jeffrey> those using principal name forms which contain at-signs or realm name forms
    Jeffrey> containing slashes (the latter are not likely to be a practical problem,
    Jeffrey> but the former might be).  Others will be interpreted not as intended, or
    Jeffrey> may not be appropriate transformations (for example, user "instances" with
    Jeffrey> multiple principal name components).

    Jeffrey> To address this, I would recommend the following:

    Jeffrey>   1) Introduce an escaping syntax, such as the use of backslash as in
    Jeffrey>      RFC1964 section 2.1.1, to allow representation of name-strings which
    Jeffrey>      contain slash and at-sign characters.

I think we discussed this between IETF 79 and IETF 80.
However I'd appreciate feedback from the abfab chairs on whether we
already discussed this and on polling the WG if we did not.

    Jeffrey>   3) Warn that direct import of Kerberos principal names may have
    Jeffrey>      unintended effects due to differences in name structure, and that this
    Jeffrey>      feature, if implemented, should be used carefully (possibly disabled
    Jeffrey>      by default).

    Jeffrey>   As an alternative to (1), you could continue to simply prohibit names
    Jeffrey>   containing slashes and at-signs as parts of name-strings.  In this case,
    Jeffrey>   implementations which support import of GSS_KRB5_NT_KRB5_PRINCIPAL_NAME
    Jeffrey>   names MUST verify that the imported name is valid and otherwise fail the
    Jeffrey>   import.

I've added text noting there are differences and indicating that import
SHOULD fail if the name is not syntactically valid.
That's a SHOULD to give mechanisms flexibility if they have some
particular cleanup they want to apply to make some application work.


    Jeffrey> ----------------------------------------

    Jeffrey> I am a bit confused by section 3.2.  You seem to be saying that the
    Jeffrey> representation of names and components of names transported in other
    Jeffrey> protocols is up to the protocol in question, but that the representation
    Jeffrey> when a name is sent as part of this protocol is UTF-8.  However, the ABNF
    Jeffrey> in section 3.1 permits only characters up to 0xff.  Is it the intent that
    Jeffrey> MNs be treated as UTF-8 strings?  If so, it would be better to specify the
    Jeffrey> MN form in two layers, first indicating that it is a UTF-8 string and then
    Jeffrey> using ABNF to define the permitted sequences of Unicode characters.

I disagree. I find the current construction easier to follow and would
rather not make this change.

    Jeffrey> ----------------------------------------

    Jeffrey> Why define a family of mechanisms parameterized by enctype, instead of
    Jeffrey> defining a single mechanism, specifying a mandatory-to-implement enctype,
    Jeffrey> and negotiating the enctype to be used as part of context establishment?
    Jeffrey> This would also work around a situation with SASL mechanism naming, which
    Jeffrey> is that you are effectively defining an entire family of GSS-API mechs but
    Jeffrey> specifying SASL mechanism names for only one member of that family.  This
    Jeffrey> means that either other enctypes cannot be used at all, or else they must
    Jeffrey> forever have non-friendly names encoded as per RFC5801 section 3.1.

    Jeffrey> Alternately, you could register a family of SASL mechanism names, of the
    Jeffrey> form EAP-<enc> and EAP-<enc>-PLUS, where <enc> is a numeric enctype.  This
    Jeffrey> is a bit uglier than EAP-AES128[-PLUS], but prevents future
    Jeffrey> interoperability problems due to SASL mechanism name mismatches and at
    Jeffrey> least is reversible, unlike the RFC5801 section 3.1 encoding.

I think this one is informed WG consensus. One reason to do things as we
have is that you run into an interop problem if policy or algorithm
evolution ever disables a mandatory enctype.
I think the implications have been discussed.

Since the SASL registry is FCFS, I don't see a problem with having to
register each enctype separately to get a friendly name.

    Jeffrey> ----------------------------------------

    Jeffrey> In section 5.4, may the acceptor's message include a vendor subtoken?

Well, if it does, the initiator is required by this spec to ignore it.

    Jeffrey> ----------------------------------------

    Jeffrey> In section 5.5, what is a "protected result indication" ?

An EAP term.
Meaning you have cryptographic verification of whether the EAP method
succeeded or failed.

    Jeffrey> ----------------------------------------

    Jeffrey> Is it possible for the Extensions state to involve more than one round trip?

Not in this specification.
You could of course add an extension advertized either in the initial
or extensions state permitting that.
So we can get that in the future if we need it, but I see no reason for
the complexity now.

    Jeffrey> ----------------------------------------

    Jeffrey> In section 5.6.1, initiators should be REQUIRED to send zeros for all flag
    Jeffrey> bits other than GSS_C_MUTUAL_FLAG, in order to guarantee that these bits
    Jeffrey> are available for future extension.

Yep, thanks.

    Jeffrey> ----------------------------------------

    Jeffrey> The MIC token described in section 5.6 currently protects only the
    Jeffrey> extension token containing it.  Is there any value to protecting the entire
    Jeffrey> context establishment exchange?

This was extensively discussed in the WG.
We went through a couple of different protocols and implementations
here.
This is where we ended up.
Yes, there is value in protecting the exchange, but the state required
to do that simply with RFC 3961 operations gets messy.
For many of the same reasons we made a similar change in RFC 6113, we
went with what we have here.

    Jeffrey> ----------------------------------------

    Jeffrey> In section 6, the descriptions of the derivation of the GMSK and CRK
    Jeffrey> seem incomplete.  In particular...

    Jeffrey> - What happens if the EAP master session key is not large enough to
    Jeffrey>   satisfy the requirements of the GMSK enctype's
    Jeffrey>   random-to-key?

I'm fairly sure for existing RFC 3961 enctypes and for existing
key-deriving EAP methods, that never happens.
For completeness I've added a requirement that in this case
authentication MUST fail.

    Jeffrey> - What is the CRK enctype?

The GMSK enctype.

    Jeffrey> - I think you mean to indicate that the CRK is the result of applying
    Jeffrey>   the CRK enctype's random-to-key to the output of the indicated truncate
    Jeffrey>   call.  A mere string of random bits is not an RFC3961 protocol key.
    Jeffrey> - The definition of L is garbled.  I think you mean it is the length of
    Jeffrey>   data required by the CRK enctype's random-to-key.

I do for all of these.
Fixing.


    Jeffrey> ----------------------------------------

    Jeffrey> It is frequently important to GSS-API initiators that they are talking to
    Jeffrey> the expected acceptor.  In the present mechanism, that requires not only
    Jeffrey> verifying the acceptor/NAS's identity with the EAP server (by means of EAP
    Jeffrey> channel bindings), but also verifying that the verified NAS identity agrees
    Jeffrey> with the GSS-API target name provided by the initiating application, if
    Jeffrey> any.  This issue is discussed in detail in sections 3.4 and 3.5, but could
    Jeffrey> bear an additional mention in the security considerations.

There's a fairly lengthy discussion of channel binding already in the
security considerations section.
I've added a sentence explaining why channel binding is important.




Thanks.

I've addressed these where I agree with you. A couple cases I disagreed
or decided to leave it to the RFC-editor.
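
Added example (not part of the original message or of the draft): a strict import check for the GSS_KRB5_NT_KRB5_PRINCIPAL_NAME case discussed above, where import fails if any name-string would contain a slash or at-sign. It assumes RFC 1964 section 2.1.1 backslash quoting on input and the section 3.1 MN layout (user-or-service/host/service-specifics@realm); all function names and sample principals are constructed for illustration.

```python
"""Strict import of a Kerberos principal name as a GSS-EAP Mechanism Name."""


class NameImportError(ValueError):
    """Raised when a principal cannot be represented as a GSS-EAP MN."""


# RFC 1964 section 2.1.1 (1b): named escapes; any other escaped char is literal.
_NAMED_ESCAPES = {"n": "\n", "t": "\t", "b": "\b", "0": "\0"}
# Characters that act as separators in the MN and so may not appear in a
# name-string when no escaping syntax is defined.
_FORBIDDEN = frozenset("/@")


def parse_krb5_principal(text):
    """Split an RFC 1964 display-form principal into (components, realm)."""
    components, current, in_realm = [], [], False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            if i + 1 == len(text):
                raise NameImportError("trailing backslash is illegal")
            nxt = text[i + 1]
            current.append(_NAMED_ESCAPES.get(nxt, nxt))
            i += 2
            continue
        if not in_realm and ch in "/@":
            # Unquoted separator: close the current component.
            components.append("".join(current))
            current = []
            in_realm = ch == "@"
        else:
            current.append(ch)
        i += 1
    if in_realm:
        return components, "".join(current)
    components.append("".join(current))
    return components, None


def import_krb5_name_strict(text):
    """Return the MN string, or raise if the name is not syntactically valid."""
    components, realm = parse_krb5_principal(text)
    if not components[0]:
        # Assumption: the first name-string must be non-empty.
        raise NameImportError("empty user-or-service component")
    if realm is not None and not realm:
        raise NameImportError("empty realm")
    for part in components + ([realm] if realm is not None else []):
        bad = _FORBIDDEN.intersection(part)
        if bad:
            raise NameImportError(
                "%r contains %s, which an MN name-string cannot carry"
                % (part, " and ".join(sorted(repr(c) for c in bad)))
            )
    mn = "/".join(components)
    return mn if realm is None else mn + "@" + realm


def mn_fields(mn):
    """Show how the MN is read positionally once imported."""
    name, _, realm = mn.partition("@")
    parts = name.split("/")
    return {
        "user_or_service": parts[0],
        "host": parts[1] if len(parts) > 1 else None,
        "service_specifics": parts[2:],
        "realm": realm or None,
    }


# Constructed sample principals (not taken from the thread).
SAMPLES = [
    "alice@EXAMPLE.ORG",                    # imports unchanged
    "host/server.example.org@EXAMPLE.ORG",  # imports unchanged
    r"alice\@corp.example@EXAMPLE.ORG",     # quoted at-sign in a component
    "alice@C=US/O=Example",                 # slashes in the realm
    "alice/admin@EXAMPLE.ORG",              # valid syntax, changed meaning
]

if __name__ == "__main__":
    for sample in SAMPLES:
        try:
            mn = import_krb5_name_strict(sample)
            print("OK   %-40s -> %s" % (sample, mn_fields(mn)))
        except NameImportError as exc:
            print("FAIL %-40s -> %s" % (sample, exc))
```

The last sample passes the syntax check but its Kerberos "instance" lands in the host position of the MN, which is the kind of unintended interpretation the review comment warns about; a syntax check alone does not catch it.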

From jhutz@cmu.edu  Wed Jul 18 09:44:34 2012
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: Sam Hartman <hartmans-ietf@mit.edu>
In-Reply-To: <tsl1uk9njg6.fsf@mit.edu>
References: <1342587005.7190.56.camel@minbar.fac.cs.cmu.edu> <tsl1uk9njg6.fsf@mit.edu>
Content-Type: text/plain; charset="UTF-8"
Date: Wed, 18 Jul 2012 12:45:22 -0400
Message-ID: <1342629922.17068.36.camel@destiny.pc.cs.cmu.edu>
Cc: draft-ietf-abfab-gss-eap.all@tools.ietf.org, secdir <secdir@ietf.org>, The IESG <iesg@ietf.org>, jhutz@cmu.edu
Subject: Re: [secdir] secdir review of draft-ietf-abfab-gss-eap-08

On Wed, 2012-07-18 at 12:05 -0400, Sam Hartman wrote:

>     Jeffrey> I am a bit confused by section 3.2.  You seem to be saying that the
>     Jeffrey> representation of names and components of names transported in other
>     Jeffrey> protocols is up to the protocol in question, but that the representation
>     Jeffrey> when a name is sent as part of this protocol is UTF-8.  However, the ABNF
>     Jeffrey> in section 3.1 permits only characters up to 0xff.  Is it the intent that
>     Jeffrey> MNs be treated as UTF-8 strings?  If so, it would be better to specify the
>     Jeffrey> MN form in two layers, first indicating that it is a UTF-8 string and then
>     Jeffrey> using ABNF to define the permitted sequences of Unicode characters.
> 
> I disagree. I find the current construction easier to follow and would
> rather not make this change.

OK, but then what does it mean?  Is it intended to be UTF-8?


>     Jeffrey> ----------------------------------------
> 
>     Jeffrey> Why define a family of mechanisms parameterized by enctype, instead of
>     Jeffrey> defining a single mechanism, specifying a mandatory-to-implement enctype,
>     Jeffrey> and negotiating the enctype to be used as part of context establishment?
>     Jeffrey> This would also work around a situation with SASL mechanism naming, which
>     Jeffrey> is that you are effectively defining an entire family of GSS-API mechs but
>     Jeffrey> specifying SASL mechanism names for only one member of that family.  This
>     Jeffrey> means that either other enctypes cannot be used at all, or else they must
>     Jeffrey> forever have non-friendly names encoded as per RFC5801 section 3.1.
> 
>     Jeffrey> Alternately, you could register a family of SASL mechanism names, of the
>     Jeffrey> form EAP-<enc> and EAP-<enc>-PLUS, where <enc> is a numeric enctype.  This
>     Jeffrey> is a bit uglier than EAP-AES128[-PLUS], but prevents future
>     Jeffrey> interoperability problems due to SASL mechanism name mismatches and at
>     Jeffrey> least is reversible, unlike the RFC5801 section 3.1 encoding.
> 
> I think this one is informed WG consensus. One reason to do things as we
> have is that you run into an interop problem if policy or algorithm
> evolution ever disables a mandatory enctype.
> I think the implications have been discussed.

OK, fair enough.

> Since the SASL registry is FCFS, I don't see a problem with having to
> register each enctype separately to get a friendly name.

The only problem is that if someone starts using that enctype with this
mechanism before the friendly name is registered, they end up using the
unfriendly name, and then you eventually have a false interop problem,
where two implementations both support that enctype but don't know it.
Avoiding this is why we wanted friendly names registered when the
mechanism is defined, but RFC5801 doesn't really contemplate mechanism
families like this one.  

Of course, it's possible to work around that problem, if implementations
which know about the friendly name also support and advertise the
unfriendly one.  If you're OK with that, I guess I am too.




>     Jeffrey> ----------------------------------------
> 
>     Jeffrey> In section 5.4, may the acceptor's message include a vendor subtoken?
> Well, if it does, the initiator is required by this spec to ignore it.

Oh, that's true.

>     Jeffrey> ----------------------------------------
> 
>     Jeffrey> In section 5.5, what is a "protected result indication" ?
> 
> An EAP term.
> Meaning you have cryptographic verification of whether the EAP method
> succeeded or failed.

OK.


>     Jeffrey> ----------------------------------------
> 
>     Jeffrey> Is it possible for the Extensions state to involve more than one round trip?
> 
> Not in this specification.
> You could of course add an extension advertized either in the initial
> or extensions state permitting that.
> So we can get that in the future if we need it, but I see no reason for
> the complexity now.

OK.  That's what I thought I got from the text, but I wanted to be sure.

>     Jeffrey> ----------------------------------------
> 
>     Jeffrey> The MIC token described in section 5.6 currently protects only the
>     Jeffrey> extension token containing it.  Is there any value to protecting the entire
>     Jeffrey> context establishment exchange?
> 
> This was extensively discussed in the WG.
> We went through a couple of different protocols and implementations
> here.
> This is where we ended up.
> Yes, there is value in protecting the exchange, but the state required
> to do that simply with RFC 3961 operations gets messy.
> For many of the same reasons we made a similar change in RFC 6113, we
> went with what we have here.

OK; this is definitely one of the places where I expected to find the
issue had already been discussed.  Good enough for me.


>     Jeffrey> - What is the CRK enctype?
> 
> The GMSK enctype.

Please say that explicitly.


>     Jeffrey> ----------------------------------------
> 
>     Jeffrey> It is frequently important to GSS-API initiators that they are talking to
>     Jeffrey> the expected acceptor.  In the present mechanism, that requires not only
>     Jeffrey> verifying the acceptor/NAS's identity with the EAP server (by means of EAP
>     Jeffrey> channel bindings), but also verifying that the verified NAS identity agrees
>     Jeffrey> with the GSS-API target name provided by the initiating application, if
>     Jeffrey> any.  This issue is discussed in detail in sections 3.4 and 3.5, but could
>     Jeffrey> bear an additional mention in the security considerations.
> 
> There's a fairly lengthy discussion of channel binding already in the
> security considerations section.
> I've added a sentence explaining why channel binding is important.

The sentence I'd add is about the importance of insuring that the
acceptor name used at the GSS-API layer corresponds to the name
authenticated by EAP channel bindings.

> I've addressed these where I agree with you. A couple cases I disagreed
> or decided to leave it to the RFC-editor.

I assume you're referring to the editorial issues.

-- Jeff


From hartmans@mit.edu  Wed Jul 18 10:05:39 2012
From: Sam Hartman <hartmans-ietf@mit.edu>
To: Jeffrey Hutzelman <jhutz@cmu.edu>
References: <1342587005.7190.56.camel@minbar.fac.cs.cmu.edu> <tsl1uk9njg6.fsf@mit.edu> <1342629922.17068.36.camel@destiny.pc.cs.cmu.edu>
Date: Wed, 18 Jul 2012 13:06:05 -0400
In-Reply-To: <1342629922.17068.36.camel@destiny.pc.cs.cmu.edu> (Jeffrey Hutzelman's message of "Wed, 18 Jul 2012 12:45:22 -0400")
Message-ID: <tslfw8pm22q.fsf@mit.edu>
Cc: draft-ietf-abfab-gss-eap.all@tools.ietf.org, abfab@ietf.org, Sam Hartman <hartmans-ietf@MIT.EDU>, The IESG <iesg@ietf.org>, secdir <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-abfab-gss-eap-08

>>>>> "Jeffrey" == Jeffrey Hutzelman <jhutz@cmu.edu> writes:


Yes.


    >> 
    Jeffrey> Why define a family of mechanisms parameterized by enctype, instead of
    Jeffrey> defining a single mechanism, specifying a mandatory-to-implement enctype,
    Jeffrey> and negotiating the enctype to be used as part of context establishment?
    Jeffrey> This would also work around a situation with SASL mechanism naming, which
    Jeffrey> is that you are effectively defining an entire family of GSS-API mechs but
    Jeffrey> specifying SASL mechanism names for only one member of that family.  This
    Jeffrey> means that either other enctypes cannot be used at all, or else they must
    Jeffrey> forever have non-friendly names encoded as per RFC5801 section 3.1.
    >> 
    Jeffrey> Alternately, you could register a family of SASL mechanism names, of the
    Jeffrey> form EAP-<enc> and EAP-<enc>-PLUS, where <enc> is a numeric enctype.  This
    Jeffrey> is a bit uglier than EAP-AES128[-PLUS], but prevents future
    Jeffrey> interoperability problems due to SASL mechanism name mismatches and at
    Jeffrey> least is reversible, unlike the RFC5801 section 3.1 encoding.
    >> 
    >> I think this one is informed WG consensus. One reason to do things as we
    >> have is that you run into an interop problem if policy or algorithm
    >> evolution ever disables a mandatory enctype.
    >> I think the implications have been discussed.

    Jeffrey> OK, fair enough.

    >> Since the SASL registry is FCFS, I don't see a problem with having to
    >> register each enctype separately to get a friendly name.

    Jeffrey> The only problem is that if someone starts using that enctype with this
    Jeffrey> mechanism before the friendly name is registered, they end up using the
    Jeffrey> unfriendly name, and then you eventually have a false interop problem,
    Jeffrey> where two implementations both support that enctype but don't know it.
    Jeffrey> Avoiding this is why we wanted friendly names registered when the
    Jeffrey> mechanism is defined, but RFC5801 doesn't really contemplate mechanism
    Jeffrey> families like this one.  


My assumption is that an implementation will only include things for
which it has a friendly name in indicate_mechs output.

From turners@ieca.com  Wed Jul 18 11:52:57 2012
Message-ID: <50070634.2090506@ieca.com>
Date: Wed, 18 Jul 2012 14:53:40 -0400
From: Sean Turner <turners@ieca.com>
To: Sam Hartman <hartmans-ietf@mit.edu>
References: <1342587005.7190.56.camel@minbar.fac.cs.cmu.edu> <tsl1uk9njg6.fsf@mit.edu>
In-Reply-To: <tsl1uk9njg6.fsf@mit.edu>
Cc: draft-ietf-abfab-gss-eap.all@tools.ietf.org, secdir <secdir@ietf.org>, The IESG <iesg@ietf.org>, Jeffrey Hutzelman <jhutz@cmu.edu>
Subject: Re: [secdir] secdir review of draft-ietf-abfab-gss-eap-08

I've got some nits to enter, but it looks like I won't have to pick 
these up.

spt

On 7/18/12 12:05 PM, Sam Hartman wrote:
>
> [Stephen, I have a new draft ready.
> I think we'll still need to ask the WG about the escaping issue, but
> should I publish?]
>
>>>>>> "Jeffrey" == Jeffrey Hutzelman <jhutz@cmu.edu> writes:
>
>
>      Jeffrey> ========================================
>
>      Jeffrey> Section 3.1 discusses the format of the GSS-API Mechanism Names (MNs)
>      Jeffrey> used by the family of mechanisms defined in this document.  However, it
>      Jeffrey> sort of glosses over the notion that, in GSS-API jargon, "Mechanism Name"
>      Jeffrey> means a name of an initiator or acceptor in a mechanism-specific format,
>      Jeffrey> and _not_ the name of a mechanism, as one might otherwise assume.  I
>      Jeffrey> suggest the following change to the first paragraph of this section:
>
>      Jeffrey>   OLD:
>
>      Jeffrey>    Before discussing how the initiator and acceptor names are validated
>      Jeffrey>    in the AAA infrastructure, it is necessary to discuss what composes a
>      Jeffrey>    name for an EAP GSS-API mechanism.  GSS-API permits several types of
>      Jeffrey>    generic names to be imported using GSS_Import_name().  Once a
>      Jeffrey>    mechanism is chosen, these names are converted into a mechanism name
>      Jeffrey>    form.  This section first discusses the mechanism name form and then
>      Jeffrey>    discusses what name forms are supported.
>
>      Jeffrey>   NEW:
>
>      Jeffrey>    Before discussing how the initiator and acceptor names are validated
>      Jeffrey>    in the AAA infrastructure, it is necessary to discuss what composes a
>      Jeffrey>    name for an EAP GSS-API mechanism.  GSS-API permits several types of
>      Jeffrey>    generic names to be imported using GSS_Import_name().  Once a
>      Jeffrey>    mechanism is chosen, these names are converted into a
>      Jeffrey>    mechanism-specific name form, called a "Mechanism Name".  Note that a
>      Jeffrey>    Mechanism Name is the name of an initiator or acceptor, not the name
>      Jeffrey>    of a mechanism.  This section first discusses the mechanism name form
>      Jeffrey>    and then discusses what name forms are supported.
>
>      Jeffrey> ----------------------------------------
>
> I like this change.
>
>      Jeffrey> At the end of section 3.1, you write "Mechanisms MAY support the
>      Jeffrey> GSS_KRB5_NT_KRB5_PRINCIPAL_NAME name form", but not how names of this form
>      Jeffrey> should be converted to GSS-EAP MNs.  This results in ambiguities and also
>      Jeffrey> some potential for unexpected results, including importing invalid names.
>      Jeffrey> Some Kerberos principal names will be invalid as EAP-GSS MNs, particularly,
>      Jeffrey> those using principal name forms which contain at-signs or realm name forms
>      Jeffrey> containing slashes (the latter are not likely to be a practical problem,
>      Jeffrey> but the former might be).  Others will be interpreted not as intended, or
>      Jeffrey> may not be appropriate transformations (for example, user "instances" with
>      Jeffrey> multiple principal name components).
>
>      Jeffrey> To address this, I would recommend the following:
>
>      Jeffrey>   1) Introduce an escaping syntax, such as the use of backslash as in
>      Jeffrey>      RFC1964 section 2.1.1, to allow representation of name-strings which
>      Jeffrey>      contain slash and at-sign characters.
>
> I think we discussed this between IETF 79 and IETF 80.
> However I'd appreciate feedback from the abfab chairs on whether we
> already discussed this and on polling the WG if we did not.
>      Jeffrey>   3) Warn that direct import of Kerberos principal names may have
>      Jeffrey>      unintended effects due to differences in name structure, and that this
>      Jeffrey>      feature, if implemented, should be used carefully (possibly disabled
>      Jeffrey>      by default).
>
>      Jeffrey>   As an alternative to (1), you could continue to simply prohibit names
>      Jeffrey>   containing slashes and at-signs as parts of name-strings.  In this case,
>      Jeffrey>   implementations which support import of GSS_KRB5_NT_KRB5_PRINCIPAL_NAME
>      Jeffrey>   names MUST verify that the imported name is valid and otherwise fail the
>      Jeffrey>   import.
>
> I've added text noting there are differences and indicating that import
> SHOULD fail if the name is not syntactically valid.
> That's a SHOULD to give mechanisms flexibility if they have some
> particular cleanup they want to apply to make some application work.
>
>
>      Jeffrey> ----------------------------------------
>
>      Jeffrey> I am a bit confused by section 3.2.  You seem to be saying that the
>      Jeffrey> representation of names and components of names transported in other
>      Jeffrey> protocols is up to the protocol in question, but that the representation
>      Jeffrey> when a name is sent as part of this protocol is UTF-8.  However, the ABNF
>      Jeffrey> in section 3.1 permits only characters up to 0xff.  Is it the intent that
>      Jeffrey> MNs be treated as UTF-8 strings?  If so, it would be better to specify the
>      Jeffrey> MN form in two layers, first indicating that it is a UTF-8 string and then
>      Jeffrey> using ABNF to define the permitted sequences of Unicode characters.
>
> I disagree. I find the current construction easier to follow and would
> rather not make this change.
>
>      Jeffrey> ----------------------------------------
>
>      Jeffrey> Why define a family of mechanisms parameterized by enctype, instead of
>      Jeffrey> defining a single mechanism, specifying a mandatory-to-implement enctype,
>      Jeffrey> and negotiating the enctype to be used as part of context establishment?
>      Jeffrey> This would also work around a situation with SASL mechanism naming, which
>      Jeffrey> is that you are effectively defining an entire family of GSS-API mechs but
>      Jeffrey> specifying SASL mechanism names for only one member of that family.  This
>      Jeffrey> means that either other enctypes cannot be used at all, or else they must
>      Jeffrey> forever have non-friendly names encoded as per RFC5801 section 3.1.
>
>      Jeffrey> Alternately, you could register a family of SASL mechanism names, of the
>      Jeffrey> form EAP-<enc> and EAP-<enc>-PLUS, where <enc> is a numeric enctype.  This
>      Jeffrey> is a bit uglier than EAP-AES128[-PLUS], but prevents future
>      Jeffrey> interoperability problems due to SASL mechanism name mismatches and at
>      Jeffrey> least is reversible, unlike the RFC5801 section 3.1 encoding.
>
> I think this one is informed WG consensus. One reason to do things as we
> have is that you run into an interop problem if policy or algorithm
> evolution ever disables a mandatory enctype.
> I think the implications have been discussed.
>
> Since the SASL registry is FCFS, I don't see a problem with having to
> register each enctype separately to get a friendly name.
>
>      Jeffrey> ----------------------------------------
>
>      Jeffrey> In section 5.4, may the acceptor's message include a vendor subtoken?
> Well, if it does, the initiator is required by this spec to ignore it.
>
>      Jeffrey> ----------------------------------------
>
>      Jeffrey> In section 5.5, what is a "protected result indication" ?
>
> An EAP term.
> Meaning you have cryptographic verification of whether the EAP method
> succeeded or failed.
>
>      Jeffrey> ----------------------------------------
>
>      Jeffrey> Is it possible for the Extensions state to involve more than one round trip?
>
> Not in this specification.
> You could of course add an extension advertized either in the initial
> or extensions state permitting that.
> So we can get that in the future if we need it, but I see no reason for
> the complexity now.
>
>      Jeffrey> ----------------------------------------
>
>      Jeffrey> In section 5.6.1, initiators should be REQUIRED to send zeros for all flag
>      Jeffrey> bits other than GSS_C_MUTUAL_FLAG, in order to guarantee that these bits
>      Jeffrey> are available for future extension.
>
> Yep, thanks.
>
>      Jeffrey> ----------------------------------------
>
>      Jeffrey> The MIC token described in section 5.6 currently protects only the
>      Jeffrey> extension token containing it.  Is there any value to protecting the entire
>      Jeffrey> context establishment exchange?
>
> This was extensively discussed in the WG.
> We went through a couple of different protocols and implementations
> here.
> This is where we ended up.
> Yes, there is value in protecting the exchange, but the state required
> to do that simply with RFC 3961 operations gets messy.
> For many of the same reasons we made a similar change in RFC 6113, we
> went with what we have here.
>
>      Jeffrey> ----------------------------------------
>
>      Jeffrey> In section 6, the descriptions of the derivation of the GMSK and CRK
>      Jeffrey> seem incomplete.  In particular...
>
>      Jeffrey> - What happens if the EAP master session key is not large enough to
>      Jeffrey>   satisfy the requirements of the GMSK enctype's
>      Jeffrey>   random-to-key?
>
> I'm fairly sure for existing RFC 3961 enctypes and for existing
> key-deriving EAP methods, that never happens.
> For completeness I've added a requirement that in this case
> authentication MUST fail.
>
>      Jeffrey> - What is the CRK enctype?
>
> The GMSK enctype.
>
>      Jeffrey> - I think you mean to indicate that the CRK is the result of applying
>      Jeffrey>   the CRK enctype's random-to-key to the output of the indicated truncate
>      Jeffrey>   call.  A mere string of random bits is not an RFC3961 protocol key.
>      Jeffrey> - The definition of L is garbled.  I think you mean it is the length of
>      Jeffrey>   data required by the CRK enctype's random-to-key.
>
> I do for all of these.
> Fixing.
>
>
>      Jeffrey> ----------------------------------------
>
>      Jeffrey> It is frequently important to GSS-API initiators that they are talking to
>      Jeffrey> the expected acceptor.  In the present mechanism, that requires not only
>      Jeffrey> verifying the acceptor/NAS's identity with the EAP server (by means of EAP
>      Jeffrey> channel bindings), but also verifying that the verified NAS identity agrees
>      Jeffrey> with the GSS-API target name provided by the initiating application, if
>      Jeffrey> any.  This issue is discussed in detail in sections 3.4 and 3.5, but could
>      Jeffrey> bear an additional mention in the security considerations.
>
> There's a fairly lengthy discussion of channel binding already in the
> security considerations section.
> I've added a sentence explaining why channel binding is important.
>
>
>
>
> Thanks.
>
> I've addressed these where I agree with you. A couple cases I disagreed
> or decided to leave it to the RFC-editor.
>

From hartmans@mit.edu  Wed Jul 18 13:07:24 2012
Return-Path: <hartmans@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61A0F21F8847; Wed, 18 Jul 2012 13:07:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.919
X-Spam-Level: 
X-Spam-Status: No, score=-102.919 tagged_above=-999 required=5 tests=[AWL=-0.654, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5SZU679ANs4S; Wed, 18 Jul 2012 13:07:24 -0700 (PDT)
Received: from permutation-city.suchdamage.org (permutation-city.suchdamage.org [69.25.196.28]) by ietfa.amsl.com (Postfix) with ESMTP id DA88321F8846; Wed, 18 Jul 2012 13:07:23 -0700 (PDT)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id A2588203BA; Wed, 18 Jul 2012 16:08:31 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 3BB6C41F0; Wed, 18 Jul 2012 16:07:47 -0400 (EDT)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: Sean Turner <turners@ieca.com>
References: <1342587005.7190.56.camel@minbar.fac.cs.cmu.edu> <tsl1uk9njg6.fsf@mit.edu> <50070634.2090506@ieca.com>
Date: Wed, 18 Jul 2012 16:07:47 -0400
In-Reply-To: <50070634.2090506@ieca.com> (Sean Turner's message of "Wed, 18 Jul 2012 14:53:40 -0400")
Message-ID: <tslpq7sltnw.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: draft-ietf-abfab-gss-eap.all@tools.ietf.org, secdir <secdir@ietf.org>, Sam Hartman <hartmans-ietf@mit.edu>, The IESG <iesg@ietf.org>, Jeffrey Hutzelman <jhutz@cmu.edu>
Subject: Re: [secdir] secdir review of draft-ietf-abfab-gss-eap-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2012 20:07:24 -0000

>>>>> "Sean" == Sean Turner <turners@ieca.com> writes:

    Sean> I've got some nits to enter, but it looks like I won't have to pick
    Sean> these up.

I'm happy to publish a draft with your nits and the secdir changes.
Waiting for go-ahead from Stephen to do that.
Depending on his timing I can push that out before the telechat if
desired.

Assuming no DISCUSS positions it should probably hold in point-raised
writeup needed simply to give the WG a chance to look at the diffs and
to confirm the discussion of escaping.

From robert@raszuk.net  Wed Jul 18 15:29:10 2012
Return-Path: <robert@raszuk.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C0BC11E81D9 for <secdir@ietfa.amsl.com>; Wed, 18 Jul 2012 15:29:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000,  BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CGQHXCi3U2v7 for <secdir@ietfa.amsl.com>; Wed, 18 Jul 2012 15:29:09 -0700 (PDT)
Received: from mail1310.opentransfer.com (mail1310.opentransfer.com [76.162.254.103]) by ietfa.amsl.com (Postfix) with ESMTP id 21EE411E81C9 for <secdir@ietf.org>; Wed, 18 Jul 2012 15:29:08 -0700 (PDT)
Received: (qmail 28231 invoked by uid 399); 18 Jul 2012 22:29:59 -0000
Received: from unknown (HELO ?216.69.69.240?) (pbs:robert@raszuk.net@216.69.69.240) by mail1310.opentransfer.com with ESMTPM; 18 Jul 2012 22:29:59 -0000
X-Originating-IP: 216.69.69.240
Message-ID: <500738E6.9070902@raszuk.net>
Date: Thu, 19 Jul 2012 00:29:58 +0200
From: Robert Raszuk <robert@raszuk.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20120713 Thunderbird/14.0
MIME-Version: 1.0
To: Hilarie Orman <hilarie@purplestreak.com>
References: <201207161930.q6GJUr6Z014862@sylvester.rhmr.com>
In-Reply-To: <201207161930.q6GJUr6Z014862@sylvester.rhmr.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Wed, 18 Jul 2012 15:38:39 -0700
Cc: draft-ietf-grow-diverse-bgp-path-dist.all@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Security review of draft-ietf-grow-diverse-bgp-path-dist-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: robert@raszuk.net
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2012 22:29:10 -0000

Dear Hilarie,

Many thx for your comments and apologies for delayed reply. Let me 
attempt to clarify some of the points you raised hoping that they may 
shed some more light on the topic.

> This document presents a mechanism for distributing redundant BGP
> paths based on the concept of parallel route reflector planes.  It
> does not need any changes to the BGP protocol definition.
>
> The general notion is that different groups of route reflectors would
> be assigned to find the "nth best route" where n varies from 1 to a small
> number.  All n routes would be presented to devices connected to the
> route reflectors.  This in turn would enable a multitude of benefits:
> quick routing restoration, load balancing, and churn reduction.

Correct.

> The point of making this an IETF document is odd.  Its fundamental
> message is "instead of using extensions to BGP for additional paths,
> you could use route reflectors configured for nth best path."  And, as
> it turns out, Cisco makes such a product.

I am perhaps missing the background of the above comment, but please 
keep in mind that this document is worked on in GROW WG. This working 
group is not tasked to define new protocol extensions, but to document 
operational solutions to existing problems. GROW WG also provides best 
common practices documentation. IMHO the more solutions GROW or any 
other working group in IETF defines which do not require new protocol 
extension the faster velocity of improvement to Internet and other IP 
based services can be accomplished.


> The draft is sketchy on how route reflectors actually work,

True. But this is very well documented in RFC4456 and this draft does 
not intend to update that RFC. In fact the draft does not change any 
route reflection protocol assumptions.

> Still, we do not get to know if route reflectors put additional,
> proprietary, information on the wire,

They do not; otherwise the specification would be a protocol extension 
which you correctly already observed it is not.

> how a listener could inquire about their configuration,

I am not sure what you mean by that in the light of regular IBGP 
session between route reflector and its client.

> or what the stability and failure properties might be.

The stability and failure property is identical to any other iBGP 
session today.

> All of this makes for difficulties in doing a security analysis.  The
> document asserts that all security problems are subsumed by prior work
> in analyzing BGP security.  This might be true, but BGP has a number
> of documented vulnerabilities, and the new paths might multiply them.

While I understand your point it is extremely broad. One way of possible 
comparison would be to compare it with full mesh IBGP peering as in this 
case all clients would see all paths in the domain (assuming best 
external is enabled).

> Should BGP listeners trust the additional paths?

Yes. Remember those are intra-domain paths. Would BGP speaker trust any 
other iBGP peer ?

> Are opportunities for spoofing increased because listeners should
> expect more paths?
> What are the interactions between spoofed failures and switching to
> one of the diverse paths?  Could route reflectors be tricked into
> permuting the path ordering so fast that paths never stabilize?

I am not clear what spoofing risk you are referring to above.

> I think that the security considerations should address potential
> problems in the context of the previous analyses of BGP security, if
> this is indeed a protocol document in the ordinary IETF sense.
> Perhaps it is not, maybe it is an infrastructure configuration guide
> or an argument against BGP add-paths extensions.  I can't tell.

This document is to provide a very easy solution for a BGP speaker to 
receive more than the best path. In most applications two paths are sufficient.

So the main objective of this document is to observe that by simply 
adding a new session between the RR and its client, the RR can be instructed to 
send a 2nd best/backup path on such a session.

Both above described functions are already very commonly available in 
a number of BGP implementations. Authors just combine both to achieve an easily 
deployable solution which does not require massive network wide upgrades 
which as I am sure we all realize may take years.

Best regards,
R.

> Hilarie
>
> ---------------------------
> NB: "Hilarie Orman" is my actual name and not a pseudonym for any
> other person with similar knowledge or interests.


From turners@ieca.com  Thu Jul 19 03:58:54 2012
Return-Path: <turners@ieca.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A5C321F86BB for <secdir@ietfa.amsl.com>; Thu, 19 Jul 2012 03:58:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.322
X-Spam-Level: 
X-Spam-Status: No, score=-102.322 tagged_above=-999 required=5 tests=[AWL=-0.057, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KjkOGcwCs5aW for <secdir@ietfa.amsl.com>; Thu, 19 Jul 2012 03:58:53 -0700 (PDT)
Received: from gateway02.websitewelcome.com (gateway02.websitewelcome.com [69.56.184.20]) by ietfa.amsl.com (Postfix) with ESMTP id 5D7E921F86B7 for <secdir@ietf.org>; Thu, 19 Jul 2012 03:58:53 -0700 (PDT)
Received: by gateway02.websitewelcome.com (Postfix, from userid 5007) id EA591BB6A7F2F; Thu, 19 Jul 2012 05:59:46 -0500 (CDT)
Received: from gator1743.hostgator.com (gator1743.hostgator.com [184.173.253.227]) by gateway02.websitewelcome.com (Postfix) with ESMTP id BD7E0BB6A7F07 for <secdir@ietf.org>; Thu, 19 Jul 2012 05:59:46 -0500 (CDT)
Received: from [71.191.15.186] (port=43705 helo=thunderfish.local) by gator1743.hostgator.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.77) (envelope-from <turners@ieca.com>) id 1SroSP-0006dE-5U; Thu, 19 Jul 2012 05:59:45 -0500
Message-ID: <5007E8A0.1040805@ieca.com>
Date: Thu, 19 Jul 2012 06:59:44 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:14.0) Gecko/20120713 Thunderbird/14.0
MIME-Version: 1.0
To: "secdir@ietf.org" <secdir@ietf.org>
References: <CAMm+Lwi7W9CoNinCF+4jjygEHsph_nBmBfnbxiYR3yqZOQKFiA@mail.gmail.com> <4FEE4C12.6040208@ericsson.com>
In-Reply-To: <4FEE4C12.6040208@ericsson.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator1743.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ieca.com
X-BWhitelist: no
X-Source: 
X-Source-Args: 
X-Source-Dir: 
X-Source-Sender: (thunderfish.local) [71.191.15.186]:43705
X-Source-Auth: sean.turner@ieca.com
X-Email-Count: 7
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IxNzQzLmhvc3RnYXRvci5jb20=
Cc: Joel Halpern <joel.halpern@ericsson.com>, Suresh Krishnan <suresh.krishnan@ericsson.com>
Subject: Re: [secdir] SECDIR Review of http://tools.ietf.org/html/draft-krishnan-nomcom-tools-01
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jul 2012 10:58:54 -0000

Any additional thoughts on the cipher suite?  I think RSA is probably 
the right alg.  2048-bit is the minimum key size.  And, I think we 
should eat our own dogfood and not use MD5/SHA-1 and instead use 
SHA-256.  How do others feel about this?

spt

On 6/29/12 8:45 PM, Suresh Krishnan wrote:
> Hi Phil,
>    Thanks for the review. Please find responses inline.
>
> On 06/27/2012 10:20 AM, Phillip Hallam-Baker wrote:
>> I have reviewed this document as part of the security directorate's
>> ongoing effort to review all IETF documents being processed by the
>> IESG.  These comments were written primarily for the benefit of the
>> security area directors. Document editors and WG chairs should treat
>> these comments just like any other last call comments.
>>
>>
>> Surprisingly for a non protocol draft, this one actually is almost
>> completely security requirements. Unfortunately I find it rather hard
>> to tell if the security architecture meets the security goals because
>> they are not separated from each other.
>>
>> I think the document should have a section stating the security goals
>> or reference another document that states them. Presumably these are
>> all derived from the Nomcom RFC.
>
> The goals are derived from RFC3777
>
> * Section 3 Rule 6
>
> "     All deliberations and supporting information that relates to
>        specific nominees, candidates, and confirmed candidates are
>        confidential."
>
> * Section 5 Rule 16
>
> "      The nominating committee should archive the information it has
>         collected or produced for a period of time not to exceed its
>         term.
>         ...
>         The implementation of the archive should make every reasonable
>         effort to ensure that the confidentiality of the information it
>         contains is maintained."
>
>
>>
>>
>> The document specifies creation of a public key but not the algorithm
>> or strength. Given that this is an RFP, I think it would be
>> appropriate to completely and uniquely specify the cipher suite to be
>> supported.
>
> As stated in the draft, the key is generated by the Nomcom chair out of
> band and not by the tool. In the example provided in Appendix A (based
> on what I actually did as chair), the key used is a RSA 2048-bit key.
> Since I am not even remotely close to a security expert :-), it would be
> great if you can provide suggestions to put in here for future Nomcom
> chairs.
>
> Thanks
> Suresh

From alexey.melnikov@isode.com  Thu Jul 19 09:03:41 2012
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD78421F8668; Thu, 19 Jul 2012 09:03:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.975
X-Spam-Level: 
X-Spam-Status: No, score=-102.975 tagged_above=-999 required=5 tests=[AWL=-0.377, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 05c0ke9BKHXR; Thu, 19 Jul 2012 09:03:40 -0700 (PDT)
Received: from waldorf.isode.com (cl-125.lon-03.gb.sixxs.net [IPv6:2a00:14f0:e000:7c::2]) by ietfa.amsl.com (Postfix) with ESMTP id 1A53E21F862F; Thu, 19 Jul 2012 09:03:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1342713912; d=isode.com; s=selector; i=@isode.com; bh=SuMFkTGUh8Ambp4ptUkmyzp8acMYTjW7e2ssde5hUmE=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=AF1Z7Rx/V/ekdc3vd816ZXQA0vIpPKi+pHbOG3NAAKoe8/Z2TVxqGVw9HwXtffX0pETRvS HL3O+gGXG3EbbBg/sqQET7EHMVqcGrt75Fp4WvZGlc1fzf3L0X4QHgRLDmq+qTn0UAZh53 vdy0uMdWxzf4jdUfQG6On/m7RjiCtqI=;
Received: from [172.16.1.29] (shiny.isode.com [62.3.217.250])  by waldorf.isode.com (submission channel) via TCP with ESMTPSA  id <UAgwNQAkRK99@waldorf.isode.com>; Thu, 19 Jul 2012 17:05:12 +0100
X-SMTP-Protocol-Errors: PIPELINING
Message-ID: <50083014.2080200@isode.com>
Date: Thu, 19 Jul 2012 17:04:36 +0100
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20120614 Thunderbird/13.0.1
To: Shawn Emery <shawn.emery@oracle.com>
References: <4F8687DA.6020402@oracle.com> <50065F08.1090307@oracle.com>
In-Reply-To: <50065F08.1090307@oracle.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------060405080200030504030901"
Cc: draft-melnikov-smtp-priority-tunneling.all@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Review of draft-melnikov-smtp-priority-tunneling-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jul 2012 16:03:42 -0000

This is a multi-part message in MIME format.
--------------060405080200030504030901
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Hi Shawn,

On 18/07/2012 08:00, Shawn Emery wrote:
> I have reviewed this document as part of the security directorate's 
> ongoing effort to review all IETF documents being processed by the 
> IESG. These comments were written primarily for the benefit of the 
> security area directors. Document editors and WG chairs should treat 
> these comments just like any other last call comments.
>
> This experimental draft describes a SMTP tunneling method to support 
> priority message values for Mail Transfer Agents (MTA) that don't 
> understand the MT-PRIORITY SMTP extension.
>
> The security consideration section does exist and is quite detailed in 
> listing the various attack scenarios and mitigating against these 
> attacks.  It goes on to provide exceptions of when MT-Priority header 
> values are not required to be stripped.  These have consequences such 
> as breaking DKIM signatures, assuming subsequent MTAs are compliant 
> with the new tunneling, or rejecting the messaging.  The document may 
> clarify on when it is acceptable to break DKIM signatures and/or 
> describe the environment.

I don't think I know a clear answer to this and this might be 
implementation/deployment specific.

> On the other hand, if the MSA/MTA decides to alter the message and 
> needs to resign the message then is there any ambiguity of what the 
> message/fields would be when resigned?

As far as this extension is concerned, there is only one header field of 
relevance. So I don't think so.

>
> General comments:
>
> Thanks for providing the before and after examples as this was helpful 
> in my understanding of the protocol.
>
> Editorial comments:
>
> s/Example of such/Examples of such/

Fixed in my copy.


--------------060405080200030504030901--

From weiler@watson.org  Thu Jul 19 10:24:31 2012
Return-Path: <weiler@watson.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E178521F87EA for <secdir@ietfa.amsl.com>; Thu, 19 Jul 2012 10:24:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.339
X-Spam-Level: 
X-Spam-Status: No, score=-2.339 tagged_above=-999 required=5 tests=[AWL=0.260,  BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J-oSEgdK3E-i for <secdir@ietfa.amsl.com>; Thu, 19 Jul 2012 10:24:30 -0700 (PDT)
Received: from fledge.watson.org (fledge.watson.org [65.122.17.41]) by ietfa.amsl.com (Postfix) with ESMTP id D8C5F21F87E7 for <secdir@ietf.org>; Thu, 19 Jul 2012 10:24:29 -0700 (PDT)
Received: from fledge.watson.org (localhost.watson.org [127.0.0.1]) by fledge.watson.org (8.14.5/8.14.5) with ESMTP id q6JHPLH0047709 for <secdir@ietf.org>; Thu, 19 Jul 2012 13:25:21 -0400 (EDT) (envelope-from weiler@watson.org)
Received: from localhost (weiler@localhost) by fledge.watson.org (8.14.5/8.14.5/Submit) with ESMTP id q6JHPLsL047706 for <secdir@ietf.org>; Thu, 19 Jul 2012 13:25:21 -0400 (EDT) (envelope-from weiler@watson.org)
X-Authentication-Warning: fledge.watson.org: weiler owned process doing -bs
Date: Thu, 19 Jul 2012 13:25:21 -0400 (EDT)
From: Samuel Weiler <weiler@watson.org>
To: secdir@ietf.org
Message-ID: <alpine.BSF.2.00.1207191323390.76733@fledge.watson.org>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.3 (fledge.watson.org [127.0.0.1]); Thu, 19 Jul 2012 13:25:21 -0400 (EDT)
Subject: [secdir] Need a reviewer for iSCSI Drafts
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: secdir-secretary@mit.edu
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jul 2012 17:24:31 -0000

Two iSCSI drafts just entered a 4 week last call.

1) https://datatracker.ietf.org/doc/draft-ietf-storm-iscsi-cons
2) https://datatracker.ietf.org/doc/draft-ietf-storm-iscsi-sam

1) has 344 pages (!)
2) has 20 pages but is a companion document to 1)

For something like this, it seems best to ask for a volunteer.  Anyone 
want to read the iSCSI docs?

-- Sam

From turners@ieca.com  Thu Jul 19 10:26:44 2012
Message-ID: <50084387.3010402@ieca.com>
Date: Thu, 19 Jul 2012 13:27:35 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:14.0) Gecko/20120713 Thunderbird/14.0
MIME-Version: 1.0
To: secdir@ietf.org
References: <alpine.BSF.2.00.1207191323390.76733@fledge.watson.org>
In-Reply-To: <alpine.BSF.2.00.1207191323390.76733@fledge.watson.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: secdir-secretary@mit.edu
Subject: Re: [secdir] Need a reviewer for iSCSI Drafts

On 7/19/12 1:25 PM, Samuel Weiler wrote:
> Two iSCSI drafts just entered a 4 week last call.
>
> 1) https://datatracker.ietf.org/doc/draft-ietf-storm-iscsi-cons
> 2) https://datatracker.ietf.org/doc/draft-ietf-storm-iscsi-sam
>
> 1) has 344 pages (!)
> 2) has 20 pages but is a companion document to 1)
>
> For something like this, it seems best to ask for a volunteer.  Anyone
> want to read the iSCSI docs?

And, we'll give you an out on the next review too.

spt

From alexey.melnikov@isode.com  Thu Jul 19 11:19:49 2012
Message-ID: <50084FFA.1090901@isode.com>
Date: Thu, 19 Jul 2012 19:20:42 +0100
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20120614 Thunderbird/13.0.1
To: secdir-secretary@mit.edu
References: <alpine.BSF.2.00.1207191323390.76733@fledge.watson.org>
In-Reply-To: <alpine.BSF.2.00.1207191323390.76733@fledge.watson.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: Samuel Weiler <weiler@watson.org>, secdir@ietf.org
Subject: Re: [secdir] Need a reviewer for iSCSI Drafts

On 19/07/2012 18:25, Samuel Weiler wrote:
> Two iSCSI drafts just entered a 4 week last call.
>
> 1) https://datatracker.ietf.org/doc/draft-ietf-storm-iscsi-cons
> 2) https://datatracker.ietf.org/doc/draft-ietf-storm-iscsi-sam
>
> 1) has 344 pages (!)
> 2) has 20 pages but is a companion document to 1)
>
> For something like this, it seems best to ask for a volunteer. Anyone 
> want to read the iSCSI docs?

Didn't I volunteer for this last summer? I think I went through half of 
it last Autumn...


From hilarie@purplestreak.com  Thu Jul 19 11:22:42 2012
Date: Thu, 19 Jul 2012 12:20:43 -0600
Message-Id: <201207191820.q6JIKhGv026714@sylvester.rhmr.com>
From: "Hilarie Orman" <hilarie@purplestreak.com>
To: robert@raszuk.net
In-reply-to: Yourmessage <500738E6.9070902@raszuk.net>
Cc: draft-ietf-grow-diverse-bgp-path-dist.all@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Security review of draft-ietf-grow-diverse-bgp-path-dist-07
Reply-To: Hilarie Orman <hilarie@purplestreak.com>

Thanks for explaining the GROW WG, I apologize for not reading its
charter before writing my review.  Other comments inline.

>  Date: Thu, 19 Jul 2012 00:29:58 +0200
>  From: Robert Raszuk <robert@raszuk.net>
>  MIME-Version: 1.0
>  To: Hilarie Orman <hilarie@purplestreak.com>
>  CC: iesg@ietf.org, secdir@ietf.org,
>	   draft-ietf-grow-diverse-bgp-path-dist.all@tools.ietf.org
>  Subject: Re: Security review of draft-ietf-grow-diverse-bgp-path-dist-07
>  Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>  Content-Transfer-Encoding: 7bit

>  Dear Hilarie,

>  Many thx for your comments and apologies for delayed reply. Let me 
>  attempt to clarify some of the points you raised hoping that they may 
>  shed some more light on the topic.

>  > This document presents a mechanism for distributing redundant BGP
>  > paths based on the concept of parallel route reflector planes.  It
>  > does not need any changes to the BGP protocol definition.
>  >
>  > The general notion is that different groups of route reflectors would
>  > be assigned to find the "nth best route" where n varies from 1 to a small
>  > number.  All n routes would be presented to devices connected to the
>  > route reflectors.  This in turn would enable a multitude of benefits:
>  > quick routing restoration, load balancing, and churn reduction.

>  Correct.

>  > The point of making this an IETF document is odd.  Its fundamental
>  > message is "instead of using extensions to BGP for additional paths,
>  > you could use route reflectors configured for nth best path."  And, as
>  > it turns out, Cisco makes such a product.

>  I am perhaps missing the background of the above comment, but please 
>  keep in mind that this document is worked on in GROW WG. This working 
>  group is not tasked to define new protocol extensions, but to document 
>  operational solutions to existing problems. GROW WG also provides best 
>  common practices documentation. IMHO the more solutions GROW or any 
>  other working group in IETF defines which do not require new protocol 
>  extension the faster velocity of improvement to Internet and other IP 
>  based services can be accomplished.

>  > The draft is sketchy on how route reflectors actually work,

>  True. But this is very well documented in RFC4456 and this draft does 
>  not intend to update that RFC. In fact the draft does not change any 
>  route reflection protocol assumptions.

>  > Still, we do not get to know if route reflectors put additional,
>  > proprietary, information on the wire,

>  They do not otherwise the specification would be a protocol extension 
>  which you correctly already observed it is not.

From the draft, it was not apparent to me that RR communication was
specified in RFC4456.  I should have read the RFC, but shouldn't that
be a normative reference?  Also, as an editorial issue, it would help
to have some specific references to it in the descriptions of the
various routing plane scenarios.

>  > how a listener could inquire about their configuration,

>  I am not sure what do you mean by that in the light of regular IBGP 
>  session between route reflector and it's client.

A nit --- "its".

>  > or what the stability and failure properties might be.

>  The stability and failure property is identical to any other iBGP 
>  session today.

>  > All of this makes for difficulties in doing a security analysis.  The
>  > document asserts that all security problems are subsumed by prior work
>  > in analyzing BGP security.  This might be true, but BGP has a number
>  > of documented vulnerabilities, and the new paths might multiply them.

>  While I understand your point it is extremely broad. One way of possible 
>  comparison would be to compare it with full mesh IBGP peering as in this 
>  case all clients would see all paths in the domain (assuming best 
>  external is enabled).

My only point is that the burden of this should be on the writers of
the drafts.  I gather that it is common practice to keep saying
"no additional security concerns" without looking at what the base
security concerns are.  Surely it is worth some "consideration"?

>  > Should BGP listeners trust the additional paths?

>  Yes. Remember those are intra-domain paths. Would BGP speaker trust any 
>  other iBGP peer ?

>  > Are opportunities for spoofing increased because listeners should
>  > expect more paths?
>  > What are the interactions between spoofed failures and switching to
>  > one of the diverse paths?  Could route reflectors be tricked into
>  > permuting the path ordering so fast that paths never stabilize?

>  I am not clear what spoofing risk you are referring to above.

RFC4272 refers to several kinds of attacks that compromise the
authentication.  You might reference that in the security consideration
section.

>  > I think that the security considerations should address potential
>  > problems in the context of the previous analyses of BGP security, if
>  > this is indeed a protocol document in the ordinary IETF sense.
>  > Perhaps it is not, maybe it is an infrastructure configuration guide
>  > or an argument against BGP add-paths extensions.  I can't tell.

>  This document is to provide very easy solution for BGP speaker to 
>  receive more than best path. In most applications two paths is sufficient.

>  So the main objective of this document is to observe that by simply 
>  adding new session between RR and it's client RR can be instructed to 
>  send a 2nd best/backup path on such session.

>  Both above described functions are already very commonly available in 
>  number of BGP implementations. Authors just combine both to achieve easy 
>  deployable solution which does not require massive network wide upgrades 
>  which as I am sure we all realize may take years.

All well and good.  I'd like to note that your text is much clearer
than anything in the draft; you might use it in the abstract.  You might
use that style (short, simple sentences) as a guide to revising the
draft.

Nonetheless, any new usage of a protocol may have security
implications, and it is worthwhile asking if known security issues
might lead to some new form of compromised functionality.

Hilarie

From kathleen.moriarty@emc.com  Thu Jul 19 14:34:53 2012
From: <kathleen.moriarty@emc.com>
To: <alexey.melnikov@isode.com>, <secdir-secretary@mit.edu>
Date: Thu, 19 Jul 2012 17:35:23 -0400
Thread-Topic: [secdir] Need a reviewer for iSCSI Drafts
Thread-Index: Ac1l2zvj7RMSLsTaTc2X+PvObsTXFQAGkwqw
Message-ID: <F5063677821E3B4F81ACFB7905573F2403B9596F@MX15A.corp.emc.com>
References: <alpine.BSF.2.00.1207191323390.76733@fledge.watson.org> <50084FFA.1090901@isode.com>
In-Reply-To: <50084FFA.1090901@isode.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EMM-MHVC: 1
Cc: weiler@watson.org, secdir@ietf.org
Subject: Re: [secdir] Need a reviewer for iSCSI Drafts

I must have done something wrong in a past life as I just had it assigned
to me via Gen-ART...  I'll do my best to look for opportunities to cut down
the text in that review ;-).

I have not looked at it yet, but if there is a way to share the work, I can
help (I am swamped right now though)... since I have to read it anyway.

-Kathleen

-----Original Message-----
From: secdir-bounces@ietf.org [mailto:secdir-bounces@ietf.org] On Behalf Of Alexey Melnikov
Sent: Thursday, July 19, 2012 2:21 PM
To: secdir-secretary@mit.edu
Cc: Samuel Weiler; secdir@ietf.org
Subject: Re: [secdir] Need a reviewer for iSCSI Drafts

On 19/07/2012 18:25, Samuel Weiler wrote:
> Two iSCSI drafts just entered a 4 week last call.
>
> 1) https://datatracker.ietf.org/doc/draft-ietf-storm-iscsi-cons
> 2) https://datatracker.ietf.org/doc/draft-ietf-storm-iscsi-sam
>
> 1) has 344 pages (!)
> 2) has 20 pages but is a companion document to 1)
>
> For something like this, it seems best to ask for a volunteer. Anyone
> want to read the iSCSI docs?

Didn't I volunteer for this last summer? I think I went through half of
it last Autumn...

_______________________________________________
secdir mailing list
secdir@ietf.org
https://www.ietf.org/mailman/listinfo/secdir
wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview


From weiler+secdir@watson.org  Sat Jul 21 03:41:15 2012
Date: Sat, 21 Jul 2012 06:42:11 -0400 (EDT)
From: Samuel Weiler <weiler+secdir@watson.org>
X-X-Sender: weiler@fledge.watson.org
To: secdir@ietf.org
Message-ID: <alpine.BSF.2.00.1207210641080.83173@fledge.watson.org>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
Subject: [secdir] Assignments
Reply-To: secdir-secretary@mit.edu

Review instructions and related resources are at:
        http://tools.ietf.org/area/sec/trac/wiki/SecDirReview

Brian Weis is next in the rotation.

For telechat 2012-08-30

Reviewer                 LC end     Draft
Sam Weiler             T -          draft-ietf-nea-pt-tls-06


For telechat 2012-09-13

Alexey Melnikov        T 2012-08-13 draft-ietf-storm-iscsi-cons-06
Alexey Melnikov        T 2012-08-13 draft-ietf-storm-iscsi-sam-06

Last calls and special requests:

Rob Austein              2012-06-26 draft-ietf-bmwg-2544-as-04
Dave Cridland            2012-06-28 draft-ietf-nfsv4-federated-fs-admin-11
Donald Eastlake          -          draft-zheng-mpls-ldp-hello-crypto-auth-05
Warren Kumari            2012-07-11 draft-ietf-oauth-v2-threatmodel-06
Matt Lepinski            2012-07-11 draft-ietf-v6ops-6204bis-09
Alexey Melnikov          -          draft-ietf-krb-wg-kdc-model-12
Sandy Murphy             2012-07-19 draft-ietf-ospf-hybrid-bcast-and-p2mp-03
Tim Polk                 2012-07-23 draft-ietf-appsawg-http-forwarded-06
Eric Rescorla            2012-07-25 draft-ietf-websec-strict-transport-sec-11
Vincent Roca             2012-07-23 draft-ietf-xrblock-rtcp-xr-pdv-03
Joe Salowey              2012-08-09 draft-vegoda-cotton-rfc5735bis-02
Ondrej Sury              2012-08-13 draft-sparks-genarea-mailarch-05
Tina TSOU                2012-08-02 draft-ietf-avtcore-monarch-17
Carl Wallace             2012-08-17 draft-ietf-ccamp-rfc5787bis-05
Nico Williams            -          draft-ietf-httpbis-p5-range-20
Tom Yu                   -          draft-ietf-httpbis-p6-cache-20
Glen Zorn                -          draft-ietf-httpbis-p7-auth-20
Glen Zorn                2012-06-27 draft-hoffman-tao4677bis-16



From stephen.farrell@cs.tcd.ie  Sat Jul 21 12:19:32 2012
Message-ID: <500B00FA.5050608@cs.tcd.ie>
Date: Sat, 21 Jul 2012 20:20:26 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:14.0) Gecko/20120714 Thunderbird/14.0
MIME-Version: 1.0
To: "secdir@ietf.org" <secdir@ietf.org>
X-Enigmail-Version: 1.4.3
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: [secdir] secdir lunch at IETF 84 location...

...is "Plaza C" at the usual time: Tuesday 1130-and-a-bit.

S.

From paul.hoffman@vpnc.org  Sat Jul 21 14:20:12 2012
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Apple Message framework v1278)
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <500B00FA.5050608@cs.tcd.ie>
Date: Sat, 21 Jul 2012 14:21:09 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <813C2B85-89D9-4846-80DE-CF335677D688@vpnc.org>
References: <500B00FA.5050608@cs.tcd.ie>
To: secdir <secdir@ietf.org>
X-Mailer: Apple Mail (2.1278)
Subject: Re: [secdir] secdir lunch at IETF 84 location...

On Jul 21, 2012, at 12:20 PM, Stephen Farrell wrote:

> ...is "Plaza C" at the usual time: Tuesday 1130-and-a-bit.

Has anyone been to the hotel before? If so, what is the availability of
fast food to bring to the lunch? Many of us will be at websec or emu
just before the lunch.

--Paul Hoffman

From alan.b.johnston@gmail.com  Fri Jul 20 11:02:46 2012
MIME-Version: 1.0
In-Reply-To: <sjmfw9gnple.fsf@mocana.ihtfp.org>
References: <sjmfw9gnple.fsf@mocana.ihtfp.org>
Date: Fri, 20 Jul 2012 13:03:39 -0500
Message-ID: <CAKhHsXEr0bs6ecYH0V4OvHoiW_NL3TZxOd4LjeXZAiat9DhFNQ@mail.gmail.com>
From: Alan Johnston <alan.b.johnston@gmail.com>
To: Derek Atkins <derek@ihtfp.com>
Content-Type: text/plain; charset=ISO-8859-1
X-Mailman-Approved-At: Mon, 23 Jul 2012 08:04:30 -0700
Cc: vvenkatar@gmail.com, msoroush@gmail.com, iesg@ietf.org, bliss-chairs@tools.ietf.org, secdir@ietf.org
Subject: Re: [secdir] sec-dir review of draft-ietf-bliss-shared-appearances-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Jul 2012 18:02:46 -0000

Derek,

Thank you for your review of the document.  I will fix the issues you
identify below in the next version of the draft.  My proposed text for
the Security Considerations is included here.

- Alan -


12.  Security Considerations

   Since multiple line appearance features are implemented using
   semantics provided by SIP [RFC3261], the SIP Event Package for Dialog
   State [RFC4235], and the SIP Event Framework
   [I-D.ietf-sipcore-rfc3265bis] and [RFC3903], security considerations
   in these documents apply to this document as well.

   To provide confidentiality, NOTIFY or PUBLISH message bodies that
   provide the dialog state information and the dialog identifiers MAY
   be encrypted end-to-end using the standard mechanisms such as S/MIME
   described in [RFC3261].  Alternatively, sending the NOTIFY and
   PUBLISH requests over TLS also provides confidentiality, although on
   a hop-by-hop basis.  All SUBSCRIBES and PUBLISHES between the UAs and
   the Appearance Agent MUST be authenticated.  Without proper
   authentication and confidentiality, a third party could learn
   information about dialogs associated with an AOR and could try to use
   this information to hijack or manipulate those dialogs using SIP call
   control primitives.

   All INVITEs with Replaces or Join header fields MUST only be accepted
   if the peer requesting dialog replacement or joining has been
   properly authenticated using a standard SIP mechanism (such as Digest
   or S/MIME), and authorized to request a replacement.  Otherwise, a
   third party could disrupt or hijack existing dialogs in the
   appearance group.

   For an emergency call, a UA MUST NOT wait for a confirmed seizure of
   an appearance before sending an INVITE.  Waiting for confirmation
   could inadvertently delay or block the emergency call, which by its
   nature needs to be placed as expeditiously as possible.  Instead, an
   emergency call MUST proceed regardless of the status of the PUBLISH
   transaction.


On Wed, Jun 27, 2012 at 9:21 PM, Derek Atkins <derek@ihtfp.com> wrote:
> Hi,
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
>    This document describes the requirements and implementation of a
>    group telephony feature commonly known as Bridged Line Appearance
>    (BLA) or Multiple Line Appearance (MLA), or Shared Call/Line
>    Appearance (SCA).  When implemented using the Session Initiation
>    Protocol (SIP), it is referred to as shared appearances of an Address
>    of Record (AOR) since SIP does not have the concept of lines.  This
>    feature is commonly offered in IP Centrex services and IP-PBX
>    offerings and is likely to be implemented on SIP IP telephones and
>    SIP feature servers used in a business environment.  This feature
>    allows several user agents (UAs) to share a common AOR, learn about
>    calls placed and received by other UAs in the group, and pick up or
>    join calls within the group.  This document discusses use cases,
>    lists requirements and defines extensions to implement this feature.
>
> The first sentence of the first paragraph of the Security Considerations
> section is missing a reference.  It says:
>
>    ...
>    semantics provided by [RFC3261], Event Package for Dialog State as
>    define in , and Event Notification [I-D.ietf-sipcore-rfc3265bis],
>    [RFC3903], ...
>
> The "define in" should be "defined in", and needs a place where it is
> defined.
>
> The second paragraph says that dialog state information and dialog
> identifiers MAY be encrypted, but doesn't talk about why one would
> choose not to encrypt it.
>
> Similarly, the last paragraph provides guidance on waiting for
> confirmed seizures, but does not explain the details about why one must
> do so.
>
> Both of these might be obvious to writers, but to someone reading the
> document they are not clear.
>
> -derek
>
> --
>        Derek Atkins                 617-623-3745
>        derek@ihtfp.com             www.ihtfp.com
>        Computer and Internet Security Consultant

From mlepinski@bbn.com  Mon Jul 23 12:36:01 2012
Return-Path: <mlepinski@bbn.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9AE3311E809B; Mon, 23 Jul 2012 12:36:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xvgKv+d6Esx9; Mon, 23 Jul 2012 12:36:00 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id A734311E80C4; Mon, 23 Jul 2012 12:36:00 -0700 (PDT)
Received: from mail.bbn.com ([128.33.0.48]:43961) by smtp.bbn.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.77 (FreeBSD)) (envelope-from <mlepinski@bbn.com>) id 1StOQ9-00059V-GG; Mon, 23 Jul 2012 15:35:57 -0400
Received: from [128.89.253.157] by mail.bbn.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.63) (envelope-from <mlepinski@bbn.com>) id 1StOQ9-0006Jh-CP; Mon, 23 Jul 2012 15:35:57 -0400
Message-ID: <500DA7BB.9090403@bbn.com>
Date: Mon, 23 Jul 2012 15:36:27 -0400
From: Matt Lepinski <mlepinski@bbn.com>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:14.0) Gecko/20120713 Thunderbird/14.0
MIME-Version: 1.0
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>,  draft-ietf-v6ops-6204bis.all@tools.ietf.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [secdir] Secdir Review of draft-ietf-v6ops-6204bis-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Jul 2012 19:36:01 -0000

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the IESG. 
These comments were written primarily for the benefit of the security 
area directors. Document editors and WG chairs should treat these 
comments just like any other last call comments.

This informational document is an update to the requirements for an IPv6 
Customer Edge Router (i.e., a router in a residence or small office that 
supports IPv6). Note that most of the security requirements (e.g., 
packet filtering / sanitation) for such a Customer Edge Router are 
provided not in this document but in RFC 6092 and RFC 2827 (which are 
included by reference, i.e., that draft states that Customer Edge 
Routers SHOULD be compliant with RFCs 6092 and 2827).

The most significant change between this draft and RFC 6204 (which it 
replaces) is that it adds a section recommending (at the SHOULD level) 
support for 6RD (RFC 5969) and DS-LITE (RFC 6333). Note that supporting 
6RD and/or DS-LITE causes the Customer Edge Router to perform 
the additional role of encapsulation/decapsulation of tunneled packets. 
Due to the addition of support for 6RD and DS-LITE, the security 
considerations add the additional clarification that it should be 
possible to apply filtering (as per RFC 6092) to decapsulated packets 
(i.e., apply filter rules after stripping off the outer header). Other 
than this consideration, I cannot see any additional security issues 
related to adding support for 6RD and/or DS-LITE to Customer Edge 
Routers (excepting, of course, the general 6RD/DS-LITE security 
considerations in RFCs 5969 and 6333 which need not be repeated in this 
document).

The only concern that I have is that requirement S-3 in the Security 
Considerations section is a "SHOULD" and not a "MUST". If I understand 
S-3 correctly it says "If the Customer Edge Router supports filtering as 
described in 6092, and if this feature is turned on, then it SHOULD be 
possible to apply this filtering after decapsulation (as opposed to 
applying filters before the outer tunnel header is removed)". I have 
trouble imagining why it would be a good idea to provide the packet 
filtering features described in RFC 6092 but only allow these firewall 
rules to be applied prior to decapsulation. It seems that if the user 
(who may not be well versed in IP tunneling) turns on some 
firewall/filtering service in a Customer Edge Router, that what the user 
probably wants is for the filtering rules to be applied to the packets 
"inside" the tunnel (after decapsulation) and not to packets containing 
the "outer" tunnel header. I would therefore recommend that S-3 be 
changed to a "MUST" instead of a "SHOULD".

[Note: Please correct me if I misunderstood S-3.]

As a concrete example, RFC 6092 (in REC-1) says that when a (Customer 
Premises) router receives a packet with a multicast source address, that 
this packet must not be forwarded. When the incoming packet is a 
tunneled packet, the outer IP header always has as its source address 
the IP address of the tunnel ingress device. Therefore, surely if this 
kind of filtering is turned on in a Customer Edge Router, it ought to be 
applied to the inner packet (after removal of the outer tunnel header).

- Matt Lepinski
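
The difference between filtering before and after decapsulation that the review above describes, shown as an added example (not part of the original message or of the draft). The function names and sample packets are constructed for illustration, all addresses are documentation or multicast ranges, and the parser ignores IPv4 checksums and IPv6 extension headers.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4    # IPv4 carried inside IPv6: the DS-Lite softwire payload
IPPROTO_IPV6 = 41   # IPv6 carried inside IPv4: the 6rd payload


def parse_ip(packet: bytes):
    """Return (version, source, next protocol, payload) of an IPv4/IPv6 packet.

    Simplification: IPv4 checksums and IPv6 extension headers are not handled.
    """
    if not packet:
        raise ValueError("empty packet")
    version = packet[0] >> 4
    if version == 4:
        ihl = (packet[0] & 0x0F) * 4
        if ihl < 20 or len(packet) < ihl:
            raise ValueError("truncated or malformed IPv4 header")
        return 4, ipaddress.IPv4Address(packet[12:16]), packet[9], packet[ihl:]
    if version == 6:
        if len(packet) < 40:
            raise ValueError("truncated IPv6 header")
        return 6, ipaddress.IPv6Address(packet[8:24]), packet[6], packet[40:]
    raise ValueError(f"unknown IP version {version}")


def source_allowed(packet: bytes) -> bool:
    """Multicast-source rule the review cites from RFC 6092 REC-1; fails closed."""
    try:
        _version, src, _proto, _payload = parse_ip(packet)
    except ValueError:
        return False
    return not src.is_multicast


def decapsulate(packet: bytes) -> bytes:
    """Strip one 6rd or DS-Lite tunnel header; return other packets unchanged."""
    version, _src, proto, payload = parse_ip(packet)
    if (version, proto) in ((4, IPPROTO_IPV6), (6, IPPROTO_IPIP)):
        return payload
    return packet


def filter_outer_only(packet: bytes) -> bool:
    """Rule applied before decapsulation: only the tunnel header is inspected."""
    return source_allowed(packet)


def filter_after_decap(packet: bytes) -> bool:
    """Rule applied to the outer header and again to the decapsulated packet."""
    if not source_allowed(packet):
        return False
    return source_allowed(decapsulate(packet))


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left at zero) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload


def build_ipv6(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    """Fixed 40-byte IPv6 header plus payload."""
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload


# Constructed samples. The outer source is always the tunnel ingress device.
SAMPLE_6RD_BAD = build_ipv4(
    "192.0.2.1", "198.51.100.7", IPPROTO_IPV6,
    build_ipv6("ff02::1", "2001:db8::10", 59, b""))      # inner multicast source
SAMPLE_6RD_OK = build_ipv4(
    "192.0.2.1", "198.51.100.7", IPPROTO_IPV6,
    build_ipv6("2001:db8::99", "2001:db8::10", 59, b""))
SAMPLE_DSLITE_BAD = build_ipv6(
    "2001:db8::1", "2001:db8::2", IPPROTO_IPIP,
    build_ipv4("224.0.0.1", "192.0.2.50", 17, b""))      # inner multicast source
SAMPLE_6RD_TRUNCATED = build_ipv4(
    "192.0.2.1", "198.51.100.7", IPPROTO_IPV6, b"\x60")  # inner header cut short

if __name__ == "__main__":
    for name, pkt in [("6rd, multicast inner source", SAMPLE_6RD_BAD),
                      ("6rd, unicast inner source", SAMPLE_6RD_OK),
                      ("DS-Lite, multicast inner source", SAMPLE_DSLITE_BAD),
                      ("6rd, truncated inner packet", SAMPLE_6RD_TRUNCATED)]:
        print(f"{name}: outer-only forwards={filter_outer_only(pkt)}, "
              f"after-decap forwards={filter_after_decap(pkt)}")
```
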

From alexey.melnikov@isode.com  Wed Jul 25 07:22:31 2012
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61F7B21F84DA; Wed, 25 Jul 2012 07:22:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.926
X-Spam-Level: 
X-Spam-Status: No, score=-102.926 tagged_above=-999 required=5 tests=[AWL=-0.327, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4iJhhSWbmXS9; Wed, 25 Jul 2012 07:22:30 -0700 (PDT)
Received: from waldorf.isode.com (cl-125.lon-03.gb.sixxs.net [IPv6:2a00:14f0:e000:7c::2]) by ietfa.amsl.com (Postfix) with ESMTP id 2999921F84D6; Wed, 25 Jul 2012 07:22:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1343226204; d=isode.com; s=selector; i=@isode.com; bh=gKbBx17M9WLjltmsQ0uanSZU8cb7IerdOdkuBTa7HN4=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=kpcsa8befJMASsNgB0TrDug90ENoOK09tIjgieW/TJDfMzrW7/0C1+IqhsJk8/Yed6Ooii 6YJj+ka9TfaCsaZ+W8oRo9GirZ3jt5QhZHPpboGmmacdNfyygn2Al6SMWlvH52Mg4wYiCr yM/Hl9rJDSUrqx0OzrQeqzFSWqfypwM=;
Received: from [172.16.1.29] (shiny.isode.com [62.3.217.250])  by waldorf.isode.com (submission channel) via TCP with ESMTPSA  id <UBABXAAkREIl@waldorf.isode.com>; Wed, 25 Jul 2012 15:23:24 +0100
X-SMTP-Protocol-Errors: PIPELINING
Message-ID: <50100124.4040403@isode.com>
Date: Wed, 25 Jul 2012 15:22:28 +0100
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20120614 Thunderbird/13.0.1
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, draft-ietf-storm-iscsi-sam.all@tools.ietf.org
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [secdir] Secdir Review of draft-ietf-storm-iscsi-sam-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jul 2012 14:22:31 -0000

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the IESG. 
These comments were written primarily for the benefit of the security 
area directors. Document editors and WG chairs should treat these 
comments just like any other last call comments.

The iSCSI protocol as specified in [draft-ietf-storm-iscsi-cons-xx] (and 
as previously specified by the combination of RFC 3720 and RFC 5048) is 
based on the SAM-2 (SCSI Architecture Model - 2) version of the SCSI 
family of protocols. This document defines enhancements to the iSCSI 
protocol to support certain additional features of the SCSI protocol 
that were defined in SAM-3, SAM-4, and SAM-5. In particular the document 
adds:

  1) Command Priority field
  2) Several new commands:

     9 - QUERY TASK - determines if the command identified by the
     Referenced Task Tag field is present in the task set.

     10 - QUERY TASK SET - determine if any command is present in
     the task set for the I_T_L Nexus on which the task management
     function was received.

     11 - I_T NEXUS RESET - perform an I_T nexus loss function (see
     [SAM5]) for the I_T nexus on which the task management
     function was received.

     12 - QUERY ASYNCHRONOUS EVENT - determine if there is a unit
     attention condition or a deferred error pending for the I_T_L
     nexus on which the task management function was received.

And a new response code that they use.

The document sends readers to review Security Considerations from RFC 
3720. This is probably appropriate, as extensions added by this document 
are minor and don't seem to change the iSCSI model much. One thing that 
might be missing is some text about abuse of the priority field to 
perform Denial-of-service or to gain better service.

Other comments on the document (consider them minor, but I think editors 
should think about these):

The document can't decide which RFC for iSCSI it is referencing... Which 
one should be used in the new IANA registries created?

Repeating the list of Task Management Functions defined in another 
document is not a good idea. What if another extension adds additional 
functions?

From new-work-bounces@ietf.org  Thu Jul 26 23:03:47 2012
Return-Path: <new-work-bounces@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A51BA21F84BD; Thu, 26 Jul 2012 23:03:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1343369027; bh=0Eu0AacphI4irZHQBO2GyJO+nIbtEwB7ENWjsy9d94A=; h=To:Date:MIME-Version:From:Message-ID:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: Content-Transfer-Encoding:Content-Type:Sender; b=uaByAgvnzFyZNVc5OY5D2rnyQUk6pir4QmnUp9iHBfZdGVTosvtQEEK+HrEZP5z09 KNA8joR+6TE6P5Dn1m0k7g3r+S6DTasmygJr6meX+CEjIRcVVt9jaY1OQoXGH37H8G UyJzO6g/muAAM9af8J3YPWT7n7+Zqq3OnaSfjPQI=
X-Original-To: new-work@ietfa.amsl.com
Delivered-To: new-work@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 485B121F8554 for <new-work@ietfa.amsl.com>; Thu, 26 Jul 2012 13:07:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level: 
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qizyPeVEmnHl for <new-work@ietfa.amsl.com>; Thu, 26 Jul 2012 13:07:21 -0700 (PDT)
Received: from jay.w3.org (ssh.w3.org [128.30.52.60]) by ietfa.amsl.com (Postfix) with ESMTP id BC23E21F855B for <new-work@ietf.org>; Thu, 26 Jul 2012 13:07:21 -0700 (PDT)
Received: from bleuazur.com ([88.173.33.195] helo=sith.local) by jay.w3.org with esmtpsa (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.69) (envelope-from <coralie@w3.org>) id 1SuULB-0001Vp-4k for new-work@ietf.org; Thu, 26 Jul 2012 16:07:21 -0400
To: new-work@ietf.org
Date: Thu, 26 Jul 2012 22:07:19 +0200
MIME-Version: 1.0
From: "Coralie Mercier" <coralie@w3.org>
Organization: W3C 
Message-ID: <op.wh2kuhtgsvvqwp@sith.local>
User-Agent: Opera Mail/12.00 (MacIntel)
X-Mailman-Approved-At: Thu, 26 Jul 2012 23:03:45 -0700
X-BeenThere: new-work@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes"
Sender: new-work-bounces@ietf.org
Errors-To: new-work-bounces@ietf.org
X-Mailman-Approved-At: Thu, 26 Jul 2012 23:19:26 -0700
Subject: [secdir] [new-work] Proposed W3C Charter: Near Field Communications Working Group (until 24 August 2012)
X-BeenThere: secdir@ietf.org
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Jul 2012 06:03:47 -0000

Hello,

Today W3C Advisory Committee Representatives received a Proposal
to revise the Ubiquitous Web Applications Activity [0] (see the W3C Process
Document description of Activity Proposals [1]). This proposal
includes a draft charter for the Near Field Communications Working Group:
   http://www.w3.org/2012/05/nfc-wg-charter.html

As part of ensuring that the community is aware of proposed work
at W3C, this draft charter is public during the Advisory
Committee review period.

W3C invites public comments through 24 August 2012 on the
proposed charter. Please send comments to
public-new-work@w3.org, which has a public archive:
   http://lists.w3.org/Archives/Public/public-new-work/

Other than comments sent in formal responses by W3C Advisory
Committee Representatives, W3C cannot guarantee a response to
comments. If you work for a W3C Member [2], please coordinate
your comments with your Advisory Committee Representative. For
example, you may wish to make public comments via this list and
have your Advisory Committee Representative refer to it from his
or her formal review comments.

If you should have any questions or need further information, please
contact Dave Raggett, Team Contact <dsr@w3.org>.

Thank you,

Coralie Mercier, W3C Communications

[0] http://www.w3.org/2007/uwa/
[1] http://www.w3.org/2005/10/Process-20051014/activities#ActivityCreation
[2] http://www.w3.org/Consortium/Member/List

-- 
   Coralie Mercier  -  W3C Communications Team  -  http://www.w3.org
      W3C/ERCIM - B219 - 2004, rte des lucioles - 06410 Biot - FR
mailto:coralie@w3.org +33492387590 http://www.w3.org/People/CMercier/
_______________________________________________
new-work mailing list
new-work@ietf.org
https://www.ietf.org/mailman/listinfo/new-work

From new-work-bounces@ietf.org  Thu Jul 26 23:03:48 2012
Return-Path: <new-work-bounces@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3607E11E80C7; Thu, 26 Jul 2012 23:03:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1343369028; bh=t+U6iiY5rXUE57OgR+DhkVly0n/ljoKulCYOsTPqt9o=; h=To:Date:MIME-Version:From:Message-ID:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: Content-Transfer-Encoding:Content-Type:Sender; b=x2a1HyG7XUBamZFASWkKzv1M5TwQxbI9pFqTlZsS+r0sQ4rzphXLjaabp26rtZsN3 MDV0DzWoJ2lMNhmKm8v5wwlQnpRSfvPIs2GTTWVwWagwC7c7loEKrta0VTHol33Osk 0G5c6lx+889fEO7eJ2K+OvLRxIhyihQn9Nsv+NGc=
X-Original-To: new-work@ietfa.amsl.com
Delivered-To: new-work@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CA7D21F855B for <new-work@ietfa.amsl.com>; Thu, 26 Jul 2012 13:07:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level: 
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U93ox8yno6dF for <new-work@ietfa.amsl.com>; Thu, 26 Jul 2012 13:07:21 -0700 (PDT)
Received: from jay.w3.org (ssh.w3.org [128.30.52.60]) by ietfa.amsl.com (Postfix) with ESMTP id 2113E21F8554 for <new-work@ietf.org>; Thu, 26 Jul 2012 13:07:20 -0700 (PDT)
Received: from bleuazur.com ([88.173.33.195] helo=sith.local) by jay.w3.org with esmtpsa (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.69) (envelope-from <coralie@w3.org>) id 1SuUL9-0001Vp-NU for new-work@ietf.org; Thu, 26 Jul 2012 16:07:20 -0400
To: new-work@ietf.org
Date: Thu, 26 Jul 2012 22:07:18 +0200
MIME-Version: 1.0
From: "Coralie Mercier" <coralie@w3.org>
Organization: W3C 
Message-ID: <op.wh2kughpsvvqwp@sith.local>
User-Agent: Opera Mail/12.00 (MacIntel)
X-Mailman-Approved-At: Thu, 26 Jul 2012 23:03:45 -0700
X-BeenThere: new-work@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes"
Sender: new-work-bounces@ietf.org
Errors-To: new-work-bounces@ietf.org
X-Mailman-Approved-At: Thu, 26 Jul 2012 23:19:26 -0700
Subject: [secdir] [new-work] Proposed W3C Charter: System Applications Working Group (until 24 August 2012)
X-BeenThere: secdir@ietf.org
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Jul 2012 06:03:48 -0000

Hello,

Today W3C Advisory Committee Representatives received a Proposal
to revise the Ubiquitous Web Applications Activity [0] (see the W3C Process
Document description of Activity Proposals [1]). This proposal
includes a draft charter for the System Applications Working Group:
   http://www.w3.org/2012/05/sysapps-wg-charter.html

As part of ensuring that the community is aware of proposed work
at W3C, this draft charter is public during the Advisory
Committee review period.

W3C invites public comments through 24 August 2012 on the
proposed charter. Please send comments to
public-new-work@w3.org, which has a public archive:
   http://lists.w3.org/Archives/Public/public-new-work/

Other than comments sent in formal responses by W3C Advisory
Committee Representatives, W3C cannot guarantee a response to
comments. If you work for a W3C Member [2], please coordinate
your comments with your Advisory Committee Representative. For
example, you may wish to make public comments via this list and
have your Advisory Committee Representative refer to it from his
or her formal review comments.

If you should have any questions or need further information, please
contact Dave Raggett, Team Contact <dsr@w3.org>.

Thank you,

Coralie Mercier, W3C Communications

[0] http://www.w3.org/2007/uwa/
[1] http://www.w3.org/2005/10/Process-20051014/activities#ActivityCreation
[2] http://www.w3.org/Consortium/Member/List

-- 
   Coralie Mercier  -  W3C Communications Team  -  http://www.w3.org
      W3C/ERCIM - B219 - 2004, rte des lucioles - 06410 Biot - FR
mailto:coralie@w3.org +33492387590 http://www.w3.org/People/CMercier/

From new-work-bounces@ietf.org  Thu Jul 26 23:03:48 2012
Return-Path: <new-work-bounces@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A602F11E80CD; Thu, 26 Jul 2012 23:03:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1343369028; bh=lo7YqfL//zrbKZY/UFEvstppvd8XFGddUIL+/iLw7Rg=; h=To:Date:MIME-Version:From:Message-ID:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: Content-Transfer-Encoding:Content-Type:Sender; b=Etn90lQl19RKSs7ZmWiO4ZAT+W/cJbm875Lr4UXB3E6ShEnFiNaG6YEGrvvHI8u8i 98KQc5EanVmNlsuCgSLL0PBHoonX9vxSHkePLI8Kv2sliwByqQOKQpqsfIlX6C2dAu vDhIvbjDPHETNoUntnd3zM3ghqT8ABiOt99ELWuI=
X-Original-To: new-work@ietfa.amsl.com
Delivered-To: new-work@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3AC8621F85E0 for <new-work@ietfa.amsl.com>; Thu, 26 Jul 2012 13:42:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.483
X-Spam-Level: 
X-Spam-Status: No, score=-10.483 tagged_above=-999 required=5 tests=[AWL=0.115, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id potjnNj0Dh4Q for <new-work@ietfa.amsl.com>; Thu, 26 Jul 2012 13:42:15 -0700 (PDT)
Received: from jay.w3.org (ssh.w3.org [128.30.52.60]) by ietfa.amsl.com (Postfix) with ESMTP id 9E66021F85D8 for <new-work@ietf.org>; Thu, 26 Jul 2012 13:42:15 -0700 (PDT)
Received: from bleuazur.com ([88.173.33.195] helo=sith.local) by jay.w3.org with esmtpsa (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.69) (envelope-from <coralie@w3.org>) id 1SuUsw-0005Ci-QB for new-work@ietf.org; Thu, 26 Jul 2012 16:42:15 -0400
To: new-work@ietf.org
Date: Thu, 26 Jul 2012 22:42:14 +0200
MIME-Version: 1.0
From: "Coralie Mercier" <coralie@w3.org>
Organization: W3C 
Message-ID: <op.wh2mgoctsvvqwp@sith.local>
User-Agent: Opera Mail/12.00 (MacIntel)
X-Mailman-Approved-At: Thu, 26 Jul 2012 23:03:45 -0700
X-BeenThere: new-work@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes"
Sender: new-work-bounces@ietf.org
Errors-To: new-work-bounces@ietf.org
X-Mailman-Approved-At: Thu, 26 Jul 2012 23:19:26 -0700
Subject: [secdir] [new-work] Proposed W3C Charter: Internationalization Working Group (until 24 August 2012)
X-BeenThere: secdir@ietf.org
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Jul 2012 06:03:48 -0000

Hello,

Today W3C Advisory Committee Representatives received a Proposal
to revise the Internationalization Activity [0] (see the W3C Process
Document description of Activity Proposals [1]). This proposal
includes a draft charter for the Internationalization Working Group:
   http://www.w3.org/2012/07/i18n-charter/charter.html

As part of ensuring that the community is aware of proposed work
at W3C, this draft charter is public during the Advisory
Committee review period.

W3C invites public comments through 24 August 2012 on the
proposed charter. Please send comments to
public-new-work@w3.org, which has a public archive:
   http://lists.w3.org/Archives/Public/public-new-work/

Other than comments sent in formal responses by W3C Advisory
Committee Representatives, W3C cannot guarantee a response to
comments. If you work for a W3C Member [2], please coordinate
your comments with your Advisory Committee Representative. For
example, you may wish to make public comments via this list and
have your Advisory Committee Representative refer to it from his
or her formal review comments.

If you should have any questions or need further information, please
contact Richard Ishida, Team Contact <ishida@w3.org>.

Thank you,

Coralie Mercier, W3C Communications

[0] https://www.w3.org/International/
[1] http://www.w3.org/2005/10/Process-20051014/activities#ActivityCreation
[2] http://www.w3.org/Consortium/Member/List

-- 
   Coralie Mercier  -  W3C Communications Team  -  http://www.w3.org
      W3C/ERCIM - B219 - 2004, rte des lucioles - 06410 Biot - FR
mailto:coralie@w3.org +33492387590 http://www.w3.org/People/CMercier/

From smb@cs.columbia.edu  Fri Jul 27 17:08:01 2012
Return-Path: <smb@cs.columbia.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 739FE11E80FC for <secdir@ietfa.amsl.com>; Fri, 27 Jul 2012 17:08:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cl8qKIuvDu1r for <secdir@ietfa.amsl.com>; Fri, 27 Jul 2012 17:08:00 -0700 (PDT)
Received: from rambutan.cc.columbia.edu (rambutan.cc.columbia.edu [128.59.29.5]) by ietfa.amsl.com (Postfix) with ESMTP id C214411E80BA for <secdir@ietf.org>; Fri, 27 Jul 2012 17:08:00 -0700 (PDT)
Received: from [10.9.0.70] (fireball.cs.columbia.edu [128.59.13.10]) (user=smb2132 mech=PLAIN bits=0) by rambutan.cc.columbia.edu (8.14.4/8.14.3) with ESMTP id q6S07wxn004681 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Fri, 27 Jul 2012 20:07:59 -0400 (EDT)
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset=us-ascii
From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <813C2B85-89D9-4846-80DE-CF335677D688@vpnc.org>
Date: Fri, 27 Jul 2012 17:07:58 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <CB809C5B-CA0F-4019-8C69-9422D9EDEB9B@cs.columbia.edu>
References: <500B00FA.5050608@cs.tcd.ie> <813C2B85-89D9-4846-80DE-CF335677D688@vpnc.org>
To: Paul Hoffman <paul.hoffman@vpnc.org>
X-Mailer: Apple Mail (2.1278)
X-No-Spam-Score: Local
X-Scanned-By: MIMEDefang 2.68 on 128.59.29.5
Cc: secdir <secdir@ietf.org>
Subject: Re: [secdir] secdir lunch at IETF 84 location...
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Jul 2012 00:08:01 -0000

On Jul 21, 2012, at 2:21 PM, Paul Hoffman wrote:

> On Jul 21, 2012, at 12:20 PM, Stephen Farrell wrote:
>
>> ...is "Plaza C" at the usual time: Tuesday 1130-and-a-bit.
>
> Has anyone been to the hotel before? If so, what is the availability
> of fast food to bring to the lunch? Many of us will be at websec or
> emu just before the lunch.
>
I'm told there's a food court under the hotel.


		--Steve Bellovin, https://www.cs.columbia.edu/~smb






From warren@kumari.net  Sat Jul 28 07:11:02 2012
Return-Path: <warren@kumari.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A6D621F85D1 for <secdir@ietfa.amsl.com>; Sat, 28 Jul 2012 07:11:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.203
X-Spam-Level: 
X-Spam-Status: No, score=-105.203 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4,  USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2N-u8jmDBCfH for <secdir@ietfa.amsl.com>; Sat, 28 Jul 2012 07:10:55 -0700 (PDT)
Received: from vimes.kumari.net (vimes.kumari.net [198.186.192.250]) by ietfa.amsl.com (Postfix) with ESMTP id 6C4F121F855E for <secdir@ietf.org>; Sat, 28 Jul 2012 07:10:55 -0700 (PDT)
Received: from [192.168.1.2] (unknown [206.191.100.2]) by vimes.kumari.net (Postfix) with ESMTPSA id 67F491B401ED; Sat, 28 Jul 2012 10:10:54 -0400 (EDT)
References: <500B00FA.5050608@cs.tcd.ie> <813C2B85-89D9-4846-80DE-CF335677D688@vpnc.org> <CB809C5B-CA0F-4019-8C69-9422D9EDEB9B@cs.columbia.edu>
In-Reply-To: <CB809C5B-CA0F-4019-8C69-9422D9EDEB9B@cs.columbia.edu>
Mime-Version: 1.0 (1.0)
Content-Type: text/plain; charset=us-ascii
Message-Id: <6C6AD6C0-7458-4FC5-B1A7-7F004D9E7644@kumari.net>
Content-Transfer-Encoding: quoted-printable
X-Mailer: iPad Mail (9B206)
From: Warren Kumari <warren@kumari.net>
Date: Sat, 28 Jul 2012 07:10:53 -0700
To: Steven Bellovin <smb@cs.columbia.edu>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, secdir <secdir@ietf.org>
Subject: Re: [secdir] secdir lunch at IETF 84 location...
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Jul 2012 14:11:02 -0000

There is a mall attached to the hotel, reachable from the lobby -- food
court is on lower level.
Take 2 escalators down.

"Spice and Rice" (or "Rice and Spice", cannot remember ordering) is
recommended; tasty Indian fast food, be warned that they do not take
credit cards...

W

Sent from my iPad

On Jul 27, 2012, at 5:07 PM, Steven Bellovin <smb@cs.columbia.edu> wrote:

>
> On Jul 21, 2012, at 2:21 PM, Paul Hoffman wrote:
>
>> On Jul 21, 2012, at 12:20 PM, Stephen Farrell wrote:
>>
>>> ...is "Plaza C" at the usual time: Tuesday 1130-and-a-bit.
>>
>> Has anyone been to the hotel before? If so, what is the availability
>> of fast food to bring to the lunch? Many of us will be at websec or
>> emu just before the lunch.
>>
> I'm told there's a food court under the hotel.
>
>
>        --Steve Bellovin, https://www.cs.columbia.edu/~smb
>
> _______________________________________________
> secdir mailing list
> secdir@ietf.org
> https://www.ietf.org/mailman/listinfo/secdir
> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview
>

From d3e3e3@gmail.com  Sat Jul 28 23:45:50 2012
Return-Path: <d3e3e3@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80C5E11E8097 for <secdir@ietfa.amsl.com>; Sat, 28 Jul 2012 23:45:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.513
X-Spam-Level: 
X-Spam-Status: No, score=-103.513 tagged_above=-999 required=5 tests=[AWL=0.086, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XlzLrPCD6InY for <secdir@ietfa.amsl.com>; Sat, 28 Jul 2012 23:45:50 -0700 (PDT)
Received: from mail-ob0-f172.google.com (mail-ob0-f172.google.com [209.85.214.172]) by ietfa.amsl.com (Postfix) with ESMTP id EF72B11E8072 for <secdir@ietf.org>; Sat, 28 Jul 2012 23:45:49 -0700 (PDT)
Received: by obbwc20 with SMTP id wc20so7941888obb.31 for <secdir@ietf.org>; Sat, 28 Jul 2012 23:45:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:from:date:message-id:subject:to:cc:content-type; bh=bgd5bRqhZ866+m7vGCum4oEOUAX4uMwA05ADUI6+//c=; b=ODu4gfCoizySCI+7Ugqglpxof4rdP2NeHvMFbu+Jbm+c5eYNuSs0JJF4wDGQDOrGym EgnJOpo1QjoEElF/iMFqu1jgQNW8sFqw+M7aH+ofh+4c+HTFVf3TCuxE5vnhI8ZogOZl 1Ui/GPpCaWwQJ8TfuvD2ZJbRTDb6TeJ/l6fri7asfUrRdN/Ryc76JBLuC6eZHOw/75b2 G/l81yOXuT9OYvabzBij6Mys/yEi92CPZyT8w+CUgRFI0dNSq8eYn8qwvZocOLzsptci GIu2I6oh1Pqo47E+Oj5x1GeutUxYuE4doyG7/PcIXiXqS8KpK0BIWcjcq0d7lQj1LCJT TTXQ==
Received: by 10.50.34.200 with SMTP id b8mr8388914igj.50.1343544349429; Sat, 28 Jul 2012 23:45:49 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.70.227 with HTTP; Sat, 28 Jul 2012 23:45:29 -0700 (PDT)
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Sun, 29 Jul 2012 02:45:29 -0400
Message-ID: <CAF4+nEFRqm+Mo2cu_jYMt13_kTBM=G3iH_ymFi4ghPcG2Uu4xg@mail.gmail.com>
To: draft-zheng-mpls-ldp-hello-crypto-auth.all@tools.ietf.org
Content-Type: text/plain; charset=ISO-8859-1
Cc: secdir@ietf.org
Subject: [secdir] draft-zheng-mpls-ldp-hello-crypto-auth-05.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Jul 2012 06:45:50 -0000

As requested I have done an early review of this document as part of the
security directorate's ongoing efforts.

There are no big problems with this draft but I have some medium,
small, and tiny comments below.

Medium Comments:

   Suggest removing the last sentence of Section 4.1 and adding to end
   of the first sentence of the second paragraph of the Security
   Considerations section something like ", and proper key handling.
   For example, unencrypted keys MUST NOT be exposed to adversaries
   through inclusion in unencrypted Hellos or other messages."

   The draft is worded in such a way as to imply that only an "HMAC
   hash" would ever be used for authentication. It would seem better
   to word things so as just to say that a Message Authentication Code
   (MAC) will be calculated and verified. Then, somewhat separately,
   say that the MAC algorithms currently specified for this use are
   only HMACs based on the SHA family of hash algorithms. For example,
   in the second paragraph of 4.1, replace "HMAC Hash" with "MAC" and
   make other appropriate wording changes.

   Section 4.1, second paragraph, suggest replacing "current
   authentication key" with "authentication key to be used".

   Section 4.2, 2nd paragraph, suggest replacing "configured
   authentication key" with "authentication key known to the
   receiver".  There might, in the future, be some mechanism to
   negotiate a key rather than always having it configured.

   In Security Considerations, suggest adding a reference after
   "random values" to [RFC4086].

Small Comments:

   Suggest adding a reference to [RFC6234].

   There should be postal addresses and phone numbers with the
   Authors' Addresses information.

Tiny Comments:

   Last paragraph of Security Considerations, "represents a
   significant increase in" -> "significantly increases".

   There seems to be this empty "8.2 References" section between the
   Normative References and Informative References Sections. It should
   be removed.

   I really suggest striking both occurrences of the word "really" in
   the draft.

   I'm not sure all of Section 3 is needed, since it seems to me that
   lots of it is duplicated from referenced documents...

Thanks,
Donald
=============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@gmail.com

From david.black@emc.com  Sat Jul 28 23:00:38 2012
Return-Path: <david.black@emc.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7917A21F861A; Sat, 28 Jul 2012 23:00:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.46
X-Spam-Level: 
X-Spam-Status: No, score=-102.46 tagged_above=-999 required=5 tests=[AWL=0.139, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qSJhFtDjQrxB; Sat, 28 Jul 2012 23:00:37 -0700 (PDT)
Received: from mexforward.lss.emc.com (hop-nat-141.emc.com [168.159.213.141]) by ietfa.amsl.com (Postfix) with ESMTP id 8542E21F8609; Sat, 28 Jul 2012 23:00:36 -0700 (PDT)
Received: from hop04-l1d11-si01.isus.emc.com (HOP04-L1D11-SI01.isus.emc.com [10.254.111.54]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id q6T60Zjv005024 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 29 Jul 2012 02:00:35 -0400
Received: from mailhub.lss.emc.com (mailhubhoprd01.lss.emc.com [10.254.221.251]) by hop04-l1d11-si01.isus.emc.com (RSA Interceptor); Sun, 29 Jul 2012 02:00:26 -0400
Received: from mxhub05.corp.emc.com (mxhub05.corp.emc.com [128.222.70.202]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id q6T60MmG028331; Sun, 29 Jul 2012 02:00:22 -0400
Received: from mx15a.corp.emc.com ([169.254.1.189]) by mxhub05.corp.emc.com ([128.222.70.202]) with mapi; Sun, 29 Jul 2012 02:00:22 -0400
From: <david.black@emc.com>
To: <alexey.melnikov@isode.com>, <secdir@ietf.org>, <iesg@ietf.org>, <draft-ietf-storm-iscsi-sam.all@tools.ietf.org>
Date: Sun, 29 Jul 2012 02:00:20 -0400
Thread-Topic: Secdir Review of draft-ietf-storm-iscsi-sam-06
Thread-Index: Ac1qcQRshnoruYSaSS+tyb6GdrxeBQCsZBfQ
Message-ID: <8D3D17ACE214DC429325B2B98F3AE71208E7F85A@MX15A.corp.emc.com>
References: <50100124.4040403@isode.com>
In-Reply-To: <50100124.4040403@isode.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EMM-MHVC: 1
X-Mailman-Approved-At: Sun, 29 Jul 2012 09:01:29 -0700
Cc: david.black@emc.com
Subject: Re: [secdir] Secdir Review of draft-ietf-storm-iscsi-sam-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Jul 2012 06:00:38 -0000

Hi Alexey,

Thank you for this review.

> One thing that
> might be missing is some text about abuse of the priority field to
> perform Denial-of-service or to gain better service.

That would be a good security consideration to add.

> The document can't decide which RFC for iSCSI it is referencing... Which
> one should be used in the new IANA registries created?

Part of what's going on here is that it's not possible to move the replaced
RFCs to historic anytime soon, so RFC 3720 will be a reference for some
iSCSI implementations for many years to come, and it is appropriate to
reference it as the original specification of iSCSI.

That said, I think you've found a couple of things that need attention:
- I think a check of all the references is needed.  One subtlety is that
	the -sam- draft is intended to also be usable with RFC 3720 and
	RFC 5048, but there should be more citations of the consolidated
	draft in the body of the -sam- draft.
- A bunch of IANA text was added to the consolidated draft recently, and
	that includes instructions to IANA about what to reference in the
	registries.  It looks like that set of changes wasn't carried over
	to the new "iSCSI Task Management Response Codes" registry.
We'll get these sorted out - thank you for noticing this concern.

> Repeating the list of Task Management Functions defined in another
> document is not a good idea. What if another extension adds additional
> functions?

The primary IETF reference for that is actually an IANA registry, and that
list is actually defined in SAM-2, a SCSI standard.  Nonetheless, I believe
that you're correct, that the list of existing Task Management Functions
in Section 6.1 isn't needed.

Thanks,
--David

> -----Original Message-----
> From: Alexey Melnikov [mailto:alexey.melnikov@isode.com]
> Sent: Wednesday, July 25, 2012 10:22 AM
> To: secdir@ietf.org; iesg@ietf.org; draft-ietf-storm-iscsi-
> sam.all@tools.ietf.org
> Subject: Secdir Review of draft-ietf-storm-iscsi-sam-06
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security
> area directors. Document editors and WG chairs should treat these
> comments just like any other last call comments.
>
> The iSCSI protocol as specified in [draft-ietf-storm-iscsi-cons-xx] (and
> as previously specified by the combination of RFC 3720 and RFC 5048) is
> based on the SAM-2 (SCSI Architecture Model - 2) version of the SCSI
> family of protocols. This document defines enhancements to the iSCSI
> protocol to support certain additional features of the SCSI protocol
> that were defined in SAM-3, SAM-4, and SAM-5. In particular the document
> adds:
>
>   1) Command Priority field
>   2) Several new commands:
>
>      9 - QUERY TASK - determines if the command identified by the
>      Referenced Task Tag field is present in the task set.
>
>      10 - QUERY TASK SET - determine if any command is present in
>      the task set for the I_T_L Nexus on which the task management
>      function was received.
>
>      11 - I_T NEXUS RESET - perform an I_T nexus loss function (see
>      [SAM5]) for the I_T nexus on which the task management
>      function was received.
>
>      12 - QUERY ASYNCHRONOUS EVENT - determine if there is a unit
>      attention condition or a deferred error pending for the I_T_L
>      nexus on which the task management function was received.
>
> And a new response code that they use.
>
> The document sends readers to review Security Considerations from RFC
> 3720. This is probably appropriate, as extensions added by this document
> are minor and don't seem to change iSCSI model much. One thing that
> might be missing is some text about abuse of the priority field to
> perform Denial-of-service or to gain better service.
>
> Other comments on the document (consider them minor, but I think editors
> should think about these):
>
> The document can't decide which RFC for iSCSI it is referencing... Which
> one should be used in the new IANA registries created?
>
> Repeating the list of Task Management Functions defined in another
> document is not a good idea. What if another extension adds additional
> functions?


From weiler@watson.org  Tue Jul 31 09:17:13 2012
Return-Path: <weiler@watson.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABD0921F86E3 for <secdir@ietfa.amsl.com>; Tue, 31 Jul 2012 09:17:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.372
X-Spam-Level: 
X-Spam-Status: No, score=-2.372 tagged_above=-999 required=5 tests=[AWL=0.227,  BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zn24bG2JNvjv for <secdir@ietfa.amsl.com>; Tue, 31 Jul 2012 09:17:13 -0700 (PDT)
Received: from fledge.watson.org (fledge.watson.org [65.122.17.41]) by ietfa.amsl.com (Postfix) with ESMTP id 15CD521F86E2 for <secdir@ietf.org>; Tue, 31 Jul 2012 09:17:12 -0700 (PDT)
Received: from fledge.watson.org (localhost.watson.org [127.0.0.1]) by fledge.watson.org (8.14.5/8.14.5) with ESMTP id q6VGHCZs062748 for <secdir@ietf.org>; Tue, 31 Jul 2012 12:17:12 -0400 (EDT) (envelope-from weiler@watson.org)
Received: from localhost (weiler@localhost) by fledge.watson.org (8.14.5/8.14.5/Submit) with ESMTP id q6VGHC1V062745 for <secdir@ietf.org>; Tue, 31 Jul 2012 12:17:12 -0400 (EDT) (envelope-from weiler@watson.org)
X-Authentication-Warning: fledge.watson.org: weiler owned process doing -bs
Date: Tue, 31 Jul 2012 12:17:12 -0400 (EDT)
From: Samuel Weiler <weiler@watson.org>
To: secdir@ietf.org
Message-ID: <alpine.BSF.2.00.1207311216540.62441@fledge.watson.org>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.3 (fledge.watson.org [127.0.0.1]); Tue, 31 Jul 2012 12:17:12 -0400 (EDT)
Subject: [secdir]  secdir lunch at IETF 84 location... (fwd)
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: secdir-secretary@mit.edu
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Jul 2012 16:17:13 -0000

just as a reminder...

---------- Forwarded message ----------
Date: Sat, 21 Jul 2012 20:20:26 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: "secdir@ietf.org" <secdir@ietf.org>
Subject: [secdir] secdir lunch at IETF 84 location...


...is "Plaza C" at the usual time: Tuesday 1130-and-a-bit.

S.
_______________________________________________
secdir mailing list
secdir@ietf.org
https://www.ietf.org/mailman/listinfo/secdir
wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview

