<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc2629 version 1.3.14 -->
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY RFC6347 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6347.xml">
<!ENTITY RFC7049 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7049.xml">
<!ENTITY RFC8366 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8366.xml">
<!ENTITY I-D.ietf-anima-bootstrapping-keyinfra SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-anima-bootstrapping-keyinfra.xml">
<!ENTITY I-D.ietf-ace-coap-est SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-ace-coap-est.xml">
<!ENTITY I-D.ietf-core-multipart-ct SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-core-multipart-ct.xml">
<!ENTITY I-D.ietf-6tisch-enrollment-enhanced-beacon SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-6tisch-enrollment-enhanced-beacon.xml">
<!ENTITY I-D.ietf-anima-constrained-voucher SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-anima-constrained-voucher.xml">
<!ENTITY I-D.ietf-anima-grasp SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-anima-grasp.xml">
<!ENTITY RFC2119 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC8174 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
<!ENTITY RFC6763 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6763.xml">
<!ENTITY I-D.richardson-anima-state-for-joinrouter SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.richardson-anima-state-for-joinrouter.xml">
<!ENTITY RFC6690 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6690.xml">
<!ENTITY RFC7030 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7030.xml">
<!ENTITY RFC7228 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7228.xml">
<!ENTITY I-D.kumar-dice-dtls-relay SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.kumar-dice-dtls-relay.xml">
<!ENTITY RFC4944 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4944.xml">
<!ENTITY RFC7252 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7252.xml">
<!ENTITY RFC6775 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6775.xml">
]>
<?rfc toc="yes"?>
<?rfc sortrefs="yes"?>
<?rfc symrefs="yes"?>
<rfc ipr="trust200902" docName="draft-vanderstok-anima-constrained-join-proxy-05" category="std">
<front>
<title abbrev="Join-Proxy">Constrained Join Proxy for Bootstrapping Protocols</title>
<author initials="M." surname="Richardson" fullname="Michael Richardson">
<organization>Sandelman Software Works</organization>
<address>
<email>mcr+ietf@sandelman.ca</email>
</address>
</author>
<author initials="P." surname="van der Stok" fullname="Peter van der Stok">
<organization>vanderstok consultancy</organization>
<address>
<email>consultancy@vanderstok.org</email>
</address>
</author>
<author initials="P." surname="Kampanakis" fullname="Panos Kampanakis">
<organization>Cisco Systems</organization>
<address>
<email>pkampana@cisco.com</email>
</address>
</author>
<date year="2020" month="October" day="20"/>
<area>Internet</area>
<workgroup>anima Working Group</workgroup>
<keyword>Internet-Draft</keyword>
<abstract>
<t>This document defines a protocol to securely assign a pledge to a domain, represented by an EST server, using an intermediary node between pledge and EST server. This intermediary node is known as a “constrained Join Proxy”.</t>
<t>This document extends the work of <xref target="I-D.ietf-anima-bootstrapping-keyinfra"/> by replacing the Circuit-proxy by a stateless/stateful constrained (CoAP) Join Proxy.
It transports join traffic from the pledge to the Registrar without requiring per-client state.</t>
</abstract>
</front>
<middle>
<section anchor="introduction" title="Introduction">
<t>Enrolment of new nodes into networks with enrolled nodes present is described in
<xref target="I-D.ietf-anima-bootstrapping-keyinfra"/> (“BRSKI”) and makes use of Enrolment over Secure Transport (EST) <xref target="RFC7030"/>
with <xref target="RFC8366"/> vouchers to securely enroll devices.
BRSKI connects new devices (“pledges”) to extended EST servers (“Registrars”) via a Join Proxy.</t>
<t>The specified solutions use https and may be too large in terms of code space or bandwidth required for constrained devices.
Constrained devices, possibly part of constrained networks <xref target="RFC7228"/>, typically implement the IPv6 over Low-Power Wireless Personal Area Networks (6LoWPAN) <xref target="RFC4944"/> and Constrained Application Protocol (CoAP) <xref target="RFC7252"/>.</t>
<t>CoAP can be run with the Datagram Transport Layer Security (DTLS) <xref target="RFC6347"/> as a security protocol for authenticity and confidentiality of the messages.
This is known as the “coaps” scheme.
A constrained version of EST, using CoAP and DTLS, is described in <xref target="I-D.ietf-ace-coap-est"/>. <xref target="I-D.ietf-anima-constrained-voucher"/> describes the BRSKI extensions to the EST server.</t>
<t>DTLS is a client-server protocol relying on the underlying IP layer to perform the routing between the DTLS Client and the DTLS Server.
However, the new “joining” device will not be IP routable until it is authenticated to the network.
A new “joining” device can only initially use a link-local IPv6 address to communicate with a neighbour node using neighbour discovery <xref target="RFC6775"/> until it receives the necessary network configuration parameters.
However, before the device can receive these configuration parameters, it needs to authenticate itself to the network to which it connects.
IPv6 routing is necessary to establish a connection between joining device and the extended EST server.</t>
<t>A DTLS connection is required between Pledge and EST server.</t>
<t>This document specifies a new form of Join Proxy and protocol to act as intermediary between joining device and EST server to establish a connection between joining device and EST server.</t>
<t>This document is very much inspired by text published earlier in <xref target="I-D.kumar-dice-dtls-relay"/>.
<xref target="I-D.richardson-anima-state-for-joinrouter"/> outlined the various options for building a join proxy.
<xref target="I-D.ietf-anima-bootstrapping-keyinfra"/> adopted only the Circuit Proxy method (1), leaving the other methods as future work.
This document standardizes the CoAP/DTLS (method 4).</t>
</section>
<section anchor="Terminology" title="Terminology">
<t>The following terms are defined in <xref target="RFC8366"/>, and are used
identically as in that document: artifact, imprint, domain, Join
Registrar/Coordinator (JRC), Manufacturer Authorized Signing Authority
(MASA), pledge, Trust of First Use (TOFU), and Voucher.</t>
</section>
<section anchor="reqlang" title="Requirements Language">
<t>The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL
NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “NOT RECOMMENDED”,
“MAY”, and “OPTIONAL” in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
</section>
<section anchor="join-proxy-functionality" title="Join Proxy functionality">
<t>As depicted in the <xref target="fig-net"/>, the joining Device, or pledge (P), in an LLN mesh
can be more than one hop away from the EST server (E) and not yet authenticated into the network.</t>
<t>In this situation, it can only communicate one-hop to its nearest neighbour, the Join Proxy (J) using their link-local IPv6 addresses.
However, the Pledge (P) needs to communicate with end-to-end security with a Registrar hosting the EST server (E) to authenticate and get the relevant system/network parameters.
If the Pledge (P) initiates a DTLS connection to the EST server whose IP address has been pre-configured, then the packets are dropped at the Join Proxy (J) since the Pledge (P) is not yet admitted to the network or there is no IP routability to Pledge (P) for any returned messages.</t>
<figure title="multi-hop enrolment." align="left" anchor="fig-net"><artwork><![CDATA[
++++ multi-hop
|E |---- mesh +--+ +--+
| | \ |J |........|P |
++++ \-----| | | |
EST server +--+ +--+
Registrar Join Proxy Pledge
"Joining" Device
]]></artwork></figure>
<t>Without routing, the Pledge (P) cannot establish a secure connection to the EST server (E) in the network, even assuming appropriate credentials are exchanged out-of-band, e.g. a hash of the Pledge (P)’s raw public key could be provided to the EST server (E).</t>
<t>Furthermore, the Pledge (P) may be unaware of the IP address of the EST server (E) to initiate a DTLS connection and perform authentication.</t>
<t>To overcome the problems with non-routability of DTLS packets and/or discovery of the destination address of the EST Server to contact, the Join Proxy is introduced.
This Join Proxy functionality is configured into all authenticated devices in the network which may act as the Join Proxy for newly joining nodes.
The Join Proxy allows for routing of the packets from the Pledge using IP routing to the intended EST Server.</t>
</section>
<section anchor="join-proxy-specification" title="Join Proxy specification">
<t>A Join Proxy can operate in two modes:</t>
<t><list style="symbols">
<t>Stateful mode</t>
<t>Stateless mode</t>
</list></t>
<section anchor="statefull-join-proxy" title="Stateful Join Proxy">
<t>In stateful mode, the joining node forwards the DTLS messages to the EST server.</t>
<t>Assume that the Pledge does not know the IP address of the EST Server it needs to contact.
In that situation, the Join Proxy must know the (configured or discovered) IP address of an EST server.
(Discovery can be based upon <xref target="I-D.ietf-anima-bootstrapping-keyinfra"/> section 4.3, or on DNS-SD service discovery <xref target="RFC6763"/>.)
The Pledge initiates its request as if the Join Proxy is the intended EST server.
The Join Proxy changes the IP packet (without modifying the DTLS message) by modifying both the source and destination addresses to forward the message to the intended EST Server.
The Join Proxy maintains a 4-tuple array to translate the DTLS messages received from the EST Server and forward them to the EST Client.
This is a form of Network Address translation, where the Join Proxy acts as a forward proxy.
In <xref target="fig-statefull2"/> the various steps of the message flow are shown, with 5684 being the standard coaps port:</t>
<figure title="constrained stateful joining message flow with EST server address known to Join Proxy." align="left" anchor="fig-statefull2"><artwork><![CDATA[
+------------+------------+-------------+--------------------------+
| EST Client | Join Proxy | EST Server | Message |
| (P) | (J) | (E) | Src_IP:port | Dst_IP:port|
+------------+------------+-------------+-------------+------------+
| --ClientHello--> | IP_P:p_P | IP_Ja:5684 |
| --ClientHello--> | IP_Jb:p_Jb| IP_E:5684 |
| | | |
| <--ServerHello-- | IP_E:5684 | IP_Jb:p_Jb |
| : | | |
| <--ServerHello-- : | IP_Ja:5684| IP_P:p_P |
| : : | | |
| : : | : | : |
| : : | : | : |
| --Finished--> : | IP_P:p_P | IP_Ja:5684 |
| --Finished--> | IP_Jb:p_Jb| IP_E:5684 |
| | | |
| <--Finished-- | IP_E:5684 | IP_Jb:p_Jb |
| <--Finished-- | IP_Ja:5684| IP_P:p_P |
| : : | : | : |
+---------------------------------------+-------------+------------+
IP_P:p_P = Link-local IP address and port of Pledge (DTLS Client)
IP_E:5684 = Global IP address and coaps port of EST Server
IP_Ja:5684 = Link-local IP address and coaps port of Join Proxy
IP_Jb:p_Jb = Global IP address and port of Join Proxy
]]></artwork></figure>
</section>
<section anchor="stateless-join-proxy" title="Stateless Join Proxy">
<t>The Join Proxy is stateless to minimize the requirements on the constrained Join Proxy device.
Stateless operation requires no memory in the Join Proxy device, but may also reduce the CPU impact as the device does not need to search through a state table.</t>
<t>When a client joining device attempts a DTLS connection to the EST server, it uses its link-local IP address as its IP source address.
This message is transmitted one-hop to a neighbouring (join proxy) node.
Under normal circumstances, this message would be dropped at the neighbour node since the joining device is not yet IP routable or it is not yet authenticated to send messages through the network.
However, if the neighbour device has the Join Proxy functionality enabled, it routes the DTLS message to a specific EST server.
Additional security mechanisms need to exist to prevent this routing functionality from being used by rogue nodes to bypass any network authentication procedures.</t>
<t>If an untrusted DTLS Client that can only use link-local addressing wants to contact a trusted end-point EST server, it sends the DTLS message to the Join Proxy.</t>
<t>The Join Proxy extends this message into a new type of message called Join ProxY (JPY) message and sends it on to the EST server.</t>
<t>The JPY message payload consists of two parts:</t>
<t><list style="symbols">
<t>Header (H) field: consisting of the source link-local address and port of the Pledge (P), and</t>
<t>Contents (C) field: containing the original DTLS message.</t>
</list></t>
<t>On receiving the JPY message, the EST server retrieves the two parts.</t>
<t>The EST server transiently stores the Header field information.
The EST server uses the Contents field to execute the EST server functionality.
However, when the EST server replies, it also extends its DTLS message with the header field in a JPY message and sends it back to the Join Proxy.
The EST server SHOULD NOT assume that it can decode the Header field; it should simply repeat it when responding.
The Header contains the original source link-local address and port of the DTLS Client from the transient state stored earlier (which can now be discarded) and the Contents field contains the DTLS message.</t>
<t>On receiving the JPY message, the Join Proxy retrieves the two parts.
It uses the Header field to route the DTLS message retrieved from the Contents field to the Pledge.</t>
<t>The <xref target="fig-stateless"/> depicts the message flow diagram:</t>
<figure title="constrained stateless joining message flow." align="left" anchor="fig-stateless"><artwork><![CDATA[
+--------------+------------+---------------+-----------------------+
| EST Client | Join Proxy | EST server | Message |
| (P) | (J) | (E) |Src_IP:port|Dst_IP:port|
+--------------+------------+---------------+-----------+-----------+
| --ClientHello--> | IP_P:p_P |IP_Ja:p_Ja |
| --JPY[H(IP_P:p_P),--> | IP_Jb:p_Jb|IP_E:p_Ea |
| C(ClientHello)] | | |
| <--JPY[H(IP_P:p_P),-- | IP_E:p_Ea |IP_Jb:p_Jb |
| C(ServerHello)] | | |
| <--ServerHello-- | IP_Ja:p_Ja|IP_P:p_P |
| : | | |
| : | : | : |
| | : | : |
| --Finished--> | IP_P:p_P |IP_Ja:p_Ja |
| --JPY[H(IP_P:p_P),--> | IP_Jb:p_Jb|IP_E:p_Ea |
| C(Finished)] | | |
| <--JPY[H(IP_P:p_P),-- | IP_E:p_Ea |IP_Jb:p_Jb |
| C(Finished)] | | |
| <--Finished-- | IP_Ja:p_Ja|IP_P:p_P |
| : | : | : |
+-------------------------------------------+-----------+-----------+
IP_P:p_P = Link-local IP address and port of the Pledge
IP_E:p_Ea = Global IP address and join port of EST Server
IP_Ja:p_Ja = Link-local IP address and join port of Join Proxy
IP_Jb:p_Jb = Global IP address and port of Join Proxy
JPY[H(),C()] = Join Proxy message with header H and content C
]]></artwork></figure>
</section>
<section anchor="stateless-message-structure" title="Stateless Message structure">
<t>The JPY message is constructed as a payload with media-type application/multipart-core specified in <xref target="I-D.ietf-core-multipart-ct"/>.</t>
<t>Header and Contents fields use different media formats:</t>
<t><list style="numbers">
<t>header field: application/cbor containing a CBOR array <xref target="RFC7049"/> with the pledge IPv6 Link Local address as a 16-byte binary value, the pledge’s UDP port number, if different from 5684, as a CBOR integer, and the proxy’s ifindex or other identifier for the physical port on which the pledge is connected. Header is not DTLS encrypted.</t>
<t>Content field: Any of the media types specified in <xref target="I-D.ietf-ace-coap-est"/> and <xref target="I-D.ietf-anima-constrained-voucher"/> dependent on the function that is requested:</t>
</list></t>
<figure><artwork><![CDATA[
* application/pkcs7-mime; smime-type=server-generated-key
* application/pkcs7-mime; smime-type=certs-only
* application/voucher-cms+cbor
* application/voucher-cose+cbor
* application/pkcs8
* application/csrattrs
* application/pkcs10
* application/pkix-cert
]]></artwork></figure>
<t>(XXX- add CDDL for CBOR array above)</t>
<t>The content fields are DTLS encrypted. In CBOR diagnostic notation, the payload JPY[H(IP_P:p_P), C(DTLS-content)], where cf is the content-format of DTLS-content, will look like:</t>
<figure><artwork><![CDATA[
[ 60, [IP_p, p_P, ident]
cf, h'DTLS-content']
]]></artwork></figure>
<t>Examples are shown in <xref target="examples"/>.</t>
</section>
</section>
<section anchor="comparison-of-stateless-and-statefull-modes" title="Comparison of stateless and stateful modes">
<t>The stateful and stateless modes of operation for the Join Proxy have
their advantages and disadvantages. This section should enable the reader to
make a choice between the two modes based on the available device
resources and network bandwidth.</t>
<figure title="Comparison between stateful and stateless mode" align="left" anchor="fig-comparison"><artwork><![CDATA[
+-------------+----------------------------+------------------------+
| Properties | Stateful mode | Stateless mode |
+-------------+----------------------------+------------------------+
| State |The Join Proxy needs | No information is |
| Information |additional storage to | maintained by the Join |
| |maintain mapping between | Proxy |
| |the address and port number | |
| |of the pledge and those | |
| |of the EST server. | |
+-------------+----------------------------+------------------------+
|Packet size |The size of the forwarded |Size of the forwarded |
| |message is the same as the |message is bigger than |
| |original message. |the original,it includes|
| | |additional source and |
| | |destination addresses. |
+-------------+----------------------------+------------------------+
|Specification|The Join Proxy needs |New JPY message to |
|complexity |additional functionality |encapsulate DTLS message|
| |to maintain state |The EST server |
| |information, and modify |and the Join Proxy |
| |the source and destination |have to understand the |
| |addresses of the DTLS |JPY message in order |
| |handshake messages |to process it. |
+-------------+----------------------------+------------------------+
]]></artwork></figure>
</section>
<section anchor="discovery" title="Discovery">
<t>It is assumed that the Join Proxy seamlessly provides a coaps connection between Pledge and coaps EST server. In particular, this section replaces section 4.2 of <xref target="I-D.ietf-anima-bootstrapping-keyinfra"/>.</t>
<t>The discovery follows two steps:</t>
<t><list style="numbers">
<t>The pledge is one hop away from the EST server. The pledge discovers the link-local address of the EST server as described in <xref target="I-D.ietf-ace-coap-est"/>. From then on, it follows the BRSKI process as described in <xref target="I-D.ietf-ace-coap-est"/>, using link-local addresses.</t>
<t>The pledge is more than one hop away from a relevant EST server, and discovers the link-local address of a Join Proxy. The pledge then follows the BRSKI procedure using the link-local address of the Join Proxy.</t>
</list></t>
<t>Once a pledge is enrolled, it may function as Join Proxy. The Join Proxy functions are advertised as described below. Usually, the Join Proxy functions are offered via a “join” port, and not the standard coaps port. The Join Proxy MUST show the join port number when responding to the .well-known/core request addressed to the standard coap/coaps port.</t>
<t>Three discovery cases are discussed: coap discovery, 6tisch discovery and GRASP discovery.</t>
<section anchor="pledge-discovery-of-join-proxy" title="Pledge discovery of Join Proxy">
<t>The pledge and Join Proxy are assumed to communicate via Link-Local addresses.</t>
<section anchor="coap-discovery" title="CoAP discovery">
<t>The discovery of the coaps EST server, using coap discovery, by the Join Proxy follows section 6 of <xref target="I-D.ietf-ace-coap-est"/>.</t>
</section>
<section anchor="autonomous-network" title="Autonomous Network">
<t>In the context of autonomous networks, the Join Proxy uses the DULL GRASP M_FLOOD mechanism to announce itself. Section 4.1.1 of <xref target="I-D.ietf-anima-bootstrapping-keyinfra"/> discusses this in more detail.
The Registrar announces itself using the ACP instance of GRASP using M_FLOOD messages.
Autonomous Network Join Proxies MUST support GRASP discovery of the EST server as described in section 4.3 of <xref target="I-D.ietf-anima-bootstrapping-keyinfra"/>.</t>
</section>
<section anchor="tisch-discovery" title="6tisch discovery">
<t>The discovery of EST server by the pledge uses the enhanced beacons as discussed in <xref target="I-D.ietf-6tisch-enrollment-enhanced-beacon"/>.</t>
</section>
</section>
<section anchor="join-proxy-discovers-est-server" title="Join Proxy discovers EST server">
<section anchor="autonomous-network-1" title="Autonomous Network">
<t>The pledge MUST listen for GRASP M_FLOOD <xref target="I-D.ietf-anima-grasp"/> announcements of the objective: “AN_Proxy”.
See Section 4.1.1 of <xref target="I-D.ietf-anima-bootstrapping-keyinfra"/> for the details of the objective.</t>
</section>
<section anchor="coap-discovery-1" title="CoAP discovery">
<t>In the context of a coap network without Autonomous Network support, discovery follows the standard coap policy.
The Pledge can discover a Join Proxy by sending a link-local multicast message to ALL CoAP Nodes with address FF02::FD. Multiple or no nodes may respond. The handling of multiple responses and the absence of responses follow section 4 of <xref target="I-D.ietf-anima-bootstrapping-keyinfra"/>.</t>
<t>The presence and location of (path to) the Join Proxy resource are discovered by
sending a GET request to “/.well-known/core” including a resource type (rt)
parameter with the value “brski-proxy” <xref target="RFC6690"/>.
Upon success, the return payload will contain the root resource of the Join Proxy resources.
It is up to the implementation to choose its root resource; throughout this document the
example root resource /jp is used.
The example below shows the discovery of the presence and location of Join Proxy resources.</t>
<figure><artwork><![CDATA[
REQ: GET coap://[FF02::FD]/.well-known/core?rt=brski-proxy
RES: 2.05 Content
<coaps://[IP_address]:jp-port/jp>; rt="brski-proxy";ct=62
]]></artwork></figure>
<t>Port numbers are assumed to be the default numbers 5683 and 5684 for coap and coaps respectively (sections 12.6 and 12.7 of <xref target="RFC7252"/>) when not shown in the response.
Discoverable port numbers are usually returned for Join Proxy resources in the &lt;href&gt; of the payload (see section 5.1 of <xref target="I-D.ietf-ace-coap-est"/>).</t>
</section>
</section>
</section>
<section anchor="security-considerations" title="Security Considerations">
<t>It should be noted here that the contents of the CBOR map used to convey return address information are not protected.
However, the communication between the Proxy and a known Registrar takes place over the already secured portion of the network, so it is not visible to eavesdropping systems.</t>
<t>All of the concerns in <xref target="I-D.ietf-anima-bootstrapping-keyinfra"/> section 4.1 apply.
The pledge can be deceived by malicious AN_Proxy announcements.
The pledge will only join a network to which it receives a valid <xref target="RFC8366"/> voucher.</t>
<t>If the proxy/Registrar path were not over a secure network, then an attacker could change the CBOR array, causing the pledge to send traffic to another node.
If such a scenario needed to be supported, then it would be reasonable for the Proxy to encrypt the CBOR array using a locally generated symmetric key.
The Registrar would not be able to examine the result, but it does not need to do so.
This is a topic for future work.</t>
</section>
<section anchor="iana-considerations" title="IANA Considerations">
<t>This document needs to create a registry for key indices in the CBOR map. It should be given a name, and the amending formula should be IETF Specification.</t>
<section anchor="resource-type-registry" title="Resource Type registry">
<t>This specification registers a new Resource Type (rt=) Link Target Attribute in the “Resource Type (rt=) Link Target Attribute Values” subregistry under the “Constrained RESTful Environments (CoRE) Parameters” registry.</t>
<figure><artwork><![CDATA[
rt="brski-proxy". This EST resource is used to query and return
the supported EST resource of a Join Proxy placed between Pledge
and EST server.
]]></artwork></figure>
</section>
</section>
<section anchor="acknowledgements" title="Acknowledgements">
<t>Many thanks for the comments by Brian Carpenter.</t>
</section>
<section anchor="contributors" title="Contributors">
<t>Sandeep Kumar, Sye Loong Keoh, and Oscar Garcia-Morchon are the co-authors of draft-kumar-dice-dtls-relay-02. Their draft has served as a basis for this document. Much text from their draft is copied over to this draft.</t>
</section>
<section anchor="changelog" title="Changelog">
<section anchor="to-05" title="04 to 05">
<t><list style="symbols">
<t>Terminology updated</t>
<t>Emphasized new Join Proxy port</t>
</list></t>
</section>
<section anchor="to-02" title="01 to 02">
<t><list style="symbols">
<t>extended the discovery section</t>
<t>removed inconsistencies from the flow diagrams</t>
<t>Improved readability of the examples.</t>
<t>stateful configurations reduced to one</t>
</list></t>
</section>
<section anchor="to-01" title="00 to 01">
<t><list style="symbols">
<t>Added Contributors section</t>
<t>Adapted content-formats to est-coaps formats</t>
<t>Aligned examples with est-coaps examples</t>
<t>Added stateful Proxy to stateless proxy</t>
</list></t>
</section>
<section anchor="to-00" title="00 to 00">
<t><list style="symbols">
<t>added payload examples in appendix</t>
<t>discovery for three cases: AN, 6tisch and coaps</t>
</list></t>
</section>
</section>
</middle>
<back>
<references title='Normative References'>
&RFC6347;
&RFC7049;
&RFC8366;
&I-D.ietf-anima-bootstrapping-keyinfra;
&I-D.ietf-ace-coap-est;
&I-D.ietf-core-multipart-ct;
&I-D.ietf-6tisch-enrollment-enhanced-beacon;
&I-D.ietf-anima-constrained-voucher;
&I-D.ietf-anima-grasp;
&RFC2119;
&RFC8174;
</references>
<references title='Informative References'>
&RFC6763;
&I-D.richardson-anima-state-for-joinrouter;
&RFC6690;
&RFC7030;
&RFC7228;
&I-D.kumar-dice-dtls-relay;
&RFC4944;
&RFC7252;
&RFC6775;
</references>
<section anchor="examples" title="Stateless Proxy payload examples">
<figure><artwork><![CDATA[
Examples need to be redone
]]></artwork></figure>
<t>Examples are extensions of two examples shown in <xref target="I-D.ietf-ace-coap-est"/>.
The following content formats are used:</t>
<t><list style="symbols">
<t>60: application/cbor</t>
<t>62: application/multipart</t>
<t>281: application/pkcs7-mime; smime-type=certs-only</t>
<t>284: application/pkcs8</t>
<t>286: application/pkcs10</t>
</list></t>
<t>For presentation purposes the payloads are abbreviated as follows:</t>
<t>cacrts request payload:</t>
<figure><artwork><![CDATA[
<cacrts request payload> = <empty>
]]></artwork></figure>
<t>cacrts response payload:</t>
<figure><artwork><![CDATA[
<cacrts response payload> =
DTLS_encrypt(
3082027b06092a864886f70d010702a082026c308202680201013100300b
06092a864886f70d010701a082024e3082024a308201f0a0030201020209
009189bcdf9c99244b300a06082a8648ce3d0403023067310b3009060355
040613025553310b300906035504080c024341310b300906035504070c02
4c4131143012060355040a0c0b4578616d706c6520496e63311630140603
55040b0c0d63657274696669636174696f6e3110300e06035504030c0752
6f6f74204341301e170d3139303130373130343034315a170d3339303130
323130343034315a3067310b3009060355040613025553310b3009060355
04080c024341310b300906035504070c024c4131143012060355040a0c0b
4578616d706c6520496e6331163014060355040b0c0d6365727469666963
6174696f6e3110300e06035504030c07526f6f742043413059301306072a
8648ce3d020106082a8648ce3d03010703420004814994082b6e8185f3df
53f5e0bee698973335200023ddf78cd17a443ffd8ddd40908769c55652ac
2ccb75c4a50a7c7ddb7c22dae6c85cca538209fdbbf104c9a38184308181
301d0603551d0e041604142495e816ef6ffcaaf356ce4adffe33cf492abb
a8301f0603551d230418301680142495e816ef6ffcaaf356ce4adffe33cf
492abba8300f0603551d130101ff040530030101ff300e0603551d0f0101
ff040403020106301e0603551d1104173015811363657274696679406578
616d706c652e636f6d300a06082a8648ce3d0403020348003045022100da
e37c96f154c32ec0b4af52d46f3b7ecc9687ddf267bcec368f7b7f135327
2f022047a28ae5c7306163b3c3834bab3c103f743070594c089aaa0ac870
cd13b902caa1003100
)
]]></artwork></figure>
<t>serverkeygen request payload:</t>
<figure><artwork><![CDATA[
<serverkeygen request payload> =
DTLS_encrypt(
3081cf3078020100301631143012060355040a0c0b736b67206578616d70
6c653059301306072a8648ce3d020106082a8648ce3d030107034200041b
b8c1117896f98e4506c03d70efbe820d8e38ea97e9d65d52c8460c5852c5
1dd89a61370a2843760fc859799d78cd33f3c1846e304f1717f8123f1a28
4cc99fa000300a06082a8648ce3d04030203470030440220387cd4e9cf62
8d4af77f92ebed4890d9d141dca86cd2757dd14cbd59cdf6961802202f24
5e828c77754378b66660a4977f113cacdaa0cc7bad7d1474a7fd155d090d
)
]]></artwork></figure>
<t>serverkeygen response payload:</t>
<figure><artwork><![CDATA[
<serverkeygen response payload> =
DTLS_encrypt(
84 # array(4)
19 011C # unsigned(284)
58 8A # bytes(138)
308187020100301306072a8648ce3d020106082a8648ce3d030107046d30
6b02010104200b9a67785b65e07360b6d28cfc1d3f3925c0755799deeca7
45372b01697bd8a6a144034200041bb8c1117896f98e4506c03d70efbe82
0d8e38ea97e9d65d52c8460c5852c51dd89a61370a2843760fc859799d78
cd33f3c1846e304f1717f8123f1a284cc99f
19 0119 # unsigned(281)
59 01D3 # bytes(467)
308201cf06092a864886f70d010702a08201c0308201bc0201013100300b
06092a864886f70d010701a08201a23082019e30820143a0030201020208
126de8571518524b300a06082a8648ce3d04030230163114301206035504
0a0c0b736b67206578616d706c65301e170d313930313039303835373038
5a170d3339303130343038353730385a301631143012060355040a0c0b73
6b67206578616d706c653059301306072a8648ce3d020106082a8648ce3d
030107034200041bb8c1117896f98e4506c03d70efbe820d8e38ea97e9d6
5d52c8460c5852c51dd89a61370a2843760fc859799d78cd33f3c1846e30
4f1717f8123f1a284cc99fa37b307930090603551d1304023000302c0609
6086480186f842010d041f161d4f70656e53534c2047656e657261746564
204365727469666963617465301d0603551d0e04160414494be598dc8dbc
0dbc071c486b777460e5cce621301f0603551d23041830168014494be598
dc8dbc0dbc071c486b777460e5cce621300a06082a8648ce3d0403020349
003046022100a4b167d0f9add9202810e6bf6a290b8cfdfc9b9c9fea2cc1
c8fc3a464f79f2c202210081d31ba142751a7b4a34fd1a01fcfb08716b9e
b53bdaadc9ae60b08f52429c0fa1003100
)
]]></artwork></figure>
<section anchor="cacerts" title="cacerts">
<t>The request from Join Proxy to EST server looks like:</t>
<figure><artwork><![CDATA[
GET coaps://192.0.2.1/est/crts
(Accept: 62)
(Content-Format: 62)
payload =
82 # array(2)
18 3C # unsigned(60)
83 # array(3)
69 # text(9)
464538303A3A414238 # "FE80::AB8"
19 237D # unsigned(9085)
65 # text(5)
6964656E74 # "ident"
]]></artwork></figure>
<t>In CBOR Diagnostic:</t>
<figure><artwork><![CDATA[
payload = [60, ["FE80::AB8", 9085, "ident"]]
]]></artwork></figure>
<t>The response will then be:</t>
<figure><artwork><![CDATA[
2.05 Content
(Content-Format: 62)
Payload =
84 # array(4)
18 3C # unsigned(60)
83 # array(3)
69 # text(9)
464538303A3A414238 # "FE80::AB8"
19 237D # unsigned(9085)
65 # text(5)
6964656E74 # "ident"
19 0119 # unsigned(281)
59 027F # bytes(639)
<cacrts response payload>
]]></artwork></figure>
<t>In CBOR diagnostic:</t>
<figure><artwork><![CDATA[
payload = [60, ["FE80::AB8", 9085, "ident"],
           281, h'<cacrts response payload>']
]]></artwork></figure>
</section>
<section anchor="serverkeygen" title="serverkeygen">
<t>The request from Join Proxy to EST server looks like:</t>
<figure><artwork><![CDATA[
GET coaps://192.0.2.1/est/skg
(Accept: 62)
(Content-Format: 62)
Payload =
84 # array(4)
18 3C # unsigned(60)
83 # array(3)
69 # text(9)
464538303A3A414238 # "FE80::AB8"
19 237D # unsigned(9085)
65 # text(5)
6964656E74 # "ident"
19 011E # unsigned(286)
58 D2 # bytes(210)
<serverkeygen request payload>
]]></artwork></figure>
<t>In CBOR diagnostic:</t>
<figure><artwork><![CDATA[
payload = [60, ["FE80::AB8", 9085, "ident"],
286, h'<serverkeygen request payload>']
]]></artwork></figure>
<t>The response will then be:</t>
<figure><artwork><![CDATA[
2.05 Content
(Content-Format: 62)
Payload =
84 # array(4)
18 3C # unsigned(60)
83 # array(3)
69 # text(9)
464538303A3A414238 # "FE80::AB8"
19 237D # unsigned(9085)
65 # text(5)
6964656E74 # "ident"
18 3E # unsigned(62)
59 0269 # bytes(617)
<serverkeygen response payload>
]]></artwork></figure>
<t>In CBOR diagnostic:</t>
<figure><artwork><![CDATA[
payload = [60, ["FE80::AB8", 9085, "ident"],
           62, h'<serverkeygen response payload>']
]]></artwork></figure>
</section>
</section>
</back>
<!-- ##markdown-source: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-->
</rfc>