rfc9308.original.xml   rfc9308.xml 
<?xml version='1.0' encoding='utf-8'?> <?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.6.10 (Ruby 3.0. <!DOCTYPE rfc [
2) --> <!ENTITY nbsp "&#160;">
<!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent"> <!ENTITY zwsp "&#8203;">
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft <!ENTITY nbhy "&#8209;">
-ietf-quic-applicability-18" category="info" tocInclude="true" sortRefs="true" s <!ENTITY wj "&#8288;">
ymRefs="true" version="3"> ]>
<!-- xml2rfc v2v3 conversion 3.5.0 -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft
-ietf-quic-applicability-18" number="9308" submissionType="IETF" category="info"
consensus="true" tocInclude="true" sortRefs="true" symRefs="true" xml:lang="en"
updates="" obsoletes="" version="3">
<front> <front>
<title abbrev="QUIC Applicability">Applicability of the QUIC Transport Proto col</title> <title abbrev="QUIC Applicability">Applicability of the QUIC Transport Proto col</title>
<seriesInfo name="Internet-Draft" value="draft-ietf-quic-applicability-18"/> <seriesInfo name="RFC" value="9308"/>
<author initials="M." surname="Kuehlewind" fullname="Mirja Kuehlewind"> <author initials="M." surname="Kühlewind" fullname="Mirja Kühlewind">
<organization>Ericsson</organization> <organization>Ericsson</organization>
<address> <address>
<email>mirja.kuehlewind@ericsson.com</email> <email>mirja.kuehlewind@ericsson.com</email>
</address> </address>
</author> </author>
<author initials="B." surname="Trammell" fullname="Brian Trammell"> <author initials="B." surname="Trammell" fullname="Brian Trammell">
<organization>Google</organization> <organization>Google Switzerland GmbH</organization>
<address> <address>
<postal> <postal>
<street>Gustav-Gull-Platz 1</street> <street>Gustav-Gull-Platz 1</street>
<city>8004 Zurich</city> <city>Zurich</city>
<code>8004</code>
<country>Switzerland</country> <country>Switzerland</country>
</postal> </postal>
<email>ietf@trammell.ch</email> <email>ietf@trammell.ch</email>
</address> </address>
</author> </author>
<date year="2022" month="July" day="15"/> <date year="2022" month="September"/>
<keyword>Internet-Draft</keyword> <area>tsv</area>
<workgroup>quic</workgroup>
<keyword>QUIC</keyword>
<keyword>application protocol mapping</keyword>
<keyword>deployment</keyword>
<abstract> <abstract>
<t>This document discusses the applicability of the QUIC transport protoco l, <t>This document discusses the applicability of the QUIC transport protoco l,
focusing on caveats impacting application protocol development and deployment focusing on caveats impacting application protocol development and deployment
over QUIC. Its intended audience is designers of application protocol mappings over QUIC. Its intended audience is designers of application protocol mappings
to QUIC, and implementors of these application protocols.</t> to QUIC and implementors of these application protocols.</t>
</abstract> </abstract>
</front> </front>
<middle> <middle>
<section anchor="introduction"> <section anchor="introduction">
<name>Introduction</name> <name>Introduction</name>
<t>QUIC <xref target="QUIC"/> is a new transport protocol providing a numb er of <t>QUIC <xref target="RFC9000"/> is a new transport protocol providing a n umber of
advanced features. While initially designed for the HTTP use case, it provides advanced features. While initially designed for the HTTP use case, it provides
capabilities that can be used with a much wider variety of applications. QUIC is capabilities that can be used with a much wider variety of applications. QUIC is
encapsulated in UDP. QUIC version 1 integrates TLS 1.3 <xref target="TLS13"/> to encapsulated in UDP. QUIC version 1 integrates TLS 1.3 <xref target="RFC8446"/> to
encrypt all payload data and most control information. The version of HTTP that encrypt all payload data and most control information. The version of HTTP that
uses QUIC is known as HTTP/3 <xref target="QUIC-HTTP"/>.</t> uses QUIC is known as HTTP/3 <xref target="RFC9114"/>.</t>
<t>This document provides guidance for application developers that want to <t>This document provides guidance for application developers who want to
use use
the QUIC protocol without implementing it on their own. This includes general the QUIC protocol without implementing it on their own. This includes general
guidance for applications operating over HTTP/3 or directly over QUIC.</t> guidance for applications operating over HTTP/3 or directly over QUIC.</t>
<t>In the following sections we discuss specific caveats to QUIC's applica bility, <t>In the following sections, we discuss specific caveats to QUIC's applic ability
and issues that application developers must consider when using QUIC as a and issues that application developers must consider when using QUIC as a
transport for their application.</t> transport for their applications.</t>
</section> </section>
<section anchor="fallback"> <section anchor="fallback">
<name>The Necessity of Fallback</name> <name>The Necessity of Fallback</name>
<t>QUIC uses UDP as a substrate. This enables userspace implementation and permits <t>QUIC uses UDP as a substrate. This enables userspace implementation and permits
traversal of network middleboxes (including NAT) without requiring updates to traversal of network middleboxes (including NAT) without requiring updates to
existing network infrastructure.</t> existing network infrastructure.</t>
<t>Measurement studies have shown between three <xref target="Trammell16"/ <t>Measurement studies have shown between 3% <xref target="Trammell16"/> a
> and nd
five <xref target="Swett16"/> percent of networks block all UDP traffic, though 5% <xref target="Swett16"/> of networks block all UDP traffic, though there
there
is little evidence of other forms of systematic disadvantage to UDP traffic is little evidence of other forms of systematic disadvantage to UDP traffic
compared to TCP <xref target="Edeline16"/>. This blocking implies that all appli cations compared to TCP <xref target="Edeline16"/>. This blocking implies that all appli cations
running on top of QUIC must either be prepared to accept connectivity failure running on top of QUIC must either be prepared to accept connectivity failure
on such networks, or be engineered to fall back to some other transport on such networks or be engineered to fall back to some other transport
protocol. In the case of HTTP, this fallback is TLS over TCP.</t> protocol. In the case of HTTP, this fallback is TLS over TCP.</t>
<t>The IETF TAPS specifications <xref target="I-D.ietf-taps-arch"/> descri be a system with a <t>The IETF Transport Services (TAPS) specifications <xref target="I-D.iet f-taps-arch"/> describe a system with a
common API for multiple protocols. This is particularly relevant for QUIC as common API for multiple protocols. This is particularly relevant for QUIC as
it addresses the implications of fallback among multiple protocols.</t> it addresses the implications of fallback among multiple protocols.</t>
<t>Specifically, fallback to insecure protocols or to weaker versions of s ecure <t>Specifically, fallback to insecure protocols or to weaker versions of s ecure
protocols needs to be avoided. In general, an application that implements protocols needs to be avoided. In general, an application that implements
fallback needs to consider the security consequences. A fallback to TCP and fallback needs to consider the security consequences. A fallback to TCP and
TLS exposes control information to modification and manipulation in the TLS exposes control information to modification and manipulation in the
network. Additionally, downgrades to older TLS versions than 1.3, which is network. Additionally, downgrades to TLS versions older than 1.3, which is
used in QUIC version 1, might result in significantly weaker used in QUIC version 1, might result in significantly weaker
cryptographic protection. For example, the results of protocol negotiation cryptographic protection. For example, the results of protocol negotiation
<xref target="RFC7301"/> only have confidentiality protection if TLS 1.3 is used .</t> <xref target="RFC7301"/> only have confidentiality protection if TLS 1.3 is used .</t>
<t>These applications must operate, perhaps with impaired functionality, i n the <t>These applications must operate, perhaps with impaired functionality, i n the
absence of features provided by QUIC not present in the fallback protocol. For absence of features provided by QUIC not present in the fallback protocol. For
fallback to TLS over TCP, the most obvious difference is that TCP does not fallback to TLS over TCP, the most obvious difference is that TCP does not
provide stream multiplexing and therefore stream multiplexing would need to be provide stream multiplexing, and therefore stream multiplexing would need to be
implemented in the application layer if needed. Further, TCP implementations implemented in the application layer if needed. Further, TCP implementations
and network paths often do not support the Fast Open option <xref target="RFC741 3"/>, which and network paths often do not support the TCP Fast Open (TFO) option <xref targ et="RFC7413"/>, which
enables sending of payload data together with the first control packet of a new enables sending of payload data together with the first control packet of a new
connection as also provided by 0-RTT session resumption in QUIC. Note that connection as also provided by 0-RTT session resumption in QUIC. Note that
there is some evidence of middleboxes blocking SYN data even if TFO was there is some evidence of middleboxes blocking SYN data even if TFO was
successfully negotiated (see <xref target="PaaschNanog"/>). And even if Fast Ope n successfully negotiated (see <xref target="PaaschNanog"/>). And even if Fast Ope n
successfully operates end-to-end, it is limited to a single packet of TLS successfully operates end to end, it is limited to a single packet of TLS
handshake and application data, unlike QUIC 0-RTT.</t> handshake and application data, unlike QUIC 0-RTT.</t>
<t>Moreover, while encryption (in this case TLS) is inseparably integrated with <t>Moreover, while encryption (in this case TLS) is inseparably integrated with
QUIC, TLS negotiation over TCP can be blocked. If TLS over TCP cannot be QUIC, TLS negotiation over TCP can be blocked. If TLS over TCP cannot be
supported, the connection should be aborted, and the application then ought supported, the connection should be aborted, and the application then ought
to present a suitable prompt to the user that secure communication is to present a suitable prompt to the user that secure communication is
unavailable.</t> unavailable.</t>
<t>In summary, any fallback mechanism is likely to impose a degradation of <t>In summary, any fallback mechanism is likely to impose a degradation of
performance and can degrade security; however, fallback must not silently performance and can degrade security; however, fallback must not silently
violate the application's expectation of confidentiality or integrity of its violate the application's expectation of confidentiality or integrity of its
payload data.</t> payload data.</t>
</section> </section>
<section anchor="zero-rtt"> <section anchor="zero-rtt">
<name>Zero RTT</name> <name>0-RTT</name>
<t>QUIC provides for 0-RTT connection establishment. Though the same facil ity <t>QUIC provides for 0-RTT connection establishment. Though the same facil ity
exists in TLS 1.3 with TCP, 0-RTT presents opportunities and challenges for exists in TLS 1.3 with TCP, 0-RTT presents opportunities and challenges for
applications using QUIC.</t> applications using QUIC.</t>
<t>A transport protocol that provides 0-RTT connection establishment is <t>A transport protocol that provides 0-RTT connection establishment is
qualitatively different from one that does not from the point of view of the qualitatively different from one that does not provide 0-RTT from the point of v iew of the
application using it. Relative trade-offs between the cost of closing and application using it. Relative trade-offs between the cost of closing and
reopening a connection and trying to keep it open are different; see reopening a connection and trying to keep it open are different; see
<xref target="resumption-v-keepalive"/>.</t> <xref target="resumption-v-keepalive"/>.</t>
<t>An application needs to deliberately choose to use 0-RTT, as 0-RTT carr ies a <t>An application needs to deliberately choose to use 0-RTT, as 0-RTT carr ies a
risk of replay attack. Application protocols that use 0-RTT require a profile risk of replay attack. Application protocols that use 0-RTT require a profile
that describes the types of information that can be safely sent. For HTTP, this that describes the types of information that can be safely sent. For HTTP, this
profile is described in <xref target="HTTP-REPLAY"/>.</t> profile is described in <xref target="RFC8470"/>.</t>
<section anchor="replay-attacks"> <section anchor="replay-attacks">
<name>Replay Attacks</name> <name>Replay Attacks</name>
<t>Retransmission or (malicious) replay of data contained in 0-RTT packe ts could <t>Retransmission or malicious replay of data contained in 0-RTT packets could
cause the server side to receive multiple copies of the same data.</t> cause the server side to receive multiple copies of the same data.</t>
<t>Application data sent by the client in 0-RTT packets could be process ed more <t>Application data sent by the client in 0-RTT packets could be process ed more
than once if it is replayed. Applications need to be aware of what is safe to than once if it is replayed. Applications need to be aware of what is safe to
send in 0-RTT. Application protocols that seek to enable the use of 0-RTT need send in 0-RTT. Application protocols that seek to enable the use of 0-RTT need
a careful analysis and a description of what can be sent in 0-RTT; see Section a careful analysis and a description of what can be sent in 0-RTT; see
5.6 of <xref target="QUIC-TLS"/>.</t> <xref target="RFC9001" sectionFormat="of" section="5.6"/>.</t>
<t>In some cases, it might be sufficient to limit application data sent in 0-RTT <t>In some cases, it might be sufficient to limit application data sent in 0-RTT
to that which only causes actions at a server that are known to be free of to data that does not cause actions with lasting effects at a
lasting effect. Initiating data retrieval or establishing configuration are server. Initiating data retrieval or establishing configuration are
examples of actions that could be safe. Idempotent operations - those for which examples of actions that could be safe. Idempotent operations -- those for which
repetition has the same net effect as a single operation - might be safe. repetition has the same net effect as a single operation -- might be safe.
However, it is also possible to combine individually idempotent operations into However, it is also possible to combine individually idempotent operations into
a non-idempotent sequence of operations.</t> a non-idempotent sequence of operations.</t>
<t>Once a server accepts 0-RTT data there is no means of selectively dis carding <t>Once a server accepts 0-RTT data, there is no means of selectively di scarding
data that is received. However, protocols can define ways to reject individual data that is received. However, protocols can define ways to reject individual
actions that might be unsafe if replayed.</t> actions that might be unsafe if replayed.</t>
<t>Some TLS implementations and deployments might be able to provide par tial or <t>Some TLS implementations and deployments might be able to provide par tial or
even complete replay protection, which could be used to manage replay risk.</t> even complete replay protection, which could be used to manage replay risk.</t>
</section> </section>
<section anchor="resumption-v-keepalive"> <section anchor="resumption-v-keepalive">
<name>Session resumption versus Keep-alive</name> <name>Session Resumption versus Keep-Alive</name>
<t>Because QUIC is encapsulated in UDP, applications using QUIC must dea l with <t>Because QUIC is encapsulated in UDP, applications using QUIC must dea l with
short network idle timeouts. Deployed stateful middleboxes will generally short network idle timeouts. Deployed stateful middleboxes will generally
establish state for UDP flows on the first packet sent, and keep state for establish state for UDP flows on the first packet sent and keep state for
much shorter idle periods than for TCP. <xref target="RFC5382"/> suggests a TCP idle much shorter idle periods than for TCP. <xref target="RFC5382"/> suggests a TCP idle
period of at least 124 minutes, though there is no evidence of widespread period of at least 124 minutes, though there is no evidence of widespread
implementation of this guideline in the literature. Short network timeout for implementation of this guideline in the literature. However, short network timeo
UDP, however, is well-documented. According to a 2010 study ut for
UDP is well-documented. According to a 2010 study
(<xref target="Hatonen10"/>), UDP applications can assume that any NAT binding o r other (<xref target="Hatonen10"/>), UDP applications can assume that any NAT binding o r other
state entry can expire after just thirty seconds of inactivity. <xref section=" 3.5" sectionFormat="of" target="RFC8085"/> further discusses keep-alive interval s for UDP: it state entry can expire after just thirty seconds of inactivity. <xref section=" 3.5" sectionFormat="of" target="RFC8085"/> further discusses keep-alive interval s for UDP: it
requires a minimum value of 15 seconds, but recommends larger values, or requires that there is a minimum value of 15 seconds, but recommends larger valu
omitting keep-alive entirely.</t> es, or that keep-alive is omitted entirely.</t>
<t>By using a connection ID, QUIC is designed to be robust to NAT addres <t>By using a connection ID, QUIC is designed to be robust to NAT
s
rebinding after a timeout. However, this only helps if one endpoint maintains rebinding after a timeout. However, this only helps if one endpoint maintains
availability at the address its peer uses, and the peer is the one to send availability at the address its peer uses and the peer is the one to send
after the timeout occurs.</t> after the timeout occurs.</t>
<t>Some QUIC connections might not be robust to NAT rebinding because th e routing <t>Some QUIC connections might not be robust to NAT rebinding because th e routing
infrastructure (in particular, load balancers) uses the address/port four-tuple infrastructure (in particular, load balancers) uses the address/port 4-tuple
to direct traffic. Furthermore, middleboxes with functions other than address to direct traffic. Furthermore, middleboxes with functions other than address
translation could still affect the path. In particular, some firewalls do not translation could still affect the path. In particular, some firewalls do not
admit server traffic for which the firewall has no recent state for a admit server traffic for which the firewall has no recent state for a
corresponding packet sent from the client.</t> corresponding packet sent from the client.</t>
<t>QUIC applications can adjust idle periods to manage the risk of timeo ut. Idle <t>QUIC applications can adjust idle periods to manage the risk of timeo ut. Idle
periods and the network idle timeout are distinct from the connection idle periods and the network idle timeout are distinct from the connection idle
timeout, which is defined as the minimum of either endpoint's idle timeout timeout, which is defined as the minimum of either endpoint's idle timeout
parameter; see <xref section="10.1" sectionFormat="of" target="QUIC"/>). There a re three options:</t> parameter; see <xref section="10.1" sectionFormat="of" target="RFC9000"/>. There are three options:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>Ignore the issue, if the application-layer protocol consists only <li>Ignore the issue if the application-layer protocol consists only o
of f
interactions with no or very short idle periods, or the protocol's resistance interactions with no or very short idle periods or if the protocol's resistance
to NAT rebinding is sufficient.</li> to NAT rebinding is sufficient.</li>
<li>Ensure there are no long idle periods.</li> <li>Ensure there are no long idle periods.</li>
<li>Resume the session after a long idle period, using 0-RTT resumptio n when <li>Resume the session after a long idle period, using 0-RTT resumptio n when
appropriate.</li> appropriate.</li>
</ul> </ul>
<t>The first strategy is the easiest, but it only applies to certain app lications.</t> <t>The first strategy is the easiest, but it only applies to certain app lications.</t>
<t>Either the server or the client in a QUIC application can send PING f rames as <t>Either the server or the client in a QUIC application can send PING f rames as
keep-alives, to prevent the connection and any on-path state from timing out. keep-alives to prevent the connection and any on-path state from timing out.
Recommendations for the use of keep-alives are application-specific, mainly Recommendations for the use of keep-alives are application specific, mainly
depending on the latency requirements and message frequency of the application. depending on the latency requirements and message frequency of the application.
In this case, the application mapping must specify whether the client or server In this case, the application mapping must specify whether the client or server
is responsible for keeping the application alive. While <xref target="Hatonen10 "/> suggests is responsible for keeping the application alive. While <xref target="Hatonen10 "/> suggests
that 30 seconds might be a suitable value for the public Internet when a NAT that 30 seconds might be a suitable value for the public Internet when a NAT
is on path, larger values are preferable if the deployment can consistently is on path, larger values are preferable if the deployment can consistently
survive NAT rebinding or is known to be in a controlled environment (e.g. survive NAT rebinding or is known to be in a controlled environment (e.g.,
data centres) in order to lower network and computational load.</t> data centers) in order to lower network and computational load.</t>
<t>Sending PING frames more frequently than every 30 seconds over long i dle <t>Sending PING frames more frequently than every 30 seconds over long i dle
periods may result in excessive unproductive traffic in some situations, and periods may result in excessive unproductive traffic in some situations and
unacceptable power usage for power-constrained (mobile) devices. Additionally, unacceptable power usage for power-constrained (mobile) devices. Additionally,
timeouts shorter than 30 seconds can make it harder to handle transient network timeouts shorter than 30 seconds can make it harder to handle transient network
interruptions, such as VM migration or coverage loss during mobility. interruptions, such as Virtual Machine (VM) migration or coverage loss during mo
See <xref target="RFC8085"/>, especially Section 3.5.</t> bility.
See <xref target="RFC8085"/>, especially Section <xref target="RFC8085" sectionF
ormat="bare" section="3.5"/>.</t>
<t>Alternatively, the client (but not the server) can use session resump tion <t>Alternatively, the client (but not the server) can use session resump tion
instead of sending keepalive traffic. In this case, a client that wants to send instead of sending keep-alive traffic. In this case, a client that wants to send
data to a server over a connection that has been idle longer than the server's data to a server over a connection that has been idle longer than the server's
idle timeout (available from the idle_timeout transport parameter) can simply idle timeout (available from the idle_timeout transport parameter) can simply
reconnect. When possible, this reconnection can use 0-RTT session resumption, reconnect. When possible, this reconnection can use 0-RTT session resumption,
reducing the latency involved with restarting the connection. Of course, this reducing the latency involved with restarting the connection. Of course, this
approach is only valid in cases in which it is safe to use 0-RTT and when the approach is only valid in cases in which it is safe to use 0-RTT and when the
client is the restarting peer.</t> client is the restarting peer.</t>
<t>The tradeoffs between resumption and keep-alives need to be evaluated on a <t>The trade-offs between resumption and keep-alives need to be evaluate d on a
per-application basis. In general, applications should use keep-alives only in per-application basis. In general, applications should use keep-alives only in
circumstances where continued communication is highly likely; <xref target="QUIC -HTTP"/>, for circumstances where continued communication is highly likely; <xref target="RFC9 114"/>, for
instance, recommends using keep-alives only when a request is outstanding.</t> instance, recommends using keep-alives only when a request is outstanding.</t>
</section> </section>
</section> </section>
<section anchor="use-of-streams"> <section anchor="use-of-streams">
<name>Use of Streams</name> <name>Use of Streams</name>
<t>QUIC's stream multiplexing feature allows applications to run multiple streams <t>QUIC's stream multiplexing feature allows applications to run multiple streams
over a single connection, without head-of-line blocking between streams. Stream over a single connection without head-of-line blocking between streams. Stream
data is carried within frames, where one QUIC packet on the wire can carry one data is carried within frames where one QUIC packet on the wire can carry one
or multiple stream frames.</t> or multiple stream frames.</t>
<t>Streams can be unidirectional or bidirectional, and a stream may be ini tiated <t>Streams can be unidirectional or bidirectional, and a stream may be ini tiated
either by client or server. Only the initiator of a unidirectional stream can either by client or server. Only the initiator of a unidirectional stream can
send data on it.</t> send data on it.</t>
<t>Streams and connections can each carry a maximum of <t>Streams and connections can each carry a maximum of
2<sup>62</sup>-1 bytes in each direction, due to encoding limitations on 2<sup>62</sup>-1 bytes in each direction due to encoding limitations on
stream offsets and connection flow control limits. In the presently unlikely stream offsets and connection flow control limits. In the presently unlikely
event that this limit is reached by an application, a new connection would event that this limit is reached by an application, a new connection would
need to be established.</t> need to be established.</t>
<t>Streams can be independently opened and closed, gracefully or abruptly. An <t>Streams can be independently opened and closed, gracefully or abruptly. An
application can gracefully close the egress direction of a stream by instructing application can gracefully close the egress direction of a stream by instructing
QUIC to send a FIN bit in a STREAM frame. It cannot gracefully close the ingress QUIC to send a FIN bit in a STREAM frame. It cannot gracefully close the ingress
direction without a peer-generated FIN, much like in TCP. However, an endpoint direction without a peer-generated FIN, much like in TCP. However, an endpoint
can abruptly close the egress direction or request that its peer abruptly close can abruptly close the egress direction or request that its peer abruptly close
the ingress direction; these actions are fully independent of each other.</t> the ingress direction; these actions are fully independent of each other.</t>
<t>QUIC does not provide an interface for exceptional handling of any stre am. <t>QUIC does not provide an interface for exceptional handling of any stre am.
If a stream that is critical for an application is closed, the application can If a stream that is critical for an application is closed, the application can
generate error messages on the application layer to inform the other end and/or generate error messages on the application layer to inform the other end and/or
the higher layer, which can eventually terminate the QUIC connection.</t> the higher layer, which can eventually terminate the QUIC connection.</t>
<t>Mapping of application data to streams is application-specific and desc <t>Mapping of application data to streams is application specific and desc
ribed for ribed for
HTTP/3 in <xref target="QUIC-HTTP"/>. There are a few general principles to appl HTTP/3 in <xref target="RFC9114"/>. There are a few general principles to apply
y when when
designing an application's use of streams:</t> designing an application's use of streams:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>A single stream provides ordering. If the application requires certa in data to <li>A single stream provides ordering. If the application requires certa in data to
be received in order, that data should be sent on the same stream. There is be received in order, that data should be sent on the same stream. There is
no guarantee of transmission, reception, or delivery order across streams.</li> no guarantee of transmission, reception, or delivery order across streams.</li>
<li>Multiple streams provide concurrency. Data that can be processed <li>Multiple streams provide concurrency. Data that can be processed
independently, and therefore would suffer from head of line blocking if forced independently, and therefore would suffer from head-of-line blocking if forced
to be received in order, should be transmitted over separate streams.</li> to be received in order, should be transmitted over separate streams.</li>
<li>Streams can provide message orientation, and allow messages to be ca ncelled. <li>Streams can provide message orientation and allow messages to be can celed.
If one message is mapped to a single stream, resetting the stream to expire an If one message is mapped to a single stream, resetting the stream to expire an
unacknowledged message can be used to emulate partial reliability unacknowledged message can be used to emulate partial reliability
for that message.</li> for that message.</li>
</ul> </ul>
<t>If a QUIC receiver has opened the maximum allowed concurrent <t>If a QUIC receiver has opened the maximum allowed concurrent
streams, and the sender indicates that more streams are needed, it streams, and the sender indicates that more streams are needed, it
does not automatically lead to an increase of the maximum number of does not automatically lead to an increase of the maximum number of
streams by the receiver. Therefore, an application should consider the streams by the receiver. Therefore, an application should consider the
maximum number of allowed, currently open, and currently used streams when maximum number of allowed, currently open, and currently used streams when
determining how to map data to streams.</t> determining how to map data to streams.</t>
<t>QUIC assigns a numerical identifier to each stream, called the stream I D. While <t>QUIC assigns a numerical identifier, called the stream ID, to each stre am. While
the relationship between these identifiers and stream types is clearly defined the relationship between these identifiers and stream types is clearly defined
in version 1 of QUIC, future versions might change this relationship for various in version 1 of QUIC, future versions might change this relationship for various
reasons. QUIC implementations should expose the properties of each stream reasons. QUIC implementations should expose the properties of each stream
(which endpoint initiated the stream, whether the stream is unidirectional or (which endpoint initiated the stream, whether the stream is unidirectional or
bidirectional, the stream ID used for the stream); applications should query for bidirectional, the stream ID used for the stream); applications should query for
these properties rather than attempting to infer them from the stream ID.</t> these properties rather than attempting to infer them from the stream ID.</t>
<t>The method of allocating stream identifiers to streams opened by the ap plication <t>The method of allocating stream identifiers to streams opened by the ap plication
might vary between transport implementations. Therefore, an application should might vary between transport implementations. Therefore, an application should
not assume a particular stream ID will be assigned to a stream that has not yet not assume a particular stream ID will be assigned to a stream that has not yet
been allocated. For example, HTTP/3 uses stream IDs to refer to streams that been allocated. For example, HTTP/3 uses stream IDs to refer to streams that
have already been opened, but makes no assumptions about future stream IDs or have already been opened but makes no assumptions about future stream IDs or
the way in which they are assigned (see <xref section="6" sectionFormat="of" tar the way in which they are assigned (see <xref section="6" sectionFormat="of" tar
get="QUIC-HTTP"/>).</t> get="RFC9114"/>).</t>
<section anchor="stream-versus-flow-multiplexing"> <section anchor="stream-versus-flow-multiplexing">
<name>Stream versus Flow Multiplexing</name> <name>Stream versus Flow Multiplexing</name>
<t>Streams are meaningful only to the application; since stream informat ion is <t>Streams are meaningful only to the application; since stream informat ion is
carried inside QUIC's encryption boundary, a given packet exposes carried inside QUIC's encryption boundary, a given packet exposes
no information about which no information about which
stream(s) are carried within the packet. stream(s) are carried within the packet.
Therefore, stream multiplexing is not intended to be used for differentiating Therefore, stream multiplexing is not intended to be used for differentiating
streams in terms of network treatment. Application traffic requiring different streams in terms of network treatment. Application traffic requiring different
network treatment should therefore be carried over different five-tuples (i.e. network treatment should therefore be carried over different 5-tuples (i.e.,
multiple QUIC connections). Given QUIC's ability to send application data in multiple QUIC connections). Given QUIC's ability to send application data in
the first RTT of a connection (if a previous connection to the same host has the first RTT of a connection (if a previous connection to the same host has
been successfully established to provide the necessary credentials), the cost been successfully established to provide the necessary credentials), the cost
of establishing another connection is extremely low.</t> of establishing another connection is extremely low.</t>
</section> </section>
<section anchor="prioritization"> <section anchor="prioritization">
<name>Prioritization</name> <name>Prioritization</name>
<t>Stream prioritization is not exposed to either the network or the rec eiver. <t>Stream prioritization is not exposed to either the network or the rec eiver.
Prioritization is managed by the sender, and the QUIC transport should Prioritization is managed by the sender, and the QUIC transport should
provide an interface for applications to prioritize streams <xref target="QUIC"/ >. provide an interface for applications to prioritize streams <xref target="RFC900 0"/>.
Applications can implement their own prioritization scheme on top of QUIC: an Applications can implement their own prioritization scheme on top of QUIC: an
application protocol that runs on top of QUIC can define explicit messages application protocol that runs on top of QUIC can define explicit messages
for signaling priority, such as those defined in for signaling priority, such as those defined in
<xref target="I-D.draft-ietf-httpbis-priority"/> for HTTP; it can define rules <xref target="RFC9218"/> for HTTP. An application protocol can define rules
that allow an endpoint to determine priority based on context; or it can that allow an endpoint to determine priority based on context or can
provide a higher level interface and leave the determination to the provide a higher-level interface and leave the determination to the
application on top.</t> application on top.</t>
<t>Priority handling of retransmissions can be implemented by the sender in the <t>Priority handling of retransmissions can be implemented by the sender in the
transport layer. <xref target="QUIC"/> recommends retransmitting lost data befor e new data, transport layer. <xref target="RFC9000"/> recommends retransmitting lost data be fore new data,
unless indicated differently by the application. When a QUIC endpoint uses unless indicated differently by the application. When a QUIC endpoint uses
fully reliable streams for transmission, prioritization of retransmissions will fully reliable streams for transmission, prioritization of retransmissions will
be beneficial in most cases, filling in gaps and freeing up the flow be beneficial in most cases, filling in gaps and freeing up the flow
control window. For partially reliable or unreliable streams, control window. For partially reliable or unreliable streams,
priority scheduling of retransmissions over data of higher-priority streams priority scheduling of retransmissions over data of higher-priority streams
might not be desirable. For such streams, QUIC could either provide an might not be desirable. For such streams, QUIC could either provide an
explicit interface to control prioritization, or derive the prioritization explicit interface to control prioritization or derive the prioritization
decision from the reliability level of the stream.</t> decision from the reliability level of the stream.</t>
</section> </section>
<section anchor="ordered-and-reliable-delivery"> <section anchor="ordered-and-reliable-delivery">
<name>Ordered and Reliable Delivery</name> <name>Ordered and Reliable Delivery</name>
<t>QUIC streams enable ordered and reliable delivery. Though it is poss ible for an <t>QUIC streams enable ordered and reliable delivery. Though it is poss ible for an
implementation to provide options that use streams for partial reliability implementation to provide options that use streams for partial reliability
or out-of-order delivery, most implementations will assume that data is or out-of-order delivery, most implementations will assume that data is
reliably delivered in order.</t> reliably delivered in order.</t>
<t>Under this assumption, an endpoint that receives stream data might no t make <t>Under this assumption, an endpoint that receives stream data might no t make
forward progress until data that is contiguous with the start of a stream is forward progress until data that is contiguous with the start of a stream is
available. In particular, a receiver might withhold flow control credit until available. In particular, a receiver might withhold flow control credit until
contiguous data is delivered to the application; see <xref section="2.2" section Format="of" target="QUIC"/>. contiguous data is delivered to the application; see <xref section="2.2" section Format="of" target="RFC9000"/>.
To support this receive logic, an endpoint will send stream data until it is To support this receive logic, an endpoint will send stream data until it is
acknowledged, ensuring that data at the start of the stream is sent and acknowledged, ensuring that data at the start of the stream is sent and
acknowledged first.</t> acknowledged first.</t>
<t>An endpoint that uses a different sending behavior and does not negot iate that <t>An endpoint that uses a different sending behavior and does not negot iate that
change with its peer might encounter performance issues or deadlocks.</t> change with its peer might encounter performance issues or deadlocks.</t>
</section> </section>
<section anchor="flow-control-deadlocks"> <section anchor="flow-control-deadlocks">
<name>Flow Control Deadlocks</name> <name>Flow Control Deadlocks</name>
<t>QUIC flow control <xref section="4" sectionFormat="of" target="QUIC"/ <t>QUIC flow control (<xref section="4" sectionFormat="of" target="RFC90
> provides a means of managing access 00"/>) provides a means of managing access
to the limited buffers endpoints have for incoming data. This mechanism limits to the limited buffers that endpoints have for incoming data. This mechanism li
mits
the amount of data that can be in buffers in endpoints or in transit on the the amount of data that can be in buffers in endpoints or in transit on the
network. However, there are several ways in which limits can produce conditions network. However, there are several ways in which limits can produce conditions
that can cause a connection to either perform suboptimally or deadlock.</t> that can cause a connection to either perform suboptimally or become deadlocked. </t>
<t>Deadlocks in flow control are possible for any protocol that uses QUI C, though <t>Deadlocks in flow control are possible for any protocol that uses QUI C, though
whether they become a problem depends on how implementations consume data and whether they become a problem depends on how implementations consume data and
provide flow control credit. Understanding what causes deadlocking might help provide flow control credit. Understanding what causes deadlocking might help
implementations avoid deadlocks.</t> implementations avoid deadlocks.</t>
<t>The size and rate of transport flow control credit updates can affect <t>The size and rate of updates to flow control credit can affect
performance. Applications that use QUIC often have a data consumer that reads performance. Applications that use QUIC often have a data consumer that reads
data from transport buffers. Some implementations might have independent data from transport buffers. Some implementations might have independent
transport-layer and application-layer receive buffers. Consuming data does not receive buffers at the transport layer and application layer. Consuming data doe
always imply it is immediately processed. However, a common flow control s not
implementation technique is to extend credit to the sender, by emitting MAX_DATA always imply it is immediately processed. However, a common
and/or MAX_STREAM_DATA frames, as data is consumed. Delivery of these frames implementation technique is to extend flow control credit to the sender by emitt
ing MAX_DATA
and/or MAX_STREAM_DATA frames as data is consumed. Delivery of these frames
is affected by the latency of the back channel from the receiver to the data is affected by the latency of the back channel from the receiver to the data
sender. If credit is not extended in a timely manner, the sender. If credit is not extended in a timely manner, the
sending application can be blocked, effectively throttling the sender.</t> sending application can be blocked, effectively throttling the sender.</t>
<t>Large application messages can produce deadlocking if the recipient d oes not <t>Large application messages can produce deadlocking if the recipient d oes not
read data from the transport incrementally. If the message is larger than the read data from the transport incrementally. If the message is larger than the
flow control credit available and the recipient does not release additional flow flow control credit available and the recipient does not release additional flow
control credit until the entire message is received and delivered, a deadlock control credit until the entire message is received and delivered, a deadlock
can occur. This is possible even where stream flow control limits are not can occur. This is possible even where stream flow control limits are not
reached because connection flow control limits can be consumed by other streams. </t> reached because connection flow control limits can be consumed by other streams. </t>
<t>A length-prefixed message format makes it easier for a data consumer to leave <t>A length-prefixed message format makes it easier for a data consumer to leave
data unread in the transport buffer and thereby withhold flow control credit. If data unread in the transport buffer and thereby withhold flow control credit. If
flow control limits prevent the remainder of a message from being sent, a flow control limits prevent the remainder of a message from being sent, a
deadlock will result. A length prefix might also enable the detection of this deadlock will result. A length prefix might also enable the detection of this
sort of deadlock. Where application protocols have messages that might be sort of deadlock. Where application protocols have messages that might be
processed as a single unit, reserving flow control credit for the entire message processed as a single unit, reserving flow control credit for the entire message
atomically makes this style of deadlock less likely.</t> atomically makes this style of deadlock less likely.</t>
<t>A data consumer can eagerly read all data as it becomes available, in order to <t>A data consumer can eagerly read all data as it becomes available in order to
make the receiver extend flow control credit and reduce the chances of a make the receiver extend flow control credit and reduce the chances of a
deadlock. However, such a data consumer might need other means for holding a deadlock. However, such a data consumer might need other means for holding a
peer accountable for the additional state it keeps for partially processed peer accountable for the additional state it keeps for partially processed
messages.</t> messages.</t>
<t>Deadlocking can also occur if data on different streams is interdepen dent. <t>Deadlocking can also occur if data on different streams is interdepen dent.
Suppose that data on one stream arrives before the data on a second stream on Suppose that data on one stream arrives before the data on a second stream on
which it depends. A deadlock can occur if the first stream is left unread, which it depends. A deadlock can occur if the first stream is left unread,
preventing the receiver from extending flow control credit for the second preventing the receiver from extending flow control credit for the second
stream. To reduce the likelihood of deadlock for interdependent data, the stream. To reduce the likelihood of deadlock for interdependent data, the
sender should ensure that dependent data is not sent until the data sender should ensure that dependent data is not sent until the data
it depends on has been accounted for in both stream- and connection- level flow it depends on has been accounted for in both stream- and connection-level flow
control credit.</t> control credit.</t>
<t>Some deadlocking scenarios might be resolved by cancelling affected s <t>Some deadlocking scenarios might be resolved by canceling affected st
treams with reams with
STOP_SENDING or RESET_STREAM. Cancelling some streams results in the connection STOP_SENDING or RESET_STREAM. Canceling some streams results in the connection
being terminated in some protocols.</t> being terminated in some protocols.</t>
</section> </section>
<section anchor="stream-limit-commitments"> <section anchor="stream-limit-commitments">
<name>Stream Limit Commitments</name> <name>Stream Limit Commitments</name>
<t>QUIC endpoints are responsible for communicating the cumulative limit of streams <t>QUIC endpoints are responsible for communicating the cumulative limit of streams
they would allow to be opened by their peer. Initial limits are advertised using they would allow to be opened by their peer. Initial limits are advertised using
the initial_max_streams_bidi and initial_max_streams_uni transport parameters. the initial_max_streams_bidi and initial_max_streams_uni transport parameters.
As streams are opened and closed they are consumed, and the cumulative total is As streams are opened and closed, they are consumed, and the cumulative total is
incremented. Limits can be increased using the MAX_STREAMS frame but there is no incremented. Limits can be increased using the MAX_STREAMS frame, but there is n
o
mechanism to reduce limits. Once stream limits are reached, no more streams can mechanism to reduce limits. Once stream limits are reached, no more streams can
be opened, which prevents applications using QUIC from making further progress. be opened, which prevents applications using QUIC from making further progress.
At this stage connections can be terminated via idle timeout or explicit close; At this stage, connections can be terminated via idle timeout or explicit close;
see <xref target="sec-termination"/>).</t> see <xref target="sec-termination"/>.</t>
<t>An application that uses QUIC and communicated a cumulative stream li <t>An application that uses QUIC and communicates a cumulative stream li
mit might mit might
require the connection to be closed before the limit is reached. For example, require the connection to be closed before the limit is reached, e.g.,
to stop the server to perform scheduled maintenance. Immediate connection close to stop the server in order to perform scheduled maintenance. Immediate connecti
on close
causes abrupt closure of actively used streams. Depending on how an application causes abrupt closure of actively used streams. Depending on how an application
uses QUIC streams, this could be undesirable or detrimental to behavior or uses QUIC streams, this could be undesirable or detrimental to behavior or
performance.</t> performance.</t>
<t>A more graceful closure technique is to stop sending increases to <t>A more graceful closure technique is to stop sending increases to
stream limits and allow the connection to naturally terminate once remaining stream limits and allow the connection to naturally terminate once remaining
streams are consumed. However, the period of time it takes to do so is dependent streams are consumed. However, the period of time it takes to do so is dependent
on the peer and an unpredictable closing period might not fit application or on the peer, and an unpredictable closing period might not fit application or
operational needs. Applications using QUIC can be conservative with open stream operational needs. Applications using QUIC can be conservative with open stream
limits in order to reduce the commitment and indeterminism. However, being limits in order to reduce the commitment and indeterminism. However, being
overly conservative with stream limits affects stream concurrency. Balancing overly conservative with stream limits affects stream concurrency. Balancing
these aspects can be specific to applications and their deployments.</t> these aspects can be specific to applications and their deployments.</t>
<t>Instead of <t>Instead of
relying on stream limits to avoid abrupt closure, an application-layer graceful relying on stream limits to avoid abrupt closure, an application layer's gracefu l
close mechanism can be used to communicate the intention to explicitly close the close mechanism can be used to communicate the intention to explicitly close the
connection at some future point. HTTP/3 provides such a mechanism using the connection at some future point. HTTP/3 provides such a mechanism using the
GOAWAY frame. In HTTP/3, when the GOAWAY frame is received by a client, it GOAWAY frame. In HTTP/3, when the GOAWAY frame is received by a client, it
stops opening new streams even if the cumulative stream limit would allow. stops opening new streams even if the cumulative stream limit would allow.
Instead, the client would create a new connection on which to open further Instead, the client would create a new connection on which to open further
streams. Once all streams are closed on the old connection, it can be streams. Once all streams are closed on the old connection, it can be
terminated safely by a connection close or after expiration of the idle time out terminated safely by a connection close or after expiration of the idle timeout
(see also <xref target="sec-termination"/>).</t> (see <xref target="sec-termination"/>).</t>
</section> </section>
</section> </section>
<section anchor="packetization-and-latency"> <section anchor="packetization-and-latency">
<name>Packetization and Latency</name> <name>Packetization and Latency</name>
<t>QUIC exposes an interface that provides multiple streams to the applica tion; <t>QUIC exposes an interface that provides multiple streams to the applica tion;
however, the application usually cannot control how data transmitted over those however, the application usually cannot control how data transmitted over those
streams is mapped into frames or how those frames are bundled into packets.</t> streams is mapped into frames or how those frames are bundled into packets.</t>
<t>By default, many implementations will try to maximally pack QUIC packet <t>By default, many implementations will try to pack STREAM frames
s from one or more streams into each QUIC packet, in order to minimize
DATA frames from one or more streams to minimize bandwidth consumption and bandwidth consumption and computational costs (see <xref section="13" sectionFor
computational costs (see <xref section="13" sectionFormat="of" target="QUIC"/>). mat="of" target="RFC9000"/>). If there is not enough data
If there is not enough data available to fill a packet, an implementation might wait for a short time to
available to fill a packet, an implementation might wait for a short time, to
optimize bandwidth efficiency instead of latency. This delay can either be optimize bandwidth efficiency instead of latency. This delay can either be
pre-configured or dynamically adjusted based on the observed sending pattern of preconfigured or dynamically adjusted based on the observed sending pattern of
the application.</t> the application.</t>
<t>If the application requires low latency, with only small chunks of data to <t>If the application requires low latency, with only small chunks of data to
send, it may be valuable to indicate to QUIC that all data should be sent out send, it may be valuable to indicate to QUIC that all data should be sent out
immediately. Alternatively, if the application expects to use a specific immediately. Alternatively, if the application expects to use a specific
sending pattern, it can also provide a suggested delay to QUIC for how long to sending pattern, it can also provide a suggested delay to QUIC for how long to
wait before bundle frames into a packet.</t> wait before bundling frames into a packet.</t>
<t>Similarly, an application has usually no control about the length of a <t>Similarly, an application usually has no control over the length of a Q
QUIC UIC
packet on the wire. QUIC provides the ability to add a PADDING frame to packet on the wire. QUIC provides the ability to add a PADDING frame to
arbitrarily increase the size of packets. Padding is used by QUIC to ensure that arbitrarily increase the size of packets. Padding is used by QUIC to ensure that
the path is capable of transferring datagrams of at least a certain size, during the path is capable of transferring datagrams of at least a certain size during
the handshake (see Sections <xref target="QUIC" section="8.1" sectionFormat="bar the handshake (see Sections <xref target="RFC9000" section="8.1" sectionFormat="
e"/> and <xref target="QUIC" section="14.1" sectionFormat="bare"/> of <xref targ bare"/> and <xref target="RFC9000" section="14.1" sectionFormat="bare"/> of <xre
et="QUIC"/>) and for path validation f target="RFC9000"/>) and for path validation
after connection migration (see <xref section="8.2" sectionFormat="of" target="Q after connection migration (see <xref section="8.2" sectionFormat="of" target="R
UIC"/>) as well as for Datagram FC9000"/>) as well as for Datagram
Packetization Layer PMTU Discovery (DPLMTUD) (see <xref section="14.3" sectionFo Packetization Layer PMTU Discovery (DPLPMTUD) (see <xref section="14.3" sectionF
rmat="of" target="QUIC"/>).</t> ormat="of" target="RFC9000"/>).</t>
<t>Padding can also be used by an application to reduce leakage of <t>Padding can also be used by an application to reduce leakage of
information about the data that is sent. A QUIC implementation can expose an information about the data that is sent. A QUIC implementation can expose an
interface that allows an application layer to specify how to apply padding.</t> interface that allows an application layer to specify how to apply padding.</t>
</section> </section>
<section anchor="error-handling"> <section anchor="error-handling">
<name>Error Handling</name> <name>Error Handling</name>
<t>QUIC recommends that endpoints signal any detected errors to <t>QUIC recommends that endpoints signal any detected errors to
the peer. Errors can occur at the transport level and the application level. the peer. Errors can occur at the transport layer and the application layer.
Transport errors, such as a protocol violation, affect the entire connection. Transport errors, such as a protocol violation, affect the entire connection.
Applications that use QUIC can define their own error detection and signaling Applications that use QUIC can define their own error detection and signaling
(see, for example, <xref section="8" sectionFormat="of" target="QUIC-HTTP"/>). A pplication errors can affect an (see, for example, <xref section="8" sectionFormat="of" target="RFC9114"/>). App lication errors can affect an
entire connection or a single stream.</t> entire connection or a single stream.</t>
<t>QUIC defines an error code space that is used for error handling at the <t>QUIC defines an error code space that is used for error handling at the
transport layer. QUIC encourages endpoints to use the most specific code, transport layer. QUIC encourages endpoints to use the most specific code,
although any applicable code is permitted, including generic ones.</t> although any applicable code is permitted, including generic ones.</t>
<t>Applications using QUIC define an error <t>Applications using QUIC define an error
code space that is independent of QUIC or other applications (see, for code space that is independent of QUIC or other applications (see, for
example, <xref section="8.1" sectionFormat="of" target="QUIC-HTTP"/>). The value s in an application error code example, <xref section="8.1" sectionFormat="of" target="RFC9114"/>). The values in an application error code
space can be reused across connection-level and stream-level errors.</t> space can be reused across connection-level and stream-level errors.</t>
<t>Connection errors lead to connection termination. They are signaled usi ng a <t>Connection errors lead to connection termination. They are signaled usi ng a
CONNECTION_CLOSE frame, which contains an error code and a reason field that can CONNECTION_CLOSE frame, which contains an error code and a reason field that can
be zero length. Different types of CONNECTION_CLOSE frame are used to be zero length. Different types of CONNECTION_CLOSE frames are used to
signal transport and application errors.</t> signal transport and application errors.</t>
<t>Stream errors lead to stream termination. These are signaled using <t>Stream errors lead to stream termination. These are signaled using
STOP_SENDING or STOP_SENDING or
RESET_STREAM frames, which contain only an error code.</t> RESET_STREAM frames, which contain only an error code.</t>
</section> </section>
<section anchor="acknowledgment-efficiency"> <section anchor="acknowledgment-efficiency">
<name>Acknowledgment Efficiency</name> <name>Acknowledgment Efficiency</name>
<t>QUIC version 1 without extensions uses an acknowledgment strategy <t>QUIC version 1 without extensions uses an acknowledgment strategy
adopted from TCP (see <xref section="13.2" sectionFormat="of" target="QUIC"/>). adopted from TCP (see <xref section="13.2" sectionFormat="of" target="RFC9000"/>
That is, it recommends every other packet is acknowledged. ).
That is, it recommends that every other packet is acknowledged.
However, generating and processing QUIC acknowledgments consumes resources However, generating and processing QUIC acknowledgments consumes resources
at a sender and receiver. Acknowledgments also incur forwarding costs and at a sender and receiver. Acknowledgments also incur forwarding costs and
contribute to link utilization, which can impact performance over some contribute to link utilization, which can impact performance over some
types of network. types of network.
Applications might be able to improve overall performance Applications might be able to improve overall performance
by using alternative strategies that reduce the rate of acknowledgments. by using alternative strategies that reduce the rate of acknowledgments.
<xref target="I-D.ietf-quic-ack-frequency"/> describes an extension to signal th e desired <xref target="I-D.ietf-quic-ack-frequency"/> describes an extension to signal th e desired
delay of acknowledgments and discusses use cases as well as implications for delay of acknowledgments and discusses use cases as well as implications for
congestion control and recovery.</t> congestion control and recovery.</t>
</section> </section>
<section anchor="ports"> <section anchor="ports">
<name>Port Selection and Application Endpoint Discovery</name> <name>Port Selection and Application Endpoint Discovery</name>
<t>In general, port numbers serve two purposes: "first, they provide a <t>In general, port numbers serve two purposes: "first, they provide a
demultiplexing identifier to differentiate transport sessions between the same demultiplexing identifier to differentiate transport sessions between the same
pair of endpoints, and second, they may also identify the application protocol pair of endpoints, and second, they may also identify the application protocol
and associated service to which processes connect" <xref target="RFC6335"/>. The assumption and associated service to which processes connect" (<xref target="RFC6335" secti onFormat="of" section="3"/>). The assumption
that an application can be identified in the network based on the port number that an application can be identified in the network based on the port number
is less true today due to encapsulation and mechanisms for dynamic port is less true today due to encapsulation and mechanisms for dynamic port
assignments, as also noted in <xref target="RFC6335"/>.</t> assignments, as noted in <xref target="RFC6335"/>.</t>
<t>As QUIC is a general-purpose transport protocol, there are no requireme nts that <t>As QUIC is a general-purpose transport protocol, there are no requireme nts that
servers use a particular UDP port for QUIC. For applications with a fallback to servers use a particular UDP port for QUIC. For an application with a fallback t
TCP that do not already have an alternate mapping to UDP, usually the o
registration (if necessary) and use of the UDP port number corresponding to the TCP that does not already have an alternate mapping to UDP, it is usually
TCP port already registered for the application is appropriate. For example, appropriate to register (if necessary) and use the UDP port number corresponding
the default port for HTTP/3 <xref target="QUIC-HTTP"/> is UDP port 443, analogou to the TCP
s to HTTP/1.1 port already registered for the application. For example,
the default port for HTTP/3 <xref target="RFC9114"/> is UDP port 443, analogous
to HTTP/1.1
or HTTP/2 over TLS over TCP.</t> or HTTP/2 over TLS over TCP.</t>
<t>Given the prevalence of the assumption in network management <t>Given the prevalence of the assumption in network management
practice that a port number maps unambiguously to an application, the practice that a port number maps unambiguously to an application, the
use of ports that cannot easily be mapped to a registered service name use of ports that cannot easily be mapped to a registered service name
might lead to blocking or other changes to the forwarding behavior by network might lead to blocking or other changes to the forwarding behavior by network
elements such as firewalls that use the port number for application elements such as firewalls that use the port number for application
identification.</t> identification.</t>
<t>Applications could define an alternate endpoint discovery mechanism to allow <t>Applications could define an alternate endpoint discovery mechanism to allow
the usage of ports other than the default. For example, HTTP/3 (Sections <xref t arget="QUIC-HTTP" section="3.2" sectionFormat="bare"/> and <xref target="QUIC-HT TP" section="3.3" sectionFormat="bare"/> of <xref target="QUIC-HTTP"/>) specifie s the use of HTTP Alternative Services the usage of ports other than the default. For example, HTTP/3 (Sections <xref t arget="RFC9114" section="3.2" sectionFormat="bare"/> and <xref target="RFC9114" section="3.3" sectionFormat="bare"/> of <xref target="RFC9114"/>) specifies the use of HTTP Alternative Services
<xref target="RFC7838"/> for an HTTP origin to advertise the availability of an equivalent <xref target="RFC7838"/> for an HTTP origin to advertise the availability of an equivalent
HTTP/3 endpoint on a certain UDP port by using the "h3" Application-Layer HTTP/3 endpoint on a certain UDP port by using "h3" as the Application-Layer
Protocol Negotiation (ALPN) <xref target="RFC7301"/> token.</t> Protocol Negotiation (ALPN) <xref target="RFC7301"/> token.</t>
<t>ALPN permits the <t>ALPN permits the
client and server to negotiate which of several protocols will be used on a client and server to negotiate which of several protocols will be used on a
given connection. Therefore, multiple applications might be supported on a given connection. Therefore, multiple applications might be supported on a
single UDP port based on the ALPN token offered. Applications using QUIC single UDP port based on the ALPN token offered. Applications using QUIC
are required to register an ALPN token for use in the TLS handshake.</t> are required to register an ALPN token for use in the TLS handshake.</t>
<t>As QUIC version 1 deferred defining a complete version negotiation mech anism, <t>As QUIC version 1 deferred defining a complete version negotiation mech anism,
HTTP/3 requires QUIC version 1 and defines the HTTP/3 requires QUIC version 1 and defines the
ALPN token ("h3") to only apply to that version. ALPN token ("h3") to only apply to that version.
So far no single approach has been selected for So far, no single approach has been selected for
managing the use of different QUIC versions, neither in HTTP/3 nor in general. managing the use of different QUIC versions, neither in HTTP/3 nor in general.
Application protocols that use QUIC need to Application protocols that use QUIC need to
consider how the protocol will manage different QUIC versions. consider how the protocol will manage different QUIC versions.
Decisions for those protocols might be informed by choices made by other Decisions for those protocols might be informed by choices made by other
protocols, like HTTP/3.</t> protocols, like HTTP/3.</t>
<section anchor="source-port-selection"> <section anchor="source-port-selection">
<name>Source Port Selection</name> <name>Source Port Selection</name>
<t>Some UDP protocols are vulnerable to reflection attacks, where an att acker is <t>Some UDP protocols are vulnerable to reflection attacks, where an att acker is
able to direct traffic to a third party as a denial of service. For example, able to direct traffic to a third party as a denial of service. For example,
these source ports are associated with applications known to be vulnerable to these source ports are associated with applications known to be vulnerable to
reflection attacks, often due to server misconfiguration:</t> reflection attacks, often due to server misconfiguration:</t>
<ul spacing="normal"> <ul spacing="normal">
<li>port 53 - DNS <xref target="RFC1034"/></li> <li>port 53 - DNS <xref target="RFC1034"/></li>
<li>port 123 - NTP <xref target="RFC5905"/></li> <li>port 123 - NTP <xref target="RFC5905"/></li>
<li>port 1900 - SSDP <xref target="SSDP"/></li> <li>port 1900 - SSDP <xref target="SSDP"/></li>
<li>port 5353 - mDNS <xref target="RFC6762"/></li> <li>port 5353 - mDNS <xref target="RFC6762"/></li>
<li>port 11211 - memcached</li> <li>port 11211 - memcache</li>
</ul> </ul>
<t>Services might block source ports associated with protocols known to be <t>Services might block source ports associated with protocols known to be
vulnerable to reflection attacks, to avoid the overhead of processing large vulnerable to reflection attacks to avoid the overhead of processing large
numbers of packets. However, this practice has negative effects on numbers of packets. However, this practice has negative effects on
clients: not only does it require establishment of a new connection, but in clients -- not only does it require establishment of a new connection but in
some instances, might cause the client to avoid using QUIC for that service for some instances might cause the client to avoid using QUIC for that service for
a period of time, downgrading to a non-UDP protocol (see <xref target="fallback" a period of time and downgrade to a non-UDP protocol (see <xref target="fallback
/>).</t> "/>).</t>
<t>As a result, client implementations are encouraged to avoid using sou rce ports <t>As a result, client implementations are encouraged to avoid using sou rce ports
associated with protocols known to be vulnerable to reflection attacks. Note associated with protocols known to be vulnerable to reflection attacks. Note
that following the general guidance for client implementations given in that following the general guidance for client implementations given in
<xref target="RFC6335"/>, to use ephemeral ports in the range 49152-65535, has t he <xref target="RFC6335"/>, to use ephemeral ports in the range 49152-65535, has t he
effect of avoiding these ports. Note that other source ports might be effect of avoiding these ports. Note that other source ports might be
reflection vectors as well.</t> reflection vectors as well.</t>
</section> </section>
</section> </section>
<section anchor="connection-migration"> <section anchor="connection-migration">
<name>Connection Migration</name> <name>Connection Migration</name>
<t>QUIC supports connection migration by the client. If the client's IP ad dress <t>QUIC supports connection migration by the client. If the client's IP ad dress
changes, a QUIC endpoint can still associate packets changes, a QUIC endpoint can still associate packets
with an existing transport connection using the Destination Connection ID with an existing transport connection using the Destination Connection ID
field (see also <xref target="connid"/>) in the QUIC header. field (see <xref target="connid"/>) in the QUIC header.
This supports cases where address information changes, such as NAT rebinding, This supports cases where the address information changes, such as NAT rebinding
, the
intentional change of the local interface, the expiration of a temporary intentional change of the local interface, the expiration of a temporary
IPv6 address <xref target="RFC8981"/>, or the server indicating a preferred IPv6 address <xref target="RFC8981"/>, or the indication from the server of a pr
address <xref section="9.6" sectionFormat="of" target="QUIC"/>.</t> eferred
address (<xref section="9.6" sectionFormat="of" target="RFC9000"/>).</t>
<t>Use of a non-zero-length connection ID for the server is strongly recom mended if <t>Use of a non-zero-length connection ID for the server is strongly recom mended if
any clients are behind a NAT or could be. A non-zero-length connection ID is any clients are or could be behind a NAT. A non-zero-length connection ID is
also strongly recommended when active migration is supported. If a connection also strongly recommended when active migration is supported. If a connection
is intentionally migrated to new path, a new connection ID is used to minimize is intentionally migrated to a new path, a new connection ID is used to minimize
linkability by network observers. The other QUIC endpoint uses the linkability by network observers. The other QUIC endpoint uses the
connection ID to link different addresses to the same connection connection ID to link different addresses to the same connection
and entity if a non-zero-length connection ID is provided.</t> and entity if a non-zero-length connection ID is provided.</t>
<t>The base specification of QUIC version 1 only supports the use of a sin gle <t>The base specification of QUIC version 1 only supports the use of a sin gle
network path at a time, which network path at a time, which
enables failover use cases. Path validation is required so that endpoints enables failover use cases. Path validation is required so that endpoints
validate paths before use to avoid address spoofing attacks. Path validation validate paths before use to avoid address spoofing attacks. Path validation
takes at least one RTT and congestion control will also be reset after path takes at least one RTT, and congestion control will also be reset after path
migration. Therefore, migration usually has a performance impact.</t> migration. Therefore, migration usually has a performance impact.</t>
<t>QUIC probing packets, which can be sent on multiple paths at once, are used to <t>QUIC probing packets, which can be sent on multiple paths at once, are used to
perform address validation as well as measure path characteristics. Probing perform address validation as well as measure path characteristics. Probing
packets cannot carry application data but likely contain padding frames. packets cannot carry application data but likely contain padding frames.
Endpoints can use information about their receipt as input to congestion control Endpoints can use information about their receipt as input to congestion control
for that path. Applications could use information learned from probing to inform for that path. Applications could use information learned from probing to inform
a decision to switch paths.</t> a decision to switch paths.</t>
<t>Only the client can actively migrate in version 1 of QUIC. However, ser vers can <t>Only the client can actively migrate in version 1 of QUIC. However, ser vers can
indicate during the handshake that they prefer to transfer the connection to a indicate during the handshake that they prefer to transfer the connection to a
different address after the handshake. For instance, this could be used to move different address after the handshake. For instance, this could be used to move
from an address that is shared by multiple servers to an address that is unique from an address that is shared by multiple servers to an address that is unique
to the server instance. The server can provide an IPv4 and an IPv6 address in a to the server instance. The server can provide an IPv4 and an IPv6 address in a
transport parameter during the TLS handshake and the client can select between transport parameter during the TLS handshake, and the client can select between
the two if both are provided. See also <xref section="9.6" sectionFormat="of" ta the two if both are provided. See <xref section="9.6" sectionFormat="of" target=
rget="QUIC"/>.</t> "RFC9000"/>.</t>
</section> </section>
<section anchor="sec-termination"> <section anchor="sec-termination">
<name>Connection Termination</name> <name>Connection Termination</name>
<t>QUIC connections are terminated in one of three ways: implicit idle tim eout, <t>QUIC connections are terminated in one of three ways: implicit idle tim eout,
explicit immediate close, or explicit stateless reset.</t> explicit immediate close, or explicit stateless reset.</t>
<t>QUIC does not provide any mechanism for graceful connection termination ; <t>QUIC does not provide any mechanism for graceful connection termination ;
applications using QUIC can define their own graceful termination process (see, applications using QUIC can define their own graceful termination process (see,
for example, <xref section="5.2" sectionFormat="of" target="QUIC-HTTP"/>).</t> for example, <xref section="5.2" sectionFormat="of" target="RFC9114"/>).</t>
<t>QUIC idle timeout is enabled via transport parameters. Client and serve <t>QUIC idle timeout is enabled via transport parameters. The client and s
r erver
announce a timeout period and the effective value for the connection is the announce a timeout period, and the effective value for the connection is the
minimum of the two values. After the timeout period elapses, the connection is minimum of the two values. After the timeout period elapses, the connection is
silently closed. An application therefore should be able to configure its own silently closed. An application therefore should be able to configure its own
maximum value, as well as have access to the computed minimum value for this maximum value, as well as have access to the computed minimum value for this
connection. An application may adjust the maximum idle timeout for new connection. An application may adjust the maximum idle timeout for new
connections based on the number of open or expected connections, since shorter connections based on the number of open or expected connections since shorter
timeout values may free-up resources more quickly.</t> timeout values may free up resources more quickly.</t>
<t>Application data exchanged on streams or in datagrams defers the QUIC i dle <t>Application data exchanged on streams or in datagrams defers the QUIC i dle
timeout. Applications that provide their own keep-alive mechanisms will timeout. Applications that provide their own keep-alive mechanisms will
therefore keep a QUIC connection alive. Applications that do not provide their therefore keep a QUIC connection alive. Applications that do not provide their
own keep-alive can use transport-layer mechanisms (see <xref section="10.1.2" se ctionFormat="of" target="QUIC"/>, and <xref target="resumption-v-keepalive"/>). However, QUIC implementation own keep-alive can use transport-layer mechanisms (see <xref section="10.1.2" se ctionFormat="of" target="RFC9000"/> and <xref target="resumption-v-keepalive"/>) . However, QUIC implementation
interfaces for controlling such transport behavior can vary, affecting the interfaces for controlling such transport behavior can vary, affecting the
robustness of such approaches.</t> robustness of such approaches.</t>
<t>An immediate close is signaled by a CONNECTION_CLOSE frame (see <t>An immediate close is signaled by a CONNECTION_CLOSE frame (see
<xref target="error-handling"/>). Immediate close causes all streams to become i mmediately <xref target="error-handling"/>). Immediate close causes all streams to become i mmediately
closed, which may affect applications; see <xref target="stream-limit-commitment s"/>.</t> closed, which may affect applications; see <xref target="stream-limit-commitment s"/>.</t>
<t>A stateless reset is an option of last resort for an endpoint that does not have <t>A stateless reset is an option of last resort for an endpoint that does not have
access to connection state. Receiving a stateless reset is an indication of an access to connection state. Receiving a stateless reset is an indication of an
unrecoverable error distinct from connection errors in that there is no unrecoverable error distinct from connection errors in that there is no
application-layer information provided.</t> application-layer information provided.</t>
</section> </section>
<section anchor="connid"> <section anchor="connid">
<name>Information Exposure and the Connection ID</name> <name>Information Exposure and the Connection ID</name>
<t>QUIC exposes some information to the network in the unencrypted part of the <t>QUIC exposes some information to the network in the unencrypted part of the
header, either before the encryption context is established or because the header either before the encryption context is established or because the
information is intended to be used by the network. For more information on information is intended to be used by the network. For more information on
manageability of QUIC see also <xref target="I-D.ietf-quic-manageability"/>. manageability of QUIC, see <xref target="RFC9312"/>.
QUIC has a long header that QUIC has a long header that
exposes some additional information (the version and the source connection ID), exposes some additional information (the version and the source connection ID),
while the short header exposes only the destination connection ID. while the short header exposes only the destination connection ID.
In QUIC version 1, the long header is used during connection establishment, In QUIC version 1, the long header is used during connection establishment,
while the short header is used for data transmission in an established while the short header is used for data transmission in an established
connection.</t> connection.</t>
<t>The connection ID can be zero length. Zero length connection IDs can be <t>The connection ID can be zero length. Zero-length connection IDs can be
chosen on each endpoint individually, on any packet except the first packets chosen on each endpoint individually and on any packet except the first packets
sent by clients during connection establishment.</t> sent by clients during connection establishment.</t>
<t>An endpoint that selects a zero-length connection ID will receive packe ts with a <t>An endpoint that selects a zero-length connection ID will receive packe ts with a
zero-length destination connection ID. The endpoint needs to use other zero-length destination connection ID. The endpoint needs to use other
information, such as the source and destination IP address and port number to information, such as the source and destination IP address and port number to
identify which connection is referred to. This could mean that the endpoint is identify which connection is referred to. This could mean that the endpoint is
unable to match datagrams to connections successfully if these values change, unable to match datagrams to connections successfully if these values change,
making the connection effectively unable to survive NAT rebinding or migrate to making the connection effectively unable to survive NAT rebinding or migrate to
a new path.</t> a new path.</t>
<section anchor="server-generated-connection-id"> <section anchor="server-generated-connection-id">
<name>Server-Generated Connection ID</name> <name>Server-Generated Connection ID</name>
<t>QUIC supports a server-generated connection ID, transmitted to the cl <t>QUIC supports a server-generated connection ID that is transmitted to
ient during the client during
connection establishment (see <xref section="7.2" sectionFormat="of" target="QUI connection establishment (see <xref section="7.2" sectionFormat="of" target="RFC
C"/>). Servers behind load 9000"/>). Servers behind load
balancers may need to change the connection ID during the handshake, encoding balancers may need to change the connection ID during the handshake, encoding
the identity of the server or information about its load balancing pool, in the identity of the server or information about its load balancing pool, in
order to support stateless load balancing.</t> order to support stateless load balancing.</t>
<t>Server deployments with load balancers and other routing infrastructu re need to <t>Server deployments with load balancers and other routing infrastructu re need to
ensure that this infrastructure consistently routes packets to the server ensure that this infrastructure consistently routes packets to the server
instance that has the connection state, even if addresses, ports, and/or instance that has the connection state, even if addresses, ports, or
connection IDs change. This might require coordination between servers and connection IDs change. This might require coordination between servers and
infrastructure. One method of achieving this involves encoding routing infrastructure. One method of achieving this involves encoding routing
information into the connection ID. For an example of this technique, see information into the connection ID. For an example of this technique, see
<xref target="QUIC-LB"/>.</t> <xref target="I-D.ietf-quic-load-balancers"/>.</t>
</section> </section>
<section anchor="mitigating-timing-linkability-with-connection-id-migratio n"> <section anchor="mitigating-timing-linkability-with-connection-id-migratio n">
<name>Mitigating Timing Linkability with Connection ID Migration</name> <name>Mitigating Timing Linkability with Connection ID Migration</name>
<t>If QUIC endpoints do not issue fresh connection IDs, then clients can not <t>If QUIC endpoints do not issue fresh connection IDs, then clients can not
reduce the linkability of address migration by using them. reduce the linkability of address migration by using them.
Choosing values that are unlinkable to an outside observer Choosing values that are unlinkable to an outside observer
ensures that activity on different paths cannot be trivially correlated ensures that activity on different paths cannot be trivially correlated
using the connection ID.</t> using the connection ID.</t>
<t>While sufficiently robust connection ID generation schemes will mitig <t>While sufficiently robust connection ID generation schemes will mitiga
ate te
linkability issues, they do not provide full protection. Analysis of linkability issues, they do not provide full protection. Analysis of
the lifetimes of six-tuples (source and destination addresses as well as the the lifetimes of 6-tuples (source and destination addresses as well as the
migrated CID) may expose these links anyway.</t> migrated Connection ID) may expose these links anyway.</t>
<t>In the case where connection migration in a server pool is rare, it i s trivial <t>In the case where connection migration in a server pool is rare, it i s trivial
for an observer to associate two connection IDs. Conversely, in the opposite for an observer to associate two connection IDs. Conversely,
limit where every server handles multiple simultaneous migrations, even an where every server handles multiple simultaneous migrations, even an
exposed server mapping may be insufficient information.</t> exposed server mapping may be insufficient information.</t>
<t>The most efficient mitigations for these attacks are through network design <t>The most efficient mitigations for these attacks are through network design
and/or operational practice, by using a load balancing architecture that and/or operational practices, by using a load-balancing architecture that
loads more flows onto a single server-side address, by coordinating the loads more flows onto a single server-side address, by coordinating the
timing of migrations in an attempt to increase the number of simultaneous timing of migrations in an attempt to increase the number of simultaneous
migrations at a given time, or through other means.</t> migrations at a given time, or by using other means.</t>
</section> </section>
<section anchor="using-server-retry-for-redirection"> <section anchor="using-server-retry-for-redirection">
<name>Using Server Retry for Redirection</name> <name>Using Server Retry for Redirection</name>
<t>QUIC provides a Retry packet that can be sent by a server in response to <t>QUIC provides a Retry packet that can be sent by a server in response to
the client Initial packet. The server may choose a new connection ID in that the client Initial packet. The server may choose a new connection ID in that
packet and the client will retry by sending another client Initial packet with packet, and the client will retry by sending another client Initial packet with
the server-selected connection ID. This mechanism can be used to redirect a the server-selected connection ID. This mechanism can be used to redirect a
connection to a different server, e.g., due to performance reasons or when connection to a different server, e.g., due to performance reasons or when
servers in a server pool are upgraded gradually, and therefore may support servers in a server pool are upgraded gradually and therefore may support
different versions of QUIC.</t> different versions of QUIC.</t>
<t>In this case, it is assumed that all servers belonging to a certain p ool are <t>In this case, it is assumed that all servers belonging to a certain p ool are
served in cooperation with load balancers that forward the traffic based on the served in cooperation with load balancers that forward the traffic based on the
connection ID. A server can choose the connection ID in the Retry packet such connection ID. A server can choose the connection ID in the Retry packet such
that the load balancer will redirect the next Initial packet to a different that the load balancer will redirect the next Initial packet to a different
server in that pool. Alternatively the load balancer can directly offer a Retry server in that pool. Alternatively, the load balancer can directly offer a Retr
offload as further described in <xref target="QUIC-RETRY"/>.</t> y
<t><xref section="4" sectionFormat="of" target="RFC5077"/> describes an offload as further described in <xref target="I-D.ietf-quic-retry-offload"/>.</t
example approach for constructing >
TLS resumption tickets that can be also applied for validation tokens, <t>The approach described in <xref section="4" sectionFormat="of" target
however, the use of more modern cryptographic algorithms is highly recommended.< ="RFC5077"/> for constructing
/t> TLS resumption tickets provides an example that can be also applied to validatio
n tokens.
However, the use of more modern cryptographic algorithms is highly recommended.<
/t>
</section> </section>
</section> </section>
<section anchor="quality-of-service-qos-and-dscp"> <section anchor="quality-of-service-qos-and-dscp">
<name>Quality of Service (QoS) and DSCP</name> <name>Quality of Service (QoS) and Diffserv Code Point (DSCP)</name>
<t>QUIC, as defined in <xref target="QUIC"/>, has a single congestion cont <t>QUIC, as defined in <xref target="RFC9000"/>, has a single congestion c
roller and ontroller and
recovery handler. This design recovery handler. This design
assumes that all packets of a QUIC connection, or at least with the assumes that all packets of a QUIC connection, or at least with the
same 5-tuple {dest addr, source addr, protocol, dest port, source port}, same 5-tuple {dest addr, source addr, protocol, dest port, source port},
that have the same DiffServ Code Point (DSCP) <xref target="RFC2475"/> will that have the same Diffserv Code Point (DSCP) <xref target="RFC2475"/> will
receive similar network treatment since feedback about loss or delay receive similar network treatment since feedback about loss or delay
of each packet is used as input to the congestion controller. Therefore, of each packet is used as input to the congestion controller. Therefore,
packets belonging to the same connection should use a single DSCP. packets belonging to the same connection should use a single DSCP.
Section 5.1 of <xref target="RFC7657"/> provides a discussion of DiffServ intera <xref target="RFC7657" sectionFormat="of" section="5.1"/> provides a discussion
ctions of Diffserv interactions
with datagram transport protocols <xref target="RFC7657"/> (in this respect the with datagram transport protocols <xref target="RFC7657"/> (in this respect, the
interactions with QUIC resemble those of SCTP).</t> interactions with QUIC resemble those of Stream Control Transmission Protocol (S
CTP)).</t>
<t>When multiplexing multiple flows <t>When multiplexing multiple flows
over a single QUIC connection, the selected DSCP value should be the one over a single QUIC connection, the selected DSCP value should be the one
associated with the highest priority requested for all multiplexed flows.</t> associated with the highest priority requested for all multiplexed flows.</t>
<t>If differential network treatment is desired, <t>If differential network treatment is desired,
e.g., by the use of different DSCPs, multiple QUIC e.g., by the use of different DSCPs, multiple QUIC
connections to the same server may be used. However, in general it is connections to the same server may be used. In general, it is
recommended to minimize the number of QUIC connections to the same server, to recommended to minimize the number of QUIC connections to the same server to
avoid increased overhead and, more importantly, competing congestion control.</t > avoid increased overhead and, more importantly, competing congestion control.</t >
<t>As in other uses of DiffServ, <t>As in other uses of Diffserv,
when a packet enters a network segment that does not support the DSCP value, when a packet enters a network segment that does not support the DSCP value,
this could result in the connection not receiving the network treatment this could result in the connection not receiving the network treatment
it expects. The DSCP value in this packet could also be remarked as the it expects. The DSCP value in this packet could also be remarked as the
packet travels along the network path, changing the requested treatment.</t> packet travels along the network path, changing the requested treatment.</t>
</section> </section>
<section anchor="use-of-versions-and-cryptographic-handshake"> <section anchor="use-of-versions-and-cryptographic-handshake">
<name>Use of Versions and Cryptographic Handshake</name> <name>Use of Versions and Cryptographic Handshake</name>
<t>Versioning in QUIC may change the protocol's behavior completely, excep t <t>Versioning in QUIC may change the protocol's behavior completely, excep t
for the meaning of a few header fields that have been declared to be invariant for the meaning of a few header fields that have been declared to be invariant
<xref target="QUIC-INVARIANTS"/>. A version of QUIC <xref target="RFC8999"/>. A version of QUIC
with a higher version number will not necessarily provide a better service, with a higher version number will not necessarily provide a better service
but might simply provide a different feature set. As such, an application needs but might simply provide a different feature set. As such, an application needs
to be able to select which versions of QUIC it wants to use.</t> to be able to select which versions of QUIC it wants to use.</t>
<t>A new version could use an encryption scheme other than TLS 1.3 or high er. <t>A new version could use an encryption scheme other than TLS 1.3 or high er.
<xref target="QUIC"/> specifies requirements for the cryptographic handshake as currently <xref target="RFC9000"/> specifies requirements for the cryptographic handshake as currently
realized by TLS 1.3 and described in a separate specification realized by TLS 1.3 and described in a separate specification
<xref target="QUIC-TLS"/>. This split is performed to enable <xref target="RFC9001"/>. This split is performed to enable
light-weight versioning with different cryptographic handshakes.</t> lightweight versioning with different cryptographic handshakes.</t>
<t>The QUIC Versions Registry established in <xref target="QUIC"/> allows <t>The "QUIC Versions" registry established in <xref target="RFC9000"/> al
for lows for
provisional registrations for experimentation. Registration, also of provisional registrations for experimentation. Registration, also of
experimental versions, is important to avoid collision. Experimental experimental versions, is important to avoid collision. Experimental
versions should not be used long-term or registered as permanent to minimize versions should not be used long-term or registered as permanent to minimize
the risk of fingerprinting based on the version number.</t> the risk of fingerprinting based on the version number.</t>
</section> </section>
<section anchor="enabling-deployment-of-new-versions"> <section anchor="enabling-deployment-of-new-versions">
<name>Enabling Deployment of New Versions</name> <name>Enabling Deployment of New Versions</name>
<t>QUIC version 1 does not specify a version negotiation mechanism in the base <t>QUIC version 1 does not specify a version negotiation mechanism in the base
specification, but <xref target="I-D.draft-ietf-quic-version-negotiation"/> prop oses an specification, but <xref target="I-D.ietf-quic-version-negotiation"/> proposes a n
extension that provides compatible version negotiation.</t> extension that provides compatible version negotiation.</t>
<t>This approach uses a three-stage deployment mechanism, enabling <t>This approach uses a three-stage deployment mechanism, enabling
progressive rollout and experimentation with multiple versions across progressive rollout and experimentation with multiple versions across
a large server deployment. In this approach, all servers in the deployment a large server deployment. In this approach, all servers in the deployment
must accept connections using a new version (stage 1) before any server must accept connections using a new version (stage 1) before any server
advertises it (stage 2), and authentication of the new version (stage 3) advertises it (stage 2), and authentication of the new version (stage 3)
only proceeds after advertising of that version is completely deployed.</t> only proceeds after advertising of that version is completely deployed.</t>
<t>See <xref section="5" sectionFormat="of" target="I-D.draft-ietf-quic-ve rsion-negotiation"/> for details.</t> <t>See <xref section="5" sectionFormat="of" target="I-D.ietf-quic-version- negotiation"/> for details.</t>
</section> </section>
<section anchor="unreliable-datagram-service-over-quic"> <section anchor="unreliable-datagram-service-over-quic">
<name>Unreliable Datagram Service over QUIC</name> <name>Unreliable Datagram Service over QUIC</name>
<t><xref target="RFC9221"/> specifies a QUIC extension to enable sending <t><xref target="RFC9221"/> specifies a QUIC extension to enable sending
and receiving unreliable datagrams over QUIC. Unlike operating directly over and receiving unreliable datagrams over QUIC. Unlike operating directly over
UDP, applications that use the QUIC datagram service do not need to implement UDP, applications that use the QUIC datagram service do not need to implement
their own congestion control, per <xref target="RFC8085"/>, as QUIC datagrams ar e their own congestion control, per <xref target="RFC8085"/>, as QUIC datagrams ar e
congestion controlled.</t> congestion controlled.</t>
<t>QUIC datagrams are not flow-controlled, and as such data chunks may be dropped <t>QUIC datagrams are not flow controlled, and as such data chunks may be dropped
if the receiver is overloaded. While the reliable transmission service of QUIC if the receiver is overloaded. While the reliable transmission service of QUIC
provides a stream-based interface to send and receive data in order over provides a stream-based interface to send and receive data in order over
multiple QUIC streams, the datagram service has an unordered message-based multiple QUIC streams, the datagram service has an unordered message-based
interface. If needed, an application layer framing can be used on top to interface. If needed, an application-layer framing can be used on top to
allow separate flows of unreliable datagrams to be multiplexed on one QUIC allow separate flows of unreliable datagrams to be multiplexed on one QUIC
connection.</t> connection.</t>
</section> </section>
<section anchor="iana-considerations"> <section anchor="iana-considerations">
<name>IANA Considerations</name> <name>IANA Considerations</name>
<t>This document has no actions for IANA; however, note that <xref target= "ports"/> <t>This document has no actions for IANA; however, note that <xref target= "ports"/>
recommends that application bindings to QUIC for applications using recommends that an application that has already registered a TCP port
TCP register UDP ports analogous to their existing TCP registrations.</t> but wants to specify QUIC as a transport should register
a UDP port analogous to their existing TCP registration.</t>
</section> </section>
<section anchor="security-considerations"> <section anchor="security-considerations">
<name>Security Considerations</name> <name>Security Considerations</name>
<t>See the security considerations in <xref target="QUIC"/> and <xref targ et="QUIC-TLS"/>; the security <t>See the security considerations in <xref target="RFC9000"/> and <xref t arget="RFC9001"/>; the security
considerations for the underlying transport protocol are relevant for considerations for the underlying transport protocol are relevant for
applications using QUIC, as well. Considerations on linkability, replay attacks, applications using QUIC. Considerations on linkability, replay attacks,
and randomness discussed in <xref target="QUIC-TLS"/> should be taken into accou and randomness discussed in <xref target="RFC9001"/> should be taken into accoun
nt when t when
deploying and using QUIC.</t> deploying and using QUIC.</t>
<t>Further, migration to a new address exposes <t>Further, migration to a new address exposes
a linkage between client addresses to the server and may expose this linkage a linkage between client addresses to the server and may expose this linkage
also to the path if the connection ID cannot be changed or flows can also to the path if the connection ID cannot be changed or flows can
otherwise be correlated. When migration is supported, this needs to be otherwise be correlated. When migration is supported, this needs to be
considered with respective to user privacy.</t> considered with respective to user privacy.</t>
<t>Application developers should note that any fallback they use when QUIC cannot <t>Application developers should note that any fallback they use when QUIC cannot
be used due to network blocking of UDP should guarantee the same security be used due to network blocking of UDP should guarantee the same security
properties as QUIC; if this is not possible, the connection should fail to properties as QUIC. If this is not possible, the connection should fail to
allow the application to explicitly handle fallback to a less-secure allow the application to explicitly handle fallback to a less-secure
alternative. See <xref target="fallback"/>.</t> alternative. See <xref target="fallback"/>.</t>
<t>Further, <xref target="QUIC-HTTP"/> provides security considerations sp ecific to HTTP. <t>Further, <xref target="RFC9114"/> provides security considerations spec ific to HTTP.
However, discussions such as on cross-protocol attacks, traffic analysis However, discussions such as on cross-protocol attacks, traffic analysis
and padding, or migration might be relevant for other applications using QUIC and padding, or migration might be relevant for other applications using QUIC
as well.</t> as well.</t>
</section> </section>
<section anchor="contributors">
<name>Contributors</name>
<t>The following people have contributed significant text to and/or feedba
ck
on this document:</t>
<ul spacing="normal">
<li>Gorry Fairhurst</li>
<li>Ian Swett</li>
<li>Igor Lubashev</li>
<li>Lucas Pardue</li>
<li>Mike Bishop</li>
<li>Mark Nottingham</li>
<li>Martin Duke</li>
<li>Martin Thomson</li>
<li>Sean Turner</li>
<li>Tommy Pauly</li>
</ul>
</section>
<section anchor="acknowledgments">
<name>Acknowledgments</name>
<t>Special thanks to last-call reviewers Chris Lonvick and Ines Robles.</t
>
<t>This work was partially supported by the European Commission under Hori
zon 2020
grant agreement no. 688421 Measurement and Architecture for a Middleboxed
Internet (MAMI), and by the Swiss State Secretariat for Education, Research, and
Innovation under contract no. 15.0268. This support does not imply endorsement.<
/t>
</section>
</middle> </middle>
<back> <back>
<displayreference target="RFC9000" to="QUIC"/>
<displayreference target="RFC9001" to="QUIC-TLS"/>
<displayreference target="RFC8999" to="QUIC-INVARIANTS"/>
<displayreference target="RFC9114" to="QUIC-HTTP"/>
<displayreference target="RFC8446" to="TLS13"/>
<displayreference target="I-D.ietf-taps-arch" to="TAPS-ARCH"/>
<displayreference target="RFC8470" to="HTTP-REPLAY"/>
<displayreference target="I-D.ietf-quic-ack-frequency" to="QUIC-ACK-FREQUENCY"/>
<displayreference target="I-D.ietf-quic-load-balancers" to="QUIC-LB"/>
<displayreference target="I-D.ietf-quic-retry-offload" to="QUIC-RETRY"/>
<displayreference target="I-D.ietf-quic-version-negotiation" to="QUIC-VERSION-NE
GOTIATION"/>
<displayreference target="RFC9312" to="QUIC-MANAGEABILITY"/>
<references> <references>
<name>References</name> <name>References</name>
<references> <references>
<name>Normative References</name> <name>Normative References</name>
<reference anchor="QUIC">
<front> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.9000.
<title>QUIC: A UDP-Based Multiplexed and Secure Transport</title> xml"/>
<author fullname="J. Iyengar" initials="J." role="editor" surname="I <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.9001.
yengar"> xml"/>
<organization/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8999.
</author> xml"/>
<author fullname="M. Thomson" initials="M." role="editor" surname="T
homson">
<organization/>
</author>
<date month="May" year="2021"/>
<abstract>
<t>This document defines the core of the QUIC transport protocol.
QUIC provides applications with flow-controlled streams for structured communic
ation, low-latency connection establishment, and network path migration. QUIC in
cludes security measures that ensure confidentiality, integrity, and availabilit
y in a range of deployment circumstances. Accompanying documents describe the i
ntegration of TLS for key negotiation, loss detection, and an exemplary congesti
on control algorithm.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9000"/>
<seriesInfo name="DOI" value="10.17487/RFC9000"/>
</reference>
<reference anchor="QUIC-TLS">
<front>
<title>Using TLS to Secure QUIC</title>
<author fullname="M. Thomson" initials="M." role="editor" surname="T
homson">
<organization/>
</author>
<author fullname="S. Turner" initials="S." role="editor" surname="Tu
rner">
<organization/>
</author>
<date month="May" year="2021"/>
<abstract>
<t>This document describes how Transport Layer Security (TLS) is u
sed to secure QUIC.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9001"/>
<seriesInfo name="DOI" value="10.17487/RFC9001"/>
</reference>
<reference anchor="QUIC-INVARIANTS">
<front>
<title>Version-Independent Properties of QUIC</title>
<author fullname="M. Thomson" initials="M." surname="Thomson">
<organization/>
</author>
<date month="May" year="2021"/>
<abstract>
<t>This document defines the properties of the QUIC transport prot
ocol that are common to all versions of the protocol.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8999"/>
<seriesInfo name="DOI" value="10.17487/RFC8999"/>
</reference>
</references> </references>
<references> <references>
<name>Informative References</name> <name>Informative References</name>
<reference anchor="Trammell16" target="https://ripe72.ripe.net/wp-conten t/uploads/presentations/86-atlas-udpdiff.pdf"> <reference anchor="Trammell16" target="https://ripe72.ripe.net/wp-conten t/uploads/presentations/86-atlas-udpdiff.pdf">
<front> <front>
<title>Internet Path Transparency Measurements using RIPE Atlas (RIP <title>Internet Path Transparency Measurements using RIPE Atlas</tit
E72 MAT presentation)</title> le>
<author initials="B." surname="Trammell"> <author initials="B." surname="Trammell" fullname="Brian Trammell">
<organization/> <organization/>
</author> </author>
<author initials="M." surname="Kuehlewind"> <author initials="M." surname="Kühlewind" fullname="Mirja Kühlewind" >
<organization/> <organization/>
</author> </author>
<date year="2016" month="May" day="25"/> <date year="2016" month="May" day="25"/>
</front> </front>
<refcontent>RIPE 72 MAT Presentation</refcontent>
</reference> </reference>
<reference anchor="Edeline16" target="https://arxiv.org/abs/1612.07816"> <reference anchor="Edeline16" target="https://arxiv.org/abs/1612.07816">
<front> <front>
<title>Using UDP for Internet Transport Evolution (arXiv preprint 16 <title>Using UDP for Internet Transport Evolution</title>
12.07816)</title> <author initials="K." surname="Edeline" fullname="Korian Edeline">
<author initials="K." surname="Edeline">
<organization/> <organization/>
</author> </author>
<author initials="M." surname="Kuehlewind"> <author initials="M." surname="Kühlewind" fullname="Mirja Kühlewind" >
<organization/> <organization/>
</author> </author>
<author initials="B." surname="Trammell"> <author initials="B." surname="Trammell" fullname="Brian Trammell">
<organization/> <organization/>
</author> </author>
<author initials="E." surname="Aben"> <author initials="E." surname="Aben" fullname="Emile Aben">
<organization/> <organization/>
</author> </author>
<author initials="B." surname="Donnet"> <author initials="B." surname="Donnet" fullname="Benoit Donnet">
<organization/> <organization/>
</author> </author>
<date year="2016" month="December" day="22"/> <date year="2016" month="December" day="22"/>
</front> </front>
<seriesInfo name="DOI" value="10.48550/arXiv.1612.07816"/>
</reference> </reference>
<reference anchor="Swett16" target="https://www.ietf.org/proceedings/96/ slides/slides-96-quic-3.pdf"> <reference anchor="Swett16" target="https://www.ietf.org/proceedings/96/ slides/slides-96-quic-3.pdf">
<front> <front>
<title>QUIC Deployment Experience at Google (IETF96 QUIC BoF present <title>QUIC Deployment Experience @Google</title>
ation)</title> <author initials="I." surname="Swett" fullname="Ian Swett">
<author initials="I." surname="Swett">
<organization/> <organization/>
</author> </author>
<date year="2016" month="July" day="20"/> <date year="2016" month="July" day="20"/>
</front> </front>
<refcontent>IETF96 QUIC BoF Presentation</refcontent>
</reference> </reference>
<reference anchor="PaaschNanog" target="https://www.nanog.org/sites/defa ult/files/Paasch_Network_Support.pdf"> <reference anchor="PaaschNanog" target="https://www.nanog.org/sites/defa ult/files/Paasch_Network_Support.pdf">
<front> <front>
<title>Network Support for TCP Fast Open (NANOG 67 presentation)</ti <title>Network support for TCP Fast Open</title>
tle> <author initials="C." surname="Paasch" fullname="Christoph Paasch">
<author initials="C." surname="Paasch">
<organization/> <organization/>
</author> </author>
<date year="2016" month="June" day="13"/> <date year="2016" month="June" day="13"/>
</front> </front>
<refcontent>NANOG 67 Presentation</refcontent>
</reference> </reference>
<reference anchor="Hatonen10">
<reference anchor="Hatonen10" target="https://conferences.sigcomm.org/im
c/2010/papers/p260.pdf">
<front> <front>
<title>An experimental study of home gateway characteristics (Proc. <title>An Experimental Study of Home Gateway Characteristics</title>
ACM IMC 2010)</title> <author initials="S." surname="Hätönen" >
<author initials="S." surname="Hatonen">
<organization/> <organization/>
</author> </author>
<author initials="A." surname="Nyrhinen"> <author initials="A." surname="Nyrhinen">
<organization/> <organization/>
</author> </author>
<author initials="L." surname="Eggert"> <author initials="L." surname="Eggert">
<organization/> <organization/>
</author> </author>
<author initials="S." surname="Strowes"> <author initials="S." surname="Strowes">
<organization/> <organization/>
</author> </author>
<author initials="P." surname="Sarolahti"> <author initials="P." surname="Sarolahti">
<organization/> <organization/>
</author> </author>
<author initials="M." surname="Kojo"> <author initials="M." surname="Kojo">
<organization/> <organization/>
</author> </author>
<date year="2010" month="October"/> <date year="2010" month="November"/>
</front>
</reference>
<reference anchor="RFC5077">
<front>
<title>Transport Layer Security (TLS) Session Resumption without Ser
ver-Side State</title>
<author fullname="J. Salowey" initials="J." surname="Salowey">
<organization/>
</author>
<author fullname="H. Zhou" initials="H." surname="Zhou">
<organization/>
</author>
<author fullname="P. Eronen" initials="P." surname="Eronen">
<organization/>
</author>
<author fullname="H. Tschofenig" initials="H." surname="Tschofenig">
<organization/>
</author>
<date month="January" year="2008"/>
<abstract>
<t>This document describes a mechanism that enables the Transport
Layer Security (TLS) server to resume sessions and avoid keeping per-client sess
ion state. The TLS server encapsulates the session state into a ticket and forw
ards it to the client. The client can subsequently resume a session using the o
btained ticket. This document obsoletes RFC 4507. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5077"/>
<seriesInfo name="DOI" value="10.17487/RFC5077"/>
</reference>
<reference anchor="QUIC-HTTP">
<front>
<title>HTTP/3</title>
<author fullname="Mike Bishop">
<organization>Akamai</organization>
</author>
<date day="2" month="February" year="2021"/>
<abstract>
<t>The QUIC transport protocol has several features that are desir
able in a transport for HTTP, such as stream multiplexing, per-stream flow contr
ol, and low-latency connection establishment. This document describes a mapping
of HTTP semantics over QUIC. This document also identifies HTTP/2 features tha
t are subsumed by QUIC and describes how HTTP/2 extensions can be ported to HTTP
/3.
</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-quic-http-34"/>
</reference>
<reference anchor="RFC8085">
<front>
<title>UDP Usage Guidelines</title>
<author fullname="L. Eggert" initials="L." surname="Eggert">
<organization/>
</author>
<author fullname="G. Fairhurst" initials="G." surname="Fairhurst">
<organization/>
</author>
<author fullname="G. Shepherd" initials="G." surname="Shepherd">
<organization/>
</author>
<date month="March" year="2017"/>
<abstract>
<t>The User Datagram Protocol (UDP) provides a minimal message-pas
sing transport that has no inherent congestion control mechanisms. This documen
t provides guidelines on the use of UDP for the designers of applications, tunne
ls, and other protocols that use UDP. Congestion control guidelines are a prima
ry focus, but the document also provides guidance on other topics, including mes
sage sizes, reliability, checksums, middlebox traversal, the use of Explicit Con
gestion Notification (ECN), Differentiated Services Code Points (DSCPs), and por
ts.</t>
<t>Because congestion control is critical to the stable operation
of the Internet, applications and other protocols that choose to use UDP as an I
nternet transport must employ mechanisms to prevent congestion collapse and to e
stablish some degree of fairness with concurrent traffic. They may also need to
implement additional mechanisms, depending on how they use UDP.</t>
<t>Some guidance is also applicable to the design of other protoco
ls (e.g., protocols layered directly on IP or via IP-based tunnels), especially
when these protocols do not themselves provide congestion control.</t>
<t>This document obsoletes RFC 5405 and adds guidelines for multic
ast UDP usage.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="145"/>
<seriesInfo name="RFC" value="8085"/>
<seriesInfo name="DOI" value="10.17487/RFC8085"/>
</reference>
<reference anchor="SSDP" target="https://openconnectivity.org/upnp-specs
/UPnP-arch-DeviceArchitecture-v2.0-20200417.pdf">
<front>
<title>UPnP Device Architecture 2.0</title>
<author initials="A." surname="Donoho">
<organization/>
</author>
<author initials="B." surname="Roe">
<organization/>
</author>
<author initials="M." surname="Bodlaender">
<organization/>
</author>
<author initials="J." surname="Gildred">
<organization/>
</author>
<author initials="A." surname="Messer">
<organization/>
</author>
<author initials="Y." surname="Kim">
<organization/>
</author>
<author initials="B." surname="Fairman">
<organization/>
</author>
<author initials="J." surname="Tourzan">
<organization/>
</author>
<date year="2020" month="April" day="17"/>
</front>
</reference>
<reference anchor="TLS13">
<front>
<title>The Transport Layer Security (TLS) Protocol Version 1.3</titl
e>
<author fullname="E. Rescorla" initials="E." surname="Rescorla">
<organization/>
</author>
<date month="August" year="2018"/>
<abstract>
<t>This document specifies version 1.3 of the Transport Layer Secu
rity (TLS) protocol. TLS allows client/server applications to communicate over
the Internet in a way that is designed to prevent eavesdropping, tampering, and
message forgery.</t>
<t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 50
77, 5246, and 6961. This document also specifies new requirements for TLS 1.2 i
mplementations.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8446"/>
<seriesInfo name="DOI" value="10.17487/RFC8446"/>
</reference>
<reference anchor="I-D.ietf-taps-arch">
<front>
<title>An Architecture for Transport Services</title>
<author fullname="Tommy Pauly">
<organization>Apple Inc.</organization>
</author>
<author fullname="Brian Trammell">
<organization>Google Switzerland GmbH</organization>
</author>
<author fullname="Anna Brunstrom">
<organization>Karlstad University</organization>
</author>
<author fullname="Godred Fairhurst">
<organization>University of Aberdeen</organization>
</author>
<author fullname="Colin Perkins">
<organization>University of Glasgow</organization>
</author>
<date day="27" month="June" year="2022"/>
<abstract>
<t> This document describes an architecture for exposing transpo
rt
protocol features to applications for network communication, a
Transport Services system. The Transport Services Application
Programming Interface (API) is based on an asynchronous, event-driven
interaction pattern. This API uses messages for representing data
transfer to applications, and describes how implementations can use
multiple IP addresses, multiple protocols, and multiple paths, and
provide multiple application streams. This document further defines
common terminology and concepts to be used in definitions of a
Transport Service API and a Transport Services implementation.
</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-taps-arch-13"/>
</reference>
<reference anchor="RFC7301">
<front>
<title>Transport Layer Security (TLS) Application-Layer Protocol Neg
otiation Extension</title>
<author fullname="S. Friedl" initials="S." surname="Friedl">
<organization/>
</author>
<author fullname="A. Popov" initials="A." surname="Popov">
<organization/>
</author>
<author fullname="A. Langley" initials="A." surname="Langley">
<organization/>
</author>
<author fullname="E. Stephan" initials="E." surname="Stephan">
<organization/>
</author>
<date month="July" year="2014"/>
<abstract>
<t>This document describes a Transport Layer Security (TLS) extens
ion for application-layer protocol negotiation within the TLS handshake. For ins
tances in which multiple application protocols are supported on the same TCP or
UDP port, this extension allows the application layer to negotiate which protoco
l will be used within the TLS connection.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="7301"/>
<seriesInfo name="DOI" value="10.17487/RFC7301"/>
</reference>
<reference anchor="RFC7413">
<front>
<title>TCP Fast Open</title>
<author fullname="Y. Cheng" initials="Y." surname="Cheng">
<organization/>
</author>
<author fullname="J. Chu" initials="J." surname="Chu">
<organization/>
</author>
<author fullname="S. Radhakrishnan" initials="S." surname="Radhakris
hnan">
<organization/>
</author>
<author fullname="A. Jain" initials="A." surname="Jain">
<organization/>
</author>
<date month="December" year="2014"/>
<abstract>
<t>This document describes an experimental TCP mechanism called TC
P Fast Open (TFO). TFO allows data to be carried in the SYN and SYN-ACK packets
and consumed by the receiving end during the initial connection handshake, and
saves up to one full round-trip time (RTT) compared to the standard TCP, which r
equires a three-way handshake (3WHS) to complete before data can be exchanged.
However, TFO deviates from the standard TCP semantics, since the data in the SYN
could be replayed to an application in some rare circumstances. Applications s
hould not use TFO unless they can tolerate this issue, as detailed in the Applic
ability section.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="7413"/>
<seriesInfo name="DOI" value="10.17487/RFC7413"/>
</reference>
<reference anchor="HTTP-REPLAY">
<front>
<title>Using Early Data in HTTP</title>
<author fullname="M. Thomson" initials="M." surname="Thomson">
<organization/>
</author>
<author fullname="M. Nottingham" initials="M." surname="Nottingham">
<organization/>
</author>
<author fullname="W. Tarreau" initials="W." surname="Tarreau">
<organization/>
</author>
<date month="September" year="2018"/>
<abstract>
<t>Using TLS early data creates an exposure to the possibility of
a replay attack. This document defines mechanisms that allow clients to communi
cate with servers about HTTP requests that are sent in early data. Techniques a
re described that use these mechanisms to mitigate the risk of replay.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="8470"/>
<seriesInfo name="DOI" value="10.17487/RFC8470"/>
</reference>
<reference anchor="RFC5382">
<front>
<title>NAT Behavioral Requirements for TCP</title>
<author fullname="S. Guha" initials="S." role="editor" surname="Guha
">
<organization/>
</author>
<author fullname="K. Biswas" initials="K." surname="Biswas">
<organization/>
</author>
<author fullname="B. Ford" initials="B." surname="Ford">
<organization/>
</author>
<author fullname="S. Sivakumar" initials="S." surname="Sivakumar">
<organization/>
</author>
<author fullname="P. Srisuresh" initials="P." surname="Srisuresh">
<organization/>
</author>
<date month="October" year="2008"/>
<abstract>
<t>This document defines a set of requirements for NATs that handl
e TCP that would allow many applications, such as peer-to-peer applications and
online games to work consistently. Developing NATs that meet this set of requir
ements will greatly increase the likelihood that these applications will functio
n properly. This document specifies an Internet Best Current Practices for the
Internet Community, and requests discussion and suggestions for improvements.<
/t>
</abstract>
</front>
<seriesInfo name="BCP" value="142"/>
<seriesInfo name="RFC" value="5382"/>
<seriesInfo name="DOI" value="10.17487/RFC5382"/>
</reference>
<reference anchor="I-D.draft-ietf-httpbis-priority">
<front>
<title>Extensible Prioritization Scheme for HTTP</title>
<author fullname="Kazuho Oku">
<organization>Fastly</organization>
</author>
<author fullname="Lucas Pardue">
<organization>Cloudflare</organization>
</author>
<date day="17" month="January" year="2022"/>
<abstract>
<t>This document describes a scheme that allows an HTTP client to
communicate its preferences for how the upstream server prioritizes responses to
its requests, and also allows a server to hint to a downstream intermediary how
its responses should be prioritized when they are forwarded. This document def
ines the Priority header field for communicating the initial priority in an HTTP
version-independent manner, as well as HTTP/2 and HTTP/3 frames for reprioritiz
ing responses. These share a common format structure that is designed to provid
e future extensibility.
</t>
</abstract>
</front> </front>
<seriesInfo name="Internet-Draft" value="draft-ietf-httpbis-priority-1 2"/> <refcontent>Proc. ACM IMC 2010</refcontent>
</reference> </reference>
<reference anchor="I-D.ietf-quic-ack-frequency">
<front>
<title>QUIC Acknowledgement Frequency</title>
<author fullname="Jana Iyengar">
<organization>Fastly</organization>
</author>
<author fullname="Ian Swett">
<organization>Google</organization>
</author>
<date day="11" month="July" year="2022"/>
<abstract>
<t> This document describes a QUIC extension for an endpoint to
control
its peer's delaying of acknowledgements.
Note to Readers <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5077. xml"/>
Discussion of this draft takes place on the QUIC working group <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.9114.
mailing list (quic@ietf.org), which is archived at xml"/>
https://mailarchive.ietf.org/arch/search/?email_list=quic. Source
code and issues list for this draft can be found at
https://github.com/quicwg/ack-frequency.
Working Group information can be found at https://github.com/quicwg. <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8085. xml"/>
</t> <reference anchor="SSDP" target="https://openconnectivity.org/upnp-specs
</abstract> /UPnP-arch-DeviceArchitecture-v2.0-20200417.pdf">
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-quic-ack-frequency
-02"/>
</reference>
<reference anchor="RFC6335">
<front>
<title>Internet Assigned Numbers Authority (IANA) Procedures for the
Management of the Service Name and Transport Protocol Port Number Registry</tit
le>
<author fullname="M. Cotton" initials="M." surname="Cotton">
<organization/>
</author>
<author fullname="L. Eggert" initials="L." surname="Eggert">
<organization/>
</author>
<author fullname="J. Touch" initials="J." surname="Touch">
<organization/>
</author>
<author fullname="M. Westerlund" initials="M." surname="Westerlund">
<organization/>
</author>
<author fullname="S. Cheshire" initials="S." surname="Cheshire">
<organization/>
</author>
<date month="August" year="2011"/>
<abstract>
<t>This document defines the procedures that the Internet Assigned
Numbers Authority (IANA) uses when handling assignment and other requests relat
ed to the Service Name and Transport Protocol Port Number registry. It also dis
cusses the rationale and principles behind these procedures and how they facilit
ate the long-term sustainability of the registry.</t>
<t>This document updates IANA's procedures by obsoleting the previ
ous UDP and TCP port assignment procedures defined in Sections 8 and 9.1 of the
IANA Allocation Guidelines, and it updates the IANA service name and port assign
ment procedures for UDP-Lite, the Datagram Congestion Control Protocol (DCCP), a
nd the Stream Control Transmission Protocol (SCTP). It also updates the DNS SRV
specification to clarify what a service name is and how it is registered. This
memo documents an Internet Best Current Practice.</t>
</abstract>
</front>
<seriesInfo name="BCP" value="165"/>
<seriesInfo name="RFC" value="6335"/>
<seriesInfo name="DOI" value="10.17487/RFC6335"/>
</reference>
<reference anchor="RFC7838">
<front>
<title>HTTP Alternative Services</title>
<author fullname="M. Nottingham" initials="M." surname="Nottingham">
<organization/>
</author>
<author fullname="P. McManus" initials="P." surname="McManus">
<organization/>
</author>
<author fullname="J. Reschke" initials="J." surname="Reschke">
<organization/>
</author>
<date month="April" year="2016"/>
<abstract>
<t>This document specifies "Alternative Services" for HTTP, which
allow an origin's resources to be authoritatively available at a separate networ
k location, possibly accessed with a different protocol configuration.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="7838"/>
<seriesInfo name="DOI" value="10.17487/RFC7838"/>
</reference>
<reference anchor="RFC1034">
<front>
<title>Domain names - concepts and facilities</title>
<author fullname="P.V. Mockapetris" initials="P.V." surname="Mockape
tris">
<organization/>
</author>
<date month="November" year="1987"/>
<abstract>
<t>This RFC is the revised basic definition of The Domain Name Sys
tem. It obsoletes RFC-882. This memo describes the domain style names and thei
r used for host address look up and electronic mail forwarding. It discusses th
e clients and servers in the domain name system and the protocol used between th
em.</t>
</abstract>
</front>
<seriesInfo name="STD" value="13"/>
<seriesInfo name="RFC" value="1034"/>
<seriesInfo name="DOI" value="10.17487/RFC1034"/>
</reference>
<reference anchor="RFC5905">
<front> <front>
<title>Network Time Protocol Version 4: Protocol and Algorithms Spec <title>UPnP Device Architecture 2.0</title>
ification</title> <author initials="A." surname="Donoho" fullname="Andrew Donoho">
<author fullname="D. Mills" initials="D." surname="Mills"> <organization>IBM</organization>
<organization/>
</author>
<author fullname="J. Martin" initials="J." role="editor" surname="Ma
rtin">
<organization/>
</author>
<author fullname="J. Burbank" initials="J." surname="Burbank">
<organization/>
</author> </author>
<author fullname="W. Kasch" initials="W." surname="Kasch"> <author initials="B." surname="Roe" fullname="Bryan Roe">
<organization/> <organization>Intel</organization>
</author> </author>
<date month="June" year="2010"/> <author initials="M." surname="Bodlaender" fullname="Maarten Bodlaen
<abstract> der">
<t>The Network Time Protocol (NTP) is widely used to synchronize c <organization>Phillips</organization>
omputer clocks in the Internet. This document describes NTP version 4 (NTPv4),
which is backwards compatible with NTP version 3 (NTPv3), described in RFC 1305,
as well as previous versions of the protocol. NTPv4 includes a modified protoco
l header to accommodate the Internet Protocol version 6 address family. NTPv4 i
ncludes fundamental improvements in the mitigation and discipline algorithms tha
t extend the potential accuracy to the tens of microseconds with modern workstat
ions and fast LANs. It includes a dynamic server discovery scheme, so that in m
any cases, specific server configuration is not required. It corrects certain e
rrors in the NTPv3 design and implementation and includes an optional extension
mechanism. [STANDARDS-TRACK]</t>
</abstract>
</front>
<seriesInfo name="RFC" value="5905"/>
<seriesInfo name="DOI" value="10.17487/RFC5905"/>
</reference>
<reference anchor="RFC6762">
<front>
<title>Multicast DNS</title>
<author fullname="S. Cheshire" initials="S." surname="Cheshire">
<organization/>
</author> </author>
<author fullname="M. Krochmal" initials="M." surname="Krochmal"> <author initials="J." surname="Gildred" fullname="John Gildred">
<organization/> <organization>Pioneer</organization>
</author> </author>
<date month="February" year="2013"/> <author initials="A." surname="Messer" fullname="Alan Messer">
<abstract> <organization>Samsung</organization>
<t>As networked devices become smaller, more portable, and more ub
iquitous, the ability to operate with less configured infrastructure is increasi
ngly important. In particular, the ability to look up DNS resource record data
types (including, but not limited to, host names) in the absence of a convention
al managed DNS server is useful.</t>
<t>Multicast DNS (mDNS) provides the ability to perform DNS-like o
perations on the local link in the absence of any conventional Unicast DNS serve
r. In addition, Multicast DNS designates a portion of the DNS namespace to be f
ree for local use, without the need to pay any annual fee, and without the need
to set up delegations or otherwise configure a conventional DNS server to answer
for those names.</t>
<t>The primary benefits of Multicast DNS names are that (i) they r
equire little or no administration or configuration to set them up, (ii) they wo
rk when no infrastructure is present, and (iii) they work during infrastructure
failures.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="6762"/>
<seriesInfo name="DOI" value="10.17487/RFC6762"/>
</reference>
<reference anchor="RFC8981">
<front>
<title>Temporary Address Extensions for Stateless Address Autoconfig
uration in IPv6</title>
<author fullname="F. Gont" initials="F." surname="Gont">
<organization/>
</author> </author>
<author fullname="S. Krishnan" initials="S." surname="Krishnan"> <author initials="Y." surname="Kim" fullname="YoonSoo Kim">
<organization/> <organization>Samsung</organization>
</author> </author>
<author fullname="T. Narten" initials="T." surname="Narten"> <author initials="B." surname="Fairman" fullname="Bruce Fairman">
<organization/> <organization>Sony</organization>
</author> </author>
<author fullname="R. Draves" initials="R." surname="Draves"> <author initials="J." surname="Tourzan" fullname="Jonathan Tourzan">
<organization/> <organization>Sony</organization>
</author> </author>
<date month="February" year="2021"/> <date year="2020" month="April" day="17"/>
<abstract>
<t>This document describes an extension to IPv6 Stateless Address
Autoconfiguration that causes hosts to generate temporary addresses with randomi
zed interface identifiers for each prefix advertised with autoconfiguration enab
led. Changing addresses over time limits the window of time during which eavesdr
oppers and other information collectors may trivially perform address-based netw
ork-activity correlation when the same address is employed for multiple transact
ions by the same host. Additionally, it reduces the window of exposure of a host
as being accessible via an address that becomes revealed as a result of active
communication. This document obsoletes RFC 4941.</t>
</abstract>
</front> </front>
<seriesInfo name="RFC" value="8981"/>
<seriesInfo name="DOI" value="10.17487/RFC8981"/>
</reference> </reference>
<reference anchor="I-D.ietf-quic-manageability">
<front>
<title>Manageability of the QUIC Transport Protocol</title>
<author fullname="Mirja Kuehlewind">
<organization>Ericsson</organization>
</author>
<author fullname="Brian Trammell">
<organization>Google Switzerland GmbH</organization>
</author>
<date day="11" month="July" year="2022"/>
<abstract>
<t> This document discusses manageability of the QUIC transport
protocol,
focusing on the implications of QUIC's design and wire image on
network operations involving QUIC traffic. Its intended audience is
network operators and equipment vendors who rely on the use of
transport-aware network functions.
</t> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8446.
</abstract> xml"/>
</front> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-ta
<seriesInfo name="Internet-Draft" value="draft-ietf-quic-manageability ps-arch.xml"/>
-17"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7301.
</reference> xml"/>
<reference anchor="QUIC-LB"> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7413.
<front> xml"/>
<title>QUIC-LB: Generating Routable QUIC Connection IDs</title> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8470.
<author fullname="Martin Duke"> xml"/>
<organization>Google</organization> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5382.
</author> xml"/>
<author fullname="Nick Banks"> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.9218.
<organization>Microsoft</organization> xml"/>
</author> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-qu
<author fullname="Christian Huitema"> ic-ack-frequency.xml"/>
<organization>Private Octopus Inc.</organization> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6335.
</author> xml"/>
<date day="11" month="July" year="2022"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7838.
<abstract> xml"/>
<t> QUIC address migration allows clients to change their IP add <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.1034.
ress xml"/>
while maintaining connection state. To reduce the ability of an <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5905.
observer to link two IP addresses, clients and servers use new xml"/>
connection IDs when they communicate via different client addresses. <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6762.
This poses a problem for traditional "layer-4" load balancers that xml"/>
route packets via the IP address and port 4-tuple. This <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8981.
specification provides a standardized means of securely encoding xml"/>
routing information in the server's connection IDs so that a properly
configured load balancer can route packets with migrated addresses
correctly. As it proposes a structured connection ID format, it also
provides a means of connection IDs self-encoding their length to aid
some hardware offloads.
</t> <reference anchor="RFC9312" target="https://www.rfc-editor.org/info/rfc9312">
</abstract> <front>
</front> <title>Manageability of the QUIC Transport Protocol</title>
<seriesInfo name="Internet-Draft" value="draft-ietf-quic-load-balancer <author fullname="Mirja Kühlewind">
s-14"/> <organization>Ericsson</organization>
</reference> </author>
<reference anchor="QUIC-RETRY"> <author fullname="Brian Trammell">
<front> <organization>Google Switzerland GmbH</organization>
<title>QUIC Retry Offload</title> </author>
<author fullname="Martin Duke"> <date month="September" year="2022"/>
<organization>Google</organization> </front>
</author> <seriesInfo name="RFC" value="9312"/>
<author fullname="Nick Banks"> <seriesInfo name="DOI" value="10.17487/RFC9312"/>
<organization>Microsoft</organization> </reference>
</author>
<date day="28" month="March" year="2022"/>
<abstract>
<t> QUIC uses Retry packets to reduce load on stressed servers,
by
forcing the client to prove ownership of its address before the
server commits state. QUIC also has an anti-tampering mechanism to
prevent the unauthorized injection of Retry packets into a
connection. However, a server operator may want to offload
production of Retry packets to an anti-Denial-of-Service agent or
hardware accelerator. "Retry Offload" is a mechanism for
coordination between a server and an external generator of Retry
packets that can succeed despite the anti-tampering mechanism.
</t> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-qu
</abstract> ic-load-balancers.xml"/>
</front> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-qu
<seriesInfo name="Internet-Draft" value="draft-duke-quic-retry-offload ic-retry-offload.xml"/>
-00"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2475.
</reference> xml"/>
<reference anchor="RFC2475"> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7657.
<front> xml"/>
<title>An Architecture for Differentiated Services</title> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-qu
<author fullname="S. Blake" initials="S." surname="Blake"> ic-version-negotiation.xml"/>
<organization/>
</author> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.9221.
<author fullname="D. Black" initials="D." surname="Black"> xml"/>
<organization/>
</author>
<author fullname="M. Carlson" initials="M." surname="Carlson">
<organization/>
</author>
<author fullname="E. Davies" initials="E." surname="Davies">
<organization/>
</author>
<author fullname="Z. Wang" initials="Z." surname="Wang">
<organization/>
</author>
<author fullname="W. Weiss" initials="W." surname="Weiss">
<organization/>
</author>
<date month="December" year="1998"/>
<abstract>
<t>This document defines an architecture for implementing scalable
service differentiation in the Internet. This memo provides information for th
e Internet community.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="2475"/>
<seriesInfo name="DOI" value="10.17487/RFC2475"/>
</reference>
<reference anchor="RFC7657">
<front>
<title>Differentiated Services (Diffserv) and Real-Time Communicatio
n</title>
<author fullname="D. Black" initials="D." role="editor" surname="Bla
ck">
<organization/>
</author>
<author fullname="P. Jones" initials="P." surname="Jones">
<organization/>
</author>
<date month="November" year="2015"/>
<abstract>
<t>This memo describes the interaction between Differentiated Serv
ices (Diffserv) network quality-of-service (QoS) functionality and real- time ne
twork communication, including communication based on the Real-time Transport Pr
otocol (RTP). Diffserv is based on network nodes applying different forwarding
treatments to packets whose IP headers are marked with different Diffserv Codepo
ints (DSCPs). WebRTC applications, as well as some conferencing applications, ha
ve begun using the Session Description Protocol (SDP) bundle negotiation mechani
sm to send multiple traffic streams with different QoS requirements using the sa
me network 5-tuple. The results of using multiple DSCPs to obtain different QoS
treatments within a single network 5-tuple have transport protocol interactions
, particularly with congestion control functionality (e.g., reordering). In add
ition, DSCP markings may be changed or removed between the traffic source and de
stination. This memo covers the implications of these Diffserv aspects for real
-time network communication, including WebRTC.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="7657"/>
<seriesInfo name="DOI" value="10.17487/RFC7657"/>
</reference>
<reference anchor="I-D.draft-ietf-quic-version-negotiation">
<front>
<title>Compatible Version Negotiation for QUIC</title>
<author fullname="David Schinazi">
<organization>Google LLC</organization>
</author>
<author fullname="Eric Rescorla">
<organization>Mozilla</organization>
</author>
<date day="11" month="July" year="2022"/>
<abstract>
<t> QUIC does not provide a complete version negotiation mechani
sm but
instead only provides a way for the server to indicate that the
version the client chose is unacceptable. This document describes a
version negotiation mechanism that allows a client and server to
select a mutually supported version. Optionally, if the client's
chosen version and the negotiated version share a compatible first
flight format, the negotiation can take place without incurring an
extra round trip.
</t>
</abstract>
</front>
<seriesInfo name="Internet-Draft" value="draft-ietf-quic-version-negot
iation-09"/>
</reference>
<reference anchor="RFC9221">
<front>
<title>An Unreliable Datagram Extension to QUIC</title>
<author fullname="T. Pauly" initials="T." surname="Pauly">
<organization/>
</author>
<author fullname="E. Kinnear" initials="E." surname="Kinnear">
<organization/>
</author>
<author fullname="D. Schinazi" initials="D." surname="Schinazi">
<organization/>
</author>
<date month="March" year="2022"/>
<abstract>
<t>This document defines an extension to the QUIC transport protoc
ol to add support for sending and receiving unreliable datagrams over a QUIC con
nection.</t>
</abstract>
</front>
<seriesInfo name="RFC" value="9221"/>
<seriesInfo name="DOI" value="10.17487/RFC9221"/>
</reference>
</references> </references>
</references> </references>
</back>
<!-- ##markdown-source:
H4sIAAAAAAAAA5V963IbSXbm/3yK8vSPoRwARFJ3tb02W5ceriU1LbJtjzc2
OoqoBFEjoAquCylOhyL2HfYN90n2fOeSlwLY7XGEp0WgUJl58tyv8/ncDfWw
8a+Ls91uUy/L63pTD/dFuyqGtS/+9efzN8VVVzb9ru2G4qJrh3bZblx5fd35
29fyffZLV7XLptzSC6uuXA3z2g+r+X+N9XJepo/NT166qhz8a7ek/71pu/vX
Rd2sWufqXfe6GLqxH06Pj18dn7ov/v6u7arXxXkz+K7xw/wt3uxcP5RN9Uu5
aRta7d73ble/Lv4XbXBW9LTbzq96+tf9Fv/4386V47Buu9euKOb0/wUt178u
Pi6Kfxn9euPv6qbij2XzH+vuL+X0q7a7eV286+pl37cNf+K3Zb15XWzx9OJL
ePqfvT60WLbbfMEfFoDndus3m2S5H7q6bPIveLEf2/Zm49OlAM9/HvTBxXLN
3/V0WD/Q4wS18nb+47jZzC825fDX4oS/XxLEXxcvj4+fFv850tbkV8t2bAYA
/vKuHv7quw2Bk+BPt9Bty6G+9YCV7enk+Wv+kWKL3UVxUQ5rxZCy883yvvjo
y37s/NY3Q1+Mfd3cFJ/PL94VZ8Om7Isj/PvFafHx7KrYdb6np2ittnnEb493
hP+b638fAN3eA/uXOZTdDQCzHoZd//rx467e+RenC/xnQbt/fLebL1s6SjM8
Hnebtqz6x+mm+scvn89L7Hs+VruqXq0Wu2rFb2bkLU6PT57Pj5/NT5/Rh+8q
v6kbP4HUzwyBn99eFATXCLdIVO9u282I1YqjsvuP+hZg2XV1MxQnz09OF8cv
Xp48/29A518WtoH/LnD+dgC/WxRn17558Ndv24bOdhDyZfe1vl0QUj8ur/vH
8WRTYJ6czk9P6cPLOz8ME1Ayt3nr6aLugV3Fu687IjRCOl+Ug9JKcXT+7ur9
q+fy8A/t+78Vy84XsvbBU9zd3S1AgXyQXdcuva/oevvHr54/7jd15Xv9z/zV
c+F6Tw5izIv56TF9eFGW/XL9qWzam+ygn/xALO9LcTnuGEWAOVdvLor3ZT8U
P+08ocqns08//Vg8f/G3Hu/NQld98HwNtsMH7OuBDlT5VTluhserekN/yY9/
0R3+ojs8eEi6zCf04Z/KgTh0c3KcHfGsKTxfH26y3BALGysWO+t264sbes1d
eV8s12VXLolk6n4gjlockQRaEhK++Vicf3yDdY4f5esez0+Ofx8Klwvb1uHv
zxbFp/tuXT/4wAeitpsb3w0Pvv9y6No7EkoHv7+g78uu3ZTroX6YXNu/tPTh
5/dvnh2/eIGTAKfnf7q6uiA0nb9dRNmK+5NHXx6/fIZHLy/fXuR86KK5IOK5
rYlazrrlmu52ORCfLogQMxCeHs+Pn85PXvw+FM+Y4tt1+yBD+Nw+zI1+aKtN
6ZvKd4cf+Z+L4sd6U3X+AW5Fq3/0ff/Qz/9MAKy3D+7sfVmTlHvgdmnpq3bs
/qrfT6mkJQpcgtUtSUqSaGViGXfNbt7v/LJ/DFDPS4LxXOCdgnt+S/CeA8rH
T09eMN04N5/PC2KLA3Dduat13RekRo3M5Kq6X450zJ4VsvJBLW0IAmWnWtrM
reglLH5IuCzLW1+SRK63O1oFH+q7WPTYb4rK3/pNu+OlSR+gv43duvbWd7zW
ojjHiyA3K18RjlTChLFt39c3je967O3gAlv6FCzTDS2/bMbL0K42rDK08lM6
Vu8PvqBfCLy2dVWRauS+g0zt2mpc4jHnGBi//vp3+O8/EkG8Oj4+/vYNeyuL
xt8dgBP+cVtXDJKiGbfXdMx25crqtqRTVcWK4EY31y+Kf18TD6SD10Ndbjb3
dtqKGTRuArRJOo8naPd+VtSDvpv4wLLcybXVfJUksJak8l17PF4VpIGtafXt
uFzTv4kmituSRJvccQIG2gQfsO4dgbzc9SOpefT7uoGKoV/SPfUA2Qnf0U1H
T/TF1YfL4mTxhEDzT/TPkyeAzcunT58TbIYWL+vud3TlGwJHeQ9VCAyh5MvZ
tiR2oCcRxyqCfkjabXFFZ7bVaKN8fJzNjUBY3WnxpWnvmoKUP3z/GFsIjOzb
t8UU4Q1ixc1YV7gBhm6KCoqjwDIG5F1JPyN0okVdoIdwuwBtOw4RxXDRdDP0
Inq4pru+45PUQOnlZuSlPeFwuXEPbYFwlJYv+VVMFnoyeqqqO6J0Qo5ILs6d
81r0ls2mvcOPer+U99x5o/ACzKNe1ctAqkohf+xzsp85ppi+Hw2THgDOdpR7
6xmh7takNwg7YADRfZQuUoOicJ2dcwH6wiV/8kvitcpz3hOWXJfLL8Wv3630
n9+U8Pjeoezi7UU/MlMbvMLXN+U1KRF4qiN7ASzDLkU2j4PR1rf10GNrQC3S
DWjJRjUiofrr9iu95UiuCwf6dHb1KFx050kmdvh43FWM+0Dwr1Ah6DN7E+Fx
R+pUNzJbpoMmdgtrI6DTNW2h6NdA32v6nfe4R7K1CIWjYUQUBMtpRRYTfa6K
K31IB1niZXH7fXG9aQluoDIAiY64ogufFdj4zRrw77wjQNE1k9AuPAgB6Eev
aPElbmnLDLK/7wcPMlwCf5hXDeWNB84kb3Zkf8Iuq/A5NMhffw1WCpGe3Arv
iYmCLiNwJ+wxxXjXjU2jsmRod9gD3zgjma95d8TNYLzYguVy6XeMgUFUFiuy
YgnKjt7Sg9kZZGagHfq9b25od17fAPQqGNXojx6aoYAhoK0zMieZJDQGzmu8
CIClAxqSgheBDTJlEjSY9fgCBkNxdXZxGShQaZxYZVCzBuK1LNPpYolDLLua
NlvqNSj7BrS3dLCzi3Mmpy2pzTXhdyK7lM/0xGQ7ujvi3h2xis5vPC6Qf6XE
6YhFlRWpP0H28/UE/rOKxypp0ZtDqzl3aScicTWLvyBokqLjl9D/wuO4Afri
zpdfIH+ErQuy8ZMuPkk3VDF/AhBuW8LSii9A+SZkesaUGKMCrfcubCS8KLAp
nJTXA7bgU6Jm0ADB7iw7ANAZdIcbJVOiBZgOCCk8um2rcK0i0cqm3kF04oOa
EccpJtIyVVXjC4FZRcRPIrRiNlK0G+wRSwb40NkaSNYZcdiaMJpEM4t0em0u
jWfEvW7W4E8ktQd8D+2BN9ZAYAjgHQvilpbc0ev4dkRWkM5KF+S/lgDjjOEk
b+IrCuKu8TctqSesDBECk5R/8eT4hLC2bWgNZmgEpRUYC7QYQDmuUdSroCjU
zKcrIZJcGVPRIjKQ9kL/XRN9CBlAwaxBv6uxWQocIbQMzKTnGkszxcpEflVc
3wvMmnYww1Z/F68+UjzBw2UYkdC2AIg1l/b6tm5H0jDq1cp3pqkySgKHqpZ2
QAs63QV708ptoKevrBgS0jB3Jrw6/MRdO24qxmehCxfQXXAh0d4Z0pvynnZa
r/gnIJ/3Y4cVZrypXC72LPFNcu3KYY07J/WbNs+w6tVRgEWik6Dd8UqKBU9P
nnz7pkjqTBIThFmAAoNStY8Q0DOn5Stl+NddogWS8P7iWbSxVu2Mx7es55Wb
vs0u9Xj++eqKFuuZEoC2253RnlgUnwgFRXVkMOOGmN+nIjAV/kFoXf75k2yZ
9B7B3/c/kUbYOxIv0FlWIzR1owrazlHP8jvxvXz79oioniBsrwggzF+i+A49
ppoP7Zz+wzo+C2zSWVTqFdCxwIcDjAgxHXGJql8ThTMuZRob7X5WjM2m/qK6
K4MLKgkhGxCabw36gGjp7CtklKKVWd7RAo8KVmB7iF+62/uo+4t14cTYAo0k
LCLQi1kjDFfm5quMnvA9MI0QW5HNV0JjydWTpgQigFC41ieUcCbSAMhJCs8A
I9DoHOpiPQAtgTqEHwAmfgptUchVJRbE7NjY28Bvm/KW9Ar8VpRtwq9t2d1j
+fvIObZ+SbdQ91u5sS+eoARJuIXwoPUrwKtSuKwc3TZLEfYv0jEAIXkkSqjv
C1IOPV9RXAa8kamS7gyc3RH/gZk2BQQp9vCBLQdbco8zE8OXa1TNG3pxSqes
n/+n79oC9PXrd3+lf867YTB1PNhSUCyECJPr8j3AXfdrMBqoJqaEFn25Bcdd
SkiHdWcgV5ANzBWYy8pL9Q5hFgE1xkbMXIbamuBCWp1swmVSJFojdJCzQ6Y5
X3s4xW+fAJjwXyMAx9EL2OfK8UmxIowiCSgsJrB8+RgH3rW1aOq3tb9TB0S6
V91qTWD67Df8fmy38vN2teoT4wDY2fOblpu2V9HhiIyJm4iHIWWVII7uHp8T
Hn7xfseGKXg36dBx+98TvnmS5pFxzm/neJwOe+vZhj7LFa6gV0Hbv2a2tYE7
tQWmi6ks0JyBXytcy67jW3Nd3X/BEUiXJzFVlMNAeL0oLNKX+2MEpOGFan6B
nugROI2dwFyVZtFlh/udZ70l09QSr0hfrrDjnjETik/U552+V/1N/FYWsSTo
8NT887uLD2d/FgfHi2MGz3ff0b3xYc74ML1znz3j27YWoURLHG0JnkvoCo/s
6LRDFi6Qe2XdyDqK88zeoXMSz3PLEhAQ5bUDz4Q2C0h3ZDkDW4J6vmx3tTcn
l1CakvLZRCjw6SE+Ga3INBNt6MDyYnm1EFUe/pqOgU6HYmVnpUJKzgTmfpZS
YdRZivIOeEdbu2OFvedrgPkMPSGsvfgtRCBMZWVMNAxj4Hin7BuruRLI5kmq
EgmUm/u+Fl5R6n3ujB/epRiRHp8porgUOnLPFs/xtHr95sSl+NIhCKBDQET2
LKlFAcfLRpjHDFHaK0vvPZmcr+hYGsHbxFo+a9N86bR19eWULMTk+sWGJmCK
80vAu4LrgCTLphRfhCf6Xg6wnGqWx/QRL9wRatZkEW6AlYHH4WsWEDdjp6YM
3bMaBOJw1Y0IIRli4A5pjcqTnBvYISG+Kzw5h+uhF/+WaIaEJH5g+4eMhT7i
KIKWsl/17YiSE95VzBPoYkX3J5OMgn2iFLZEbYwXMPm210RSBOGqJv4+sku1
PrhNYs4tIU1DjC95wExDdo+Eh+nif2KRbVchbgjjcqLemo7ZkHHoS7NyN+ym
EMnRE4ZCNXb6g1JJiKmZSCicLuK/KAgrnOmuvO+F+v8CiMUjuuyOAsTGhimt
XkUiJeMdyAuRO7EGJo75Pr6mVNCaKcNeBkYjx7ot3EEbP3hjb9HyM+s1YA3b
sLCdiUJvwg8gGYSdXu4r87B0yc76FxJMc5ZMpJE8ILKc+8ELyzQn8QF39qx4
QFsQFavypXh3HemdpDQEz14FINRb345Dv9CAMb2U6GhgnpPaEXf1ZmNuC9LU
ArHJ00wXHLvftHe9uozVFFL1HkxC1FyW3+Fnjn35vDPYedgTwp1tpR4Djeku
1Dx79uTlKRnp/XhDmtIAAmMzECEO+RnT91BsPGyTk9OndIpmHMDXUueh4nRq
NSGc0JOCVlZu4m1lEVSLo52dgmankgoFaoJftLjMYKtg5QPyDQX1t4Yve7OZ
mx+fxcxy2TIRiV2E8KwEet3Rr7+GuDCZXzPxGae3DWIqe0Ie1dmgyX86uyqu
a7VYO/EFOoG4RyoL/4hUalY/VoD7X4AodMhugC5B3LNSraO02F0Bn63qY08W
zxx9q2FUuo6V2ORJEO5LRG5o5h0x6d6w5DVxOqfqD26QbqjejtuCnhn5Kk6e
2SZmxTV7qmHKeGxqgxhjJ4+yM9S1JJNYJCRLwjLoiD8RCf5wrwSRaZTnb2eB
okJ0SoRP114zMFoGo7oWabsGUAFYaVeccDhGEnEf+c2uB5eCKk37FrV5S5oR
tKPeqRkm0clS/BG6EmwXogBaYmRpbIYhf1SLoGEFvWWnhJPtsK6oONcuyebq
jS/yKePJjQmKjTo5bDzktY+KWkcvBYPPIwFsWUfv7KxgY+u63MAO7EgzHEMs
Vg72WMMnYzcfxh3U3VaDQOaFD74dKGazCfshQ8ocZb15t8Ef7IJYSVVPpTBn
0h3gmxdZzCAshzW7X9Nts+ZDnMrfEWPr1VHkygqajukosr0o/I278W9Y/Dei
wHJIxPgh/Nwd7W3XCkwTRhgNKlFXF2qH7lN2xZSZs8UgbPh21AYJ6HgeeWEf
sOcQz1fbCSrWMt1RpBJmq/p0dNuq7K4KVXuMfGkTGt8wjCfDPV3QweWyJbHa
iVoaGcrJ8eLEIiXsZbpiJo0NShxJXHT9a+fmxflN03ZyeA7uzUBoE5fBXNyG
wT5mtznkBZNniyQcZkumZTB+0SW27NC/F3mUgZ0DL4xF+s4/QsvBS4Hw9L49
GoJZENTnBW38XYPAmQognI0W3CAkka6DBz975ec++AKN60yfnyl3M5syKBkI
Y9KuCCZdu+vg0tMwjkhliTfe3BtLIXFJ1tYg/JajvgQnBqg49ImmwbryGLtz
72qlxGDPKZSiGVYWU9RmzGZL6eL804+EeYQUPUI5kYNDXLPL65ZNjxwt2QQi
MUfXDJI2kmMEJgsFQo8IgQxXlRpKT5Z8oGZWshhfRoo9FuCaMc8mfYe0SPMA
q+inJZHFqWJM9EsOmdCFgTZXnWjdIfskCxefJ17J2Z7jT3M/RH2TvdzjQgOs
Fbp0IIG6Y5UbnEasBhwV52OVYvJyPjKJc0nSyPSLoFaJK+LJcdAFouYcvY8i
rg2qu5H0wWVM3OQwegmScCwVmfvOcvnNcKdLXvmO36h0HFV2xhSlXXEREgXd
QsLnpNZ2MX9CpDgjnnrhN8SrfHNbd23DLz3yi5uF2Ctg2QS4R3ieVDDPkT3S
YekfxjLZOUf2wCjaIOnSkHQQr4oRKRJDctnVI1bFIsozS0mgyc7iQMmBWW9h
OISgl//KqQS3MHp2mrgj3jQWRrUa7X09jILgrCvAx8t2nDiI+SSjICQBif9G
Ki/In3n40bYlNcQ/Qj5ELdHDNKxn3L8PGjqfKDkLbmgLdz0xjXVpIIQXf+PF
U8moqtB0zHW7cac75tg2yZF/+wgUUwuZNroEiLDrDRnCRTVymgJvFboogR6Y
G/TPGRn/oBK2jBMlFb6iDfBRHZ2zlHiOwOmgBkXm9YhPA/6wH4KhnRMOlpVY
wHLzwU6LGkxO2KUtFvJv+qC4afwo2t+MFZmWyr+CenENpylzfWCN3ULc+B97
l0n2o+Dnj3IdD/xiDyQuZJPJcvgets+9g8bN20AyF61t/ghVcsPXxs2jW3Mf
cjN6G2Gv8SLjnHVz225uLaerg0XZDfZQfP2i+An+ftJodXHHIq0UVYTFFDGT
mm1hdmDhH6qqpK65ZIugaGZPcF6boOotUmzbgMKtIpM92JkDOxG0ZtKaLEnc
hHBNjWyo4znQ+TzlxNckc/tJPkCqAGqYCBtPF+Az141b1h2ZkKJ/9DgQh3yQ
tzX6ai/4U6yJhdMPJZ7zfZ5cNmNDFRiOl81Sg0vUi731lb0zp+sZfOASqDSh
xznc8rOI2UuOAfei4JLOdCgmrAFu5NLAfZABAc6hsYlu4V7fp9Si7rWIL7OQ
37Qmap23qzlb7CEOajeo7yFBKDsUemTKhXtf0JJQSRj7TOELy0siRhq0FCq8
gyXNsop+DMXEuzSvRc8sr4LkkLVDZmNTiyEk4gUJPukHM/X5GuRISlxbdiXh
lrOkovs9tYBop9mIW1wfhzcAsejJkvpq2o94sBkWQJsh2a0IwmhIshMBdCiH
Jju+/KqGgCtO/6Efd//j+ek/PMZ/5ye0vUFok38SFp8Rc/fiB1+2zFTZyWzZ
O7Qf2Rqozw/TTbC/KQTb+Zd9yHDSYBsBQGLGcFvdBmbMfEwc2szQaFcSg89T
cmaaDpusyRkMLiVzc4aJNzK/XNJQWHeUnSBmBcsJpyDRhsgvSb2l18A5YfQ1
hOPmHoF2N9WZk0f516K537DbIEBULljBdg1OITY7THjJgBYBRA+9P/9EqKZa
+uXV53dnHwVJkblskeyDi9LL2OqOqxrVlcw458LRwPpokZkk7HLgHtFRuPOC
1wRYpPaiY5NXIfCbR+wC5xGPs/lM8h+7ZKvx199b1rSFI6Cy8fmSu2JrFpjK
rgazz0NA1BzHZSN25KrU5FdobTulKlaCNGsE9orcCSn/yQWZw3zZEX0u6Ufs
OciDlPhakWWqzINiDdQFKVbgOmKABC/sfjINZ7UhnCjOJDPZgZWPSQzgQwgL
6Kh4Pri8RZVtBolADMg/bSxcP3EzISlDjZhJgrupPcp/OeJxwPJS371FLSGe
NHeYA5hpYnTiLChJlNyZNC1QHbasOegDPYtWEbnlxOMnQedJooEah7o79jec
mZDRKwthdjYYIO6QBDIFdfBvmuWsB3fwuml0JFgdM423czQtJIewp0hvkWNL
ikB6YFKFmra4GUmBIxTkbaeRWpbigovsu4Drmg0RsXPKZQfV2sQgDvpxImMD
ltO9LseOyxYXxdsQ51EOFwKqLuN1wXWpyWCS+AWPCPJzoZWuVZ3OBTQZgfT8
kl6n/th9YEUQ6YEH1rE4nMx5PYPPDpayZDuT2ektKuMG4/WgAighkYpkE0vo
RTAkmXqhBdjv657N9UlOk6yOKyCpFbRao/k2ON8bttdguNK7b3x0H6RFD3h+
yxGfEKjq6DKtklgscETJ5LeI6K7M7aLQ69iMUOnDTjuV1XxaVhf1igeVuInr
uefqIw7OLSVPnFeLGX7CQyVBD2FMF/hkOQ4tZ18zy9jgwgEmcM0l/VKILd1P
rCuxV2tc3w6i2L9iF/GEUSpepDmybu/FduRZoQdWsSznjZ8x6G0TyjaE5+E6
14Qj7IjdTTla8OX2YDK91Mqg0JmuTXKWVrUwYZYvhimAkN6Nosn5W/PSOAGA
eLf7db1LE2l6n7xWFCTDM04eYenhOX9aHbdEp0nti7pdyQQYWQkPCbvi80Eq
GLuaWUtKtgC0Q/FNOyI6UvZJ0c0kDKvXIsnH5kMlY2jQ/I4EDu5IZE2ImQQ1
N4HMLPOF6WGRhjvVo91Ej86AKxds7iv5+NH3By0w0jSIb65ENvbZ9onXxFAE
sSEYhRLHIxErO9xGGzzerBiWZHivNWRJSLmU1AY7UHKpibxUGlaqSHbr5L7o
Su4jegQzf3Inv09FjslXAotlEjFJAMgxYfgE+xhAyxUbCY0Mxb0fHPsw9JgI
euZp2ircOWgUVtDUgJWQi0GAs185QbvcIFx7L+4RAYw4sOGQ4qAMH2Cnet41
R2QFy5M1VOVBHW1wHdAH96JR2NmO8ojFc6Mb1UIeabRfXqsR/veQJB8TSzcx
pjrPGRX0IULtbFNrHmdyF99DniwjjidJYDVK5cRSrZndWQ1UkvxKB24qye8s
bmokNqjZqnUA0B/SdwqEJL9FljzqH/FWJ0axRNPwqoVLEOmQbV8LBoQqSJGn
gfZC7p7k9QSuj0W81vCEoDp9NUgOZppYZR7RWM8UXur2fmokHfWS63g61iCS
ZEgCmcQqUUS1IMEaLPppVPURinABYCtE09husLWmGnDduJgiAacUW22JlXlU
rzg10EtSfuoVbKNGuEYSJVGZUFeWhZ1YpWmqi0QD8RgYBQlhTaPtH1macj8g
uJ+lU5WNWAlpbBBJuQMiHxDs7Z3g/wXJA1gyfxWWpOgOTTz52HBCsFD0mxhH
sitTxhzkvrvYe4mEQQMzFD0l6i2Tel/law+ablO3U9h0VHPE8EDS3Nk0UhsY
LJaWasnpsfslCQM/KQx7DSXwYAUwc9BubPppKVmSP0UgRCpm0P161gbBskq2
PHUH99HTLnlsFsKtufgF1VtJGxrUb1/X/dx+jAQPzSz9Hk7VZP1uJOJwVghH
3C6x5iWtVlQmH3YCr6c4RLmjyNfhe47e8Fvj3QQDFFWayT3hakmZufUaKDIj
NNJFBksBHKHmha2e2uRdltkaPTZJQUqGWVaaE1GK7eNFQIvUbxpeLur/BoTK
lH8tbAdOJa5oIAtgw3kfql5XkQMRZe3LefXIq34fgA3J6YTyxThI7DhWcjLT
cIKZB4AB4Q5b9ZqkKmLY0F4bLXGWPNEVPcEcviluUNWEu0HmplSUSo4EoYQz
9xwaqhCfYLmvdky6Wfp0bKZbn7mAN6Ceanzo7oR1s9typcgzjz9Vn3GW+gIn
AIcdZUdMH8H0Uf7Oaquwpsg2XCC6iJdSmSclPxlo1fTu6lvTfDMGWfllzXp4
UBETy06x3zKg1XsENvsT7GD1I342kL1VA1/tD7t8TTBuk58EKJtPgLQxrWoQ
d2hIPxVv1DQhLhEnmphRhOT2FOcOWavwQI8D/PLih7AtzAS3prYD65hpfpu6
6Z2e4d5ekDgICEY/N2L/wbsUVMBZzp2YvYp0CTonvz2iCfRIcNS7sqtwZPEk
jiQwN0WW78pxl5sRkjpUgnEkKfPG1iHzC1g3zUQqo7EuO8Cb1i2hYOblhsim
W+JNuGRdi19EeBzUJzMt9nRxGtNuSJVrkwq5mMVLzOsGuRAp9PheWLVJISeQ
YRxyqVtjRj/sJYgbL1Hz3gKYcmOu184a2XtEX5IyjvwiJcE8Ud4sRnvtyVSo
GY2r6L8NdW5iTaiRK3WZ5kuWS0BcYgSdF2mdk3YVYNouK7iueqFMVvnf6FW9
te/QAYC+mOsdzsOPrAApu+F4P0/j7US3YxlTsVkBYgWNFT+nN25VdtfsbOsD
qLRQf8XlUiSpLJGeyR/6VCj8klAKq6jlFucPFR6p548Izpaom2SVVkQlB//N
gxnrhtOESXPc9vgAacrIBw9WmOzC3HbVuGRXpKQnqNYhQbeR69JyHdn4ttwa
eiyAV21LDbTYFdC1xWuqJxElzk/JeeH9REELHTwswdglzgmYpst2q0U+9JJt
IR5S1ungQ5ryO/iuRi11YfQ3RnuABxAomc9Z2NXKQHhLdj5OnGBMRlKq20uR
R1V6hsTwS/RQellSgETMsSwJnId4kfaP4PAN51umRYGTMpogKRjxpTxXrPlQ
QgQIdMagy6qX2KyIyLARxbxFwWmu03PpkcvbLAIXVTdNEJzUmOqnxvfCEm94
T6HuJJRClxtBWORMqOisSf+raqkjC57xNNxVaPeDFJB7ApYIsan/a5QKbLiL
YT0buM0AVHOHVERvaubHs//45e3Z1ZmTWA7/LYE9/jhEs8soLxTe1SIoELGx
kDyOBC651qgRWxaH8m0u6ATzaEhhSXQZlWe6YyzpZNscM9HzBHNQXQQcjkSm
CoFwi1cKq3DG0qdh0ViOO9PSGylOGdZEqcMmeN9lYec+IActT7gzb3/KalIK
0sw0OlC94xh7QAEgaJHg59qnXjd4uaVzG0K6GiZKQgeaDmfpPO4QdcVcHjNs
97fBrTHgTi9D9laufKdag8RUOUU+3UsItEjoTbWIGVebCSQ4Psvp5UmDDmOP
XDgjWRKW77AfnNe0VwabBNw10fy3Y/p2zYarwELxSESn+1mB8tlhPUdCYf01
iaWIg0udggQEznXthJ9PeU4r5qVTdYZvVx1eU9YT41u0m9/S1XDx7tCp0vzW
Do1LWWtljTGmkRJSXXvphcQVNM5uQ3QwSRhE0amev5DzKwfkarKkxhAmc0gT
4HQq9IBl6W4CEUEHnyfEJsVbzFJjdCytznKxtDItfUOVs0TCulvO9jmA4+aG
z7HSlQMpKRI7kttjtbQf7jc+3XLBBrTkeDAm5JcqiSpEZ2xulhziUwHL+CAy
uo+ENkvTQR1nN2bsTNnxQWJl84r5B3vT1pKdhTt1CYSDOBC3zGTDaoAgw0Sw
XBQ+AAk4xjzQSb7DkrXT0vSTYZ2xAMmMpm0hfyuzyVLp5Ow6E12IiyghzoE/
TPLggZYXlKjZMYzP1nAQtQvHPS/71Gxjj0xgD3C6wvRSh4gJCM6V0/RSe5Qs
5ZDSpwoUY3xAgMCYjFOHLHc1JzZ+NSg9w6fAdGeCIdwrE5tc7u8hquzPWUS+
uGrTa2dUrNetxHbCLlfapyBCSZtamHQDQ9NgmdUKlHZie9rEJRtIkZ+zbI3g
KbQuVaIugiXqcofW3g7m7JhPUqrm6nU4ID2spCgVjP2SmEtXt0mKOFG6JHZe
31vcXOqmVIMIMVWUJF5e/XTxy+W7T2+RRE2b+/zu8t2VqiwE1jfx95LtrL+1
jj619RKw7TvhlSE5pQqJ0mm7pxip+cAZYG9IJasH6bnkMr+aSKxpbn2SXGkJ
qyNH6Nla5lfGJBLHhoCkP4iTVGIgWSSv7iThVGucM3lZVreINoKvcjamiwl9
m1+25ddfdKFfEO6UNpEHvqT9Hkr7JXCchTQQXm4vRy1Gw0z+Rh97cu6hRYNa
kihB64FS+SET4Bb215PwK6KOeikKJ4fwhlim6aJdOgQys2S/n5L4WAIz1S9m
XLmcZirAzRyAb6lNyhAmqadJIS1zBhIEzBa02NH8QQTAwQQTp25MciSRphLR
8bYu8yosjoKqQ5Hh/b0TJw2xmHni35YY46R/RW6CWq2C4iYuMb2gFEpCrlaF
OSEiS3qR20/48zRfMu+15ThI2+6UQXaq+QcLXBy4UMxKDgeKcXhuBlO6AUnf
s74BnNTHn43SdqE0FT9N0uAS5lils5ZoRBohj4AKjl5J1g/F3E3wCouPYAiN
lxkk6kpqu8y+hcbBOGapkmGrUzuOoWNmjNEC912cYHDIQ9q/mAa50pMMPO5f
IRpkGkRNSTarU7XqMSschFwdRMFqUQJJMp89iWY2axKaqBycKchFKXRvS9E9
rImLvjZ6UFeThhEo2LUWBOVG+q9MHAQJ2SVqP0qIGYvZSce9XzRlRGGWVvCk
Glhg7coZQxZPv01gwmKDk8o39wfWm1wPi7LgNM7S437gCljl0jDIkNEYGWDI
b9SMxHBqZah1l3Ys4OYcVnYCl/e9Ine+H7yL/Tg5pUwzO9S7YVjqJME2MtdJ
zlnCSAqROKjBMu+asqw0TzfrbjZoZa2kW7AsXViWR3BlqvYbtxCkgvvxp7N/
P/tzSEdu9LezULlRpE9k9iuSuDUXnrPRQHWSOCONTe9ibEQbmU0kWcYoE8G9
sNvIConkAdDy4PezxduQUtIK1qr4cIFriQiDTZLRrTBfpbx2k+poM4vCks2V
iBbtBSTHn/BSzi3nGlJOPUwaG/gojhCZcZzowmr/AyLou+KCUz8seAjM/SDu
IFOetM1kFmLPW1RN6zkOBSvcOuVYeZcpyUHWFHVTU8HyxUk9TQvlqLdLjBXN
2UTDFKvdY+vqTgPkVpSKBJERtWz6rLYTksYC2vIfVaLN/eHQFbotcJ7gV3U9
4wVpCUnvEsdc7L+FRO5UbcE7UGcNx+w1Qfyuroa1MvdQh+TyOkWkcvTTxKWT
J1mhtbikTNNCuIPDgGxNRMcTgMSBON00c5aJz1JjVqUaSaXWUAOvUMzr2Pue
b99rdfRSqhQsHVhwSV1MlUc/FTbhrXku7Le5dfjBDRPPvG9K8xRIzTz4QJlS
0DVrJFUQvzuk63XcwW4aYecE2inOhYRuiGXd40ylEbK3etwvGfxj86WP0RJp
CSVNlaRwh2vCFKgW87cW1kVoKXwwFZyoM3Evk9jMixv3y+C1b15v9W9lkD9u
AobAUtKelFztyxXBvtKLsI2ulFq4ipVOyfeumqIQjKE0k00Z0sXcJWEBt/Pd
SzyEvWqU3cSAumSlsfopDq7WspvdfhXWInQ1Fz7DAInJWGUFnfji7O3bULSL
3ZfddU08o6u5CEQzkwcLhHDTTyF7Yn2VFfeznLROrFzBFEx2Jwlyw1oKynai
UGoYZeW7zkIJJIslxy20rClDwQDWnmntqxRlhNaYOU33xcvFCbPhk6dZHwVJ
yWCnD22FyyRFERZJkMiIWHw7YRcv0wjxIzjM0L0G/8V73+oRXC4RPrCecfHx
6ufibd1zLe99cfT24gN98vbRHkd6ush4knMG5ICPppXslWelBqEvv3BC/8rt
5zQG55IF7KVh3tmhhGXrjsPNLhs3kWBWo9gcLqyxan3ND5eik52ch2XnOy7S
+ZOmIanATPKGeJHofZBULo47iusWtex4BVsNppQv5LV94gfT6HqSq8RunUN9
RvmbhYujlmSBmDNWxpintOiUZIrYWUXdtmn9z2/E/JL8sZgrJ8VL0T3NeeyW
x8ZKyUwLrDRjOMHRvVzcLD/UR9DolpHDM91x0SblpCHXRqq+eK9857LLZYvW
pruAE8YMeH/8REgzk2vYTxlTJxMKm9mRHm9cWTUHitrQ/wHjDmjVmSs32scK
KGHzDrgCtmIhLmMBuKds7PvPFVH0CtIs+ryBYmZu6aXYOd2Bc05K5CSGqy2m
coMmXJk7dGWRT8VLQ+RZG0MgBJhTWIS8kx2ptdJ5Br2WMyV+zIjv6uiUDwQb
CAhvkvaogiFWnpLa21H55f2JG0zwMjixSvfmp0+f3r25Ov/p0y9vPvx0+U4k
S+wVJ22fJggkVb1SOkHqleesZElpgIcKPWpV4i2IjZrDPXQEPbwm708tOKfM
IyLftKVyAIZ6QyeAsFT+CRB6fwAKU0+uSz25SRV1AhBtMpMChVnkWcj4kfFl
QUtUeoy1K1Z0yj77XtFZKLXMX2L9blxZkSIKWoWmjd5xe/pxJvGQ386YzwpS
wqelqYfgvaohCJMnyUpJZ0ct0bQO6Rp5iSNGsr2GkDy7uYlB0LNOe2ZyiEBi
TFYONQGXNpCs4ZIoNHVNOmL24lgSp359PYraSVzqSzEOpCFZwmKs9pQZSFni
kxTZkWXvAiJaYk/OVvZ6LdLLSCmTN/D4nPhWdx2atEWN1q4sTNpInDqWljIB
3MKloyhkmubyyzy04klmUggxGtowsiuxrDU11FdOVN79dSRCHnrd2SCjPlWP
sikUK2amaO4sCoZptnKRrB8R5sOyBpVeSoNNFYKpKHtnOW9Rrfr1O1A2EsnS
PhJM7VLy1osrtqBLKnZjx5b56+IPHCCbiWs/qPt04rx4I6tXS2s1Us1CW37k
7Z1RnuAw4YArvEy6SeBAgme6OMwiQVlZbC/hOSgf3N2/7Pt2KRVhHFCW5Ftz
40tEM8iBP2jXyOdPnjzTSuEkH1Tz1ptDCSXh5CH8b3UJmVWZwJnn0SAOPXTc
0aCic8XeBtqz0y41eLxEj1bzlV/npOSIEW0WpgSQbR6aN8cDOcRurI9hadc/
12s+NOssybnjnnVJ9yo2XMRt36u1mJR9ofFkGIAkswjeT4smdDpXMmvCgcNq
L3EpCNWSLcn4agLB+9D0amilp6lZglCfOmIDzA6sMiZUsIiNM8ZC0rBPLfjM
e/BpjQB2JQJRtyMLcNZsCKPnFfhpI7VJ1IM5BnuCIoQOjfDCa8L2nj59MuOu
zu0NsndpY/yTk8WJs5+f6lSBfBSP1BlJLjkazFj/0iHDbaBKGAbFZTI8m27H
He+CLZNBaosk/pEQ8VoyiqUibdoOA+BTcDPjCToLe4/KHib0tc9qohPgGsli
nK+m45uyEQrAgzopWbnBNZgIsxCJub4PnaW8Ds0JVkts6hjMjwnJTst+nFF9
8APlZT7sjYlKcsTdkItcBb6cxSzZaGREkV5cAXhJI8sEjRYHayOPEoOflBTm
hk+i6Wx6tBkM6vwY45in1F9EQoZvorfhNy+fvNQ6n1J87aiMv6kb8ZpoAFqQ
LG1eyq0tCrARRsXBujQEiHA2h7k0AvYHgY8X/mH95A+pmJuz/8DZFO3iUzKH
4+jsw8WnR0U2sWdov3i+LPrKxqJJPEIc9CJyLBwZU7+1Q/kqZB/HLCcrbR17
a94k9ZNpX6q0hDa4s8uDOlAYBSLvUiszQiMVKXwKPhKa3oBq8okCqcXmJNTN
TLwSX4iQGi4leRGuFYigogwcJTiTEiESFesKRbedV2y39rnaFNseS+ejBHSf
GQYEf+nk1ZJdKBY1LinZ5hEw4RFHSqz9pFbFEv3qGxbuEvPOOogvhWNoCBYS
XqRFufYNCUnyCTnEBKZ0dyRvG/Uy1xZwonX4L5WtmZZ7aLiDzGWS5kAudCJY
ayg3mba42Vgb1wc2s3BvtTrIele2fTqGLGCXuLs04Wbdgqrp1aTPWZZknEg2
kyY8cjRNhGELY6J5aqYPY2hYEMh2O24a7dYotdlBVZV5EdYoq7RPuGuxsx/k
DX9FPKDtdMWqxr04m4gJ1zLOUMXFvsBFoZHsW/iolmqbZiiKSEozaW/I7Azu
0Bl0aNSobZY7qcnps6kCr537eyHfZ0+KefH206VypZPjJ0+/fbMvT07x7aer
C2tg/ur4WfLtq+Nj+hpTiGGD0n/id8+e8Iu38c3PXzw/TX57cnpyggf8dsnZ
GGhJKUzdcIOzznJATYAUbzeBkPv9Ww4hZ46tEHysmUti23JyszMrJPWi5y2z
g1LC7QL8jQgor0F2Qkbh42S1QMdg1sB5z7XNsPSTATc2bisLmXJj28ZxVNo6
3fU2ay52u7aGjXa+NAnIGq2YFsODeiapFHESXujnjnEMKSWZyyEMBZXMnp5V
pZ4DitaVcFqt0fnoNKymm0wv2v23Lvp3yVkGjomhFKeyAk7WZCkb/frAtkV2
1jZoT4yXmXk6/Q5l0Sx/GUVVSHVckvX01cmz0//3f/7v82dEDjMbteF0wgYu
GgDQTfV6+GRMmqWJpzQQ8pWT897Sf+H6Ugue/VCJh/CjxUesuFIEen84hpKN
oglp//LnH/vi/CJ0LVcVd7ZXzsu9OActfpSLDAFj4W5wX+is1mjnJduJ+tVb
uB20SDo50/lbJ17HNOKPF9QV1Ei9Bt4WiBulExyRjWdnn4fye+ten4RewuFM
I8+a9s5cSChBrFoq8NSOQZOQpOxbEgDyxAWSGxhw0pEN6M4vbp+HHQiOvXz1
8gQ4FtJ1mYdrvFX0GWk8DD9P/Kl5AV8tnkcnIOpJRW0QWubpYRqLzGYKJNnB
shynCLWkpNxH1yHM+JWD917ZmiQZ+HXN/mDAiJ2hEvlFjOq314R0xd0dXEna
dErn4Iif8RJ1gl2aL+I0lVtvBqn3tc7HY+35Tjs572W68F7iPBTNVnBwMJq1
EM01i8d30opGyXS/pH2aV0SLmNMyqk3J/NekN0ZyJOicOBBtof79W6zjpE2t
h4OCnk+9DcGPpJESZwEYcSTKpoWVXDqZUqYgicTIZ01i9C/b+8GvSAbARR7B
lXwn1fv7dhI1dPqg1xmYGpcfZaaZpoopzhPfaFcSqVKOP13LSWZgiFAjPcXa
6B5wakrFtkZtuf+ZJh5hLy4gYdaBKKKmeX3WEnZMS27ZGb2IE/uu41CFPvVa
J53z4qxfhgPEAfe3TYMklp5qAEmAnLhztzL1Wq6OmBVUFpL7dPQlg0y248K0
MU1Mks6o0+YvUEV0rqKFQjREHHrEvgvxQGuvfDCoXWux4o6nTdXNbhw0gjW5
ltglTqZgHHBsTBdB07DGIiUG79A70kFP1+YFUJJJKMEDCzjzZKlNNo6Ng6+W
tKv8pDjUhizRDc0VueQgvCbKVFZFnqZDaENX9mRbtyhLtTiQQVu6PdZRxDEq
0TBmqyM2RZ6kChufI1J1DKI4jCRmGax5xjexvZjvpqdS19rkByNnC1sdd5Ba
sgXhlPph2suQ/kki8Kml5mbiEJFUdyDvP4Vk5g+Iqf3x6sSeNv8+O7IQTiBe
ypUk0sZfOWZxGbWJh8RppltdJT1cfv1umnKo9J4m1fNYkKzAgzPmoDpgVghK
cl9r/KUesmT7WdK7I6adIz9yluXhc90UO/OZgf1G+9fU0QcSiyngB4PI3z80
2PNwUkR4W9rnRi0sCbC7B3IinsUoZtKhTEIFafVBbQ1CpDLhYIFI8WbqR3Ng
b6NMj7M3qRlk2BMKcSdzIvIWUpDuyfwYQyzJAiAutTfcSFfxm3LXy1CvySud
TZPVDFo0Up5O1bXx1MkYXhu1p0mF3AWCbiC0j+QdzVKJIBEM7rtgaoekX6LA
IZtoJUdHw7bEezjZFUfBKh3DFdthZneF9+RDpPvcdRh7XHKmsWC0OMKS38ys
qZxMdLARD5Z6gZ2gjc983MX4sySjIqL6RUospyLNfxUNvorZ6dYHIua5sVex
j2ZFOl/oUJeApGeZEkQy4ysJoXGvonivPGCunPZos8En+8toaCpbzU1WMyk8
bSCQ7CJPJHCYaZSmEkjo8+HhtI8S0XcgKy3mofVagiazTdjwh32VlCdbdASb
vpX+f0KNmlsvU78aYC6cbGydqQ9V8oOaKXtkYWb5Hpxg/kD6yZFM4OWMjrll
QUmm8eSNVtyT5L2zT2Ip7RxCmquz3tei4TGhaBpXcpPW2cZyfZC6P4+1H70E
S6eMnQN7YQA85x73A2O9hvH2GgYFEQDyd5H8EzzjNTD/GBkaYmoeXtasUTVo
0QtYswGYH2lGXDaga7mXtFQ3Qf0J9XL7NR+pXpfYNiSIz5Nv3iHpkQcxKBPP
vAUknNU7MEnzV5daMqC4zSLm6kkYG21N6cXba+Ojxbkwi/ndodwsaWWpzeJY
XiWNDRECjKPqXN4g82DTSfXNhG407y3TPv0tuqmybz4Jc4nfJ+o2k0ST7Hlg
mzhO2IzhJGk5pkTZM8gl9drpHo6wTdOPQytm8WNl9uqjmZOx9/wAJ93rWrZM
a9p4lXiCsnfwRKrcnp2pJyZu3ax71RxTXEzdrw9uJ02TTMs0ZGCMpPwll5uK
SzHDczNdbb0sT+4/4x/501aA5ZaIonBZDrcdThoNx+m6Mw7TNfexXSoaqUsQ
Oplp2jsbPG2enN+BzKHGVaJaA0sedkhoowdpSmMmpngBXfqrh6+XLYewcJh6
zg4KjhAlmJf2igwYp+34w+ujD1My2pKgOtnUIZUn5PslOp+53ehBrfEQowpN
DgIvSy6mR490VdBoh8t1olFknLfPG6DW1sVGFRtRUGZOy3gnmmPaOCau9+C4
MbNhZd6yOsVs4i9U5PmPYQJG7nOdOJBt/FMyMSO7ullWzGSKpijkWhvwELpN
Uxtf5JmNutHefI8Ya+bCAE8WtDbkJDQBn9LgIXN8Fma5SKF6pZ43a/EW5gTu
ezSgdSdzRNnB0yJrqW5cKO60FnVRqOY/WUgczGeVlEIu+YxSxlxxPOqM02Iy
49TiuGk3BnYDTJ5bJiPq+F2EbkanmS0fZiwVoT/2BKh8qlmoTAyuTcnpkwS6
x5JOmHE3viGlJwlwWGxs2fJwYQ1N2PgjvXskhOaHQUl91pl8ua79rdwyn5zH
dvVxYE8yHzYK3yaYRBkbeq86lRisYbJyqJOG1wf64z+x4frhh3/MhSzubx7u
T1wJ3xUfSXzeiFf/SuY/fkh8znzxuSKTRHPOV7nT2SbASoc/GEL9VJKwYGwC
zxdXn8u6f8TV23CFeXwoRGe2C/dm3Ur1tDIqyc2Ci7KRVwkvgqI6Dtzq25zn
ipj2k6XMas47tIjrUx2SPDKDHpLqSaTG8SBxF4NFE7XAyZjIOMiUEZyHBuec
wFKcW+tzrEk0W7mcPA4g7RM1AXRifoF5JwPXYSmXm/seE8akUm9TrzyMRjFe
6q+hRfcDoipGBxLrXRwPGtd4Q0oU87s4oqCXawSB3N+V91yILfBBKCAMW9uP
/dVNnOgH3sUSr4STWzonKPidWhd2k3zBIdIHH0iOdNyDDhQrlX5a04gGOzXD
liuVeVeSmK5vlTmMabltjX+WjUfSYdh1rwxHmtty4bFlPdgoUps6FjEh5d82
zwAFKz48oHdfJ9NXkVYqgQab7svFLGYqyGQe616XdgqwJIFZpJ5yKivKjngV
8CbU4eEBm8qpo+mHdEyLiF6mKUUTfn9kmWox21zZVQIzK1KRqQ/iGU9KB6Mz
JoW5S37PESCJjUsciEEkAEn6PgmT+5mPrILtsx9kIAX9K0y4iJER6xMqj6kS
mzbuNL21jC5m63Hjra5MdQzrR6P1m6kLGjixBO86UPaOMJpoc1akOXErq06L
DV7fh6Lc0Gj+0OLSMSgK03lI89pTdrNmppO+Bp2CjAd0Z3GBrH1sx54YjIoN
M+rScJSOPCl4JrhvQuL0Hv0zI98hIYSWx3/UxMinIwGWqtgk0Ykwi8WiI24y
OVh4ivRH1vIhdqgEzQ72W0hEsTRM25fTkmiMzmwDsR1UlTQDRDohD+s4hzZ1
QLrJPZylwQrFlH0dUplZhqywQFywBbK9GOZYKhkb81/3cCW/TxfxXDyLBAGk
VaYF1AeWYqc8r8NTw7npn2zU0V/8LBKNtSFQHFcmefqsw3x+d/X5z6zGVOMX
L2oMo/1c38BazKTlL/LEjl+82K9XEbUpJDyqIzAO+EMkJ5lNSgxTdNCE9tl9
IZO9Kx3iEwKenIbZz/LGCxrFZia6bSvUzLNbpiVk3q0xqm1zg57ma+msoHNG
kywEDvj8K6G9KkSapVYc/Wt7Kfn7by/fXAj7ktakYTpBaK0/U1dKnPc5CXBu
pDDKWT2Nir4utBEQwdJLYVWgFNPSQ015ljPWdjHsbX29HScXPBOto/gVmgbL
jlkwlfmPWHHBT4CwZ2ka0reZUxNAO8Pza1HnB/CQtK+QkwkD+AjQsZTn06cv
nhFasMfbPAK9VNTvz0lRR/+KrBiuxxAji0cqy0C48t7Z/KVYwzZqA8cQTVaS
3Qd4GsMPoe+M5xxIxkjH2ob7xBEx1tmCVxwP1iTv589e5O2vtfJK/aYBZOwg
16GOkiNlfoIDhTB9/vajWtlqx5OkB/UmxhfK9Wuxdu+30k+z1Rm3b64uHrGu
7Jt8+k3Qu1j7mAyt3UM3EW0q0wASDSAl8+7WPIN2L7uPDXBMPQCq2dgDHZGp
ZA5sD3vz0r2yl1YXSWHX5gAWKfmgGawTeahO1L1kauy5T7LhOUc9ddCkKJFo
ESqdkwhIzLjWdvJpVlPaDCVXtfZixfsLcjMSyYGJ3ehCBmuJujTxByO7jLQ2
HmWIyJ4f1Lc3IQTJ3UQUmqUARzUSvIQ7lOd1mDMRWMVj4RTQvb/RuTFpfCE2
4vcJKoBpBIdZnBU/EarSENjCD6krPlwqWkVqcxDR6RJ0M1rQDS+1AZJl9GzL
7otwCBCJiduO+BhyxKUhSLKkZIuxfyI23DTEjCOdkpHR/2ZaD0TDm0zU/Mmc
TM7pU+K1kYsXhTS4qozW/9gnITEtYsClilvXWWRax3GJKMAcUXVbc5JkX0Ru
zSUGlV9uyi7EFuoGs/AIW0iU/x0L/vNP/3b2+fzs09XlP3I+4qtXqEA8Cw52
xVbN5rSBN6G2QlCadR0ZWCAFb/UmKdeEN2fwneUjzxzPPmPnj8xxTx5Nxlrp
tG0kNhRnUi+114uFXcQ6gTM4QyULRHy6U9UUZBoG3BMNcLgNRoGdKCYZcVAt
RHZsKtIQKqGgxJygsKlTqKCuV6cgxOKmrHYxZBdk2JLktPRxsiN6T2+IdXAs
yNbKx82qEm+jRNPEv3C/9Etc7Ktj1CCpltETAAftwqA1GYO1XyYjnS5mfudl
TF/EXhFV4XoeOIK15mdYBwr5LIWR+bSvRG2ydiXIVGdc6MWaTgsqe+2rgdSK
EG5e2Kut2Qf3AV655LFNUjbDje+VX8YcwyXi01y0g9Bi+J0LuKOCTT1TrHiA
f3ACkAx5DpWDpbS2ICtaVgj5pcxQ6v4LEBGJjL7D3F/m1VlyRE5Z0osFF4MH
3wZHMd7yibDWILzXciAyaO30Uv52PZSxZ+zFZZgkJQn747fYRNB3zpN3ihJk
ndVcUryedVYDh6PnQbMHNsZYZOWs0Pt0cAqnTs2lgWl0mydlXYLFnOOofU+h
ekIP5KnfTTXFIMHroAqEO5dOHa6U8hDTAuKaOr892eMss2lrK5W0H7gtvJEI
xe+GTPablyjlQkdyxJNHFmfmwdya1GRljlxaok+ePtKxwCO8vkMSsBcht/fq
J48cx1s5TQtxNkkttJerhElL2mQKg8klPZnMks/iN8/ww78BW1bSUKesuecx
5Gucr2Wdm4IxxqopCySt0nh1enqSMVwrUUibJmhneXXfuNiZAsdMxnklva5s
nQVth4vR1PHAcxvN1MZ1cBV4uZetY4U6kpFnx7CSHHUmW+Aq5NC4mEO0r8HN
wFoI0JDTxy+5NqXs8wXYXXmghwOPhHb7j0rz02Tmz8a6JpdaoSwt36VdnOrA
FZH3DvN5w7QJ6UteC9jgLYCS/O8hvB7gm0XSDRamYSSmk6bHCGPMxpf1OgE+
xJl1TKU2VeUbycdfJj10/f5FsLmONrE2eEybzMvaMZuJ6w9sdPTBrlpILLJu
YElJLjcaJk2e2+QGWa1e3tVh5BN9JrWCWkkenRgqmhpz9umMR7+ghFNQULln
1S5H5o8y4LYwIxEUh199XwQPShMqkX79VTp1fHPTdl/pmTXG3Ged9vaTRrmF
Qaj2tUriPu8oIDgfyoTiT/Q0LASJu4xsLk5PCuYjFqk+sMweyNUMTm0LitG3
b99nP3WTn5q6hn7LnTS13TfRtY/3xt9CqeBau8O5syEtczE5A243CTthCMUO
HV2silH4Ff1Pu+VkOGvpoipUcpzUBC+/eA1wal99mw4Otm0tfuLuCMjvxUGY
1jlIYSBJD4sO2kjeUnZ840Oo1qrY94pcRHJyO5E0doU+JPIKKQzSx6Ud4eqA
AzbGBkMOZ6eEhNx71szvUP3PrZgtZqhzKA9XFWm2fEg0ufYBBcxloZ4W6RwP
qkZH9fq2XO7ll6JvF4REqi9aBwuS3rHdCKKJo4TnmpBVjeCssQ3144dWLqHl
xIpJSF9/MxIvIf6U+OUCIiejv1VEfC9AlWk4HMjUiTh7ycn6etT3RM6FZyYN
DZPeyuLETDuqIOpFaDDnHeGGgwdbMu/TstIU9fJOJLED8wPEnfapxm+SZlbR
/RZ7bUAgQq2bR+INlcIaKCg1jMtEp+Uus5hKo1FUGyERqf5Qb7m0A0JesCmd
rdquF2sp1qzufAvJxQZ87IAlPQZZJYdZgTgCR9o5/Gh+U2l/nrB9Lv3+sUVt
z/uy7tZj1w/0yTkJqMs7Msnx7xt6wYeRhN3a39LfH8Yl7fSi7AgF6c+PUHx+
IHOt3eGvkpDxU8sjvNblVj6hP4q34xcf/7pat9ueLNC/p4uGmTx2DQnlvy+u
SJjc07tHsm332qeBkeMuubVVCWUD9XNlP8zRLbfAfGl/B9p6syYrqvjQNiS+
vzBXOUeLhs8YW9eb2cBkcwdbLIyRib0t1Cv4bgSNlI1M1RCVhBl98ae2q/9K
f50enx67G9BYQYLZy9jkpl0Uz1++fHp6UnyUYqvQtP0sjetKc+GPdUWEcd2S
DHfn0CWIpoujj2cfz1Vf181cEuPqi0ueg0OSriN1GD18+C3vqtEssc++94ge
82/phU17q/VovHFGGLRCwyZPni2OT5+/NJNf/XTBLhTHCwl3QkIvrq3/D6hB
sf0/wAAA
<section anchor="acknowledgments" numbered="false">
<name>Acknowledgments</name>
<t>Special thanks to Last Call reviewers <contact fullname="Chris Lonvick"
/> and <contact fullname="Ines Robles"/>.</t>
<t>This work was partially supported by the European Commission under Hori
zon 2020
grant agreement no. 688421 Measurement and Architecture for a Middleboxed
Internet (MAMI) and by the Swiss State Secretariat for Education, Research, and
Innovation under contract no. 15.0268. This support does not imply endorsement.<
/t>
</section>
<section anchor="contributors" numbered="false">
<name>Contributors</name>
<t>The following people have contributed significant text to or feedback
on this document:</t>
<contact fullname="Gorry Fairhurst"/>
<contact fullname="Ian Swett"/>
<contact fullname="Igor Lubashev"/>
<contact fullname="Lucas Pardue"/>
<contact fullname="Mike Bishop"/>
<contact fullname="Mark Nottingham"/>
<contact fullname="Martin Duke"/>
<contact fullname="Martin Thomson"/>
<contact fullname="Sean Turner"/>
<contact fullname="Tommy Pauly"/>
</section>
</back>
</rfc> </rfc>
 End of changes. 169 change blocks. 
1436 lines changed or deleted 416 lines changed or added

This html diff was produced by rfcdiff 1.48.