<?xml version="1.0" encoding="us-ascii"?>
  <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
  <!-- generated by https://github.com/cabo/kramdown-rfc2629 version 1.2.10 -->

<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY RFC2119 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC8174 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
<!ENTITY RFC8484 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8484.xml">
<!ENTITY RFC1035 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.1035.xml">
<!ENTITY RFC3552 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.3552.xml">
<!ENTITY RFC7258 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7258.xml">
<!ENTITY RFC6973 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6973.xml">
]>

<?rfc rfcedstyle="yes"?>
<?rfc toc="yes"?>
<?rfc tocindent="yes"?>
<?rfc sortrefs="yes"?>
<?rfc symrefs="yes"?>
<?rfc strict="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc docmapping="yes"?>

<rfc docName="draft-mglt-abcd-doh-privacy-analysis-00" category="info">

  <front>
    <title abbrev="A privacy analysis on DoH deployment">A privacy analysis on DoH deployment</title>

    <author initials="D." surname="Migault" fullname="Daniel Migault">
      <organization>Ericsson</organization>
      <address>
        <postal>
          <street>8275 Trans Canada Route</street>
          <city>Saint Laurent, QC</city>
          <code>4S 0B6</code>
          <country>Canada</country>
        </postal>
        <email>mglt.ietf@gmail.com</email>
      </address>
    </author>

    <date year="2019" month="November" day="04"/>

    <area>operational</area>
    <workgroup>dnsop</workgroup>
    <keyword>Internet-Draft</keyword>

    <abstract>


<t>This document provides an analysis of the impact of DoH on privacy.</t>



    </abstract>


  </front>

  <middle>


<section anchor="requirements-notation" title="Requirements Notation">

<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP 14
<xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all
capitals, as shown here.</t>

</section>
<section anchor="introduction" title="Introduction">

<t>DNS Queries over HTTPS (DoH) <xref target="RFC8484"/> differs from traditional
DNS <xref target="RFC1035"/> in two ways: DNS exchanges between the DNS client and
the resolver are encrypted, and DNS traffic is no longer signaled as DNS
traffic (port 53) but instead uses the HTTPS port (443).</t>

<t>Such an approach could enhance the end user's privacy by preventing any
on-path party from inferring DNS-related information from the observed
traffic. However, such an enhancement may also have side effects, such
as the end user losing control of its own DNS traffic.</t>

<t>This draft aims at providing an analysis of the impact of deploying DoH
on the current Internet.</t>

<t>Section <xref target="dns-traffic"/> details the privacy-sensitive information
carried by DNS traffic and evaluates whether this information is
specific to DNS or could be inferred from other traffic, such as web
traffic, depending on the concentration of the Internet.</t>

<t>Section <xref target="doh"/> exposes the privacy implications of possible uses of
DoH, and more precisely of the ability to circumvent or enforce the end
user's policies.</t>

<t>While encrypting the DNS traffic enables the selection of a DNS resolver,
section <xref target="resol"/> exposes the privacy implications associated with
that selection and shows that choosing a resolver outside the boundaries
of an ISP in fact provides limited protection against that ISP.</t>

<t>Finally, section <xref target="concentration"/> shows that, despite the
advantage concentration could provide by obfuscating the destination IP
address, the overall picture is that concentration represents a threat
to the end user's privacy.</t>

</section>
<section anchor="dns-traffic" title="DNS traffic and privacy">

<t>DNS data is public data available to everyone. As a result, the value
associated with a DNS exchange is mostly carried by the DNS request,
which answers "What is this specific end user interested in?" or "Which
end users contact this site?", rather than by the DNS information
provided in the response. This information is obtained by associating
the destination IP address (of the IP header) with the DNS query field.
There are good and bad reasons for monitoring the sites as well as the
end users that connect to them. Typically, a network administrator may
prevent the end user from connecting to malicious web sites as well as
monitor the sites the end user is connecting to. However, it is out of
the control of any protocol to influence how this information is
used.</t>

<t>In most cases, DNS exchanges are followed by a web connection. If the
web session were not encrypted, observation of the web traffic would
provide the same information as that carried in the DNS traffic. This
information would even be richer and more accurate, as web traffic
reflects the web sites the end user is actually accessing. However, the
amount of web traffic is huge compared to DNS traffic, and DNS traffic
was clearly distinct from HTTP traffic: it uses a different port from
HTTP(S) and has a distinct termination point (the DNS resolver).</t>

<t>With an increasing share of web traffic being encrypted, analysis of the
HTTP traffic is no longer possible, as it is protected by TLS. However,
HTTPS traffic still reveals the destination IP address and the domain
name, within a TLS field designated as the SNI. As mentioned earlier,
analysis of HTTPS traffic, because of the volumes involved, remains a
challenge in itself. In addition, the encryption of the SNI, as well as
the fact that one IP address provided by a cloud provider can be shared
by multiple web sites, clearly limits the meaning of the information an
analysis of HTTPS traffic could provide. As a result, in addition to
being more convenient to obtain, the information revealed by DNS traffic
may not be inferable from other traffic.</t>

<t>As a result, the information carried by the DNS traffic has the
following characteristics:</t>

<t><list style="symbols">
  <t>The DNS traffic is a good representation of the web traffic of one end user.</t>
  <t>When not carried over HTTP, the DNS traffic is by construction
logically separate from the web traffic.</t>
  <t>The DNS traffic is terminated at one point, while web traffic is
generally terminated at multiple destinations.</t>
</list></t>
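<t>The following Python script is an added example (it is not part of this
draft) of what a passive on-path observer can read from the two kinds of
traffic discussed above. It builds a cleartext DNS query in the wire
format of RFC 1035 and a minimal TLS ClientHello with and without a
server_name (SNI) extension, then parses both the way a monitoring probe
would. All byte strings are constructed inside the script; the names
www.example.com and doh.resolver.example are placeholders and the
function names are the example's own.</t>

<figure><artwork><![CDATA[
```python
import struct
from typing import Optional

# ---- DNS wire format (RFC 1035): what port-53 traffic shows an observer ----

def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a one-question DNS query (type A, class IN, RD set). Constructed sample data."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def parse_qname(message: bytes) -> str:
    """Return the QNAME of the first question. Question names in a query are
    not compressed, so plain length-prefixed labels are all we handle here."""
    pos, labels = 12, []
    while True:
        length = message[pos]
        pos += 1
        if length == 0:
            return ".".join(labels)
        labels.append(message[pos:pos + length].decode("ascii"))
        pos += length

# ---- TLS ClientHello: what port-443 traffic shows the same observer ----

def build_client_hello(sni: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2-framed ClientHello record. With sni=None the
    server_name extension is omitted, which stands in for ESNI/ECH from the
    observer's point of view. The random field is zero: constructed sample."""
    extensions = b""
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type host_name(0)
        sn_list = struct.pack("!H", len(entry)) + entry
        extensions = struct.pack("!HH", 0, len(sn_list)) + sn_list    # extension type 0 = server_name
    body = (
        b"\x03\x03" + bytes(32)                # client_version, random
        + b"\x00"                              # session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"                          # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

def parse_sni(record: bytes) -> Optional[str]:
    """Extract host_name from a ClientHello's server_name extension; None if absent."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 5 + 4 + 2 + 32                                    # record + handshake headers, version, random
    pos += 1 + record[pos]                                  # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + record[pos]                                  # compression_methods
    if pos + 2 > len(record):
        return None                                         # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0:
            p = pos + 2                                     # skip ServerNameList length
            while p + 3 <= pos + ext_len:
                name_type = record[p]
                name_len = struct.unpack("!H", record[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:
                    return record[p:p + name_len].decode("ascii")
                p += name_len
        pos += ext_len
    return None

# ---- The observer's view of one packet, given only its destination port ----

def observe(dst_port: int, payload: bytes) -> dict:
    """Model a passive on-path probe: port 53 yields the queried name in clear;
    port 443 yields at most the SNI, which for a DoH session is the resolver's
    name, never the names being resolved inside the TLS session."""
    if dst_port == 53:
        return {"protocol": "dns", "name": parse_qname(payload)}
    if dst_port == 443:
        return {"protocol": "tls", "name": parse_sni(payload)}
    return {"protocol": "other", "name": None}

if __name__ == "__main__":
    print(observe(53, build_dns_query("www.example.com")))            # queried name visible
    print(observe(443, build_client_hello("www.example.com")))        # SNI visible
    print(observe(443, build_client_hello(None)))                     # only the IP address is left
    print(observe(443, build_client_hello("doh.resolver.example")))   # DoH looks like any HTTPS session
```
]]></artwork></figure>

<t>The last two calls are the point of the example: once the SNI is
encrypted, or once the session is a DoH session to a resolver, the
observer is left with a destination IP address and nothing about the
names being resolved, which is exactly the boundary the following
paragraphs discuss.</t>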

<t>The privacy-sensitive information carried by DNS traffic is the IP
address that "identifies" the end user and the content of the DNS query,
which reflects the activity of the end user. When the DNS traffic is not
encrypted, this information is exposed to the administrative domains the
DNS traffic is steered through. When the DNS traffic is encrypted, this
information is limited to the two end points, that is, the end user and
the DNS resolver.</t>

<t>The same activity can be inferred from the encrypted web traffic unless
ESNI is used together with a high concentration of web sites behind a
limited number of IP addresses. In that sense, web site concentration
and ESNI add boundaries to the information associated with DNS traffic,
which could enhance privacy against on-path monitoring. However,
concentration of the web traffic transfers this information from the
Internet providers to large cloud providers. Section
<xref target="concentration"/> further details how concentration represents a
direct threat to privacy.</t>

<t>As a result, the privacy-sensitive information carried by DNS traffic is
shared between the DNS client and the DNS resolver via the DNS traffic.
Similar information is provided by the web traffic and is shared between
the HTTP client, the Internet service provider and major cloud
providers. The balance between these two depends on the level of
concentration.</t>

</section>
<section anchor="doh" title="Privacy impact of DoH">

<t>The use of DoH to perform DNS exchanges has the following impacts on the
DNS traffic:</t>

<t><list style="symbols">
  <t>DNS traffic is encrypted</t>
  <t>DNS traffic is no different from the encrypted web traffic</t>
</list></t>

<t>As mentioned in section <xref target="dns-traffic"/>, since DNS traffic is
encrypted, the privacy-sensitive information of the DNS is exchanged
only between the DNS client and the DNS resolver. As per the Internet
threat model of <xref target="RFC3552"/>, it is expected that "the end-systems
engaging in a protocol exchange have not themselves been compromised.
Protecting against an attack when one of the end-systems has been
compromised is extraordinarily difficult." The purpose of the protection
is to protect against an attacker that may have complete control of the
network. With that threat model in mind, encryption protects the DNS
data exchanged between the DNS client and the DNS resolver and as such
improves the end user's privacy. In particular, it protects against
pervasive monitoring attacks <xref target="RFC7258"/>.</t>

<t>However, as mentioned in <xref target="RFC6973"/>, a privacy analysis needs to
question the assumption of <xref target="RFC3552"/> on end-systems, "since
systems are often compromised for the purpose of obtaining personal
data". In addition, privacy also includes the ability of the end user to
control and protect its information.</t>

<t>Until today, the ability to enforce policies for DNS traffic has relied
on having the DNS client centralized in the end user's system. The
configuration at the operating system level ensures that all
applications are aligned with the end user's policy. A typical policy
includes the domains that need to be resolved, the interface to be used,
the DNS resolver to contact&#8230;</t>

<t>DoH changes this paradigm in that an application can circumvent the
policy set by the end user, without the end user being aware of it.
Firstly, the encryption is performed by the application and as such does
not provide any visibility to the operating system. Secondly, the use of
HTTPS makes DNS traffic indistinguishable from web traffic. By contrast,
DoT would signal to the system that some encrypted DNS traffic is being
handled by the application, and the end user may accept or refuse such
traffic depending on its policy. DoH does not provide such a
capability.</t>

<t>Another way to see this issue is to consider that the communication
between the DNS client and the DNS resolver is secured between the two
application end-points. The end user's resolver policy would be enforced
on-path, inside the end user's system, but encryption prevents that
enforcement.</t>

<t>In a nutshell, DoH encrypts DNS traffic and makes it undetectable. This
gives an application the ability to circumvent the policies defined by
the system and can be seen as a loss of control. Alignment with the
policies of the system can then only be ensured by explicit policies on
the application's side, and by trusting the application to enforce the
policies it claims.</t>
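<t>The following Python script is an added example, not part of this
draft, illustrating the two layers discussed above. The first part
renders a DoH query as the GET request of RFC 8484 that an application
sends inside its own TLS session, using a constructed wire-format query
for www.example.com. The second part is a sketch of an operating-system
level resolver policy check run over a constructed flow log: it can
validate classic DNS (port 53) and DoT (port 853) against the approved
resolver, but has to mark port 443 flows as unverifiable. The resolver
addresses (documentation ranges such as 192.0.2.53), the host name
doh.resolver.example and the function names are the example's own
assumptions.</t>

<figure><artwork><![CDATA[
```python
import base64
from dataclasses import dataclass
from typing import List, Tuple

# ---- The application's side: a DoH query is an ordinary HTTPS request (RFC 8484) ----

def doh_get_path(dns_message: bytes) -> str:
    """Encode a DNS wire-format message as the 'dns' query parameter of an
    RFC 8484 GET request: base64url without padding."""
    return "/dns-query?dns=" + base64.urlsafe_b64encode(dns_message).rstrip(b"=").decode("ascii")

def doh_get_request(dns_message: bytes, authority: str) -> str:
    """Render, as HTTP/1.1 text, the request the application sends inside TLS.
    Only the application sees this layer; the operating system sees a TCP
    connection to port 443 like any other HTTPS session."""
    return (
        f"GET {doh_get_path(dns_message)} HTTP/1.1\r\n"
        f"Host: {authority}\r\n"
        "Accept: application/dns-message\r\n\r\n"
    )

# Constructed DNS query for www.example.com, type A, class IN, with the message
# ID set to 0 as RFC 8484 recommends for HTTP cache friendliness.
QUERY_WWW_EXAMPLE_COM = bytes.fromhex(
    "00000100000100000000000003777777076578616d706c6503636f6d0000010001"
)

# ---- The system's side: what an OS-level resolver policy can still verify ----

@dataclass(frozen=True)
class Flow:
    app: str        # process that opened the socket, as the OS knows it
    proto: str      # "udp" or "tcp"
    dst_ip: str
    dst_port: int

# Policy held by the system: one approved resolver for every application.
# Addresses below are constructed from documentation ranges, not real resolvers.
APPROVED_RESOLVER = "192.0.2.53"

SAMPLE_FLOWS = [
    Flow("mail-client", "udp", "192.0.2.53", 53),     # classic DNS to the approved resolver
    Flow("browser", "udp", "198.51.100.9", 53),       # classic DNS to another resolver: visible
    Flow("browser", "tcp", "198.51.100.9", 853),      # DoT: the port signals DNS, resolver checkable
    Flow("browser", "tcp", "203.0.113.7", 443),       # HTTPS: a web page or a DoH resolver, cannot tell
    Flow("browser", "tcp", "203.0.113.8", 443),
]

def check_policy(flows: List[Flow], approved: str = APPROVED_RESOLVER) -> List[Tuple[str, str, str]]:
    """Return one (app, kind, verdict) per flow. Port 53 and 853 flows are
    checked against the approved resolver; port 443 flows are 'unverifiable'
    because DoH is indistinguishable from other HTTPS at this layer."""
    verdicts = []
    for f in flows:
        if f.dst_port == 53 or f.dst_port == 853:
            kind = "dns" if f.dst_port == 53 else "dot"
            verdicts.append((f.app, kind, "ok" if f.dst_ip == approved else "violation"))
        elif f.dst_port == 443:
            verdicts.append((f.app, "https", "unverifiable"))
        else:
            verdicts.append((f.app, "other", "ok"))
    return verdicts

def summarize(verdicts: List[Tuple[str, str, str]]) -> dict:
    """Count verdicts so the size of the blind spot is visible at a glance."""
    counts = {}
    for _, _, verdict in verdicts:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

if __name__ == "__main__":
    print(doh_get_request(QUERY_WWW_EXAMPLE_COM, "doh.resolver.example"))
    for verdict in check_policy(SAMPLE_FLOWS):
        print(verdict)
    print(summarize(check_policy(SAMPLE_FLOWS)))   # {'ok': 1, 'violation': 2, 'unverifiable': 2}
```
]]></artwork></figure>

<t>The encoded path produced for the constructed query is the one given
as an example in RFC 8484 itself. The policy check shows why the
per-application model matters: the two port 443 flows could equally be a
web page and a DoH resolver, so the system can only enforce its resolver
policy on the protocols that announce themselves.</t>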

<t>The impact on privacy needs to balance the DNS policies provided by the
system against those provided by the application, and more explicitly
which of these policies better protects the end user.</t>

<section anchor="dns-systems-polices-lost-of-control-versus-independence" title="DNS system policies: loss of control versus independence">

<t>The DNS system policies may or may not reflect the end user's
preferences; however, they are part of the configuration parameters of
the system, and the end user can at least be aware of the policies of
its system.</t>

<t>There are cases where the DNS policies in the system express the end
user's policies. This typically includes the choice of a specific DNS
resolver or the subscription to parental control. For such end users,
the ability of an application to circumvent the policies of the system
represents a threat to their ability to control their DNS traffic.</t>

<t>Similarly, there are cases where the DNS policies are not explicitly
specified by the end user, but the end user has agreed to have these
policies. This typically includes corporate users that have agreed to
comply with the corporate policies, under which some web sites cannot be
accessed. For these end users, the ability of an application to
circumvent the DNS policies of the company exposes the end user to risks
he may not want to take.</t>

<t>For the two latter categories of users, the ability for each application
to have specific DNS policies presents the following drawbacks:</t>

<t>1) Per-application control results in defining the DNS policies in
multiple places. This can at least create confusion for the end user,
makes configuration error-prone and eventually makes debugging
harder.</t>

<t>2) While some applications may have clear and explicit DNS policies,
which the end user could in principle check or configure against the
policies he is enforcing, these policies are subject to change over time
and without notice, typically during updates. Constantly re-checking
the policies is not something we can rely on, and the end user or
company may delay application updates, which adds an additional risk to
the end user's privacy.</t>

<t>There are cases where the DNS policies are imposed on the end user
against its will and without its agreement. The motivation for such
policies could be to enforce surveillance of the end user. In such a
situation, the ability of an application to circumvent the DNS policies
improves the end user's privacy. It is also safer for the DNS policies
to be enforced by the application, as in this situation the application
is the trusted system of the end user.</t>

<t>As a result, whether the ability of applications to enforce their own
policies improves or reduces the end user's control of its DNS traffic
depends on what the end user's trusted system is. If the trusted system
of the end user is the application, this ability clearly improves
control; otherwise, it may represent a threat. In the latter case,
applications should follow the configuration of the system.</t>

</section>
</section>
<section anchor="resol" title="Privacy impact related to the choice of the DNS resolver">

<t>As mentioned in section <xref target="dns-traffic"/>, DoH provides end-to-end
encryption and as such gives the end user the ability to choose a
specific DNS resolver and share the DNS data only with that resolver.
One motivation to choose a specific DNS resolver is to move to a DNS
resolver that pays more attention to the end user's privacy. This
includes, among other things, not profiling the end users, not selling
users' information, or in some places not tracking specific end users.
In that sense, the ability for an end user to choose a DNS resolver
represents a major improvement. Note that when the DNS resolvers are not
on-path and the end user changes from one DNS resolver to the other,
encryption by itself does not provide additional protection: encryption
is clearly aimed at protecting against an attacker that would be
on-path.</t>

<t>On the other hand, as mentioned in section <xref target="dns-traffic"/>, web
traffic, unless it uses more advanced IP routing such as TOR, also leaks
similar information. Though gathering the information from the web
traffic instead of the DNS traffic raises the bar, it represents a major
improvement only if the bar remains sufficiently high. Unfortunately,
the bar is nonexistent for tracking a single user, and remains low for
generalizing the tracking to all users. As such, the decision rests more
on the network side, which decides on the value associated with the DNS
traffic, or on legal requirements, to put the necessary infrastructure
in place; it does not seem to be entirely in the end user's hands. As a
result, encryption provides limited protection against on-path parties
such as an ISP. Unless combined with TOR, moving to a DNS resolver that
is not managed by the ISP does not hide much information from the
ISP.</t>

<t>The remainder of this section assumes that DNS information is not
inferred from the web traffic and analyses how moving from a DNS
resolver hosted in the ISP network to a DNS resolver outside the ISP
network impacts the end user's privacy. The perspective considered is
the information shared with the DNS resolver; motivations such as poor
privacy protection, better latency, DNSSEC resolution or parental
filtering are out of the scope of this analysis.</t>

<t>Note that, when one is connected to an ISP and the DNS resolver is
provided by the ISP, it could be argued that encryption is not
necessary. This is not the case, especially as wireless communication
might be unprotected or provide the ability to man-in-the-middle the
exchange. As such, we assume in this section that the channel between
the end user and the DNS resolver is encrypted.</t>

<t>In general, a DNS resolver can be seen as an anonymizer. It receives a
DNS request from a specific end user, resolves the request under the
resolver's identity and sends the response back to the end user. Local
ISPs are believed to be fairly close to the end user, and as such the IP
address of the resolver can be used as a fairly good approximation of
the location of the end user without revealing information about its
identity.</t>

<t>When the end user is using a DNS resolver that is not located in the
ISP network, the end user is clearly providing this information to
another entity that did not have this information before and that cannot
infer it from observing the traffic. As for the ISP, the level of
information depends on what is already shared with that entity. If the
end user was not sharing any information with that entity, the end user
may provide sufficient information to get profiled by an additional
entity. If that DNS resolver already holds a significant amount of data
on that user, the DNS data may fill in the little remaining privacy but
would have a much smaller impact. For example, in a highly concentrated
Internet with one cloud provider for all services, the end user's
traffic would use one, or a few, destination IP addresses. That cloud
provider would have access to the entire history of the end user, while
the ISP would have little information from the IP addresses or the
encrypted SNI. In this specific situation, the end user may choose that
cloud provider for its DNS resolutions, to minimize the information
leakage. Such a scenario is currently believed to be purely
hypothetical.</t>

<t>As a result, using a public resolver rather than a local resolver can be
seen as sharing the web history of the end user. The balance between
sharing part of that history and completely transferring this
information depends on the level of concentration of the Internet and on
the ability of the resolver not to further share that information. Using
a public resolver also means that the user has to trust the public
resolver to handle the information according to the user's wishes.</t>

</section>
<section anchor="concentration" title="Privacy impact of concentration">

<t>Section <xref target="dns-traffic"/> pointed out that concentration is one factor
that could contribute to enforcing boundaries between the information
carried by DNS traffic and the information provided by observing web
traffic. This section analyses how concentration impacts privacy.</t>

<t>At first sight, the ability of concentration to 'hide' multiple web
sites behind a single IP address has to be balanced against the fact
that a significant amount of your traffic is going to one place, or at
least to a single actor. In other words, concentration represents a
direct threat to privacy, with all your data being provided to one
party. The cost of hiding the meaning of the IP address is too high, and
even a higher trust in one cloud provider than in your ISP could hardly
justify such an approach.</t>

<t>Firstly, in order to hide the meaning of the destination IP address,
mechanisms such as TOR should be used instead. Secondly, trust may
change over time, but data already provided can hardly be withdrawn. As
such, privacy should be designed in a way that does not depend on one or
a few players. Ideally, the data should be sufficiently spread among the
various players so that none of them could exploit it. This can only be
enforced by a <spanx style="strong">large number of players</spanx>. Typically, as long as the
fraction of data shared with one player is sufficient for it to be
analysed, privacy is at risk.</t>

<t>To balance that risk, it matters to reduce the amount of data shared as
well as to minimize the level of information associated with that data.
Typically, suppose that a cloud provider offers a DNS resolution service
and also hosts the web server www.example.com. Performing the DNS
resolution through that cloud provider for www.example.com will provide
limited additional information, as the DNS resolution will be followed
by a web connection to that same provider.</t>

<t>Note that concentration here includes access to the data. In other
words, a cloud provider hosting various web servers without possible
access to their data does not fall under the concept of concentration
described in this section.</t>

<t>While concentration represents a threat to privacy, the remainder of
this section analyses the impact of a cloud provider providing both a
DNS resolution service and a hosting service, and exposes how this could
contribute to balkanizing the Internet, or more precisely to capturing
end users into something close to walled-garden networks.</t>

<t>Typically, one cloud provider hosting a DNS resolver is likely to
redirect the end user's traffic within its own data centers rather than
to the data center of a competitor. Note that such a choice may be
appropriate depending on the location of the DNS resolver. The problem
arises when the end user would benefit from better connectivity by
accessing the web site instantiated in the cloud of another cloud
provider. In this case, the choice made by the DNS resolver may be
motivated by its own interest rather than the interest of the end user,
thus capturing the end user. Furthermore, the former optimization toward
the data center of the DNS resolver might lead to capturing the end
user. Here, capturing means that the cloud provider is keeping the end
user, as much as it can, within its borders. Such capture represents a
major threat to privacy as the end user is literally kept within one
entity, independently of its willingness.</t>

<t>The ability to capture an end user is problematic as it might become a
means to bring the end user into a jurisdiction different from its local
jurisdiction. This may represent a direct threat to its private
information, as some jurisdictions provide little protection regarding
privacy. The comparison of the local jurisdiction with other
jurisdictions is not the topic of this document. We do not ignore that
certain jurisdictions represent a permanent threat to privacy. However,
those jurisdictions set apart, it is worth noticing that the local
jurisdiction is probably the one best understood by the end user, and
that bringing its data into another jurisdiction may go against its
beliefs. Similarly, some aspects of jurisdictions may also reflect the
choices of societies, like the protection of the weakest of their
members <xref target="IWF"/>.</t>

<section anchor="acknowledgment" title="Acknowledgment">

<t>We would like to thank Bengt Sahlin, Christian Schaefer and Mirja
Kuhlewind for their feedback.</t>

</section>
</section>


  </middle>

  <back>

    <references title='Normative References'>

&RFC2119;
&RFC8174;
&RFC8484;
&RFC1035;


    </references>

    <references title='Informative References'>

<reference anchor="IWF" target="https://www.iwf.org.uk/news/dns-over-https-why-we%E2%80%99re-saying-doh-could-be-catastrophic">
  <front>
    <title>DNS over HTTPS Why we're saying DoH could be catastrophic</title>
    <author>
      <organization></organization>
    </author>
    <date year="n.d."/>
  </front>
</reference>
&RFC3552;
&RFC7258;
&RFC6973;


    </references>



  </back>


</rfc>

