<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-porfiri-tsvwg-sctp-dtls-handshake-01" category="std" consensus="true" submissionType="IETF" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="TLS for DTLS in SCTP">Transport Layer Security (TLS) based key-management of the Stream Control Transmission Protocol (SCTP) DTLS Chunk</title>
    <seriesInfo name="Internet-Draft" value="draft-porfiri-tsvwg-sctp-dtls-handshake-01"/>
    <author initials="M." surname="Westerlund" fullname="Magnus Westerlund">
      <organization>Ericsson</organization>
      <address>
        <email>magnus.westerlund@ericsson.com</email>
      </address>
    </author>
    <author initials="J." surname="Preuß Mattsson" fullname="John Preuß Mattsson">
      <organization>Ericsson</organization>
      <address>
        <email>john.mattsson@ericsson.com</email>
      </address>
    </author>
    <author initials="C." surname="Porfiri" fullname="Claudio Porfiri">
      <organization>Ericsson</organization>
      <address>
        <email>claudio.porfiri@ericsson.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>Transport</area>
    <workgroup>TSVWG</workgroup>
    <abstract>
      <?line 68?>

<t>This document defines how Transport Layer Security (TLS) 1.3
is used as a key-management method for the SCTP DTLS Chunk mechanism.
It specifies how a TLS handshake establishes the initial security
context for an SCTP association and how subsequent TLS handshakes
provide key updates and re-authentication. The goal is to enable
authenticated and confidential communication over SCTP using the
DTLS Chunk, leveraging standardized TLS 1.3 features for key
management and rekeying.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-porfiri-tsvwg-sctp-dtls-handshake/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        Transport Area Working Group (tsvwg) Working Group mailing list (<eref target="mailto:tsvwg@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/tsvwg/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/tsvwg/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/teiclap/draft-porfiri-tsvwg-sctp-dtls-handshake"/>.</t>
    </note>
  </front>
  <middle>
    <?line 79?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>The Stream Control Transmission Protocol (SCTP) <xref target="RFC9260"/> is a
transport protocol designed to support message-oriented communication
with features such as multiple streams for messages and multi-homing.
In many deployments, particularly telecommunication networks, it is
essential to provide confidentiality, integrity, and peer
authentication for SCTP traffic.</t>
      <t><xref target="I-D.ietf-tsvwg-sctp-dtls-chunk"/> defines a mechanism for
securing SCTP by encapsulating SCTP chunks within DTLS 1.3 records at
the chunk level.  That specification defines the DTLS chunk format,
negotiation procedures, and an abstract API for key management, but
delegates the actual key management to external methods identified by
a DTLS Key Management Identifier.</t>
      <t>This document defines one such method: it uses TLS 1.3 <xref target="RFC8446"/>
handshakes carried as SCTP user messages to perform mutual
authentication and derive keying material for the DTLS Chunk
Protection Operator.  The combination of the SCTP DTLS Chunk and the
key-management defined in this document is referred to as "TLS for
DTLS in SCTP".</t>
      <t>The key advantages of this approach are:</t>
      <ul spacing="normal">
        <li>
          <t>It requires no extensions to TLS 1.3 to support long-lived sessions.</t>
        </li>
        <li>
          <t>It is based on TLS 1.3 rather than DTLS 1.3, leveraging widely
available TLS implementations.</t>
        </li>
      </ul>
      <section anchor="conventions">
        <name>Conventions</name>
        <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.
<?line -6?>
        </t>
        <t>In this document, || denotes concatenation of byte sequences.</t>
      </section>
      <section anchor="terminology">
        <name>Terminology</name>
        <t>This document uses the following terms:</t>
        <dl>
          <dt>Association:</dt>
          <dd>
            <t>An SCTP association.</t>
          </dd>
          <dt>Client:</dt>
          <dd>
            <t>The endpoint that has the key management client role. This
corresponds to the "client" role (C bit) in the DTLS Key Management
Parameter of <xref target="I-D.ietf-tsvwg-sctp-dtls-chunk"/>.</t>
          </dd>
          <dt>Connection:</dt>
          <dd>
            <t>A TLS 1.3 connection used for key management.</t>
          </dd>
          <dt>DTLS Key Context (DKC):</dt>
          <dd>
            <t>The keying material (record payload key, sequence number key, and
IV) for both send and receive directions, together with the replay
window and last used sequence number.  Each DKC is identified by a
tuple of (SCTP Association, restart indicator, DTLS epoch).</t>
          </dd>
          <dt>Initiator:</dt>
          <dd>
            <t>The endpoint initiating the SCTP association. In case of simultanous open
both SCTP endpoints may have started as Initiator.</t>
          </dd>
          <dt>Primary DKC:</dt>
          <dd>
            <t>A DTLS Key Context used to protect regular SCTP association traffic.</t>
          </dd>
          <dt>Responder:</dt>
          <dd>
            <t>The endpoint acting as server during SCTP association
establishment.</t>
          </dd>
          <dt>Restart DKC:</dt>
          <dd>
            <t>A DTLS Key Context reserved exclusively for the SCTP association
restart procedure.</t>
          </dd>
          <dt>Server:</dt>
          <dd>
            <t>The endpoint taking the key management server role. This corresponds
to the "server" role (S bit) in the DTLS Key Management Parameter of
<xref target="I-D.ietf-tsvwg-sctp-dtls-chunk"/>.</t>
          </dd>
        </dl>
      </section>
      <section anchor="abbreviations">
        <name>Abbreviations</name>
        <dl>
          <dt>AEAD:</dt>
          <dd>
            <t>Authenticated Encryption with Associated Data</t>
          </dd>
          <dt>DKC:</dt>
          <dd>
            <t>DTLS Key Context</t>
          </dd>
          <dt>DTLS:</dt>
          <dd>
            <t>Datagram Transport Layer Security</t>
          </dd>
          <dt>PPID:</dt>
          <dd>
            <t>Payload Protocol Identifier</t>
          </dd>
          <dt>SCTP:</dt>
          <dd>
            <t>Stream Control Transmission Protocol</t>
          </dd>
          <dt>TLS:</dt>
          <dd>
            <t>Transport Layer Security</t>
          </dd>
          <dt>ULP:</dt>
          <dd>
            <t>Upper Layer Protocol</t>
          </dd>
        </dl>
      </section>
    </section>
    <section anchor="overview">
      <name>Overview</name>
      <t>This section provides an informational overview of TLS for DTLS in
SCTP.  Normative procedures are specified in <xref target="procedures"/>.</t>
      <section anchor="architecture">
        <name>Architecture</name>
        <figure anchor="overview-layering">
          <name>Architecture</name>
          <artset>
            <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="464" width="440" viewBox="0 0 440 464" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 8,32 L 8,272" fill="none" stroke="black"/>
                <path d="M 8,368 L 8,448" fill="none" stroke="black"/>
                <path d="M 72,280 L 72,320" fill="none" stroke="black"/>
                <path d="M 96,320 L 96,360" fill="none" stroke="black"/>
                <path d="M 136,32 L 136,272" fill="none" stroke="black"/>
                <path d="M 152,32 L 152,272" fill="none" stroke="black"/>
                <path d="M 168,80 L 168,224" fill="none" stroke="black"/>
                <path d="M 176,384 L 176,432" fill="none" stroke="black"/>
                <path d="M 192,64 L 192,96" fill="none" stroke="black"/>
                <path d="M 192,128 L 192,160" fill="none" stroke="black"/>
                <path d="M 192,208 L 192,256" fill="none" stroke="black"/>
                <path d="M 280,160 L 280,208" fill="none" stroke="black"/>
                <path d="M 288,280 L 288,320" fill="none" stroke="black"/>
                <path d="M 352,384 L 352,432" fill="none" stroke="black"/>
                <path d="M 368,64 L 368,96" fill="none" stroke="black"/>
                <path d="M 368,128 L 368,160" fill="none" stroke="black"/>
                <path d="M 368,208 L 368,256" fill="none" stroke="black"/>
                <path d="M 392,80 L 392,400" fill="none" stroke="black"/>
                <path d="M 408,32 L 408,272" fill="none" stroke="black"/>
                <path d="M 408,368 L 408,448" fill="none" stroke="black"/>
                <path d="M 8,32 L 136,32" fill="none" stroke="black"/>
                <path d="M 152,32 L 408,32" fill="none" stroke="black"/>
                <path d="M 192,64 L 368,64" fill="none" stroke="black"/>
                <path d="M 168,80 L 184,80" fill="none" stroke="black"/>
                <path d="M 368,80 L 392,80" fill="none" stroke="black"/>
                <path d="M 192,96 L 368,96" fill="none" stroke="black"/>
                <path d="M 192,128 L 368,128" fill="none" stroke="black"/>
                <path d="M 168,144 L 192,144" fill="none" stroke="black"/>
                <path d="M 192,160 L 368,160" fill="none" stroke="black"/>
                <path d="M 192,208 L 368,208" fill="none" stroke="black"/>
                <path d="M 168,224 L 184,224" fill="none" stroke="black"/>
                <path d="M 192,256 L 368,256" fill="none" stroke="black"/>
                <path d="M 8,272 L 136,272" fill="none" stroke="black"/>
                <path d="M 152,272 L 408,272" fill="none" stroke="black"/>
                <path d="M 72,320 L 288,320" fill="none" stroke="black"/>
                <path d="M 8,368 L 408,368" fill="none" stroke="black"/>
                <path d="M 176,384 L 352,384" fill="none" stroke="black"/>
                <path d="M 360,400 L 392,400" fill="none" stroke="black"/>
                <path d="M 176,432 L 352,432" fill="none" stroke="black"/>
                <path d="M 8,448 L 408,448" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="400,360 388,354.4 388,365.6" fill="black" transform="rotate(90,392,360)"/>
                <polygon class="arrowhead" points="368,400 356,394.4 356,405.6" fill="black" transform="rotate(180,360,400)"/>
                <polygon class="arrowhead" points="296,280 284,274.4 284,285.6" fill="black" transform="rotate(270,288,280)"/>
                <polygon class="arrowhead" points="192,224 180,218.4 180,229.6" fill="black" transform="rotate(0,184,224)"/>
                <polygon class="arrowhead" points="192,80 180,74.4 180,85.6" fill="black" transform="rotate(0,184,80)"/>
                <polygon class="arrowhead" points="104,360 92,354.4 92,365.6" fill="black" transform="rotate(90,96,360)"/>
                <polygon class="arrowhead" points="80,280 68,274.4 68,285.6" fill="black" transform="rotate(270,72,280)"/>
                <g class="text">
                  <text x="72" y="52">ULP</text>
                  <text x="264" y="52">TLS</text>
                  <text x="296" y="52">1.3</text>
                  <text x="240" y="84">Key</text>
                  <text x="292" y="84">Exporter</text>
                  <text x="240" y="148">Key</text>
                  <text x="300" y="148">Management</text>
                  <text x="224" y="196">ContentType</text>
                  <text x="240" y="228">TLS</text>
                  <text x="284" y="228">Record</text>
                  <text x="244" y="244">Protection</text>
                  <text x="324" y="244">Operator</text>
                  <text x="420" y="324">keys</text>
                  <text x="68" y="340">PPID</text>
                  <text x="92" y="404">SCTP</text>
                  <text x="236" y="404">DTLS</text>
                  <text x="280" y="404">Chunk</text>
                  <text x="228" y="420">Protection</text>
                  <text x="308" y="420">Operator</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art" align="center"><![CDATA[
+---------------+ +-------------------------------+
|      ULP      | |            TLS 1.3            |
|               | |    +---------------------+    |
|               | | +->+    Key Exporter     +--+ |
|               | | |  +---------------------+  | |
|               | | |                           | |
|               | | |  +---------------------+  | |
|               | | +--+    Key Management   +  | |
|               | | |  +----------+----------+  | |
|               | | |             |             | |
|               | | | ContentType |             | |
|               | | |  +----------+----------+  | |
|               | | +->|    TLS Record       |  | |
|               | |    | Protection Operator |  | |
|               | |    +----------+----------+  | |
+-------+-------+ +-----------------------------+-+
        ^                          ^            |
        |                          |            |
        +--+-----------------------+            | keys
      PPID |                                    |
           V                                    V
+-----------------------------------------------+-+
|                    +---------------------+    | |
|        SCTP        |     DTLS Chunk      |<---+ |
|                    | Protection Operator |      |
|                    +---------------------+      |
+-------------------------------------------------+
]]></artwork>
          </artset>
        </figure>
        <t>Application data is never transmitted in TLS application_data records.
Instead, application data is sent via SCTP DATA chunks protected by
the DTLS Chunk Protection Operator.  TLS 1.3 is used solely for key
management: performing handshakes, deriving keys via the TLS Exporter,
and then closing the TLS connection.</t>
      </section>
      <section anchor="protocol-flow-summary">
        <name>Protocol Flow Summary</name>
        <t>The protocol operates in three phases:</t>
        <ol spacing="normal" type="1"><li>
            <t><strong>Initial Establishment:</strong> After SCTP association setup (with
DTLS Key Management Parameter negotiation), a TLS 1.3 handshake
derives the initial Primary and Restart DKCs.  Protection is then
enforced.</t>
          </li>
          <li>
            <t><strong>Rekeying:</strong> Either endpoint initiates a new TLS 1.3 handshake
to derive fresh DKCs for the next epoch, providing forward secrecy
and re-authentication.  Old DKCs are removed after draining.</t>
          </li>
          <li>
            <t><strong>SCTP Restart:</strong> The pre-established Restart DKC protects the
COOKIE ECHO/COOKIE ACK exchange, followed by a new TLS handshake
to establish fresh Primary and Restart DKCs.</t>
          </li>
        </ol>
      </section>
    </section>
    <section anchor="tls-config">
      <name>TLS Configuration Requirements</name>
      <section anchor="tls-version">
        <name>TLS Version</name>
        <t>This document defines the usage of TLS 1.3 <xref target="RFC8446"/>.  Earlier
versions of TLS MUST NOT be used.  Only one version of TLS MUST be
used during the lifetime of an SCTP Association.</t>
      </section>
      <section anchor="cipher-suite-constraints">
        <name>Cipher Suite Constraints</name>
        <t>Parameters not marked as "Y" in the "Recommended" column of TLS
registries are NOT RECOMMENDED to support.  Non-AEAD cipher suites
or cipher suites without confidentiality MUST NOT be supported.
Cipher suites and parameters that do not provide ephemeral
key-exchange MUST NOT be supported.</t>
        <t>The cipher suites negotiated in the key-management TLS connection
MUST only include those supported by the DTLS Chunk Protection
Operator.  The DTLS Chunk provides an API to query supported cipher
suites (see Section 7.3 of <xref target="I-D.ietf-tsvwg-sctp-dtls-chunk"/>).</t>
      </section>
      <section anchor="tls-auth">
        <name>Authentication and Identity</name>
        <t>TLS for DTLS in SCTP MUST be mutually authenticated.  It is
RECOMMENDED to use certificate-based authentication.</t>
        <t>When certificates are used, the application is responsible for
certificate policies, certificate chain validation, and identity
authentication.  The application defines what the identity is and
how it is encoded.  Guidance on server certificate validation can be
found in <xref target="RFC9525"/>.</t>
        <t>All security decisions MUST be based on the peer's authenticated
identity, not on its transport layer identity.  Since SCTP
associations can use multiple IP addresses per endpoint, DTLS records
may arrive from different source IP addresses than those originally
authenticated.</t>
        <t>Clients and servers MUST NOT accept a change of identity during the
setup of a new TLS connection, but MAY accept negotiation of stronger
algorithms and security parameters.</t>
      </section>
      <section anchor="rekey-policy">
        <name>Rekeying Policy</name>
        <t>Implementations MUST have policies for how often to set up new TLS
connections with ephemeral key exchange.  Implementations SHOULD
rekey at least every hour and every 100 GB of data, which is a common
policy for IPsec <xref target="ANSSI-DAT-NT-003"/>.</t>
        <t>Implementations MUST set up a new TLS connection using a full
handshake with new certificates before any last used certificates
expire.</t>
        <t>The PSK key exchange mode psk_ke MUST NOT be used as it does not
provide ephemeral key exchange.  TLS Key Update MUST NOT be used as it
doesn't provide a new ephemeral key for the key exporter.</t>
        <t>TLS 1.3 tickets MAY be used for resumption. Resumption can be used to
chain the connections, increasing security by forcing an adversary to
break them in sequence <xref target="KTH-NCSA"/>.</t>
        <t>The endpoints MUST limit the number of simultaneous TLS connections
to one.</t>
      </section>
    </section>
    <section anchor="tls-user-message">
      <name>TLS Message Transport</name>
      <t>TLS records and control messages for key-management are sent as SCTP
user messages using reliable in-order delivery on stream 0 with the
DTLS Key Management Messages PPID (4242)
<xref target="I-D.ietf-tsvwg-sctp-dtls-chunk"/>.</t>
      <t>Each SCTP user message uses the format defined in
<xref target="sctp-dtls-user-message"/>.</t>
      <figure anchor="sctp-dtls-user-message">
        <name>Key Management User Message Structure</name>
        <artset>
          <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="176" width="528" viewBox="0 0 528 176" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
              <path d="M 8,64 L 8,160" fill="none" stroke="black"/>
              <path d="M 24,64 L 24,96" fill="none" stroke="black"/>
              <path d="M 136,64 L 136,96" fill="none" stroke="black"/>
              <path d="M 264,128 L 264,160" fill="none" stroke="black"/>
              <path d="M 520,64 L 520,128" fill="none" stroke="black"/>
              <path d="M 8,64 L 520,64" fill="none" stroke="black"/>
              <path d="M 8,96 L 136,96" fill="none" stroke="black"/>
              <path d="M 264,128 L 520,128" fill="none" stroke="black"/>
              <path d="M 8,160 L 264,160" fill="none" stroke="black"/>
              <g class="text">
                <text x="16" y="36">0</text>
                <text x="176" y="36">1</text>
                <text x="336" y="36">2</text>
                <text x="496" y="36">3</text>
                <text x="16" y="52">0</text>
                <text x="32" y="52">1</text>
                <text x="48" y="52">2</text>
                <text x="64" y="52">3</text>
                <text x="80" y="52">4</text>
                <text x="96" y="52">5</text>
                <text x="112" y="52">6</text>
                <text x="128" y="52">7</text>
                <text x="144" y="52">8</text>
                <text x="160" y="52">9</text>
                <text x="176" y="52">0</text>
                <text x="192" y="52">1</text>
                <text x="208" y="52">2</text>
                <text x="224" y="52">3</text>
                <text x="240" y="52">4</text>
                <text x="256" y="52">5</text>
                <text x="272" y="52">6</text>
                <text x="288" y="52">7</text>
                <text x="304" y="52">8</text>
                <text x="320" y="52">9</text>
                <text x="336" y="52">0</text>
                <text x="352" y="52">1</text>
                <text x="368" y="52">2</text>
                <text x="384" y="52">3</text>
                <text x="400" y="52">4</text>
                <text x="416" y="52">5</text>
                <text x="432" y="52">6</text>
                <text x="448" y="52">7</text>
                <text x="464" y="52">8</text>
                <text x="480" y="52">9</text>
                <text x="496" y="52">0</text>
                <text x="512" y="52">1</text>
                <text x="16" y="84">T</text>
                <text x="72" y="84">Epoch</text>
                <text x="264" y="100">Payload</text>
              </g>
            </svg>
          </artwork>
          <artwork type="ascii-art" align="center"><![CDATA[
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|T|   Epoch     |                                               |
+-+-+-+-+-+-+-+-+            Payload                            |
|                                                               |
|                               +-------------------------------+
|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork>
        </artset>
      </figure>
      <dl>
        <dt>T (Message Type): 1 bit</dt>
        <dd>
          <t>Indicates the type of payload carried in this user message.
A value of 0 indicates that the payload contains TLS records.
A value of 1 indicates that the payload is a control message
(see <xref target="control-messages"/>).</t>
        </dd>
        <dt>Epoch: 7 bits</dt>
        <dd>
          <t>The 7 lowest bits of the DTLS Key Context epoch that this
message corresponds to — i.e., the DKC that will be created from
this handshake, or that already exists.  The receiver uses this
field to associate incoming data with the correct key-management
session.</t>
        </dd>
        <dt>Payload: variable length</dt>
        <dd>
          <t>When T=0, one or more complete TLS records.  When T=1, a control
message as defined in <xref target="control-messages"/>.</t>
        </dd>
      </dl>
      <section anchor="control-messages">
        <name>Control Messages</name>
        <t>When the T bit is set to 1, the payload of the user message is a
control message with the following format:</t>
        <figure anchor="control-message-format">
          <name>Control Message Format</name>
          <artset>
            <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="112" width="528" viewBox="0 0 528 112" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 8,64 L 8,96" fill="none" stroke="black"/>
                <path d="M 136,64 L 136,96" fill="none" stroke="black"/>
                <path d="M 392,64 L 392,72" fill="none" stroke="black"/>
                <path d="M 392,88 L 392,96" fill="none" stroke="black"/>
                <path d="M 520,64 L 520,96" fill="none" stroke="black"/>
                <path d="M 8,64 L 520,64" fill="none" stroke="black"/>
                <path d="M 8,96 L 520,96" fill="none" stroke="black"/>
                <path class="jump" d="M 392,88 C 398,88 398,72 392,72" fill="none" stroke="black"/>
                <g class="text">
                  <text x="16" y="36">0</text>
                  <text x="176" y="36">1</text>
                  <text x="336" y="36">2</text>
                  <text x="496" y="36">3</text>
                  <text x="16" y="52">0</text>
                  <text x="32" y="52">1</text>
                  <text x="48" y="52">2</text>
                  <text x="64" y="52">3</text>
                  <text x="80" y="52">4</text>
                  <text x="96" y="52">5</text>
                  <text x="112" y="52">6</text>
                  <text x="128" y="52">7</text>
                  <text x="144" y="52">8</text>
                  <text x="160" y="52">9</text>
                  <text x="176" y="52">0</text>
                  <text x="192" y="52">1</text>
                  <text x="208" y="52">2</text>
                  <text x="224" y="52">3</text>
                  <text x="240" y="52">4</text>
                  <text x="256" y="52">5</text>
                  <text x="272" y="52">6</text>
                  <text x="288" y="52">7</text>
                  <text x="304" y="52">8</text>
                  <text x="320" y="52">9</text>
                  <text x="336" y="52">0</text>
                  <text x="352" y="52">1</text>
                  <text x="368" y="52">2</text>
                  <text x="384" y="52">3</text>
                  <text x="400" y="52">4</text>
                  <text x="416" y="52">5</text>
                  <text x="432" y="52">6</text>
                  <text x="448" y="52">7</text>
                  <text x="464" y="52">8</text>
                  <text x="480" y="52">9</text>
                  <text x="496" y="52">0</text>
                  <text x="512" y="52">1</text>
                  <text x="44" y="84">Ctrl</text>
                  <text x="84" y="84">Type</text>
                  <text x="240" y="84">Control</text>
                  <text x="292" y="84">Data</text>
                  <text x="352" y="84">(variable</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art" align="center"><![CDATA[
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Ctrl Type    |         Control Data (variable)               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork>
          </artset>
        </figure>
        <dl>
          <dt>Ctrl Type: 8 bits</dt>
          <dd>
            <t>Identifies the control message type.</t>
          </dd>
          <dt>Control Data: variable length</dt>
          <dd>
            <t>Type-specific data.  May be empty.</t>
          </dd>
        </dl>
        <t>The following control message type is defined:</t>
        <table anchor="control-message-types">
          <name>Control Message Types</name>
          <thead>
            <tr>
              <th align="left">Ctrl Type</th>
              <th align="left">Name</th>
              <th align="left">Description</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">0x01</td>
              <td align="left">Protection Established</td>
              <td align="left">Signals that DTLS chunk protection has been enforced</td>
            </tr>
          </tbody>
        </table>
        <section anchor="protection-established">
          <name>Protection Established</name>
          <t>The Protection Established control message (Ctrl Type = 0x01) is sent
by the Server to the Client after the Server has installed
all keys and enforced DTLS chunk protection.  This message carries no
Control Data (the payload following the Ctrl Type byte is empty).</t>
          <t>Upon receiving this message, the Client enforces DTLS chunk
protection and informs the ULP that the association is protected.</t>
          <t>The message is also used during rekeying to confirm to the endpoint
with the client role in that procedure that the server has installed
all keys, and the client can install write keys.</t>
        </section>
      </section>
    </section>
    <section anchor="dtls-key-derivation">
      <name>Key Derivation</name>
      <section anchor="role-determination">
        <name>Role Determination</name>
        <t>Role determination and method selection follow the procedure defined
in Section 5.1 of <xref target="I-D.ietf-tsvwg-sctp-dtls-chunk"/>.  After
the SCTP association is established, the key-management function
retrieves from the SCTP stack's DTLS chunk API the assigned role
(Client or Server), the selected DTLS Key
Management Method, and the downgrade prevention data (both endpoints'
DTLS Key Management Parameters) used as input to key derivation.</t>
      </section>
      <section anchor="exporter-context">
        <name>Exporter Context</name>
        <t>DTLS Key Contexts are derived using the TLS Exporter as defined in
Section 7.5 of <xref target="RFC8446"/>.  The exporter context is constructed as
the concatenation of the following fields:</t>
        <table>
          <thead>
            <tr>
              <th align="left">Field</th>
              <th align="left">Length</th>
              <th align="left">Value</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">Direction</td>
              <td align="left">1 byte</td>
              <td align="left">0x00 = Client to Server, 0x01 = Server to Client</td>
            </tr>
            <tr>
              <td align="left">Key role</td>
              <td align="left">1 byte</td>
              <td align="left">0x00 = primary/traffic, 0x01 = restart</td>
            </tr>
            <tr>
              <td align="left">Key type</td>
              <td align="left">1 byte</td>
              <td align="left">0x00 = Key, 0x01 = SN_KEY, 0x02 = IV</td>
            </tr>
            <tr>
              <td align="left">Client KM Param</td>
              <td align="left">variable</td>
              <td align="left">DTLS Key Management Parameter sent by the endpoint designated as Client</td>
            </tr>
            <tr>
              <td align="left">Server KM Param</td>
              <td align="left">variable</td>
              <td align="left">DTLS Key Management Parameter sent by the endpoint designated as Server</td>
            </tr>
          </tbody>
        </table>
        <t>Each DTLS Key Management Parameter (Section 4.1 of
<xref target="I-D.ietf-tsvwg-sctp-dtls-chunk"/>) is included as the
sequence of bytes sent on the wire, including the parameter header
and excluding padding.</t>
        <t>This construction ensures that any modification to the DTLS Key
Management Parameter during the SCTP handshake (a downgrade attack)
results in mismatched keys and association failure.</t>
      </section>
      <section anchor="exporter-labels">
        <name>Exporter Labels</name>
        <t>A single TLS Exporter label is used to derive all keying material:</t>
        <artwork><![CDATA[
EXPORTER_TLS_FOR_DTLS_IN_SCTP
]]></artwork>
        <t>The specific key material (direction, role, and type) is
differentiated by the exporter context (<xref target="exporter-context"/>).  Each
combination of Direction, Key role, and Key type values produces a
distinct export, yielding 12 values in total (2 directions × 2 roles
× 3 types).</t>
        <t>The Client installs exports with Direction=Client to server as its
write keys and Direction=Server to client as its read keys.  The
Responder does the reverse.</t>
        <t>The length of exported material depends on the negotiated cipher
suite.</t>
      </section>
      <section anchor="dkc-installation">
        <name>DKC Installation</name>
        <t>Each successful TLS handshake produces one or two (if restart is
supported) DKCs:</t>
        <ul spacing="normal">
          <li>
            <t>A Primary DKC for regular SCTP traffic.</t>
          </li>
          <li>
            <t>A Restart DKC for the SCTP restart procedure.</t>
          </li>
        </ul>
        <t>The first DKC established for any SCTP association MUST use DTLS
epoch 3.  Each subsequent Primary DKC uses the next consecutive
epoch.  After an SCTP restart, the epoch resets to 3.</t>
        <t>If SCTP Restart is supported the endpoint MUST generate Restart DKC
for each epoch where a Primary DKC is generated.  The Restart DKC MUST
be maintained in a well-defined state (initialized but never used for
regular traffic) so that both endpoints have a consistent view of
sequence numbers and replay window.</t>
      </section>
    </section>
    <section anchor="procedures">
      <name>Procedures</name>
      <section anchor="initial-establishment">
        <name>Initial Establishment</name>
        <figure anchor="initial-establishment-diagram">
          <name>Initial Establishment</name>
          <artset>
            <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="400" width="584" viewBox="0 0 584 400" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                <path d="M 40,48 L 40,368" fill="none" stroke="black"/>
                <path d="M 80,160 L 80,304" fill="none" stroke="black"/>
                <path d="M 424,160 L 424,304" fill="none" stroke="black"/>
                <path d="M 472,48 L 472,368" fill="none" stroke="black"/>
                <path d="M 504,336 L 504,368" fill="none" stroke="black"/>
                <path d="M 40,64 L 232,64" fill="none" stroke="black"/>
                <path d="M 288,64 L 464,64" fill="none" stroke="black"/>
                <path d="M 48,80 L 216,80" fill="none" stroke="black"/>
                <path d="M 304,80 L 472,80" fill="none" stroke="black"/>
                <path d="M 40,96 L 200,96" fill="none" stroke="black"/>
                <path d="M 312,96 L 464,96" fill="none" stroke="black"/>
                <path d="M 48,112 L 208,112" fill="none" stroke="black"/>
                <path d="M 312,112 L 472,112" fill="none" stroke="black"/>
                <path d="M 40,176 L 72,176" fill="none" stroke="black"/>
                <path d="M 432,176 L 472,176" fill="none" stroke="black"/>
                <path d="M 80,208 L 152,208" fill="none" stroke="black"/>
                <path d="M 352,208 L 416,208" fill="none" stroke="black"/>
                <path d="M 400,240 L 424,240" fill="none" stroke="black"/>
                <path d="M 80,256 L 96,256" fill="none" stroke="black"/>
                <path d="M 392,256 L 416,256" fill="none" stroke="black"/>
                <path d="M 88,288 L 104,288" fill="none" stroke="black"/>
                <path d="M 352,288 L 424,288" fill="none" stroke="black"/>
                <path d="M 40,336 L 136,336" fill="none" stroke="black"/>
                <path d="M 368,336 L 464,336" fill="none" stroke="black"/>
                <path d="M 48,352 L 136,352" fill="none" stroke="black"/>
                <path d="M 368,352 L 472,352" fill="none" stroke="black"/>
                <path d="M 504,352 L 576,352" fill="none" stroke="black"/>
                <path d="M 488,320 C 496.83064,320 504,327.16936 504,336" fill="none" stroke="black"/>
                <polygon class="arrowhead" points="472,336 460,330.4 460,341.6" fill="black" transform="rotate(0,464,336)"/>
                <polygon class="arrowhead" points="472,96 460,90.4 460,101.6" fill="black" transform="rotate(0,464,96)"/>
                <polygon class="arrowhead" points="472,64 460,58.4 460,69.6" fill="black" transform="rotate(0,464,64)"/>
                <polygon class="arrowhead" points="440,176 428,170.4 428,181.6" fill="black" transform="rotate(180,432,176)"/>
                <polygon class="arrowhead" points="424,256 412,250.4 412,261.6" fill="black" transform="rotate(0,416,256)"/>
                <polygon class="arrowhead" points="424,208 412,202.4 412,213.6" fill="black" transform="rotate(0,416,208)"/>
                <polygon class="arrowhead" points="96,288 84,282.4 84,293.6" fill="black" transform="rotate(180,88,288)"/>
                <polygon class="arrowhead" points="80,176 68,170.4 68,181.6" fill="black" transform="rotate(0,72,176)"/>
                <polygon class="arrowhead" points="56,352 44,346.4 44,357.6" fill="black" transform="rotate(180,48,352)"/>
                <polygon class="arrowhead" points="56,112 44,106.4 44,117.6" fill="black" transform="rotate(180,48,112)"/>
                <polygon class="arrowhead" points="56,80 44,74.4 44,85.6" fill="black" transform="rotate(180,48,80)"/>
                <g class="text">
                  <text x="40" y="36">Initiator</text>
                  <text x="472" y="36">Responder</text>
                  <text x="20" y="68">1.</text>
                  <text x="260" y="68">[INIT]</text>
                  <text x="260" y="84">[INIT-ACK]</text>
                  <text x="232" y="100">[COOKIE</text>
                  <text x="288" y="100">ECHO]</text>
                  <text x="492" y="100">2.</text>
                  <text x="20" y="116">3.</text>
                  <text x="240" y="116">[COOKIE</text>
                  <text x="292" y="116">ACK]</text>
                  <text x="72" y="148">Key</text>
                  <text x="120" y="148">Manager</text>
                  <text x="180" y="148">Client</text>
                  <text x="328" y="148">Key</text>
                  <text x="376" y="148">Manager</text>
                  <text x="436" y="148">Server</text>
                  <text x="20" y="180">4.</text>
                  <text x="104" y="180">TLS</text>
                  <text x="144" y="180">START</text>
                  <text x="352" y="180">TLS</text>
                  <text x="392" y="180">START</text>
                  <text x="192" y="212">[DATA(TLS</text>
                  <text x="260" y="212">Client</text>
                  <text x="320" y="212">Hello)]</text>
                  <text x="452" y="212">5.</text>
                  <text x="60" y="244">7.</text>
                  <text x="128" y="244">&lt;-[DATA(TLS</text>
                  <text x="204" y="244">Server</text>
                  <text x="256" y="244">Hello</text>
                  <text x="296" y="244">...</text>
                  <text x="356" y="244">Finished)]</text>
                  <text x="452" y="244">6.</text>
                  <text x="60" y="260">8.</text>
                  <text x="136" y="260">[DATA(TLS</text>
                  <text x="224" y="260">Certificate</text>
                  <text x="288" y="260">...</text>
                  <text x="348" y="260">Finished)]</text>
                  <text x="452" y="260">9.</text>
                  <text x="448" y="276">10.</text>
                  <text x="56" y="292">12.</text>
                  <text x="172" y="292">[DATA(Protection</text>
                  <text x="296" y="292">Established)]</text>
                  <text x="448" y="292">11.</text>
                  <text x="16" y="340">13.</text>
                  <text x="160" y="340">[DTLS</text>
                  <text x="244" y="340">CHUNK(DATA(APP</text>
                  <text x="336" y="340">DATA))]</text>
                  <text x="528" y="340">APP</text>
                  <text x="564" y="340">DATA</text>
                  <text x="160" y="356">[DTLS</text>
                  <text x="244" y="356">CHUNK(DATA(APP</text>
                  <text x="336" y="356">DATA))]</text>
                  <text x="256" y="372">...</text>
                </g>
              </svg>
            </artwork>
            <artwork type="ascii-art" align="center"><![CDATA[
Initiator                                             Responder
    |                                                     |
 1. +------------------------[INIT]---------------------->|
    |<---------------------[INIT-ACK]---------------------+
    +--------------------[COOKIE ECHO]------------------->| 2.
 3. |<--------------------[COOKIE ACK]--------------------+
    |                                                     |
    |  Key Manager Client              Key Manager Server |
    |    |                                          |     |
 4. +--->| TLS START                      TLS START |<----+
    |    |                                          |     |
    |    +---------[DATA(TLS Client Hello)]-------->|  5. |
    |    |                                          |     |
    | 7. |<-[DATA(TLS Server Hello ... Finished)]---+  6. |
    | 8. +--[DATA(TLS Certificate ... Finished)]--->|  9. |
    |    |                                          | 10. |
    |12. |<--[DATA(Protection Established)]---------+ 11. |
    |    |                                          |     |
    |                                                     | -.
13. +------------[DTLS CHUNK(DATA(APP DATA))]------------>|   | APP DATA
    +<-----------[DTLS CHUNK(DATA(APP DATA))]-------------+   +---------
    |                         ...                         |   |

]]></artwork>
          </artset>
        </figure>
        <t>The diagram <xref target="initial-establishment-diagram"/> shows the case
where SCTP Initiator ends up with the Key Manager client role.
The opposite case is identical but with inverted roles among
Key Managers. In the following procedure we use Initiator
and Responder referring to SCTP, Client and Server referring
to Keymanager role, and implicitly TLS roles.</t>
        <t>The procedure is as follows:</t>
        <ol spacing="normal" type="1"><li>
            <t>The Initiator sends INIT containing the DTLS Key Management
Parameter (Section 4.1 of <xref target="I-D.ietf-tsvwg-sctp-dtls-chunk"/>)
with this method's identifier (see <xref target="sec-iana-psi"/>) in its
preference-ordered list.</t>
          </li>
          <li>
            <t>The Responder enters ESTABLISHED state.  It retrieves the agreed
DTLS Key Management Method and role from the SCTP stack (e.g.,
using the "Get Agreed DTLS Key Management Method and Role" API
defined in Section 7.2 of <xref target="I-D.ietf-tsvwg-sctp-dtls-chunk"/>)
and verifies that the selected method matches the one defined in
this document (see <xref target="sec-iana-psi"/>) and gets the assigned role
as key manager client or server (in the example depicted in
<xref target="initial-establishment-diagram"/> it is server).</t>
          </li>
          <li>
            <t>The Initiator enters ESTABLISHED state.  It performs the same
retrieval and verification as the Responder, confirming the
assigned role as key manager client or server (in the example
depicted in <xref target="initial-establishment-diagram"/> it is client).</t>
          </li>
          <li>
            <t>The client key manager starts a TLS 1.3 handshake, limiting
offered cipher suites to those supported by the DTLS Chunk
Protection Operator, and sends TLS ClientHello per
<xref target="tls-user-message"/>.</t>
          </li>
          <li>
            <t>The server key manager receives the TLS ClientHello.  If a
HelloRetryRequest is needed, an additional round-trip occurs
before proceeding.</t>
          </li>
          <li>
            <t>The server key manager sends its TLS ServerHello through Finished
messages.</t>
          </li>
          <li>
            <t>The client key manager receives the TLS ServerHello message,
exports all Primary and Restart DKC keys, and installs the server to client
key material as its read (receive) key.</t>
          </li>
          <li>
            <t>The client key manager sends its TLS
Certificate/CertificateVerify/Finished.</t>
          </li>
          <li>
            <t>The server key manager receives
Certificate/CertificateVerify/Finished, it exports both direction
key material for both the Primary and Restart DKCs, and installs both
read (receive) keys and as its write (send) keys.</t>
          </li>
          <li>
            <t>The server key manager calls Require Protected SCTP Packets to
enforce DTLS chunk protection for all future packets and informs
the ULP that the association is protected.</t>
          </li>
          <li>
            <t>The server key manager sends a Protection Established control
message (<xref target="protection-established"/>) to the client key manager.</t>
          </li>
          <li>
            <t>The client key manager receives the Protection Established control
message, and installs the client key material as its write (send)
key, calls Require Protected SCTP Packets to enforce DTLS chunk
protection for all future packets, and informs the ULP that the
association is protected.</t>
          </li>
          <li>
            <t>Application traffic can begin.</t>
          </li>
        </ol>
        <t>If the TLS handshake fails, the SCTP association MUST be aborted.</t>
        <t>After key installation, the TLS connection SHOULD be closed promptly.</t>
      </section>
      <section anchor="rekeying">
        <name>Rekeying</name>
        <section anchor="triggering-criteria">
          <name>Triggering Criteria</name>
          <t>Rekeying is triggered by implementation-configurable criteria,
including:</t>
          <ul spacing="normal">
            <li>
              <t>Time elapsed since last peer authentication.</t>
            </li>
            <li>
              <t>Volume of data transferred since last forward-secrecy rekeying.</t>
            </li>
            <li>
              <t>Approaching the cipher suite's AEAD usage limits.</t>
            </li>
          </ul>
        </section>
        <section anchor="rekey-procedure">
          <name>Procedure</name>
          <figure anchor="rekey-diagram">
            <name>Rekeying Procedure</name>
            <artset>
              <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="288" width="504" viewBox="0 0 504 288" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                  <path d="M 40,48 L 40,256" fill="none" stroke="black"/>
                  <path d="M 80,112 L 80,176" fill="none" stroke="black"/>
                  <path d="M 416,112 L 416,176" fill="none" stroke="black"/>
                  <path d="M 464,48 L 464,256" fill="none" stroke="black"/>
                  <path d="M 80,128 L 152,128" fill="none" stroke="black"/>
                  <path d="M 352,128 L 408,128" fill="none" stroke="black"/>
                  <path d="M 400,144 L 416,144" fill="none" stroke="black"/>
                  <path d="M 80,160 L 96,160" fill="none" stroke="black"/>
                  <path d="M 392,160 L 408,160" fill="none" stroke="black"/>
                  <path d="M 88,176 L 104,176" fill="none" stroke="black"/>
                  <path d="M 352,176 L 416,176" fill="none" stroke="black"/>
                  <polygon class="arrowhead" points="416,160 404,154.4 404,165.6" fill="black" transform="rotate(0,408,160)"/>
                  <polygon class="arrowhead" points="416,128 404,122.4 404,133.6" fill="black" transform="rotate(0,408,128)"/>
                  <polygon class="arrowhead" points="96,176 84,170.4 84,181.6" fill="black" transform="rotate(180,88,176)"/>
                  <g class="text">
                    <text x="40" y="36">Initiator</text>
                    <text x="464" y="36">Responder</text>
                    <text x="92" y="68">(traffic</text>
                    <text x="168" y="68">continues</text>
                    <text x="232" y="68">using</text>
                    <text x="280" y="68">epoch</text>
                    <text x="312" y="68">N</text>
                    <text x="340" y="68">DKC)</text>
                    <text x="84" y="100">Client</text>
                    <text x="128" y="100">Key</text>
                    <text x="176" y="100">Manager</text>
                    <text x="320" y="100">Key</text>
                    <text x="368" y="100">Manager</text>
                    <text x="428" y="100">Server</text>
                    <text x="60" y="132">1.</text>
                    <text x="192" y="132">[DATA(TLS</text>
                    <text x="260" y="132">Client</text>
                    <text x="320" y="132">Hello)]</text>
                    <text x="436" y="132">2.</text>
                    <text x="60" y="148">4.</text>
                    <text x="128" y="148">&lt;-[DATA(TLS</text>
                    <text x="204" y="148">Server</text>
                    <text x="256" y="148">Hello</text>
                    <text x="296" y="148">...</text>
                    <text x="356" y="148">Finished)]</text>
                    <text x="436" y="148">3.</text>
                    <text x="60" y="164">5.</text>
                    <text x="136" y="164">[DATA(TLS</text>
                    <text x="224" y="164">Certificate</text>
                    <text x="288" y="164">...</text>
                    <text x="348" y="164">Finished)]</text>
                    <text x="436" y="164">6.</text>
                    <text x="60" y="180">8.</text>
                    <text x="172" y="180">[DATA(Protection</text>
                    <text x="296" y="180">Established)]</text>
                    <text x="436" y="180">7.</text>
                    <text x="92" y="212">(traffic</text>
                    <text x="176" y="212">transitions</text>
                    <text x="236" y="212">to</text>
                    <text x="272" y="212">epoch</text>
                    <text x="312" y="212">N+1</text>
                    <text x="348" y="212">DKC)</text>
                    <text x="84" y="244">(after</text>
                    <text x="152" y="244">draining,</text>
                    <text x="220" y="244">remove</text>
                    <text x="272" y="244">epoch</text>
                    <text x="304" y="244">N</text>
                    <text x="332" y="244">DKC)</text>
                  </g>
                </svg>
              </artwork>
              <artwork type="ascii-art" align="center"><![CDATA[
Initiator                                            Responder
    |                                                    |
    |  (traffic continues using epoch N DKC)             |
    |                                                    |
    |  Client Key Manager             Key Manager Server |
    |    |                                         |     |
    | 1. +---------[DATA(TLS Client Hello)]------->| 2.  |
    | 4. |<-[DATA(TLS Server Hello ... Finished)]--+ 3.  |
    | 5. +--[DATA(TLS Certificate ... Finished)]-->| 6.  |
    | 8. |<--[DATA(Protection Established)]--------+ 7.  |
    |                                                    |
    |  (traffic transitions to epoch N+1 DKC)            |
    |                                                    |
    |  (after draining, remove epoch N DKC)              |
    |                                                    |

]]></artwork>
            </artset>
          </figure>
          <t>The diagram <xref target="rekey-diagram"/> shows the case where SCTP Initiator is
initiating the rekeying.  The opposite case where the Responder
initates rekeying is identical but inverts which key manager role that
executes the various steps between Client and Server temporarly for
this exchange only. The initially determined Key manager roles are
only used to handle the case both sides initiate a rekey
simultanously, see <xref target="sim-rekeying"/>.</t>
          <t>Either endpoint may initiate rekeying.  The procedure is as follows:</t>
          <ol spacing="normal" type="1"><li>
              <t>The peer willing to rekey becomes the TLS client for this rekey
procedure.  It sends a TLS ClientHello in a key management message
using epoch N+1. The key management messages are carried inside
DTLS chunks (the association is already protected).</t>
            </li>
            <li>
              <t>The other peer becomes the TLS server for this rekey procedure.  It
receives and processes the ClientHello for the key management epoch
N+1.</t>
            </li>
            <li>
              <t>The server sends its TLS ServerHello through Finished messages to
the client.</t>
            </li>
            <li>
              <t>The client receives the TLS ServerHello message, exports all
Primary and Restart DKC keys, and installs server to client key
material as its read (receive) key.</t>
            </li>
            <li>
              <t>The client sends its TLS Certificate/CertificateVerify/Finished
encrypted with the old keys.</t>
            </li>
            <li>
              <t>The server receives and process the TLS message, exports and
installs the client key material for both the Primary and Restart
DKCs as its read (receive) key and the server key material as write
(send) key.  Then it starts the drain timer to remove the old
(epoch N) DKC.  From now on the server uses new keys.</t>
            </li>
            <li>
              <t>The server key manager sends a Protection Established control
message (<xref target="protection-established"/>) to the client key manager.</t>
            </li>
            <li>
              <t>The client key manager receives the Protection Established
control message, exports the client Primary and Restart DKC keys,
and installs the client key material as its write (send) key,
and starts the drain timer to remove the old (epoch N) DKC.
From now on the client uses new keys.</t>
            </li>
          </ol>
          <t>The new DKCs use epoch N+1 (where N is the current epoch).  Both old
(epoch N) and new (epoch N+1) DKCs coexist temporarily until the
drain timer expires (see <xref target="drain-timer"/>).</t>
          <t>All rekeying MUST use ephemeral key exchange.  TLS Key Update MUST
NOT be used.</t>
        </section>
        <section anchor="drain-timer">
          <name>Drain Timer Considerations</name>
          <t>The drain timer determines how long old (epoch N) DKCs are retained
after new (epoch N+1) DKCs have been activated.  Its purpose is to
allow in-flight packets protected with the old keys to be received
and processed before those keys are removed.</t>
          <t>The drain timer value depends on whether the delivery of the final
rekeying message has been confirmed:</t>
          <ul spacing="normal">
            <li>
              <t>If delivery of the last rekeying message has been confirmed (e.g.,
through SCTP acknowledgment of the DATA chunk carrying the TLS
Finished), the old DKC MAY be removed after a short drain timer.
A value of 120 seconds (one Maximum Segment Lifetime) is
RECOMMENDED in this case.</t>
            </li>
            <li>
              <t>If delivery has not been confirmed, the drain timer MUST be set to
at least the SCTP association failure time (T_fail).  This ensures
that if the final rekeying message is lost and requires
retransmission, the old DKC remains available for as long as SCTP
continues retransmission attempts.  If the association fails
(i.e., SCTP declares the peer unreachable), the DKCs are removed
as part of association teardown.</t>
            </li>
          </ul>
          <t>The SCTP association failure time depends on the Retransmission
Timeout (RTO) and the maximum number of retransmissions
(Association.Max.Retrans, as defined in <xref target="RFC9260"/>).  With the
default values from <xref target="RFC9260"/> (RTO.Initial = 1s, RTO.Max = 60s,
Association.Max.Retrans = 10), T_fail is approximately 303 seconds.</t>
          <t>Implementations SHOULD set the drain timer to at least T_fail when
delivery of the final rekeying message has not been confirmed.</t>
        </section>
        <section anchor="sim-rekeying">
          <name>Simultaneous Rekey Resolution</name>
          <t>As either endpoint can initiate a TLS handshake at the same time,
either endpoint may receive a TLS ClientHello when it has already sent
its own.  In this case, the ClientHello from the endpoint with the
initial keymanager client role SHALL be processed, and the other SHALL be
dropped.</t>
        </section>
        <section anchor="key-transition-state-machine">
          <name>Key Transition State Machine</name>
          <t>This specification allows up to 2 Primary DKCs to be active at the
same time.  The following state machine governs the transition:</t>
          <figure anchor="dtls-rekeying-state-diagram">
            <name>State Diagram for Rekeying</name>
            <artset>
              <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="624" width="496" viewBox="0 0 496 624" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                  <path d="M 8,208 L 8,592" fill="none" stroke="black"/>
                  <path d="M 24,224 L 24,560" fill="none" stroke="black"/>
                  <path d="M 96,32 L 96,64" fill="none" stroke="black"/>
                  <path d="M 96,192 L 96,240" fill="none" stroke="black"/>
                  <path d="M 96,320 L 96,368" fill="none" stroke="black"/>
                  <path d="M 96,480 L 96,528" fill="none" stroke="black"/>
                  <path d="M 136,64 L 136,184" fill="none" stroke="black"/>
                  <path d="M 136,240 L 136,312" fill="none" stroke="black"/>
                  <path d="M 136,368 L 136,472" fill="none" stroke="black"/>
                  <path d="M 144,528 L 144,560" fill="none" stroke="black"/>
                  <path d="M 160,144 L 160,184" fill="none" stroke="black"/>
                  <path d="M 176,32 L 176,64" fill="none" stroke="black"/>
                  <path d="M 176,192 L 176,240" fill="none" stroke="black"/>
                  <path d="M 176,320 L 176,368" fill="none" stroke="black"/>
                  <path d="M 176,480 L 176,528" fill="none" stroke="black"/>
                  <path d="M 240,480 L 240,528" fill="none" stroke="black"/>
                  <path d="M 288,432 L 288,472" fill="none" stroke="black"/>
                  <path d="M 288,528 L 288,592" fill="none" stroke="black"/>
                  <path d="M 296,320 L 296,368" fill="none" stroke="black"/>
                  <path d="M 320,480 L 320,528" fill="none" stroke="black"/>
                  <path d="M 336,368 L 336,432" fill="none" stroke="black"/>
                  <path d="M 344,224 L 344,312" fill="none" stroke="black"/>
                  <path d="M 376,320 L 376,368" fill="none" stroke="black"/>
                  <path d="M 384,480 L 384,528" fill="none" stroke="black"/>
                  <path d="M 424,352 L 424,472" fill="none" stroke="black"/>
                  <path d="M 464,480 L 464,528" fill="none" stroke="black"/>
                  <path d="M 96,32 L 176,32" fill="none" stroke="black"/>
                  <path d="M 96,64 L 176,64" fill="none" stroke="black"/>
                  <path d="M 160,144 L 304,144" fill="none" stroke="black"/>
                  <path d="M 96,192 L 176,192" fill="none" stroke="black"/>
                  <path d="M 8,208 L 88,208" fill="none" stroke="black"/>
                  <path d="M 24,224 L 88,224" fill="none" stroke="black"/>
                  <path d="M 176,224 L 344,224" fill="none" stroke="black"/>
                  <path d="M 96,240 L 176,240" fill="none" stroke="black"/>
                  <path d="M 96,320 L 176,320" fill="none" stroke="black"/>
                  <path d="M 296,320 L 376,320" fill="none" stroke="black"/>
                  <path d="M 184,352 L 296,352" fill="none" stroke="black"/>
                  <path d="M 376,352 L 424,352" fill="none" stroke="black"/>
                  <path d="M 96,368 L 176,368" fill="none" stroke="black"/>
                  <path d="M 296,368 L 376,368" fill="none" stroke="black"/>
                  <path d="M 288,432 L 336,432" fill="none" stroke="black"/>
                  <path d="M 96,480 L 176,480" fill="none" stroke="black"/>
                  <path d="M 240,480 L 320,480" fill="none" stroke="black"/>
                  <path d="M 384,480 L 464,480" fill="none" stroke="black"/>
                  <path d="M 96,528 L 176,528" fill="none" stroke="black"/>
                  <path d="M 240,528 L 320,528" fill="none" stroke="black"/>
                  <path d="M 384,528 L 464,528" fill="none" stroke="black"/>
                  <path d="M 24,560 L 144,560" fill="none" stroke="black"/>
                  <path d="M 8,592 L 288,592" fill="none" stroke="black"/>
                  <polygon class="arrowhead" points="432,472 420,466.4 420,477.6" fill="black" transform="rotate(90,424,472)"/>
                  <polygon class="arrowhead" points="352,312 340,306.4 340,317.6" fill="black" transform="rotate(90,344,312)"/>
                  <polygon class="arrowhead" points="296,472 284,466.4 284,477.6" fill="black" transform="rotate(90,288,472)"/>
                  <polygon class="arrowhead" points="192,352 180,346.4 180,357.6" fill="black" transform="rotate(180,184,352)"/>
                  <polygon class="arrowhead" points="168,184 156,178.4 156,189.6" fill="black" transform="rotate(90,160,184)"/>
                  <polygon class="arrowhead" points="144,472 132,466.4 132,477.6" fill="black" transform="rotate(90,136,472)"/>
                  <polygon class="arrowhead" points="144,312 132,306.4 132,317.6" fill="black" transform="rotate(90,136,312)"/>
                  <polygon class="arrowhead" points="144,184 132,178.4 132,189.6" fill="black" transform="rotate(90,136,184)"/>
                  <polygon class="arrowhead" points="96,224 84,218.4 84,229.6" fill="black" transform="rotate(0,88,224)"/>
                  <polygon class="arrowhead" points="96,208 84,202.4 84,213.6" fill="black" transform="rotate(0,88,208)"/>
                  <g class="text">
                    <text x="132" y="52">INIT</text>
                    <text x="240" y="52">Association</text>
                    <text x="320" y="52">started</text>
                    <text x="204" y="68">No</text>
                    <text x="232" y="68">TLS</text>
                    <text x="264" y="68">H/S</text>
                    <text x="296" y="68">yet</text>
                    <text x="156" y="100">1.</text>
                    <text x="184" y="100">TLS</text>
                    <text x="232" y="100">initial</text>
                    <text x="280" y="100">H/S</text>
                    <text x="208" y="116">completed</text>
                    <text x="360" y="148">Association</text>
                    <text x="440" y="148">Restart</text>
                    <text x="136" y="212">YOUNG</text>
                    <text x="364" y="260">3.</text>
                    <text x="400" y="260">Aging</text>
                    <text x="448" y="260">event</text>
                    <text x="156" y="276">2.</text>
                    <text x="196" y="276">Client</text>
                    <text x="248" y="276">Hello</text>
                    <text x="372" y="276">Send</text>
                    <text x="420" y="276">Client</text>
                    <text x="472" y="276">Hello</text>
                    <text x="188" y="292">from</text>
                    <text x="228" y="292">peer</text>
                    <text x="204" y="324">4.</text>
                    <text x="244" y="324">Client</text>
                    <text x="280" y="324">H</text>
                    <text x="404" y="324">5.</text>
                    <text x="432" y="324">TLS</text>
                    <text x="464" y="324">H/S</text>
                    <text x="132" y="340">REMOTE</text>
                    <text x="248" y="340">tie-break</text>
                    <text x="336" y="340">LOCAL</text>
                    <text x="440" y="340">Timeout</text>
                    <text x="132" y="356">AGED</text>
                    <text x="332" y="356">AGED</text>
                    <text x="44" y="420">7.</text>
                    <text x="92" y="420">Finished</text>
                    <text x="212" y="420">6.</text>
                    <text x="252" y="420">Server</text>
                    <text x="304" y="420">Hello</text>
                    <text x="132" y="500">REMOTE</text>
                    <text x="280" y="500">LOCAL</text>
                    <text x="424" y="500">ABORT</text>
                    <text x="128" y="516">OLD</text>
                    <text x="280" y="516">OLD</text>
                    <text x="44" y="548">8.</text>
                    <text x="80" y="548">Flush</text>
                    <text x="44" y="580">9.</text>
                    <text x="80" y="580">Flush</text>
                  </g>
                </svg>
              </artwork>
              <artwork type="ascii-art" align="center"><![CDATA[
           +---------+
           |  INIT   |  Association started
           +----+----+  No TLS H/S yet
                |
                | 1. TLS initial H/S
                |    completed
                |
                |  +------------------ Association Restart
                |  |
                V  V
           +---------+
+--------->|  YOUNG  |
| +------->|         +--------------------+
| |        +----+----+                    |
| |             |                         | 3. Aging event
| |             | 2. Client Hello         | Send Client Hello
| |             |    from peer            |
| |             V                         V
| |        +---------+  4. Client H +---------+  5. TLS H/S
| |        | REMOTE  |    tie-break |  LOCAL  |    Timeout
| |        |  AGED   |<-------------+  AGED   +-----+
| |        +----+----+              +----+----+     |
| |             |                        |          |
| |             |                        |          |
| | 7. Finished |        6. Server Hello |          |
| |             |                  +-----+          |
| |             |                  |                |
| |             V                  V                V
| |        +---------+       +---------+       +---------+
| |        | REMOTE  |       |  LOCAL  |       |  ABORT  |
| |        |  OLD    |       |   OLD   |       |         |
| |        +-----+---+       +-----+---+       +---------+
| | 8. Flush     |                 |
| +--------------+                 |
|   9. Flush                       |
+----------------------------------+

]]></artwork>
            </artset>
          </figure>
          <dl>
            <dt>INIT:</dt>
            <dd>
              <t>Initial state.  Only event 1 (TLS handshake completed) transitions
to YOUNG.</t>
            </dd>
            <dt>YOUNG:</dt>
            <dd>
              <t>Only the Current DKC is populated.  Event 2 (peer ClientHello)
transitions to REMOTE OLD; event 3 (aging) transitions to LOCAL
AGED.</t>
            </dd>
            <dt>LOCAL AGED:</dt>
            <dd>
              <t>A supervision timer runs.  Event 5 (timeout) causes the key manager to check
for local aging expire, in that case ABORT otherwise return to YOUNG.  Event
4 (peer ClientHello with tie-break yielding server role) transitions
to REMOTE OLD.  Event 6 (ServerHello received) transitions to LOCAL
OLD.</t>
            </dd>
            <dt>LOCAL AGED:</dt>
            <dd>
              <t>TLS handshake happens in this state. Local keys are installed.
Event 7 (peer sends Certificate..Finished enable transition to REMOTE_OLD)</t>
            </dd>
            <dt>REMOTE OLD:</dt>
            <dd>
              <t>Both Old and Current DKCs exist.  Old DKC is used for sending until
Protection Established control message is sent.
Event 8 (flush timer expires) transitions to YOUNG.</t>
            </dd>
            <dt>LOCAL OLD:</dt>
            <dd>
              <t>Both Old and Current DKCs exist.  Old DKC is used for sending,
until Protection Established control message is received.
Event 9 (flush timer expires) transitions to YOUNG.</t>
            </dd>
          </dl>
          <t>In REMOTE OLD and LOCAL OLD, if a new ClientHello or Aging event
arrives, the flushing timer is cleared and behavior is as in YOUNG.</t>
        </section>
      </section>
      <section anchor="sctp-restart">
        <name>SCTP Association Restart</name>
        <section anchor="prerequisites">
          <name>Prerequisites</name>
          <t>For protected SCTP restart to succeed:</t>
          <ul spacing="normal">
            <li>
              <t>Both endpoints MUST have a valid Restart DKC.</t>
            </li>
            <li>
              <t>The Restart DKC MUST be stored securely and persistently to
survive crash events (see
Section 10.4 of <xref target="I-D.ietf-tsvwg-sctp-dtls-chunk"/>).</t>
            </li>
            <li>
              <t>Both endpoints MUST have indicated restart support (R bit) in the
DTLS Key Management Parameter.</t>
            </li>
          </ul>
        </section>
        <section anchor="restart-procedure">
          <name>Restart Procedure</name>
          <figure anchor="restart-diagram">
            <name>SCTP Restart Procedure</name>
            <artset>
              <artwork type="svg" align="center"><svg xmlns="http://www.w3.org/2000/svg" version="1.1" height="352" width="584" viewBox="0 0 584 352" class="diagram" text-anchor="middle" font-family="monospace" font-size="13px" stroke-linecap="round">
                  <path d="M 40,48 L 40,320" fill="none" stroke="black"/>
                  <path d="M 464,48 L 464,320" fill="none" stroke="black"/>
                  <path d="M 496,96 L 496,112" fill="none" stroke="black"/>
                  <path d="M 496,160 L 496,176" fill="none" stroke="black"/>
                  <path d="M 40,96 L 240,96" fill="none" stroke="black"/>
                  <path d="M 280,96 L 456,96" fill="none" stroke="black"/>
                  <path d="M 48,112 L 224,112" fill="none" stroke="black"/>
                  <path d="M 296,112 L 464,112" fill="none" stroke="black"/>
                  <path d="M 496,112 L 552,112" fill="none" stroke="black"/>
                  <path d="M 40,160 L 144,160" fill="none" stroke="black"/>
                  <path d="M 352,160 L 456,160" fill="none" stroke="black"/>
                  <path d="M 48,176 L 144,176" fill="none" stroke="black"/>
                  <path d="M 344,176 L 464,176" fill="none" stroke="black"/>
                  <path d="M 496,176 L 576,176" fill="none" stroke="black"/>
                  <path d="M 48,256 L 128,256" fill="none" stroke="black"/>
                  <path d="M 376,256 L 464,256" fill="none" stroke="black"/>
                  <path d="M 40,288 L 136,288" fill="none" stroke="black"/>
                  <path d="M 368,288 L 456,288" fill="none" stroke="black"/>
                  <path d="M 48,304 L 136,304" fill="none" stroke="black"/>
                  <path d="M 368,304 L 464,304" fill="none" stroke="black"/>
                  <path d="M 480,80 C 488.83064,80 496,87.16936 496,96" fill="none" stroke="black"/>
                  <path d="M 480,128 C 488.83064,128 496,120.83064 496,112" fill="none" stroke="black"/>
                  <path d="M 480,144 C 488.83064,144 496,151.16936 496,160" fill="none" stroke="black"/>
                  <path d="M 480,192 C 488.83064,192 496,184.83064 496,176" fill="none" stroke="black"/>
                  <polygon class="arrowhead" points="464,288 452,282.4 452,293.6" fill="black" transform="rotate(0,456,288)"/>
                  <polygon class="arrowhead" points="464,160 452,154.4 452,165.6" fill="black" transform="rotate(0,456,160)"/>
                  <polygon class="arrowhead" points="464,96 452,90.4 452,101.6" fill="black" transform="rotate(0,456,96)"/>
                  <polygon class="arrowhead" points="56,304 44,298.4 44,309.6" fill="black" transform="rotate(180,48,304)"/>
                  <polygon class="arrowhead" points="56,256 44,250.4 44,261.6" fill="black" transform="rotate(180,48,256)"/>
                  <polygon class="arrowhead" points="56,176 44,170.4 44,181.6" fill="black" transform="rotate(180,48,176)"/>
                  <polygon class="arrowhead" points="56,112 44,106.4 44,117.6" fill="black" transform="rotate(180,48,112)"/>
                  <g class="text">
                    <text x="40" y="36">Initiator</text>
                    <text x="464" y="36">Responder</text>
                    <text x="20" y="68">1.</text>
                    <text x="92" y="68">(install</text>
                    <text x="160" y="68">restart</text>
                    <text x="212" y="68">keys</text>
                    <text x="252" y="68">from</text>
                    <text x="308" y="68">storage)</text>
                    <text x="20" y="100">2.</text>
                    <text x="260" y="100">INIT</text>
                    <text x="528" y="100">Plain</text>
                    <text x="20" y="116">3.</text>
                    <text x="260" y="116">INIT-ACK</text>
                    <text x="20" y="164">4.</text>
                    <text x="168" y="164">[DTLS</text>
                    <text x="244" y="164">CHUNK(COOKIE</text>
                    <text x="324" y="164">ECHO)]</text>
                    <text x="544" y="164">Protected</text>
                    <text x="20" y="180">5.</text>
                    <text x="168" y="180">[DTLS</text>
                    <text x="244" y="180">CHUNK(COOKIE</text>
                    <text x="320" y="180">ACK)]</text>
                    <text x="20" y="196">6.</text>
                    <text x="20" y="212">7.</text>
                    <text x="76" y="228">(TLS</text>
                    <text x="136" y="228">handshake</text>
                    <text x="192" y="228">for</text>
                    <text x="224" y="228">new</text>
                    <text x="264" y="228">keys,</text>
                    <text x="312" y="228">steps</text>
                    <text x="360" y="228">8-13)</text>
                    <text x="16" y="260">15.</text>
                    <text x="196" y="260">[DATA(Protection</text>
                    <text x="320" y="260">Established)]</text>
                    <text x="488" y="260">14.</text>
                    <text x="16" y="276">16.</text>
                    <text x="16" y="292">17.</text>
                    <text x="160" y="292">[DTLS</text>
                    <text x="244" y="292">CHUNK(DATA(APP</text>
                    <text x="336" y="292">DATA))]</text>
                    <text x="504" y="292">APP</text>
                    <text x="540" y="292">DATA</text>
                    <text x="160" y="308">[DTLS</text>
                    <text x="244" y="308">CHUNK(DATA(APP</text>
                    <text x="336" y="308">DATA))]</text>
                  </g>
                </svg>
              </artwork>
              <artwork type="ascii-art" align="center"><![CDATA[
Initiator                                            Responder
    |                                                    |
 1. |  (install restart keys from storage)               |
    |                                                    | -.
 2. +------------------------(INIT)--------------------->|   | Plain
 3. |<---------------------(INIT-ACK)--------------------+   +-------
    |                                                    | -'
    |                                                    | -.
 4. +-------------[DTLS CHUNK(COOKIE ECHO)]------------->|   | Protected
 5. |<------------[DTLS CHUNK(COOKIE ACK)]---------------+   +----------
 6. |                                                    | -'
 7. |                                                    |
    |  (TLS handshake for new keys, steps 8-13)          |
    |                                                    |
15. |<----------[DATA(Protection Established)]-----------+ 14.
16. |                                                    |
17. +------------[DTLS CHUNK(DATA(APP DATA))]----------->|   APP DATA
    +<-----------[DTLS CHUNK(DATA(APP DATA))]------------+
    |                                                    |

]]></artwork>
            </artset>
          </figure>
          <ol spacing="normal" type="1"><li>
              <t>The restarting endpoint (Initiator) retrieves the restart key
material from persistent secure storage and installs the Restart
DKC for both send and receive directions.</t>
            </li>
            <li>
              <t>The Initiator sends INIT (VTag=0). Include the DTLS Key Management
Parameter with the same method list but a new random Tie Breaker.</t>
            </li>
            <li>
              <t>The Responder (the not restarting endpoint) replies INIT-ACK in
plain text per <xref target="RFC9260"/>.  Include the DTLS Key Management
Parameter with the same method list but a new random Tie Breaker.</t>
            </li>
            <li>
              <t>The Initiator sends COOKIE ECHO in a DTLS chunk protected with
the Restart DKC (R bit set).</t>
            </li>
            <li>
              <t>The Responder replies COOKIE ACK in a DTLS chunk protected with
the Restart DKC (R bit set).</t>
            </li>
            <li>
              <t>Both endpoints have a new established association.  Each endpoint
immediately calls Require Protected SCTP Packets to enforce DTLS
chunk protection (using the Restart DKC), then retrieves the
agreed DTLS Key Management Method and role from the SCTP stack
(e.g., using the "Get Agreed DTLS Key Management Method and Role"
API defined in Section 7.2 of
<xref target="I-D.ietf-tsvwg-sctp-dtls-chunk"/>) and verifies that the
selected method matches the one defined in this document (see
<xref target="sec-iana-psi"/>) and that the assigned role is as expected.</t>
            </li>
            <li>
              <t>The ULP MAY be informed that the association is protected at this
point.  ULP traffic MAY begin immediately using the Restart DKC.</t>
            </li>
            <li>
              <t>The client key manager starts a TLS 1.3 handshake, limiting
offered cipher suites to those supported by the DTLS Chunk
Protection Operator, and sends TLS ClientHello per
<xref target="tls-user-message"/>, protected by the Restart DKC.</t>
            </li>
            <li>
              <t>The server key manager receives the TLS ClientHello. If a
HelloRetryRequest is needed, an additional round-trip occurs before
proceeding.</t>
            </li>
            <li>
              <t>The server key manager sends its TLS ServerHello through Finished
messages.</t>
            </li>
            <li>
              <t>The client key manager receives the TLS ServerHello message,
exports all Primary DKC keys, and installs the server key material as
its read (receive) key for the Primary DKC.</t>
            </li>
            <li>
              <t>The client key manager sends its TLS
Certificate/CertificateVerify/Finished.</t>
            </li>
            <li>
              <t>The server key manager receives
Certificate/CertificateVerify/Finished, it exports the client and
server key material for the Primary DKC, and installs client key
as its read (receive) key and the server key as its write (send)
key.</t>
            </li>
            <li>
              <t>The server key manager sends a Protection Established control
message (<xref target="protection-established"/>) to the client key manager.
The server endpoint export and install the new Restart DKC key
material (both send and receive directions), remove the old
Restart DKC, and commit the new Restart DKC to persistent secure
storage.</t>
            </li>
            <li>
              <t>The client key manager receives the Protection Established control
message. Installs the primary client Key as its write (send) key.</t>
            </li>
            <li>
              <t>The client key manager export and install the new Restart DKC key
material (both send and receive directions), remove the old
Restart DKC, and commit the new Restart DKC to persistent secure
storage.</t>
            </li>
            <li>
              <t>Application traffic uses to the new Primary DKC.</t>
            </li>
          </ol>
          <t>After restart, the new Primary DKC MUST use epoch 3 (the epoch
resets).</t>
          <t>The Responder MUST NOT change the Restart DKC during the restart
procedure.  After the new Restart DKC is installed, the old one is
removed.</t>
          <t>It is RECOMMENDED to complete the TLS handshake and install new DKCs
as soon as possible after restart, to minimize the window during
which no Restart DKC is available for a subsequent restart.</t>
          <t>Note: There MAY exist a short time gap after association establishment
where no Restart DKC is yet installed.  If an SCTP restart is
initiated during that time, it will fail.  However, this is unlikely
as the restarting endpoint sends INIT multiple times with exponential
back-off.</t>
        </section>
      </section>
    </section>
    <section anchor="error-handling">
      <name>Error Handling</name>
      <t>TLS has its own error reporting via TLS alert messages.  When a TLS
handshake error occurs, the TLS alert is sent in an SCTP user message
(see <xref target="tls-user-message"/>) with the DTLS Key Management Messages PPID
(4242).</t>
      <t>If a TLS handshake fails during initial establishment, the SCTP
association MUST be aborted.</t>
      <t>If a TLS handshake fails during rekeying, and the current DKC has not
yet reached its usage limits, the implementation SHOULD retry the
handshake.  If retry is not possible or the current DKC is aged
beyond policy limits, the association MUST be aborted.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <section anchor="general">
        <name>General</name>
        <t>The security considerations given in <xref target="RFC8446"/>, <xref target="RFC9147"/>, and
<xref target="RFC9260"/> also apply to this document.  BCP 195 <xref target="RFC9325"/>
          <xref target="RFC8996"/> provides recommendations and requirements for improving
the security of deployed services that use TLS.  BCP 195 MUST be
followed.</t>
      </section>
      <section anchor="privacy-considerations">
        <name>Privacy Considerations</name>
        <t>Although TLS for DTLS in SCTP provides privacy for user messages and
almost all SCTP chunks, the SCTP common header, DTLS chunk header,
and DTLS record header are not confidentiality protected.  An
attacker can correlate TLS connections over the same SCTP association
using the SCTP common header.</t>
        <t>To provide identity protection, it is RECOMMENDED to use
certificate-based authentication in TLS 1.3 and to not reuse tickets.
TLS 1.3 with external PSK authentication does not provide identity
protection.</t>
        <t>By mandating ephemeral key exchange and cipher suites with
confidentiality, TLS for DTLS in SCTP effectively mitigates many
forms of passive pervasive monitoring.  Frequent rekeying forces
attackers to perform dynamic key exfiltration and limits the amount
of compromised data due to key compromise.</t>
      </section>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <section anchor="sec-iana-psi">
        <name>DTLS Key Management Method Identifier</name>
        <t>IANA is requested to assign one DTLS Key Management Method Identifier
in the "DTLS Key Management Method" registry defined by
<xref target="I-D.ietf-tsvwg-sctp-dtls-chunk"/> to identify the
key-management method defined in this document.</t>
        <table anchor="iana-psi">
          <name>DTLS Key Management Method Identifier</name>
          <thead>
            <tr>
              <th align="right">Identifier</th>
              <th align="left">Key Management Method Name</th>
              <th align="left">Reference</th>
              <th align="left">Contact</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="right">192</td>
              <td align="left">TLS for DTLS in SCTP</td>
              <td align="left">RFC-TBD</td>
              <td align="left">Draft Authors</td>
            </tr>
          </tbody>
        </table>
      </section>
      <section anchor="iana-export-label">
        <name>TLS Exporter Labels</name>
        <t>IANA is requested to register the following value in the TLS
Exporter Label Registry <xref target="RFC5705"/> with Reference RFC-TBD and empty
Comment.</t>
        <table anchor="iana-tls-exporter">
          <name>TLS Exporter Label</name>
          <thead>
            <tr>
              <th align="left">Value</th>
              <th align="left">DTLS-OK</th>
              <th align="left">Recommended</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">EXPORTER_TLS_FOR_DTLS_IN_SCTP</td>
              <td align="left">Y</td>
              <td align="left">N</td>
            </tr>
          </tbody>
        </table>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC8446" target="https://www.rfc-editor.org/info/rfc8446" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="August" year="2018"/>
            <abstract>
              <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8446"/>
          <seriesInfo name="DOI" value="10.17487/RFC8446"/>
        </reference>
        <reference anchor="RFC8996" target="https://www.rfc-editor.org/info/rfc8996" xml:base="https://static.ietf.org/tmp/reference.RFC.8996.xml">
          <front>
            <title>Deprecating TLS 1.0 and TLS 1.1</title>
            <author fullname="K. Moriarty" initials="K." surname="Moriarty"/>
            <author fullname="S. Farrell" initials="S." surname="Farrell"/>
            <date month="March" year="2021"/>
            <abstract>
              <t>This document formally deprecates Transport Layer Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346). Accordingly, those documents have been moved to Historic status. These versions lack support for current and recommended cryptographic algorithms and mechanisms, and various government and industry profiles of applications using TLS now mandate avoiding these old TLS versions. TLS version 1.2 became the recommended version for IETF protocols in 2008 (subsequently being obsoleted by TLS version 1.3 in 2018), providing sufficient time to transition away from older versions. Removing support for older versions from implementations reduces the attack surface, reduces opportunity for misconfiguration, and streamlines library and product maintenance.</t>
              <t>This document also deprecates Datagram TLS (DTLS) version 1.0 (RFC 4347) but not DTLS version 1.2, and there is no DTLS version 1.1.</t>
              <t>This document updates many RFCs that normatively refer to TLS version 1.0 or TLS version 1.1, as described herein. This document also updates the best practices for TLS usage in RFC 7525; hence, it is part of BCP 195.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="195"/>
          <seriesInfo name="RFC" value="8996"/>
          <seriesInfo name="DOI" value="10.17487/RFC8996"/>
        </reference>
        <reference anchor="RFC9147" target="https://www.rfc-editor.org/info/rfc9147" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9147.xml">
          <front>
            <title>The Datagram Transport Layer Security (DTLS) Protocol Version 1.3</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <author fullname="H. Tschofenig" initials="H." surname="Tschofenig"/>
            <author fullname="N. Modadugu" initials="N." surname="Modadugu"/>
            <date month="April" year="2022"/>
            <abstract>
              <t>This document specifies version 1.3 of the Datagram Transport Layer Security (DTLS) protocol. DTLS 1.3 allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t>
              <t>The DTLS 1.3 protocol is based on the Transport Layer Security (TLS) 1.3 protocol and provides equivalent security guarantees with the exception of order protection / non-replayability. Datagram semantics of the underlying transport are preserved by the DTLS protocol.</t>
              <t>This document obsoletes RFC 6347.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9147"/>
          <seriesInfo name="DOI" value="10.17487/RFC9147"/>
        </reference>
        <reference anchor="RFC9260" target="https://www.rfc-editor.org/info/rfc9260" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9260.xml">
          <front>
            <title>Stream Control Transmission Protocol</title>
            <author fullname="R. Stewart" initials="R." surname="Stewart"/>
            <author fullname="M. Tüxen" initials="M." surname="Tüxen"/>
            <author fullname="K. Nielsen" initials="K." surname="Nielsen"/>
            <date month="June" year="2022"/>
            <abstract>
              <t>This document describes the Stream Control Transmission Protocol (SCTP) and obsoletes RFC 4960. It incorporates the specification of the chunk flags registry from RFC 6096 and the specification of the I bit of DATA chunks from RFC 7053. Therefore, RFCs 6096 and 7053 are also obsoleted by this document. In addition, RFCs 4460 and 8540, which describe errata for SCTP, are obsoleted by this document.</t>
              <t>SCTP was originally designed to transport Public Switched Telephone Network (PSTN) signaling messages over IP networks. It is also suited to be used for other applications, for example, WebRTC.</t>
              <t>SCTP is a reliable transport protocol operating on top of a connectionless packet network, such as IP. It offers the following services to its users:</t>
              <t>The design of SCTP includes appropriate congestion avoidance behavior and resistance to flooding and masquerade attacks.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9260"/>
          <seriesInfo name="DOI" value="10.17487/RFC9260"/>
        </reference>
        <reference anchor="RFC9325" target="https://www.rfc-editor.org/info/rfc9325" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9325.xml">
          <front>
            <title>Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)</title>
            <author fullname="Y. Sheffer" initials="Y." surname="Sheffer"/>
            <author fullname="P. Saint-Andre" initials="P." surname="Saint-Andre"/>
            <author fullname="T. Fossati" initials="T." surname="Fossati"/>
            <date month="November" year="2022"/>
            <abstract>
              <t>Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) are used to protect data exchanged over a wide range of application protocols and can also form the basis for secure transport protocols. Over the years, the industry has witnessed several serious attacks on TLS and DTLS, including attacks on the most commonly used cipher suites and their modes of operation. This document provides the latest recommendations for ensuring the security of deployed services that use TLS and DTLS. These recommendations are applicable to the majority of use cases.</t>
              <t>RFC 7525, an earlier version of the TLS recommendations, was published when the industry was transitioning to TLS 1.2. Years later, this transition is largely complete, and TLS 1.3 is widely available. This document updates the guidance given the new environment and obsoletes RFC 7525. In addition, this document updates RFCs 5288 and 6066 in view of recent attacks.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="195"/>
          <seriesInfo name="RFC" value="9325"/>
          <seriesInfo name="DOI" value="10.17487/RFC9325"/>
        </reference>
        <reference anchor="I-D.ietf-tsvwg-sctp-dtls-chunk" target="https://datatracker.ietf.org/doc/html/draft-ietf-tsvwg-sctp-dtls-chunk-04" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-tsvwg-sctp-dtls-chunk.xml">
          <front>
            <title>Stream Control Transmission Protocol (SCTP) DTLS Chunk</title>
            <author fullname="Magnus Westerlund"/>
            <author fullname="John Preuß Mattsson"/>
            <author fullname="Claudio Porfiri"/>
            <author fullname="Michael Tüxen"/>
            <date day="6" month="July" year="2026"/>
            <abstract>
              <t>This document describes a method for adding Datagram Transport Layer
   Security (DTLS) based authentication and cryptographic protection to
   the Stream Control Transmission Protocol (SCTP).</t>
              <t>This SCTP extension is intended to enable communication privacy for
   applications that use SCTP as their transport protocol and allows
   applications to communicate in a way that is designed to prevent
   eavesdropping and detect tampering or message forgery.  Once enabled,
   this also applies to the SCTP payload as well as the SCTP control
   information.</t>
              <t>Applications using this SCTP extension can use most of the transport
   features provided by SCTP and its other extensions.  The use of the
   SCTP Authentication extension defined in RFC 4895 is incompatible
   with the extension defined in this document but would not provide any
   additional service.  This implies that the Dynamic Address
   Reconfiguration as specified in RFC 5061 can only be used as
   described in this document.</t>
              <t>This document obsoletes RFC 6083 and updates RFC 5061.</t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tsvwg-sctp-dtls-chunk-04"/>
        </reference>
        <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC5705" target="https://www.rfc-editor.org/info/rfc5705" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.5705.xml">
          <front>
            <title>Keying Material Exporters for Transport Layer Security (TLS)</title>
            <author fullname="E. Rescorla" initials="E." surname="Rescorla"/>
            <date month="March" year="2010"/>
            <abstract>
              <t>A number of protocols wish to leverage Transport Layer Security (TLS) to perform key establishment but then use some of the keying material for their own purposes. This document describes a general mechanism for allowing that. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5705"/>
          <seriesInfo name="DOI" value="10.17487/RFC5705"/>
        </reference>
        <reference anchor="RFC9525" target="https://www.rfc-editor.org/info/rfc9525" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9525.xml">
          <front>
            <title>Service Identity in TLS</title>
            <author fullname="P. Saint-Andre" initials="P." surname="Saint-Andre"/>
            <author fullname="R. Salz" initials="R." surname="Salz"/>
            <date month="November" year="2023"/>
            <abstract>
              <t>Many application technologies enable secure communication between two entities by means of Transport Layer Security (TLS) with Internet Public Key Infrastructure using X.509 (PKIX) certificates. This document specifies procedures for representing and verifying the identity of application services in such interactions.</t>
              <t>This document obsoletes RFC 6125.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9525"/>
          <seriesInfo name="DOI" value="10.17487/RFC9525"/>
        </reference>
        <reference anchor="ANSSI-DAT-NT-003" target="&lt;https://www.ssi.gouv.fr/uploads/2015/09/NT_IPsec_EN.pdf&gt;">
          <front>
            <title>Recommendations for securing networks with IPsec</title>
            <author initials="" surname="Agence nationale de la sécurité des systèmes d'information">
              <organization/>
            </author>
            <date year="2015" month="August"/>
          </front>
          <seriesInfo name="ANSSI Technical Report DAT-NT-003" value=""/>
        </reference>
        <reference anchor="KTH-NCSA" target="http://kth.diva-portal.org/smash/get/diva2:1902626/FULLTEXT01.pdf">
          <front>
            <title>On factoring integers, and computing discrete logarithms and orders, quantumly</title>
            <author initials="M." surname="Ekerå" fullname="Martin Ekerå">
              <organization/>
            </author>
            <date year="2024" month="October"/>
          </front>
          <seriesInfo name="KTH, School of Electrical Engineering and Computer Science (EECS), Computer Science, Theoretical Computer Science, TCS. Swedish NCSA, Swedish Armed Forces." value=""/>
        </reference>
      </references>
    </references>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA91923IbyZLYe31FmXoYYAhABEXd6JmzS1HUiCuJlElIsxOz
tqIJFMG2Gt043Q1ysKQ29iMc4Uf7xRHe3/D8ib/EeatLX0CCkuzYNU/sDtRd
l6ysrLxndb/fV5NsnEYzs6sneXRe9udZfh7ncb8sLq+m/WJczvuTMin6F1E6
KS6iz6a/NVRlXCbQY5RHaQEdSv02Wppcn5rxIo/Lpe6M3p529VlUmIn+bJb9
WZRGUzMzaamzc11eGH1a5iaa6f0sLfMs4ZFmcVHEWarf51mZjeFp53R/9L6r
X8Joev9ikX5W0dlZbi5hZnhynuX8Kk41NlTZWZElpjTFrhpH5a4uyomK5/mu
LvNFUW5vbT3f2lZXU+h9+vHXX1QEEARrUMXiTCAol3NY3eHB6JXWD3SUFNmu
3ojTiZkb+H9pudHTG4d7L+A/AMLG4cno1YZSlyZdmF2l9TTPFvMQOXswkf41
yz/H6VT/gm91h9DbhdazKE4AQvzn38amPB9k+RQHicuLxRm8MPE4ieYP19wc
paJFeZHlu6oPgwBmil2t3w30r6YoTZ4s0gk+5v1+F03TRVF7BbPv6oM8HhdF
luIDwwDOqPHgyjX+WyONBuNsFsz2dwPYP7P487/B+GVpR+EZ/y67SNverpr0
P0P7wUwarppwHyZktPiJ9pNoMYmz8MWqOcbcdCCorc6i4hSoDCCIL2lrT17t
P3669Vh+Pn+8DT/h997R6elh/+XeqH806m9tPcL3WpdRPjVAhj9dlOW82H34
8OrqagD0NZhmi8vBef5wMU+yaFI83N4aPn649fzh0ejT4fvCjD8dHA3mk/O/
8Ch81E4MwAMHaAKwZGlBxF/QcQOaSk15BeRV6CugGk1jUN8CFmMKXANDJJDq
kRlfpPE4SmBYolAPOrWzNMR9+vJfwffe1KRjA4hGQKLE6InRSaSLP/+FDv+f
/wIPCl0si/LP/zmDX5MfHBIZ8RrWACvaW0zhVGpcPOLwzeh1/2j/dK+Kuw3E
HaDuc3kxmMSXEZ6AMkrwkDwsZlFx8RCaPcQ327tDON5Ptp88fPXh7dvRwd+P
toaIxY0QixvHqT6PxmVGaIvT0kxNXvQ0HB8N+J0vSnw+iYtxDnxEJ9k0giVd
zApqkeUTav3XRZSWi1my3FiB5Q1YTE+fji8yYGLA8A4SMy5zQvhBOo1TY2h+
HHOfZkXeOY4Jr52Dg/3Tbq/xoqdHFyYDsGiYlrf7pwN9emUA+AuNiOy5f+3l
M+DDr7J8bIrBxm07TBsM7OLgs8n//B/2qWUXOWAnfMX7eAzoPANItre2d5RK
a8fl2c7OE/vz+XP78/lw56n9uf1ky/58tE1HC47SAFlhg82NUQbAiVP9fl9H
Z0WZw14qNbqIgcyy8YIEzMScA4YLfZFd3SWghoNHCrouUExFsMd1WTUzgKUJ
nTWSWSBkAmEEr8fAeONiNlCHpS7mZhyfxzJzRCLK8WUNfDM6S2A34D2OFadx
GcNGFgKRGoPYMX+UNFnEAg1gKrJxTAeHiAUHBilVmL8uELzKDIWa59llDIcR
FqEXc9wcJtvc9HG7oQeQDo41QFLS0wymh9WXmTYpwGZU0AoRQmciPY9R4iGo
yIAWqYyhs0vEJ0K5KJCYoavyuOnpxECDaIqvYOnAt/JJ/I8wLDYBvOtzE5WL
3DAnA5BVgHeGGh5C7wHv9iyeTABE9UAfosYwWYwJiusHcfDPL0gL99Mtrq+F
Br98QWREqnQkM7dNgZ/F0xRgB1QVizm9BM5WALh94CQAsZlUsaOIEbslFovx
BRLYbJGU8RxYZkEQ8tplJN4ratG/yGa08sMU5G66BABAUiwRNcB95ngOx4sk
ypMlqAeJqe6LlQU9HZewIgWjy/4B9JZEwn0F4usxK8zpJ4IxBw6lqkRDsNJ+
A4bOz+MxbMz19e1HFXBqT2PkTwuOpJzsoiHPlkCD42hewLJK95TGYKEGjOel
pZwcVpxPYMhS4UmiVkRuyUADZUfuKArgFgRsTINwD5ZJPZWaaVbKIQP8jM0E
94zxAAfRshm99/7Q0qr2tNrTZ4tSTWAbpnTgcBJovQB8VxvSOfsDWDbITGEs
heY9AKYxARSoiMF7A/3e+X6Htk0+WMXqstQwjfG4u7j1wNQKd9iIypEVf/mi
PMfQ4yjPY+Z9cpJNQI9ILyZHNAFZ4orqFIEYAokIzF7zWYXlwgKR1izLDFR3
PHmGT+0xjBuBEKb9QmqcncWpsJXzVlaLUyGHqTFoRsAELYCyghn4nZtzk+d8
amGBG2IyqNBk2Bgwx8CtiiaXINZp5QQEcoM5EESEZzcHeaZ+1MDmc2C+MR7q
lPczLUgfg0kssgMukWTptJ8AgibA6IkBFQMZB4Zn+wgW7Sg7gjUi4iJP7hVO
egUEkyxBREaXoLwi06a+8QyYCq6blUOY4sEDZH+XuFnwwC/yik7OxrsPpyM0
YvC/+uiYfp8c/IcPhycHL/H36eu9t2/dDyUtTl8ff3j70v/yPfeP3707OHrJ
neGprjxSG+/2ftvgE7Vx/H50eHy093ajuWmAZUTemSF2lM9RB0PihOMFCll8
xhv9Yv/9//rvwx2g6X8HRL09HD4HNsP/eDZ8ugP/uAIi5dmyFHgk/xMwCyds
PjdRjqNECQi0aB6DMolnHXg0CNdUA/rNQP30NwmQle4/+Zu/gLJxWIOzp//h
5h9ugPbSDE888FIUmJ5+z5agOrKMRoWLNmNkcmDpGSiUS5BZpf/Xl/qZpnOL
R+A8S5LsikQrNAebVu15dWBXgQLd1BJgsv0EBRK+xz0Hg2Gexch9kC9eRDx0
jTONqYsGWWlQNQChoWFVcHZADgKvwD3BXhvcboMa6s6+PovLLu+iaeNcMMr7
KAfdEfVUwMvd0gLBz9KUuQQt0R2NsXvO6lqTE0NnB8S+KFOdl2/2uxYXdR7V
YUECAnWJdhi+77l90+lihlotPYzINj782KVpzzKQ7SBUJ6KnjA1ywAkwBYIP
yKnMwCrBk0xqAKInBwke4cGFDZ2gegg9k6goeTG1SYEtHiDXAeCRTVSEBGgo
YM0sUIkAlJISowO66MFMoG4B64F5kE9neY/3Bgy98UV3gOSMmmeJ2n+NRlgn
LUWbaxIXqF5wZgqauYhRVYnSbAHscm7QsCO8UCc7Img80RKo7hI1HgCKRY0D
AIABqRDPonyJa+UNb+whYYh1F5QfsMApKj9NDdnrJSdMuaa5RBDNZHkVaLWh
BjsJtJBgMFiO09iFuE4EsashBdTjoBOQC+MEtGLQSJZV46E6g90qp3XALKcE
VvP4Rp/tttQOr6zDH97w6CKtyOHldvbwnt51eCtHF4ZZ6/ACo9sjBx0vEeTO
3sHeS8JWxbQ4SMf5ck6bRifEEjC8ehmVERxkxnEdw3zC6Q00mwKAKy08oKz3
hzT1ezneTvP3ChWgG3YFG61jMgCn5slXz/nhLY32AcRMLi99b7BdjmELLmNz
BTIgk59WABTC3URFR3NAB44T4Fe2Bx6/mv+T1gFs48ha34EmS2LVGqckQa+v
/Vu3b/n4IsbzBQ8Buij4J0D4T/5PR1FxOVWb/erfpq4/qf9tqht2JwCS+MeN
vtHBn2X1wd+NqrTwfdon21zdZ7P/F3qL1HTwB24e7I2MtLmiz80t89ys7rPy
75Y+955nU1ZbO7Uw0rrzbK41z03tyXrrofOalqPl3Kzd5/6wwZ7SYyScE5bl
DsxVfeg/LabIHX1uhW2z9uaus7AJZ8GO/5/0yr/KqxvX4xYKq7zyPTYrQNcp
LOwOsqWQbsg+b6Xmlong7+M6PT422Mddf5uefVT/bmME4XaS+HXrxL/AuuSn
P/XbWYH0WUE0jIH7wqYDsrkHFkJGrK53tZMi/QSFDakI6On+eSPk5xsgAsgp
1I+SeJr+vDFGl1W+AYx9bz5PnJ8EZCrqmynam7pkEViWLDMQWZFv/IkaiycG
HVVFaaJJL2zixkP/kwaVQIz6vdGe9eyISsfej6q7oA3dAy8jrNcWA36iZFV9
iLvWd4E48S6PHjss8CHSOoGFE+O4Viz0lHgbQNtNMuvcpCbeCmGp6XSKV2Cq
6dPFDHVZtrad9zAj6EEOk7KVG3gFdhgGKdVwoH/88VA8wQehvrn7449677w0
LWpuYUoMIKLipCwZr9TdAudWtydOacSfDxjCEOzDqfqlrV6OqAg03wL2INiZ
mDpxOA11FVAqADHbuKwT8d/iSg5isobqhga5BVNQaFqhAsVVnEvnoKeQNVQ4
bTpFfZtMmp5oTLhN8PYqytGeGgNporm1ygGuj5MJj4jaUW5mGertEWF8kkcA
IHmeH+FKaAcEB7ga3l3T9y79CoosVRNqEIT94+M3hwf6YP/18UP5vbf/Bo0E
WO/U9MTSF/POIaSODDed4GPlDpGmSQcJvbzTRc50c8KOK/Iiow8CNXdq8IU9
FNDho8lR413lZkTEL9A3aDXQmmuR7NY8QcX6kkcqbEvraELnDh5c3AH0zaDn
UtpWmp4ZRedbzDOcOYnPTRnPaHIbINmruD7Q6RXPkdJOF8D7cP3ou0VDFMwB
eybQc1eCBZV/ZnN047cNawdtuCirmWzAYU8WMwuWArMzhtFiUahrTq7A6Udq
eNpHy0ePGZwCwSkU0G7lARk/2aKsu+Mr2JJR8WDtVzqTn94vihw8k4wWZ938
BtrPgPsk5De1BLdqeGJbVQAt+7AuVlOPkFWZoqKRyekWp2ACAwiwwCKYBUl8
JaNXNb9w0Ci0itARD+j+68IA9fuRGXIlkHcKYLSnwqaeAp2u5YDqijHU9HOz
0Vgu5eQgP/lCBmEjDcUSsDjNAReVuBqsjby/qkY9QO56bPKS4xamz87hGt9S
6lcSS74dUyOelR7HHgIBTE5wdAQUMXqK0fkd9NTzDFrGKBPDp0AjsJBLIMSJ
eJRw+bEsXzUY6ag2qWUWV0iPJFEs5mKiWYVBTApNYcgnmxBGflnAbOgAI/lG
Do0QJg+NHgMBAHM4zxap2LKSiEGG7F7iI6oAyThmJmR3xDncES6Mcf1QVDdH
WWB7dI4Qh8jHnb1PWpZbEQB+GiPUlH0UyOiCwMQddRG/QxDik0mO0bgCVRMn
DMU9J6qUQocZRmVI7GUzPYnPz01Ojp5sAfK1OhBFCviIZXk8jVOkt2oc17mE
mWMwdgvPA6Lx2MxLkDvCHOCcuB3z3Fex1oGs1wkof+4pCKbf7f1mRwtjaugs
LPMMxs5VlEyzIKHCbZXnY3wArfKg3yON4qGjcHCfSBZ95ofViAcvhxyNlqrp
XCKtZSDUU+LPptSwBgFfefAlb8ZxS3KxWW6J57U2GUc/FIGkgcoTg55c1JqX
MOMip7XxP4dbW/qXF4gD1IZ7cCri8QWdBAoYA8/jJRG0lLgDFF1PJyLSbl2x
LKltTyQsH+nzRZL4oB8vFZtXmMiZAQDgIKfLwC0dtlDmj3lMHko88O9P31SQ
pGdwkPW8+Pzps2nIehSyMcomCpqVqiGd6vi2Gu0HSmJYMZ7C8dIfvLBjJFQH
teoiT8Dq/YDZNkXq4vFnAwcDKdcOjl3gdC1mc2ZwJ+638B7rkFbMKSkE7UkJ
Q+mgfEaEfEffZwTKmJN+MNIIlI66G4xyBo0/4ygzZGcuEnB9bROiaPdDZ7Ds
fRKDdcbKMIcqAq+8Qbd8lR4KBUcA1C2vHr7jQG/gzmTZhlHgvkSBRca5kDvn
hJCP1MWJxfgK1QJyOdIPjiyramSZSTM3SUwhzDjtU2oVcGyMleZLEgPskd1y
MRTVZum8s0OSu6Kzs72z3V0jLQGQQBGWRtQ7DL+hKzWIMMOwfpwKjnC4pocU
QG/+DVuebbc8e4Tdh/Dqkd7Rj/UT/VQ/08/v80xt9r/xf+pmhG6NA7SyAr/J
+n83TRjC19Yxf+sI953z/iOs7be+ZY67cVl33LSTkvXe1Kj8A1KoPa6nZb64
y60z0h13updz090FGjkDnrmrDzksKESOic7IN2wI1CaE2NB8eDQGmOiKqtiC
umzZCKMR24N0KjsO8AhgjsyDnJeo0n94W38RkBVGA91Jqb++lhcWaQXr7USn
u3AAYKGFxM+eajSsQZ7hM5tb0ojbkR/BAkHRb7sdtSj4//7n/6LjgRmwqo22
PnW6ikHtBMGAfB8tEVTcMPKGGHSCl3LFqXmUQLsJCiQwKAtRoSWMnFsGRGCc
xyaR/BUJkKF0oeQw9q65+DIBOi5rfFhpm3YyQAOYcLsLW5Az301MOi0vAFVk
VIx+3uqRPY45aagMYEIsptNXNlHbxsOe36IAY8Dwg6Sctr1y2Sm0uY6BXz9o
NBVrh5xvuIPsTKRMqmGvQi+ysxVOTtl8NRryCPPZFczod/8/ZeFa75d5QlyA
WJUDz24ARlJ1x9JE9/6s7d6sr7bPfZG0wvpqhIFpy/D2Fl7n1rcLeJOz70K8
hdXPKlSAbI9zTRwK2o4FDtq3uYR04ID834GBBmfdgE64FMXM01LbREiIciSA
yG6C/bjRR2D1tEoU/ZJSnljvXCl2bgIxdbNSgK1+EzYCyLb+2Bra+QMn70Hg
54Q3p4D/KBGmHeRTzn0PzDM6M3B0rVMYYG3beURPsWrjEUXFBjknH6wC5/qB
nzX0x0oi8Ipe9V3q+C35mZDQtWELJe4qzsqwuRRsT4u3OHiNywahV4IRbiYK
M8woxkDWoEVEK8JIBsCUTuyQGEZrSVWPacjzgvwwhMktgdLP0LuCFIqC8QPI
L5Ev3NrP1AvXIzAWAYwq2FRyA1FCAh8qDOM7wR0GKOIgsCMnJOTJSZHp0Ldr
E70Ru+QIzWcW0dbiUV7O+VQ1VlKiIH3Gg1PctiE9m01qRxtTqgU101c5eo6x
GcopUhNeYhQiknRzUtlQyk7cU/afnyBILw2n9tnWCCe0DB5CY2pZecip31xs
UGBGtyRc4waznHNLFE6i0Nko7R4Phmum12mOKam2fCQiGX9Iem3e3vNFyo7a
3KAnHGNG5KRy40H/8ecfQgpiby1TCCfRI05UR2gOc8ppr7o92biEA4JWSVMV
Yw8x5Ldvkl2l0zyaUDhGcl1ZL+pQLpozmH9otR19RKDr/QrpfEEKBnoM/Baz
zuLyRqzieP3AOhX6Ur7xpZmEyB5aDmVNfLFEJeRYVZuU91s/5p0NQyzkCrD9
bNUIpX1htGMxlpxZkXvV1NSa5oPqZUFC6RVpmjf6Lck++PGR9HQvYpwQuQkE
xkub8wgdhsx4SIpsAR+VDQZU8gb3WLz8HPBSaYIjIb7oUDcHmnOc66Gk97lx
bPac7V6ySK13f4MJnHbqo09vDn6jf27DPw8/UmcB4807pgjo6lSBmzvCq+Tj
EBnhoptcLhJJtmOwSFn5/6WJZPQbcW3cPl7HktgOMY81XCYkEyWqQ/OxV1jc
VZL2LMF+8bBfAXn0pI+leufp1RdgBKFLOJV8SWoyjyYTDr1KKqPQNIJq0oLy
2diISpfodPRVHiIy2viGX3YQTiR+5d2inShgJ1GJfKyr0A+YlBS5n8UFqKHj
Cy5oZqEecs/zKE44gzNkFG+jM5MUIZ9I6AlmXmjkBEmND9Brl93gQ+Aiu8L8
Zao81frg798fn4wOTj7BOJ9eHZ98Qgx8Ojz6RH43kr5OheXUUZv+7DKWe3T0
hK+iuwDDUy7wwOE/S3t1xtO5vm7wQDDHOYNZ1So7XvoZ7YHnWd35JfcA6Q+T
BaoiEcBRlEBCpUzd00tkVYiI4bZtjppAVuKatoM8bP3nfwWrCicpFPx8RDMU
XVFJ5FyK3C9keAkFOEB/9mxMdApyPhfK6wm0AN/BszfRLriDRpuf9Qpi4T5H
mR3jnCSOfmHrY2czBNEmCJ74veNK9MIetCBMG0ZBmRjRTXHIq3RKzOdxPw4e
fRGeUSzGgPTifJHUqhfdfoh/AEwx3YnPfbJ5oVwgtktZCFQus6eD9G7xrAfJ
2y5hG1uGGRSVnOm2LGmyuuK84OZhIgaXTy6b6g35zDEkh+dDscvnkc20D4oq
Q4idM5jSTZAZmfEC02u5v9WnXDqCgMqqDE+BOeElOY8eYRDnXIfZJGRmuAB2
hbcTuFOTUu5QiByFKzQINE9whSUrOqrADcParhPRGEL04tgKA9SYGhFZX02k
r0yS9K0aAs1h4o7kA1HpJgb5ODnMRkqU3U/Zyq4uMubPVQWMQ3PkLyrgPHNC
GGUyq1rtgy1ZxXIJKZbgiMV7n9BMVp/NXyYab82houJQet6v5PK35jP7sohV
5nbrnzvFqupduc/fjdLDwWo39O+HR4ej/9j+7i+ce0mpiyt69vf237T35iTU
1nl/D3KW2jr/5UZvDxSen/apf/d5Tq1zb34burivV25yy80rf+F7pxy5ee8x
+Y2dd4e3CVaP7PF0tHcyau/hXzN+Nr9tXvvb79XvmEbZofwYXvlrOLtZ1yEb
E6MfD751vfT7KW2yn1BQSRPqwWAAtkNKvJdm39T6iZ/3GSEsADZI6mh0RZif
fz3Mwy3Xd7jNhMkTt3uBPK4A5uHw++Dqa/5udH+gho9qHOB3Tn56/eHoTYdW
sfeec2e73cqJogz4G23f8pH+6SsGoticB+GOBeHm3YaSG9Vw+7by4v4k5joe
cQK2MvLbAl3oBpAhrq9vneLLF6rxFI9wVBjFopMEsuf+pFct5j5SELKRsFKS
5s5AeBeoCVJdnCvWwys6UFrSIHEK56UUzwfIt1mWTlUwakGFdVXT3Dt8riis
4QFUku8pyiNXOYv7DJfSc+5JaCdn1TXCHACYeSbL8Qo4VhDHY9iDJUd7ENKB
S2QWUNB7VwiQkr6MDTzuCkIeSh0bAbTWVnt56GqDdJ1cPRxAdok8mugc+iEo
l8xtvBC0tn4M8/bnRUyGLKV1Yfc5YQbVD85AgE0Csik5h1nUJkE0kVyhD4Ct
v3h7ePr64CWrSJzP5x1i5Oua5sZMVmVnsxuL9Rx0ebS40HTHDKaDHo7gHUYb
v5hS79HQd42LLsYNdL1xereLx3nH0vY9kIwjAhnZeIrzsYqrThyXbB4zAtBM
CPxZWtcqvVdsDE40NWXR4jBEMIqg9tGdRSI7ovKOZOOYPyIMXKKRFI9LB8Hd
7MFGGMkfydnfVfq+nQak4IChL4CucVYhDOAHHos2rZRbOhLrWfe3zbmjNQdI
uC8GePMdEtbGAI+LGNhhDMhE4dxkTRRtFQU9zkxCbgPzZ+RFmNTyislZc0di
MPGHZhFITzIHkdN4/Ye1kTnr4dfXrSk6j3kxgqtwMRJ8L5xfNhgU9/acqq5Z
5TmBDV1iLj2mFVC1jJkYckpjXmYstZo55qf2YevnOhuPFzlxG0myI4ZqxM31
ZCVQvER0HXiti5dZXsDw0wunPeHYNmgOQz5duWmNdYaj2pAQFXOIMwTdTivq
DIJQivOhBKEX5//A4Sp+p9Af0hGIutgEQH+2mt5CbFBVhVclHwa/P+IJWz60
qIExn9+57esPR5fqWOSQievcTY11uqsCSopEthdr1BCI7Zlr1JFjPY6EAnY+
dRAnXRurQvV3xTrHNLbUf9gzBUeO5M37iHMgy4xUPgkCrgjskncFaOJ8QXXC
c+kbhAb5trV7hAeHwztOQHRHGJdmdKFcqm1uiwiDeBEXcZO6EIzt9U7N+rC0
nI3K4NXjEG4pjUIXT6y5cy27RmPcuXO9W6O6fFPcLVsHAjIsIBQnkOTJTuOU
PV6W2Xh3IjrLi17rtQguVz86s2Up7GNDpIU+y15LUZ5kZlMuVpKhjwrAnc1B
q62llUs+OfyU/IJRHk+nXEC5jzsBW4M3PkhzLHPjBiyoqvftSBnVIqdIzli6
95QLfJAvdISlSyaJ5lS2SGUDlGmNZQiNMo8f9UcsPjI2cZxLEOQ+o6CzFLz1
peAtuDTtR9wZurzIqo+hBAY1meqTuJqL5DVn3gd+Np90b598R8fZd/CbOZu7
4+gODmGcLlyCMTtIj5DRdtu7fsOsNmoYWIfh3/dyPlX9CxU/4R0+IPLR+a47
93HjbJJr3HZ9fA8vDsz6JOj67D6OmE30NX2XzXEkQecmLu0VXUIRm8MGTXyX
Wav1oz2pK11Nh982a8PDwse15lHxpTT2GK/tTqmM13Cf6Fb3SVyo2jVCjidx
IKLqMeExKmYQ9ae04Dzgv1W/CrtUCimnqQhrtJNQgCnzBwZrRGxjoB1rIorS
zDE3rbzC9LSmp6Q0M1Du6GpFDG+Q1eqKXLCwkbUEsaOSpcvjMRzEDMGgxA9F
1ZA2mosiMDEehXyVFBU22ppoHfG6VXDDUkIXU5HFHM/6TnShUaPqtdVYQObG
quH+TlcOCSNMZxaHEpc4nWFVbGA1iBrDUbpY9ondKTZERwax1d/qZhoFm2rX
GPkk7yrz3hTI2ptzbo3PWkdUOreLXDLQaVFAbQq202a63uWTET4JE/WFi45a
XXht1ay+i8ZINbr4urCRxBAPYXVSsDZaOQ6Di3deCJl7faswvMiRPTBWAW0Y
9mvZhaFRyLb52nZh3SbUQi9r2YSPK6BW17+e1cbXE9CVU4AW59jNkok1nqpW
eNv2OdQ00cEXp9+p6N9lDxLd0o0Eq5DhEt8qtpJHIdkQOIy3DPngo7/Temwo
cS6nyjXQSHM+5SSmBCc0gJw+iuXDGK/QRZliMWUaAkDxcay6EzQ+/Q6m3Ddb
cqt9CGsYcghBLT3Y73Qw5a3Eb32mX2P7kd1nB1h3y2r7hd3rOybT13dsRMkN
V0x4GGfwGlKHZfORXPKhx4s8d+wJM3xeIDEjwfjZEWgcruOG4WwQwClVuzj5
GqNQBIGekJ0ZLo7rTAvrIqZXfXrFZT5Y4u0UA5fUcZ9aUhXeQ8FGz0sCYEQA
4K0RIEZyqbO9fhCCICpSAK9TAPjeb7zxtbkl9poRzrZQrCe2IooSJSh3Hq8q
vHQ3BoDlvcjnGQeZgKFHlBsMcJ2DDndROleMv1KnwefkblU5BRMVCqeJdU6y
W5YdTv5mlEFz3VzIFSQiAbmUF5IQ7ws5JecUK9OV2zZ7xl2dgDi+qULiR/S3
1gcga3eN/j5wYsUhOxjGn+EsJGYyDb9B4q8iIhViGWTmwgDOquk5LFLyDNcK
V6+MiVA3BhYQIKhe7ra9heXAVEnWwfDIu+gPUPBmIGoZprdyvQkl3+nK3SK2
Gg9VxkEdQYgDvKugiodeg2lYvwoXUOEVwrZwvdUNI/mM1Fl3Rp/w311bpyCZ
mIRlGCYONrm5SdA+yQp7qTtfnqw4MOIvWaziOMdvc8DZ87cck/uq4NNla4p1
YPBXR8METix/KNh5X1cAyf2E5YRcy0drn5hxEuUiG0j5W6Q5pllRVZQr+Kuc
CkUxKbyPnS5GCK8iNVGO6aRybm7Hbi2Z76SyFIVMCe+I6ZyMjrtOA5gJ9fjS
7yoGCtUJ78YBYhvIuL1GiZ67AB/391dbbQ1NIrA/bIolBSnDy/IRnoEN1/+s
hzAwPoGZ4F9PtkAKrgAAG28BRpmmtL1mG9YDzA7EwqOtR/aktFx7IB4+ouKm
WHQ0LYPj1c+qlRm1M5PmQRIBcRoW1pNJjWI/SxaSUVmxy/CmZm1qdhkXmTgb
r+oQtSFVLAfDxfRUvTuadfaq4aZFdSU6Hq7B2jZUv0Rlr1dYYHQYMJGw7EdM
ERuDdhO6snt7I9hnnzcQVuHQDeHIWJwo8QUabErZFiDmwfh3KEWpPHLuGX1K
+YbvyGFp7J2olXv8SeRRbgbs9HaY8GhFG4lMi03lsCnWr8+u4NzGGc+lp3iJ
XioF0Q6g1oLQ8KZD74jbDB/faE6AoF974b1tfANyY4hNSb454hvkXz881UtT
hs0CV1HlCboD+eIh3iHo2tKINFqu5J2sNWpbSmBlJYHBUu/aHO8jXve4Am3+
N6Yx/Xb84egXrtjfDB43+oU5Syq4obSCzebfjbr9NtPqGwxt0JX7VFjU0nV7
UHG7Bm9O8Wrw8F37xHTkSNLcCuTqCzU/NhZv87h2PGzVF48HlsbCvjegbbw7
Hh0IYGVs+nwrCfzz7fH+3lt5IaKo2lXv/QIqSiMHddO92LzHTtVf3GPPghff
0uupd2f7l08GVXf5fefa7NfWulavxqO1iKPxaDWZ3P3kFiphAEPy4Cd7L44x
K/amRiXHb1+Ga8L/8qPwScsyBXUN8JpPPMDPYA+TRbHq0pKQwdSWXm1E6ah+
pObfWne4bjYd9ZRhZdWFPkmjutuexeFLeYjqr3Xk3+K+Vyh5dumWD/m6lGQn
0V2LxMn0kL59FegeTjh0w2gJ3xxPLBnkNf0XB6aBSHkQb4CUG8yzOX66h4zV
A5pnW3eIuQVaBga2awEZISkghX8v8D3SHfrWSbfelEhNMVsBkJjy8B98G3+x
mONVuKT+sz6YL9LCgfNYd0pmX11QgVxhR+geQvfkhRlj6BzxnWQYbeDvrrBT
oudKjsl5z5ROOs5VXJB5v8hTjzaZGobbaeJC9CvHal1VU3Cff8uGeHy5lT3B
3EnvrrXm/Ur8Yd86+qoUcYGfSUkLZ3cKFb0lhDjXgCusHigG5Kmskn19gTt2
MHAslb80FoDmF/UJAOsCDfslImTkZMLLWuljeZ7oCr4+xd/k6ormziURFZFJ
Lial170IQKr+0XTnJT3TnXM6/xXfVAO19pgwUr8H5OjBYP/Y+qDbnffgP78f
+GAieOQT2G5BPTTy+Ya1kIgB4FBL4osLJbODZuYbqXFyyisEs1i+LHdmLqLL
mAKGXHftoEBrq3a3q3OxXvO9SVJn5e6GMORXKOiSVfUKBp1XM2VsCRld0jrG
5DvyM72o1ij5OwQjvnEy9OxiRsWopY6KXCplRnkZeNsbWrD8BbVcKp2SJftb
igWwp0tMEIlgRwhh7OWEdzYvd7g12Fn7ptJbFmCvVpq4pdsvUnVOwi9/qDvu
jxZTzS66mhtCz/4VZ4dgTQc6eeRmB4sJYmCkfOO+wZKbd958/axYy4GmwUq9
oIMiutv6Sko53icRJiyvrK3iIbCsq3WYsIzjmxbyw7eiYaeOhrAUJSgwq9Wh
WDTYI6yokOmnOwZCdNRLzaoVLYCNJ4NvwcbTr+3t8kNqWXBZ7kIxPclMeNYf
Puq2dP2aWYc1vK1ZDUX1UDsDNfxqbKnh06+rZqKt//ZSpm+oLmzNqmFGV1fQ
wzredXJrJJFBhiOhaX1tHcclu7VKkoBpVQLm4jywMkZkj+VozehjNca81mfM
fEZEa4FP5+Momv681cXiJXvV9xp1Pi4qRd45KR3BmhvK62ENA7STCSxvFBv9
ApVjkkOP6gU5lNeBDtsWjHapghjLVSyvlCKQeUL+YiznxkuYA4c2uUj/Xyxk
px2pAUPkBJlmBrYE9WwyR6iKsFhHt3jXp0yEVWKMjeDzA986B3CHF6013nQL
b6CpVr4gx+X27l4nmCWezcwkZtf/16Q7U8S+nqfe8VVTwQo4jJNWjxjF2tcq
qlpVrMUJExh2/IZiLUWc73B1sRYXttx9S0trsRZ2Xr9eq6VYi2dvq9cKc/yD
UiVW68HisMnikhuC+eUSQuW0c1MdojXXXPubOTURzoC/ImazPHnAKdb1BdTU
SgO3F5n8Gytq6lW+oNOy1LtrX9pLnr5HxZNkFLi8QFvxdEuhyv1KnsKaJ1tF
8i1FT61VT3dXOtUyemikFflbNuEvGPz20pNG1dP6ZU/DR2vVPX1N4VOQTyTJ
b624aFltDYvVbMD7Jb7dUjeDq9/511BVhGMEUDh9jxEZ4oKGQMlZSyZjMNyV
TXfpbF2Xcx4k84Vj9uQK95m7O742J3/0u6pW8g6zaom4ffy9S6UG9oIiSb8Q
ghn7EosVmXIIzZOV0PwbR/PT9uoq9l1nbtgqM+FiqcpFRLVGYdIcXYLEmjRn
HfN1RfaOLK9Aum8wSCp8XTcMLlaTuVWYFr3nrkqtIyIObuj0SUCoj4C499ln
/MH02idz3AXVlrMHCRXBntv8RoVf/c248HqeFfxRnKiGLxAJwPJm8T/yqPK5
Zl6e4nKDNKuvoJanFF4nJSPDEo7gNNCt5KDaosLCCZE2c4wygabR3CaUBZpQ
pVhbLq1owrA0ZeCS56Ll6rVUQW1G+GWtiCcnDk83mWPmDAzwOrsydG8jaYPo
o06T+DN+fj6q2KYVSzYwEN2nb3B0+4kVOJEp3SmXqDNQnfugSfH1Tgd5Dqh7
jfURXKBn8EH/Qh7IdyguhA/gp9qpAVo2GcOAn/KjrxQmIMW8biAXltO74DMo
3Js1FV9KyH3tNwvRREqb34hQkpra1Me63iq882MVij9WwSWS9XwgylCzW2TT
Oyp04Ksn1e3Vk3eNbsOQwa24QWhPkqIUUhelw6GBUBaVwkEGpVoTafO00NQi
xdSjnmmTX8SccuVOo2gM42pwEaaaqDOzzNCvzp/LCWe+ff1AW/b7zM3UXvuB
lv648oYvFfuFrlBL5A5FO0a1pZ6CZEhdHh1f0toTv8Jw5yn+A3WkMHOObkDG
T2YtmY0HthZmVe+/18Pnj2WIR/hhK+797PlzGNt/CS2336oTSIL8Sv7GH/Ii
2BVsjze/hIvAslIzT7Kl4S9CxWNrLKJcAGoJALHf47NfKbRfvowvo3EdpZie
jZ+0A0299dNoDvi5dMcW1W/DILaiZEYZo8CMqBtX8gQFw/ztJLlCtBe6MeQR
JTcHH9aS5xS4RIqrf3HPlzWDsEoVXwBKpfMpf1sBg9v1L+rQF7m9D6jxhXdv
gDaBRgmbuW8XuS9ueTWzJ5dxND8Tp+76TJz9XitasHSoM/GT4ebKN48G7iNI
wphB6qAZh192qo1mP9zUgDa4HRyW84IUrwkX/rXn47NW1PgEoqrtRq+deAxY
3ZTgBwcHbfEpFQnCnEvF9ev0IRPgJPgVMCDqiH4BymPQqbgI7lXuxLJkf/KV
527DC9HMcEA9WabRTK5NNX+cx0mZ++u6mQMxA5qB7VsqmB41kjybxXS9OdZt
TxbG3ibt3zFXOtw72mtyJHKvtHGjW5xI/oP2zNK8jwbYP85CwWGy3439nEg8
TUnLWmtYZb+Pubr1hpYPZC6dI+lsuca1wgiO3NjEcuJz9cpxcVatck4N8PLq
YP03K9biPrRwA3qTXPmk+Tvl0djeG4g5P8Pn7lseN+1kGAQLNLDl/ugFpzG9
BP28pE9HZkBG/MEDuxE2aLAWtunLo8XPG7lO8H8b/vuszXuFaQK2c/hq4VVb
zrsj7MpnwnJ9gmwvakjVKQBZsqkkgh4/3QJxxBzDo9EigW5yxo8OqH0STLw5
cpE44bB//IY2wH1klVB+6w3G0P43+L+jEKFIPu4iYsFsEz0WjRaJ/wd7GG23
7JYAAA==

-->

</rfc>
