<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.2.3) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-sriram-sidrops-asra-verification-05" category="std" consensus="true" submissionType="IETF" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="Enhancement using ASPA and ASRA">Autonomous System Relationship Authorization (ASRA) as an Extension to ASPA for Enhanced AS Path Verification</title>
    <seriesInfo name="Internet-Draft" value="draft-sriram-sidrops-asra-verification-05"/>
    <author initials="K." surname="Sriram" fullname="Kotikalapudi Sriram">
      <organization>NIST</organization>
      <address>
        <postal>
          <city>Gaithersburg, MD 20899</city>
          <country>United States of America</country>
        </postal>
        <email>ksriram@nist.gov</email>
      </address>
    </author>
    <author initials="N." surname="Geng" fullname="Nan Geng">
      <organization>Huawei</organization>
      <address>
        <postal>
          <city>Beijing</city>
          <country>China</country>
        </postal>
        <email>gengnan@huawei.com</email>
      </address>
    </author>
    <author initials="A." surname="Herzberg" fullname="Amir Herzberg">
      <organization>University of Connecticut</organization>
      <address>
        <postal>
          <city>Storrs, CT 06269</city>
          <country>United States of America</country>
        </postal>
        <email>amir.herzberg@uconn.edu</email>
      </address>
    </author>
    <date year="2026" month="July" day="06"/>
    <area>ops</area>
    <workgroup>sidrops</workgroup>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <?line 50?>

<t>An Autonomous System Provider Authorization (ASPA) record authorizes provider ASes of a customer AS.
While ASPA-based AS_PATH verification can correctly detect and mitigate route leaks and some forged-origin or forged-path-segment hijacks, it fails to detect some malicious path manipulations for routes that are received from transit providers.
This document utilizes a new RPKI object called Autonomous System Relationship Authorization (ASRA) that significantly enhances AS_PATH verification complementing ASPA.
ASRA fills in a significant gap in the ASPA method by adding the capability to detect fake links in the AS_PATHs in BGP Updates propagated from providers to customers.
ASRA achieves this by allowing an AS to register additional AS relationships, i.e., customers and lateral peers.</t>
    </abstract>
  </front>
  <middle>
    <?line 58?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>Autonomous System Provider Authorization (ASPA) record authorizes provider ASes of a customer (subject) AS <xref target="I-D.ietf-sidrops-aspa-profile"/>.
While ASPA-based AS_PATH verification can correctly detect and mitigate route leaks and some forged-origin or forged-path-segment hijacks, it fails to detect some malicious path manipulations for routes that are received from transit providers (see Appendix B and Section 7 of <xref target="I-D.ietf-sidrops-aspa-verification"/>).
This document utilizes a new RPKI object called Autonomous System Relationship Authorization (ASRA) that significantly enhances AS_PATH verification complementing ASPA.
The Cryptographic Message Syntax (CMS) protected content type for the RPKI ASRA object is defined in <xref target="I-D.geng-sidrops-asra-profile"/>. 
ASRA fills in a significant gap in the ASPA method by adding the capability to detect fake links in the AS_PATHs in BGP Updates propagated from providers to customers.
ASRA achieves this by allowing an AS to register additional AS relationships, i.e., customers and lateral peers.</t>
      <t>ASPA already has the capability of detecting forged-origin or forged-path-segment hijacks (<xref target="use-case"/>) when a verifying AS receives a BGP Update from a customer or lateral peer.
ASRA adds the capability of detecting the same when a verifying AS receives a BGP Update from a provider.
A forged-origin or forged-path-segment hijack involves a fake link (i.e., forged AS peering).
The ASRA algorithm operates in conjunction with ASPA in such a way that it fully preserves the route leak detection capabilities of ASPA while adding the fake link detection capability.
<!--
The algorithm is designed judiciously so that it introduces no vulnerability (or fragility) in the fundamental ASPA-based method.
This is accomplished by the following principle in the design: Given AS(i) and AS(i+1) are two consecutive unique ASes in the AS path, an ASRA attestation from AS(i+1) to AS(i), i.e., ASRA in the direction opposite to the BGP Update flow, is given no consideration ({{Alg}}).
-->
      </t>
      <t>Incremental benefit is accrued by early adopters. An AS that deploys ASPA and ASRA prevents an offending AS from faking a link to it if the receiving/verifying AS also deploys ASPA and ASRA. The fake link will be detected by the receiving AS even if no other AS in the received AS path has adopted ASPA or ASRA.</t>
      <t>The reader is expected to be familiar with the following related documents: <xref target="I-D.ietf-sidrops-aspa-profile"/>, <xref target="I-D.ietf-sidrops-aspa-verification"/>, <xref target="I-D.ietf-sidrops-8210bis"/>.</t>
      <section anchor="terminology">
        <name>Terminology</name>
        <t>The usage of terms follows Section 3 of <xref target="I-D.ietf-sidrops-aspa-verification"/>.</t>
        <!--
Additional term used in this document:

        - Fake-Link function: The function Fake-Link(AS(i), AS(i+1)) =
          Detected/Not Detected indicates whether or not AS(i+1)
          is detected to be faking the link to AS(i) in the AS_PATH.   

Detected/Not Detected better because False implied not Fake 
-->

</section>
      <section anchor="requirements-language">
        <name>Requirements Language</name>
        <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
        <?line -18?>

</section>
    </section>
    <section anchor="use-case">
      <name>AS Path Security Problems Addressed by ASRA</name>
      <section anchor="fake-link-attack-provider-attacking-a-customer">
        <name>Fake-Link Attack: Provider Attacking a Customer</name>
        <t>ASPA's properties of detection of forged-origin or forged-path-segment hijacks work only when the BGP Update is received from a customer or lateral peer (see Appendix B in <xref target="I-D.ietf-sidrops-aspa-verification"/>).
The use of ASRA (together with ASPA) extends these properties to scenarios where the Update is received from a transit provider.
This is achieved due to the added capability of detecting fake links in the AS path with the assistance of ASRAs.
ASPA alone cannot detect fake links.</t>
        <t>An example scenario is illustrated in <xref target="fig-path-shortened-1"/>.
Assume that all ASes shown in the Figure (the attacker AS(6) being a possible exception) register ASPA records and do ASPA-based AS_PATH verification.
Where a link is marked C2P (Customer-to-Provider), it indicates that the AS shown below is a customer of the provider AS shown above.
AS(1) originates the BGP route for prefix P which propagates to the other ASes. The AS_PATH received by AS(6) is path{5,4,3,2,1}.
However, the misbehaving AS(6) shortens the path by faking a link with AS(2) and propagates the route to AS(7) with a shortened path {6,2,1} to AS(7).
AS(7) fails to detect the manipulated path based on verification using only ASPAs.
It chooses this path over the other valid path via AS(8).
However, if ASRA is deployed by AS(2), then AS(2)'s ASPA and ASRA can indicate that AS(6) is not connected to AS(2), and the faked link from AS(6) to AS(2) will be detected.
If ASRA is deployed by AS(1), AS(2), and AS(4) also, then AS(6) is prevented from conducting the forged-origin or forged-path segment type of attack on its customer AS(7) (in this scenario).
The details about the registration of ASRA and the algorithms for AS path verification using ASPAs and ASRAs are provided in <xref target="record"/> and <xref target="Alg"/>, respectively.</t>
        <figure anchor="fig-path-shortened-1">
          <name>AS_PATH shortened by a misbehaving provider.</name>
          <artwork><![CDATA[
            +-------+      +-------+  path{5,4,3,2,1}
            | AS(4) |------| AS(5) |--------------
            +-------+      +-------+              \
    path{3,2,1}/                \                  \ (C2P)
              /(C2P)             \                  \
      +-------+                   \              +-------+
      | AS(3) |    path{5,4,3,2,1} \             | AS(8) |
      +-------+               (C2P) \            +-------+
path{2,1} |                          \               |
    (C2P) |                           \              |
      +-------+    (Fake link)     +-------+         |path{8,5,4,
      | AS(2) |********************| AS(6) |         |    3,2,1}
      +-------+                    +-------+         | (C2P)
  path{1} |                            |path{6,2,1}  |
    (C2P) |                       (C2P)|(shortened)  |
      +-------+                    +-------+         /
      | AS(1) |                    | AS(7) |--------/
      +-------+                    +-------+
          | (Origin)            (Validating AS)
          P     
]]></artwork>
        </figure>
      </section>
      <section anchor="fake-link-attack-customer-attacking-its-non-adopting-provider-and-other-customers">
        <name>Fake-Link Attack: Customer Attacking its Non-Adopting Provider and Other Customers</name>
        <t><xref target="fig-path-shortened-2"/> illustrates a scenario in which one customer AS(6) of the non-adopting provider AS(7) attacks the provider, which in turn propagates the attack (Update) to its other customer AS(5).
In this example (<xref target="fig-path-shortened-2"/>), the provider AS(7) has not adopted ASPA but all other ASes have.
AS(5) is the receiver performing ASPA-based AS path verification.
AS(6) conducts a fake-link (forged-origin) attack on AS(7) which accepts the route and propagates it to AS(5).
AS(5) receives two routes (one each from AS(7) and AS(4)) and per-ASPA verification, the shorter route from AS(7) is Unknown while the longer route is Valid.
But since both Valid and Unknown routes are eligible for path selection, AS(5) would select the shorter path from AS(7) and is thus deceived in effect by AS(6).
If ASRA is deployed by AS(1) and AS(5), then AS(5) can detect and mitigate the fake-link (forged-origin) attack using ASRA and ASPA data (<xref target="Alg"/>).</t>
        <figure anchor="fig-path-shortened-2">
          <name>Customer attacking its non-adopting provider and another customer.</name>
          <artwork><![CDATA[
            +-------+                                 +-------+
            | AS(3) |---------------------------------| AS(4) |
            +-------+                                 +-------+
      path{2,1}/                                             |
              /(C2P)                            path{4,3,2,1}|
      +-------+                        +-------+       (C2P) |
      | AS(2) |                        | AS(7) |             |
      +-------+                        +-------+             |
  path{1} |                     path{6,1}/    \path{7,6,1}   /
    (C2P) |                       (C2P) /      \(C2P)       /
      +-------+  (Fake link)     +-------+      +-------+  /
      | AS(1) |******************| AS(6) |      | AS(5) |_/
      +-------+                  +-------+      +-------+
          | (Origin)                          (Validating AS)
          P     
]]></artwork>
        </figure>
      </section>
    </section>
    <section anchor="record">
      <name>ASRA Registration Recommendations</name>
      <t>The term "Compliant AS" or "compliant BGP router" in this document refers to one that is compliant with the specifications in this document.
A compliant AS that has a valid ASRA record <bcp14>MUST</bcp14> also have a valid ASPA record.
A valid ASRA record for a signer (subject) AS that does not have a valid ASPA record <bcp14>MUST</bcp14> be ignored (considered unusable) for AS path verification purposes.</t>
      <t>ASRA-C, ASRA-LP, and ASRA-CLP <xref target="I-D.geng-sidrops-asra-profile"/> are subcategories of ASRA distinguished by a subcategory field by setting its value to 1, 2, and 3, respectively.
ASRA-C and ASRA-LP are used to register the lists of customers and lateral peers, respectively.
Alternatively, if the subject AS does not wish to separately disclose customers and lateral peers, it <bcp14>MAY</bcp14> choose to register an ASRA-CLP to register the combined list of customers and lateral peers.
An ASRA-compliant AS <bcp14>MUST</bcp14> either register ASRA-CLP alone or register both ASRA-C and ASRA-LP.
To signal that there are no neighbors to report in a subcategory, AS 0 <bcp14>MUST</bcp14> be included in the corresponding ASRA subcategory in the payload field.
<!-- To signal that the AS does not wish to disclose certain type of neighbors (e.g., Customers), it MAY create an ASRA of the corresponding type and include a special AS number (TBD) in the payload field. -->
      </t>
      <t>If it is found that an AS has X.509 valid ASRA-CLP and simultaneously has X.509 valid ASRA-C and/or ASRA-LP, then only the ASRA-CLP <bcp14>MUST</bcp14> be considered for AS path verification and the ASRA subcategories ASRA-C and ASRA-LP <bcp14>MUST</bcp14> be ignored.</t>
      <t>It is highly <bcp14>RECOMMENDED</bcp14> that an AS (compliant signer AS) register and maintain either a single ASRA-CLP object or a single object of each subcategory ASRA-C and ASRA-LP.
Such a practice helps prevent race conditions during ASRA updates.
If multiple X.509 valid ASRAs of a subcategory exist for a given subject AS, the ASes listed in all such ASRAs will be combined (by the relying party) into one list of neighbors of the subcategory in consideration.
This combined list will be used for AS path verification purposes.</t>
      <t>All neighbors that are customers or lateral peers of the signer AS <bcp14>MUST</bcp14> be included in an ASRA(s) of an appropriate subcategory following the above-mentioned recommendations.</t>
      <t>A pair of compliant ASes in a mutual transit relationship are required to include each other in their respective ASPA (Sec. 4 of <xref target="I-D.ietf-sidrops-aspa-verification"/>).
They <bcp14>MUST NOT</bcp14> further include each other in ASRA-C, ASRA-LP, or ASRA-CLP.</t>
      <t>If a compliant AS has a complex relationship with a neighbor AS, where one of the relationships is Provider, then the compliant AS must include the neighbor AS in its ASPA (Sec. 4 of <xref target="I-D.ietf-sidrops-aspa-verification"/>).
(Note: By the term "relationship is foo" it is meant here that the neighbor's role is foo.)
The AS <bcp14>MUST NOT</bcp14> further include the other AS in ASRA-C, ASRA-LP, or ASRA-CLP.
A compliant AS that has a complex relationship with a neighbor AS where none of the relationships are Provider implies that its relationships with the neighbor AS are customer and lateral peer.
In such a case, the AS <bcp14>MUST</bcp14> include the neighbor AS in its ASRA-CLP if doing ASRA-CLP, otherwise in its ASRA-C as well as ASRA-LP.</t>
      <t>The Route Server (RS) to RS-client relationship is similar to the provider-to-customer relationship. So, a compliant non-transparent RS AS <bcp14>MUST</bcp14> either (1) list all its RS-clients as customers in ASRA-CLP, or (2) list all its RS-clients as customers in ASRA-C and register an ASRA-LP with only AS 0 listed in the set of lateral peers.</t>
      <t><em>Transparent Internet Exchange RS AS case:</em></t>
      <t>In the case of a transparent RS AS, the peering between any pair of clients is effectively lateral peering (note that the RS AS is absent in the AS_PATH).
There are three possible methods proposed here for discovering the effective lateral peering relationships in this scenario for the purposes of AS_PATH verification:</t>
      <t><em>Method 1:</em> A fourth ASRA subcategory type, named ASRA-TIX (subcategory value set to 4), is used by a transparent RS AS to register itself. 
A transparent RS AS <bcp14>SHOULD</bcp14> register an ASRA-TIX, and an RS client at that RS AS <bcp14>SHOULD</bcp14> include the registered RS AS in the Set of Provider ASes (SPAS) of its ASPA.
When two adjoining ASes in an AS_PATH are found to have included the same RS AS (from an ASRA-TIX) in their respective SPAS, they are considered lateral peers for AS_PATH verification purposes.</t>
      <t><em>Method 2:</em> This method uses a different semantic for ASRA-TIX. 
Here ASRA-TIX is used by a transparent RS AS to not only register itself but also to register a list of all its RS clients.
A transparent RS AS <bcp14>SHOULD</bcp14> register an ASRA-TIX. When two adjoining ASes in an AS_PATH are found to be included in the client list of the same ASRA-TIX, they are considered lateral peers for AS_PATH verification purposes.</t>
      <t><em>Method 3:</em> Typically, an Internet Exchange (IX) with an RS publishes a list of all its RS clients so that each RS client can choose which other clients to peer with.
The peering relationships are normally set up  by using BGP Community tags or through policies configured at the RS AS.
An RS client of a transparent RS AS <bcp14>SHOULD</bcp14> include in its ASRA (ASRA-LP preferably or ASRA-CLP) all the AS numbers of other RS clients that it peers with at the RS.
If an RS client has selected to receive all routes from a transparent RS AS, then the RS client <bcp14>SHOULD</bcp14> include in the ASRA (ASRA-LP preferably or ASRA-CLP) the full published list of RS clients of the transparent RS.</t>
      <t>Authors' notes: The SIDROPS WG's feedback and guidance will be sought about these methods. The ideas from the above methods may be combined into one comprehensive proposal for ASRA registrations for the transparent RS AS case.</t>
    </section>
    <section anchor="Alg">
      <name>Algorithms for Enhancement of AS Path Verification Using ASRA</name>
      <t>In this section, two algorithms are described which enhance AS path verification by augmenting ASPA-based verification <xref target="I-D.ietf-sidrops-aspa-verification"/> with ASRA data. 
The basic principles behind each algorithm are explained.
(The intention is that the SIDROPS WG discussions will help decide which algorithm to select.)</t>
      <t>Same as in Sec. 5.1 of <xref target="I-D.ietf-sidrops-aspa-verification"/>, let the sequence COMPRESSED_AS_PATH {AS(N), AS(N-1),..., AS(2), AS(1)} represent the AS_PATH after removing consecutive duplicate ASNs, where AS(1) is the origin AS, and AS(N) is the most recently added AS as well as a neighbor of the receiving/verifying AS.
AS(N+1) represents the local (receiving/verifying) AS; it does not explicitly appear in the description of the AS_PATH verification procedures.
COMPRESSED_AS_PATH is used in the verification procedures.</t>
      <t>For a given AS hop, say AS(i) to AS(i+1), AS(i) is the sender and AS(i+1) is the receiver.
For each such AS hop in the COMPRESSED_AS_PATH, the algorithms seek to check if the hop is a fake link, i.e., AS(i+1) forging a connection to AS(i).</t>
      <t>In the descriptions that follow, a valid ASPA or ASRA is one that is X.509 valid.</t>
      <section anchor="AlgAB">
        <name>Overview Comments About Algorithms A and B</name>
        <t>For a given AS hop AS(i) to AS(i+1), algorithm A gives precedence to the ASPA created by the receiver AS(i+1) over the ASRA created by the sender AS(i), and hence it is less strict (compared to Algorithm B (<xref target="AlgB"/>)).
Algorithm A can be used under the assumption that AS(i+1) is very unlikely to create a false ASPA record (i.e., falsely asserting that AS(i) as a provider) because it is a digitally signed object and hence repudiation is arguably hard.
However, this algorithm does not guard against the creation of a false ASPA record, and when that is a concern, the stricter Algorithm B (<xref target="AlgB"/>) <bcp14>SHOULD</bcp14> be used. In Algorithm B, an ASPA assertion in the direction opposed to the Update flow (i.e., AS(i+1)'s assertion using ASPA that AS(i) is Provider) can be superceded by a contrary ASPA+ASRA assertion in the opposite direction of the Update flow (i.e., AS(i)'s assertion using ASPA+ASRA that AS(i+1) is not connected).</t>
        <t>Both algorithms do not give any consideration to an ASRA assertion in the direction opposite to the Update flow, i.e., within the context of AS_PATH verification, the ASRA assertion of AS(i+1) about AS(i) is not utilized. The reason for this can be illustrated by a simple example: AS(i+1) using ASRA-C falsely asserts that AS(i) is a customer -- when in fact it is a provider -- for the purpose of evading route leak detection.</t>
      </section>
      <section anchor="AlgA">
        <name>Algorithm A (Less Strict)</name>
        <section anchor="FL-a">
          <name>Fake Link Determination (Alg. A)</name>
          <t>The following is the procedure (per Algorithm A) for determining if the AS(i) to AS(i+1) hop in the AS path is a fake link.</t>
          <ul spacing="normal">
            <li>
              <t>If AS(i) has valid ASPA(s) and they do not include AS(i+1) as a Provider,</t>
            </li>
            <li>
              <t>AND if AS(i) has valid ASRA(s) and they do not include AS(i+1) as a customer or lateral peer,</t>
            </li>
            <li>
              <t>AND {EITHER AS(i+1) has no valid ASPA OR {AS(i+1) has valid ASPA(s) and they do not include AS(i) as a Provider},</t>
            </li>
            <li>
              <t>then set Fake-Link(AS(i), AS(i+1)) = Detected,</t>
            </li>
            <li>
              <t>Else, set Fake-Link(AS(i), AS(i+1)) = Not Detected.</t>
            </li>
          </ul>
        </section>
        <section anchor="enhancement-to-as-path-verification-using-asra-alg-a">
          <name>Enhancement to AS Path Verification Using ASRA (Alg. A)</name>
          <section anchor="algorithm-for-upstream-paths">
            <name>Algorithm for Upstream Paths</name>
            <t>Remains unchanged and the same as described in Section 5.4 of <xref target="I-D.ietf-sidrops-aspa-verification"/>.</t>
          </section>
          <section anchor="DA-a">
            <name>Algorithm for Downstream Paths (Alg. A)</name>
            <t>The parameters min_up_ramp and min_down_ramp represent ramp lengths (in # ASes), and are computed using only ASPAs (see Section 5.3 of <xref target="I-D.ietf-sidrops-aspa-verification"/> and <xref target="ramps"/> below).
Successive ASPAs affirm the up-ramp from AS(1) to AS(K), where K = min_up_ramp.<br/>
The up-ramp stops at AS(K) because AS(K) does not have a valid ASPA or its valid ASPA(s) do not include AS(K+1) as a provider.
The down-ramp from AS(L) to AS(N) is also affirmed by successive ASPAs, where L = N - min_down_ramp + 1.
The top of the down-ramp is at AS(L) because AS(L) does not have a valid ASPA or its valid ASPA(s) do not include AS(L-1) as a provider.
<!-- The up-ramp ends at K due to ASPA-Auth(AS(K), AS(K+1)) = Not Provider+ or No Authorization, while all other hops from 1 to K satisfy are attested customer-to-provider per ASPA. The down-ramp begins at L due to ASPA-Auth(AS(L), AS(L-1)) = Not Provider+ or No Authorization. -->
            </t>
            <figure anchor="ramps">
              <name>Illustration of min-up-ramp and min-down-ramp</name>
              <artwork><![CDATA[
          L = N - min_down_ramp + 1       K = min_up_ramp

                    AS(L) ............. AS(K)  
                     /                     \
                 AS(L+1)                  AS(K-1)
                    .                       .
                   .                         .
    (down-ramp)   .                           .  (up-ramp)
                 .                             .
                .                               .
              AS(N-1)                          AS(2)
                /                                \
             AS(N)                               AS(1)
              /                                (Origin AS)
    Receiving & verifying AS
           (customer)

        Each ramp has consecutive ASPA-attested
        customer-to-provider hops in the bottom-to-top direction
]]></artwork>
            </figure>
            <t>First, run the verification algorithm for downstream paths as described in Section 5.5 of <xref target="I-D.ietf-sidrops-aspa-verification"/>.
The obtained outcome is one of these: Valid, Invalid, Unknown. 
Now enhance the outcome using the following algorithm where ASRA data is applied.
For the Fake-Link(AS(i), AS(i+1)) function, use the one described in <xref target="FL-a"/>.</t>
            <ol spacing="normal" type="1"><li>
                <t>If the outcome is Invalid, it remains unchanged and the procedure halts.</t>
              </li>
              <li>
                <t>Else, if min_up_ramp = N or {min_up_ramp + min_down_ramp} &gt; N, then the outcome remains unchanged (Valid) and the procedure halts.</t>
              </li>
              <li>
                <t>Else, if for any i value from min_up_ramp to (N - min_down_ramp), Fake-Link(AS(i), AS(i+1)) = Detected, then change the outcome to Invalid and the procedure halts.</t>
              </li>
              <li>
                <t>Else, if for any i value from (min_up_ramp + 1) to (N - min_down_ramp), if AS(i) has ASPA and ASRA asserting that AS(i+1) is a lateral peer (and not a Provider or Customer), then change the outcome to Invalid and the procedure halts.</t>
              </li>
              <li>
                <t>Else, the outcome remains unchanged and the procedure halts.</t>
              </li>
            </ol>
            <t>In Step 3, the algorithm tries to determine if the AS_PATH is Invalid due to the presence of a fake link. In Step 4, the algorithm tries to utilize ASPA and ASRA information of one AS to detect a route leak while compensating for the lack of ASPA information of the next AS in the AS_PATH. This speaks to the added benefit of ASRA to detect route leaks which would have been missed otherwise due to partial deployment of ASPA.</t>
          </section>
        </section>
      </section>
      <section anchor="AlgB">
        <name>Algorithm B (Strict)</name>
        <t>As mentioned earlier in <xref target="AlgAB"/>, Algorithm B does not give precedence to the ASPA created by the receiver AS(i+1) over the ASRA created by the sender AS(i), and hence it is strict (compared to Algorithm A).
This algorithm considers the possibility that AS(i+1) could maliciously create a false ASPA record (i.e., falsely include AS(i) as a provider) to try evading fake link detection.</t>
        <section anchor="FL-b">
          <name>Fake Link Determination (Alg. B)</name>
          <t>The following is the procedure (per Algorithm B) for determining if the AS(i) to AS(i+1) hop in the AS path is a fake link.</t>
          <ul spacing="normal">
            <li>
              <t>If AS(i) has valid ASPA(s) and they do not include AS(i+1) as a Provider,</t>
            </li>
            <li>
              <t>AND if AS(i) has valid ASRA(s) and they do not include AS(i+1) as a customer or lateral peer,</t>
            </li>
            <li>
              <t>then set Fake-Link(AS(i), AS(i+1)) = Detected,</t>
            </li>
            <li>
              <t>Else, set Fake-Link(AS(i), AS(i+1)) = Not Detected.</t>
            </li>
          </ul>
        </section>
        <section anchor="enhancement-to-as-path-verification-using-asra-alg-b">
          <name>Enhancement to AS Path Verification Using ASRA (Alg. B)</name>
          <section anchor="algorithm-for-upstream-paths-1">
            <name>Algorithm for Upstream Paths</name>
            <t>Remains unchanged and the same as described in Section 5.4 of <xref target="I-D.ietf-sidrops-aspa-verification"/>.</t>
          </section>
          <section anchor="DA-b">
            <name>Algorithm for Downstream Paths (Alg. B)</name>
            <t>Here the min_up_ramp parameter is the same as discussed in <xref target="DA-a"/>.
First, run the verification algorithm for downstream paths as described in Section 5.5 of <xref target="I-D.ietf-sidrops-aspa-verification"/>.
The obtained outcome is one of these: Valid, Invalid, Unknown.
Now enhance the outcome using the following algorithm where ASRA data is applied.
For the Fake-Link(AS(i), AS(i+1)) function, use the one described in <xref target="FL-b"/>.</t>
            <ol spacing="normal" type="1"><li>
                <t>If the outcome is Invalid, it remains unchanged and the procedure halts.</t>
              </li>
              <li>
                <t>Else, if min_up_ramp = N, then also the outcome remains unchanged (Valid)
        and the procedure halts.</t>
              </li>
              <li>
                <t>Else, if for any i value from min_up_ramp to (N - 1), Fake-Link(AS(i), AS(i+1)) = Detected, then change the outcome to Invalid and the procedure halts.</t>
              </li>
              <li>
                <t>Else, if for any i value from (min_up_ramp + 1) to (N - 1), if AS(i) has ASPA and ASRA asserting that AS(i+1) is a lateral peer (and not a Provider or Customer), then change the outcome to Invalid and the procedure halts.</t>
              </li>
              <li>
                <t>Else, the outcome remains unchanged and the procedure halts.</t>
              </li>
            </ol>
            <!-- xxx The differences between the above procedure and the corresponding procedure in {{DA-a}} for Algorithm A are at steps #2 and #5. -->

</section>
        </section>
      </section>
    </section>
    <section anchor="ops">
      <name>Operational Considerations</name>
      <t>Every AS operator doing ASPA/ASRA <bcp14>SHOULD</bcp14> periodically check their own ASPA/ASRA objects for correctness and completeness. They <bcp14>SHOULD</bcp14> also ensure that the same are refreshed well before their expiry dates.</t>
      <t>Every AS operator doing ASPA <bcp14>SHOULD</bcp14> periodically monitor all the ASPAs in the RPKI repositories to check if their AS number is incorrectly included or incorrectly not included as a provider in an ASPA (X.509 valid), and if so, they <bcp14>SHOULD</bcp14> report it to the responsible parties so that the ASPA can be rectified.</t>
      <t>Every AS operator doing ASRA <bcp14>SHOULD</bcp14> periodically monitor all the ASRAs in the RPKI repositories to check if their AS number is incorrectly included or incorrectly not included in an ASRA (X.509 valid), and if so, they <bcp14>SHOULD</bcp14> report it to the responsible parties so that the ASRA can be rectified.</t>
    </section>
    <section anchor="sec-security">
      <name>Security Considerations</name>
      <t>Security concerns for AS path verification using ASPA and ASRA are largely alleviated if the operational recommendations (<xref target="ops"/>) are followed.</t>
    </section>
    <section anchor="sec-iana">
      <name>IANA Considerations</name>
      <t>This document does not have IANA considerations.</t>
    </section>
    <section anchor="acknowledgements">
      <name>Acknowledgements</name>
      <t>The authors wish to thank Mingqing (Michael) Huang, Alexander Azimov, Jeff Haas, Doug Montgomery, and Oliver Borchert for very helpful comments and discussions.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="I-D.ietf-sidrops-aspa-verification" target="https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-aspa-verification-26" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-sidrops-aspa-verification.xml">
          <front>
            <title>BGP AS_PATH Verification Based on Autonomous System Provider Authorization (ASPA) Objects</title>
            <author fullname="Alexander Azimov"/>
            <author fullname="Eugene Bogomazov"/>
            <author fullname="Randy Bush"/>
            <author fullname="Keyur Patel"/>
            <author fullname="Job Snijders"/>
            <author fullname="Kotikalapudi Sriram"/>
            <date day="6" month="July" year="2026"/>
            <abstract>
              <t>This document describes procedures that make use of Autonomous System
   Provider Authorization (ASPA) objects in the Resource Public Key
   Infrastructure (RPKI) to verify the Border Gateway Protocol (BGP)
   AS_PATH attribute of advertised routes.  This AS_PATH verification
   enhances routing security by adding means to detect and mitigate
   route leaks and AS_PATH manipulations.</t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-sidrops-aspa-verification-26"/>
        </reference>
        <reference anchor="I-D.ietf-sidrops-aspa-profile" target="https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-aspa-profile-27" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-sidrops-aspa-profile.xml">
          <front>
            <title>A Profile for Autonomous System Provider Authorization</title>
            <author fullname="Job Snijders" initials="J." surname="Snijders">
              <organization>BSD Software Development</organization>
            </author>
            <author fullname="Alexander Azimov" initials="A." surname="Azimov">
              <organization>Yandex</organization>
            </author>
            <author fullname="Eugene Uskov" initials="E." surname="Uskov">
              <organization>JetLend</organization>
            </author>
            <author fullname="Randy Bush" initials="R." surname="Bush">
              <organization>Internet Initiative Japan</organization>
            </author>
            <author fullname="Russ Housley" initials="R." surname="Housley">
              <organization>Vigil Security, LLC</organization>
            </author>
            <author fullname="Ben Maddison" initials="B." surname="Maddison">
              <organization>Workonline</organization>
            </author>
            <date day="19" month="June" year="2026"/>
            <abstract>
              <t>This document defines a Cryptographic Message Syntax (CMS) protected content type for Autonomous System Provider Authorization (ASPA) objects for use with the Resource Public Key Infrastructure (RPKI). An ASPA is a digitally signed object through which the issuer (the holder of an Autonomous System identifier), can authorize one or more other Autonomous Systems (ASes) as its transit providers. When validated, an ASPA's eContent can be used for detection and mitigation of route leaks.</t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-sidrops-aspa-profile-27"/>
        </reference>
        <reference anchor="I-D.geng-sidrops-asra-profile" target="https://datatracker.ietf.org/doc/html/draft-geng-sidrops-asra-profile-03" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.geng-sidrops-asra-profile.xml">
          <front>
            <title>A Profile for Autonomous System Relationship Authorization (ASRA)</title>
            <author fullname="Nan Geng" initials="N." surname="Geng">
              <organization>Huawei</organization>
            </author>
            <author fullname="Kotikalapudi Sriram" initials="K." surname="Sriram">
              <organization>NIST</organization>
            </author>
            <author fullname="Mingqing(Michael) Huang" initials="M." surname="Huang">
              <organization>Zhongguancun Laboratory</organization>
            </author>
            <date day="20" month="April" year="2026"/>
            <abstract>
              <t>This document defines a Cryptographic Message Syntax (CMS) protected content type for Autonomous System Relationship Authorization (ASRA) objects for use with the Resource Public Key Infrastructure (RPKI). An ASRA is a digitally signed object through which the issuer (the holder of an Autonomous System identifier), can authorize one or more other Autonomous Systems (ASes) as its customers and lateral peers. When validated, an ASRA's eContent can be used for detection and mitigation of BGP AS path manipulation attacks together with Autonomous System Provider Authorization (ASPA). ASRA is complementary to ASPA.</t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-geng-sidrops-asra-profile-03"/>
        </reference>
        <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174" xml:base="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="I-D.ietf-sidrops-8210bis" target="https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-8210bis-25" xml:base="https://bib.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-sidrops-8210bis.xml">
          <front>
            <title>The Resource Public Key Infrastructure (RPKI) to Router Protocol, Version 2</title>
            <author fullname="Randy Bush" initials="R." surname="Bush">
              <organization>Arrcus, DRL, &amp; IIJ Research</organization>
            </author>
            <author fullname="Rob Austein" initials="R." surname="Austein">
              <organization>Dragon Research Labs</organization>
            </author>
            <author fullname="Tom Harrison" initials="T." surname="Harrison">
              <organization>Asia Pacific Network Information Centre</organization>
            </author>
            <date day="2" month="March" year="2026"/>
            <abstract>
              <t>In order to validate the origin Autonomous Systems (ASes) and Autonomous System relationships behind BGP announcements, routers need a simple but reliable mechanism to receive Resource Public Key Infrastructure (RFC6480) prefix origin data, Router Keys, and ASPA data from a trusted cache. This document describes a protocol to deliver them. This document describes version 2 of the RPKI-Router protocol. [RFC6810] describes version 0, and [RFC8210] describes version 1. This document is compatible with both.</t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-sidrops-8210bis-25"/>
        </reference>
      </references>
    </references>
    <?line 390?>



  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+096XLbRpr/+RQ9dtWGjEnaUuwc2rkoWY61lmWtKM9Rm61U
E2ySiEEAgwZ0jOx5ln2WfbL9rm40QJCS56qZmmWlEhHs4+vvvhoZjUa9Mi4T
c6AmVZml2TqrrJre2tKs1YVJdBlnqV3FOf68yor4j/RE9SfTi8lAaat0qo5v
SpNafFxmajI9n6hFVqjjdKXTyMzhiTrX5Ur9xhTxIo5ogZ6ezQpzdeBGrU1a
qsrG6ZIX0CnOu5j0evMsSvUa4JsXelGObBEXej2y8bzIcjvSttCjq2Dh0bMX
vWxms8SUxh70qnyu6Q/8z0EPxphlVtweKFvOe7aarWOLgF/e5rDDyfHlq14v
zosDVRaVLfefPfvu2X5PF0YfKNitd50VH5ZFVuUwnwHofTC38HQOk9PSFKkp
Ry8Rzl5PE74OemrUUypO7YF6M1ZTgh4e8JHeZGX8QSc6r+Zx/VtWLHUqiD5Q
ZyfTS3ho1jpODtQHPv+v09iW42V2Bb9EcQnn+V7H5coUdlYVy6F6+1LtP/v2
u+/w56xKSzzx+zQugRrTEhGisoWarAFvke4FIJ6N1fcmXXoAz4C68qAJ1etK
X5u4hmsJg1Kd/npFz8dRtvaQHZr4p5iW8KAcreJUw4Ng58lYvTbFH2emqHef
rOMifNoEAc4DhLewBx7mKEtTE5VxVJU1VBoWGK9kgV9XEYwZm3nlQZuWWVHY
oTq6VM++3v/6gehKs2INMFwBPyl1Mno5jk25CDgyb3Lk9lF5kS3ixC+DOGwy
th8Qp4udm367v/dsFgObj8fjXm80Gik9s2WhI2DESdoh2udFdhXPTbEp1ucg
1oWJgKeVlt/g/LkfP2VsaBWBhGRrejTu/XYFcJLojmbaktD/eD65fK1CTKgI
2AlWhuXL5FbNQUSjkkR9HZfxEhCtQLjg34nRHyz9YGEH1CZLMx8BKMs4BS5w
D3LQKiNrlqQ8VvFPOvoAxIxLtQDqW1RGsgWtstZJHMWIA5wHX9M4r0TBkcKi
vWHaSgNQhUEsGED4XC2KbA0aQYOOKz0m7Lh3uYqtAv1UsfYq44RwpVVqrtXF
+ZsTlc1+wv0jnSSIkz9DwxI0Nl6mhMUU8WZYZdotOM7WeUL61CnTcQ+XUsBJ
gBRAoA7XU0ud40NQHqx51wagmKvZrdLzOS6Bv0Q61zM4HshajdWF/gCkitMP
tl6AAKLvh9+fq/esfRFnuUb6Ci49DnE1x0dW4NTRKjZXRAhAL8KRJNk1QgLc
A7YEphRmCfoPWA9BxFPrBH8pAmwiI4zNeFgvT/wEA0wBo3NDG5KorOP5PDG9
3mPU4UU2ryKyUL2/rdT0wfogcwwQ8ru7nRri06d/SQkDHBk4cp6bdB7fqEOC
d2qIPOobxOc2vIU4+fRp8E8kqpcgRkfFbV5my0LnqzhSb421emkAjrTUN6p/
9HY6QBwh3gFSMGolnqkEF4aQjIJIJyJpkmPh6c0iTmECEJjRttXeALup/9cZ
W3UGO6gJeIXzW7XStn1a4Es+Le7/OZKl+nd3lTWjCOQbuFZdrwxinnjmllnE
iQyybo0txlCgXGCfEGqHpfl8N7D4mwXX6/N3dtSBnT7nyED0qyzhRT1rqD5T
gafh1ngGgGLA4sFnScCPB5d3DY45nBM5JkaJSn+qUlYQ1/Arsyf8YKtoBXtc
61sWU1RhVQISmhfGmoJZJ1SODiukUwVbsTiCuOY1qeOA3WvwO2bejns//xmE
Wgh+DTkJJcoVnPInCAFIdwJMNvNAxmKRYOc0U1dVksJhhXR9RG2hl/Rt4ORp
UaVzjSgm/vbWgkVUFCH8oyPSPrFdGRJcmpo5qckB3VEMysmtynBCmAEcgBLV
jwcSo/XjJ3sD0ubldYYEsAZ8cBimqjT+Q2XY9nlhJ9MwZLFEMpZAuZLVIbGS
W5AiSdjFiSSNdsDEhSA4y/MMTIbB4fhLyJhwlCGedEkgpwwb8qgo7bu7SbIk
4zAa/bLXO0mjwgjeZiYFZVkKnoqKUWR0kaCGy/ISFYGasGpBSs1NnmS3thm7
Im/B1iXFyNligVaMRYlOCgxDCoqZBg6AGy6YDUnU4NenDQnUic26txqrywYL
XoPehlMIK9YU9gvjcggc7gioyTB2xGeCYW+YhWCk5vjkc945K2TjXo+4GrUh
LAEYMzc57wlHmiFQa2BQXbA8NtmMlC+MdIYZ4sB7PaHhA41+5ziJk9DA4Qd8
vsfq0hTrOM2SbHnLR6nI3IKgA5nXVsC13vH46uGOBxgLEvtJbXJwTdiB7XAZ
eiUHEIjLZ6ReASlHp0jKheizAyax025+QF/ERARnoH7hl1HqpdD/6VlW+i+w
8xxBBLEEPU+UB2qmMELWCBYgFVU26fnBqTzHuKwOmvZ8TOjt3n9mSjTEMxNp
wAQcJYF/x6iN4EeEAw+nUCyFRBfmD1XM0mnVqU6XFVCIifXB3CpMwFj16O37
6eWjIf9Xnb2jvy+O//P9ycXxS/x7+npyeur/6MmI6et3709f1n/VM4/evX17
fPaSJ8NT1XjUe/R28vtHQxLBR+/OL0/enU1OH21QlTUjYS7GDBHoBESBtj1Q
qVERz5gTDo/O//d/9p4DX/3s4tXR/t7ed58+yZdv9755Dl/QJPNuWQpqiL8C
wm97GhxkkC/00kDqwebEoMPAlwGRtavsOlVAYQOs+OV/IWb++0D9fBble89/
KQ/wwI2HDmeNh4SzzScbkxmJHY86tvHYbDxvYboJ7+T3je8O78HDn/8K2NKo
0d63vwKtDkGdSz+C/FYF2k2I4mbgdoMKnc/B+ltWj6Sx7x57/4sYrxbDSVmC
v3IQhID0gDX4kfhd7Bt+wc6rKZzDUDsE8OWzHEJMONb0bps4YLNmBLXdA9wI
pXwU8KDgCZWiYd8HsNSH4IT1hvexBqD2IQxh/xKGBggA5reRSXURZ6RwUB5g
we1naMeBodNCbj4YjMqbfHDBMAra5n53xBts0bw50tZCYIBhmjsgRRXk42cp
Ossp6qSNAMaZEHADzI3GSM6fE2EFC1xhCq50IdciXgqRIXQEXAHN99BETKwF
TSFBcZKwv8SCKyC/ipcVYK1P0BLbkbHufz0AtcIcCG6QjYGrAZTI5Ei5QR3x
0GE4O8ERzTy7L5GA+QaklHgncJ61Lj7A4KP9cwhBhctGZTZyAjEYsr/qTAud
RxDOp5kZsKNExoBN2eEJEiUyWM+yK4N06IMzyMIiy7IIsKeO8S5o1AWw9Dm6
5ODk+7jROg5xzo2x7Ca583q+I+lHbMacubh7MXw+/Gq4P9wD8rzOroHlCtK1
ah3bmVlp8aBwihCTASPGgtWarp0ISX+fXeYQQB9ysBX9ZsCDtfI8wmvefU3Q
+GGEGBjdTsMQjC7t4iYzlUH7NJIPXGwh3YK8ADx/UqpolWXWhdE0GahQBFi8
0kksy17FGoH5dhDgKBYNQW4D+qkeu/sDwmDKf3/RdpUxb+V4h1nHUwSFL+Ls
PjshshrOdYHXnDHtIoivB37chisM59wK5B77UW51+PP5gLzuGnbhEvbsnc4C
8Chr6ELBHSpeORVP+RpMCZJAI3licG6CpDrSt+/cCadZRBvDYYjyICVVKR47
CrvENk5ROxT5kJPTcE4FdvADsYIniyXvRYRT1BjrEXBIcJDEUEPY3qLXD+KU
3LLr96c//SnwI5V6MuLPk42vLZFrzPooRPjIo+nrC//VfR64Ufj5gebQ1rzt
U9X6/NB+gI/6oP8GvebTp/Tw3rm9nfB0TfNDZSqd/is4vQe9xlpr7kcWTfXx
nl0Z9Mbcelfaghb/2AHslqPyjrzujmnteZ2A9l85azvYcoqPBOO3Q0REiCUQ
/I9fdnw+igzXkNFfDc7bRaEuEDxTECy7seUgFn3+IGzRrx/73iQMtmDrflCf
hija27LjR9E9XsaeftZmvXCl/jvSgQ3h6P8GbYiWnHcoTOf0b9IcdwfqcZfD
pBR1K/zikTPitaHErG/DQHv/8dE2Z/7Ia1vvzKMSPsvS0QSTHfjAO/yo796R
ETzy6eFer9Ov2wf1WPt/6PDUnmEqfgq5loG2B6YUZyiF7bXbPvCMkChsLWzD
aRrKimgrqiJtOxhiYPrscA8402TFnocQvADjciL2xnm0/W3nY3PeBg/TRGiv
G6miWcWObe2HwThx7l6QOQ1STuDPmQKL3c4aeSd102bRCoA3Mb8uiTziJHLD
Cg8COyuOFuFMR+guh55Yy0UDn5ZdiRcDB7BPhGPCU0pafSSngfjE+yDfDGof
Qhw/cJgJIeEZGI2M2sJ5tfUSgJz36YcUPWLOOFPeJUuXfjCMIIEa9w4rLD9h
HDPLsN2GXDXc2K0gsKJNNwlgBeMF8qDZL0k4SB2Kjb3OqmQujxtA0vDWMYmI
FTpU4lMDM5rFAqc673q34+WQ9SLwEwEI9Au7qpjO8dtJa+fSXDhHE3APMqCD
3O/9jsqOT5fOC6z06L6Pd27+Svt7e73hy+z8fLzfn2l9aCPneTzIFnUNEKvX
NttbwXR2qRP4z969nr7bbIu5FqT+QF+/GX5N1lsM6gPMtxKS/BDitsOw3uPx
BF83bPm9zo53nn98gEXftvG95r11+L/A2O97Y+/ttG7Y6W5DiaKu06Z5IxeA
coGgCy7CUOkCwpk1BGRzaVO4eywBDqeXKV3/6IhKZVj5nkwfYUD3KPJPfDKi
6Ej+FmYhFWu0D1zUs6qe7JNQGD15m2A3FsKyahQAwUtRUUZCcjqZdKBQVpeK
RWhngyE+DYTrbc5DW8CF/nZ/Che5MsPWfduqvDFmupdpVoBy77uSG/xdpZXV
YHEG20PQvCpyTD+gVka4Rkdc9xudng99TDo6Oj2/v4GBjBycQBo+feUWDjsH
4gPDVL70qYOBt2oRm4QeW1OWjtPgqJxx3BuqfYblq1bQKxDXcAKYCATVesL+
A66c2JIg2tFpsLF+gg2mmr8OXalQqIQI9fS5hqNR2tXkGh1Q7ASKbZQAbndv
CM7O28nvJQvUbJpIa+S3DwOMOaPOEjzVPYcaUzsirtRgZ2IcQx2sYdpSNuQ8
bBb8RA7OJsLHvcuM+BcLbZJ/xCRmgU61Sk28XM0ylsfC5KBnpLWlJj8ynHpW
M3IaJdXcFesMt1bZPHOVXGCnkHdkVK5vk0zPmZW48q82AeskWU0nU5Qa15M0
UQ1834yX42EdhAxquhVGkwfLkEk40YSZ1iOPjY+Gx0fdw90wabWeoexfHr4c
dJ9GYVWuh64c18cXWUVJJkxeUz0cldLvxi+efRcoGKYiNpvF6yopdWq40aF7
LI58KvVlEn3yBylTWUr7By3oiBQoma2qxWXCWiSLqTVrQ25bemzcw9woHHYF
NAAogupUePJ+zdKiQ8HihSIE/iuQlMgqvI7aNl0mwaGkXysLfnOPFhxghAzX
JQJTbnXJsfs3hmBgZZLcZywVPCWMcUEaLExVeFaWZnly1JFO1ADSpo/0MYZQ
mBsUfLYe3G1Ra6WhoB0QjeqBRQmjQerI4QVditYrkr5vV0io9wHUGHe4iCF1
iqYWisxrw1AYGx0fUkZqaiu3NWnp+w0T2CUYHygS18lYq7xW4a0GzbFEp3IR
me1bygLAN51jEFrEKNAN8+SbJyi2xyrJiDoIMzxT0fRmEF44Tkx1llDhGmnq
W1dlhSpJKm5hM5w0aFLhnQyYUxjEhOxesYaIi8BSsT/Qn5porJ5/ZoumuVWu
IK0WVSFbdO264R1ktbkYk3bSTX+JXSVuuLxpnlMqLo6oxLNcpiSr4zpygjZB
VAXnPvlSuspsY8M1MIQHnrI69fp4AvQq/mxU9c+y0hyoQ5YS9lEbZyLFnD0S
Hb02CJRUXsX4OHC+sOC9JkZmjAfSYbedEGFF7X5SbHdbH0gLIUW6lRbIpj5H
x00k1rXP2dZY726HG4Tiu+GwUEZMmgexLcCpM8bPvfQVpQ6+2jxzahafDBmF
YPVNczA2bVwb0DHa1hqdaHJB2Z4p9iqCgb6YUiLvYjqK4MBpS3SxYBSv40QX
rgbqoiOs2PrDhnPGapoNG1KD0RUpBtC+uMPFtO2pYdhJWhT1OZ7Bg2MR/lon
xml4cpi4/7kTiTAb3iiglkgqVUxw3GobQzrXkJloN/B+eRkcy93bUsc30Uqn
SyMHRWoffImujki35g4I6U8IkSKpUG5Sxe6ma4Pts+ltrXvlcJhZpawYOfEN
wHBqH1zBQEYZECyYzyxu1uywYpUp7m25KoypuwC425P7UDI0bTQQ7Rs6mFjT
dRbEg7MBTEvltQqRvtXc2UaOrzY7CQ445u99+ZabxPcAqdgjjGpl04NG93RI
17/Eo7k8+R2Fon4Eh2JIWWDt5wNq8aysi+Q2GTaMVoDVTLLA5vaOgdKmtMFk
AMFQkgo4UuSNSKRbc0N94NYByISOTL0p8+R542pIHyzBlEy/swvUgJFSilnP
fwLlwepDDHfqUa2JruSDS7jv3Qrfzc3797m9pj7VoNN+IyTcWMaasXaum24N
O0sdtxrqKJ7o7gm/D4QnD0xuC1SWKiPzGDiQyGDNGvROHMnSDCQQ6zXyrmeG
+8mN8RRphBbdpRCB3dVhZOu9yVoZOXkdfy6jjNWfQbWuOJOZzEHmKVkz5F+D
QDVtvkLa3OYx3n65pe7sTbXYR45hA02CkFczah+3O1Hom9nJgavlhy4qcZ5B
6mGcsJNZgBZqW8P9uOWhWy1xaF+sEW5SClWukDU49Y+5uSNwiKuUbqHoJbnn
oCuzarkCbYnXlQyGBOmCWqzmKtS8lKuoIe7W/W3RD6w53wtCI5VTHlDPAMbA
OxoQusSf4MibtChjIkChuwzAdGUSODgpWGtoJnSvuGrjEk9UkqHNpAIUNtpt
GLLUYUDW2zygD6TvPSCVaSrY2DFLnSQKzicc3gRnTBfwVhBlfYESbSw3QE9P
Xl68O5+q334PnuvCmPkMKz2onpdVPKcuPhfTWaRyWffIWG8XuQ8MpEYLLnws
5S3nWt82QlIfe6KDVJgVXni/MmJgQeaczmo04lhvJTf5Bv0J34WuJs0OnfBW
PNnVzRv06n1d3bp7jOWsnq/eWlfJI0VUL43SUrcds9zJFbXuwBeVbLUMb6hJ
ObYx6mFxi+uDu+AiHCh2JAIsBxrf3zexgPRVDNQkdVFflaGa5U2eaCQGBEBE
P7r4hgDEQbthzSDk61R0v19yDJgKwRIlUN7Vf/0OlC9FqYEYqDdFZatJa1N4
9mK89/AAbagSIxVTCJ8NIvfo3dvzi+Pp9Pjlj04l302m/TPuNzsb7Q2G4/HY
N59RRecT5ijxdlJahm6f0guqFJt1Rl0O4Y2beQW+O7XQTaZn1oWxXB+SMrs0
paGsS8X1zP+2zmxJ6oLuLnJjLQZIdUgShGbZrqsqVCo/w3s8/gxWStdgYlS/
YxbWGf4dtZzPiSK9QUETLL7FvVw5Fs5dq1uInKahK7LIzEGvg6nroIDzJGTV
bVNRQF8FuS3MJmT5EAwyla5jf1fpibQPxh6hcG5XkXL3mlrdDmNaWvJ6lBDD
xR1Im0AP2/181hi6gxGtDF6nY2zQEo07dfU1KgYDC+bcoiqtlf7tHQD+2Ac9
AaZFxDj/NGyWf5zugz3DOleQOhzzRY53cOSr2FyTVSammJB2DtQf1+oPWadN
Dj91Ib8D77UgT2goZTyBhCR+EgQTrJwkb92I4gYWwoxveOW+1OZoIahcuUFA
V7QB51lAfQFByiKOSk4Ga0md+ePBubj34PDTpwE2lARQo0fkMpEVbVNyd3q1
ZlZ3bbGOjwBQcHTSJP6AsSTygOT/gex4oyaszLkrlfgDypO12J1PMaAsyi9z
8YmCgb+eI/fgQJsu8WIJ+ll8ZVHy0jUWQNareaydStbFsiKXYKWx4hg0UuOP
/uRe3mE0Xp9fgo63rPLoQCLlHadiCsjNCC1gAj9H4LlKXw0RAynWSQHn2wja
x+D1hiPlmiL2KTO+Mt+S37qCyGQu62sNePvQIV1I9oUNlgledRNQIMgrDhw/
2Co3BTKyhDx437vQBXdtP+HmljZ0/lpkAOZiF3jbgOP124zX6MimHppDrMcF
WmnOUdiS/M70tnX1ElDl73/eg9jgbmfzXieBjh6Fr8yBN3BTbstCDGuRrrek
sXJ/ldWQowICLy8JmLOzCJxo8Y4q+XNYRmDqhLc8uJQcU9+c9M8d+A3qXqTR
UUsMbYsFgusRoxGzNxxyoaPSy6JvdoABrUQM1YmuNBX7uq4zj4PuDNLJoQ7q
n6IKm5LUDEQFU/Mkd08q6p7Ee3zYn+defpAsx2qCo1+djrT0TdRlitg3K7JB
Vf28IY8TbgiYy6I0xdn0ppIPLaPzVptWDllxpE4WMhUjodpKYW1FyoC3jkFd
UOPZAJfzqX1Ya3L2ki81tNe7ePh62+5kufXvjk8uXx9f1MfUfNm7tq/vLshd
9L8+/FCtI33CPSnGw1h5xx1Sf1kTJxwnmPi+b0Z4xXPMPBOGMUTH3WGMYyWa
HDImMsj7HOTM6DUtYXu9C3zHE3glVcr5ibmv8Vpx3hsXLN3t3Rfjzyi1jDsh
eZldpyEsoQi8nHgRwN6LNXI1BJNx+mOV/wjfc2ljTH+cwyr8pHbz6Wti0iWt
ClA/puSRuBqc7VnnFSqb9vUdvuBXn/IzbinLTQ7c3MI3uqY1oDpyBNrA1fSA
jRaLuOBYucpHBKvrAvUX9t8MXNTxBlgiODe60ZfBTBAJTN+UPMk7G/xtR6dR
VriGnEACNhn/jZe+8BYhmBfAehP0Uwc6x0GUH+STskq3LTS4850iy6tRi5ZP
1B5vBMdzNrfeM3YnPm2c+PSvceLT0eaJufMkwDrd0AQQ3rgblBTSY56lL8QT
3DmBdorjCYJxljVffDN0b8Hwzd0rJCphdg9XfwOyWMZ2wZlKftcDXtYMrg96
S5bLRUU2tzXOZmaJYg5An3YCfcpA4/EfBDR3sEjfb9CPuJWe8nuLn3utpln+
MDHH4UdYWnWOV92duj9sDsaVkae7fngz2mvfSeLPuOshPu8avW2wG973NBns
HE2/9YXjOuDaNbMLtN3jN2dIQmX7BEqybGxzb890iyisMXZ/SDO2u6vv20ea
apVrl73w7+z4t8YLecJ1+06kBjVfHmNSgZgYXYYwTUTy46TRj++UShJo8blm
WQkD8GdUbt5R9y28ZEB8z+6J84zF0wbZGTk1JDZw5DkK23NfxYUth6qoOtIx
umGA57UBzskAbzf2Lz7H2KPiyWYl5RgVuM4RvtRMchqsyy149NTRPIRQ8Yr/
kNsV4HueQVDl0qkUhskSbKvLhltcn8gl6SQvSkYip3dhcHII5233u9wLQYZ0
Q592TU0TG3d35JijN7M3Ru84hA128yehDqBtXlXtwK90UmKP7v5YPMN40fBw
UI8C3HfhsydNvfpJ/VKdBdUGB83m9txAPtgKRu+rAApqQYNwM5YqMVmiEAww
Hv0NJQ/ofJAnzOBKNSyEGlYVHG4H8/l9YPab6GKPqhPYRjzSvEbdkdeRmF23
XgeBU+imVl2JzuqbbYO/7LAv3GF303brfKeSMA05LU2OzdaNvKcqC3m1hIsb
TR01+uyugzN4WwR72pFxGSUfOLqdnm/dSfIBLYz7N7OylkPh4yq0u7UUBuHs
LqEPb1Kr3fvhODFOl9Pk5WKtRbm96IY6qNpv2aGKus3pdY6NN2K4d1i5tvca
pPANkFwF4ate5HrOsHUF34qMKtD3KAkGsQ8TO4X59lZdncJ2hWYq4VD1G1kE
zONOsPTvOhXxZVoxN/NROm5yiIWTcIE6L8iFtr93Nnd3InfiXipZc4pLcknC
g3px5P2HoTBGhGz/rkwI4B6et+0I7euELeIFu3El+dPxQrrxQ1I5h5LKmX12
KufwXzqV8w+eVjn8J02rHEpaBdnxtXt5UGgrfZ7FV90coFz+dU4QpWZg7392
P/Mf2s2c/V3dTPFSuKfrIW5kGDP9dT3KvX90L3LvX8Jz5JTXzc0NZ5GktzCi
vhJuy61bferJbrnmVan690B/cKNPUDLhzBZ4CwaC38f7tNbjF3JPSvUeq3e5
1L0Ag0dhHQwvm4KOAL12TKVc0OP8LltSPa4E95TII4VK+DnO5tymJyX/kho4
8Xp/PZors9xKJG8DT7Gwg7Bx3z3esLXcB3XrFicxAse0Cu8JsDKlqyALwA12
cFEzyMzA4kZ2Nzd5DAfg20Nq93k6j7LO0hiH1Q1xmHAWB4FeZo339SyOEW88
7HeIqele7q7hq9fS+hXovrMyKxrPAxM/bzpSvlUTL2cELQziIsKW8j6o27oT
lO8Sls41ZSbiVmzymU3dB1m7rlxBpCzKgtTwDrxtYYFNvF38PfFWX1z622Hq
ogtTFBw+rl/puCFX1kQjK7+CgPmB0h3woPdgBcqxwACtWFLNNknMVcyv9RMb
Fwh46wIW9hqgiH8aSMsv2mX249TJ5GzSDXisUy4ihVfJmxUCmtyoqltadBKh
k5CY+ZLflsouPP8vCay/ZQroBef/LRz0D3Tt4C0EgdokA/zfuqRLDMPMjebY
6I/xOrsaqv8wi4V6rbUdgp9WLdXbLC2XqO9vmdbvEgq7DrMCGKzgy4DEzNhy
t6gSFbmGH3r/YN2YJ/8PBuzi7PX+D5LavyCOaAAA

-->

</rfc>
