
From nobody Thu Apr  1 02:40:05 2021
To: Daniel Franke <dfoxfranke@gmail.com>, NTP WG <ntp@ietf.org>
Cc: bob.hinden@gmail.com
References: <CAJm83bAQgRKNEdaOcNvSkL1OF-xOd8T_5AYfwJCXtpZifUAVSQ@mail.gmail.com>
From: Martin Burnicki <martin.burnicki@meinberg.de>
Organization: Meinberg Funkuhren GmbH & Co. KG, Bad Pyrmont, Germany
Message-ID: <71a20585-797d-f0a2-11b2-7770adc317bd@meinberg.de>
Date: Thu, 1 Apr 2021 11:39:38 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.8.0
In-Reply-To: <CAJm83bAQgRKNEdaOcNvSkL1OF-xOd8T_5AYfwJCXtpZifUAVSQ@mail.gmail.com>
X-SM-outgoing: yes
Content-Language: en-US
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="----D6EE9D9C71F74DD7C439A91D71252A51"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/zCD0AHMIp4PNVsG_oWEaeH5M6bw>
Subject: Re: [Ntp] An RFC6921-compliant NTP implementation
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Apr 2021 09:40:03 -0000

This is an S/MIME signed message

------D6EE9D9C71F74DD7C439A91D71252A51
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
MIME-version: 1.0

Hi,

On 2021-04-01 02:00 Daniel Franke wrote:
> Building on the groundbreaking results from CERN's OPERA experiment 
> showing that neutrinos can be accelerated to superluminal speeds merely 
> by loosening the contacts on a transmission cable, I'm pleased to report 
> a mostly-successful experiment building an RFC6921 ("Design 
> Considerations for Faster-Than-Light (FTL) Communication") compliant 
> implementation of NTP.
> [...]

This sounds like a real cool improvement.

I can imagine that "bad guys" will try to spoof this. Will it be 
possible to use NTS to avoid that? ;-)

Martin
-- 
Martin Burnicki

Senior Software Engineer

MEINBERG Funkuhren GmbH & Co. KG
Email: martin.burnicki@meinberg.de
Phone: +49 5281 9309-414
Linkedin: https://www.linkedin.com/in/martinburnicki/

Lange Wand 9, 31812 Bad Pyrmont, Germany
Amtsgericht Hannover 17HRA 100322
Geschäftsführer/Managing Directors: Günter Meinberg, Werner Meinberg, 
Andre Hartmann, Heiko Gerstung
Websites: https://www.meinberg.de  https://www.meinbergglobal.com
Training: https://www.meinberg.academy

------D6EE9D9C71F74DD7C439A91D71252A51--


From nobody Thu Apr  1 08:05:06 2021
MIME-Version: 1.0
References: <CAJm83bAQgRKNEdaOcNvSkL1OF-xOd8T_5AYfwJCXtpZifUAVSQ@mail.gmail.com> <71a20585-797d-f0a2-11b2-7770adc317bd@meinberg.de>
In-Reply-To: <71a20585-797d-f0a2-11b2-7770adc317bd@meinberg.de>
From: Daniel Franke <dfoxfranke@gmail.com>
Date: Thu, 1 Apr 2021 11:04:46 -0400
Message-ID: <CAJm83bBst6mMqY72gwaj5Xq++GD9qPMRL7b+2+fGuq9qQ1BCnA@mail.gmail.com>
To: Martin Burnicki <martin.burnicki@meinberg.de>
Cc: NTP WG <ntp@ietf.org>, bob.hinden@gmail.com
Content-Type: multipart/alternative; boundary="000000000000f9633005beea8d08"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/Tn0AX07uvAU7v3yXS3aWviphfC8>
Subject: Re: [Ntp] An RFC6921-compliant NTP implementation

--000000000000f9633005beea8d08
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

FTL is an annoyance for NTS if you have a common reference frame, and a
disaster if you don't. Suppose you have a client and server that are 25
light-milliseconds apart. If you get a response back 60 milliseconds after
you send your request, then in a subluminal universe you can deduce that
you're getting an error of at most 5ms on account of network asymmetry (I
don't think any NTP implementation supports this optimization, but byztimed
does). With no speed limit on communication, this trick doesn't work any
more and the error could be up to 30ms. With time travel, you can't bound
your error at all, because latencies can be negative.

On Thu, Apr 1, 2021 at 5:39 AM Martin Burnicki <martin.burnicki@meinberg.de> wrote:

> Hi,
>
> On 2021-04-01 02:00 Daniel Franke wrote:
> > Building on the groundbreaking results from CERN's OPERA experiment
> > showing that neutrinos can be accelerated to superluminal speeds merely
> > by loosening the contacts on a transmission cable, I'm pleased to report
> > a mostly-successful experiment building an RFC6921 ("Design
> > Considerations for Faster-Than-Light (FTL) Communication") compliant
> > implementation of NTP.
> > [...]
>
> This sounds like a real cool improvement.
>
> I can imagine that "bad guys" will try to spoof this. Will it be
> possible to use NTS to avoid that? ;-)
>
> Martin

--000000000000f9633005beea8d08--
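
The delay bound described in the reply above, worked through as an added example that is not part of the original thread. It goes slightly beyond the message by intersecting several samples and by rejecting a reply that arrives sooner than the known minimum path delay allows; the names `Sample`, `offset_interval`, `max_error` and `intersect`, the integer-millisecond units and the timestamps are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    """One NTP exchange, all values in integer milliseconds (constructed units)."""
    t1: int  # client transmit, client clock
    t2: int  # server receive, server clock
    t3: int  # server transmit, server clock
    t4: int  # client receive, client clock


def offset_interval(s, min_one_way=0):
    """Bounds (lo, hi) on offset = server clock - client clock.

    forward delay = (t2 - t1) - offset >= min_one_way
    return delay  = (t4 - t3) + offset >= min_one_way
    With min_one_way = 0 this is the ordinary NTP bound of +/- delay/2.
    """
    lo = (s.t3 - s.t4) + min_one_way
    hi = (s.t2 - s.t1) - min_one_way
    if lo > hi:
        # The round trip was shorter than 2 * min_one_way: the distance is
        # wrong, a clock is broken, or the reply did not come from the server.
        raise ValueError("round trip shorter than the physical minimum")
    return lo, hi


def max_error(s, min_one_way=0):
    """Worst-case error of the midpoint estimate, i.e. half the interval width."""
    lo, hi = offset_interval(s, min_one_way)
    return (hi - lo) / 2


def intersect(samples, min_one_way=0):
    """Intersect the per-sample intervals; every valid sample must contain
    the true offset, so an empty intersection means the samples disagree."""
    los, his = zip(*(offset_interval(s, min_one_way) for s in samples))
    lo, hi = max(los), min(his)
    if lo > hi:
        raise ValueError("samples are mutually inconsistent")
    return lo, hi


if __name__ == "__main__":
    # Constructed exchange: true offset 7 ms, 33 ms out, 27 ms back, 60 ms RTT.
    a = Sample(t1=0, t2=40, t3=40, t4=60)
    # Second constructed exchange: same offset, 26 ms out, 34 ms back.
    b = Sample(t1=1000, t2=1033, t3=1033, t4=1060)
    print("25 ms floor:", offset_interval(a, 25), "error", max_error(a, 25))
    print("no floor:   ", offset_interval(a, 0), "error", max_error(a, 0))
    print("both samples:", intersect([a, b], 25))
```

The 60 ms round trip with a 25 ms floor gives the 5 ms bound from the message, and dropping the floor gives the 30 ms one.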


From nobody Tue Apr  6 11:39:26 2021
MIME-Version: 1.0
References: <161719557520.16220.12856615921222543758@ietfa.amsl.com>
In-Reply-To: <161719557520.16220.12856615921222543758@ietfa.amsl.com>
From: Daniel Franke <dfoxfranke@gmail.com>
Date: Tue, 6 Apr 2021 14:39:00 -0400
Message-ID: <CAJm83bD7REE1wPEfsfGF9HX2JZ60KAAp-iWZaDdfnQtuepgDeQ@mail.gmail.com>
To: last-call@ietf.org
Cc: IETF-Announce <ietf-announce@ietf.org>, ek.ietf@gmail.com, ntp-chairs@ietf.org,  NTP WG <ntp@ietf.org>, draft-ietf-ntp-interleaved-modes@ietf.org,  "Karen O'Donoghue" <odonoghue@isoc.org>
Content-Type: multipart/alternative; boundary="0000000000005f1f7a05bf522199"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/u5D_-IIeFVnj2j_PMvbW-48nd8Y>
Subject: Re: [Ntp] Last Call: <draft-ietf-ntp-interleaved-modes-04.txt> (NTP Interleaved Modes) to Proposed Standard

--0000000000005f1f7a05bf522199
Content-Type: text/plain; charset="UTF-8"

I think the feature introduced by this draft is fundamentally
misdesigned. The objections that I'm raising here are ones that I've
already raised during and prior to WGLC. When it was clear from the
ensuing discussion that I was coming out in the rough on consensus, I
asked Karen to go ahead and advance the draft but to note my
objections in the shepherd write-up. This seems to have been missed,
but no matter; this email captures my concerns.

Interleaved mode, as specified by this draft, works by conditionally
altering the semantics of certain NTP packet fields, to mean something
entirely different from what they mean in RFC 5905. This change of
semantics is not signaled anywhere else in the packet; both parties
are required to maintain state to keep track of which semantics are
intended.

The means for a client to signal that it wants to enter interleaved
mode is arguably another incompatible change from RFC 5905 semantics,
though there is room for some interpretation on this point. A client
which fully implements and strictly adheres to RFC 5905 will, on its
first request to a given server, set the origin timestamp field in its
request packet to zero; on subsequent requests, it will set it by
copying the transmit timestamp from the server's most recent response.
However, the client's origin timestamp is of no actual significance to
the protocol; RFC 5905's description of how a server is to construct
its reply makes no use of it at all. SNTP clients typically always set
it to zero, and I-D.ietf-ntp-data-minimization recommends that all
clients do this, since the behavior of copying the server's transmit
timestamp enables tracking. RFC 5905 is vague on what's actually
expected of clients here, since there is no RFC 2119 language on the
matter. My interpretation, however, is that an SNTP client can put
whatever it wants into the origin timestamp, because RFC 5905 Section
14 allows clients to implement "any subset of the NTP on-wire
protocol", and phrases all interoperability requirements in terms of
how a server is expected to construct its response to a given request
packet.

In the interleaved-mode draft, a client signals that it wants to enter
interleaved mode by setting its origin timestamp from the server's
last *receive* timestamp instead of from its transmit timestamp. But
in light of the above, I think that such behavior is already allowed
of clients that are ignorant of interleaved mode, and so I think this
signaling mechanism introduces an incompatibility. One can dismiss
this concern as theoretical, saying that no interleaved-mode-ignorant
client would ever actually behave this way, and I might be sympathetic
to this if no cleaner negotiation mechanism were apparent. But a
cleaner mechanism *is* apparent. NTPv4 supports extension fields, and
we should use them. Instead of messing with the semantics of existing
fields in the base packet, leave those alone and put the interleaved
timestamp into an extension.

A second problem with this draft, one of more immediately practical
concern, involves state management, especially when NATs are
involved. Servers supporting interleaved mode are required to keep
state on their clients, but the means of distinguishing one client
from another is underspecified. It states, "The server MAY separate
the timestamps by IP addresses, but it SHOULD NOT separate them by
port numbers". A server which opts out of the MAY would just keep one
global table mapping every receive timestamp it has produced to a
matching (hardware) transmit timestamp, and make lookups into this
table based on the client's origin timestamp, removing such entries
only when they time out. The draft does not specify what the timeout
period should be, but it needs to be at least a decent multiple of
1024 seconds, since that's the polling interval that most clients use
by default. A server which behaved this way would be easily DoSed,
since a single IP could spam it with requests and quickly exhaust
memory. Authentication wouldn't be enough to prevent this, since an
adversary who captures even a single authenticated packet can then
replay it endlessly.

To avoid such a vulnerability, the server really needs to maintain a
separate table per IP address, and limit how much it's willing to put
into a given table. Actually, that's still not enough: source IPs can
be spoofed, so there's a need for some sort of SYN-cookie-esque
mechanism to make sure that a client is really able to receive traffic
on its purported IP before the server is willing to keep any state for
it. Let's imagine for the moment that this mechanism exists: we're
*still* in trouble on account of NATs. We can't just assume, "one IP,
one client", because there may be multiple, and indeed a very large
number, of clients behind a single NAT address. Therefore these per-IP
tables still need to be allowed to get quite large to prevent such
clients from stepping on each other's state.

I think the most tractable solution to the state problem is with a
different design that avoids state entirely. Don't wait for another
request from the client: just send one packet, capture the hardware
timestamp, and immediately send that out in a second packet so that
related state can be forgotten. The draft already discusses this
approach, but dismisses it on the basis that it would allow for
amplification attacks. This would be true of a naive design, but it's
an easy problem to solve: just do exactly what DTLS does vis-à-vis
HelloVerifyRequests, where before the server will send follow-up
packets to a client, the client must obtain and echo back a
server-generated, self-authenticated cookie bound to the client's IP
address. This of course can again be done through extension fields.

On Wed, Mar 31, 2021 at 9:01 AM The IESG <iesg-secretary@ietf.org> wrote:

>
> The IESG has received a request from the Network Time Protocol WG (ntp) to
> consider the following document: - 'NTP Interleaved Modes'
>   <draft-ietf-ntp-interleaved-modes-04.txt> as Proposed Standard
>
> The IESG plans to make a decision in the next few weeks, and solicits final
> comments on this action. Please send substantive comments to the
> last-call@ietf.org mailing lists by 2021-04-14. Exceptionally, comments may
> be sent to iesg@ietf.org instead. In either case, please retain the beginning
> of the Subject line to allow automated sorting.
>
> Abstract
>
>
>    This document extends the specification of Network Time Protocol
>    (NTP) version 4 in RFC 5905 with special modes called the NTP
>    interleaved modes, that enable NTP servers to provide their clients
>    and peers with more accurate transmit timestamps that are available
>    only after transmitting NTP packets.  More specifically, this
>    document describes three modes: interleaved client/server,
>    interleaved symmetric, and interleaved broadcast.
>
>
>
>
> The file can be obtained via
> https://datatracker.ietf.org/doc/draft-ietf-ntp-interleaved-modes/
>
>
>
> No IPR declarations have been submitted directly on this I-D.
>
>
>
>
>
>
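
The stateless, IP-bound cookie proposed in the message above, sketched as an added example; it is not part of the original message, the draft, or any NTP implementation. The cookie layout (8-byte issue time plus a truncated HMAC-SHA256 tag), the 64-second lifetime, and the names `CookieIssuer` and `handle_request` are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets
import struct

COOKIE_LIFETIME = 64  # seconds a cookie stays valid (assumed value)
TAG_LEN = 16          # truncated HMAC-SHA256 tag length (assumed value)


class CookieIssuer:
    """Issues cookies the server can verify later without storing anything."""

    def __init__(self, key=None):
        # One server-wide secret; no per-client state is kept.
        self._key = key or secrets.token_bytes(32)

    def _tag(self, client_ip, issued_at):
        ip = ipaddress.ip_address(client_ip).packed  # 4 or 16 bytes
        msg = struct.pack("!Q", issued_at) + bytes([len(ip)]) + ip
        return hmac.new(self._key, msg, hashlib.sha256).digest()[:TAG_LEN]

    def issue(self, client_ip, now):
        issued_at = int(now)
        return struct.pack("!Q", issued_at) + self._tag(client_ip, issued_at)

    def verify(self, cookie, client_ip, now):
        if len(cookie) != 8 + TAG_LEN:
            return False
        (issued_at,) = struct.unpack("!Q", cookie[:8])
        age = int(now) - issued_at
        if age < 0 or age > COOKIE_LIFETIME:
            return False  # bounds how long a captured cookie can be replayed
        expected = self._tag(client_ip, issued_at)
        return hmac.compare_digest(cookie[8:], expected)


def handle_request(issuer, src_ip, cookie, now):
    """Return the datagrams the server would send to src_ip.

    Without a valid cookie the server sends exactly one small reply that
    carries a fresh cookie, so a spoofed source address never receives
    more packets than were sent in its name. Only a client that echoes a
    cookie minted for its own address gets the two-packet reply (response
    plus follow-up with the hardware transmit timestamp).
    """
    if cookie is None or not issuer.verify(cookie, src_ip, now):
        return [("COOKIE", issuer.issue(src_ip, now))]
    return [("RESPONSE", None), ("FOLLOW_UP", None)]


if __name__ == "__main__":
    issuer = CookieIssuer()
    # Constructed addresses from the documentation ranges.
    first = handle_request(issuer, "192.0.2.10", None, 1000)
    cookie = first[0][1]
    print("first contact:", [kind for kind, _ in first])
    print("with cookie:  ",
          [kind for kind, _ in handle_request(issuer, "192.0.2.10", cookie, 1001)])
    print("wrong source: ",
          [kind for kind, _ in handle_request(issuer, "198.51.100.7", cookie, 1001)])
```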

--0000000000005f1f7a05bf522199
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr">I think the feature introduced by this dr=
aft is fundamentally<br>misdesigned. The objections that I&#39;m raising he=
re are ones that I&#39;ve<br>already raised during and prior to WGLC. When =
it was clear from the<br>ensuing discussion that I was coming out in the ro=
ugh on consensus, I<br>asked Karen to go ahead and advance the draft but to=
 note my<br>objections in the shepherd write-up. This seems to have been mi=
ssed,<br>but no matter; this email captures my concerns.<br><br>Interleaved=
 mode, as specified by this draft, works by conditionally<br>altering the s=
emantics of certain NTP packet fields, to mean something<br>entirely differ=
ent from what they mean in RFC 5905. This change of<br>semantics is not sig=
naled anywhere else in the packet; both parties<br>are required to maintain=
 state to keep track of which semantics are<br>intended.<br><br>The means f=
or a client to signal that it wants to enter interleaved<br>mode is arguabl=
y another incompatible change from RFC 5905 semantics,<br>though there is r=
oom for some interpretation on this point. A client<br>which fully implemen=
ts and strictly adheres to RFC 5905 will, on its<br>first request to a give=
n server, set the origin timestamp field in its<br>request packet to zero; =
on subsequent requests, it will set it by<br>copying the transmit timestamp=
 from the server&#39;s most recent response.<br>However, the client&#39;s o=
rigin timestamp is of no actual significance to<br>the protocol; RFC 5905&#=
39;s description of how a server is to construct<br>its reply makes no use =
of it at all. SNTP clients typically always set<br>it to zero, and I-D.ietf=
-ntp-data-minimization recommends that all<br>clients do this, since the be=
havior of copying the server&#39;s transmit<br>timestamp enables tracking. =
RFC 5905 is vague on what&#39;s actually<br>expected of clients here, since=
 there is no RFC 2119 language on the<br>matter. My interpretation, however=
, is that an SNTP client can put<br>whatever it wants into the origin times=
tamp, because RFC 5905 Section<br>14 allows clients to implement &quot;any =
subset of the NTP on-wire<br>protocol&quot;, and phrases all interoperabili=
ty requirements in terms of<br>how a server is expected to construct its re=
sponse to a given request<br>packet.<br><br>In the interleaved-mode draft, =
a client signals that it wants to enter<br>interleaved mode by setting its =
origin timestamp from the server&#39;s<br>last *receive* timestamp instead =
of from its transmit timestamp. But<br>in light of the above, I think that =
such behavior is already allowed<br>of clients that are ignorant of interle=
aved mode, and so I think this<br>signaling mechanism introduces an incompa=
tibility. One can dismiss<br>this concern as theoretical, saying that no in=
terleaved-mode-ignorant<br>client would ever actually behave this way, and =
I might be sympathetic<br>to this if no cleaner negotiation mechanism were =
apparent. But a<br>cleaner mechanism *is* apparent. NTPv4 supports extensio=
n fields, and<br>we should use them. Instead of messing with the semantics =
of existing<br>fields in the base packet, leave those alone and put the int=
erleaved<br>timestamp into an extension.<br><br>A second problem with this =
draft, one of more immediately practical<br>concern, involves state managem=
ent, especially when NATs are<br>involved. Servers supporting interleaved m=
ode are required to keep<br>state on their clients, but the means of distin=
guishing one client
from another is underspecified. It states, "The server MAY separate
the timestamps by IP addresses, but it SHOULD NOT separate them by
port numbers". A server which opts out of the MAY would just keep one
global table mapping every receive timestamp it has produced to a
matching (hardware) transmit timestamp, and make lookups into this
table based on the client's origin timestamp, removing such entries
only when they time out. The draft does not specify what the timeout
period should be, but it needs to be at least a decent multiple of
1024 seconds, since that's the polling interval that most clients use
by default. A server which behaved this way would be easily DoSed,
since a single IP could spam it with requests and quickly exhaust
memory. Authentication wouldn't be enough to prevent this, since an
adversary who captures even a single authenticated packet can then
replay it endlessly.

To avoid such a vulnerability, the server really needs to maintain a
separate table per IP address, and limit how much it's willing to put
into a given table. Actually, that's still not enough: source IPs can
be spoofed, so there's a need for some sort of SYN-cookie-esque
mechanism to make sure that a client is really able to receive traffic
on its purported IP before the server is willing to keep any state for
it. Let's imagine for the moment that this mechanism exists: we're
*still* in trouble on account of NATs. We can't just assume, "one IP,
one client", because there may be multiple, and indeed a very large
number, of clients behind a single NAT address. Therefore these per-IP
tables still need to be allowed to get quite large to prevent such
clients from stepping on each other's state.

I think the most tractable solution to the state problem is with a
different design that avoids state entirely. Don't wait for another
request from the client: just send one packet, capture the hardware
timestamp, and immediately send that out in a second packet so that
related state can be forgotten. The draft already discusses this
approach, but dismisses it on the basis that it would allow for
amplification attacks. This would be true of a naive design, but it's
an easy problem to solve: just do exactly what DTLS does vis a vis
HelloVerifyRequests, where before the server will send follow-up
packets to a client, the client must obtain and echo back a
server-generated, self-authenticated cookie bound to the client's IP
address. This of course can again be done through extension fields.

On Wed, Mar 31, 2021 at 9:01 AM The IESG <iesg-secretary@ietf.org> wrote:

> The IESG has received a request from the Network Time Protocol WG (ntp) to
> consider the following document: - 'NTP Interleaved Modes'
>   <draft-ietf-ntp-interleaved-modes-04.txt> as Proposed Standard
>
> The IESG plans to make a decision in the next few weeks, and solicits final
> comments on this action. Please send substantive comments to the
> last-call@ietf.org mailing lists by 2021-04-14. Exceptionally, comments may
> be sent to iesg@ietf.org instead. In either case, please retain the beginning
> of the Subject line to allow automated sorting.
>
> Abstract
>
>    This document extends the specification of Network Time Protocol
>    (NTP) version 4 in RFC 5905 with special modes called the NTP
>    interleaved modes, that enable NTP servers to provide their clients
>    and peers with more accurate transmit timestamps that are available
>    only after transmitting NTP packets.  More specifically, this
>    document describes three modes: interleaved client/server,
>    interleaved symmetric, and interleaved broadcast.
>
> The file can be obtained via
> https://datatracker.ietf.org/doc/draft-ietf-ntp-interleaved-modes/
>
> No IPR declarations have been submitted directly on this I-D.

--0000000000005f1f7a05bf522199--
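
Added example, not part of this thread and not code from any NTP implementation: a sketch of the server-generated, self-authenticated cookie bound to the client's IP address that the message above proposes as a return-routability check before follow-up packets are sent. The cookie layout (8-byte epoch plus a truncated HMAC-SHA-256), the 64-second lifetime and every name in it are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

MAC_LEN = 16           # assumed: HMAC-SHA-256 truncated to 128 bits
COOKIE_LIFETIME = 64   # assumed: seconds per validity epoch


class CookieIssuer:
    """Stateless cookies: the server stores only one secret, nothing per client."""

    def __init__(self, secret=None, lifetime=COOKIE_LIFETIME):
        self._secret = secret or os.urandom(32)
        self._lifetime = lifetime

    def _mac(self, client_ip, epoch):
        # Bind the MAC to the source address and the epoch. The address is
        # length-prefixed so IPv4 and IPv6 inputs can never collide.
        packed = ipaddress.ip_address(client_ip).packed
        msg = struct.pack("!QB", epoch, len(packed)) + packed
        return hmac.new(self._secret, msg, hashlib.sha256).digest()[:MAC_LEN]

    def issue(self, client_ip, now):
        epoch = int(now) // self._lifetime
        return struct.pack("!Q", epoch) + self._mac(client_ip, epoch)

    def verify(self, client_ip, cookie, now):
        if len(cookie) != 8 + MAC_LEN:
            return False
        (epoch,) = struct.unpack("!Q", cookie[:8])
        current = int(now) // self._lifetime
        # Accept the current and the previous epoch only, so a captured
        # cookie stops working after at most two lifetimes.
        if epoch not in (current, current - 1):
            return False
        return hmac.compare_digest(cookie[8:], self._mac(client_ip, epoch))


def handle_request(issuer, src_ip, cookie, now):
    """Return the packets the server sends to src_ip as (kind, cookie) pairs.

    Without a valid cookie the server answers with exactly one packet that
    carries a fresh cookie, so a spoofed source address receives no more
    packets than were sent in its name. Only a client that echoes a cookie
    it received at src_ip gets the additional follow-up packet.
    """
    if cookie is not None and issuer.verify(src_ip, cookie, now):
        return [("response", None), ("follow-up", None)]
    return [("response", issuer.issue(src_ip, now))]
```

To keep the first exchange free of amplification as well, the cookie-bearing response must not be larger than the request that triggered it, for example by having the client send a same-sized placeholder field.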


From nobody Tue Apr  6 18:43:23 2021
From: Theresa Enghardt via Datatracker <noreply@ietf.org>
To: <gen-art@ietf.org>
Cc: draft-ietf-ntp-interleaved-modes.all@ietf.org, last-call@ietf.org, ntp@ietf.org
Message-ID: <161775979281.30506.6808949864064810668@ietfa.amsl.com>
Reply-To: Theresa Enghardt <ietf@tenghardt.net>
Date: Tue, 06 Apr 2021 18:43:12 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/VK-iU06U3_MOqKcfcRSCWITmm2s>
Subject: [Ntp] Genart last call review of draft-ietf-ntp-interleaved-modes-04

Reviewer: Theresa Enghardt
Review result: Ready with Issues

I am the assigned Gen-ART reviewer for this draft. The General Area
Review Team (Gen-ART) reviews all IETF documents being processed
by the IESG for the IETF Chair.  Please treat these comments just
like any other last call comments.

For more information, please see the FAQ at

<https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.

Document: draft-ietf-ntp-interleaved-modes-04
Reviewer: Theresa Enghardt
Review Date: 2021-04-06
IETF LC End Date: 2021-04-14
IESG Telechat date: Not scheduled for a telechat

Summary: The draft is basically ready for publication as a Standards Track RFC,
but it has some clarity issues that need to be addressed before publication.

Major issues: None.

Minor issues:

Section 1:
The introduction describes design considerations for changing the semantics of
existing timestamps, rather than introducing additional packets. However, it
does not mention negotiation. Please add some text to the introduction clarifying
how interleaved mode is negotiated, implicitly (if I understand correctly).
Furthermore, the introduction should mention that clients, servers, and peers
now have to infer whether a received packet is in basic mode or interleaved
mode from the timestamps themselves and their cached knowledge (if I understand
correctly). Has explicit negotiation been considered? What would be the
consequence of a client, server, or peer failing to correctly determine whether
a received packet is in basic or interleaved mode, perhaps due to an
implementation error? Please consider adding a few sentences to discuss this
scenario.

The introduction also does not mention whether a client, server, or peer that
supports interleaved mode has to operate in interleaved mode exclusively, or
whether it can switch between interleaved mode and basic mode. The document
later clarifies this, but please consider already clarifying here that an
implementation must support both modes if it wants to use interleaved mode, and
that a given sequence of messages can switch between both modes, to make the
scope clearer and the subsequent sections easier to understand.

Section 2:
Here the document first mentions the origin timestamp, where previously the
document has only talked about transmit and receive timestamps. I think it
would be good to briefly explain what the origin timestamp is, how this
document is changing its semantics, and why. Section 7.3 of RFC 5905 defines
"Origin Timestamp (org): Time at the client when the request departed for the
server", but this document says "A client request in the basic mode has an
origin timestamp equal to the transmit timestamp from the previous server
response, or is zero." If basic mode is RFC 5905, I would have expected these
definitions to match. Has the definition of origin timestamp changed from RFC
5905 to what this document terms basic mode? Please clarify.

Can a server only respond in interleaved mode if the client request was in
interleaved mode? Please clarify. (Section 3 says that a peer "MUST NOT respond
in the interleaved mode if the request was not in the interleaved mode", but I
have not found a similar statement for client/server interleaved mode.)

"Both servers and clients that support the interleaved mode MUST NOT send a
packet that has a transmit timestamp equal to the receive timestamp in order to
reliably detect whether received packets conform to the interleaved mode." I
think the document should reiterate in this section that a server or client has
to perform such detection (on each incoming packet?), and how to make this
determination.

Section 3:
"The peer A has an active association with the peer B which was specified with
an option enabling the interleaved mode" This sentence reads as if there is an
option to explicitly enable the interleaved mode. However, this document does
not change the NTP packet format or add an option. Please clarify/rephrase.

Nits/editorial comments:

Section 1:
"in the user space" -> "in user space"

"would enable a traffic amplification" -> "would enable a traffic amplification
attack"

To make Section 2 easier to navigate, maybe it would help to add subsections,
e.g., "Field semantics", "Protocol operation", and "Example".

Section 3:
"The peers SHOULD compute the offset and delay using one the two sets of
timestamps specified in the client/server section" -> "[…] using one of the two
sets of timestamps […]"



From nobody Wed Apr  7 01:52:05 2021
Message-Id: <606D72A7020000A100040358@gwsmtp.uni-regensburg.de>
Date: Wed, 07 Apr 2021 10:51:51 +0200
From: "Ulrich Windl" <Ulrich.Windl@rz.uni-regensburg.de>
To: "Daniel Franke" <dfoxfranke@gmail.com>,<last-call@ietf.org>
Cc: <ek.ietf@gmail.com>,<draft-ietf-ntp-interleaved-modes@ietf.org>, <ietf-announce@ietf.org>, "ntp@ietf.org" <ntp@ietf.org>, "ntp-chairs@ietf.org" <ntp-chairs@ietf.org>, <odonoghue@isoc.org>
References: <161719557520.16220.12856615921222543758@ietfa.amsl.com> <CAJm83bD7REE1wPEfsfGF9HX2JZ60KAAp-iWZaDdfnQtuepgDeQ@mail.gmail.com>
In-Reply-To: <CAJm83bD7REE1wPEfsfGF9HX2JZ60KAAp-iWZaDdfnQtuepgDeQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/LxuMEHWIgq0E-H3bkJfwiBp0q_k>
Subject: [Ntp] Antw: [EXT] Re: Last Call: <draft-ietf-ntp-interleaved-modes-04.txt> (NTP Interleaved Modes) to Proposed Standard

Reading this I have the feeling that the best way to signal interleaved
mode would be using an appropriate extension field.

>>> Daniel Franke <dfoxfranke@gmail.com> wrote on 06.04.2021 at 20:39 in message
<CAJm83bD7REE1wPEfsfGF9HX2JZ60KAAp-iWZaDdfnQtuepgDeQ@mail.gmail.com>:
> I think the feature introduced by this draft is fundamentally
> misdesigned. The objections that I'm raising here are ones that I've
> already raised during and prior to WGLC. When it was clear from the
> ensuing discussion that I was coming out in the rough on consensus, I
> asked Karen to go ahead and advance the draft but to note my
> objections in the shepherd write-up. This seems to have been missed,
> but no matter; this email captures my concerns.
>
> Interleaved mode, as specified by this draft, works by conditionally
> altering the semantics of certain NTP packet fields, to mean something
> entirely different from what they mean in RFC 5905. This change of
> semantics is not signaled anywhere else in the packet; both parties
> are required to maintain state to keep track of which semantics are
> intended.
>
> The means for a client to signal that it wants to enter interleaved
> mode is arguably another incompatible change from RFC 5905 semantics,
> though there is room for some interpretation on this point. A client
> which fully implements and strictly adheres to RFC 5905 will, on its
> first request to a given server, set the origin timestamp field in its
> request packet to zero; on subsequent requests, it will set it by
> copying the transmit timestamp from the server's most recent response.
> However, the client's origin timestamp is of no actual significance to
> the protocol; RFC 5905's description of how a server is to construct
> its reply makes no use of it at all. SNTP clients typically always set
> it to zero, and I-D.ietf-ntp-data-minimization recommends that all
> clients do this, since the behavior of copying the server's transmit
> timestamp enables tracking. RFC 5905 is vague on what's actually
> expected of clients here, since there is no RFC 2119 language on the
> matter. My interpretation, however, is that an SNTP client can put
> whatever it wants into the origin timestamp, because RFC 5905 Section
> 14 allows clients to implement "any subset of the NTP on-wire
> protocol", and phrases all interoperability requirements in terms of
> how a server is expected to construct its response to a given request
> packet.
>
> In the interleaved-mode draft, a client signals that it wants to enter
> interleaved mode by setting its origin timestamp from the server's
> last *receive* timestamp instead of from its transmit timestamp. But
> in light of the above, I think that such behavior is already allowed
> of clients that are ignorant of interleaved mode, and so I think this
> signaling mechanism introduces an incompatibility. One can dismiss
> this concern as theoretical, saying that no interleaved-mode-ignorant
> client would ever actually behave this way, and I might be sympathetic
> to this if no cleaner negotiation mechanism were apparent. But a
> cleaner mechanism *is* apparent. NTPv4 supports extension fields, and
> we should use them. Instead of messing with the semantics of existing
> fields in the base packet, leave those alone and put the interleaved
> timestamp into an extension.
>
> A second problem with this draft, one of more immediately practical
> concern, involves state management, especially when NATs are
> involved. Servers supporting interleaved mode are required to keep
> state on their clients, but the means of distinguishing one client
> from another is underspecified. It states, "The server MAY separate
> the timestamps by IP addresses, but it SHOULD NOT separate them by
> port numbers". A server which opts out of the MAY would just keep one
> global table mapping every receive timestamp it has produced to a
> matching (hardware) transmit timestamp, and make lookups into this
> table based on the client's origin timestamp, removing such entries
> only when they time out. The draft does not specify what the timeout
> period should be, but it needs to be at least a decent multiple of
> 1024 seconds, since that's the polling interval that most clients use
> by default. A server which behaved this way would be easily DoSed,
> since a single IP could spam it with requests and quickly exhaust
> memory. Authentication wouldn't be enough to prevent this, since an
> adversary who captures even a single authenticated packet can then
> replay it endlessly.
>
> To avoid such a vulnerability, the server really needs to maintain a
> separate table per IP address, and limit how much it's willing to put
> into a given table. Actually, that's still not enough: source IPs can
> be spoofed, so there's a need for some sort of SYN-cookie-esque
> mechanism to make sure that a client is really able to receive traffic
> on its purported IP before the server is willing to keep any state for
> it. Let's imagine for the moment that this mechanism exists: we're
> *still* in trouble on account of NATs. We can't just assume, "one IP,
> one client", because there may be multiple, and indeed a very large
> number, of clients behind a single NAT address. Therefore these per-IP
> tables still need to be allowed to get quite large to prevent such
> clients from stepping on each other's state.
>
> I think the most tractable solution to the state problem is with a
> different design that avoids state entirely. Don't wait for another
> request from the client: just send one packet, capture the hardware
> timestamp, and immediately send that out in a second packet so that
> related state can be forgotten. The draft already discusses this
> approach, but dismisses it on the basis that it would allow for
> amplification attacks. This would be true of a naive design, but it's
> an easy problem to solve: just do exactly what DTLS does vis a vis
> HelloVerifyRequests, where before the server will send follow-up
> packets to a client, the client must obtain and echo back a
> server-generated, self-authenticated cookie bound to the client's IP
> address. This of course can again be done through extension fields.
>
> On Wed, Mar 31, 2021 at 9:01 AM The IESG <iesg-secretary@ietf.org> wrote:
>
>>
>> The IESG has received a request from the Network Time Protocol WG (ntp) to
>> consider the following document: - 'NTP Interleaved Modes'
>>   <draft-ietf-ntp-interleaved-modes-04.txt> as Proposed Standard
>>
>> The IESG plans to make a decision in the next few weeks, and solicits final
>> comments on this action. Please send substantive comments to the
>> last-call@ietf.org mailing lists by 2021-04-14. Exceptionally, comments may
>> be sent to iesg@ietf.org instead. In either case, please retain the beginning
>> of the Subject line to allow automated sorting.
>>
>> Abstract
>>
>>
>>    This document extends the specification of Network Time Protocol
>>    (NTP) version 4 in RFC 5905 with special modes called the NTP
>>    interleaved modes, that enable NTP servers to provide their clients
>>    and peers with more accurate transmit timestamps that are available
>>    only after transmitting NTP packets.  More specifically, this
>>    document describes three modes: interleaved client/server,
>>    interleaved symmetric, and interleaved broadcast.
>>
>>
>>
>>
>> The file can be obtained via
>> https://datatracker.ietf.org/doc/draft-ietf-ntp-interleaved-modes/
>>
>>
>>
>> No IPR declarations have been submitted directly on this I-D.




From nobody Wed Apr  7 03:15:10 2021
Date: Wed, 7 Apr 2021 12:13:48 +0200
From: Miroslav Lichvar <mlichvar@redhat.com>
To: Daniel Franke <dfoxfranke@gmail.com>
Cc: last-call@ietf.org, ek.ietf@gmail.com, ntp-chairs@ietf.org, NTP WG <ntp@ietf.org>, draft-ietf-ntp-interleaved-modes@ietf.org, Karen O'Donoghue <odonoghue@isoc.org>
Message-ID: <YG2F3PE1BsAvx1QK@localhost>
References: <161719557520.16220.12856615921222543758@ietfa.amsl.com> <CAJm83bD7REE1wPEfsfGF9HX2JZ60KAAp-iWZaDdfnQtuepgDeQ@mail.gmail.com>
In-Reply-To: <CAJm83bD7REE1wPEfsfGF9HX2JZ60KAAp-iWZaDdfnQtuepgDeQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/GjWdScC-EkXZXysEzFixvCFmZPE>
Subject: Re: [Ntp] Last Call: <draft-ietf-ntp-interleaved-modes-04.txt> (NTP Interleaved Modes) to Proposed Standard

On Tue, Apr 06, 2021 at 02:39:00PM -0400, Daniel Franke wrote:
> I think the feature introduced by this draft is fundamentally
> misdesigned. The objections that I'm raising here are ones that I've
> already raised during and prior to WGLC. When it was clear from the
> ensuing discussion that I was coming out in the rough on consensus, I
> asked Karen to go ahead and advance the draft but to note my
> objections in the shepherd write-up. This seems to have been missed,
> but no matter; this email captures my concerns.

This email tries to briefly explain the counterpoints to those
concerns in case people don't want to go through the WG archives.

> Interleaved mode, as specified by this draft, works by conditionally
> altering the semantics of certain NTP packet fields, to mean something
> entirely different from what they mean in RFC 5905.

They are not entirely different in the draft authors' view. The
transmit timestamp is still a transmit timestamp and the origin
timestamp is still a copy of a timestamp from the last received
packet. The only thing that changes is the reference.

> My interpretation, however, is that an SNTP client can put
> whatever it wants into the origin timestamp, because RFC 5905 Section
> 14 allows clients to implement "any subset of the NTP on-wire
> protocol", and phrases all interoperability requirements in terms of
> how a server is expected to construct its response to a given request
> packet.

An analysis of traffic captured on several public NTP servers in
different locations showed that there were no clients doing that,
except those that already supported the interleaved mode.

It should be noted that the first implementation of interleaved mode
using this mechanism was published before RFC 5905, by one of its
authors, so if the description of the origin timestamp seems too vague
to allow this mechanism to exist, it certainly was not intended.

> But a
> cleaner mechanism *is* apparent. NTPv4 supports extension fields, and
> we should use them. Instead of messing with the semantics of existing
> fields in the base packet, leave those alone and put the interleaved
> timestamp into an extension.

An extension field would be problematic for the NTP filter, which
relies on measured delay (shorter delay means a more accurate
measurement). Packets in the interleaved mode would be longer than
packets in the basic mode, i.e. their NTP delay would be larger and
the filtering wouldn't always work as expected.

Detecting server support would be problematic. Some mechanism would
need to be specified, which would need to make assumptions about
existing implementations, outside of what is specified in RFC 5905.
This is an issue that was proposed to be fixed in NTPv5. 

> I think the most tractable solution to the state problem is with a
> different design that avoids state entirely. Don't wait for another
> request from the client: just send one packet, capture the hardware
> timestamp, and immediately send that out in a second packet so that
> related state can be forgotten. The draft already discusses this
> approach, but dismisses it on the basis that it would allow for
> amplification attacks. This would be true of a naive design, but it's
> an easy problem to solve: just do exactly what DTLS does vis a vis
> HelloVerifyRequests, where before the server will send follow-up
> packets to a client, the client must obtain and echo back a
> server-generated, self-authenticated cookie bound to the client's IP
> address. This of course can again be done through extension fields.

This approach has some advantages, but also disadvantages, as
discussed recently wrt NTPv5 design. Some of the issues are:

- It doesn't really change much in the susceptibility to DoS attacks.
  On most current hardware, transmit timestamps can be requested only
  one at a time. The server could send the follow-up messages
  synchronously or asynchronously, but in any case the maximum rate
  would be limited and could be exploited by attackers. IP-specific
  rate limits are not very useful in IPv6, where attackers have
  a practically unlimited number of addresses.

- Clients need to have a timeout for the follow-up message and deal
  with reordered messages.

- It is wasting network bandwidth.

- It creates an asymmetric network load, which can lead to an
  asymmetric congestion and asymmetry in NTP measurements.

- It has potential security issues in the cookie implementation due to
  extra complexity and dependency on crypto.

The interleaved mode described in this draft is simpler, inherently
immune to amplification attacks, and it gracefully falls back to the
basic mode.

-- 
Miroslav Lichvar
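
Added example, not code from the draft or from any NTP implementation: a simplified model of the server-side state argued over in this thread, a table from receive timestamp to hardware transmit timestamp that is looked up by the client's origin timestamp, with a per-address cap, an address cap and a timeout, and with fall-back to basic mode whenever the entry is gone. The limits, the names and the use of float timestamps are assumptions.

```python
from collections import OrderedDict

BASIC, INTERLEAVED = "basic", "interleaved"


class InterleavedServerState:
    """Bounded store of (receive timestamp -> hardware transmit timestamp)."""

    def __init__(self, per_ip_limit=4, max_ips=1024, timeout=4096.0):
        self.per_ip_limit = per_ip_limit   # entries kept per source address
        self.max_ips = max_ips             # source addresses tracked at once
        self.timeout = timeout             # seconds before an entry expires
        self._tables = OrderedDict()       # ip -> OrderedDict{rx: (tx_hw, saved_at)}

    def _purge(self, table, now):
        # Entries are kept in insertion order, so expired ones are at the front.
        while table:
            rx, (_, saved_at) = next(iter(table.items()))
            if now - saved_at < self.timeout:
                break
            del table[rx]

    def save(self, ip, rx, tx_hw, now):
        table = self._tables.get(ip)
        if table is None:
            if len(self._tables) >= self.max_ips:
                self._tables.popitem(last=False)   # drop least recently active address
            table = self._tables[ip] = OrderedDict()
        else:
            self._tables.move_to_end(ip)
        self._purge(table, now)
        table[rx] = (tx_hw, now)
        while len(table) > self.per_ip_limit:
            table.popitem(last=False)              # oldest entry for this address

    def take(self, ip, origin, now):
        """Return and forget the saved transmit timestamp, or None."""
        table = self._tables.get(ip)
        if table is None:
            return None
        self._purge(table, now)
        entry = table.pop(origin, None)
        return entry[0] if entry else None

    def entries(self):
        return sum(len(t) for t in self._tables.values())


def respond(state, ip, origin, rx, tx_sw, tx_hw, now):
    """Pick the mode and transmit timestamp for one response.

    origin : origin timestamp field of the request (0 when unset)
    rx     : server receive timestamp of this request
    tx_sw  : software transmit timestamp, known before sending
    tx_hw  : hardware transmit timestamp of this response; in a real server
             it arrives only after sending and is passed in here to keep the
             model short
    """
    prev_tx_hw = state.take(ip, origin, now) if origin else None
    state.save(ip, rx, tx_hw, now)
    if prev_tx_hw is not None:
        return INTERLEAVED, prev_tx_hw   # accurate timestamp of the previous response
    return BASIC, tx_sw                  # state missing, evicted or expired
```

With `per_ip_limit=2`, five back-to-back requests from one address leave two entries in memory, and another client behind the same address whose entry was pushed out gets a basic-mode response, which is the NAT trade-off raised in the thread.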


From nobody Thu Apr  8 08:42:48 2021
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: ntp@ietf.org
Reply-To: ntp@ietf.org
Message-ID: <161789656260.22323.15415711720909179684@ietfa.amsl.com>
Date: Thu, 08 Apr 2021 08:42:42 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/hjFPO5eaYLY0164tY3M2ZDykqTA>
Subject: [Ntp] I-D Action: draft-ietf-ntp-interleaved-modes-05.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Network Time Protocol WG of the IETF.

        Title           : NTP Interleaved Modes
        Authors         : Miroslav Lichvar
                          Aanchal Malhotra
        Filename        : draft-ietf-ntp-interleaved-modes-05.txt
        Pages           : 13
        Date            : 2021-04-08

Abstract:
   This document extends the specification of Network Time Protocol
   (NTP) version 4 in RFC 5905 with special modes called the NTP
   interleaved modes, that enable NTP servers to provide their clients
   and peers with more accurate transmit timestamps that are available
   only after transmitting NTP packets.  More specifically, this
   document describes three modes: interleaved client/server,
   interleaved symmetric, and interleaved broadcast.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-ntp-interleaved-modes/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-ntp-interleaved-modes-05
https://datatracker.ietf.org/doc/html/draft-ietf-ntp-interleaved-modes-05

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-ntp-interleaved-modes-05


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/



From nobody Thu Apr  8 08:45:26 2021
Date: Thu, 8 Apr 2021 17:44:07 +0200
From: Miroslav Lichvar <mlichvar@redhat.com>
To: Theresa Enghardt <ietf@tenghardt.net>
Cc: gen-art@ietf.org, draft-ietf-ntp-interleaved-modes.all@ietf.org, last-call@ietf.org, ntp@ietf.org
Message-ID: <YG8kx+y6yVQ+0oQK@localhost>
References: <161775979281.30506.6808949864064810668@ietfa.amsl.com>
MIME-Version: 1.0
In-Reply-To: <161775979281.30506.6808949864064810668@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/UNYfiLf0EBEjJcVu2--2ymZt3JA>
Subject: Re: [Ntp] Genart last call review of draft-ietf-ntp-interleaved-modes-04

On Tue, Apr 06, 2021 at 06:43:12PM -0700, Theresa Enghardt via Datatracker wrote:
> Reviewer: Theresa Enghardt
> Review result: Ready with Issues
> 
> I am the assigned Gen-ART reviewer for this draft. The General Area
> Review Team (Gen-ART) reviews all IETF documents being processed
> by the IESG for the IETF Chair.  Please treat these comments just
> like any other last call comments.

Thank you for the review.

I tried to address all issues that you pointed out, with one exception
noted below. A new version of the draft is available (-05). It also
has a few smaller changes suggested by Erik Kline earlier.

> Section 2:
> Here the document first mentions the origin timestamp, where previously the
> document has only talked about transmit and receive timestamps. I think it
> would be good to briefly explain what the origin timestamp is, how this
> document is changing its semantics, and why. Section 7.3 of RFC 5905 defines
> "Origin Timestamp (org): Time at the client when the request departed for the
> server", but this document says "A client request in the basic mode has an
> origin timestamp equal to the transmit timestamp from the previous server
> response, or is zero." If basic mode is RFC 5905, I would have expected these
> definitions to match. Has the definition of origin timestamp changed from RFC
> 5905 to what this document terms basic mode? Please clarify.

The description you quoted from RFC 5905 seems to be from the server's
point of view, i.e. the response has a copy of the transmit timestamp
from the request. The section "8. On-Wire Protocol" has more details
and an example of the fields in an exchange.

I added a new paragraph briefly explaining the purpose of the origin
timestamp.

> Can a server only respond in interleaved mode if the client request was in
> interleaved mode? Please clarify. (Section 3 says that a peer "MUST NOT respond
> in the interleaved mode if the request was not in the interleaved mode", but I
> have not found a similar statement for client/server interleaved mode.)

This should be covered by the list of conditions after "When the
server receives a request from a client, it SHOULD respond in the
interleaved mode if the following conditions are met:"

I added "(i.e. the request is not detected to conform to the
interleaved mode)" to the paragraph starting with "If the conditions
are not met" to make this more clear. 

> "Both servers and clients that support the interleaved mode MUST NOT send a
> packet that has a transmit timestamp equal to the receive timestamp in order to
> reliably detect whether received packets conform to the interleaved mode." I
> think the document should reiterate in this section that a server or client has
> to perform such detection (on each incoming packet?), and how to make this
> determination.

I'm not sure what exactly is missing in that section. The server
has to check those two conditions for each packet, before sending a
response in interleaved mode. The client has an extended test for
bogus packets, starting with "The check for bogus packets SHOULD
compare the origin timestamp". It needs to be performed for each
packet.

> Section 3:
> "The peer A has an active association with the peer B which was specified with
> an option enabling the interleaved mode" This sentence reads as if there is an
> option to explicitly enable the interleaved mode. However, this document does
> not change the NTP packet format or add an option. Please clarify/rephrase.

Symmetric interleaved mode is supposed to be enabled with an option to
prevent an interoperability issue with peers that don't support
the interleaved mode. I added a new paragraph to explain that.

Thanks,

-- 
Miroslav Lichvar


From nobody Fri Apr  9 12:29:10 2021
From: Watson Ladd <watsonbladd@gmail.com>
Date: Fri, 9 Apr 2021 12:28:50 -0700
Message-ID: <CACsn0c=9SUjcy3ZR4c_LbyFQeNYGvLFD=6nJf31C8kgaWda2cg@mail.gmail.com>
To: NTP WG <ntp@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/3Xqd-YS-tBXXyKSZxyuhZrCkFWA>
Subject: [Ntp] Please look at draft-ietf-ntp-roughtime-04

Dear all,

I haven't received many comments on it. Given that we have independent
interoperable implementations I'm planning to do a -05 with any text
nits I find, and then ask for WGLC to commence on that -05. Any
comments you have would be appreciated before I finish that -05,
likely in the next few weeks.

We've also got the ecosystem draft that is likely to be more involved:
your input is appreciated.

Sincerely,
Watson Ladd

-- 
Astra mortemque praestare gradatim


From nobody Sun Apr 11 13:25:46 2021
Message-ID: <60735B24.8060505@Udel.edu>
Date: Sun, 11 Apr 2021 16:25:08 -0400
From: "David L. Mills" <Mills@Udel.edu>
To: Daniel Franke <dfoxfranke@gmail.com>
CC: last-call@ietf.org, NTP WG <ntp@ietf.org>,  Karen O'Donoghue <odonoghue@isoc.org>, ntp-chairs@ietf.org,  ek.ietf@gmail.com,  draft-ietf-ntp-interleaved-modes@ietf.org,  IETF-Announce <ietf-announce@ietf.org>
References: <161719557520.16220.12856615921222543758@ietfa.amsl.com> <CAJm83bD7REE1wPEfsfGF9HX2JZ60KAAp-iWZaDdfnQtuepgDeQ@mail.gmail.com>
In-Reply-To: <CAJm83bD7REE1wPEfsfGF9HX2JZ60KAAp-iWZaDdfnQtuepgDeQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/dIbdL3vHF_eeG9rdrSjCpqu4Nr8>
Subject: Re: [Ntp] Last Call: <draft-ietf-ntp-interleaved-modes-04.txt> (NTP Interleaved Modes) to Proposed Standard

Daniel Franke wrote:

> I think the feature introduced by this draft is fundamentally
> misdesigned. The objections that I'm raising here are ones that I've
> already raised during and prior to WGLC. When it was clear from the
> ensuing discussion that I was coming out in the rough on consensus, I
> asked Karen to go ahead and advance the draft but to note my
> objections in the shepherd write-up. This seems to have been missed,
> but no matter; this email captures my concerns.
>
> Interleaved mode, as specified by this draft, works by conditionally
> altering the semantics of certain NTP packet fields, to mean something
> entirely different from what they mean in RFC 5905. This change of
> semantics is not signaled anywhere else in the packet; both parties
> are required to maintain state to keep track of which semantics are
> intended.
>
> The means for a client to signal that it wants to enter interleaved
> mode is arguably another incompatible change from RFC 5905 semantics,
> though there is room for some interpretation on this point. A client
> which fully implements and strictly adheres to RFC 5905 will, on its
> first request to a given server, set the origin timestamp field in its
> request packet to zero; on subsequent requests, it will set it by
> copying the transmit timestamp from the server's most recent response.
> However, the client's origin timestamp is of no actual significance to
> the protocol; RFC 5905's description of how a server is to construct
> its reply makes no use of it at all. SNTP clients typically always set
> it to zero, and I-D.ietf-ntp-data-minimization recommends that all
> clients do this, since the behavior of copying the server's transmit
> timestamp enables tracking. RFC 5905 is vague on what's actually
> expected of clients here, since there is no RFC 2119 language on the
> matter. My interpretation, however, is that an SNTP client can put
> whatever it wants into the origin timestamp, because RFC 5905 Section
> 14 allows clients to implement "any subset of the NTP on-wire
> protocol", and phrases all interoperability requirements in terms of
> how a server is expected to construct its response to a given request
> packet.
>
> In the interleaved-mode draft, a client signals that it wants to enter
> interleaved mode by setting its origin timestamp from the server's
> last *receive* timestamp instead of from its transmit timestamp. But
> in light of the above, I think that such behavior is already allowed
> of clients that are ignorant of interleaved mode, and so I think this
> signaling mechanism introduces an incompatibility. One can dismiss
> this concern as theoretical, saying that no interleaved-mode-ignorant
> client would ever actually behave this way, and I might be sympathetic
> to this if no cleaner negotiation mechanism were apparent. But a
> cleaner mechanism *is* apparent. NTPv4 supports extension fields, and
> we should use them. Instead of messing with the semantics of existing
> fields in the base packet, leave those alone and put the interleaved
> timestamp into an extension.
>
> A second problem with this draft, one of more immediately practical
> concern, involves state management, especially when NATs are
> involved. Servers supporting interleaved mode are required to keep
> state on their clients, but the means of distinguishing one client
> from another is underspecified. It states, "The server MAY separate
> the timestamps by IP addresses, but it SHOULD NOT separate them by
> port numbers". A server which opts out of the MAY would just keep one
> global table mapping every receive timestamp it has produced to a
> matching (hardware) transmit timestamp, and make lookups into this
> table based on the client's origin timestamp, removing such entries
> only when they time out. The draft does not specify what the timeout
> period should be, but it needs to be at least a decent multiple of
> 1024 seconds, since that's the polling interval that most clients use
> by default. A server which behaved this way would be easily DoSed,
> since a single IP could spam it with requests and quickly exhaust
> memory. Authentication wouldn't be enough to prevent this, since an
> adversary who captures even a single authenticated packet can then
> replay it endlessly.
>
> To avoid such a vulnerability, the server really needs to maintain a
> separate table per IP address, and limit how much it's willing to put
> into a given table. Actually, that's still not enough: source IPs can
> be spoofed, so there's a need for some sort of SYN-cookie-esque
> mechanism to make sure that a client is really able to receive traffic
> on its purported IP before the server is willing to keep any state for
> it. Let's imagine for the moment that this mechanism exists: we're
> *still* in trouble on account of NATs. We can't just assume, "one IP,
> one client", because there may be multiple, and indeed a very large
> number, of clients behind a single NAT address. Therefore these per-IP
> tables still need to be allowed to get quite large to prevent such
> clients from stepping on each other's state.
>
> I think the most tractable solution to the state problem is with a
> different design that avoids state entirely. Don't wait for another
> request from the client: just send one packet, capture the hardware
> timestamp, and immediately send that out in a second packet so that
> related state can be forgotten. The draft already discusses this
> approach, but dismisses it on the basis that it would allow for
> amplification attacks. This would be true of a naive design, but it's
> an easy problem to solve: just do exactly what DTLS does vis a vis
> HelloVerifyRequests, where before the server will send follow-up
> packets to a client, the client must obtain and echo back a
> server-generated, self-authenticated cookie bound to the client's IP
> address. This of course can again be done through extension fields.
>
> On Wed, Mar 31, 2021 at 9:01 AM The IESG <iesg-secretary@ietf.org> wrote:
>
>     The IESG has received a request from the Network Time Protocol WG
>     (ntp) to consider the following document: - 'NTP Interleaved Modes'
>       <draft-ietf-ntp-interleaved-modes-04.txt> as Proposed Standard
>
>     The IESG plans to make a decision in the next few weeks, and
>     solicits final comments on this action. Please send substantive
>     comments to the last-call@ietf.org mailing lists by 2021-04-14.
>     Exceptionally, comments may be sent to iesg@ietf.org instead. In
>     either case, please retain the beginning of the Subject line to
>     allow automated sorting.
>
>     Abstract
>
>
>        This document extends the specification of Network Time Protocol
>        (NTP) version 4 in RFC 5905 with special modes called the NTP
>        interleaved modes, that enable NTP servers to provide their clients
>        and peers with more accurate transmit timestamps that are available
>        only after transmitting NTP packets.  More specifically, this
>        document describes three modes: interleaved client/server,
>        interleaved symmetric, and interleaved broadcast.
>
>
>
>
>     The file can be obtained via
>     https://datatracker.ietf.org/doc/draft-ietf-ntp-interleaved-modes/
>
>
>
>     No IPR declarations have been submitted directly on this I-D.
>
>
>
>
>
Folks,

There is a much easier way to do this, as I proposed in the recent
document posted for review. See Section 4.3 for explanation.

The way I propose can be used in all protocol modes and does not require
any specific configuration or extension fields. Briefly, the onwire
protocol operates as usual, except that the devstamp of the last
transmitted packet is saved in a state variable.
In the reply packet, the origin timestamp is replaced by the saved
devstamp. The offset and delay are computed as usual. However, the full
interleave function requires two protocol rounds to develop a full
complement of timestamps. There's no need to do anything special,
especially not modify any other header field in the reply. This change
is compatible with legacy versions and RFC 5905.

Dave
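
The server-side state handling that Daniel Franke's quoted message argues for (an address-bound cookie before any state is kept, then a capped per-address table looked up by origin timestamp), as an added Python example; it is not code from the draft, from any NTP implementation, or from either poster. The class and method names, cookie length, time slot, per-address cap and timeout multiple are assumptions, and how the cookie would travel in an extension field is left out.

```python
import hashlib
import hmac
import ipaddress
import os
import struct
import time
from collections import OrderedDict

COOKIE_EPOCH = 64        # seconds per cookie time slot (assumed value)
COOKIE_LEN = 16          # truncated HMAC-SHA256 length in bytes (assumed)
MAX_PER_IP = 8           # saved timestamp pairs allowed per address (assumed)
ENTRY_TTL = 4 * 1024     # a multiple of the 1024 s poll interval (assumed)


class InterleaveState:
    """Per-address receive->transmit timestamp store, gated by a cookie."""

    def __init__(self, secret=None, now=time.time):
        self._secret = secret or os.urandom(32)
        self._now = now
        self._tables = {}  # ip -> OrderedDict{rx_ts: (tx_ts, stored_at)}

    def _mac(self, ip, slot):
        # Bind the cookie to the canonical packed address and a time slot.
        msg = struct.pack("!q", slot) + ipaddress.ip_address(ip).packed
        digest = hmac.new(self._secret, msg, hashlib.sha256).digest()
        return digest[:COOKIE_LEN]

    def issue_cookie(self, ip):
        """Cookie derived from the address alone; nothing is stored."""
        return self._mac(ip, int(self._now()) // COOKIE_EPOCH)

    def cookie_valid(self, ip, cookie):
        """Accept the current and previous slot, compared in constant time."""
        if not isinstance(cookie, (bytes, bytearray)):
            return False
        slot = int(self._now()) // COOKIE_EPOCH
        ok = False
        for s in (slot, slot - 1):
            ok |= hmac.compare_digest(bytes(cookie), self._mac(ip, s))
        return ok

    def _expire(self, table):
        # Entries are kept in insertion order, so the oldest is first.
        now = self._now()
        while table:
            rx_ts = next(iter(table))
            if now - table[rx_ts][1] <= ENTRY_TTL:
                break
            del table[rx_ts]

    def save(self, ip, cookie, rx_ts, tx_ts):
        """Keep a pair only for a client that proved it receives at `ip`."""
        if not self.cookie_valid(ip, cookie):
            return False          # spoofed or unvalidated source: no state
        table = self._tables.setdefault(ip, OrderedDict())
        self._expire(table)
        table[rx_ts] = (tx_ts, self._now())
        table.move_to_end(rx_ts)
        while len(table) > MAX_PER_IP:
            table.popitem(last=False)   # cap reached: oldest pair is dropped
        return True

    def lookup(self, ip, origin_ts):
        """Return the saved transmit timestamp, or None (answer in basic mode)."""
        table = self._tables.get(ip)
        if table is None:
            return None
        self._expire(table)
        entry = table.pop(origin_ts, None)   # each pair is used at most once
        if not table:
            del self._tables[ip]
        return entry[0] if entry else None

    def tracked_clients(self):
        return len(self._tables)


if __name__ == "__main__":
    # Constructed sample: documentation addresses and made-up timestamps.
    state = InterleaveState()
    cookie = state.issue_cookie("192.0.2.10")
    print(state.save("192.0.2.10", cookie, 0x1000, 0x1005))    # True
    print(state.save("198.51.100.7", cookie, 0x2000, 0x2005))  # False
    print(state.lookup("192.0.2.10", 0x1000))                  # 4101
```

The cap bounds memory per address but also shows the NAT cost raised in the message: clients sharing one address evict each other's pairs once the cap is reached, and an evicted client gets `None` from `lookup`.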

--------------040102030608080805060803
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=UTF-8" http-equiv="Content-Type">
  <title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Daniel Franke wrote:
<blockquote
 cite="midCAJm83bD7REE1wPEfsfGF9HX2JZ60KAAp-iWZaDdfnQtuepgDeQ@mail.gmail.com"
 type="cite">
  <div dir="ltr">
  <div dir="ltr">I think the feature introduced by this draft is
fundamentally<br>
misdesigned. The objections that I'm raising here are ones that I've<br>
already raised during and prior to WGLC. When it was clear from the<br>
ensuing discussion that I was coming out in the rough on consensus, I<br>
asked Karen to go ahead and advance the draft but to note my<br>
objections in the shepherd write-up. This seems to have been missed,<br>
but no matter; this email captures my concerns.<br>
  <br>
Interleaved mode, as specified by this draft, works by conditionally<br>
altering the semantics of certain NTP packet fields, to mean something<br>
entirely different from what they mean in RFC 5905. This change of<br>
semantics is not signaled anywhere else in the packet; both parties<br>
are required to maintain state to keep track of which semantics are<br>
intended.<br>
  <br>
The means for a client to signal that it wants to enter interleaved<br>
mode is arguably another incompatible change from RFC 5905 semantics,<br>
though there is room for some interpretation on this point. A client<br>
which fully implements and strictly adheres to RFC 5905 will, on its<br>
first request to a given server, set the origin timestamp field in its<br>
request packet to zero; on subsequent requests, it will set it by<br>
copying the transmit timestamp from the server's most recent response.<br>
However, the client's origin timestamp is of no actual significance to<br>
the protocol; RFC 5905's description of how a server is to construct<br>
its reply makes no use of it at all. SNTP clients typically always set<br>
it to zero, and I-D.ietf-ntp-data-minimization recommends that all<br>
clients do this, since the behavior of copying the server's transmit<br>
timestamp enables tracking. RFC 5905 is vague on what's actually<br>
expected of clients here, since there is no RFC 2119 language on the<br>
matter. My interpretation, however, is that an SNTP client can put<br>
whatever it wants into the origin timestamp, because RFC 5905 Section<br>
14 allows clients to implement "any subset of the NTP on-wire<br>
protocol", and phrases all interoperability requirements in terms of<br>
how a server is expected to construct its response to a given request<br>
packet.<br>
  <br>
In the interleaved-mode draft, a client signals that it wants to enter<br>
interleaved mode by setting its origin timestamp from the server's<br>
last *receive* timestamp instead of from its transmit timestamp. But<br>
in light of the above, I think that such behavior is already allowed<br>
of clients that are ignorant of interleaved mode, and so I think this<br>
signaling mechanism introduces an incompatibility. One can dismiss<br>
this concern as theoretical, saying that no interleaved-mode-ignorant<br>
client would ever actually behave this way, and I might be sympathetic<br>
to this if no cleaner negotiation mechanism were apparent. But a<br>
cleaner mechanism *is* apparent. NTPv4 supports extension fields, and<br>
we should use them. Instead of messing with the semantics of existing<br>
fields in the base packet, leave those alone and put the interleaved<br>
timestamp into an extension.<br>
  <br>
A second problem with this draft, one of more immediately practical<br>
concern, involves state management, especially when NATs are<br>
involved. Servers supporting interleaved mode are required to keep<br>
state on their clients, but the means of distinguishing one client<br>
from another is underspecified. It states, "The server MAY separate<br>
the timestamps by IP addresses, but it SHOULD NOT separate them by<br>
port numbers". A server which opts out of the MAY would just keep one<br>
global table mapping every receive timestamp it has produced to a<br>
matching (hardware) transmit timestamp, and make lookups into this<br>
table based on the client's origin timestamp, removing such entries<br>
only when they time out. The draft does not specify what the timeout<br>
period should be, but it needs to be at least a decent multiple of<br>
1024 seconds, since that's the polling interval that most clients use<br>
by default. A server which behaved this way would be easily DoSed,<br>
since a single IP could spam it with requests and quickly exhaust<br>
memory. Authentication wouldn't be enough to prevent this, since an<br>
adversary who captures even a single authenticated packet can then<br>
replay it endlessly.<br>
  <br>
To avoid such a vulnerability, the server really needs to maintain a<br>
separate table per IP address, and limit how much it's willing to put<br>
into a given table. Actually, that's still not enough: source IPs can<br>
be spoofed, so there's a need for some sort of SYN-cookie-esque<br>
mechanism to make sure that a client is really able to receive traffic<br>
on its purported IP before the server is willing to keep any state for<br>
it. Let's imagine for the moment that this mechanism exists: we're<br>
*still* in trouble on account of NATs. We can't just assume, "one IP,<br>
one client", because there may be multiple, and indeed a very large<br>
number, of clients behind a single NAT address. Therefore these per-IP<br>
tables still need to be allowed to get quite large to prevent such<br>
clients from stepping on each others' state.<br>
  <br>
I think the most tractable solution to the state problem is with a<br>
different design that avoids state entirely. Don't wait for another<br>
request from the client: just send one packet, capture the hardware<br>
timestamp, and immediately send that out in a second packet so that<br>
related state can be forgotten. The draft already discusses this<br>
approach, but dismisses it on the basis that it would allow for<br>
amplification attacks. This would be true of a naive design, but it's<br>
easy to problem to solve: just do exactly what DTLS does vis a vis<br>
HelloVerifyRequests, where before the server will send follow-up<br>
packets to a client, the client must obtain and echo back a<br>
server-generated, self-authenticated cookie bound to the client's IP<br>
address. This of course can again be done through extension fields.<br>
  </div>
  <br>
  <div class="gmail_quote">
  <div class="gmail_attr" dir="ltr">On Wed, Mar 31, 2021 at 9:01 AM The
IESG &lt;<a href="mailto:iesg-secretary@ietf.org">iesg-secretary@ietf.org</a>&gt;
wrote:<br>
  </div>
  <blockquote class="gmail_quote"
 style="border-left: 1px solid rgb(204, 204, 204); margin: 0px 0px 0px 0.8ex; padding-left: 1ex;"><br>
The IESG has received a request from the Network Time Protocol WG (ntp)
to<br>
consider the following document: - 'NTP Interleaved Modes'<br>
  &lt;draft-ietf-ntp-interleaved-modes-04.txt&gt; as Proposed Standard<br>
    <br>
The IESG plans to make a decision in the next few weeks, and solicits
final<br>
comments on this action. Please send substantive comments to the<br>
    <a href="mailto:last-call@ietf.org" target="_blank">last-call@ietf.org</a>
mailing lists by 2021-04-14. Exceptionally, comments may<br>
be sent to <a href="mailto:iesg@ietf.org" target="_blank">iesg@ietf.org</a>
instead. In either case, please retain the beginning<br>
of the Subject line to allow automated sorting.<br>
    <br>
Abstract<br>
    <br>
    <br>
   This document extends the specification of Network Time Protocol<br>
   (NTP) version 4 in RFC 5905 with special modes called the NTP<br>
   interleaved modes, that enable NTP servers to provide their clients<br>
   and peers with more accurate transmit timestamps that are available<br>
   only after transmitting NTP packets.  More specifically, this<br>
   document describes three modes: interleaved client/server,<br>
   interleaved symmetric, and interleaved broadcast.<br>
    <br>
    <br>
    <br>
    <br>
The file can be obtained via<br>
    <a
 href="https://datatracker.ietf.org/doc/draft-ietf-ntp-interleaved-modes/"
 rel="noreferrer" target="_blank">https://datatracker.ietf.org/doc/draft-ietf-ntp-interleaved-modes/</a><br>
    <br>
    <br>
    <br>
No IPR declarations have been submitted directly on this I-D.<br>
    <br>
    <br>
    <br>
    <br>
    <br>
_______________________________________________<br>
ntp mailing list<br>
    <a href="mailto:ntp@ietf.org" target="_blank">ntp@ietf.org</a><br>
    <a href="https://www.ietf.org/mailman/listinfo/ntp" rel="noreferrer"
 target="_blank">https://www.ietf.org/mailman/listinfo/ntp</a><br>
  </blockquote>
  </div>
  </div>
  <pre wrap="">
<hr size="4" width="90%">
_______________________________________________
ntp mailing list
<a class="moz-txt-link-abbreviated" href="mailto:ntp@ietf.org">ntp@ietf.org</a>
<a class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/ntp">https://www.ietf.org/mailman/listinfo/ntp</a>
  </pre>
</blockquote>
Folks,<br>
<br>
There is a much easier way to do this, as I proposed in the recent
document posted for review. See Section 4.3 for explanation.<br>
<br>
The way I propose can be used in all protocol modes and does not require
any specific configuration or extension fields.  Briefly, the onwire
protocol operates as usual, except that the devstamp of the last
transmitted packet is saved in a state variable.<br>
In the reply packet, the origin timestamp is replaced by the saved
devstamp.  The offset and delay are computed as usual. However, the
full interleave function requires two protocol rounds to develop a full
complement of timestamps. There's no need to do anything special,
especially not modify any other header field in the reply.  This change
is compatible with legacy versions and RFC 5905.<br>
<br>
Dave<br>
</body>
</html>

--------------040102030608080805060803--


From nobody Mon Apr 12 03:49:41 2021
Return-Path: <mlichvar@redhat.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6E8B3A1821 for <ntp@ietfa.amsl.com>; Mon, 12 Apr 2021 03:49:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.839
X-Spam-Level: 
X-Spam-Status: No, score=-1.839 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URI_DOTEDU=0.28] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GKrW1vSWdDvZ for <ntp@ietfa.amsl.com>; Mon, 12 Apr 2021 03:49:36 -0700 (PDT)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA0443A181F for <ntp@ietf.org>; Mon, 12 Apr 2021 03:49:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1618224574; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=Ea3gBZEfsxkXMJ4GcTnpdrgNLwQ5WPqrNnr8+JTqBDg=; b=VZXlpZTnm6DsYracCYA4IPKrIC6T5XIADAXxJlqOCyVsL5k595bJVpe+AmriA5nsRQ4Pa5 NHu1/4//ynb8VqnSo2zBdybEA9N2Ic2hyhrnQajzigBcdlyHPUk1WvPxyC0Bv+cWrg/5yd Grh3VQbrg/WnIqge3yjJ5yeFyn1ZpYY=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-603-JdwGWYOPOBqmAPABBhzPww-1; Mon, 12 Apr 2021 06:49:31 -0400
X-MC-Unique: JdwGWYOPOBqmAPABBhzPww-1
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 748636D4E0; Mon, 12 Apr 2021 10:49:29 +0000 (UTC)
Received: from localhost (holly.tpb.lab.eng.brq.redhat.com [10.43.134.11]) by smtp.corp.redhat.com (Postfix) with ESMTPS id C5A485C559; Mon, 12 Apr 2021 10:49:27 +0000 (UTC)
Date: Mon, 12 Apr 2021 12:49:26 +0200
From: Miroslav Lichvar <mlichvar@redhat.com>
To: "David L. Mills" <Mills@udel.edu>
Cc: Daniel Franke <dfoxfranke@gmail.com>, last-call@ietf.org, NTP WG <ntp@ietf.org>, Karen O'Donoghue <odonoghue@isoc.org>, ntp-chairs@ietf.org, ek.ietf@gmail.com, draft-ietf-ntp-interleaved-modes@ietf.org
Message-ID: <YHQltoGdGtq1hbjU@localhost>
References: <161719557520.16220.12856615921222543758@ietfa.amsl.com> <CAJm83bD7REE1wPEfsfGF9HX2JZ60KAAp-iWZaDdfnQtuepgDeQ@mail.gmail.com> <60735B24.8060505@Udel.edu>
MIME-Version: 1.0
In-Reply-To: <60735B24.8060505@Udel.edu>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16
Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=mlichvar@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/rNg7BsacC1-2h2RzxAbTTTqQuCA>
Subject: Re: [Ntp] Last Call: <draft-ietf-ntp-interleaved-modes-04.txt> (NTP Interleaved Modes) to Proposed Standard
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Apr 2021 10:49:41 -0000

On Sun, Apr 11, 2021 at 04:25:08PM -0400, David L. Mills wrote:
> There is a much easier way to do this, as I proposed in the recent document
> posted for review. See Section 4.3 for explanation.

I think you are referring to
https://www.eecis.udel.edu/~mills/Autokey3.txt

> The way I propose can be used in all protocol modes and does not require any
> specific configuration or extension fields.  Briefly, the onwire protocol
> operates as usual, except that the devstamp of the last transmitted packet
> is saved in a state variable.
> In the reply packet, the origin timestamp is replaced by the saved devstamp.

If the origin timestamp in a response contained a transmit timestamp
of a previous response to the same client/peer, how could it pass the
loopback test at the client/peer? It needs to be a timestamp copied
from the request. For compatibility with RFC 5905 it needs to be the
transmit timestamp from the request (aka basic mode).

> The offset and delay are computed as usual. However, the full interleave
> function requires two protocol rounds to develop a full complement of
> timestamps. There's no need to do anything special, especially not modify
> any other header field in the reply.  This change is compatible with legacy
> versions and RFC 5905.

The linked document doesn't describe the on-wire protocol in enough
detail for me to understand it. I'd like to see an example with a few
exchanges showing all timestamps in packets.

If the protocol really is supposed to be compatible with the current
ntp.org implementation, I don't think it could be very different from
the ntp-interleaved-modes draft discussed in this last call.

Compatibility was one of the goals. The main difference from the
ntp.org implementation is that it automatically switches between
processing packets in basic and interleaved mode, which is needed in
some corner cases, e.g. when polling intervals of two peers in a
symmetric association don't match.

-- 
Miroslav Lichvar
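
Added example, not part of Miroslav Lichvar's message or of the Autokey3 document: a small model of the loopback (bogus-packet) test raised above, listing every timestamp in each packet over three exchanges. The `saved_tx_reply` server is one reading of "the origin timestamp is replaced by the saved devstamp" and is an assumption, as are all names and the constructed integer timestamps.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    org: int  # origin timestamp
    rx: int   # receive timestamp
    tx: int   # transmit timestamp


class BasicClient:
    """Client applying the RFC 5905 basic-mode checks to each response."""

    def __init__(self):
        self.sent_tx = None   # transmit timestamp of the last request
        self.seen_tx = None   # transmit timestamp of the last accepted response

    def request(self, now):
        self.sent_tx = now
        # org/rx are left at zero; this model's servers do not read them.
        return Packet(org=0, rx=0, tx=now)

    def check(self, resp):
        if resp.tx == self.seen_tx:
            return "duplicate"
        # Loopback test: the response must echo the request's transmit timestamp.
        if resp.org != self.sent_tx:
            return "bogus"
        self.seen_tx = resp.tx
        return "ok"


def rfc5905_reply(state, req, rx, tx):
    """Basic mode: origin is copied from the request's transmit timestamp."""
    return Packet(org=req.tx, rx=rx, tx=tx)


def saved_tx_reply(state, req, rx, tx):
    """Assumed reading of the proposal: origin is the transmit timestamp the
    server saved from its previous response to this client (0 on first use)."""
    resp = Packet(org=state.get("last_tx", 0), rx=rx, tx=tx)
    state["last_tx"] = tx
    return resp


def run(reply, rounds=3, poll=64, one_way=5):
    """Return [(request, response, verdict), ...] for constructed timestamps."""
    client, state, trace = BasicClient(), {}, []
    for k in range(rounds):
        t1 = 100 + k * poll          # client transmit
        req = client.request(t1)
        t2 = t1 + one_way            # server receive
        t3 = t2 + 1                  # server transmit
        resp = reply(state, req, t2, t3)
        trace.append((req, resp, client.check(resp)))
    return trace


if __name__ == "__main__":
    for name, reply in (("rfc5905", rfc5905_reply), ("saved-tx", saved_tx_reply)):
        print(name)
        for req, resp, verdict in run(reply):
            print(f"  req tx={req.tx:4d}  resp org={resp.org:4d} "
                  f"rx={resp.rx:4d} tx={resp.tx:4d}  -> {verdict}")
```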


From nobody Mon Apr 12 08:48:54 2021
Return-Path: <mlichvar@redhat.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 021A93A238D for <ntp@ietfa.amsl.com>; Mon, 12 Apr 2021 08:48:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.54
X-Spam-Level: 
X-Spam-Status: No, score=-2.54 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URI_DOTEDU=0.28] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W8GmuD0k9SvA for <ntp@ietfa.amsl.com>; Mon, 12 Apr 2021 08:48:45 -0700 (PDT)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F148D3A236A for <ntp@ietf.org>; Mon, 12 Apr 2021 08:48:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1618242524; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=nTn5lnOBLreDRHRMyxYGyZJu4QVONVw6Hqo7DHjp56g=; b=fNCkuwG6+mp+0+Am07jon+qiNDV+9DO79sQRGTu7hOpyt5OH5vkiAlOlzS2pPLN8Nlyg/e 28uhjyK1ekEzmT+EVxuzTvcjysavQkokJzCCQBsP+W4KP+/1vYnO8OtJO2zTF/GmyZnjsm 5LS/DsWcgAYV55VZHplEtNpr1JP73i0=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-122-IJMAY7sGNsWKcmmnLbCZcg-1; Mon, 12 Apr 2021 11:48:40 -0400
X-MC-Unique: IJMAY7sGNsWKcmmnLbCZcg-1
Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 38AE31856A63; Mon, 12 Apr 2021 15:48:39 +0000 (UTC)
Received: from localhost (holly.tpb.lab.eng.brq.redhat.com [10.43.134.11]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 8D94350DD4; Mon, 12 Apr 2021 15:48:38 +0000 (UTC)
Date: Mon, 12 Apr 2021 17:48:36 +0200
From: Miroslav Lichvar <mlichvar@redhat.com>
To: David Mills <Mills@udel.edu>
Cc: NTP WG <ntp@ietf.org>
Message-ID: <YHRr1IhY7Xg8+uo2@localhost>
References: <61c01bcb-0f07-27e0-f809-1bee2aa31f71@Udel.edu>
MIME-Version: 1.0
In-Reply-To: <61c01bcb-0f07-27e0-f809-1bee2aa31f71@Udel.edu>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11
Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=mlichvar@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/O0P7rXxojHdPTx_wxLKf_i5MNOc>
Subject: Re: [Ntp] Protocol and Security Enhancements for the Network Time Protocol (NTP)
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Apr 2021 15:48:52 -0000

On Sun, Mar 28, 2021 at 01:36:44PM -0400, David Mills wrote:
> Recent
> discussion in the newsgroup has centered on dramatic security mechanisms and
> exotic services for ntp version 5, but less attention has been on the
> underlying onwire protocols evolved from current NTP version 4.

> URL: https://www.eecis.udel.edu/~mills/Autokey3.txt

I didn't see any comments about this document. Others here would
know better how this works as a replacement of the old Autokey. I'll
just point out a few non-crypto things that didn't seem quite right to
me.

The protocol doesn't prevent amplification attacks using the cookie
response. The document claims that rate limiting prevents such
attacks, but I don't think that is true. Rate limiting is not a
security mechanism. It actually creates other security issues. The
server has a limited amount of memory. Attackers can avoid rate
limiting by using more addresses than the server can remember. That's
easy if the victim is using IPv6.

It doesn't have a fully random nonce in addition to the transmit
timestamp. It claims that transmit timestamps are not predictable
while it recommends to not use the data minimization.

The cookie seems to be constructed just from a secret key and client
address, without a nonce.

The handshake in the symmetric mode seems to be still vulnerable to
off-path DoS attacks.

In the broadcast mode the transmit timestamp is used as a sequence
number, which means the server cannot have a backward step. It doesn't
have a mechanism to protect against delay attacks. (That was a goal
in earlier NTS designs.)

The described parser detects legacy MACs by checking whether the
length field of an extension field is zero. I guess that was meant to
be the type of the field? That would work only with key IDs below
65536.

It claims that NTS doesn't support interleaved mode. How could it, are
those two not at different layers? NTS+xleave definitely works for me.

-- 
Miroslav Lichvar


From nobody Wed Apr 14 00:11:47 2021
Return-Path: <Ulrich.Windl@rz.uni-regensburg.de>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D92963A10AD for <ntp@ietfa.amsl.com>; Wed, 14 Apr 2021 00:11:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HYXxOZzOFHpg for <ntp@ietfa.amsl.com>; Wed, 14 Apr 2021 00:11:42 -0700 (PDT)
Received: from mx4.uni-regensburg.de (mx4.uni-regensburg.de [194.94.157.149]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B29D3A10AC for <ntp@ietf.org>; Wed, 14 Apr 2021 00:11:40 -0700 (PDT)
Received: from mx4.uni-regensburg.de (localhost [127.0.0.1]) by localhost (Postfix) with SMTP id 6453A6000057 for <ntp@ietf.org>; Wed, 14 Apr 2021 09:11:36 +0200 (CEST)
Received: from gwsmtp.uni-regensburg.de (gwsmtp1.uni-regensburg.de [132.199.5.51]) by mx4.uni-regensburg.de (Postfix) with ESMTP id 3C0E06000055 for <ntp@ietf.org>; Wed, 14 Apr 2021 09:11:34 +0200 (CEST)
Received: from uni-regensburg-smtp1-MTA by gwsmtp.uni-regensburg.de with Novell_GroupWise; Wed, 14 Apr 2021 09:11:34 +0200
Message-Id: <607695A4020000A100040673@gwsmtp.uni-regensburg.de>
X-Mailer: Novell GroupWise Internet Agent 18.3.1 
Date: Wed, 14 Apr 2021 09:11:32 +0200
From: "Ulrich Windl" <Ulrich.Windl@rz.uni-regensburg.de>
To: "ntp@ietf.org" <ntp@ietf.org>
References: <607692F2020000A10004066D@gwsmtp.uni-regensburg.de>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=__Part5F5E44B4.0__="
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/OGfxU7meJbaNn9aA350jieF8JOM>
Subject: [Ntp] Wtrlt: NTv5 and polling interval
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Apr 2021 07:11:45 -0000


--=__Part5F5E44B4.0__=
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

Sorry, the first address was undeliverable, so I'm trying this one.


--=__Part5F5E44B4.0__=
Content-Type: message/rfc822

Date: Wed, 14 Apr 2021 09:00:02 +0200
From: "Ulrich Windl" <Ulrich.Windl@rz.uni-regensburg.de>
To: <ntpw@lists.ntp.org>
Subject: NTv5 and polling interval
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=__Part0E0F15E2.1__="

--=__Part0E0F15E2.1__=
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

Hi!

I feel there's an issue with NTPv4 and the polling interval (see attached
image):
After a host reboot, the polling interval goes up while "the sync" is not
stable yet, so it goes down again, then going up again, etc.
Maybe the polling interval is going up too early and going down too late.
(In the graph you also see some "micro clock hopping effect" that I really
couldn't tame in the LAN)
I'm attaching another graph that shows that clock hopping in more detail.

It would be great if those issues could be addressed in NTPv5.

Regards,
Ulrich




--=__Part0E0F15E2.1__=
Content-Type: image/png; name="NTP-Polling.PNG"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="NTP-Polling.PNG"
--=__Part0E0F15E2.1__=
Content-Type: image/png; name="NTP-CLock-Hopping.PNG"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="NTP-CLock-Hopping.PNG"
--=__Part0E0F15E2.1__=--

--=__Part5F5E44B4.0__=--


From nobody Fri Apr 16 12:32:56 2021
Return-Path: <Mills@Udel.edu>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BFD693A3266 for <ntp@ietfa.amsl.com>; Fri, 16 Apr 2021 12:32:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level: 
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, STOX_BOUND_090909_B=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XySwj2gYUPJL for <ntp@ietfa.amsl.com>; Fri, 16 Apr 2021 12:32:45 -0700 (PDT)
Received: from whimsy.udel.edu (whimsy.udel.edu [128.4.24.99]) by ietfa.amsl.com (Postfix) with ESMTP id 3EB123A3243 for <ntp@ietf.org>; Fri, 16 Apr 2021 12:32:45 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by whimsy.udel.edu (Postfix) with ESMTP id 66F61A52E5; Fri, 16 Apr 2021 15:32:44 -0400 (EDT)
X-Virus-Scanned: amavisd-new at whimsy.udel.edu
Received: from whimsy.udel.edu ([127.0.0.1]) by localhost (whimsy.udel.edu [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 5PoLO5wRx_H4; Fri, 16 Apr 2021 15:32:21 -0400 (EDT)
Received: from [128.4.2.6] (backroom.udel.edu [128.4.2.6]) (Authenticated sender: mills) by whimsy.udel.edu (Postfix) with ESMTPSA id 1E616A528A; Fri, 16 Apr 2021 15:32:21 -0400 (EDT)
Message-ID: <6079E644.2030301@Udel.edu>
Date: Fri, 16 Apr 2021 15:32:20 -0400
From: "David L. Mills" <Mills@Udel.edu>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.2; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Miroslav Lichvar <mlichvar@redhat.com>
CC: NTP WG <ntp@ietf.org>
References: <61c01bcb-0f07-27e0-f809-1bee2aa31f71@Udel.edu> <YHRr1IhY7Xg8+uo2@localhost>
In-Reply-To: <YHRr1IhY7Xg8+uo2@localhost>
Content-Type: multipart/alternative; boundary="------------000700060208000002030801"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/13rBIb7cpmw87UTltEwcLZjYB2c>
Subject: Re: [Ntp] Protocol and Security Enhancements for the Network Time Protocol (NTP)
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Apr 2021 19:32:56 -0000

This is a multi-part message in MIME format.
--------------000700060208000002030801
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Miroslav Lichvar wrote:

>On Sun, Mar 28, 2021 at 01:36:44PM -0400, David Mills wrote:
>  
>
>>Recent
>>discussion in the newsgroup has centered on dramatic security mechanisms and
>>exotic services for ntp version 5, but less attention has been on the
>>underlying onwire protocols evolved from current NTP version 4.
>>    
>>
>
>  
>
>>URL: https://www.eecis.udel.edu/~mills/Autokey3.txt
>>    
>>
>
>I didn't see any comments about this document. Others here would
>know better how this works as a replacement of the old Autokey. I'll
>just point out few non-crypto things that didn't seem quite right to
>me.
>
>The protocol doesn't prevent amplification attacks using the cookie
>response. The document claims that rate limiting prevents such
>attacks, but I don't think that is true. Rate limiting is not a
>security mechanism. It actually creates other security issues. The
>server has a limited amount of memory. Attackers can avoid rate
>limiting by using more addresses than the server can remember. That's
>easy if the victim is using IPv6.
>  
>
Rate limiting in itself is not the issue.  See the DDoS section.
The effect is to delete packets with a headway less than two seconds.
The LRU list includes up to 700 distinct IP addresses, so the goal is to
amputate those enemy attacks before generating a response packet.
This scheme has been used at NIST for several years.

>It doesn't have a fully random nonce in addition to the transmit
>timestamp. It claims that transmit timestamps are not predictable
>while it recommends to not use the data minimization.
>  
>
I submit that in this context, the transmit timestamp can be an adequate 
nonce.  It would be possible
to replace this function by an explicit nonce, but this means to be 
overkill.  The data minimization
issue is not relevant.

>The cookie seems to be constructed just from a secret key and client
>address, without a nonce.
>  
>
I don't see that the cookie requires a nonce.  It is encrypted according
to the key generated by a Diffie-Hellman agreement.

>The handshake in the symmetric mode seems to be still vulnerable to
>off-path DoS attacks.
>  
>
By handshake I think you mean agreement.  The agreement is vulnerable to
attack, but the agreement is done seldom and may represent a relatively
minor exposure.  The problem is the requirement that error recovery must
be available with no preconceived requirement.

>In the broadcast mode the transmit timestamp is used as a sequence
>number, which means the server cannot have a backward step. It doesn't
>have a mechanism to protect against delay attacks. (That was a goal
>in earlier NTS designs.)
>  
>
The hazard is mitigated by the rules explained in section 4.3.  An old
duplicate is recognized by a check on the apparent poll interval.

>The described parser detects legacy MACs by checking whether the
>length field of an extension field is zero. I guess that was meant to
>be the type of the field? That would work only with key IDs below
>65536.
>  
>
The proposed scheme does not work with legacy autokey.  Fancy that.

>It claims that NTS doesn't support interleaved mode. How could it, are
>those two not at different layers? NTS+xleave definitely works for me.
>  
>
The proposed onwire protocol combines basic and interleave modes in a
single protocol where the transmit devstamp is used for all protocol
rounds.  The detailed design is described in section 4.3.

Please forgive my awkward sentences.  It is hard to deal with technical
issues using a screen-reader and my wife as editor.

Dave 





--------------000700060208000002030801--
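
Added example, not part of the thread and not ntpd code: a model of the limiter using the two figures Dave gives (2-second headway, 700-entry LRU list), measuring how many requests are still answered as the number of distinct source addresses in the traffic grows past the table size. The class, its eviction policy and the constructed round-robin traffic from 2001:db8::/32 are assumptions.

```python
from collections import OrderedDict
import ipaddress


class LruRateLimiter:
    """Drop a packet when the same source was seen less than `headway`
    seconds ago; remember at most `capacity` sources, evicting the least
    recently seen one (assumed policy)."""

    def __init__(self, capacity=700, headway=2.0):
        self.capacity = capacity
        self.headway = headway
        self.table = OrderedDict()   # source address -> time last seen

    def allow(self, addr, now):
        last = self.table.pop(addr, None)
        self.table[addr] = now                 # re-insert as most recent
        if len(self.table) > self.capacity:
            self.table.popitem(last=False)     # forget the oldest source
        return last is None or now - last >= self.headway


def answered(distinct_sources, capacity=700, headway=2.0, pps=1000, seconds=10):
    """Feed constructed traffic (round-robin over `distinct_sources`
    addresses at `pps` packets per second) through the limiter and return
    (packets answered, packets received)."""
    limiter = LruRateLimiter(capacity, headway)
    base = int(ipaddress.IPv6Address("2001:db8::"))   # documentation prefix
    total = pps * seconds
    ok = 0
    for i in range(total):
        addr = ipaddress.IPv6Address(base + (i % distinct_sources))
        if limiter.allow(addr, i / pps):
            ok += 1
    return ok, total


def sizing_report(source_counts=(100, 700, 701, 5000)):
    """Answered/received per source count, for judging table capacity."""
    return {n: answered(n) for n in source_counts}


if __name__ == "__main__":
    for n, (ok, total) in sizing_report().items():
        print(f"{n:5d} distinct sources: {ok:5d} of {total} answered")
```

While the source count fits in the table, only the first packet from each address is answered; one address more than the capacity makes every entry expire from the list before it is seen again, so the headway check never fires.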


From nobody Sun Apr 18 21:26:42 2021
Return-Path: <ek.ietf@gmail.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 066413A1D37 for <ntp@ietfa.amsl.com>; Sun, 18 Apr 2021 21:26:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.197
X-Spam-Level: 
X-Spam-Status: No, score=-0.197 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sXz1u2sYS3ou for <ntp@ietfa.amsl.com>; Sun, 18 Apr 2021 21:26:36 -0700 (PDT)
Received: from mail-oi1-x232.google.com (mail-oi1-x232.google.com [IPv6:2607:f8b0:4864:20::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 53B863A1D31 for <ntp@ietf.org>; Sun, 18 Apr 2021 21:26:36 -0700 (PDT)
Received: by mail-oi1-x232.google.com with SMTP id i81so34255921oif.6 for <ntp@ietf.org>; Sun, 18 Apr 2021 21:26:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=2HhukdmKnE8pAxarsleQ5slJSJ0W4myXbJkkYoSo4aU=; b=a7zXLh+zJnR4piJ/dEFpkcYMx9sXx9hu3hYPZ0XrreSY2rJ5aJd4d0QL3fNXnI+Xa0 nrM0nJCaJNhb7OR2XRGNeZ/tGvxWpqbluvzZe5Q3KkcwLbsIAq6SGuGaXPLfJrEYdkNo Md2lhnBcxEW/lrYrbslNx72HytmBqdjd0KxMJmEx4M6YSZZxa0jgCGj5xhp/GUilMLAc S1KBHg5mN3XdbDkXp41JzkMnC21mwtLm2VKWCRlENQ2tGDawnm/5UAPFQD6RgIcl/3k3 8XaYo+XZ25Q7kbc87GqSWhZ3nY1K/gw2hFhcLup86hcSxUi8VqTbeFHApYZ4IYEiUZG/ jVkg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=2HhukdmKnE8pAxarsleQ5slJSJ0W4myXbJkkYoSo4aU=; b=TTqXgp3qWg3XrINKekb+QJTmjmFSt8237YBTUlKmlGn+fLL64xyjPxPouKOd537bUe 0v5Rxb2fMAtXhUz2987XUVbtyPvsxlAPs1bf5FInL0bgg7Aw3ObcI204ac9JE4yb7S31 pvWvI504NX4TykDa/yebR+52C6ev40tca0mW7VJMEM0Kl2/CFfcKuRFtMEtowbu5SQkp HkpwBmgEqFq6JO9iMMdJiZ1FHvbW/k0dIJ+iAV5fIqec+4epgfPgcmOJP8sho6XN5lVm ZbK9ircoX0GeMgISbFkm5vr9/Wc+z+L5Nv/wyjIDMN1NLrs3f6qkBBrbF1kpOz/Ppfpp e9tg==
X-Gm-Message-State: AOAM530iEVFf98uACZfBntdZU2XpQlXBsSe6NekypbWHJ7EySqWB8CZA PINgZnudhsYA1rOSr7RsNco/xzWJoOYMDhr+W4vErxbNU9U=
X-Google-Smtp-Source: ABdhPJxvMUT2FYvde9kWNigBBYMkBtmjcX6KAgahxWarZkrFqQhSddDSgGe1EdgC6Xg1hQ+PqM/4QQShjwr8H7VY384=
X-Received: by 2002:aca:bed7:: with SMTP id o206mr5052036oif.77.1618806394564;  Sun, 18 Apr 2021 21:26:34 -0700 (PDT)
MIME-Version: 1.0
References: <20210417113938.5909CF407D4@rfc-editor.org>
In-Reply-To: <20210417113938.5909CF407D4@rfc-editor.org>
From: Erik Kline <ek.ietf@gmail.com>
Date: Sun, 18 Apr 2021 21:26:23 -0700
Message-ID: <CAMGpriXz_zFgUwg2i9eYwwrMYyeurMz8ST93JcnA=fD=YeiXGQ@mail.gmail.com>
To: NTP WG <ntp@ietf.org>
Cc: "Eric Vyncke (evyncke)" <evyncke@cisco.com>, Dieter Sibold <dsibold.ietf@gmail.com>,  "Karen O'Donoghue" <odonoghue@isoc.org>, isomer@gmail.com
Content-Type: multipart/alternative; boundary="0000000000001bb54405c04bbc48"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/uTjkedPbiYtmf43nSNYOBzdFb14>
Subject: Re: [Ntp] [Technical Errata Reported] RFC5905 (6550)
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Apr 2021 04:26:41 -0000

--0000000000001bb54405c04bbc48
Content-Type: text/plain; charset="UTF-8"

All,

Any objection to me marking this as "verified" (or, since it's in appendix
code, an argument for "held for document update" might be made, I suppose).

Thanks,
-ek

On Sat, Apr 17, 2021 at 4:39 AM RFC Errata System <rfc-editor@rfc-editor.org>
wrote:

> The following errata report has been submitted for RFC5905,
> "Network Time Protocol Version 4: Protocol and Algorithms Specification".
>
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid6550
>
> --------------------------------------
> Type: Technical
> Reported by: Perry Lorier <isomer@gmail.com>
>
> Section: A.5.2
>
> Original Text
> -------------
>         for (i = 0; i < NSTAGE; i++) {
>                 p->disp += f[i].disp / (2 ^ (i + 1));
>                 p->jitter += SQUARE(f[i].offset - f[0].offset);
>         }
>
> Corrected Text
> --------------
>         for (i = 0; i < NSTAGE; i++) {
>                 p->disp += f[i].disp / (1 << (i + 1));
>                 p->jitter += SQUARE(f[i].offset - f[0].offset);
>         }
>
> Notes
> -----
> ^ is the xor operator in C, not the exponent operator.  2 xor (i+1) will
> be zero when i == 1, causing a division by zero error.
>
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party
> can log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC5905 (draft-ietf-ntp-ntpv4-proto-13)
> --------------------------------------
> Title               : Network Time Protocol Version 4: Protocol and
> Algorithms Specification
> Publication Date    : June 2010
> Author(s)           : D. Mills, J. Martin, Ed., J. Burbank, W. Kasch
> Category            : PROPOSED STANDARD
> Source              : Network Time Protocol
> Area                : Internet
> Stream              : IETF
> Verifying Party     : IESG
>

--0000000000001bb54405c04bbc48--


From nobody Sun Apr 18 21:39:16 2021
Return-Path: <stenn@nwtime.org>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D0DA3A1DA5 for <ntp@ietfa.amsl.com>; Sun, 18 Apr 2021 21:39:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level: 
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[NICE_REPLY_A=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ta9cEySe08c3 for <ntp@ietfa.amsl.com>; Sun, 18 Apr 2021 21:39:10 -0700 (PDT)
Received: from chessie.everett.org (chessie.everett.org [66.220.13.234]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 09B6A3A1DA4 for <ntp@ietf.org>; Sun, 18 Apr 2021 21:39:08 -0700 (PDT)
Received: from [10.208.75.157] (075-139-201-087.res.spectrum.com [75.139.201.87]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by chessie.everett.org (Postfix) with ESMTPSA id 4FNvGf6H7zzMNJk; Mon, 19 Apr 2021 04:39:06 +0000 (UTC)
To: Erik Kline <ek.ietf@gmail.com>, NTP WG <ntp@ietf.org>
Cc: "Eric Vyncke (evyncke)" <evyncke@cisco.com>, Dieter Sibold <dsibold.ietf@gmail.com>, isomer@gmail.com, Karen O'Donoghue <odonoghue@isoc.org>
References: <20210417113938.5909CF407D4@rfc-editor.org> <CAMGpriXz_zFgUwg2i9eYwwrMYyeurMz8ST93JcnA=fD=YeiXGQ@mail.gmail.com>
From: Harlan Stenn <stenn@nwtime.org>
Message-ID: <59a1296e-4f25-3e44-0636-54ed562da006@nwtime.org>
Date: Sun, 18 Apr 2021 21:39:05 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.9.0
MIME-Version: 1.0
In-Reply-To: <CAMGpriXz_zFgUwg2i9eYwwrMYyeurMz8ST93JcnA=fD=YeiXGQ@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/JoJUGXz9LdTBfBFcRUg9pcpSU-Q>
Subject: Re: [Ntp] [Technical Errata Reported] RFC5905 (6550)
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Apr 2021 04:39:15 -0000

FWIW, no objection here.

On 4/18/2021 9:26 PM, Erik Kline wrote:
> All,
> 
> Any objection to me marking this as "verified" (or, since it's in
> appendix code, an argument for "held for document update" might be made,
> I suppose).
> 
> Thanks,
> -ek
> 
> On Sat, Apr 17, 2021 at 4:39 AM RFC Errata System
> <rfc-editor@rfc-editor.org <mailto:rfc-editor@rfc-editor.org>> wrote:
> 
>     The following errata report has been submitted for RFC5905,
>     "Network Time Protocol Version 4: Protocol and Algorithms
>     Specification".
> 
>     --------------------------------------
>     You may review the report below and at:
>     https://www.rfc-editor.org/errata/eid6550
> 
>     --------------------------------------
>     Type: Technical
>     Reported by: Perry Lorier <isomer@gmail.com <mailto:isomer@gmail.com>>
> 
>     Section: A.5.2
> 
>     Original Text
>     -------------
>             for (i = 0; i < NSTAGE; i++) {
>                     p->disp += f[i].disp / (2 ^ (i + 1));
>                     p->jitter += SQUARE(f[i].offset - f[0].offset);
>             }
> 
>     Corrected Text
>     --------------
>             for (i = 0; i < NSTAGE; i++) {
>                     p->disp += f[i].disp / (1 << (i + 1));
>                     p->jitter += SQUARE(f[i].offset - f[0].offset);
>             }
> 
>     Notes
>     -----
>     ^ is the xor operator in C, not the exponent operator.  2 xor (i+1)
>     will be zero when i == 1, causing a division by zero error.
> 
>     Instructions:
>     -------------
>     This erratum is currently posted as "Reported". If necessary, please
>     use "Reply All" to discuss whether it should be verified or
>     rejected. When a decision is reached, the verifying party 
>     can log in to change the status and edit the report, if necessary.
> 
>     --------------------------------------
>     RFC5905 (draft-ietf-ntp-ntpv4-proto-13)
>     --------------------------------------
>     Title               : Network Time Protocol Version 4: Protocol and
>     Algorithms Specification
>     Publication Date    : June 2010
>     Author(s)           : D. Mills, J. Martin, Ed., J. Burbank, W. Kasch
>     Category            : PROPOSED STANDARD
>     Source              : Network Time Protocol
>     Area                : Internet
>     Stream              : IETF
>     Verifying Party     : IESG
> 
> 
> _______________________________________________
> ntp mailing list
> ntp@ietf.org
> https://www.ietf.org/mailman/listinfo/ntp
> 

-- 
Harlan Stenn <stenn@nwtime.org>
http://networktimefoundation.org - be a member!
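
The operator mix-up in the erratum quoted above, worked through for every filter stage (an added example, not code from RFC 5905 or from any NTP implementation). It assumes NSTAGE is 8 and that the dispersion values are doubles on an IEEE 754 platform; the input array is constructed.

```c
#include <float.h>
#include <stdio.h>

#define NSTAGE 8   /* assumption: number of clock filter stages */

/* Divisor as written in the Original Text: in C, ^ is bitwise XOR. */
static int xor_divisor(int i)   { return 2 ^ (i + 1); }

/* Divisor from the Corrected Text: 1 << (i + 1) is 2 to the power (i + 1). */
static int shift_divisor(int i) { return 1 << (i + 1); }

/* Index of the first stage whose divisor is zero, or -1 if there is none. */
static int first_zero_divisor(int (*divisor)(int))
{
    for (int i = 0; i < NSTAGE; i++)
        if (divisor(i) == 0)
            return i;
    return -1;
}

/* The dispersion sum from the quoted loop, with the divisor made pluggable. */
static double filter_disp(const double *disp, int (*divisor)(int))
{
    double sum = 0.0;

    for (int i = 0; i < NSTAGE; i++)
        sum += disp[i] / divisor(i);   /* int divisor is converted to double */
    return sum;
}

/* Portable "is +infinity" test that needs no libm. */
static int is_pos_inf(double x) { return x > DBL_MAX; }

int main(void)
{
    /* Constructed sample: one second of dispersion in every stage. */
    const double disp[NSTAGE] = { 1, 1, 1, 1, 1, 1, 1, 1 };

    for (int i = 0; i < NSTAGE; i++)
        printf("i=%d  2^(i+1)=%2d  1<<(i+1)=%3d\n",
               i, xor_divisor(i), shift_divisor(i));

    printf("first zero divisor: xor=%d shift=%d\n",
           first_zero_divisor(xor_divisor), first_zero_divisor(shift_divisor));
    printf("disp with xor:   %f (infinite: %d)\n",
           filter_disp(disp, xor_divisor),
           is_pos_inf(filter_disp(disp, xor_divisor)));
    printf("disp with shift: %f\n", filter_disp(disp, shift_divisor));
    return 0;
}
```

With floating-point operands the zero divisor at i == 1 does not trap; the sum silently becomes infinite (or NaN if that stage's dispersion is itself zero), so a finiteness check on the result is the way to notice it.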


From nobody Mon Apr 19 04:09:40 2021
Return-Path: <mlichvar@redhat.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33E723A2D3F for <ntp@ietfa.amsl.com>; Mon, 19 Apr 2021 04:09:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.22
X-Spam-Level: 
X-Spam-Status: No, score=-0.22 tagged_above=-999 required=5 tests=[DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KdllKoyQlikX for <ntp@ietfa.amsl.com>; Mon, 19 Apr 2021 04:09:33 -0700 (PDT)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7399E3A2D3E for <ntp@ietf.org>; Mon, 19 Apr 2021 04:09:33 -0700 (PDT)
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-362-u5w8-vPhNUuVDNLDVFiRBA-1; Mon, 19 Apr 2021 07:09:24 -0400
X-MC-Unique: u5w8-vPhNUuVDNLDVFiRBA-1
Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 4513F6D241; Mon, 19 Apr 2021 11:09:23 +0000 (UTC)
Received: from localhost (holly.tpb.lab.eng.brq.redhat.com [10.43.134.11]) by smtp.corp.redhat.com (Postfix) with ESMTPS id C170B5D71D; Mon, 19 Apr 2021 11:09:21 +0000 (UTC)
Date: Mon, 19 Apr 2021 13:09:20 +0200
From: Miroslav Lichvar <mlichvar@redhat.com>
To: "David L. Mills" <Mills@udel.edu>
Cc: NTP WG <ntp@ietf.org>
Message-ID: <YH1k4ETzrUB0tVQt@localhost>
References: <61c01bcb-0f07-27e0-f809-1bee2aa31f71@Udel.edu> <YHRr1IhY7Xg8+uo2@localhost> <6079E644.2030301@Udel.edu>
MIME-Version: 1.0
In-Reply-To: <6079E644.2030301@Udel.edu>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15
Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=mlichvar@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/54jc7skDmrbHRlZCNmpMb4lu25o>
Subject: Re: [Ntp] Protocol and Security Enhancements for the Network Time Protocol (NTP)
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Apr 2021 11:09:38 -0000

On Fri, Apr 16, 2021 at 03:32:20PM -0400, David L. Mills wrote:
> Miroslav Lichvar wrote:
> > The protocol doesn't prevent amplification attacks using the cookie
> > response. The document claims that rate limiting prevents such
> > attacks, but I don't think that is true. Rate limiting is not a
> > security mechanism. It actually creates other security issues. The
> > server has a limited amount of memory. Attackers can avoid rate
> > limiting by using more addresses than the server can remember. That's
> > easy if the victim is using IPv6.
> > 
> Rate limiting in itself is not the issue.  See the DDoS section.
> The effect is to delete packets with a headway less than two seconds.
> The LRU list includes up to 700 distinct IP addresses, so the goal is to
> amputate those enemy attacks before generating a response packet.
> This scheme has been used at NIST for several years.

If the server's LRU list is limited to 700 addresses, the attackers
will simply use 701 or more addresses to prevent any address from
accumulating requests and effectively disable the rate limiting.
Generally, it cannot prevent an amplification attack.

What is worse, it can be exploited for a DoS attack on real NTP
clients if it doesn't randomly let some packets through. An attacker
can send requests to the server with spoofed source address frequently
enough to keep the rate limiting constantly enabled in order to
prevent the real client from getting any responses to its own
requests. This was reported years ago, but it is still not fixed in
the ntp.org implementation.

It is a widespread issue. A third of public servers included in the
pool.ntp.org project seem to be affected.

> > It doesn't have a fully random nonce in addition to the transmit
> > timestamp. It claims that transmit timestamps are not predictable
> > while it recommends to not use the data minimization.
> > 
> I submit that in this context, the transmit timestamp can be an adequate
> nonce.  It would be possible to replace this function by an explicit
> nonce, but this means to be overkill.  The data minimization issue is
> not relevant.

The data minimization draft requires clients to use fully random
transmit timestamps. That's a good nonce, but it can be used only in
the client-server mode, not the symmetric mode.

> > In the broadcast mode the transmit timestamp is used as a sequence
> > number, which means the server cannot have a backward step. It doesn't
> > have a mechanism to protect against delay attacks. (That was a goal
> > in earlier NTS designs.)
> > 
> The hazard is mitigated by the rules explained in section 4.3.  An old
> duplicate is recognized by a check on the apparent poll interval.

That is not always sufficient. An attacker who can prevent packets
sent by the genuine server from reaching the client, can replay old
packets at a consistent rate with a constant delay (arbitrarily
large). The client will not see anything suspicious, except that the
time is in the past. If it accepts the backward step, it will be
susceptible to the attack.

> > The described parser detects legacy MACs by checking whether the
> > length field of an extension field is zero. I guess that was meant to
> > be the type of the field? That would work only with key IDs below
> > 65536.
> > 
> The proposed scheme does not work with legacy autokey.  Fancy that.

The trouble is that it will fail to parse messages of implementations
implementing RFC 5905 but not RFC 5906, using MACs with key IDs larger
than 65535.

> > It claims that NTS doesn't support interleaved mode. How could it, are
> > those two not at different layers? NTS+xleave definitely works for me.
> > 
> The proposed onwire protocol combines basic and interleave modes in a single
> protocol where the transmit devstamp is used for all protocol rounds.  The
> detailed design is described in section 4.3.

The document doesn't have enough details for me to fully understand
the new combined protocol.

Is a server or peer supposed to send responses with transmit timestamp
of a previous response whenever it has this timestamp saved, meaning
interleaved mode constantly enabled, except it is not indicated by the
origin timestamp as it used to?

How would an older client or peer not implementing this new protocol
be able to process received responses? I suspect it would be
dropping all measurements due to a large delay.

Another issue is that the symmetric mode cannot always work in
interleaved mode. When the polling intervals of the peers don't match,
there are multiple responses per request, using the same origin
timestamp. This means there is an ambiguity for the interleaved
transmit timestamp. The peer doesn't know if it actually received the
response to which the transmit timestamp corresponds. In such a
case the symmetric mode needs to switch to basic mode. This is how it
works in the ntp-interleaved-modes draft.

-- 
Miroslav Lichvar


From nobody Mon Apr 19 09:31:15 2021
Return-Path: <dsibold.ietf@gmail.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99EC13A39A1 for <ntp@ietfa.amsl.com>; Mon, 19 Apr 2021 09:31:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.197
X-Spam-Level: 
X-Spam-Status: No, score=-0.197 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id slDB2FzEsZi6 for <ntp@ietfa.amsl.com>; Mon, 19 Apr 2021 09:31:08 -0700 (PDT)
Received: from mail-wr1-x430.google.com (mail-wr1-x430.google.com [IPv6:2a00:1450:4864:20::430]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B5813A399F for <ntp@ietf.org>; Mon, 19 Apr 2021 09:31:07 -0700 (PDT)
Received: by mail-wr1-x430.google.com with SMTP id e7so25736734wrs.11 for <ntp@ietf.org>; Mon, 19 Apr 2021 09:31:07 -0700 (PDT)
X-Received: by 2002:a5d:628e:: with SMTP id k14mr15540444wru.150.1618849865266;  Mon, 19 Apr 2021 09:31:05 -0700 (PDT)
Received: from [192.168.111.41] (p200300d17f11700004e3069d323c415c.dip0.t-ipconnect.de. [2003:d1:7f11:7000:4e3:69d:323c:415c]) by smtp.gmail.com with ESMTPSA id f1sm18933722wru.60.2021.04.19.09.31.04 for <ntp@ietf.org> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 19 Apr 2021 09:31:04 -0700 (PDT)
From: Dieter Sibold <dsibold.ietf@gmail.com>
To: "NTP WG" <ntp@ietf.org>
Date: Mon, 19 Apr 2021 18:31:03 +0200
X-Mailer: MailMate (1.14r5757)
Message-ID: <BFBF66AB-D481-45D8-B63E-D82A43FA3718@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/nM2Bf-r3FJCBJ2ySS8cgi1o7jrc>
Subject: [Ntp] Minutes from NTP WG session, IETF 110
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Apr 2021 16:31:13 -0000

Dear all,

you may find the minutes from the last NTP WG session here:

https://datatracker.ietf.org/meeting/110/materials/minutes-110-ntp-00

The minutes are basically taken unchanged from Watson’s note taking in 
CodiMD. Many thanks to Watson!

Dieter


From nobody Mon Apr 19 10:38:31 2021
Return-Path: <hmurray@megapathdsl.net>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0AC943A3C06 for <ntp@ietfa.amsl.com>; Mon, 19 Apr 2021 10:38:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.608
X-Spam-Level: ***
X-Spam-Status: No, score=3.608 tagged_above=-999 required=5 tests=[HELO_DYNAMIC_IPADDR=3.243, RDNS_DYNAMIC=0.363, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AczcnD4tacBe for <ntp@ietfa.amsl.com>; Mon, 19 Apr 2021 10:38:25 -0700 (PDT)
Received: from ip-64-139-1-69.sjc.megapath.net (ip-64-139-1-69.sjc.megapath.net [64.139.1.69]) by ietfa.amsl.com (Postfix) with ESMTP id 99F203A3C02 for <ntp@ietf.org>; Mon, 19 Apr 2021 10:38:25 -0700 (PDT)
Received: from shuksan (localhost [127.0.0.1]) by ip-64-139-1-69.sjc.megapath.net (Postfix) with ESMTP id CF68C40605C; Mon, 19 Apr 2021 10:38:23 -0700 (PDT)
X-Mailer: exmh version 2.7.2 01/07/2005 with nmh-1.3
To: NTP WG <ntp@ietf.org>
cc: hmurray@megapathdsl.net
From: Hal Murray <hmurray@megapathdsl.net>
In-Reply-To: Message from Miroslav Lichvar <mlichvar@redhat.com> of "Mon, 19 Apr 2021 13:09:20 +0200." <YH1k4ETzrUB0tVQt@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 19 Apr 2021 10:38:23 -0700
Message-Id: <20210419173823.CF68C40605C@ip-64-139-1-69.sjc.megapath.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/14DmHunAV56-7D5k1tYR7t0cP6s>
Subject: [Ntp] DDoS meets NTP
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Apr 2021 17:38:30 -0000

mlichvar@redhat.com said:
> What is worse, it can be exploited for a DoS attack on real NTP clients if it
> doesn't randomly let some packets through. 

How many is "some"?  What fraction of the responses does a client need?

Is this a solvable problem?  If I let 1/N through, is there a value of N that 
lets through enough real replies without also letting through enough bogus 
traffic to make traditional DDoS practical?

There is a horrible complication in this area: NAT.  If there are X clients 
behind a NAT box, then that IP Address needs X times as much legitimate 
traffic.

--------

One tool in this area is to have the NTS cookies tied to an IP Address.  We 
discussed this a long time ago.  Nobody was interested, but I've forgotten 
why.  Maybe it was more important to allow laptops to keep using their cookies 
across migrations that change IP Addresses.

We could make it an option.  Then people with fixed addresses could turn it on 
and servers could have 2 modes of rate limiting.  That doesn't help if the bad 
guy can capture traffic from the client.  The server can't tell a replay from 
normal traffic.

--------

Is there any group within IETF where DDoS discussions would be appropriate?



-- 
These are my opinions.  I hate spam.
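
The fixed-size limiter discussed in Miroslav Lichvar's message and the 1/N pass-through asked about in this one can be modelled offline. The following C simulation is an added example, not code from ntpd or any other implementation; the table size (700) and headway (2 s) are the figures quoted in the thread, while the eviction rule, the refresh-on-drop behaviour, the addresses and the packet timings are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TABLE_SIZE 700    /* LRU capacity quoted in the thread */
#define HEADWAY_MS 2000   /* minimum spacing between answered requests */

struct entry { uint32_t addr; uint64_t last_ms; };

struct limiter {
    struct entry tab[TABLE_SIZE];
    int      used;     /* occupied slots */
    unsigned leak_n;   /* 0: never leak; N: answer a limited packet with chance 1/N */
    uint32_t rng;      /* xorshift32 state; fixed seed keeps runs reproducible */
};

static void lim_init(struct limiter *l, unsigned leak_n)
{
    memset(l, 0, sizeof *l);
    l->leak_n = leak_n;
    l->rng = 2463534242u;
}

static uint32_t lim_rand(struct limiter *l)
{
    uint32_t x = l->rng;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return l->rng = x;
}

/* Returns 1 if a request from addr arriving at now_ms would be answered. */
static int lim_accept(struct limiter *l, uint32_t addr, uint64_t now_ms)
{
    int i, slot = -1, oldest = 0;
    uint64_t gap;

    for (i = 0; i < l->used; i++) {
        if (l->tab[i].addr == addr) { slot = i; break; }
        if (l->tab[i].last_ms < l->tab[oldest].last_ms) oldest = i;
    }
    if (slot < 0) {   /* no history: take a free slot or evict the oldest entry */
        slot = (l->used < TABLE_SIZE) ? l->used++ : oldest;
        l->tab[slot].addr = addr;
        l->tab[slot].last_ms = now_ms;
        return 1;
    }
    gap = now_ms - l->tab[slot].last_ms;
    l->tab[slot].last_ms = now_ms;   /* assumption: dropped packets refresh the entry too */
    if (gap >= HEADWAY_MS)
        return 1;
    return l->leak_n != 0 && lim_rand(l) % l->leak_n == 0;
}

/* Requests arrive 1 ms apart, cycling through nsrc distinct source addresses.
 * Returns how many of them are answered when nothing is leaked. */
static unsigned answered_rotating(unsigned nsrc, unsigned npkts)
{
    struct limiter l;
    unsigned i, ok = 0;

    lim_init(&l, 0);
    for (i = 0; i < npkts; i++)
        ok += lim_accept(&l, 0x0a000000u + i % nsrc, i);
    return ok;
}

/* One real client polls every 64 s while other packets carrying the same
 * source address arrive once per second. Returns the number of the client's
 * polls that are answered; *other_ok counts the answered same-address packets. */
static unsigned answered_client(unsigned leak_n, unsigned polls, unsigned *other_ok)
{
    struct limiter l;
    const uint32_t client = 0xc0000201u;   /* 192.0.2.1, documentation range */
    unsigned k, s, ok = 0;
    uint64_t t = 0;

    lim_init(&l, leak_n);
    *other_ok = 0;
    for (k = 0; k < polls; k++) {
        for (s = 0; s < 64; s++, t += 1000)
            *other_ok += lim_accept(&l, client, t);
        ok += lim_accept(&l, client, t - 500);   /* the client's own request */
    }
    return ok;
}

int main(void)
{
    unsigned other, got;

    printf("700 sources: %u of 7000 answered\n", answered_rotating(700, 7000));
    printf("701 sources: %u of 7010 answered\n", answered_rotating(701, 7010));
    got = answered_client(0, 1000, &other);
    printf("no leak:  client %u/1000, same-address traffic %u\n", got, other);
    got = answered_client(4, 1000, &other);
    printf("leak 1/4: client %u/1000, same-address traffic %u\n", got, other);
    return 0;
}
```

With the leak enabled the client gets roughly 1/N of its polls answered, and the same fraction of the other same-address traffic is answered as well, which is the trade-off raised above.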




From nobody Mon Apr 19 11:04:59 2021
Return-Path: <dfoxfranke@gmail.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFBB43A3D16 for <ntp@ietfa.amsl.com>; Mon, 19 Apr 2021 11:04:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.196
X-Spam-Level: 
X-Spam-Status: No, score=-0.196 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HH_cNZrPli46 for <ntp@ietfa.amsl.com>; Mon, 19 Apr 2021 11:04:53 -0700 (PDT)
Received: from mail-pl1-x635.google.com (mail-pl1-x635.google.com [IPv6:2607:f8b0:4864:20::635]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C9053A3D15 for <ntp@ietf.org>; Mon, 19 Apr 2021 11:04:53 -0700 (PDT)
Received: by mail-pl1-x635.google.com with SMTP id g16so1322248plq.3 for <ntp@ietf.org>; Mon, 19 Apr 2021 11:04:53 -0700 (PDT)
X-Received: by 2002:a17:90a:4b4e:: with SMTP id o14mr317252pjl.199.1618855491954;  Mon, 19 Apr 2021 11:04:51 -0700 (PDT)
MIME-Version: 1.0
References: <mlichvar@redhat.com> <YH1k4ETzrUB0tVQt@localhost> <20210419173823.CF68C40605C@ip-64-139-1-69.sjc.megapath.net>
In-Reply-To: <20210419173823.CF68C40605C@ip-64-139-1-69.sjc.megapath.net>
From: Daniel Franke <dfoxfranke@gmail.com>
Date: Mon, 19 Apr 2021 14:04:41 -0400
Message-ID: <CAJm83bDzve+x7zxtp-g4+RmkbQ8_rBkainOXCim-q37W=7borg@mail.gmail.com>
To: Hal Murray <hmurray@megapathdsl.net>
Cc: NTP WG <ntp@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008a6d8c05c0572af3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/JYOslw7wbWKrBXqfdgqmXd99jm8>
Subject: Re: [Ntp] DDoS meets NTP
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Apr 2021 18:04:58 -0000

--0000000000008a6d8c05c0572af3
Content-Type: text/plain; charset="UTF-8"

On Mon, Apr 19, 2021 at 1:38 PM Hal Murray <hmurray@megapathdsl.net> wrote:

>
> Is this a solvable problem?  If I let 1/N through, is there a value of N
> that
> lets through enough real replies without also letting through enough bogus
> traffic to make traditional DDoS practical?
>

No. A client will treat a server as unreachable after 8 dropped replies, so
an attacker can DoS a client by sending spoofed packets at the rate limit
plus eight times the client's burst interval, which at conventional rate
limits is an absolutely trivial amount of traffic. Trying to rate-limit NTP
is just absolutely counterproductive no matter how you approach it. The way
to make NTP DDoS-resilient is to spec your server with enough CPU to keep
up with requests coming in at the full capacity of your network link. Do
this, and attackers will achieve no more by hammering you with NTP requests
than by hammering you with random garbage.

--0000000000008a6d8c05c0572af3--


From nobody Mon Apr 19 12:12:39 2021
Return-Path: <hmurray@megapathdsl.net>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 952B43A3FB0 for <ntp@ietfa.amsl.com>; Mon, 19 Apr 2021 12:12:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.609
X-Spam-Level: ***
X-Spam-Status: No, score=3.609 tagged_above=-999 required=5 tests=[HELO_DYNAMIC_IPADDR=3.243, RCVD_IN_DNSWL_BLOCKED=0.001, RDNS_DYNAMIC=0.363, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0DWQODuBFy56 for <ntp@ietfa.amsl.com>; Mon, 19 Apr 2021 12:12:33 -0700 (PDT)
Received: from ip-64-139-1-69.sjc.megapath.net (ip-64-139-1-69.sjc.megapath.net [64.139.1.69]) by ietfa.amsl.com (Postfix) with ESMTP id 7EE143A3FAA for <ntp@ietf.org>; Mon, 19 Apr 2021 12:12:31 -0700 (PDT)
Received: from shuksan (localhost [127.0.0.1]) by ip-64-139-1-69.sjc.megapath.net (Postfix) with ESMTP id 5AD8740605C; Mon, 19 Apr 2021 12:12:26 -0700 (PDT)
X-Mailer: exmh version 2.7.2 01/07/2005 with nmh-1.3
To: Daniel Franke <dfoxfranke@gmail.com>
cc: Hal Murray <hmurray@megapathdsl.net>, NTP WG <ntp@ietf.org>
From: Hal Murray <hmurray@megapathdsl.net>
In-Reply-To: Message from Daniel Franke <dfoxfranke@gmail.com> of "Mon, 19 Apr 2021 14:04:41 EDT." <CAJm83bDzve+x7zxtp-g4+RmkbQ8_rBkainOXCim-q37W=7borg@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 19 Apr 2021 12:12:26 -0700
Message-Id: <20210419191226.5AD8740605C@ip-64-139-1-69.sjc.megapath.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/UUm5coAJ86b_QONbZ9E3gvhipxg>
Subject: Re: [Ntp] DDoS meets NTP
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Apr 2021 19:12:38 -0000

dfoxfranke@gmail.com said:
> No. A client will treat a server as unreachable after 8 dropped replies, so
> an attacker can DoS a client by sending spoofed packets at the rate limit
> plus eight times the client's burst interval, which at conventional rate
> limits is an absolutely trivial amount of traffic. Trying to rate-limit NTP
> is just absolutely counterproductive no matter how you approach it. The way
> to make NTP DDoS-resilient is to spec your server with enough CPU to keep up
> with requests coming in at the full capacity of your network link. Do this,
> and attackers will achieve no more by hammering you with NTP requests than by
> hammering you with random garbage. 

If I don't rate limit, then a bad guy can use my server as a reflector to DDoS 
any target.  Making my server run at full line rate just makes things worse 
for victims.


-- 
These are my opinions.  I hate spam.




From nobody Mon Apr 19 12:39:20 2021
Return-Path: <dfoxfranke@gmail.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9DCB3A4087 for <ntp@ietfa.amsl.com>; Mon, 19 Apr 2021 12:39:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.196
X-Spam-Level: 
X-Spam-Status: No, score=-0.196 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GQ6HKwr_yjY6 for <ntp@ietfa.amsl.com>; Mon, 19 Apr 2021 12:39:14 -0700 (PDT)
Received: from mail-pf1-x435.google.com (mail-pf1-x435.google.com [IPv6:2607:f8b0:4864:20::435]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C9F53A4085 for <ntp@ietf.org>; Mon, 19 Apr 2021 12:39:14 -0700 (PDT)
Received: by mail-pf1-x435.google.com with SMTP id y62so77107pfg.4 for <ntp@ietf.org>; Mon, 19 Apr 2021 12:39:14 -0700 (PDT)
X-Received: by 2002:a63:1921:: with SMTP id z33mr13537077pgl.211.1618861153186;  Mon, 19 Apr 2021 12:39:13 -0700 (PDT)
MIME-Version: 1.0
References: <dfoxfranke@gmail.com> <CAJm83bDzve+x7zxtp-g4+RmkbQ8_rBkainOXCim-q37W=7borg@mail.gmail.com> <20210419191226.5AD8740605C@ip-64-139-1-69.sjc.megapath.net>
In-Reply-To: <20210419191226.5AD8740605C@ip-64-139-1-69.sjc.megapath.net>
From: Daniel Franke <dfoxfranke@gmail.com>
Date: Mon, 19 Apr 2021 15:39:02 -0400
Message-ID: <CAJm83bAmsSDJ0hMPimXFxo2M+KzcfNpY2Kv5h541R4=Sv__+-Q@mail.gmail.com>
To: Hal Murray <hmurray@megapathdsl.net>
Cc: NTP WG <ntp@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f9f71a05c0587bff"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/L4Egrbl0l7-ioCFV8p-nZQZ3YTk>
Subject: Re: [Ntp] DDoS meets NTP
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Apr 2021 19:39:19 -0000

--000000000000f9f71a05c0587bff
Content-Type: text/plain; charset="UTF-8"

On Mon, Apr 19, 2021 at 3:12 PM Hal Murray <hmurray@megapathdsl.net> wrote:


> If I don't rate limit, then a bad guy can use my server as a reflector to
> DDoS
> any target.  Making my server run at full line rate just makes things
> worse
> for victims.
>

If your server is correctly configured, then you never amplify any traffic
so adversaries gain no benefit from doing this. They can hammer the
ultimate victim just as hard on their own as they can by using your server
as a reflector.

--000000000000f9f71a05c0587bff--


From nobody Mon Apr 19 15:33:57 2021
Return-Path: <mayer@pdmconsulting.net>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 974213A4728 for <ntp@ietfa.amsl.com>; Mon, 19 Apr 2021 15:33:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.002
X-Spam-Level: 
X-Spam-Status: No, score=-0.002 tagged_above=-999 required=5 tests=[NICE_REPLY_A=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id naofdCIgBylQ for <ntp@ietfa.amsl.com>; Mon, 19 Apr 2021 15:33:52 -0700 (PDT)
Received: from chessie.everett.org (chessie.everett.org [66.220.13.234]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D0A33A4726 for <ntp@ietf.org>; Mon, 19 Apr 2021 15:33:50 -0700 (PDT)
Received: from newusers-MBP.fios-router.home (pool-108-26-201-164.bstnma.fios.verizon.net [108.26.201.164]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by chessie.everett.org (Postfix) with ESMTPSA id 4FPM6j4R8wzMNJk; Mon, 19 Apr 2021 22:33:49 +0000 (UTC)
To: Hal Murray <hmurray@megapathdsl.net>, NTP WG <ntp@ietf.org>
References: <20210419173823.CF68C40605C@ip-64-139-1-69.sjc.megapath.net>
From: Danny Mayer <mayer@pdmconsulting.net>
Message-ID: <6a2a9a69-c213-847c-ee2f-7a73ffddba65@pdmconsulting.net>
Date: Mon, 19 Apr 2021 18:33:48 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.9.1
MIME-Version: 1.0
In-Reply-To: <20210419173823.CF68C40605C@ip-64-139-1-69.sjc.megapath.net>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/Y_C7aeNcGKSbxy8bQ5kAdpzsGrU>
Subject: Re: [Ntp] DDoS meets NTP
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Apr 2021 22:33:57 -0000

On 4/19/21 1:38 PM, Hal Murray wrote:
> One tool in this area is to have the NTS cookies tied to an IP Address.  We
> discussed this a long time ago.  Nobody was interested, but I've forgotten
> why.  Maybe it was more important to allow laptops to keep using their cookies
> across migrations that change IP Addresses.
>
> We could make it an option.  Then people with fixed addresses could turn it on
> and servers could have 2 modes of rate limiting.  That doesn't help if the bad
> guy can capture traffic from the client.  The server can't tell a replay from
> normal traffic.

This doesn't work at all. You should never be tying cookies to an IP 
address. Which address would that be? An IPv4 address, an IPv6 address, 
a VPN IP address, all of which can be active at the same time and being 
used at the same time. This is just as bad as the ReferenceID being used 
as the IP address from which it got its preferred truechimer clock.

Danny


From nobody Tue Apr 20 00:01:07 2021
Return-Path: <Ulrich.Windl@rz.uni-regensburg.de>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C98383A0DC0 for <ntp@ietfa.amsl.com>; Tue, 20 Apr 2021 00:01:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level: 
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jpYOuh4PJ3n4 for <ntp@ietfa.amsl.com>; Tue, 20 Apr 2021 00:01:02 -0700 (PDT)
Received: from mx3.uni-regensburg.de (mx3.uni-regensburg.de [IPv6:2001:638:a05:137:165:0:4:4e79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3255B3A1398 for <ntp@ietf.org>; Tue, 20 Apr 2021 00:01:01 -0700 (PDT)
Received: from mx3.uni-regensburg.de (localhost [127.0.0.1]) by localhost (Postfix) with SMTP id 156416000055 for <ntp@ietf.org>; Tue, 20 Apr 2021 09:00:57 +0200 (CEST)
Received: from gwsmtp.uni-regensburg.de (gwsmtp1.uni-regensburg.de [132.199.5.51]) by mx3.uni-regensburg.de (Postfix) with ESMTP id F3FE76000051 for <ntp@ietf.org>; Tue, 20 Apr 2021 09:00:56 +0200 (CEST)
Received: from uni-regensburg-smtp1-MTA by gwsmtp.uni-regensburg.de with Novell_GroupWise; Tue, 20 Apr 2021 09:00:56 +0200
Message-Id: <607E7C26020000A100040A49@gwsmtp.uni-regensburg.de>
X-Mailer: Novell GroupWise Internet Agent 18.3.1 
Date: Tue, 20 Apr 2021 09:00:54 +0200
From: "Ulrich Windl" <Ulrich.Windl@rz.uni-regensburg.de>
To: "Daniel Franke" <dfoxfranke@gmail.com>, "Hal Murray" <hmurray@megapathdsl.net>
Cc: "ntp@ietf.org" <ntp@ietf.org>
References: <dfoxfranke@gmail.com> <CAJm83bDzve+x7zxtp-g4+RmkbQ8_rBkainOXCim-q37W=7borg@mail.gmail.com> <20210419191226.5AD8740605C@ip-64-139-1-69.sjc.megapath.net> <CAJm83bAmsSDJ0hMPimXFxo2M+KzcfNpY2Kv5h541R4=Sv__+-Q@mail.gmail.com> <78A017D50200007043047E14@gwsmtp.uni-regensburg.de> <118C0E41020000F8AB59E961@gwsmtp.uni-regensburg.de> <788187C10200009C43047E14@gwsmtp.uni-regensburg.de> <8C96E46D020000BCAB59E961@gwsmtp.uni-regensburg.de>
In-Reply-To: <8C96E46D020000BCAB59E961@gwsmtp.uni-regensburg.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/xesNtDOeB5pCMopQg-hZSumfLFA>
Subject: [Ntp] Antw: [EXT] Re:  DDoS meets NTP
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Apr 2021 07:01:07 -0000

>>> Daniel Franke <dfoxfranke@gmail.com> wrote on 19.04.2021 at 21:39 in
message
<CAJm83bAmsSDJ0hMPimXFxo2M+KzcfNpY2Kv5h541R4=Sv__+-Q@mail.gmail.com>:
> On Mon, Apr 19, 2021 at 3:12 PM Hal Murray <hmurray@megapathdsl.net> wrote:
> 
> 
>> If I don't rate limit, then a bad guy can use my server as a reflector to
>> DDoS
>> any target.  Making my server run at full line rate just makes things
>> worse
>> for victims.
>>
> 
> If your server is correctly configured, then you never amplify any traffic
> so adversaries gain no benefit from doing this. They can hammer the
> ultimate victim just as hard on their own as they can by using your server
> as a reflector.

But the point is: Will they realize (or just continue the mis-use)?



From nobody Tue Apr 20 00:23:32 2021
Return-Path: <mlichvar@redhat.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34DD73A149E for <ntp@ietfa.amsl.com>; Tue, 20 Apr 2021 00:23:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.12
X-Spam-Level: 
X-Spam-Status: No, score=-2.12 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhat.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eVRLTVZcn5DH for <ntp@ietfa.amsl.com>; Tue, 20 Apr 2021 00:23:25 -0700 (PDT)
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F3FB3A149C for <ntp@ietf.org>; Tue, 20 Apr 2021 00:23:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1618903403; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=kqHqgjwEqIProwHaQMlANUzPtsBp4+FlMENacM5iOWk=; b=gNGakLQQcXK+iTbIN8QwZGgqexBeT1aYClrkhxAzUFGp/aDYrG2+3I+aW3okfRQdlumz1z uSmpxVK/au/+l77vFb2ou31vfAXeZV/DFiejIP0fCZcaXZg3mlsc0RcuGPMx8pP/R1iEYM +kJvFC4u5aK8AFrHIJuo9PU1oMLcE70=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-569-fRn2mSPJMACCyGIrdRSpAA-1; Tue, 20 Apr 2021 03:23:21 -0400
X-MC-Unique: fRn2mSPJMACCyGIrdRSpAA-1
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id BB8AD107ACCA; Tue, 20 Apr 2021 07:23:20 +0000 (UTC)
Received: from localhost (holly.tpb.lab.eng.brq.redhat.com [10.43.134.11]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 1EE0F610F1; Tue, 20 Apr 2021 07:23:19 +0000 (UTC)
Date: Tue, 20 Apr 2021 09:23:18 +0200
From: Miroslav Lichvar <mlichvar@redhat.com>
To: Hal Murray <hmurray@megapathdsl.net>
Cc: NTP WG <ntp@ietf.org>
Message-ID: <YH6BZoUfnLBaq8qi@localhost>
References: <mlichvar@redhat.com> <YH1k4ETzrUB0tVQt@localhost> <20210419173823.CF68C40605C@ip-64-139-1-69.sjc.megapath.net>
MIME-Version: 1.0
In-Reply-To: <20210419173823.CF68C40605C@ip-64-139-1-69.sjc.megapath.net>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12
Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=mlichvar@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/wdWGjEW_KO0GrNc2GsUvbrpxtGM>
Subject: Re: [Ntp] DDoS meets NTP
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Apr 2021 07:23:30 -0000

On Mon, Apr 19, 2021 at 10:38:23AM -0700, Hal Murray wrote:
> 
> mlichvar@redhat.com said:
> > What is worse, it can be exploited for a DoS attack on real NTP clients if it
> > doesn't randomly let some packets through. 
> 
> How many is "some"?  What fraction of the responses does a client need?
> 
> Is this a solvable problem?  If I let 1/N through, is there a value of N that 
> lets through enough real replies without also letting through enough bogus 
> traffic to make traditional DDoS practical?

Address-specific rate limiting in NTP can be circumvented. I think its
only purpose can be saving network traffic on broken and misconfigured
clients. That's all.

As for the highest usable N, it depends on the client implementation.
For a public server, N=4 (a leak rate of 25%) seems to be about the
highest value where most clients still appear to do something useful.
This can save up to 37.5% of network traffic (TX+RX).

-- 
Miroslav Lichvar
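
Added example (not part of the original message and not code from any NTP implementation): a small model of the trade-off discussed in this thread, combining the 1/N leak with the "unreachable after 8 dropped replies" threshold mentioned earlier. It assumes requests and responses of equal size, an address that stays rate-limited for the whole run, and replies leaked independently at random; all function names are illustrative.

```python
import random

# Assumption: the client tracks reachability in an 8-bit shift register,
# matching the "8 dropped replies" threshold quoted in the thread.
REACH_BITS = 8


def traffic_saved(n: int) -> float:
    """Fraction of TX+RX traffic saved while an address is being limited.

    Assumes request and response are the same size: the server still
    receives every request (RX) but sends only 1/n of the replies (TX).
    """
    unlimited = 2.0           # one request plus one reply per exchange
    limited = 1.0 + 1.0 / n   # one request plus 1/n of a reply
    return (unlimited - limited) / unlimited


def p_all_dropped(n: int, polls: int = REACH_BITS) -> float:
    """Probability that `polls` consecutive replies are all dropped
    when each reply is leaked independently with probability 1/n."""
    return (1.0 - 1.0 / n) ** polls


def simulate_unreachable_fraction(n: int, polls: int = 200_000,
                                  seed: int = 1) -> float:
    """Fraction of polls after which the client's reach register is zero.

    Models a legitimate client whose address is limited for the whole
    run (for example because it shares the address with other traffic).
    """
    rng = random.Random(seed)          # seeded so the run is repeatable
    mask = (1 << REACH_BITS) - 1
    reach = mask                       # start fully reachable
    unreachable = 0
    for _ in range(polls):
        answered = rng.random() < 1.0 / n      # reply leaked through
        reach = ((reach << 1) | int(answered)) & mask
        if reach == 0:                 # 8 polls in a row got no reply
            unreachable += 1
    return unreachable / polls


def leak_table(values=(2, 4, 8, 16)):
    """Rows of (N, leak rate, traffic saved, P[8 drops in a row])."""
    return [(n, 1.0 / n, traffic_saved(n), p_all_dropped(n))
            for n in values]


if __name__ == "__main__":
    print(f"{'N':>3} {'leak':>7} {'saved':>7} {'P(8 drops)':>11} {'simulated':>10}")
    for n, leak, saved, p8 in leak_table():
        sim = simulate_unreachable_fraction(n)
        print(f"{n:>3} {leak:>7.1%} {saved:>7.1%} {p8:>11.2%} {sim:>10.2%}")
```

For N=4 the model reproduces the 37.5% figure above, and shows that a continuously limited client would still see eight consecutive missing replies roughly 10% of the time.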


From nobody Tue Apr 20 02:06:45 2021
Return-Path: <dfoxfranke@gmail.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E60783A1945 for <ntp@ietfa.amsl.com>; Tue, 20 Apr 2021 02:06:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level: 
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v64ih7RyPdja for <ntp@ietfa.amsl.com>; Tue, 20 Apr 2021 02:06:40 -0700 (PDT)
Received: from mail-pg1-x535.google.com (mail-pg1-x535.google.com [IPv6:2607:f8b0:4864:20::535]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62EF03A1943 for <ntp@ietf.org>; Tue, 20 Apr 2021 02:06:40 -0700 (PDT)
Received: by mail-pg1-x535.google.com with SMTP id w10so26177990pgh.5 for <ntp@ietf.org>; Tue, 20 Apr 2021 02:06:40 -0700 (PDT)
X-Received: by 2002:aa7:82ce:0:b029:242:deb4:9442 with SMTP id f14-20020aa782ce0000b0290242deb49442mr24264973pfn.73.1618909597290; Tue, 20 Apr 2021 02:06:37 -0700 (PDT)
MIME-Version: 1.0
References: <dfoxfranke@gmail.com> <CAJm83bDzve+x7zxtp-g4+RmkbQ8_rBkainOXCim-q37W=7borg@mail.gmail.com> <20210419191226.5AD8740605C@ip-64-139-1-69.sjc.megapath.net> <CAJm83bAmsSDJ0hMPimXFxo2M+KzcfNpY2Kv5h541R4=Sv__+-Q@mail.gmail.com> <78A017D50200007043047E14@gwsmtp.uni-regensburg.de> <118C0E41020000F8AB59E961@gwsmtp.uni-regensburg.de> <788187C10200009C43047E14@gwsmtp.uni-regensburg.de> <8C96E46D020000BCAB59E961@gwsmtp.uni-regensburg.de> <607E7C26020000A100040A49@gwsmtp.uni-regensburg.de>
In-Reply-To: <607E7C26020000A100040A49@gwsmtp.uni-regensburg.de>
From: Daniel Franke <dfoxfranke@gmail.com>
Date: Tue, 20 Apr 2021 05:06:26 -0400
Message-ID: <CAJm83bCnS_dow3fvq1JxHK_zMG7_wdsicUZbgg+hqnyAEiXvWA@mail.gmail.com>
To: Ulrich Windl <Ulrich.Windl@rz.uni-regensburg.de>
Cc: Hal Murray <hmurray@megapathdsl.net>, "ntp@ietf.org" <ntp@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007855b905c063c37f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/DgvAkUWtqrZXYodXW2zIzXXV-AQ>
Subject: Re: [Ntp] [EXT] Re:  DDoS meets NTP
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Apr 2021 09:06:45 -0000

--0000000000007855b905c063c37f
Content-Type: text/plain; charset="UTF-8"

On Tue, Apr 20, 2021 at 3:00 AM Ulrich Windl <
Ulrich.Windl@rz.uni-regensburg.de> wrote:

> But the point is: Will they realize (or just continue the mis-use)?


Regardless, mitigating non-amplifying reflection is impractical and
pointless. Literally every server on the internet is "vulnerable" to this.
You can spam TCP SYNs to any server with a TCP stack and flood the victim
with SYN/ACKs (if the port is open) or RSTs (if it's closed). Or send UDP
traffic to a closed port and hit the victim with ICMP port-unreachable
messages. Or ICMP echo-request and hit with echo-replies.

--0000000000007855b905c063c37f--


From nobody Fri Apr 23 05:25:32 2021
Return-Path: <kristof.teichel@ptb.de>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B40863A1B50 for <ntp@ietfa.amsl.com>; Fri, 23 Apr 2021 05:25:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.42
X-Spam-Level: 
X-Spam-Status: No, score=-1.42 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.377, HTML_NONELEMENT_30_40=0.001, MIME_HTML_ONLY=0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gb4324_S658a for <ntp@ietfa.amsl.com>; Fri, 23 Apr 2021 05:25:27 -0700 (PDT)
Received: from mx1.bs.ptb.de (mx1.bs.ptb.de [192.53.103.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DEAB33A1B4F for <ntp@ietf.org>; Fri, 23 Apr 2021 05:25:26 -0700 (PDT)
Received: from smtp-hub.bs.ptb.de (smtpint01.bs.ptb.de [141.25.87.32]) by mx1.bs.ptb.de  with ESMTP id 13NCPN90029681-13NCPN92029681 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Fri, 23 Apr 2021 14:25:23 +0200
Received: from lotus.bs.ptb.de (lotus.bs.ptb.de [141.25.85.200]) by smtp-hub.bs.ptb.de (Postfix) with ESMTPS id 6BCD3B3B7DE; Fri, 23 Apr 2021 14:25:23 +0200 (CEST)
MIME-Version: 1.0
Sensitivity: 
Importance: Normal
X-Priority: 3 (Normal)
In-Reply-To: <CAJm83bAQgRKNEdaOcNvSkL1OF-xOd8T_5AYfwJCXtpZifUAVSQ@mail.gmail.com>
References: <CAJm83bAQgRKNEdaOcNvSkL1OF-xOd8T_5AYfwJCXtpZifUAVSQ@mail.gmail.com>
From: kristof.teichel@ptb.de
To: "Daniel Franke" <dfoxfranke@gmail.com>
Cc: "NTP WG" <ntp@ietf.org>
Date: Fri, 23 Apr 2021 14:25:20 +0200
Message-ID: <OF1BA72A99.13DC4340-ONC12586C0.00443CDE-C12586C0.00443CDF@ptb.de>
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/1o2LAGwaTCna9NjiKdEFESSlwsI>
Subject: [Ntp] Antwort:  An RFC6921-compliant NTP implementation
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Apr 2021 12:25:31 -0000

So I had this lying around in a forgotten folder of my inbox and only
today managed to review it (and familiarize myself with RFC 6921, and
appreciate the temporal context, which had completely eluded me).
Just wanted to say: outstanding work, Daniel!
And I do hope we hear more from this project, perhaps in a year or so
(give or take 22 days)?


-----"ntp" <ntp-bounces@ietf.org> wrote: -----

> To: "NTP WG" <ntp@ietf.org>
> From: "Daniel Franke" <dfoxfranke@gmail.com>
> Sent by: "ntp" <ntp-bounces@ietf.org>
> Date: 01.04.2021 02:02
> Cc: bob.hinden@gmail.com
> Subject: [Ntp] An RFC6921-compliant NTP implementation
>
> Building on the groundbreaking results from CERN's OPERA experiment
> showing that neutrinos can be accelerated to superluminal speeds merely
> by loosening the contacts on a transmission cable, I'm pleased to report
> a mostly-successful experiment building an RFC6921 ("Design
> Considerations for Faster-Than-Light (FTL) Communication") compliant
> implementation of NTP.
>
> As a preliminary test intended simply to verify the correct functioning
> of the experiment hardware, I positioned two hosts, both running
> unmodified NTP software, 25 light-milliseconds apart, and networked them
> point-to-point via a superluminal neutrino transceiver. I measured a
> ping time of 49.998ms, confirming FTL communication. As expected, NTP
> was able to operate normally in this rather unchallenging configuration.
>
> FTL communication can lead to backward causality only when the
> communicating parties are in relative motion, and since the speed of our
> communication is only slightly greater than c, the communicating
> parties' speed of travel needs to be only slightly less than c. Even in
> the subluminal case, this already causes some problems for NTP. NTP is a
> clock synchronization protocol, but as soon as relativistic effects
> become non-negligible the whole notion of synchronicity needs to be
> abandoned; thus it needs to be carefully stated what NTP is even trying
> to accomplish. I decided on the following problem statement: given a
> client on a long journey through space, in continuous communication with
> a server located on Earth, allow the client to maintain a clock that
> will be synchronized with the server's clock at such point as the client
> ever rejoins the server's reference frame. The effects of time dilation
> mean that such a clock may run at a rate quite different from the proper
> time experienced by the client, but here we nonetheless have a
> well-defined goal, free of paradox. Note the necessity of restricting
> ourselves to discussing client/server mode; symmetric mode makes no
> sense in this setting.
>
> The client will at all times need a priori knowledge of its velocity
> relative to the server, and must make the following adjustments to the
> usual NTP algorithms:
>
> 1. It must scale its clock frequency according to the time dilation
>    formula, 1/sqrt(1-v^2/c^2).
> 2. It must apply a Lorentz transformation to the receive and transmit
>    timestamps, to bring these from the server's reference frame into the
>    client's (the origin and destination timestamps are already in the
>    client's reference frame).
> 3. It must adjust for the fact that its distance from the server may be
>    different on one leg of a round-trip communication than it was on the
>    other. This would be necessary even in a Newtonian universe, whenever
>    the client and server are in relative motion.
>
> These modifications are sufficient when only subluminal communication is
> involved, but in the FTL setting, backward causality creates an
> additional wrinkle, since a response mayan arrivan fore-when its
> corresponding request on-sent. As far as our basic formula for clock
> offset, ((t_2 - t_1) + (t_3 - t_4))/2, goes, this is just fine: it has
> no special behavior for negative values and needs no modification to
> accommodate them. The issue, rather, is that it mayant be immediately
> possible to validate the origin timestamp. Rather than discarding a
> packet with an unrecognized origin timestamp, the client must retain it
> until its next request on-generates, and check the match at that time.
>
> I deployed an NTP client with the aforementioned modifications, again
> equipped with an FTL neutrino transceiver, out to a distance of roughly
> a light-hour, and then accelerated it back toward Earth, beginning tests
> once it reached 0.99999c (I won't bore with the details of the
> propulsion system because, since time flies, they're straightforward).
> For the duration of its trip, it reported nominal results consistent
> with successful synchronization, thus experimentally confirming the
> correctness of these algorithm modifications.
>
> I will not be releasing the code from this experiment, for two reasons:
>
> 1. The aforementioned requirement to store an unbounded number of
>    unauthenticated server packets until the client can determine whether
>    it willan on-generate a matching origin timestamp constitutes an
>    unfixable DoS vulnerability, and releasing known-vulnerable code
>    would be irresponsible.
>
> 2. I no longer have it available, because when the returning client
>    struck Earth's atmosphere at relativistic speed, the fireball
>    destroyed the experimental apparatus, the server hosting my git repo,
>    and most of Antarctica. Sorry about that.
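
The origin-timestamp check and the deferred-validation buffer described in the quoted message, as an added example that is not part of the thread and not code from any NTP implementation. The class names, integer-millisecond timestamps and sample values are constructed for illustration, and the round-trip delay formula is the standard NTP one rather than something stated in the message.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    origin: int    # t1 as echoed back by the server (client clock, ms)
    receive: int   # t2, server clock when the request arrived (ms)
    transmit: int  # t3, server clock when the reply left (ms)


def offset_and_delay(t1, t2, t3, t4):
    """Offset formula from the message; delay is the standard NTP companion."""
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)


class StrictClient:
    """Usual rule: one outstanding origin timestamp, mismatches dropped on arrival."""

    def __init__(self):
        self.outstanding = None
        self.dropped = 0

    def send(self, t1):
        self.outstanding = t1

    def receive(self, resp, t4):
        if self.outstanding is None or resp.origin != self.outstanding:
            self.dropped += 1          # spoofed, stale or replayed: no state kept
            return None
        self.outstanding = None        # accept each request's reply only once
        return offset_and_delay(resp.origin, resp.receive, resp.transmit, t4)

    def state_size(self):
        return 0 if self.outstanding is None else 1


class DeferringClient:
    """Model of the message's change: hold unmatched replies until the next
    request is generated. cap=None is the unbounded buffer it describes."""

    def __init__(self, cap=None):
        self.pending = deque(maxlen=cap)   # (Response, t4); oldest evicted at cap

    def receive(self, resp, t4):
        self.pending.append((resp, t4))    # nothing can be validated yet

    def send(self, t1):
        hits = [offset_and_delay(r.origin, r.receive, r.transmit, t4)
                for r, t4 in self.pending if r.origin == t1]
        self.pending.clear()
        return hits

    def state_size(self):
        return len(self.pending)


def early_reply_then_junk(client, junk_count):
    """Constructed scenario: the genuine reply arrives 10 ms before its request,
    followed by junk_count unauthenticated replies with bogus origins."""
    client.receive(Response(origin=10_000, receive=109_994, transmit=109_996), 9_990)
    for i in range(junk_count):
        client.receive(Response(origin=-1 - i, receive=0, transmit=0), 9_991)
    peak = client.state_size()
    return peak, client.send(10_000)


if __name__ == "__main__":
    print(early_reply_then_junk(DeferringClient(), 10_000))        # buffer grows with the flood
    print(early_reply_then_junk(DeferringClient(cap=64), 10_000))  # bounded, genuine reply evicted
```

With `cap=64` memory stays bounded, but the flood evicts the genuine reply before it can be matched, so the cap trades memory exhaustion for loss of synchronization; the strict client avoids both by never holding unvalidated packets.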


From nobody Tue Apr 27 08:01:58 2021
Return-Path: <jamesb.fe80@gmail.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2D6D3A0E81 for <ntp@ietfa.amsl.com>; Tue, 27 Apr 2021 08:01:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.848
X-Spam-Level: 
X-Spam-Status: No, score=-1.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IuRPjpXkeLRQ for <ntp@ietfa.amsl.com>; Tue, 27 Apr 2021 08:01:48 -0700 (PDT)
Received: from mail-yb1-xb2e.google.com (mail-yb1-xb2e.google.com [IPv6:2607:f8b0:4864:20::b2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 37FE23A0E82 for <ntp@ietf.org>; Tue, 27 Apr 2021 08:01:48 -0700 (PDT)
Received: by mail-yb1-xb2e.google.com with SMTP id i4so32150976ybe.2 for <ntp@ietf.org>; Tue, 27 Apr 2021 08:01:48 -0700 (PDT)
X-Received: by 2002:a25:b44d:: with SMTP id c13mr33282082ybg.86.1619535706259;  Tue, 27 Apr 2021 08:01:46 -0700 (PDT)
MIME-Version: 1.0
References: <61c01bcb-0f07-27e0-f809-1bee2aa31f71@Udel.edu>
In-Reply-To: <61c01bcb-0f07-27e0-f809-1bee2aa31f71@Udel.edu>
From: James Browning <jamesb.fe80@gmail.com>
Date: Tue, 27 Apr 2021 08:00:00 -0700
Message-ID: <CAFTY+dBwFywJX24zqEkP5uEP9sR2bjwhvO41tVXCyTewZ_92VQ@mail.gmail.com>
To: NTP WG <ntp@ietf.org>
Cc: David Mills <Mills@udel.edu>, James Browning <jamesb.fe80@gmail.com>
Content-Type: multipart/alternative; boundary="00000000000079051a05c0f58ac6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/MKDSGKIzwUU_jzOPM5xeBI3dkrc>
Subject: Re: [Ntp] Protocol and Security Enhancements for the Network Time Protocol (NTP)
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Apr 2021 15:01:50 -0000

--00000000000079051a05c0f58ac6
Content-Type: text/plain; charset="UTF-8"

Many weeks late and totally lacking funds here are some comments I made
while reading through the autokey3 document and mostly not understanding
it. Also, I am clear as mud.

= begin dump =

pre didn't I hear some apocryphal thing about Asimov actually hating the
three laws and going out of his way to try and prove they were flawed and got
annoyed that people associated them with him.

2.1 Is fragmentation and consequences eeevil or just annoying...
    reserve type/length? zero for legacy crap mac please not. shove into an
extension.
    Ah, no critical bits no errors...
    a type 3 instead of just request/response the dogleg...

2.2 no server persistent state you say...
    it does not shove persistent bits of the state info into the keys
list...

2.3 interesting choices using RSA and SHA[23] in 256-bit modes isn't RSA256
kind of weak sauce though.

3.2 usually DNS and PKI are available.
    what onwire proto tests? association keys?

3.6 root nodes not singular, or ntp-tree not network initially
    topology changes due to hosts getting their act together (only early?

4.  re-order 'format, private key, and onwire' to 'format, onwire, private
key'
    Ah, checking the signing before checking the contents.

4.1 see 2.1 remarks for snark about legacy MAC crap

4.2 thought it was 1-65535? I thought key 0 was reserved as a not a key?
    invasion from foreign nationals?
    append to 4
    expire autokeys after N time unused >35minutes probably
    expire autokeys after O longer time even if used >1week
    I don't think there is a SHA160

4.3 should it be earlier than the current outstanding packet unless P-random

433 totally unrelated to NTS I am sure

4.4 ensure? Yes, I am sure I noticed that thing from autokey in your notes
I never read.

4.5 it is so easy to create and set new variables in compiled code.
    Also not well explained to me, but I are dum

451 what is skew again? expressed differently, please

452 compiled code, not script
453 sigh "

461 wordy and clear as mud to me

462 protected by mac not 'NAC', and I think annoyingly many rounds.

463 gethostname, not gethostbyaddr which is so wrong and deprecated. not
even partially qualified, pool unfriendly?

465 reject anything more than panic in the future and less than 2**(poll-1)
in the future.

5.3 the rub is that the lack of saved state really means the state is
pushed to mismanaged global state space

5.4 memory resources are scarce? maybe associate bloom filters for each
step and reset them periodically

5.5 no mention of people using the IERS leap file?

a.1 not just the globe random() function I suppose a Mersenne twister prng
is too hard. urban dogfights?

a.7 so much wrong... MRU by default starts at 37 entries and increases by
37/38 entries to a maximum of 9532ish. which can/should be adjusted in the
config file. furthermore, at 3000 distinct peers per second, the MRU list
starts growing in about a quarter of a second (not tens of seconds) and a
reasonable MRU size will be at least 3,072,000 which would chew up a
whopping 300MB of ram.

b3 shitting on NTS will not make autokey3 grow and may well have the
opposite influence.

--00000000000079051a05c0f58ac6--

