<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.21 (Ruby 2.6.10) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-dekok-protocol-error-01" category="bcp" consensus="true" submissionType="IETF" updates="2865, 2866, 5176, 6613, 6614, 7360, 7930" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.24.0 -->
  <front>
    <title abbrev="Protocol-Error">Standardising Protocol-Error</title>
    <seriesInfo name="Internet-Draft" value="draft-dekok-protocol-error-01"/>
    <author initials="A." surname="DeKok" fullname="Alan DeKok">
      <organization>InkBridge Networks</organization>
      <address>
        <email>aland@inkbridgenetworks.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="03"/>
    <area>Internet</area>
    <workgroup>RADEXT Working Group</workgroup>
    <keyword>Internet-Draft</keyword>
    <abstract>
      <?line 48?>

<t>We extend and standardise the Protocol-Error packet Code, first
defined in RFC 7930 for the Remote Authentication Dial In User Service
(RADIUS) protocol.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-dekok-protocol-error/"/>.
      </t>
      <t>
        Discussion of this document takes place on the
        RADEXT Working Group mailing list (<eref target="mailto:radext@ietf.org"/>),
        which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/radext/"/>.
        Subscribe at <eref target="https://www.ietf.org/mailman/listinfo/radext/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/freeradius/protocol-error.git"/>.</t>
    </note>
  </front>
  <middle>
    <?line 54?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>The Remote Authentication Dial In User Service (RADIUS) protocol is
designed as a request / response protocol, where clients send requests
to servers, and servers send responses to clients.  There are a few
different types of requests defined, and each type of request has one
or more associated valid responses.  However, these requests and
responses are limited to indicating success or failure of the
requested action, such as authentication or accounting.</t>
      <t>There is no way for clients and servers to exchange information about
their state, or their inability to perform the requested action.
Instead, for actions such as authentication, servers can only reply
with accept, reject, or simply fail to respond to the request.  There
is no way for the server to respond to a client with an error
indicating "invalid request" or "unable to answer this request".</t>
      <t>The result is that when the server experiences a failure, it either
stops responding to requests, or returns a type-specific response
which is arguably wrong.  Depending on the kind of failure, the server
may stop responding to only one request, or else the server could stop
responding to all requests.  The client then has to make sense of the
situation where some requests get a positive acknowledgement (ACK)
response, other requests get negative acknowledgement (NAK) response,
and other requests simply never see a response.</t>
      <t>This failure for the server to respond meaningfully means that the
client has no way of knowing if the server is slow, is off line, or
else if the server is a proxy and one of the next hops has failed.
The only course of action that the client can take is to guess as what
it should do when the server fails to respond.  Such guesses are
likely to be wrong.  Incorrect decisions based on incomplete knowledge
contribute to network instability and to congestive collapse.</t>
      <t>This failure of RADIUS to provide for protocol level signaling has
caused issues with deployments for decades.  The network as a whole
operates not because the underlying protocol is robust, but instead
because of local workarounds built by implementers and operators.  It
is time to address this deficiency.</t>
      <t>This document standardises the Protocol-Error packet code, which was
first defined as an experimental code in <xref section="4" sectionFormat="comma" target="RFC7930"/>.  This
packet code allows for servers to reply to any request with a
Protocol-Error packet, which serves as an explicit protocol layer
signal that the server has received a request, but is unable to
process it.  The Protocol-Error packet contains an Error-Cause
attribute (<xref section="3.1" sectionFormat="comma" target="RFC3576"/>) which indicates whether the error
is limited to just this packet or to the connection as a whole.  The
Error-Cause attribute also indicates whether this error is temporary
or permanent.</t>
      <t>Explicitly signaling errors for protocol-layer failures increases the
stability of the network, and decreases the likelihood of congestive
collapse on failure.</t>
      <t>Where <xref target="RFC7930"/> gives a very short description of the Protocol-Error
packet Code, this document gives a more detailed definition.  It
explains the reasons for standardising Protocol-Error, fully defines
the behavior of clients and servers with respect to Protocol-Error,
and gives suggestions for migrations paths for implementations and
deployments.</t>
    </section>
    <section anchor="terminology">
      <name>Terminology</name>
      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.
<?line -6?>
      </t>
    </section>
    <section anchor="review-and-motivation">
      <name>Review and Motivation</name>
      <t>This specification defines an extension to the RADIUS protocol which
makes significant changes to how the protocol operates in the event of
a failure.  In order to motivate this change, we need to describe the
historic issues with the protocol.  We describe how the request /
response nature of RADIUS is not, in fact, fully met: only some packet
types have a NAK response defined, and there are other cases where the
existing standards require that valid requests do not get any response
at all.</t>
      <t>The result is that the RADIUS protocol is missing an important piece:
signaling of protocol-level errors.  This section explains the
numerous situations where these errors are not signaled, and what
impact this problem has for running networks.</t>
      <section anchor="request-response-packets">
        <name>Request / Response Packets</name>
        <t>This section reviews what types of request and responses are defined
in RADIUS, along with their behavior.</t>
        <t>The Access-Request packet Code is defined in <xref section="4.1" sectionFormat="comma" target="RFC2865"/>,
with Access-Accept (<xref section="4.2" sectionFormat="comma" target="RFC2865"/>) as an ACK indicating
that authentication has succeeded, and Access-Reject (<xref section="4.3" sectionFormat="comma" target="RFC2865"/>) as an explicit NAK that authentication has failed.</t>
        <t>The Accounting-Request packet Code is defined in <xref section="4.1" sectionFormat="comma" target="RFC2866"/>, with Accounting-Response defined in <xref section="4.2" sectionFormat="comma" target="RFC2866"/>,
as an ACK that the accounting data has been stored.  There is,
however, no corresponding NAK which indicates that accounting has
failed.  Instead, <xref section="4.1" sectionFormat="comma" target="RFC2866"/> states:</t>
        <ul empty="true">
          <li>
            <t>Upon receipt of an Accounting-Request, the server MUST transmit an
Accounting-Response reply if it successfully records the
accounting packet, and MUST NOT transmit any reply if it fails to
record the accounting packet.</t>
          </li>
        </ul>
        <t>Failing to acknowledge a request with a response is, at best,
impolite.  More practically, it causes problems with networks.  These
problems will be discussed in more detail later in this document.</t>
        <t>The CoA-Request packet code is defined in <xref section="2.2" sectionFormat="comma" target="RFC5176"/>,
along with CoA-ACK to indicate that the change was successful, and
CoA-NAK as an acknowledgement that the change of authorization action
could not be performed.</t>
        <t>The Disconnect-Request packet code is defined in <xref section="2.1" sectionFormat="comma" target="RFC5176"/>, along with Disconnect-ACK to indicate that the disconnection
was successful, and Disconnect-NAK as an acknowledgement that the user
or device could not be disconnected.</t>
        <t>While most requests have an ACK and NAK response defined,
Accounting-Request packets only have an ACK response defined.  If a
request does not receive a response, clients retransmit as
per<xref section="2.2.1" sectionFormat="comma" target="RFC5080"/>.  For Accounting-Request packets, these
retransmits are unlikely to yield a positive response.</t>
        <t>Even when the request has a NAK response defined, there are still
situations where a valid request could never have a response returned.
Some implementations choose to discard well-formed and authentic
packets, in violation of previous specifications.  Even where
implementations follow the specificiations there are many cases where
those specifications suggest or even require that a server discard
authentic requests, and therefore never send a response.</t>
      </section>
      <section anchor="silently-discard">
        <name>Silently Discard</name>
        <t>The existing RADIUS specifications require that a server "silently
discard" requests without a response for many reasons.  In some cases,
this discard process is necessary for security reasons, such as when
the Message-Authenticator (<xref section="5.14" sectionFormat="comma" target="RFC2869"/> fails
verification.  Discarding packets for security reasons is necessary,
and this specification does not change that behavior.</t>
        <t>In other cases, this "silently discard" process is done for reasons
which are not related to security.  For example, a server could
discard a request which contains data that the server does not
understand, but which also does not affect the requested action.  Or,
the server could discard a request which has been authenticated, and
is well-formed, but which contains unexpected protocol state.</t>
        <t>In an ideal world, the server would instead either ignore only the
portions of the packet which it could not understand, or else the
server would respond to the client with an indication that the request
was improper.  A server could also respond to a request containing
invalid protocol state, and indicate that the request was authentic
and well-formed, but it could not be processed because it contained
unexpected protocol state.</t>
        <t>All of these issues are grouped under the term "silently discard",
which is defined in <xref section="1.2" sectionFormat="comma" target="RFC2865"/> as:</t>
        <ul empty="true">
          <li>
            <t>This means the implementation discards the packet without
further processing.  The implementation SHOULD provide the
capability of logging the error, including the contents of
the silently discarded packet, and SHOULD record the event
in a statistics counter.</t>
          </li>
        </ul>
        <t>The specifications for other packet Codes contain the exact same text
in <xref section="1.2" sectionFormat="comma" target="RFC2866"/>, and in <xref section="1.3" sectionFormat="comma" target="RFC5176"/>.</t>
        <t>While there is not a lot of quantitative data publicly available,
these silent discards are colloquially known to be a large source of
instability in RADIUS deployments.  There has been substantial work
done by server implementations and operators of proxy networks to
stablize the network by attempting to determine whether or not the
lack of a response indicates an actual failure, or only an illusory
one due to the limitations of the RADIUS protocol.</t>
        <t>One ad-hoc workaround to failures involves increasing the number of
Status-Server checks <xref target="RFC5997"/>, in violation of the <xref section="2.6" sectionFormat="comma" target="RFC2865"/> suggestion of "Keep-Alives Considered Harmful", which we
quote in full here:</t>
        <ul empty="true">
          <li>
            <t>Some implementers have adopted the practice of sending test RADIUS
requests to see if a server is alive.  This practice is strongly
discouraged, since it adds to load and harms scalability without
providing any additional useful information.  Since a RADIUS request
is contained in a single datagram, in the time it would take you to
send a ping you could just send the RADIUS request, and getting a
reply tells you that the RADIUS server is up.  If you do not have a
RADIUS request to send, it does not matter if the server is up or
not, because you are not using it.</t>
            <t>If you want to monitor your RADIUS server, use SNMP.  That's what
SNMP is for.</t>
          </li>
        </ul>
        <t>Experience has shown that this analysis is incomplete.  SNMP is not
suitable for monitoring servers across the wider Internet, and it is
not suitable for monitoring servers in a different administrative
domain.  The quoted text also does not address the situation where a
server is responding to only a subset of requests.  This position is
implied in <xref section="2" sectionFormat="comma" target="RFC5997"/>, which says:</t>
        <ul empty="true">
          <li>
            <t>The Status-Server packet is not a "Keep-Alive" as discussed in
<xref section="2.6" sectionFormat="comma" target="RFC2865"/>.  "Keep-Alives" are Access-Request packets
sent to determine whether a downstream server is responsive.  These
packets are typically sent only when a server is suspected to be
down, and they are no longer sent as soon as the server is available
again.</t>
          </li>
        </ul>
        <t>In some cases, there is a sufficiently low volume of packets that the
large inter-packet spacing triggers these Status-Server checks.  In
other cases, implementations will send Status-Server when some
requests do not get a response, even if the server is actively
responding to other requests.</t>
        <t>Some implementations and deployments have chosen to continuously send
Status-Server requests, in contradiction to the recommendations of
<xref section="2.6" sectionFormat="comma" target="RFC2865"/>.  Feedback from those systems indicate that
this practice increases the information available to administrators,
and decreases operational outages.</t>
        <t>The rest of this section describes in more detail the numerous
situations where requests are silently discarded.</t>
        <section anchor="unknown-attributes">
          <name>Unknown Attributes</name>
          <t>Some implementations discard requests when the request contains
attributes which the implementation does not recognize.  The behavior
of servers with respect to unknown attributes is defined by <xref section="5" sectionFormat="comma" target="RFC2865"/> which says that implementations:</t>
          <ul empty="true">
            <li>
              <t>MAY ignore Attributes with an unknown Type.</t>
            </li>
          </ul>
          <t><xref section="2.8" sectionFormat="comma" target="RFC6929"/> makes a stronger suggestion that:</t>
          <ul empty="true">
            <li>
              <t>It is RECOMMENDED that Attributes with unknown Type, Extended-Type,
TLV-Type, or EVS-Type are treated as "invalid attributes".</t>
            </li>
          </ul>
          <t>Despite this recommendation to ignore these unknown attributes, some
implementations will instead silently discard the entire request.
This behavior is not standards compliant, and is not allowed by any
interpretation of the text in <xref section="5" sectionFormat="comma" target="RFC2865"/>.</t>
          <t>For example, the BlastRADIUS mitigations (TBD) were negatively
affected by some implementations which would discard packets which
contain a Message-Authenticator attribute.  This behavior was seen in
2024, even though that the attribute had been defined decades earlier
in <xref section="5.12" sectionFormat="comma" target="RFC2869"/> (2000).  This failure to handle unknown
attributes in a reasonable manner made it difficult and expensive for
operators to secure their networks via the recommended BlastRADIUS
mitigations.</t>
        </section>
        <section anchor="invalid-attributes">
          <name>Invalid Attributes</name>
          <t><xref section="2.8" sectionFormat="comma" target="RFC6929"/> defines "invalid attributes" as attributes
where the Type is known, but the Value is malformed.  This topic was
not discussed in the previous RADIUS specifications, which led to a
wide range of implementation-specific behavior, including ones where
the packet would be silently discarded.</t>
          <t>The behavior of implementations with respect to invalid attributes was
clarified in <xref section="2.8" sectionFormat="comma" target="RFC6929"/>, which requires the following
behavior:</t>
          <ul empty="true">
            <li>
              <t>The existence of an "invalid attribute" in a
packet or attribute MUST NOT result in the implementation discarding
the entire packet ...</t>
            </li>
          </ul>
          <t>Even though this specification being over a decade old, some
implementations still do not follow this requirement.  Instead, some
implementations will silently discard the entire request.  This
behavior has caused wide-spread issues in proxy networks, most notably
with Operator-Name <xref section="4.1" sectionFormat="comma" target="RFC5580"/>.</t>
          <t>One widely used implementation had erroneously created a local
definition for attribute 126, which was then in conflict with
Operator-Name when that attribute was defined.  The implemenation also
discarded requests which contained invalid attributes.  The
combination of the two behaviors led to wide-spread outages and
significant effort by operators to perform a root-cause analyis and
then to correct the issue.</t>
          <t>The behavior of discarding authentic, but unexpected data violates the
robustness principle on which the Internet was founded.</t>
        </section>
        <section anchor="attribute-order">
          <name>Attribute Order</name>
          <t>XXXX attributes in "unexpected" order cause the packet to be dropped.</t>
        </section>
        <section anchor="unknown-state">
          <name>Unknown State</name>
          <t>In some cases, as server can receive a request which contains a State
attribute (<xref section="5.24" sectionFormat="comma" target="RFC2865"/>) with an unknown value.  This
situation can occur, for example, when EAP <xref target="RFC3579"/>
authentications are sent through a load balancer, and one of the final
home servers fails.  The load balancer does not necessarily know
anything about the underlying EAP session, and therefore may
redistribute requests for an ongoing EAP session to a server which is
unaware of that session.</t>
          <t>The result is that a home server receives a request which is in the
middle of an EAP session.  Since the server recieving the request did
not start the EAP session, it does not recognize the value of the
State attribute, and is unable to process the request.</t>
          <t>Some implementations will response with an Access-Reject.  Others will
silently discard the request.  Both behaviors cause problems, just
different ones.</t>
        </section>
      </section>
      <section anchor="unexpected-request-code">
        <name>Unexpected Request Code</name>
        <t><xref target="RFC2865"/> and <xref target="RFC2866"/> defined different ports for Access-Request
and Accounting-Request packets.  <xref target="RFC5176"/> defines a different port
entirely for both CoA-Request and Disconnect-Request packets.  In
contrast, <xref target="RFC6613"/>, <xref target="RFC6614"/>, and <xref target="RFC7360"/> define one port
for all request Codes.  Some implementations have also chosen to
accept multiple request Codes on one port, even for RADIUS/UDP.</t>
        <t>As more than one port is used for RADIUS, there is a potential for
mismatched configuration between a client and server.  Each RADIUS
specification (<xref section="3" sectionFormat="comma" target="RFC2865"/>, <xref section="3" sectionFormat="comma" target="RFC2866"/>, and
<xref section="2.3" sectionFormat="comma" target="RFC5176"/>) has the same text related to receiving
packets:</t>
        <ul empty="true">
          <li>
            <t>The Code field is one octet, and identifies the type of RADIUS
packet.  Packets received with an invalid Code field MUST be
silently discarded.</t>
          </li>
        </ul>
        <t>However, this text does not address the issue where a client sends a
packet which is authenticated, but where the request Code is
unexpected.  It is reasonable for the server to not perform the
requested action, as there is no requirement for every server to
support every possible request Code.  It is not reasonable, however,
for the server to fail to respond to authentic requests.</t>
        <section anchor="accounting-failure">
          <name>Accounting Failure</name>
          <t><xref section="4.1" sectionFormat="comma" target="RFC2866"/> says that servers need to respond to
Accounting-Request packets when the accounting action is successful,
but not when the accounting action fails:</t>
          <ul empty="true">
            <li>
              <t>Upon receipt of an Accounting-Request, the server MUST transmit an
Accounting-Response reply if it successfully records the
accounting packet, and MUST NOT transmit any reply if it fails to
record the accounting packet.</t>
            </li>
          </ul>
          <t>In other words, servers are mandated to silently discard packets which
are authentic, and which are sent to the correct destination.  The
packets are discarded not because the server is offline, but are
discarded instead due to a transient operational failure.</t>
        </section>
        <section anchor="network-loss-and-fragmentation">
          <name>Network Loss and Fragmentation</name>
          <t>When RADIUS/UDP is used, it is possible for either valid requests or
responses to be lost in the network.  RADIUS/UDP has another issue
noted in <xref section="2.4" sectionFormat="comma" target="RFC3579"/>, which notes that packets can be
fragmented.  <xref section="1" sectionFormat="comma" target="RFC6613"/> also notes that:</t>
          <ul empty="true">
            <li>
              <t>Transport of fragmented UDP packets appears to be a poorly tested
code path on network devices.  Some devices appear to be incapable
of transporting fragmented UDP packets, making it difficult to
deploy RADIUS in a network where those devices are deployed.</t>
            </li>
          </ul>
          <t>RADIUS/TCP and RADIUS/TLS are only partial solutions to the above
problems.  While they solve the fragmentation issue, there is still
the issue where a server can receive a request, and then the
connection can drop before the response is sent.  From the clients
point of view then, the request was sent, and then was silently
discarded by the server.</t>
          <t>This specification cannot address the issue where packets are lost due
to connection failures.  We simply note that issue here for
completeness.</t>
        </section>
        <section anchor="proxy-chains">
          <name>Proxy Chains</name>
          <t>Even when none of the above problems are seen, a server which is
correctly configured, operating normally, and responsive could still
fail to respond when it is acting as a proxy.  A proxy is conceptually
just a server which then acts as a client to another server.  The
client side of the proxy can therefore run into the above issues when
the next hop in the proxy chain fails to respond to a request.</t>
          <t>When the next hop fails to respond to the proxied request, there is
very little meaningful action that the proxy can take.  It can
sometimes send the request over a different connection to the same
server, or to a different server entirely.  At some point, a proxy
will run out of options, and decide that it is unable to forward the
packet.  It then has to determine the correct course of action.</t>
          <t>A proxy could originate an answer itself (e.g. Access-Reject, CoA-NAK,
etc.), in the interest of replying to the client.  Or, it may just
silently discard the request.  As noted earlier, both of these
behaviors have problems.</t>
        </section>
        <section anchor="mismatched-timers">
          <name>Mismatched Timers</name>
          <t>When a client sends a request, it has to set a timeout as per
<xref section="2.2.1" sectionFormat="comma" target="RFC5080"/> in case it never sees a response.  This
timeout is set not just on the NAS which originated the request, but
also on any proxy which forwards the request.</t>
          <t>Since there are multiple clients involved in forwarding a packet,
there is the near-certainty that different parts of the proxy chain
will have different timers.</t>
          <t>One possibility is that a client will have shorter timers than a
subsequent proxy.  The client will therefore give up on the request
while a subsequent proxy erroneously believes the request to still be
active.  This specification does not help with that issue.  Fixing
that would require additional protocol-layer signaling as to timer values.</t>
          <t>Another possibility is that client will have longer timers than a
subsequent proxy.  The proxy will then give up on the request while
the client is still waiting for a response.  In that case, the proxy
has the same two choices as noted earlier for similar situations:
either synthesize a response, or silently discard the request.</t>
        </section>
      </section>
      <section anchor="impact">
        <name>Impact</name>
        <t>Thare a number of impacts which result from NAK responses which do not
distinguish between different types of failures, and frqqrom requests
simply disappearing into the network without response.</t>
        <t>It may seem useful for a server or a proxy to NAK an action which it
cannot perform, but this response is not appropriate for a number of
reasons.  The most relevant one is that the NAK is an inaccurate
response.  A NAK response is typically made when the packet containing
a requested action is authentic and expected, but where the action
itself is not appropriate.  For example, the requested action could
violate a policy, or else request that action be taken for a user
session which does not exist.</t>
        <t>In contrast, sending a NAK response for protocol-layer issues is
overloading a NAK to contain protocol-layer signaling, which is
inappropriate.  An NAK informs the user or device that its requested
action is inappropriate.  It does not inform any network element that
there is a protocol-layer problem.</t>
        <t>For example, if a user is attempting to access the network, an
Access-Reject is normally interpreted as indicating that the users
credentials are invalid.  Sending an inappropriate Access-Reject could
result in the user device taking an action such as invalidating or
discarding the users password.  The user device could even present the
user with a prompt which indicates that the password is incorrect, and
that the user should re-enter it.  Such actions are likely to confuse
the user, and to cause problems for network administrators.</t>
        <t>For accounting, the situation is made worse by the behavior of
Acct-Delay-Time (<xref section="5.2" sectionFormat="comma" target="RFC2866"/>).  Instead of retransmitting
the same request over a long period of time, the client instead
updates the Acct-Delay-Time attribute, and sends a new request.  This
behavior greatly decreases the time available for a server to respond
to a request.  It also negates the benefits of the <xref section="2.2.2" sectionFormat="comma" target="RFC5080"/> packet deduplication cache, and the multiple new packets then
contribute to congestive collapse of the network.</t>
        <t>The impact for CoA-Request and Disconnect-Request packets is similar:
either an inappropriate NAK is sent back, or the request never sees a
response.</t>
        <t>The lack of responses contributes to network instability.  When a
client sends a request which never yields a response, it can only
assume that the server is down.  The client may then fail over to a
different server, or open new connections to the same server, or
simply stop sending packets to the server.</t>
        <t>In contrast, a server instead could respond to the client with a
protocol-layer signal indicating that the request was received but not
acted on.  The client could then be better informed, and would be more
likely to take an appropriate action to address the issue.  The result
would then be increased network stability, and decreased congestion.</t>
        <t>This specification standardizes the Protocol-Error packet Code as a
response packet which carries this signal about protocol-layer issues.</t>
      </section>
    </section>
    <section anchor="protocol-error-code">
      <name>Protocol-Error Code</name>
      <t>This document make the RADIUS packet Code 52 (Protocol-Error) standard
instead of experimental, as an update to <xref target="RFC7930"/>.  In order to
have one document defining this RADIUS packet Code, the definition of
Protocol-Error is repeated here with only minor edits from the
original in <xref section="4" sectionFormat="comma" target="RFC7930"/>.</t>
      <t>The Protocol-Error packet Code may be used in response to any request
packet, such as Access-Request, Accounting-Request, CoA-Request, or
Disconnect-Request.  It is a response packet sent by a server to a
client.  The packet indicates to the client that the server is unable
to process the request for some reason.</t>
      <t>A Protocol-Error packet MUST contain an Original-Packet-Code
attribute, along with an Error-Cause attribute.  Other attributes MAY
be included if desired.  The Original-Packet-Code contains the code
from the request that generated the protocol error so that clients
can disambiguate requests with different codes and the same ID.
Regardless of the original packet code, the RADIUS Server calculates
the Message-Authenticator attribute as if the original packet were an
Access-Request packet.  The identifier is copied from the original
request.</t>
      <t>Clients processing Protocol-Error MUST ignore unknown or unexpected
attributes.</t>
      <t>This RADIUS packet Code is hop by hop.  Proxies MUST NOT simply
forward a Protocol-Error response that they receive. Instead, a proxy
MUST examine the Error-Cause attribute to determine whether the error
is due to a fault at the home server, or if it is a fault in
the RADIUS proxy network.</t>
      <t>Where the Error-Cause value indicates a fault in the RADIUS proxy
network, the proxy which receives the Protocol-Error SHOULD try to
proxy the request over a different connection to the same destination,
or to a different destination.  That is, it should try to re-proxy the
original request, as if it had just been received.  This re-proxy
process MUST NOT send the packet over the same connection as the
previous proxied packet.</t>
      <t>Futher handling of proxy fail-over is out of scope of this
specification.</t>
      <t>The following values for Error-Cause indicate a fault in the RADIUS
proxy network.  Other values for Error-Cause are possible, and may be
defined in a future specification:</t>
      <ul spacing="normal">
        <li>
          <t>502, Request Not Routable (Proxy)</t>
        </li>
        <li>
          <t>505, Other Proxy Processing Error</t>
        </li>
      </ul>
      <t>The remainder of the Error-Cause values SHOULD be interpreted as
originating at the home server.  The proxy SHOULD return the
Protocol-Error to the client, and include the Error-Cause attribute
from the response to the Proxied Request.</t>
      <section anchor="impact-on-existing-systems">
        <name>Impact on existing systems</name>
        <t>TBD - clients ignore packet Codes they don't understand.  Therefore
Protocol-Error is always safe to send.  Even if the client does not
process it and take action, an administrator can see the packet and
take action.</t>
      </section>
      <section anchor="negotiation-and-configuration">
        <name>Negotiation and Configuration</name>
        <t>TBD - no negotiation, but configuration based on agreement of
administrators of client and servers.</t>
        <t>TBD - if a proxy knows that a client does not understand
Protocol-Error, it MAY instead respond to the client with a relevant
NAK packet.  This SHOULD NOT be done when the client is another proxy,
but only when the client is a NAS.</t>
      </section>
      <section anchor="when-to-send-protocol-error-responses">
        <name>When to send Protocol-Error Responses</name>
        <t>TBD - mainly authentic packets, where there is no NAK
(Accounting-Request), or where the NAK is not appropriate (unknown EAP
State, etc.)</t>
        <t>See the (TBD Solutions) section below for more details.</t>
      </section>
    </section>
    <section anchor="original-packet-code-attribute">
      <name>Original-Packet-Code Attribute</name>
      <t>This document standardizes the Original-Packet-Code attribute, which
was originally defined in <xref target="RFC7930"/>.</t>
      <t>Description</t>
      <ul empty="true">
        <li>
          <t>The Original-Packet-Code contains the packet Code from the request
that generated the Protocol-Error response.  It allows clients to
disambiguate requests with different packet Codes which use the same
ID.</t>
          <t>The Original-Packet-Code attribute MUST NOT be sent in any packet
Code other than Protocol-Error.</t>
          <t>A client which receives a Protocol-Error in a packet Code other than
Protocol-Error MUST treat it as an "invalid attribute" as per
<xref section="2.8" sectionFormat="comma" target="RFC6929"/>.</t>
        </li>
      </ul>
      <t>Type</t>
      <ul empty="true">
        <li>
          <t>241.4</t>
        </li>
      </ul>
      <t>Length</t>
      <ul empty="true">
        <li>
          <t>6</t>
        </li>
      </ul>
      <t>Data Type</t>
      <ul empty="true">
        <li>
          <t>integer</t>
        </li>
      </ul>
      <t>Value</t>
      <ul empty="true">
        <li>
          <t>The Value is taken from the original request packet Code which was
received by the server.  Values which are not in the the IANA
"RADIUS Packet Type Codes" registry are likely to be invalid.</t>
          <t>A client which receives an Original-Packet-Code attribute that does
not match any outstanding request MUST silently discard the response.</t>
        </li>
      </ul>
    </section>
    <section anchor="fewer-silent-discard">
      <name>Fewer Silent Discard</name>
      <t>This section defines new behavior which addresses the issues noted
above in <xref target="silently-discard"/>.</t>
      <section anchor="invalid-attributes-1">
        <name>Invalid Attributes</name>
        <t>We reiterate here the mandate of <xref section="2.8" sectionFormat="comma" target="RFC6929"/>:</t>
        <ul empty="true">
          <li>
            <t>The existence of an "invalid attribute" in a packet or attribute
MUST NOT result in the implementation discarding the entire packet
...</t>
          </li>
        </ul>
        <t>Implementations which discard packets due to invalid attributes are
not standards compliant.</t>
      </section>
      <section anchor="unknown-attributes-1">
        <name>Unknown Attributes</name>
        <t>Some implementations discard requests when the request contains
attributes which the implementation does not recognize.  This behavior
is permitted by <xref section="5" sectionFormat="comma" target="RFC2865"/> which says that
implementations:</t>
        <ul empty="true">
          <li>
            <t>MAY ignore Attributes with an unknown Type.</t>
          </li>
        </ul>
        <t><xref section="2.8" sectionFormat="comma" target="RFC6929"/> makes a stronger suggestion that:</t>
        <ul empty="true">
          <li>
            <t>It is RECOMMENDED that Attributes with unknown Type, Extended-Type,
TLV-Type, or EVS-Type are treated as "invalid attributes".</t>
          </li>
        </ul>
        <t>We update <xref target="RFC2865"/>, <xref target="RFC2866"/>, <xref target="RFC5176"/> and <xref target="RFC6929"/> here
to say that implementations MUST NOT silently discard packets which
contain attributes of an known Type, Extended-Type, TLV-Type, or
EVS-Type.  This mandate applies to all RADIUS packets, for all values
of the packet Code field.</t>
        <t>Note that this prohibition does not apply to known attributes which
have unknown values.  For example, <xref section="5.6" sectionFormat="comma" target="RFC2865"/> says that
for the Service-Type attribute:</t>
        <ul empty="true">
          <li>
            <t>A NAS is not
required to implement all of these service types, and MUST treat
unknown or unsupported Service-Types as though an Access-Reject
had been received instead.</t>
          </li>
        </ul>
        <t>That requirement is not changed by this specification.</t>
      </section>
      <section anchor="unknown-state-1">
        <name>Unknown State</name>
        <t>TBD - try not to send Access-Reject.  Maybe recommend a new
Error-Cause value?</t>
      </section>
    </section>
    <section anchor="tbd">
      <name>TBD</name>
      <t>This section outlines some notes which should be addressed by further
discussion.</t>
      <ul spacing="normal">
        <li>
          <t>We may want to omit Proxy-State from Protocol-Error.  It isn't
needed for link-local signalling.  However, it is an odd corner
case, and it may be more consistent with other practices to leave it
it.  At the minimum, the client MUST accept Protocol-Error even if
it is missing Proxy-State.</t>
        </li>
        <li>
          <t>One new corner case provided by Protocol-Error is a next hop which
responds to all packets with Protocol-Error.  </t>
          <ul spacing="normal">
            <li>
              <t>Without Protocol-Error, the next hop won't reply, and the proxy
will think it's down, and do a fail-over.</t>
            </li>
            <li>
              <t>With Protocol-Error, the next hop is "up", and the proxy will
continually send packets to it.  Only for it to reply, and say "send
the packets elsewhere".  There isn't a way to signal that an entire
realm is down.</t>
            </li>
          </ul>
        </li>
        <li>
          <t>suggest to use Protocol-Error instead of CoA-NAK, as it's likely
better.  CoA-NAK goes back to the client immediately, and does not
allow for the packet to be proxied to a different destination</t>
        </li>
        <li>
          <t>Migration path needs to be addressed:  </t>
          <ul spacing="normal">
            <li>
              <t>servers MUST always accept Protocol-Error as a valid reply.</t>
            </li>
            <li>
              <t>existing clients will discard it, if they follow the RFCs.  But
some may misbehave.</t>
            </li>
            <li>
              <t>servers SHOULD have a flag which controls whether or not they send
Protocol-Error to clients.  The flag should be global and also per
client.  The default SHOULD be to enable it.</t>
            </li>
            <li>
              <t>if a client doesn't support Protocol-Error, the server can swap
the response to Access-Reject, CoA-NAK, etc.  This behavior could
likely also be configurable.</t>
            </li>
          </ul>
        </li>
        <li>
          <t>Add more Error-Cause valuesL  </t>
          <ul spacing="normal">
            <li>
              <t>unknown attribute</t>
            </li>
            <li>
              <t>invalid attribute, for malformed ones</t>
            </li>
            <li>
              <t>no room to add Proxy-State</t>
            </li>
            <li>
              <t>all next hops are down</t>
            </li>
            <li>
              <t>all next hops are busy</t>
            </li>
            <li>
              <t>next hop didn't get a response to its forwarded packet</t>
            </li>
            <li>
              <t>accounting failure (can't write data, etc.)</t>
            </li>
            <li>
              <t>CoA-NAK failure - unable to take requested action
              </t>
              <ul spacing="normal">
                <li>
                  <t>RFC8559 already says send NAK with Error-Cause</t>
                </li>
              </ul>
            </li>
            <li>
              <t>overload - try again later</t>
            </li>
            <li>
              <t>Perhaps also for TCP buffering issues?</t>
            </li>
          </ul>
        </li>
        <li>
          <t>require that implementations MUST check that packets are
well-formed, AND a reply to an outstanding request before checking
M-A in Protocol-Error.  "well-formed" here includes checking that
Original-Packet-Code matches an outstanding request.  </t>
          <ul spacing="normal">
            <li>
              <t>Proxies MUST replace Original-Packet-Code if they're sending a
Protocol-Error to the client.  Otherwise it could be wrong.</t>
            </li>
          </ul>
        </li>
        <li>
          <t>if a server sends a Protocol-Error response, and the client sends a
duplicate request, the server should reply with a duplicate response.
We don't know if the response was lost due to networking issues, or
if the client doesn't support Protocol-Error.</t>
        </li>
      </ul>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <t>IANA is instructed to update the "RADIUS Packet Type Codes" registry,
and change the Protocol-Error entry from Reference RFC7930 to
THIS-DOCUMENT.</t>
      <t>IANA is instructed to update the "RADIUS Attribute Types" registry,
and change the Original-Packet-Code entry from Reference RFC7930 to
THIS-DOCUMENT.</t>
    </section>
    <section anchor="privacy-considerations">
      <name>Privacy Considerations</name>
      <t>There are no privacy considerations in this specification.  It does
not add or change any transport protocols, and it does not change the
roles of any participant in the RADIUS ecosystem.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>This specification has no direct impact on security.  It does not add
or change any existing cryprography in RADIUS.  It is compatible with
all RADIUS standards, including (ALPN draft).</t>
      <t>This specification does, however, recommend ways that networks can be
better protected from a variety of problems, misconfigurations, and
erroneous implementations.  As a result, RADIUS proxy networks which
implement this specification should become more stable, and therefore
more secure.</t>
    </section>
    <section anchor="acknowledgements">
      <name>Acknowledgements</name>
      <t>This document came out of discussions both in the RADEXT WG, and in
the 2025 RADIUS Technical Conference in Tampere, Finland.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC2865">
          <front>
            <title>Remote Authentication Dial In User Service (RADIUS)</title>
            <author fullname="C. Rigney" initials="C." surname="Rigney"/>
            <author fullname="S. Willens" initials="S." surname="Willens"/>
            <author fullname="A. Rubens" initials="A." surname="Rubens"/>
            <author fullname="W. Simpson" initials="W." surname="Simpson"/>
            <date month="June" year="2000"/>
            <abstract>
              <t>This document describes a protocol for carrying authentication, authorization, and configuration information between a Network Access Server which desires to authenticate its links and a shared Authentication Server. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2865"/>
          <seriesInfo name="DOI" value="10.17487/RFC2865"/>
        </reference>
        <reference anchor="RFC3576">
          <front>
            <title>Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)</title>
            <author fullname="M. Chiba" initials="M." surname="Chiba"/>
            <author fullname="G. Dommety" initials="G." surname="Dommety"/>
            <author fullname="M. Eklund" initials="M." surname="Eklund"/>
            <author fullname="D. Mitton" initials="D." surname="Mitton"/>
            <author fullname="B. Aboba" initials="B." surname="Aboba"/>
            <date month="July" year="2003"/>
            <abstract>
              <t>This document describes a currently deployed extension to the Remote Authentication Dial In User Service (RADIUS) protocol, allowing dynamic changes to a user session, as implemented by network access server products. This includes support for disconnecting users and changing authorizations applicable to a user session. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="3576"/>
          <seriesInfo name="DOI" value="10.17487/RFC3576"/>
        </reference>
        <reference anchor="RFC5176">
          <front>
            <title>Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)</title>
            <author fullname="M. Chiba" initials="M." surname="Chiba"/>
            <author fullname="G. Dommety" initials="G." surname="Dommety"/>
            <author fullname="M. Eklund" initials="M." surname="Eklund"/>
            <author fullname="D. Mitton" initials="D." surname="Mitton"/>
            <author fullname="B. Aboba" initials="B." surname="Aboba"/>
            <date month="January" year="2008"/>
            <abstract>
              <t>This document describes a currently deployed extension to the Remote Authentication Dial In User Service (RADIUS) protocol, allowing dynamic changes to a user session, as implemented by network access server products. This includes support for disconnecting users and changing authorizations applicable to a user session. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5176"/>
          <seriesInfo name="DOI" value="10.17487/RFC5176"/>
        </reference>
        <reference anchor="RFC6929">
          <front>
            <title>Remote Authentication Dial In User Service (RADIUS) Protocol Extensions</title>
            <author fullname="A. DeKok" initials="A." surname="DeKok"/>
            <author fullname="A. Lior" initials="A." surname="Lior"/>
            <date month="April" year="2013"/>
            <abstract>
              <t>The Remote Authentication Dial-In User Service (RADIUS) protocol is nearing exhaustion of its current 8-bit Attribute Type space. In addition, experience shows a growing need for complex grouping, along with attributes that can carry more than 253 octets of data. This document defines changes to RADIUS that address all of the above problems.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6929"/>
          <seriesInfo name="DOI" value="10.17487/RFC6929"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC2866">
          <front>
            <title>RADIUS Accounting</title>
            <author fullname="C. Rigney" initials="C." surname="Rigney"/>
            <date month="June" year="2000"/>
            <abstract>
              <t>This document describes a protocol for carrying accounting information between a Network Access Server and a shared Accounting Server. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2866"/>
          <seriesInfo name="DOI" value="10.17487/RFC2866"/>
        </reference>
        <reference anchor="RFC2869">
          <front>
            <title>RADIUS Extensions</title>
            <author fullname="C. Rigney" initials="C." surname="Rigney"/>
            <author fullname="W. Willats" initials="W." surname="Willats"/>
            <author fullname="P. Calhoun" initials="P." surname="Calhoun"/>
            <date month="June" year="2000"/>
            <abstract>
              <t>This document describes additional attributes for carrying authentication, authorization and accounting information between a Network Access Server (NAS) and a shared Accounting Server using the Remote Authentication Dial In User Service (RADIUS) protocol described in RFC 2865 and RFC 2866. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2869"/>
          <seriesInfo name="DOI" value="10.17487/RFC2869"/>
        </reference>
        <reference anchor="RFC5080">
          <front>
            <title>Common Remote Authentication Dial In User Service (RADIUS) Implementation Issues and Suggested Fixes</title>
            <author fullname="D. Nelson" initials="D." surname="Nelson"/>
            <author fullname="A. DeKok" initials="A." surname="DeKok"/>
            <date month="December" year="2007"/>
            <abstract>
              <t>This document describes common issues seen in Remote Authentication Dial In User Service (RADIUS) implementations and suggests some fixes. Where applicable, ambiguities and errors in previous RADIUS specifications are clarified. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5080"/>
          <seriesInfo name="DOI" value="10.17487/RFC5080"/>
        </reference>
        <reference anchor="RFC6613">
          <front>
            <title>RADIUS over TCP</title>
            <author fullname="A. DeKok" initials="A." surname="DeKok"/>
            <date month="May" year="2012"/>
            <abstract>
              <t>The Remote Authentication Dial-In User Server (RADIUS) protocol has, until now, required the User Datagram Protocol (UDP) as the underlying transport layer. This document defines RADIUS over the Transmission Control Protocol (RADIUS/TCP), in order to address handling issues related to RADIUS over Transport Layer Security (RADIUS/TLS). It permits TCP to be used as a transport protocol for RADIUS only when a transport layer such as TLS or IPsec provides confidentiality and security. This document defines an Experimental Protocol for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6613"/>
          <seriesInfo name="DOI" value="10.17487/RFC6613"/>
        </reference>
        <reference anchor="RFC6614">
          <front>
            <title>Transport Layer Security (TLS) Encryption for RADIUS</title>
            <author fullname="S. Winter" initials="S." surname="Winter"/>
            <author fullname="M. McCauley" initials="M." surname="McCauley"/>
            <author fullname="S. Venaas" initials="S." surname="Venaas"/>
            <author fullname="K. Wierenga" initials="K." surname="Wierenga"/>
            <date month="May" year="2012"/>
            <abstract>
              <t>This document specifies a transport profile for RADIUS using Transport Layer Security (TLS) over TCP as the transport protocol. This enables dynamic trust relationships between RADIUS servers. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6614"/>
          <seriesInfo name="DOI" value="10.17487/RFC6614"/>
        </reference>
        <reference anchor="RFC7360">
          <front>
            <title>Datagram Transport Layer Security (DTLS) as a Transport Layer for RADIUS</title>
            <author fullname="A. DeKok" initials="A." surname="DeKok"/>
            <date month="September" year="2014"/>
            <abstract>
              <t>The RADIUS protocol defined in RFC 2865 has limited support for authentication and encryption of RADIUS packets. The protocol transports data in the clear, although some parts of the packets can have obfuscated content. Packets may be replayed verbatim by an attacker, and client-server authentication is based on fixed shared secrets. This document specifies how the Datagram Transport Layer Security (DTLS) protocol may be used as a fix for these problems. It also describes how implementations of this proposal can coexist with current RADIUS systems.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7360"/>
          <seriesInfo name="DOI" value="10.17487/RFC7360"/>
        </reference>
        <reference anchor="RFC7930">
          <front>
            <title>Larger Packets for RADIUS over TCP</title>
            <author fullname="S. Hartman" initials="S." surname="Hartman"/>
            <date month="August" year="2016"/>
            <abstract>
              <t>The RADIUS-over-TLS experiment described in RFC 6614 has opened RADIUS to new use cases where the 4096-octet maximum size limit of a RADIUS packet proves problematic. This specification extends the RADIUS-over-TCP experiment (RFC 6613) to permit larger RADIUS packets. This specification compliments other ongoing work to permit fragmentation of RADIUS authorization information. This document registers a new RADIUS code, an action that required IESG approval.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7930"/>
          <seriesInfo name="DOI" value="10.17487/RFC7930"/>
        </reference>
        <reference anchor="RFC5997">
          <front>
            <title>Use of Status-Server Packets in the Remote Authentication Dial In User Service (RADIUS) Protocol</title>
            <author fullname="A. DeKok" initials="A." surname="DeKok"/>
            <date month="August" year="2010"/>
            <abstract>
              <t>This document describes a deployed extension to the Remote Authentication Dial In User Service (RADIUS) protocol, enabling clients to query the status of a RADIUS server. This extension utilizes the Status-Server (12) Code, which was reserved for experimental use in RFC 2865. This document is not an Internet Standards Track specification; it is published for informational purposes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5997"/>
          <seriesInfo name="DOI" value="10.17487/RFC5997"/>
        </reference>
        <reference anchor="RFC5580">
          <front>
            <title>Carrying Location Objects in RADIUS and Diameter</title>
            <author fullname="H. Tschofenig" initials="H." role="editor" surname="Tschofenig"/>
            <author fullname="F. Adrangi" initials="F." surname="Adrangi"/>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="A. Lior" initials="A." surname="Lior"/>
            <author fullname="B. Aboba" initials="B." surname="Aboba"/>
            <date month="August" year="2009"/>
            <abstract>
              <t>This document describes procedures for conveying access-network ownership and location information based on civic and geospatial location formats in Remote Authentication Dial-In User Service (RADIUS) and Diameter.</t>
              <t>The distribution of location information is a privacy-sensitive task. Dealing with mechanisms to preserve the user's privacy is important and is addressed in this document. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="5580"/>
          <seriesInfo name="DOI" value="10.17487/RFC5580"/>
        </reference>
        <reference anchor="RFC3579">
          <front>
            <title>RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)</title>
            <author fullname="B. Aboba" initials="B." surname="Aboba"/>
            <author fullname="P. Calhoun" initials="P." surname="Calhoun"/>
            <date month="September" year="2003"/>
            <abstract>
              <t>This document defines Remote Authentication Dial In User Service (RADIUS) support for the Extensible Authentication Protocol (EAP), an authentication framework which supports multiple authentication mechanisms. In the proposed scheme, the Network Access Server (NAS) forwards EAP packets to and from the RADIUS server, encapsulated within EAP-Message attributes. This has the advantage of allowing the NAS to support any EAP authentication method, without the need for method- specific code, which resides on the RADIUS server. While EAP was originally developed for use with PPP, it is now also in use with IEEE 802. This memo provides information for the Internet community.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="3579"/>
          <seriesInfo name="DOI" value="10.17487/RFC3579"/>
        </reference>
      </references>
    </references>
  </back>
  <!-- ##markdown-source:
H4sIAHrLR2oAA+V9624cR7Lm/3yKWs6PkQbdHN1tCQvNoUX5mBjdVqLGM1gs
FtVd2WQdVVe160Kqx9C77LPsk218ccnMqq7m2OfXAseAbbJZlZfIyIgvrr1c
Ll1f9pV/kX3q87rI26Lsyvoq+9A2fbNuquXrtm1al69Wrb95Mf24aNZ1vqWX
izbf9MvCf2m+LHf2jMczywcP3bAr8t53L7JH3z97usB/ny2ypw+/o/8+e/bw
Mf/3ySL77vGzB/Tf548fONdhNf87r5qaRu/bwbty1/JPXf/owYPnDx65vPX5
i+yi7n1b+97dXr3IPp6dv/77ZfZz037BJv69bYad+3Ibn1qeY6FunfcvstV6
57phtS27rmzqy/2OZrp4ffmjc7vyRUb//CFb53U2dD7L2zbfZ/fKTZZXVbb3
3f2sabPrvLvOrn3rXZbRjl/gD/Rj17R96zfdCx6i8Jt8qPqOnrC/77fyZ/zq
8qG/btoXzi2zsqYPz06zc//X5gs9KKQ9q2gR9lHTXmEzX35oy+LKZ+98f0t7
xah+m5fVC1of0e3fyvrLip+o9YHTdbN1rm7abd6XN/4FvfDxx1ffP/zuif6I
k9EfHz/97pn+iDPSH589f/ScVlnWm8kgOM3443N788H3D+xNOuL4o02Iw7Yf
6cRp6BtfDzzoFY7NDpN+l521eeG/9v9W+n5zSmTAc2V/PaxeZJvWe/prOXR/
HvPeKT1BhF0us3zV9W2+pt9+9hkN4+siI0JlXWB6n/XXfsLf2S5ff/F99qop
/CLblG3XOzrPsvYFHRaWztyaEUn47Y9+2/Q+O6Mj9XVfEpcRY2XnZV7RmWWf
O99mn3x7U669u0e7u/j86X5mKz6VhW7Loqi8c38Ay7ZNMawxhnOXv2v47GD4
rOxo6V15hbXnXZZnrf9l8F2f/Zl+6nZNTRSwhxfZLdg6W1clTdRlHcilz3eO
GJmmuvFttxAayi/2lIzF/K7vn2bZJY+X499s429dUW429EndZz3duy5rNmH8
TCksg/t8fc3PJI/g4mUkGByRfdtgzK5r1iWJmCK7yasyWQVN/VNz62l9C5wQ
7TFMQ6O7uFosrSq3JcaglZd1wfQlIdIN67XvOlz4DTHi0PJSaDCnQ4GgfEoL
PHvN1B0fEb2ar9fNUGPAUz5MGqXssrrJbkmwgH+M1ilFaSH+6/o6r+mqh4tH
4+WrZugdTVG24OCemFM4kH4v63xVVmW/x9s73+ItZs7pak/dRU2/5kToDS8Q
H3ZHtrAIa4JIbOpqT+Ptqr27pTuIzfldv6CP/sOve15MV27pz0wxLEQIzaRN
1mKM4cakwBMy3eTVXKmUyax1xrfcJYd1UtbGATzDCdZyMhBNKs8j1N0thr2m
Ge0RORDMQ3Iap9Jf5z1uQJ2uxH8lYtLkazCLccIiK/vM02J8Sxqr2XW2WqyF
1y7MxiRpfT+0Nd4GPy+7nV+Xm3IdmNXdXpdE+xLMeDXQivfZbdsQw2Qk/nde
Bm1kUaTeCrBhWEdcqdsSGbGYyVr40OjW2KJ4Tb5Swae7JCatCn7bjd+G3rPd
yLHZWYBN+EbSU9v8C4aCLNE70pX9IEwrIqVrtskdvCLhmme7hp4ihUJ89KVu
bitPimuLoe+dvfrr/XBJacEg9Pjt2l/l8+++O/vr/UDbhcO9mryvPFpDPNCq
PQtFeZ55gk7Cbvxxttz6vCYabYaKhsIvyj/YvFIIxFH2JqpgmSBquUlHpLm6
qrld4IdmsyFZVPOtdnxCB8/mkNVf9ywtcKZCbdrKV5oOfIg5sXhfnDJ38+nT
6bZyNHLbw0rtLHG5e5xhycd5NUDw0Ui39JwjVu+umT+K5uB6YK4uoQvxyCdI
Eh5C5Kuryi++Yrm08oG1L+p107YkNkjur8uOZdAq7zz2RcKMcMuu8qT1wum6
dUOasVwNPd9oRTgAT71JvlzEBT14RQcN7iClVuW7w3MlUoimZGnZNjdlIYcd
9GZF3FFlUJwkV+jYiLAEHwcskIAj7U6EUUHSsNlvWYTjfdoM4RW7KrZIVry3
1w1p+IbECUAxcUZP9OAhmaBDXfi22mOuRHlnbbMacGlp37xXEtzOXqNdVM2a
YAAmyQk91QURcShJnK32Gbic7wTENzMMT920WN1FD+Hbl1sRj0XR4shZPkIP
ryHx9kY1gvsDX64ENnV34KY14yYRa7dEN0ZQpt+ZGLXKVYxK68cLQFa//qqw
cEGIRlj1ybdvTEzCMcnokEvNrZA80Zqsm0Te7wNqEKXhZpdqq+Qxuri0iijQ
J8yQ7yHpmRni5dErgCtHjOyJ34qIr/TEuiwoIUfDMaIoVQEepR7RpKx5KfyH
5Suctst7Y/97TCfg9Uinx6cPv327r9tRzQgmvfYs/LBe1ZpdCnj+g5hLjl1n
b1pT1rSOWgeP/Csrd8m6sriuvOqa2blpeJ6c5Yvf7po2b/eAccQD27wmJiBW
e61kpxOM145f60ZXc8mnYVe5g7Agi1A50kVpEGQj30GBlXQ947MZC6byumlY
p0ax4UxsQBbpPLTAn1mTBR799o0sEeaajNhgDyHZgsu7dVvuBP9tZi6JGxkX
/eh+2XiMbgvfsyCXi1MyduOLC/5kBhFIlXeQnXwT7jDlCe2xqpJb2AFFkvi5
zm9KehG7n8GhfHMg2CGmiSsmI7JulSV3wxXTzlayLa/aXH7d5f21fBgEkv4F
SDyRn6ewfi6JIcq6qZqrvcCzL34P8UaC7eTt50+XJwv5f/buPf/88fX/+Hzx
8fU5fv7009mbN+EHp098+un95zfn8af45qv3b9++fncuL9On2egjd/L27B8n
wjYn7z9cXrx/d/bmBFJqfGawIES1lRC1O4J7LOSccMJKbMYfXn34v//n4RPi
nv8Gg/nhw+fEPvILrHH6BZp1oYodEJB/pVPau3y38zkQPqOxdb4rSWbCCOvA
c7c1+yJO3X//C8BDtnz2l5cOpPzob0p/yyO+bYitc7MogTkUhApEU54Q2Uc2
cscYQaSAqskgClnAOAC+jq8pjwIIweYKS2FaE78a3gk6rxTsQKqV3mg2LgBq
BgQkewoBWVtZrxdSy9AkqnGZRWwZbfnK0zOk1QhRp4o5XQCN/rOP79j6giUc
oGZW5/0YHrCFQsK8hCCAjWOAr38h58TAVq60E5uW7hQgJeHQaGGPbNs+GMUC
TNcskAQnYz/+K22ITVC9z2KzlPxn0j0jSwecyFiCMTWrPTUr6Enil3krZ+5k
6W/sE6OJiRFKSOkeJ7srSbm9cFEmE3WiLGaYJFJa9TSJD9EaqZxyNd0WQihg
GrUMki133gQ9qILdyGxGMcGhWyKzKSuCRSRLBO7CxhpqoPEs+L3oAuAGmKvj
ox3EBz6pzq6BrrTlqyJ498AzwSsYewz0OB2cQUxFWmZF6iOwHhnkJlz1AM7Y
m7C0JSVKICuD7yNgIHGYBgwE3b4Qm1vHOWPTW5HA9OlHQAKCZciSSpwajg9/
4qUADdnZ4Qujd1gs7Pp0EhcneRwnCYAJPH9sCrNKjBrqFvkdFIloxwlFMqNI
HGt83+bfFgqR+goUCnciumuyIu9zXvjKk8kDCeOL4NEqu4W7NgdTDZOjTexm
kGEKxIQscXjYE0oSyD71yMwulrYq7p7uhXMvs8875lgCnLuebbp6hpypZyBj
hdm3ZKMS7qPnaZA5ogl6JpsTFp94v0Ta0WSsgXGPX6abMBDNOka1cjrRfjSm
2Yo0how4JbkMRyzyIz1pDoho3yfOS8H0Ub6WUIewp2jnEBQNIUAolbcAUjt4
gOkYaCvsuGHjKcgQ1RdBcvARk/hM/kxal9QGwar10HXCVQlCI+ug9+0BMFBO
f9WcTVl8fYTFJTJi5/5ImTTKFQzF3BpBdmLJi7vw1i4znx2fjMN7YEnh96nD
ZDoCOIpjE+U/1esoV05cRGK1moMx3Odzoo2YC/+pzbpHcp+TzSYjHt1zEZ7B
GDNbT0f5DRQgtmgdG/HsTB/tOM7Fm/75mq4ucQFtNChiUfwiUTD5LAJwR0Vf
J4AiHWX6NkQFHY95oInX1JGg9mdyJRYB0RMgDTeSjGjfCv0ffP9gxGw4ARr/
R9r/8SWqN93FMUUhDnV08uxLXxWpey9xrr0m5Bd9SKlf/xhgimCJMFFVuQP4
kI/xkJ2aF9N8RBN1xeIAPwG2TQ2SNZmCHaN5nDYBL4KcVbUUTucjDXrNBYIQ
Q5Oar3Kz+HYAEwx0UowNuWKbh+N7MvOmgT9DZLa+VuqfIgG2EKgJWCRtjuWO
5zFTjL28mHAEHXNTCbpBFzaU+KwDRt1AyJmbtC7GflLCV5/oDtSw18+VXL/+
odOPljrBN5EPAdIq6JyseX6NJzaY08FO4l2DjGiGPj1ctjtF57BJLDYF43Mm
2sKJfNa1Bm8M3SCPn/J2r/6k9dDCgaDjxPAOGJcN57d4/Movk5AcvRhw0vN4
sZ6ePoRxx6rP0abCpuHdl5VEzdfNzj9aoRjd/YwNZ6JAxTiTMsGgMK+itaGO
h0DhLFA4IUsBDzOja1mIBioMore+ytWLZEtW+eG/5uDvRTxKvpR2jKke5xGD
x4sx19S/Zjtz7CFlm0ica7ocOJ3C7vPNhp0Vc4GvLHvfLtxB1OPYqgL2S8Cs
AmQ40RLRkC4n7GWo4eKEuogmFqM4OQyYWIUX321VjODaLS9Lnb0aZsrIHsJt
ZBUBHAbrjO+OOplU3Srs7BPllZItCf240WyTQN0k3mYWRBo6UGKx2iVx1sLI
JxKfjYnLpzMK5UU5zYSCVWLBuzGdRBAdav1wSmm0kq/FwZGM6LDyxtx0JOZC
L8NCyJy768jOCAQKqRlusqMBN4GTFugFpjKvj8DgduZmLWKc725r7yGAH4kb
Bvtsplp4aaqxbOxuxAEiGendzdAy6+iuS467XB6Oon4xC4MIyl/nu8SRWjVX
VwzIzY0MvbeuhsI+BBEZbTQbepmZeUIAEDUxF3TSxBBgrxC9DD8Xkx0qY91l
jEW82dETzQHxJHItsR87O1MZ9yvcBl2OUIf/2rt5m5Cpbiw3h8cfwuINyK+P
oXwooaphU+yXISdm7CUyycJsN6zINCYq5DekAhAJYAnUGX3iEYKZ4HduSBXC
VOHIV62uRZohb68QRh3aNTC6S+NewQ2RhqOCrRpt2GEFMdCXGjFyLOBX+xBf
PPTPxpiRen2+7oOlBEsOa6jKf/rU044R8x5u/l5tOLKT2K3rQ0iATg2EA6tV
dG5sdCTWXLCaGa0T4KtixBsHDiEIsVRVQ9cgkkBDF4M36cXxjXwkHifOLjrH
9/ROXiyvm3USPsMISWDhpqluYoTBeL0etivsYeM+0SxDt/ykEu/ar4ksv/76
FzDP8+ffgaGm8BADzPhTHp0+g5Uf3Oh49OSv3u+WZxV72F/RZuh2tnSNfsrb
LVk4JyHE5t0vAzKE4KQkg539wSw9xigXLn1BxEWzY819HYxjtvs6TTboIV6F
YmyrK+ZiRc9B6TwNSWN95voLowGf9Aj1Enp7KcbT0BJkIsFMdFyz4M2Lgget
mlzQ9TVtjN4jS904OwozkU7inNzjVQ6IEGOQFKdNp3kyiEHzHLkdu+mql1hX
kPcqaWjMSm7rVZtvF+ak5tgorVL0I0fH980g7gtFwzssBx+KkuFYGv8p4bgQ
DuRgie/5TuRMVo5VksrqZOCJXzZSeNiJ3Yen1Nkrx0ijjGeRI4KiLxPjcIvb
2B4mEww7JBq8FAe3KURMYghvYJYv+1P3kh7TFdzCJ8w++roE6qXP2vGaF5w7
+end2w/MFnn/R80keMkfYuoNY9LXIbdGnJAczFA6gLPoePddyVg0ZgTgdHUU
gMJuKHsOsDL8lzWx71xjWPm6bTpRkLe4PyElVGU9fOKOPc7/YiBmlpi/lhck
0EpkF3LEsGi2xFOqX/k2FqxtpvA0BNp9Nk2RyV08mpkUnpzlt+/TnLlw7djU
RuJEx6ZlmTpaSBAlhj67TSXmne8NY/hsLMlUlwb1lkiiExhCqSuMBpgBMSzP
aHmpDDthxpp1hHdyqfp5bUF0J84gWvt8m02J1Jn4gV/iZbCkOCy334nbT8YO
cbWR/OqGTjEfq1pIK5osWMF7vQ0ZXFNiCPcceWskLj7JzzEtDz/pFTiCwX5i
hEbkgAPdSKoFYBLsf9I3w5ZFsW0j5BSJ/ucQ41KPp6P/M4e0JamNtlNwOqeU
2BZ2IwNwqu3ZzcnSazwAEwwbcLMRp8ThxO6Gw5SlNS4IqYEJT49ysohMsx4Z
idnHFBuWe2u4PWrN9CF5OjRDJ2dcTDRy9GnQbeD8oZyQRZ+EN4E/tzR2EeCC
u4Obf/S+WAGvbNoG2ZXsftmTnbbtxoaK68faME1RGKd0GsNIGk6QKYS4xNSP
GQsCxUTpkU4kZdrF4F4v2CKJaVm4s5u6qxXCcDTu0J0W82TbOQzPjp8/ZJ9r
QadnlvvRHTlAM66j42bq/DODOea3dCqg5gyexOHZXNWEPFXkmqfDMYyZT18Y
dNHJRIkxRqh1Bpc95ci8iUu5jpM9sgx9e/YPM9HPkn2o/Wwzo9iAKMjzILE+
5bDvaSYJq+cKnSBtIiDE1DzVBQvmJFdBVjWdNp1zkb3m3HdfLPlXCP03f5Of
Aahf/+0T/yJSk/hNUhhiWm0k2QkR3Llzompp8fnxHWJXvVBC5NEh2RciT2Yl
kLk9pqwnphxd98ijpxLEDVksqq5i1JwhQ0l4RXW9qjO4WuXACUq6kLUxguis
u+ft86dsBo78XHjjhyrvesVBZH6UV7qre5c/nN8njM6uVElaJWEofipZRTd3
cRTajzxUphQkB8Ns3PyIOzLQ21BCIBRHSmARkvZ+9ODRExXdgNpX10kwNCR2
XeeFmJB2WTTNMfN5S2CjTW3qsfMTrox7jx48eHDfVmEpmEgUoVOpAoOkAoC3
JW5HFo7bvK493LsFY3LAsHKNhAauFSAYyTAA0M1Fi9Uck14j8sFwvSnzsfCn
HSXH55LjU3l3ofcglXdHb7Gl08zdHg5BxUFCBgRfU3Aok0K8V/j4b3k18Ofb
vNKIm9KxbwjccHolmHoUnBS7TsMQsx53w4CVwJ7cARtnrQUAx8wYU9aNg1Lv
T1Mn8YjohWLGXR1RIanEPpzvUHIfEpI3viZQROtKwO7McdhWNcYgKljiLfA9
2jICEuZQBdskEls/PEVOAssD1szSuxbD4JZxU9/huMMCXqaSTUc8PbVYWbiT
Bw7/lWfq3wg+5vuYNfAkz8pWDp4ZcAvRpjKEXjhinSQiHBfQv0Uwa8JuOGJY
d5o8DUYjhmoh49WNSiQae5YWElilpaIaQvJe3uu1Xr6DI099LE/TGCYnSqhj
B7PQEiVde0x6yDK4MGsvsHFt6k5yqV3MtpT6mHCyDx89S5Kase1aYeWmIlDJ
TOvGy1Swg6BWGAbvxnBu6o5VREgGo4s+0wQ4JeEFZvnpndDcXJJpq7Iea7Pb
Jty3zi59ehKKJzm2kWb1+c0GSa2kpEZi1eqLSEY3Tb8UzwGb66WMwcTpNS9G
4zF82jOXP96F6M4XAZj449mZKo40TfSVxPga1vSODPV1SUTM2Jg27GiWPpN8
A/dewK9BjmfvkXPo3N/pn2ysgE7i9Ceamhiz9fWiine2aJvd7gAbwxTxB+Yf
q16xzPJ6FLefjYjlOsw0+XsCSU4fPeHs7wnevIH2sNsY/Q1cy7UmzSglYAHG
MLu+Pvug1+vx0++ef/vmxrlcahhI3kTLwikXD94KNahruH8m1SnE63SvrkEE
g+YcD1X2H70cEb6FPEt1hZM1tCeJBS5BGZwkbMSaCSy781zSO41gb3MYnwUM
KyFhuFN8wVHXdtVMxpBYlYXINHDjhjq/za0QMO/t4fkcyzxLtmwn3R0cdWlp
sU5qQFXtJGsJ/szEsKbhSlLw6pEO+SBl4RQCt0KhEVnKfsaA4seYUax2izku
XoYAnmM5nQWJk7mPWfCsM4Jn3xh0lGCIwCxOSx52swomapYfGhoiCjO5kpas
tWAnbFJmCnQiyQqfozAx3xNiRS7a+4i60U5DcChAuSLx+yHuKowzdmQ5zZs8
kjhDCw8xpQQi5pORnSjSSjIRVo1mfdlgk5SmwzkuaimTyuFxFkT07OFjgCD7
5YlFuaSO4fGzB2E5fGd5FXwvYuWfBNXAhnMnLL5ouDmDY8ZJZWi2pfvAcnk0
EKS0TaWmByYUoPrnz+cfEG7txGdBNyk+zEwIlR4fH/nTdg1ikAhvwRDYlt02
79fX9Dx0dHk1tIac+luO61uYO9Y8IEsHlcdqCIwR15zkjbQdhxMfK5ndbGYf
585em/fQIpNpRoWIC+BDPdyATzlBdsM5VmUnYpaY2kzcAgSgv8rQVkAdYjma
YZlZHnQsXIqhfoEVyTQMadkzOgvmk0JrLu/52s/7u1n/h6QtJT2cdnR0bpy+
0E1zLiS/wmyllJtELNvV5gIZ8Q0H2/GwhhMrS0qkZwq68y7yVd2kIFk0phT8
2ICuG3bMn/L5riF5u5pwfViZCF9b3SKzNGJ3uM6ZKurDfC1DNDGN9kexsKNk
O8wmDr4sU8hWWBGnuitRMTjxkuRdLS0tR0mYDgeHHd/xBmOB/yqZzSENi2ua
Ynm95vcVIaNqqgTHvh/uqBDBstRIWHKWBVIkL8OKbJF/Z+FRmAlpoCSaG9Oq
1OjHbzYbKU7GkaKsN75kPjsNwedCKL7fqdM6VtKBYbWHSfYG4Tls4Mc2vwpq
havt6kQnmOxfSMguXjK+j5IjNSmMIR0wakuxAtbsgkmu1iaRI5mFU1FrOSIW
WMBTiYMBmDiV5E+igwEP6q0y2gJok+Dc6M5YPgWtnKSWAHlAgcYhRNyDjCxY
UPIfBsmw0HB8XBxm+4MObFqOK0OeIY8HMhI1eNC6lqEhCc5Bo+uvOlaoZuMU
IA5lARjaWsDO82tZwH8tEePEQ8e3QmI4oagKutfWYmK96ZKFcLQCr7CG0fO5
fPWBGcV+ffNJiqgQ1tsR4IXi75pq0LxZuQBkLNzEZH5Ugln+Dhyv1Y2w+Sbl
PTn4BFlI5vGhDrvLkAtGiGD7pJgWj8NiJCJvmqDRQiEDX1/EmiTEFLqxuB3Z
KMwJXNbXW33gKB8O7yYz80eTJFrxOce7fTpbEkiLvEt/p8KD7xRdfScBOdum
pdFI8Z31XGgsk09G48EA1iy6D3teBcQH9gm9uubgUJI5XiemJZ9urOQQ6cd1
lAe2m0pCbocgaBDCROUTSscQk+MSkaTeS3oISG8M8MBUI/OCRCBBm0GphSYN
nAwpji3JOgEkHjCF40yRyRL5wGgQqUIPXTaaII4CQr2MLSaQEhQyQHkqbuUQ
TN92AKJLr0IokrRcZusdER3HPAzIftDdYZTBeaoyejTI3Bs2ahndWfFyOYZM
Vdn3cPOHphoHnSqS3eVfFE3Rbw6+FaTqdDHzxi6E+UaDhZVwpy4L2NtZ1oqU
vqcvWA8YNcpwor1WfOIyLuyonVi5RGx4Jug8mp262TWEK3mVea+8Ei1pOqVb
tXFdAOcX4+4qMSEi1ejTph4wmoxKzLFNW15B5XM1iTbAKfvOV5vsnj+9Oh0b
4YtMy4QWzvfr0/shD4rjYxpgZsyjAfwomiSxGltDCxo2wP+FDX/GMNgXFj9a
iKlr+bUumvdsXAbpLYLhbTTsLunk204ZcWpURGYre6NlxzkLYBiuHuhgB7jj
BTHs4M0lTzj0i+nSQgh1rtmILL8F8vIl1749784+6TUPpzKiCaMqxxgALmCC
l3KS8o4yyYG/xZxCVh9i1rZV/mgCI6MXHYNFlKFbFzSc3OG8Xa59C8cj2kiB
XRPvRN723UTUQEYI6/MxJc29+FjUFy9ITTNVg28sZJjb29w+AXYPvyuGf+44
54k2XPdBqF6m+elVlUg79CLgrLZRhgHyritv+VPJWKMwwMrTkDd+RGNmmF7K
/5zksYQa5/nii2tf7awI2JQcdHn5NVTfWr69VLwkiYyT/hax3lo4l+kijjpQ
9ky1whx1D2iruUu/ibTKeErZ+ghRMyaqi0Ig4CQCHaWARDiR0otyoeIcF2oR
+ciNHSG37EcSGDgRE1IeU27LKm+TOvIXTvF/t68hP+DUTPOS+KU75BG7By+4
uhxYSLrVhSTfTOrOuxBGZCcvJwClFWv2dwmxAWyBCEPZXQd/00zzOwNJoig2
7S+/YNzQck9REw0m0JzBtanzAKC1FCqpzboQUUyyamv5sXIaqtD4ZzloGowr
I63OM1SQOIWA6iixkHTMu4vp7ztUf7RoxKfTxAzpWIsF3tJ6ycrf5OKbHTUk
wDo4foRmdghPIPCR8M/ZuEQQr4YEP84MCE6GcScdXL2gDIKTZ+RlCnkE6xl3
kxbAqu483PS06inhrTibVEBpBIvttKpc72NFThA5UieujkoGOxqIlPJUi08Y
t6ng4ai1+BeiA9jyuSe1lTPNdCwS2zmAJkRk4nuaZ5dLmHZWRC0izKajG1Hm
rJZz5Zw3uefYRxbLbBUXdZFmLp7QdLiLxLkoY7K2tLvgq1jSG7VbPl24Aopp
Gg9ntvPqym5SwpCvQ8AjaSjkxo0SmDXEipg0g0kbS47KjckuITtEvNZiv6gD
Fra5HV89JsOkPYNw1jjdgDdh9BWjPN5wK2fUmWRV6OobA7FheXSVug6+Kr3B
6cACM9l/TxvVkKB3/IgW6NOaiYbzzRDkosroluLN0HahIeSETNaBrvVLLmSQ
Hlrcac4aWEonTytCho2Hplk2wCI0hxvFi/guhC5to/RLZY7oxFPHY4iiclIO
pE4DHK42dRLYBnP0y3NPLLcETo3xg2ejyO23b/dj5oWgbHM0as8OVY0Tu4Zr
5ZFAL+2roNwXWaqQtVucdmHmP02XNAnyGXCu/e3RXI4r5EtwI6k0p5WrJWIy
60jbRGvQjexHvs3i90JinI608rXflBFrHoJzB3COxDIV84UvBjQgMc8FWQbB
BxJBMfYUs6p9PeknONM0cNJBTKO82oYGO/ztoTlGRwJcAlo5uNaq//giIcvY
uruGg08tEJeoe46iaxlVxCNxf92RhonsDYPh5OYNJ3Ns8rRc1t+NgFXZh7aw
ji4yUtenxbtcRnxbj2E7sAljS3anNMojuZsa3lLstYPPhw4vWu9dar4nzxpe
4i6opvzCmTdjp9dIU8aCAL2G639ZFetmleGsoE89dCHgppER6DpuejkmkczP
RFrhTkgFT23FrezwtxQ7BEqTJptcqgRpn7BWHrweBx49nVf0h7sdzWt560Xg
nsA74356Rbg/mg1xYCKF3nT/vLN1JIf08pS/x5XNpKBaiW6WnZFc8kFmEQ33
lJvMJFH/cWNLbmCLVVmdYLKap4+ye+Mh7ofduDKK7bSj5UJbjYjsBd2TtoHj
ZmeOLTSuYLTVSAoac1DZzSxJxHySqEbKZrJJhuk7yWxjGMRMy65y9Ncj0FNA
xmodA1pqs1uiuqMLp8iZO44N13rlNemujnhz3I/TWWjNYMg4j2IxG/JLJC1f
9ENJG+KrSR2p1cmwQN2PFJKJPDN6teApIpTRjZ+RauLCc/PJMGKoSstj2D/s
m5unHAcXQyp3nb3Xg1hKhH7J3Jqq6dgiZ9wfdJTv/V40TMxne3v2DycXuho4
ZLdBSLAMPa1m541paOJ4LBDKakZtxYU0+MKBNo8lpVo7Lz0/uyb1SqCLLue/
5ttVeTXkaTqWdNRN3LWFpCRGWX9xfuo+Elhoi4p7s4uCDsw76j+bXGerhcqr
9cAZhHd08UjamXZWzTSdgLP5U/ifKnvL6rRUjFbc/zu4vwP5bEQXnRCv1GsX
y/WnLMO8orUVluJHH8f0hySF3qTwjECjT+GqpxtB/0MuCPvmuxjnFjXqzDed
T9cRb7bei72ptdOYQWyucR4VJpY5sOd7x84W/uHx0LU2RJf5izUyvZFJjh3D
BQnIl114rpQwRywAj4nGoafrdFmSDpeUoYexsulYLpiD0TFqniLN+JvRdtr9
oG/32hj46/4/E7pIw/oLdxi/mEb92SXJuE3tKVkAzKqwhqgKYiSzU7Iid5rd
2lwMYlDGfKI2Smh0HBnKQjOWMX+jh8ubGDca5kiIFS9Y2Ch2hhuYMbhyJPai
/CrfOLBsLFdBojCkI3beCuPGyVyqzUIdgDpWWXCnnBCq+mZZwI3ZyeTukbFg
oVragsAn0Zjpd4vQNAO3IB2t9oVzf8qePni0CKmL75o++4isbVhb9zhUep+f
ebrQRUj49EMUJtJ9WDNVUa1ciH9zlvk7Y9HDvrYWwWCnwsElHHmRQ5MPtN3i
k53cg5Gate4brKKOi4pUB0WEoZeMueXjoWM3436k1ldVSjaJFj+cZ8sYLhHJ
OmokwsKtaOo/pn10rLUGgg4zwCuvbpFf1eUbbwX51v1L9YnCitDZKHYGF3XH
CN5S0eqxY4JNLvRhSO4T+0viS7Lxd/6q6UstKqiR0ZckQdreaza+7TnxfE6y
Ja0pf06Wv3jX0Ll35CuJDaTT/tGnNgn71YQjoLSmMaDg0IsUnlCVRRaXWCrc
vsswCw5mB4M60cllYGrIJOTtN3XiNI5xDIu485Ilhy3Wjk8eRWhP6P2z1jyw
sJtwhWWiBZ7D/UNRf3BAhxya4HcO2Ye0DXfvEBXfZ30X3dTqPph65O8ZUnh9
9kFSuxcZR3id+6RchBLF7JNlztwPJcQrjzKhjX3djtQPi001CxdDVcXR7w0w
42/29QTlSpYb7GXTRqF1eTEyUdguOY891y1L9l/D2RQRTVEtF2Ud4NojKMj8
WPyFBCZLJOvpt6DckbgR5BCS75Cd8JJB78u79jVTfbbSNMBSo8nSoPqlbLdR
cEWCZLwnmecs3KcxjjnAgayvUjrGgWmYOfDKtcUs5rpjtXUak395tKAPYmW/
8zjpR08enj7JUJD8xtdX/TU+e0b8gGIhewba6wolPlxKafwR6io1wDLF5QGJ
pduL32jxMvHjjJKpMhnZTtI6qVhPGfr34uzdGb1/oiBSzlHKP5kH0OTwCpJ1
P3Fpr2Js4O5jmjciU6zNoX2SutL8JeNsCuYTQhR8V6EljQJ8cEcCqLEbZPaj
R4KJtIS01oaTNttW9QBvXixGFkKJW8onjikN/jpNW6qz//m/7h30l7yvSn6m
PvdnLLDs+QJnQUpqki001jEG+92loHOFoOgJ8DtLQcXcSQtBaRAuBb2YLQ6f
pgargTRTLIt03SOl8VYc8/9VP4ekWB2WH74lpOz7aZOG7I4mDdPa1f+KTRp+
9uZ/TEqcFml902JUlBSqgrBr+l1quhsQNZtrfJE6DO7MVg/urbh7uVDHNz/a
urOtG3PYJSacU5XirUO50sjX0en329HnYtG4cafMWOBCh/0u5KXa1wtcl6ty
zKKYjAXxQRcR2SX7cUeVl900M2C2dPNZWpARqkD0Gx31xG0u5q0zTifT/lcv
LZVIvr/QToj3HfpVdvr1kJx3khQ1MBfRECNnkhaz0IDpGjqxzaXgc1LARyOE
DhFBLypUZ0M770clNGXaqVY16DRgMJZLWksr2BmqkbsHKtaeFhO+zferpLmD
xDPdgYn7F/6+mR/OJ0qKVGDFWor9t5KRr8Ll2iIupq147dpm02kLBln7n5D0
DPPe2qU1qBthm3wp9ZUMOSbwS33YZG3ia2D5CxmYiWlBX5byVV8S86ikmWco
vVKXF62+QCimJdhKI0iilbY5U+88I/k1Upuh2tRmMnNH2hVJUz4Pdi6xEI61
n4mlD6tvO2xHgWZmJa34m4A+bQnFg6RfMJIQgomFPEGJ8WHpknKp/UiZxjNG
dsw5luuXmVEYxEEQQtjiFOjS83RGmjo1tTYl6mvDs/XPqa8xrCyOrszy5Oh8
aId/7JLeYUWj3xfJXqlkwrtnQ1fmYXcymUkqYzNreGU9zYo0usnH9L7W2tGy
D1+IprF9Ov8T7pGVJWKw4+wjNiJPkm+3wI5z/uZCrkWK33uGb/tghML0zqtt
iPDiGK33OJotdQcGUxIrs1xjdi2CbgJzaVAJddJS7FsLriB/uenW2Ngv6XIX
sHBtg8GbkokxFgr/RrX65lE87inFRt7a91dJ6QyuYiixsbv/Qo7UKrjkFojr
Z/4ycF6/1SjRuShPBLeU2Y7MU6ZJy36hXqN92iWe9Ai0yw8DtpuJrMINpwvG
yMmfjlenjg9tiL+p8quk00DbVPHb2mJrVm2phvEP3Xaj7/iVAaN8vKqaFQKz
tTaA3rE4yrJRzE2/ITtxNNKwXjLj0XOS18+uo8RPBMa0asu5e5SU5HS3+Y5n
nboKj+S9s1dk2ipJkqswihpivJ+Vj04yWi7z/hlJXhauh77UN7KXg0ZYssMp
eltoJ3vt98Ml7PwkClEb2KkcxU9lKP8ZIi9+ESiXUKGr0vyfVkO3l0FN8BRl
AeKOm/qJXOksezx44mXUWN9oTZ3uEeFpkNsWzcHQs8N8TXjebrQ9vEzqINh7
OU2aZLr/ib+x/OnT57QL9CrZC1hi6cdftAORmn5PIl6xLEZFC9yKUb6nhf/8
wbfXOSiBwwS1UVq2GiAMOMWWzc+/AEP/KWRqH0fA3GIxGxX+5SwgR/3Iz96d
M2HDN1TOGttaE8ZDIvmL0MzyDJbjAVI4SUY/EftWXeddeF0gZTbvD5Aaiu7I
SvT+jWKDWHy+PuKEUiH1RylAlcTFI7IjSnELmdyW1otdJYh8TSzon7Ybtvyk
I564qDQn1eVZZhliScVFIi5CdiEOR73I6Rvm5pDvkWM8gKts7vzY3oJEvJXD
JTlXkafYmslmwgDH5Ro7V+A0Ci2ghfec4w85cZJM0cFamFrKCY3/G3xM0mQy
fGfEgc6m9eFrMYBVP3rWlWtWPvC9wsl5+dPFp+X5+1efycq9PP0da4odeNi6
uGNFs9z2e9eFLKDyJl/vD6h4GepnauRyyEPr0UPhu53GFkrIRnZaKgndqQuH
My2UzIaMiC6g8cOv60BHo8osYy1oXZe7vJ6GncmukQAWb+uTfVvI4b4OcrD0
C6mLkgvIyhAYS76+42LcvMGNdxShSrunPRFG2l0n7edDDg68SzQlZDt3xUqM
8+CCSnvI3Tt78+FdVrT5pr8/nz6GRcVeCYlxdxtaGYT2flp1rUlzoL20fWFu
AQJrSy9faxDbxmw5oSiGveSkXKgQmkp+KWLL1bW3mE0vMMdANMpn2rgF0LRm
CNfwFx3lIULchzij/In7GfLBn42/xaqbxlzWCK1rIDyapp1U2kWOev33y+zn
f7fQK6dKPHrw6Klt6NKvr2vUWHD4UO8ZvX2ZbwnU0SJ/LOsKIVHnlssl43T3
/wC4ZricXYYAAA==

-->

</rfc>
