<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-netmod-immutable-flag-14" category="std" consensus="true" submissionType="IETF" updates="8040, 8526" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title abbrev="immutable flag">YANG Metadata Annotation for Immutable Flag</title>
    <seriesInfo name="Internet-Draft" value="draft-ietf-netmod-immutable-flag-14"/>
    <author fullname="Qiufang Ma" role="editor">
      <organization>Huawei</organization>
      <address>
        <postal>
          <street>101 Software Avenue, Yuhua District</street>
          <city>Nanjing, Jiangsu</city>
          <code>210012</code>
          <country>China</country>
        </postal>
        <email>maqiufang1@huawei.com</email>
      </address>
    </author>
    <author fullname="Qin Wu">
      <organization>Huawei</organization>
      <address>
        <postal>
          <street>101 Software Avenue, Yuhua District</street>
          <city>Nanjing, Jiangsu</city>
          <code>210012</code>
          <country>China</country>
        </postal>
        <email>bill.wu@huawei.com</email>
      </address>
    </author>
    <author fullname="Balazs Lengyel" role="editor">
      <organization>Ericsson</organization>
      <address>
        <email>balazs.lengyel@ericsson.com</email>
      </address>
    </author>
    <author fullname="Hongwei Li">
      <organization>HPE</organization>
      <address>
        <email>flycoolman@gmail.com</email>
      </address>
    </author>
    <date year="2026" month="July" day="02"/>
    <area>Operations and Management</area>
    <workgroup>netmod</workgroup>
    <keyword>immutable flag</keyword>
    <keyword>system configuration</keyword>
    <abstract>
      <?line 77?>

<t>This document defines a mechanism to formally document an existing behavior,
   implemented by servers of YANG-driven network management protocols (e.g., NETCONF and RESTCONF), on the immutability of some
   system-provided nodes, using a YANG metadata annotation called
   "immutable" to flag which nodes are immutable.</t>
      <t>Clients may use "immutable" annotations provided by the server, to
   know beforehand why certain otherwise valid configuration requests
   will cause the server to return an error.</t>
      <t>The immutable flag is descriptive, documenting an existing behavior, not
   prescriptive, dictating server behaviors.</t>
      <t>This document updates RFC 8040 and RFC 8526.</t>
    </abstract>
    <note removeInRFC="true">
      <name>Discussion Venues</name>
      <t>Discussion of this document takes place on the
    Network Modeling Working Group mailing list (netmod@ietf.org),
    which is archived at <eref target="https://mailarchive.ietf.org/arch/browse/netmod/"/>.</t>
      <t>Source for this draft and an issue tracker can be found at
    <eref target="https://github.com/netmod-wg/immutable-flag"/>.</t>
    </note>
  </front>
  <middle>
    <?line 93?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>This document defines a YANG metadata annotation <xref target="RFC7952"/> to formally document
   an existing model handling behavior that has been used by
   multiple standard organizations (e.g., 3GPP TS 32.156 <xref target="TS32.156"/>, 28.623 <xref target="TS28.623"/>, and ONF TR-531 <xref target="TR-531"/>) and vendors.</t>
      <t>YANG <xref target="RFC7950"/> is a data modeling language used to model both state
   and configuration data, based on the "config" statement. However,
   there exists some system configuration data that cannot be modified
   by clients (that is, it is immutable), but still needs to be declared as
   "config true" to:</t>
      <ul spacing="normal">
        <li>
          <t>allow configuration of data nodes under immutable lists or containers;</t>
        </li>
        <li>
          <t>place "when", "must" and "leafref" constraints between configuration
   and immutable nodes;</t>
        </li>
        <li>
          <t>ensure the existence of specific list entries that are provided and
   needed by the system, while additional list entries can be created,
   modified or deleted.</t>
        </li>
      </ul>
      <t>If a server always rejects a client's attempt to override some
   system-provided data because it internally thinks the data is immutable, it should document
   it towards the clients in a machine-readable way rather than writing as
   plain text in the "description" statement.</t>
      <t>This document defines an approach to formally document an existing behavior,
   implemented by servers in production, on the immutability of some
   system-provided data, using a YANG metadata annotation <xref target="RFC7952"/>
   called "immutable" to flag which nodes are immutable. A server <bcp14>MUST NOT</bcp14> set the immutable flag to true for configuration data that is not system-provided. This document does not
   regulate server behaviors. That said, it is expected that a server will return
   an error with an error-tag value of "invalid-value" if a client attempts to
   modify an immutable node.</t>
      <t>A non-exhaustive list of already implemented and potential use cases is provided below:</t>
      <ul spacing="normal">
        <li>
          <t>UC1: Modeling of server capabilities (<xref target="sec-uc1"/>)</t>
        </li>
        <li>
          <t>UC2: Hardware based auto-configuration (<xref target="sec-uc2"/>)</t>
        </li>
        <li>
          <t>UC3: Predefined administrator roles (<xref target="sec-uc3"/>)</t>
        </li>
        <li>
          <t>UC4: Declaring immutable system configuration from the perspective of a Logical Network Element (LNE) (<xref target="sec-uc4"/>)</t>
        </li>
      </ul>
      <section anchor="updates-to-rfc-8040">
        <name>Updates to RFC 8040</name>
        <t>This document updates Sections <xref target="RFC8040" section="4.8" sectionFormat="bare"/> and <xref target="RFC8040" section="9.1.1" sectionFormat="bare"/> of <xref target="RFC8040"/> to add an
  additional query parameter named "with-immutability", as specified in <xref target="RESTCONF-ext"/>.</t>
      </section>
      <section anchor="updates-to-rfc-8526">
        <name>Updates to RFC 8526</name>
        <t>This document updates <xref section="3.1.1" sectionFormat="of" target="RFC8526"/> to add an additional input parameter
   named "with-immutability" for the &lt;get-data&gt; operation, as specified in <xref target="NETCONF-ext"/>.</t>
      </section>
      <section anchor="editorial-note-to-be-removed-by-rfc-editor">
        <name>Editorial Note (To be removed by RFC Editor)</name>
        <t>Note to the RFC Editor: This section is to be removed prior to publication.</t>
        <t>This document contains placeholder values that need to be replaced with finalized
  values at the time of publication.  This note summarizes all of the
  substitutions that are needed.  No other RFC Editor instructions are specified
  elsewhere in this document.</t>
        <t>Please apply the following replacements:</t>
        <ul spacing="normal">
          <li>
            <t>XXXX --&gt; the assigned RFC number for this draft</t>
          </li>
          <li>
            <t>YYYY --&gt; RFC number assigned to <xref target="I-D.ietf-netmod-system-config"/></t>
          </li>
          <li>
            <t>2026-05-26 --&gt; the actual date of the publication of this document</t>
          </li>
        </ul>
      </section>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>The document uses the following term defined in <xref target="RFC6241"/>:</t>
      <ul spacing="normal">
        <li>
          <t>configuration data</t>
        </li>
      </ul>
      <t>The document uses the following terms defined  in <xref target="RFC7950"/>:</t>
      <ul spacing="normal">
        <li>
          <t>data node</t>
        </li>
        <li>
          <t>leaf</t>
        </li>
        <li>
          <t>leaf-list</t>
        </li>
        <li>
          <t>container</t>
        </li>
        <li>
          <t>list</t>
        </li>
        <li>
          <t>anydata</t>
        </li>
        <li>
          <t>anyxml</t>
        </li>
        <li>
          <t>interior node</t>
        </li>
        <li>
          <t>data tree</t>
        </li>
      </ul>
      <t>The document uses the following term defined in <xref target="RFC8341"/>:</t>
      <ul spacing="normal">
        <li>
          <t>access operation</t>
        </li>
      </ul>
      <t>The document uses the following terms defined in <xref target="RFC8342"/>:</t>
      <ul spacing="normal">
        <li>
          <t>client</t>
        </li>
        <li>
          <t>server</t>
        </li>
      </ul>
      <t>The document uses the following term defined in <xref target="I-D.ietf-netmod-system-config"/>:</t>
      <ul spacing="normal">
        <li>
          <t>system configuration</t>
        </li>
      </ul>
      <t>This document defines the following term:</t>
      <dl>
        <dt>immutable flag:</dt>
        <dd>
          <t>A read-only server-provided metadata value that describes the
   immutability of the configuration, which is conveyed via a YANG metadata annotation
   called "immutable" with a boolean value.</t>
        </dd>
      </dl>
    </section>
    <section anchor="applicability">
      <name>Applicability</name>
      <t>While the immutable flag applies to all configuration nodes, its value <bcp14>MUST NOT</bcp14> be set to true for configuration data that is not system configuration.</t>
      <t>The immutable flag is only visible in read-only datastores (i.e., &lt;system&gt;
   <xref target="I-D.ietf-netmod-system-config"/>, &lt;intended&gt;, and &lt;operational&gt;)
   when a "with-immutability" parameter is carried (<xref target="with-immutability"/>).
   However, this only serves as descriptive information about the
   instance node itself, but has no effect on the handling of the read-only
   datastore. If the immutable flag is requested to be returned for an invalid
   datastore (i.e., any datastore other than &lt;system&gt;, &lt;intended&gt;, or &lt;operational&gt;), then the server <bcp14>MUST</bcp14> return an error response with the error-tag value
   "unknown-element".</t>
      <t>Configuration data has the same immutability if it appears in different datastores.
   The immutability of configuration data is protocol and
   user independent.</t>
    </section>
    <section anchor="immutable-metadata-annotation">
      <name>"Immutable" Metadata Annotation</name>
      <section anchor="immutable-def">
        <name>Definition</name>
        <t>The immutable flag which is defined as the metadata annotation takes a boolean
   value, and it is returned as requested by the client using a "with-immutability"
   parameter (<xref target="with-immutability"/>). If the "immutable" metadata annotation for
   a configuration node is not specified, the default "immutable" value is the
   same as the value of its parent node in the data tree (<xref target="interior"/>).
   The "immutable" metadata annotation value for a top-level instance
   node is "false" if not specified.</t>
        <t>A node annotated as immutable indicates that the server does not allow it to be changed by configuring
   a different value in read-write configuration datastores (e.g., &lt;running&gt;),
   or deleted from the intended datastore, which is the merged result of &lt;running&gt; and &lt;system&gt; as defined in <xref section="4" sectionFormat="of" target="I-D.ietf-netmod-system-config"/>. The node <bcp14>MAY</bcp14> be explicitly configured by a client in &lt;running&gt; with the
   same value and that configuration in &lt;running&gt; may subsequently be removed,
   but neither of these edits will change the configuration in &lt;intended&gt; (if implemented) on the device.</t>
        <t>Note that "immutable" metadata annotations are used to annotate data node
   instances.  A list may have multiple instances in the data tree,
   servers may annotate some of the instances as immutable, while others as
   mutable.</t>
        <t>Servers <bcp14>MUST</bcp14> ignore any immutable annotations sent from the client.</t>
      </section>
      <section anchor="with-immutability">
        <name>"with-immutability" Parameter</name>
        <t>This section specifies the NETCONF <xref target="RFC6241"/> <xref target="RFC8526"/> and RESTCONF <xref target="RFC8040"/>
   protocol extensions to support the "with-immutability" parameter.
   The "immutable" metadata annotations are not returned in a response unless
   explicitly requested by the client using this parameter.</t>
        <section anchor="NETCONF-ext">
          <name>NETCONF Extensions to Support "with-immutability"</name>
          <t>This document updates <xref target="RFC8526"/> to augment the &lt;get-data&gt;
   operation with an additional parameter named "with-immutability" when interacting with read-only datastores.
   If present, this parameter requests that the server includes
   the "immutable" metadata annotations in its response.</t>
          <t><xref target="tree"/> provides the tree structure <xref target="RFC8340"/> of augmentations to NETCONF
   operations, as defined in the "ietf-immutable-annotation" module (<xref target="module"/>).</t>
          <figure anchor="tree">
            <name>Augmentations to NETCONF Operations</name>
            <artwork><![CDATA[
module: ietf-immutable-annotation
  augment /ncds:get-data/ncds:input:
    +---w with-immutability?   empty
]]></artwork>
          </figure>
          <t>To discover if the "with-immutability" parameter is supported by a server,
a NETCONF client can query if the server implements "ietf-immutable-annotation" module (<xref target="module"/>) by reading the YANG library information from the operational state datastore, as per <xref target="RFC8526"/>.</t>
          <t>Refer to <xref target="NETCONF-example"/> for an example of a NETCONF operation with "with-immutability" input parameter.</t>
        </section>
        <section anchor="RESTCONF-ext">
          <name>RESTCONF Extensions to Support "with-immutability"</name>
          <t>This document extends Sections <xref target="RFC8040" section="4.8" sectionFormat="bare"/> and <xref target="RFC8040" section="9.1.1" sectionFormat="bare"/> of <xref target="RFC8040"/> to add a query
   parameter named "with-immutability" to the GET operation. If present, this parameter
   requests that the server includes the "immutable" metadata annotations in its
   response. This parameter is only allowed with no values carried when interacting with read-only datastores.
   If it has any unexpected value, then a "400 Bad Request" status-line <bcp14>MUST</bcp14> be returned. The error-tag value "invalid-value" is used in this case.
   RESTCONF protocol operations for the datastore resources are defined in <xref target="RFC8527"/>.</t>
          <t>To enable a RESTCONF client to discover if the "with-immutability" query parameter
   is supported by a server, the following capability URI is defined:</t>
          <artwork><![CDATA[
    urn:ietf:params:restconf:capability:with-immutability:1.0
]]></artwork>
          <t>If the "with-immutability" query parameter URI is listed in the "capability"
leaf-list defined in <xref section="9.3" sectionFormat="of" target="RFC8040"/>, then the server supports the
"with-immutability" query parameter.</t>
          <t>Refer to <xref target="RESTCONF-example"/> for an example of a RESTCONF operation with "with-immutability" query parameter.</t>
        </section>
      </section>
    </section>
    <section anchor="use-of-immutable-flag-for-different-statements">
      <name>Use of Immutable Flag for Different Statements</name>
      <t>This section defines what the immutable flag means to the client for
   each instance of YANG data node statements.</t>
      <section anchor="the-leaf-statement">
        <name>The "leaf" Statement</name>
        <t>When a leaf node instance is immutable, it cannot be configured with a
   different value in read-write configuration datastores (e.g., &lt;running&gt;) or
   removed from &lt;intended&gt; (if implemented). Though it can be created/deleted
   in read-write configuration datastores (see Sections <xref format="counter" target="immutable-def"/> and <xref format="counter" target="system-interact"/>).</t>
      </section>
      <section anchor="the-leaf-list-statement">
        <name>The "leaf-list" Statement</name>
        <t>When a leaf-list entry is immutable, it cannot be
  removed from &lt;intended&gt; (if implemented). Though it can be created/deleted
  in read-write configuration datastores (see Sections <xref format="counter" target="immutable-def"/> and <xref format="counter" target="system-interact"/>).</t>
        <t>The immutable annotation attached to an individual leaf-list entry
   provides immutability with respect to the entry itself. As per the restrictions in <xref target="RFC7952"/>,
   annotations cannot be attached to an entire leaf-list instance and only
   to individual leaf-list entries, which implies a leaf-list as a whole
   can only inherit immutability from a parent node (e.g., container).</t>
        <t>If a leaf-list as a whole is immutable via inheritance from a parent node, any leaf-list entries cannot be added,
   modified, or reordered (if it is ordered-by user).</t>
        <t>Refer to <xref target="imm-leaf-list"/> for an example of immutability of leaf-lists.</t>
      </section>
      <section anchor="the-container-statement">
        <name>The "container" Statement</name>
        <t>When a container node instance is immutable, it cannot be removed from &lt;intended&gt; (if implemented).
   Though it can be created/deleted in read-write configuration datastores
   (see Sections <xref format="counter" target="immutable-def"/> and <xref format="counter" target="system-interact"/>).</t>
        <t>Descendant nodes of a container recursively inherit the immutability of the container, unless
   the immutability is overridden by an "immutable" annotation on a descendant node (<xref target="interior"/>).</t>
      </section>
      <section anchor="the-list-statement">
        <name>The "list" Statement</name>
        <t>When a list entry is immutable, it cannot be removed from &lt;intended&gt; (if implemented).
  Though it can be created/deleted in read-write configuration datastores
  (see Sections <xref format="counter" target="immutable-def"/> and <xref format="counter" target="system-interact"/>).</t>
        <t>Descendant nodes of a list entry recursively inherit the immutability of the list entry, unless
  the immutability is overridden by an "immutable" annotation on a descendant node (<xref target="interior"/>).</t>
        <t>The immutable annotation attached to an individual list entry provides
   immutability with respect to the entry itself. As per the restrictions in <xref target="RFC7952"/>,
   annotations cannot be attached to an entire list instance and only
   to individual list entries, which implies a list as a whole
   can only inherit immutability from a parent node (e.g., container).</t>
        <t>If a list as a whole is immutable via inheritance from a parent node, any list entries cannot be added, removed, or reordered (if it is ordered-by user).
   Each list entry inherits the immutability of the list by default, unless the immutability is
   overridden by an "immutable" annotation on a list entry.</t>
        <t>Refer to <xref target="imm-list"/> for an example of immutability of lists.</t>
      </section>
      <section anchor="the-anydata-statement">
        <name>The "anydata" Statement</name>
        <t>When an "anydata" node instance is immutable, it cannot be removed from &lt;intended&gt; (if implemented).
   Though it can be created/deleted in read-write configuration datastores
   (see Sections <xref format="counter" target="immutable-def"/> and <xref format="counter" target="system-interact"/>).</t>
        <t>Additionally, as with all interior nodes, immutability is recursively applied to
   descendants (<xref target="interior"/>).</t>
      </section>
      <section anchor="the-anyxml-statement">
        <name>The "anyxml" Statement</name>
        <t>When an "anyxml" node instance is immutable, it cannot be removed from &lt;intended&gt; (if implemented).
   Though it can be created/deleted in read-write configuration datastores
   (see Sections <xref format="counter" target="immutable-def"/> and <xref format="counter" target="system-interact"/>).</t>
        <t>Additionally, as with all interior nodes, immutability is recursively applied to
   descendants (<xref target="interior"/>).</t>
      </section>
    </section>
    <section anchor="interior">
      <name>Immutability of Interior Nodes</name>
      <t>Immutability is a property of a configuration data node instance, conveyed as metadata <xref target="RFC7952"/>. It is
   recursively applied to descendants, which may reset the immutability
   state as needed, thereby affecting their descendants.  There is no limit
   to the number of times the immutability state may change in a data tree.</t>
      <t>If the "immutable" metadata annotation for a returned child node is omitted,
   it has the same immutability as its parent node. For each top-level returned node, the default "immutable" annotation value is false unless explicitly annotated. Servers may suppress the
   annotation if it is inherited from its parent node or uses the default value
   as the top-level node, but are not precluded from returning the annotation
   on every single element.</t>
      <t>Refer to <xref target="inherit"/> for an example of how immutability is recursively
   inherited or explicitly reset by descendants.</t>
    </section>
    <section anchor="system-interact">
      <name>System Configuration Datastore Interactions</name>
      <t>Immutable configuration can only be created, updated and deleted by the server,
   and it is present in &lt;system&gt;, if implemented. That said, the existence of
   immutable configuration is independent of whether &lt;system&gt; is implemented or
   not. For example, a server that does not support &lt;system&gt; may have predefined hardware-specific configuration in use that cannot be overridden or removed by clients.
   Not all system configuration data is immutable. Immutable configuration
   does not appear in &lt;running&gt; unless it is explicitly configured.</t>
      <t>As specified in <xref target="immutable-def"/>, a client <bcp14>MAY</bcp14> create/delete immutable nodes
   with same values as defined by server in read-write configuration datastore (e.g.,
   &lt;candidate&gt;, &lt;running&gt;), which merely makes immutable nodes
   visible/invisible in the datastore.</t>
    </section>
    <section anchor="nacm-interactions">
      <name>NACM Interactions</name>
      <t>The server rejects an operation request due to immutability when it
   tries to perform the operation on the request data. Any immutability checking
   <bcp14>MUST</bcp14> be performed after
   access control decisions, if the Network Configuration Access
   Control Model (NACM) <xref target="RFC8341"/> is implemented on a server. For
   example, if an operation requests to override an immutable
   configuration node, but the server checks the user is not authorized
   to perform the requested access operation on the request data, the
   request is rejected with an "access-denied" error.</t>
    </section>
    <section anchor="module">
      <name>YANG Module</name>
      <t>This module imports definitions from <xref target="RFC7952"/>, <xref target="RFC8342"/>, <xref target="RFC8526"/>, and <xref target="I-D.ietf-netmod-system-config"/>.</t>
      <sourcecode markers="true" name="ietf-immutable-annotation@2026-05-26.yang"><![CDATA[
module ietf-immutable-annotation {
  yang-version 1.1;
  namespace "urn:ietf:params:xml:ns:yang:ietf-immutable-annotation";
  prefix imma;

  import ietf-yang-metadata {
    prefix md;
    reference
      "RFC 7952: Defining and Using Metadata with YANG";
  }
  import ietf-netconf-nmda {
    prefix ncds;
    reference
      "RFC 8526: NETCONF Extensions to Support the Network
                 Management Datastore Architecture";
  }
  import ietf-system-datastore {
    prefix sysds;
    reference
      "RFC YYYY: System-defined Configuration";
  }
  import ietf-datastores {
    prefix ds;
    reference
      "RFC 8342: Network Management Datastore Architecture
                 (NMDA)";
  }

  organization
    "IETF Network Modeling (NETMOD) Working Group";
  contact
    "WG Web:  https://datatracker.ietf.org/wg/netmod/
     WG List: NETMOD <mailto:netmod@ietf.org>
     
     Editor: Qiufang Ma
             <mailto:maqiufang1@huawei.com>
     Editor: Qin Wu
             <mailto:bill.wu@huawei.com>
     Editor: Balazs Lengyel
             <mailto:balazs.lengyel@ericsson.com>
     Editor: Hongwei Li
             <mailto:flycoolman@gmail.com>";
  description
    "This module defines a metadata annotation called 'immutable'
     to allow the server to formally document existing behavior on
     the mutability of some system configuration. Clients may use
     'immutable' metadata annotation provided by the server to know
     beforehand why certain otherwise valid configuration requests
     will cause the server to return an error.

     Copyright (c) 2026 IETF Trust and the persons identified
     as authors of the code. All rights reserved.

     Redistribution and use in source and binary forms, with
     or without modification, is permitted pursuant to, and
     subject to the license terms contained in, the Revised
     BSD License set forth in Section 4.c of the IETF Trust's
     Legal Provisions Relating to IETF Documents
     (https://trustee.ietf.org/license-info).

     All revisions of IETF and IANA published modules can be found
     at the YANG Parameters registry group
     (https://www.iana.org/assignments/yang-parameters).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  revision 2026-05-26 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: YANG Metadata Annotation for Immutable Flag";
  }
  
  md:annotation immutable {
    type boolean;
    description
      "The 'immutable' metadata annotation indicates the
       immutability of an instantiated data node. It takes as a
       value 'true' or 'false'. An immutable node cannot be changed
       via configuring a different value in read-write configuration
       datastores (e.g., <running>), though it can be created/deleted
       in read-write configuration datastores. If not specified for
       a given configuration data node, the immutability is the
       same as the value of its parent node in the data tree. The
       default value of 'immutable' annotation for a top-level
       instance node is false if not specified.";
  }

  augment "/ncds:get-data/ncds:input" {
    description
      "Allows the server to include 'immutable' metadata
       annotations in its response to get-data operation.";
    leaf with-immutability {
      when
        "derived-from-or-self(../ncds:datastore,'sysds:system') "
      + "or derived-from-or-self(../ncds:datastore,'ds:intended') "
      + "or derived-from-or-self(../ncds:datastore,'ds:operational')";
      type empty;
      description
        "Requests that immutable metadata annotations be returned.
        
         This parameter is only valid when the datastore is system,
         intended, or operational. See RFC XXXX Section 3 for the
         required error behavior when used with other datastores.";
    }
  }
}
]]></sourcecode>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <section anchor="the-ietf-xml-registry">
        <name>The "IETF XML" Registry</name>
        <t>IANA is requested to register the following URI in the "ns"
registry within the "IETF XML Registry" group <xref target="RFC3688"/>:</t>
        <artwork><![CDATA[
URI: urn:ietf:params:xml:ns:yang:ietf-immutable-annotation
Registrant Contact: The IESG
XML: N/A; the requested URI is an XML namespace.
]]></artwork>
      </section>
      <section anchor="the-yang-module-names-registry">
        <name>The "YANG Module Names" Registry</name>
        <t>IANA is requested to register the following YANG module in the "YANG
Module Names" registry <xref target="RFC6020"/> within the "YANG Parameters"
registry group.</t>
        <artwork><![CDATA[
Name: ietf-immutable-annotation
Maintained by IANA?  N
Namespace: urn:ietf:params:xml:ns:yang:ietf-immutable-annotation
Prefix: imma
Reference: RFC XXXX
]]></artwork>
      </section>
      <section anchor="restconf-capability-urn-registry">
        <name>RESTCONF Capability URN Registry</name>
        <t>IANA is requested to register the following capability identifier URNs in the
"RESTCONF Capability URNs" registry defined in <xref target="RFC8040"/>:</t>
        <dl>
          <dt>Index:</dt>
          <dd>
            <t>:with-immutability</t>
          </dd>
          <dt>Capability Identifier:</dt>
          <dd>
            <t>urn:ietf:params:restconf:capability:with-immutability:1.0</t>
          </dd>
        </dl>
      </section>
    </section>
    <section anchor="operational-considerations">
      <name>Operational Considerations</name>
      <t>This document specifies a mechanism for clients to discover immutable system configuration before attempting modifications. Clients can leverage this information to avoid sending edit requests that would otherwise fail due to immutable nodes.</t>
      <t>The mechanism defined in this document is backward compatible with existing implementations. A legacy client unware of this mechanism will not include the "with-immutability" query parameter in its retrieval requests. Consequently, servers will process the request normally without returning any "immutable" metadata annotations. Conversely, a client explicitly requesting the immutable flag from a legacy server may either receive an error response for unsupported query parameter or have the parameter ignored, depending on the server's implementation.</t>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>This section is modeled after the template described in <xref section="3.7.1" sectionFormat="of" target="RFC9907"/>.</t>
      <t>The "ietf-immutable-annotation" YANG module defines a data model that is
   designed to be accessed via YANG-based management protocols, such as the Network Configuration Protocol (NETCONF) <xref target="RFC6241"/> and RESTCONF <xref target="RFC8040"/>. These YANG-based management protocols (1) have to
   use a secure transport layer (e.g., Secure Shell (SSH) <xref target="RFC4252"/>, TLS <xref target="I-D.ietf-tls-rfc8446bis"/>, and QUIC <xref target="RFC9000"/>) and (2) have to use mutual authentication.</t>
      <t>The Network Configuration Access Control Model (NACM) <xref target="RFC8341"/>
   provides the means to restrict access for particular NETCONF or
   RESTCONF users to a preconfigured subset of all available NETCONF or
   RESTCONF protocol operations and content.</t>
      <t>The YANG module specified in this document defines a metadata annotation,
   it also extends the RPC operations of the NETCONF protocol in <xref target="RFC6241"/>
   and <xref target="RFC8526"/>.</t>
      <t>The "immutable" metadata annotation exposes the immutability of configuration data,
   which may provide hints for attackers to find vulnerabilities in the network,
   e.g., to leverage the immutability of some configuration to better craft an attack.
   Since immutable annotations are attached to the instances of configuration data nodes,
   it is only accessible to clients that have the permissions to read the annotated configuration nodes.</t>
      <t>The security considerations for the NETCONF protocol operations (see
   <xref section="9" sectionFormat="of" target="RFC6241"/> and <xref section="6" sectionFormat="of" target="RFC8526"/>) also apply to
   the operations extended in this document.</t>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC7952">
          <front>
            <title>Defining and Using Metadata with YANG</title>
            <author fullname="L. Lhotka" initials="L." surname="Lhotka"/>
            <date month="August" year="2016"/>
            <abstract>
              <t>This document defines a YANG extension that allows for defining metadata annotations in YANG modules. The document also specifies XML and JSON encoding of annotations and other rules for annotating instances of YANG data nodes.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7952"/>
          <seriesInfo name="DOI" value="10.17487/RFC7952"/>
        </reference>
        <reference anchor="RFC7950">
          <front>
            <title>The YANG 1.1 Data Modeling Language</title>
            <author fullname="M. Bjorklund" initials="M." role="editor" surname="Bjorklund"/>
            <date month="August" year="2016"/>
            <abstract>
              <t>YANG is a data modeling language used to model configuration data, state data, Remote Procedure Calls, and notifications for network management protocols. This document describes the syntax and semantics of version 1.1 of the YANG language. YANG version 1.1 is a maintenance release of the YANG language, addressing ambiguities and defects in the original specification. There are a small number of backward incompatibilities from YANG version 1. This document also specifies the YANG mappings to the Network Configuration Protocol (NETCONF).</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7950"/>
          <seriesInfo name="DOI" value="10.17487/RFC7950"/>
        </reference>
        <reference anchor="RFC8040">
          <front>
            <title>RESTCONF Protocol</title>
            <author fullname="A. Bierman" initials="A." surname="Bierman"/>
            <author fullname="M. Bjorklund" initials="M." surname="Bjorklund"/>
            <author fullname="K. Watsen" initials="K." surname="Watsen"/>
            <date month="January" year="2017"/>
            <abstract>
              <t>This document describes an HTTP-based protocol that provides a programmatic interface for accessing data defined in YANG, using the datastore concepts defined in the Network Configuration Protocol (NETCONF).</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8040"/>
          <seriesInfo name="DOI" value="10.17487/RFC8040"/>
        </reference>
        <reference anchor="RFC8526">
          <front>
            <title>NETCONF Extensions to Support the Network Management Datastore Architecture</title>
            <author fullname="M. Bjorklund" initials="M." surname="Bjorklund"/>
            <author fullname="J. Schoenwaelder" initials="J." surname="Schoenwaelder"/>
            <author fullname="P. Shafer" initials="P." surname="Shafer"/>
            <author fullname="K. Watsen" initials="K." surname="Watsen"/>
            <author fullname="R. Wilton" initials="R." surname="Wilton"/>
            <date month="March" year="2019"/>
            <abstract>
              <t>This document extends the Network Configuration Protocol (NETCONF) defined in RFC 6241 in order to support the Network Management Datastore Architecture (NMDA) defined in RFC 8342.</t>
              <t>This document updates RFCs 6241 and 7950. The update to RFC 6241 adds new and operations and augments existing,, and operations. The update to RFC 7950 requires the usage of the YANG library (described in RFC 8525) by NETCONF servers implementing the NMDA.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8526"/>
          <seriesInfo name="DOI" value="10.17487/RFC8526"/>
        </reference>
        <reference anchor="I-D.ietf-netmod-system-config">
          <front>
            <title>System-defined Configuration</title>
            <author fullname="Qiufang Ma" initials="Q." surname="Ma">
              <organization>Huawei</organization>
            </author>
            <author fullname="Qin Wu" initials="Q." surname="Wu">
              <organization>Huawei</organization>
            </author>
            <author fullname="Chong Feng" initials="C." surname="Feng">
         </author>
            <date day="28" month="January" year="2026"/>
            <abstract>
              <t>   The Network Management Datastore Architecture (NMDA) in RFC 8342
   defines several configuration datastores holding configuration.  The
   contents of these configuration datastores are controlled by clients.
   This document introduces the concept of system configuration
   datastore holding configuration controlled by the system on which a
   server is running.  The system configuration can be referenced (e.g.,
   leafref) by configuration explicitly created by clients.

   This document updates RFC 8342.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-netmod-system-config-20"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
        <reference anchor="RFC6241">
          <front>
            <title>Network Configuration Protocol (NETCONF)</title>
            <author fullname="R. Enns" initials="R." role="editor" surname="Enns"/>
            <author fullname="M. Bjorklund" initials="M." role="editor" surname="Bjorklund"/>
            <author fullname="J. Schoenwaelder" initials="J." role="editor" surname="Schoenwaelder"/>
            <author fullname="A. Bierman" initials="A." role="editor" surname="Bierman"/>
            <date month="June" year="2011"/>
            <abstract>
              <t>The Network Configuration Protocol (NETCONF) defined in this document provides mechanisms to install, manipulate, and delete the configuration of network devices. It uses an Extensible Markup Language (XML)-based data encoding for the configuration data as well as the protocol messages. The NETCONF protocol operations are realized as remote procedure calls (RPCs). This document obsoletes RFC 4741. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6241"/>
          <seriesInfo name="DOI" value="10.17487/RFC6241"/>
        </reference>
        <reference anchor="RFC8341">
          <front>
            <title>Network Configuration Access Control Model</title>
            <author fullname="A. Bierman" initials="A." surname="Bierman"/>
            <author fullname="M. Bjorklund" initials="M." surname="Bjorklund"/>
            <date month="March" year="2018"/>
            <abstract>
              <t>The standardization of network configuration interfaces for use with the Network Configuration Protocol (NETCONF) or the RESTCONF protocol requires a structured and secure operating environment that promotes human usability and multi-vendor interoperability. There is a need for standard mechanisms to restrict NETCONF or RESTCONF protocol access for particular users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content. This document defines such an access control model.</t>
              <t>This document obsoletes RFC 6536.</t>
            </abstract>
          </front>
          <seriesInfo name="STD" value="91"/>
          <seriesInfo name="RFC" value="8341"/>
          <seriesInfo name="DOI" value="10.17487/RFC8341"/>
        </reference>
        <reference anchor="RFC8342">
          <front>
            <title>Network Management Datastore Architecture (NMDA)</title>
            <author fullname="M. Bjorklund" initials="M." surname="Bjorklund"/>
            <author fullname="J. Schoenwaelder" initials="J." surname="Schoenwaelder"/>
            <author fullname="P. Shafer" initials="P." surname="Shafer"/>
            <author fullname="K. Watsen" initials="K." surname="Watsen"/>
            <author fullname="R. Wilton" initials="R." surname="Wilton"/>
            <date month="March" year="2018"/>
            <abstract>
              <t>Datastores are a fundamental concept binding the data models written in the YANG data modeling language to network management protocols such as the Network Configuration Protocol (NETCONF) and RESTCONF. This document defines an architectural framework for datastores based on the experience gained with the initial simpler model, addressing requirements that were not well supported in the initial model. This document updates RFC 7950.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8342"/>
          <seriesInfo name="DOI" value="10.17487/RFC8342"/>
        </reference>
        <reference anchor="RFC8527">
          <front>
            <title>RESTCONF Extensions to Support the Network Management Datastore Architecture</title>
            <author fullname="M. Bjorklund" initials="M." surname="Bjorklund"/>
            <author fullname="J. Schoenwaelder" initials="J." surname="Schoenwaelder"/>
            <author fullname="P. Shafer" initials="P." surname="Shafer"/>
            <author fullname="K. Watsen" initials="K." surname="Watsen"/>
            <author fullname="R. Wilton" initials="R." surname="Wilton"/>
            <date month="March" year="2019"/>
            <abstract>
              <t>This document extends the RESTCONF protocol defined in RFC 8040 in order to support the Network Management Datastore Architecture (NMDA) defined in RFC 8342.</t>
              <t>This document updates RFC 8040 by introducing new datastore resources, adding a new query parameter, and requiring the usage of the YANG library (described in RFC 8525) by RESTCONF servers implementing the NMDA.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8527"/>
          <seriesInfo name="DOI" value="10.17487/RFC8527"/>
        </reference>
        <reference anchor="RFC3688">
          <front>
            <title>The IETF XML Registry</title>
            <author fullname="M. Mealling" initials="M." surname="Mealling"/>
            <date month="January" year="2004"/>
            <abstract>
              <t>This document describes an IANA maintained registry for IETF standards which use Extensible Markup Language (XML) related items such as Namespaces, Document Type Declarations (DTDs), Schemas, and Resource Description Framework (RDF) Schemas.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="81"/>
          <seriesInfo name="RFC" value="3688"/>
          <seriesInfo name="DOI" value="10.17487/RFC3688"/>
        </reference>
        <reference anchor="RFC6020">
          <front>
            <title>YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)</title>
            <author fullname="M. Bjorklund" initials="M." role="editor" surname="Bjorklund"/>
            <date month="October" year="2010"/>
            <abstract>
              <t>YANG is a data modeling language used to model configuration and state data manipulated by the Network Configuration Protocol (NETCONF), NETCONF remote procedure calls, and NETCONF notifications. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6020"/>
          <seriesInfo name="DOI" value="10.17487/RFC6020"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="TR-531" target="https://opennetworking.org/wp-content/uploads/2018/08/TR-531_UML-YANG_Mapping_Gdls_v1.1-1-1.pdfhttps://opennetworking.org/wp-content/uploads/2018/08/TR-531_UML-YANG_Mapping_Gdls_v1.1-1-1.pdf">
          <front>
            <title>UML to YANG Mapping Guidelines</title>
            <author>
              <organization>ONF</organization>
            </author>
            <date year="2018" month="July"/>
          </front>
        </reference>
        <reference anchor="TS28.623" target="https://www.3gpp.org/ftp/Specs/archive/28_series/28.623/28623-i02.zip">
          <front>
            <title>Telecommunication management; Generic Network Resource Model (NRM) Integration Reference Point (IRP); Solution Set (SS) definitions</title>
            <author>
              <organization>3GPP</organization>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="TS32.156" target="https://www.3gpp.org/ftp/Specs/archive/32_series/32.156/32156-h10.zip">
          <front>
            <title>Telecommunication management; Fixed Mobile Convergence (FMC) Model repertoire</title>
            <author>
              <organization>3GPP</organization>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="RFC8792">
          <front>
            <title>Handling Long Lines in Content of Internet-Drafts and RFCs</title>
            <author fullname="K. Watsen" initials="K." surname="Watsen"/>
            <author fullname="E. Auerswald" initials="E." surname="Auerswald"/>
            <author fullname="A. Farrel" initials="A." surname="Farrel"/>
            <author fullname="Q. Wu" initials="Q." surname="Wu"/>
            <date month="June" year="2020"/>
            <abstract>
              <t>This document defines two strategies for handling long lines in width-bounded text content. One strategy, called the "single backslash" strategy, is based on the historical use of a single backslash ('\') character to indicate where line-folding has occurred, with the continuation occurring with the first character that is not a space character (' ') on the next line. The second strategy, called the "double backslash" strategy, extends the first strategy by adding a second backslash character to identify where the continuation begins and is thereby able to handle cases not supported by the first strategy. Both strategies use a self-describing header enabling automated reconstitution of the original content.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8792"/>
          <seriesInfo name="DOI" value="10.17487/RFC8792"/>
        </reference>
        <reference anchor="RFC8340">
          <front>
            <title>YANG Tree Diagrams</title>
            <author fullname="M. Bjorklund" initials="M." surname="Bjorklund"/>
            <author fullname="L. Berger" initials="L." role="editor" surname="Berger"/>
            <date month="March" year="2018"/>
            <abstract>
              <t>This document captures the current syntax used in YANG module tree diagrams. The purpose of this document is to provide a single location for this definition. This syntax may be updated from time to time based on the evolution of the YANG language.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="215"/>
          <seriesInfo name="RFC" value="8340"/>
          <seriesInfo name="DOI" value="10.17487/RFC8340"/>
        </reference>
        <reference anchor="RFC9907">
          <front>
            <title>Guidelines for Authors and Reviewers of Documents Containing YANG Data Models</title>
            <author fullname="A. Bierman" initials="A." surname="Bierman"/>
            <author fullname="M. Boucadair" initials="M." role="editor" surname="Boucadair"/>
            <author fullname="Q. Wu" initials="Q." surname="Wu"/>
            <date month="March" year="2026"/>
            <abstract>
              <t>This document provides guidelines for authors and reviewers of specifications containing YANG data models, including IANA-maintained YANG modules. Recommendations and procedures are defined, which are intended to increase interoperability and usability of Network Configuration Protocol (NETCONF) and RESTCONF protocol implementations that utilize YANG modules.</t>
              <t>This document obsoletes RFC 8407; it also updates RFC 8126 by providing additional guidelines for writing the IANA considerations for RFCs that specify IANA-maintained YANG modules.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="216"/>
          <seriesInfo name="RFC" value="9907"/>
          <seriesInfo name="DOI" value="10.17487/RFC9907"/>
        </reference>
        <reference anchor="RFC4252">
          <front>
            <title>The Secure Shell (SSH) Authentication Protocol</title>
            <author fullname="T. Ylonen" initials="T." surname="Ylonen"/>
            <author fullname="C. Lonvick" initials="C." role="editor" surname="Lonvick"/>
            <date month="January" year="2006"/>
            <abstract>
              <t>The Secure Shell Protocol (SSH) is a protocol for secure remote login and other secure network services over an insecure network. This document describes the SSH authentication protocol framework and public key, password, and host-based client authentication methods. Additional authentication methods are described in separate documents. The SSH authentication protocol runs on top of the SSH transport layer protocol and provides a single authenticated tunnel for the SSH connection protocol. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="4252"/>
          <seriesInfo name="DOI" value="10.17487/RFC4252"/>
        </reference>
        <reference anchor="I-D.ietf-tls-rfc8446bis">
          <front>
            <title>The Transport Layer Security (TLS) Protocol Version 1.3</title>
            <author fullname="Eric Rescorla" initials="E." surname="Rescorla">
              <organization>Independent</organization>
            </author>
            <date day="13" month="September" year="2025"/>
            <abstract>
              <t>   This document specifies version 1.3 of the Transport Layer Security
   (TLS) protocol.  TLS allows client/server applications to communicate
   over the Internet in a way that is designed to prevent eavesdropping,
   tampering, and message forgery.

   This document updates RFCs 5705, 6066, 7627, and 8422 and obsoletes
   RFCs 5077, 5246, 6961, 8422, and 8446.  This document also specifies
   new requirements for TLS 1.2 implementations.

              </t>
            </abstract>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-tls-rfc8446bis-14"/>
        </reference>
        <reference anchor="RFC9000">
          <front>
            <title>QUIC: A UDP-Based Multiplexed and Secure Transport</title>
            <author fullname="J. Iyengar" initials="J." role="editor" surname="Iyengar"/>
            <author fullname="M. Thomson" initials="M." role="editor" surname="Thomson"/>
            <date month="May" year="2021"/>
            <abstract>
              <t>This document defines the core of the QUIC transport protocol. QUIC provides applications with flow-controlled streams for structured communication, low-latency connection establishment, and network path migration. QUIC includes security measures that ensure confidentiality, integrity, and availability in a range of deployment circumstances. Accompanying documents describe the integration of TLS for key negotiation, loss detection, and an exemplary congestion control algorithm.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="9000"/>
          <seriesInfo name="DOI" value="10.17487/RFC9000"/>
        </reference>
        <reference anchor="RFC8343">
          <front>
            <title>A YANG Data Model for Interface Management</title>
            <author fullname="M. Bjorklund" initials="M." surname="Bjorklund"/>
            <date month="March" year="2018"/>
            <abstract>
              <t>This document defines a YANG data model for the management of network interfaces. It is expected that interface-type-specific data models augment the generic interfaces data model defined in this document. The data model includes definitions for configuration and system state (status information and counters for the collection of statistics).</t>
              <t>The YANG data model in this document conforms to the Network Management Datastore Architecture (NMDA) defined in RFC 8342.</t>
              <t>This document obsoletes RFC 7223.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8343"/>
          <seriesInfo name="DOI" value="10.17487/RFC8343"/>
        </reference>
        <reference anchor="RFC8530">
          <front>
            <title>YANG Model for Logical Network Elements</title>
            <author fullname="L. Berger" initials="L." surname="Berger"/>
            <author fullname="C. Hopps" initials="C." surname="Hopps"/>
            <author fullname="A. Lindem" initials="A." surname="Lindem"/>
            <author fullname="D. Bogdanovic" initials="D." surname="Bogdanovic"/>
            <author fullname="X. Liu" initials="X." surname="Liu"/>
            <date month="March" year="2019"/>
            <abstract>
              <t>This document defines a logical network element (LNE) YANG module that is compliant with the Network Management Datastore Architecture (NMDA). This module can be used to manage the logical resource partitioning that may be present on a network device. Examples of common industry terms for logical resource partitioning are logical systems or logical routers. The YANG model in this document conforms with NMDA as defined in RFC 8342.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8530"/>
          <seriesInfo name="DOI" value="10.17487/RFC8530"/>
        </reference>
      </references>
    </references>
    <?line 623?>

<section anchor="use-cases">
      <name>Sample Use Cases</name>
      <section anchor="sec-uc1">
        <name>UC1: Modeling of Server Capabilities</name>
        <t>System capabilities might be represented as immutable configuration.
   Configurable data nodes might need constraints specified using
   "when", "must", or "path" statements to ensure that configuration is set
   according to the system's capabilities. For example, configurable timer (e.g., for an "interface-timer" or a "bfd-interval-timer") values are dependent on the underlying system timer resource limits.</t>
        <ul spacing="normal">
          <li>
            <t>A timer might only support the values 1, 5, and 8 seconds, determined by the system capabilities. This is defined in the leaf-list 'supported-timer'.</t>
          </li>
          <li>
            <t>When the configurable 'interface-timer' leaf is set by a client, it should be ensured that one of the supported values is used.  The natural solution would be to make the "interface-timer" a leafref pointing at the "supported-timer".</t>
          </li>
        </ul>
        <t>However, this is not possible as "supported-timer" must be
   read-only thus "config false" while 'interface-timer' must be writable
   thus "config true".  According to the rules of YANG it is not allowed
   to put a constraint between "config true" and "config false" data nodes (<xref section="9.9" sectionFormat="of" target="RFC7950"/>).</t>
        <t>A solution is that the 'supported-timer' data node in the YANG
   Model shall be defined as "config true" and shall also be marked with
   the "immutable" annotation making it unchangeable. After this the
   'interface-timer' shall be defined as a leafref pointing at the
   'supported-timer-values'.</t>
      </section>
      <section anchor="sec-uc2">
        <name>UC2: Hardware-based Auto-configuration - Interface Example</name>
        <t><xref target="RFC8343"/> defines a YANG data model for the management of network
   interfaces.  When a system-controlled interface is physically present,
   the system creates an interface entry with valid name and type
   values in &lt;system&gt; (if exists, see <xref target="I-D.ietf-netmod-system-config"/>).</t>
        <t>The system-generated type value is dependent on and represents the hardware
   present, and as a consequence cannot be changed by clients.  If a
   client tries to set the type of an interface to a value that can
   never be used by the system, the request will be rejected by the
   server.  The data is modeled as "config true" and thus should be annotated
   as immutable.</t>
        <t>An alternative would be to model the list and these leafs
   as "config false", but that does not work because:</t>
        <ul spacing="normal">
          <li>
            <t>The list cannot be marked as "config false", because it needs to contain
  configurable child nodes, e.g., IP address or enabled;</t>
          </li>
          <li>
            <t>The key leaf (name) cannot be marked as "config false" as the list
  itself is "config true";</t>
          </li>
          <li>
            <t>The type cannot be marked "config false", because we may need to
  reference the type to make different configuration nodes
  conditionally available.</t>
          </li>
        </ul>
      </section>
      <section anchor="sec-uc3">
        <name>UC3: Predefined Administrator Roles</name>
        <t>User and group management is fundamental for setting up access
   control rules (see <xref section="2.5" sectionFormat="of" target="RFC8341"/>).</t>
        <t>A device may provide a predefined user account (e.g., a system
   administrator that is always available and has full privileges) for
   initial system set up and management of other users/groups.  It is
   possible that a new user/group can be defined granted particular privileges,
   but the predefined administrator account and its granted access are immutable.</t>
      </section>
      <section anchor="sec-uc4">
        <name>UC4: Declaring Immutable System Configuration from the Perspective of a Logical Network Element (LNE)</name>
        <t>An LNE, as described in <xref target="RFC8530"/>, is an independently managed virtual
   network device made up of resources allocated to it from its host or
   parent network device.  The host device may allocate some
   resources to an LNE, which from an LNE's perspective is provided by
   the system and may not be modifiable.</t>
        <t>For example, a host may allocate an interface to an LNE with a valid
   MTU value as its management interface, so that the allocated
   interface should then be accessible as the LNE-specific instance of
   the interface model.  The assigned MTU value is system-created and
   immutable from the context of the LNE.</t>
      </section>
    </section>
    <section anchor="examples-of-servers-immutable-behavior">
      <name>Examples of Server's Immutable Behavior</name>
      <t>This section provides some examples to illustrate the server's behavior with
  immutable flag. These examples are not intended as recommendations for
  real-world deployments. Long lines within examples are handled in accordance with the line-wrapping specified in <xref target="RFC8792"/>.</t>
      <t>The following fictional module is used throughout this section:</t>
      <artwork><![CDATA[
module example-user-group {
  yang-version 1.1;
  namespace "urn:example:user-group";
  prefix ex-urp;

  import iana-crypt-hash {
    prefix ianach;
  }
 
  organization
    "Example, Inc.";

  contact
    "Support at example.com";

  description
    "An example module for basic user and group management.";

  revision "2026-05-26" {
    description
      "Initial version.";
    reference
      "RFC XXXX: YANG Metadata Annotation for Immutable Flag";
  }

  container user-groups {
    description
      "A container for user and group management.";
    list group {
      key "name";
      description
        "Specifies the list of access user-groups.";
      leaf name {
        type string;
        description
          "Indicates a unique name identifier for the user-group.";
      }
      leaf description {
        type string;
        description
          "Provides a human-readable description of the group.";
      }
      leaf access-level {
        type enumeration {
          enum admin;
          enum power;
          enum normal;
          enum guest;
        }
        description
          "Indicates permission level assigned to the group.";
      }
      list user {
        key "name";
        description
          "A list of users that belong to a group.";
        leaf name {
          type string;
          description
            "Specifies a unique name identifier for the user.";
        }
        leaf password {
          type ianach:crypt-hash;
          description
            "Records a cryptographically-hashed user password.";
        }
        leaf full-name {
          type string;
          description
            "Indicates a human-readable full name of the user.";
        }
      }
      leaf-list tag {
        type string;
        ordered-by user;
        description
          "Indicates user-ordered tags for categorizing the
           user-group.";
      }
    }
  }
}
]]></artwork>
      <section anchor="NETCONF-example">
        <name>NETCONF Example to Retrieve Immutable Configuration</name>
        <t><xref target="NETCONF-with-immutability"/> illustrates a NETCONF request example to retrieve "user-groups"
   configuration in &lt;system&gt; with "with-immutability" parameter and the response that a server might return if it supports this query parameter. For illustrative clarity, some annotations that could otherwise be omitted are shown explicitly in the response.</t>
        <figure anchor="NETCONF-with-immutability">
          <name>A NETCONF Example to Retrieve Immutable Configuration</name>
          <artwork><![CDATA[
=============== NOTE: '\' line wrapping per RFC 8792 ================

<rpc message-id="101"
     xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <get-data xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-nmda"
            xmlns:sysds="urn:ietf:params:xml:ns:yang:ietf-system-\
                                                          datastore">
    <datastore>sysds:system</datastore>
    <subtree-filter>
      <user-groups xmlns="urn:example:user-group"/>
    </subtree-filter>
    <with-immutability/>
  </get-data>
</rpc>

<rpc-reply message-id="101"
       xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <data xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-nmda">
    <user-groups xmlns="urn:example:user-group"
      xmlns:imma="urn:ietf:params:xml:ns:yang:ietf-immutable-\
                                                          annotation"
      imma:immutable="false">
      <group imma:immutable="true">
        <name>administrator</name>
        <description imma:immutable="false">administrator group</\
                                                         description>
        <access-level>admin</access-level>
        <user>
          <name>ex-username-1</name>
          <password>$5$rounds=10000$mysalt123456789$l4BjA1p/8q.qCYJ.\
                               2pLqjR5mCJf2bP7cLpYWmnC7Hq8</password>
        </user>
        <user imma:immutable="false">
          <name>ex-username-2</name>
          <password>$1$/h1234q$abcdef1234567890abcdef</password>
        </user>
        <tag>system</tag>
        <tag>non-editable</tag>
      </group>
      <group imma:immutable="false">
        <name>power-users</name>
        <description>Power user group</description>
        <access-level>power</access-level>
        <user>
          <name>ex-username-3</name>
          <password>$1$/h4567q$abcdef2345678901abcdef</password>
        </user>
        <tag>system</tag>
        <tag>editable</tag>
      </group>
    </user-groups>
  </data>
</rpc-reply>
]]></artwork>
        </figure>
      </section>
      <section anchor="RESTCONF-example">
        <name>RESTCONF Example to Retrieve Immutable Configuration</name>
        <t><xref target="RESTCONF-with-immutability"/> illustrates a RESTCONF request example to retrieve "user-groups"
  configuration in &lt;system&gt; with "with-immutability" query parameter and the response a server might return if it supports this query parameter. The JSON representation of the metadata annotations in the response follows the encoding specified in <xref section="5.2" sectionFormat="of" target="RFC7952"/>. For illustrative clarity, some annotations that could otherwise be omitted are shown explicitly in the response.</t>
        <figure anchor="RESTCONF-with-immutability">
          <name>A RESTCONF Example to Retrieve Immutable Configuration</name>
          <artwork><![CDATA[
=============== NOTE: '\' line wrapping per RFC 8792 ================

GET /restconf/ds/ietf-system-datastore:system/example-user-group:\
                               user-groups?with-immutability HTTP/1.1
Host: example.com
Accept: application/yang-data+json


HTTP/1.1 200 OK
Date: Fri, 9 Jan 2026 15:56:30 GMT
Server: example-server
Content-Type: application/yang-data+json
Cache-Control: no-cache
ETag: "a74eefc993a2b"
Last-Modified: Mon, 5 Jan 2026 14:02:14 GMT

{
  "example-user-group:user-groups": {
    "@": {
      "ietf-immutable-annotation:immutable": false
    },
    "group": [
      {
        "@": {
          "ietf-immutable-annotation:immutable": true
        },
        "name": "administrator",
        "description": "administrator group",
        "@description": {
          "ietf-immutable-annotation:immutable": false
        },
        "access-level": "admin",
        "user": [
          {
            "name": "ex-username-1",
            "password": "$5$rounds=10000$mysalt123456789$l4BjA1p/8q.\
                                    qCYJ.2pLqjR5mCJf2bP7cLpYWmnC7Hq8"
          },
          {
            "@": {
              "ietf-immutable-annotation:immutable": false
            },
            "name": "ex-username-2",
            "password": "$1$/h1234q$abcdef1234567890abcdef"
          }
        ],
        "tag": ["system", "non-editable"]
      },
      {
        "@": {
          "ietf-immutable-annotation:immutable": false
        },
        "name": "power-users",
        "description": "Power user group",
        "access-level": "power",
        "user": [
          {
            "name": "ex-username-3",
            "password": "$1$/h4567q$abcdef2345678901abcdef"
          }
        ],
        "tag": ["system", "editable"]
      }
    ]
  }
}
]]></artwork>
        </figure>
      </section>
      <section anchor="inherit">
        <name>The Inheritance of Immutability</name>
        <t>In the example in <xref target="NETCONF-with-immutability"/> and <xref target="RESTCONF-with-immutability"/>, there are two "group" list entries inside "user-groups"
container node. The "immutable" metadata attribute for "user-groups" container
instance is "false", which is also its default value as the top-level element,
and thus can be omitted. The "administrator" list entry is immutable
with the immutability of its descendant nodes "description" and "user" list entry of "ex-username-2" being explicitly toggled.
Other descendant nodes (e.g., "access-level", "ex-username-1" user list entry, and "tag" leaf-list) inside "administrator" list entry inherit the immutability of the list entry, thus are also immutable.</t>
        <t>The "immutable" metadata attribute
for "power-users" list entry is "false", which is also the same
value as its parent node (i.e., the "user-groups" container), and thus can be omitted.
Descendant nodes (e.g., "description", "access-level", "user" list, and "tag" leaf-list) inside "power-users" group inherit the immutability of the list entry, thus are also mutable.</t>
      </section>
      <section anchor="imm-list">
        <name>Immutability of the list</name>
        <t>In the example in <xref target="NETCONF-with-immutability"/> and <xref target="RESTCONF-with-immutability"/>, the "group" list as a whole inherits immutability from the
 container "user-groups", which is mutable. One of the list entry named "administrator" is immutable,
 and the other entry named "power-user" is mutable. The client is able to copy the entire "user-groups"
 container in &lt;running&gt;, add new "group" entries, modify the values of descendant nodes of "power-users" list entry,
 but the values of descendant nodes of "administrator" list entry cannot be overridden with different values except
 for the "description" and "ex-username-2" user list entry nodes, which is explicitly reset to be mutable.
 The client may also subsequently delete any copied "group" entries or the entire
 "user-groups" container, which will not prevent the deleted data being present in &lt;intended&gt; (if implemented) assuming it
 is still contained in &lt;system&gt;.</t>
        <t>The "user" list inside the "administrator" group list entry as a whole inherits immutability from the
 list entry, which is immutable. Thus the client cannot add new user entries inside "administrator" group.
 As one of the user entry named "ex-username-1" is immutable through inheritance,
 and the other "ex-username-2" user entry is explicitly set to be mutable. The client cannot
 modify the "password" parameter, or add a "full-name" value for user "ex-username-1".
 but is allowed to update (e.g., modify the "password" value, or add a "full-name" value)
 the list entry for user "ex-username-2". The client may copy or subsequently delete any of the two list entries in &lt;running&gt;,
 but there is no way to delete the nodes from &lt;intended&gt; (if implemented).</t>
      </section>
      <section anchor="imm-leaf-list">
        <name>Immutability of the leaf-list</name>
        <t>In the example in <xref target="NETCONF-with-immutability"/> and <xref target="RESTCONF-with-immutability"/>, the user-ordered "tag" leaf-list node inside the "administrator" group entry as a whole inherits immutability from the list entry, which is immutable. Thus the client cannot add, modify, or reorder
entries, the client may copy or subsequently delete any of the two leaf-list entries in &lt;running&gt;,
but there is no way to delete the nodes from &lt;intended&gt; if those entries appear in &lt;system&gt;.</t>
        <t>The leaf-list node instance inside the "power-users" group entry as a whole inherits
immutability from the list entry, which is mutable. Thus the client can add or reorder
entries, the client may copy or subsequently delete any of the two leaf-list entries in &lt;running&gt;,
but there is no way to delete the nodes from &lt;intended&gt; if those entries appear in &lt;system&gt;.</t>
      </section>
      <section anchor="error-responses-to-clients-overriding-immutable-configuration">
        <name>Error Responses to Clients Overriding Immutable Configuration</name>
        <t>This section provides examples of a client's attempts to override immutable configuration and error responses that the server might return. Separate examples are provided for NETCONF and RESTCONF protocols, in <xref target="NETCONF-error"/> and <xref target="RESTCONF-error"/> respectively.</t>
        <figure anchor="NETCONF-error">
          <name>A NETCONF Example to Override Immutable Configuration with Error Response</name>
          <artwork><![CDATA[
=============== NOTE: '\' line wrapping per RFC 8792 ================

<rpc message-id="102"
     xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <user-groups xmlns="urn:example:user-group">
        <group>
          <name>administrator</name>
          <access-level>guest</access-level>
        </group>
      </user-groups>
    </config>
  </edit-config>
</rpc>

<rpc-reply message-id="102" 
       xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>invalid-value</error-tag>
    <error-severity>error</error-severity>
    <error-path xmlns="urn:example:user-group">
      /user-groups/group[name="administrator"]/access-level
    </error-path>
    <error-message xml:lang="en">
      Invalid access-level value because the target node is marked \
                                                         as immutable
    </error-message>
  </rpc-error>
</rpc-reply>
]]></artwork>
        </figure>
        <figure anchor="RESTCONF-error">
          <name>A RESTCONF Example to Override Immutable Configuration with Error Response</name>
          <artwork><![CDATA[
=============== NOTE: '\' line wrapping per RFC 8792 ================

PATCH /restconf/ds/ietf-datastores:running/example-user-group:user-\
                     groups/group=administrator/access-level HTTP/1.1
Host: example.com
Content-Type: application/yang-data+json

{
  "example-user-group:access-level": "guest"
}

HTTP/1.1 400 Bad Request
Content-Type: application/yang-data+json

{
  "ietf-restconf:errors": {
    "error": [
      {
        "error-type": "application",
        "error-tag": "invalid-value",
        "error-severity": "error",
        "error-path": "/example-user-group:user-groups/group[name='\
                                       administrator']/access-level",
        "error-message": "Invalid access-level value because the \
                                  target node is marked as immutable"
      }
    ]
  }
}
]]></artwork>
        </figure>
      </section>
    </section>
    <section anchor="implementations">
      <name>Existing Implementations</name>
      <t>Note to the RFC Editor: Please remove this section prior to publication.</t>
      <t>There are already a number of full or partial implementations of
   immutability:</t>
      <ul spacing="normal">
        <li>
          <t>3GPP TS 32.156 <xref target="TS32.156"/> and 28.623 <xref target="TS28.623"/>: Requirements
   and a partial solution</t>
        </li>
        <li>
          <t>ITU-T using ONF TR-531 <xref target="TR-531"/> concept on information model level but
   no YANG representation.</t>
        </li>
        <li>
          <t>Ericsson: requirements and solution</t>
        </li>
        <li>
          <t>YumaPro: requirements and solution</t>
        </li>
        <li>
          <t>Nokia: partial requirements and solution</t>
        </li>
        <li>
          <t>Huawei: partial requirements and solution</t>
        </li>
        <li>
          <t>Cisco using the concept at least in some YANG modules</t>
        </li>
        <li>
          <t>Junos OS provides a hidden and immutable configuration group
   called junos-defaults</t>
        </li>
      </ul>
    </section>
    <section numbered="false" anchor="acknowledgments">
      <name>Acknowledgments</name>
      <t>Thanks to Kent Watsen, Jan Lindblad, Jason Sterne, Robert Wilton, Andy Bierman,
   Juergen Schoenwaelder, Reshad Rahman, Anthony Somerset, Lou Berger, Joe Clarke,
   and Scott Mansfield for reviewing, and providing important inputs to this document.</t>
      <t>Thanks to Per Andersson for the YANGDOCTORS review.</t>
      <t>Thanks to Mahesh Jethanandani for the AD review.</t>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+196XLb1prgfz7FGTpVknJJarMdm5aVKLJiy23LupZc6dR1
KgWRhyJiEGAA0DKjUj/LPMs8WX/b2QCQouSku3pmdG/FJAic5TvfvqHb7bbK
uEx0X7V/OTh5qd7qMhpGZaQO0jQrozLOUjXKcnU8mczK6CLR6qckumy3oouL
XH+Gp2L7w4h+GESlvszyeV8V5bA1m8JguuirJ1sPtzrqyaOdx63WMBuk0QSm
HObRqOzGuhx1U11OsmHXjtbF0brbD1vF7GISFwWso5xP4Znjo/OfWulscqHz
fgsH77cGWVrotJjBNGU+0y1Y1m4rynUEy3s31TntolBROlRvozS61BOdlu3W
VZZ/usyz2RRu4+nbrU96DpeH/ZbqqnBneKWYF6WeKJhvFF/OeNxWK5qV4yzH
R1oK/kazJOHt/TOejaL0EialH7L8MkrjP+mpvno1i650TD/kGcJfD+Myy+lC
UeZal321vbWtzrJReQWbUQefdTrTHfXLbDyL1IsYbooHJd0/iEuA90mU/h6n
lx31OoZZixn/lA1h7J3tra3tHbkwS0s8nsNxnPLC9CSKk76aRH/wgrd/GNPi
eoNs0rSrVP08W76j/54NXMRJ0ruaLV39j1ES/VmoNzq9nOukYRdHsKiigHNt
PBkzE43SS3iUH7Q80zzlqyy9hPWoN3ET0E6P/IFHyXyQZckkSn+4xCs0YivN
8gnc/xlwvRWnI++bUufvu492t/s0iBJS/vD2jSozxQQdTacAVPVyFg91Eqe6
4Fst1vJf13yorK/97uSntgwe5Zd4qOOynBb9zc1sqlOgGyQjmKAHz21eTbtA
HCWQ1+ZsmmTRsNjc2dp+srn1ZJPX+RssrYvr+k3W9dvLYVL89nm7t92F//Wm
w9HfPDzvhRiHej1L5gpHIECe7TzpPd7ZDUHZPteJhkOYzNJ4wOxwYnnIM/VS
p3j46oQXqt7rIpvlA63eAtomav3k/dsNdQxLvmRuATeMdK5TuOM0i9NSrR+/
P914BkSSzOj3Mw3Xzs421FCP4jQmztW+24ntvjw9XXBkV1dXvd3L6ZSgOSqn
m2dTPSg2o3wwBnza3HnyWwHb0QBWAgX8A//txls7vT/jqQ+5UZQUmqG2u9Pb
fvT4TlD7Kf6igRdnQLBaHWbpZw3LRJis//T2cENgl2tg3WUW5/q/bP+7O2b/
vCn4B/7bHW9vLdz/+58On3z3dAdIsdvtqugCmFoETA3vPR/HhQJZN8NN83lq
kEJqogdjWG8xQRolYk4ADe2NUar0F2COSLQXehx9jrO8g+PFk2lCAATYXcwV
rBTgVqhsRITeHeawhVQJyXjwVtM8K7NBlhRqXfcuex11cnR+CHRNEvH90Rl9
2egoOKVyrI3cixNgyjh6kU00zs/SrwujfQZWMlQpHFPRUbMCVxoxt5kY9SFy
6sMA9qeHOIJTFtq0dxCr6mocD8Y8lkIpYW/pERAPkxi2UMB25jCTDoZwcxTK
rgogg5tg6HRgGhzlU5pdATAB2ABQ2PTVeK4GgF0RyLIMbs+vYhj7c5TEw1C6
Axb+MdNFSUzzCuQL7AaX4abAjeS6nOUpnVyeZ3lPjl9XVAiF+KCLQR5PkX13
7JkTAJuOHeBCAnKaB4+B2IzoRlmCub/oNSCeqGCIqaSF8anjF1DGeoy3k3g4
TACfHyCvyrPhbMCqzRIsXnjc19f/C0b/7umjnZubRgzHUf3dTojc8VwSf/MA
46iEywVcAbwGqOPh4sOTWVLGQAugZsBDUT4MOIDFcuQDwJ8U0zKsy/Cqm5uO
YgZHF/kjXkTIIF2wMMEf6cPNzQb9BOQ1tECm/du9bsFeYwQLQYN2hHtJQI+Z
ARny6gEYvNcLwDlcfKkZFlWkw0E6oGTgQ0KUbb6jzY8hGHugWFxpRHIcBJFY
M0wLothGZZWXR4Ad0JEBbHFN8ShmCgXqGQjFrdNtMVB4jP84XAZOcTErYSFI
DqnWwwJ3BgMN9SABEh6qiMhFlkw6OdI7qSvqWwXIANQYrgvYDC2N+cAsHQJW
O+JJaFeAEij9gWaB7T2TwaZJBHKjfTXWabuj2pNZUbYJou1ER6Ncj9r4EHLl
GDd1AdwRsSlU4eUQ3IS0DDMFmhY5kzzBlyQV8kWQHQC4AS0P7ipRcjBwkZFZ
jgRD40AIKY8/0el0kP3BfNFwSKI+SsLB4JAQsAOwZYDr00Gb00JwAC5puM4I
eTwC9BOGECVX0bwAvvS7HpSIlnyoa/CxhGmnJZ5YBnfmsMKFDJ5O5EIzx0Mk
ANGTp0TLJejenwraCd3l4wchTDHOZskwoPkYZwVLYMjPGTwDFgwUE4EETnUX
NjqkE4D1KzidsSY+kKqrPGY2SagFpw6PlfoLLorpwzLWLPWJZBkPg4mnsFmY
+q+RxLCUqWWedxanTPS3SlOfveIwLF3vKFrVgcGUtx/OztXJu3P4XvrLNSIL
xkL6JR/AIlYCwEVWUtlQrwr2TBdGnuX6cpbAEdUFGDwEIxZRPDR8R38BOkNI
M2WZR0gYs+A1AgVlL1wH3mq+dUvYAoj1GRFsO05JxHfpSlvFI0sZhi4KURiI
yuY4TsgUGJ8O4HPa1V/GQBkokploYYYoQQSeBwiCnGWaodESA3kjKQ2AsRe4
Nae0aGCJhj9+ONzusw6MqIAYwzseRFNGI+QM69fXhR50ZwOUTua5HbAngb7I
2mbpATpz1g3PzT654z2521enwLmJMuCp4QRsD2SaYPeSEexNuOs99rCvXhDT
x5U6SDWKnlGeTQjDQK1H1kmAQ5ipN9klWAmJNaKOGHZq/c3J0Yab+CFO3Hrw
QH0QjQZw0yg1ZIo0qj3X12d6wHrBw94TOo2nPbAHcWqkJHyaFRVgwvAzDORx
Y1D+8rmaRjlY8sD8FFr0QGyIZF2fsEH2gKIiEgHuiJFQjWoNmFLe3PQa104O
sYU6m1282g3WDE/5a/ZXHKdTEM52xSR5Fi2aqBqP5OMemEldpOiP+yozLrOm
PYnpYLeEezoi/whi9wnguVo/J20g1xOQMMQgcad80wZulu5CxgIzu5/6DINC
NhwbrcKMM81JKczUdHaRiFXZq5+7qAgFawbjLEFVggheZDPKYTs03TRkpgG4
D9zhT1KE5IGIeWIZTwhV/Zll3hT3UswmE6CBP/EJ4EpwJzwFoxQzsAfjcsbo
ZzUD1gR6CAi2PjwoAJSB7maCsXi3PQAYUIPVeUWaHok9b98EiVPQeYC/gFRL
WMsYZahrIXHKVvHWghjNt+rf4U91u/t0Z1QU8SXSPi6F3auCHTgJ+mnpmV/g
j57xbrOPAlBBOh13X/R8l66IBWYGJLO+VTtbO4+7W4+6O4/dAgblDDAI8V4A
6IObL3n7RVuFPAepc+6+cC6TVgvNr096rtCdW6g2yjlUEI28w8/vj/754fj9
0Qv8fPbq4M0b+6Eld5y9evfhzQv3yT15+O7t26OTF/wwys/gUqv99uCXNhsU
7Xen58fvTg7etGuHRufLqEi6FZh5JavPrM1cMNX9eHj6f/739kMR/Tvb20+B
+PnLk+3vgC0qVH95tiyFo+evAMJ5C3BBRzkpWWS8TuMySgqm7HF2lSrEJkCe
b/+FkPm1r/YuBtPth/tyATccXDQwCy4SzOpXag8zEBsuNUxjoRlcr0A6XO/B
L8F3A3fv4t736AFV3e0n3++3rJXu2G6hiwrdwKlMlJGLsVG/Hu88BLlrBHZd
L1p56MKO7QZnc9IMbs0i/opWjfvURcXDLoJNI/nV/hClc1qS+fJlkvBnQjnk
qW501ulyrb8CNk92fdhEg4EuCidT7gEZf+QdD+qkuPFn1pDuuejvb+FYZsLm
6M9C86I+LQ8UKtjkzuyDRomKY5eolzfjDANrBbAiS2LE8IdCJE3NyiALy19p
R8wBWOoA+eYcRv4cR0tMjQXWBSvY6iIDtRBUD1oU6jbqAMQOsGteA231ZzJu
G6wKlFAxa0HElgICEr9iDMo479jaKBeazZS72iThXcvcc3QAn+Mixotx6p0K
Dl2AgEZVOO7pXgeUJh794z6Odzse4RNIcykc6sd9Ztcf9yxlRMnHfVKskXsD
gJv0NaeI4jFGYL7D4YCCXLsVVOUejmVcRCx3HHoVKAA8X6SyYSWAYnSRzUqL
WCl62QZs/uCh6GTEDiB0zaWZ0qMRqGzG2rVuPMFBC8AW+84Zhj30VjTgRVwY
h6uno6GJB1/xtNEeYxsuGM6cCHA372LmvAfuqKqHAINWz4AkZ+q7eAkBK05e
+F5MMfDMBEHeodDkJB/YLEXfMxiLbNO0xatdx1qEJk0JBxxSM5ipYAmzICcn
A5imFEQqPaTsVXDaMoIGAmHLk0ICxjkFjBKVhKGeImRInXyg2seO6hvyAkj3
dzqXun7govfABG8WkZnlQ9bc5J03eTvK6BN5m4Xb4IgEW6YedhBYDIl87BE/
m5j3xq3SQFTkT7J0tYiYDML6nLBpwSMOFEcNPM3yJKPQd9h/pkfRLCmDkZnv
xZa7E1IImKw7AxkkLBy3x8Onzh+HMhz3YmS84QfnK2yBJyByAxqcdhPgIInl
A2RQym7aFAYjR0qwMeclgftkZD4fhwqAbKjbG6vMozbjKBJHMbkNyQsKlHzJ
J2uAC4fK0HYkIaAT1o1uQ91AA4aTc6Tg414+S1MYDKm/RRFF41t1bgvDNdzz
nkhl/M1xeTAuHicckDesMHvDhZj7ejqIMfMf4nO3CZIeHSMBF3ReBI3+gqI3
LhMHGgaU9W/FabAcw7MscjHYcJUcHQggVnkYY3Fo2iKtpTins9IJeigcUh0T
+2UxAFwSkygKCaHRQdZVFJ7HcWdg6yPflbZhhMxQf44H4otjZwKu+Ra8Zmva
BGIMVob6tUHyoofoS1493Ow4Aglpo072phrF0e6NNxgftLNQREZEons+Crzm
HAogqVWInzsIhZ7JwCSNwOJGGYcSz9GUv9kCT90iL2MBu6CaFItTywCvH9T5
n9NyjXfGkDpjvokn+8aR0dnZVeVHms0v5Hjj6KYII/0Fjr5gZ0kGKDadZjmz
hqXK0KqcjTEAOYsVGRR8sJJ8liZgrOBoHkEtFymkV3krAQA/sPA4CvZzJvtp
2sv1A9+xttQjWHEAzi7p96oXj7iYUWusU9zzE67g02RNlERINKAoCI3TpBP3
JAKFgWpYTqcCFxtGrzH7OB0ksyEnJa0gX4nmkJGYM2PSuL5G8gOIiNHEaElC
kL1pGMADDZ2NSPT3ouOZQSfjAizlCALQsavE49W8SGTOTttx62tj5GCWkOzl
TyR5W/8Bfy2+0FcLn0bfs5znZjoYFn1znvyNXLuc//KPbrd7pWpH9j2i7mQK
5hdNeN1XDwgIlJbzvH2wYMfKZUm2gUbIC98FLfsyfd4eIOvNASXPM5CyxSCj
UxvdTpUoFoWEjSySpIxWZCcWWsI4J7vaZWSDHYb5F3eFOU6IiMo0qtnITeKL
PMJJPGPHskjPCOD4oS/oAQemyBw96oNTpWQudns68o1wzYBhYq/IBY50mG1X
KLMJjhU/vnAWy0PvwlqCOEQDbyG2O7xzqIRPLFSfF/MS8fe/PDp3u+8tYRkc
JryFa9yFZfCAwjUYAgGuEkcjldMEBMC4lTiAMbXvzhBjtpNRTs9SG8oUG6YU
S//h1pb6MQIJyfvl+PWs6JKzksS9Zwiz9lcNb9ZimwWrOsbljDFHWpPFICt1
Ha+z8SBnROeS0Miys+6Se7TzHZECIlWmdMp6iJtFCLxcjXlUwm2kki3iIhUH
m42OztWH98eeedkX7otsEwDYRz7SpymKPuyuRBW0757u15bV3+5t8RCt45WX
bhaBOqQnONw87ZZ14DabAk97uyHh1f0SAhg2E1dYVMiyPLawjGfZo1yBadXn
az1QHwoaKawgoKleWKvtzCRsFHVd0zhUrwwTqPgTJjpiLugpZ2KGa8ztsB4s
yZR0Kr/LEylYNSYlEs+l7VYknkyiVPzJGNsyaC3zxSVWeaYYK2DktPrLLFWV
CZPk+CgJsqXmE3KObHY5llV6mUWbYu2yDbTaggrQK6y8uL7eC50/rPLDZbFd
DdNkdcgHNZFABd4euLs2IWq+BNatvxwO/xVgqPnHPC9MVJaAvMZYJXcJaLYY
Iq1ARSwoVnsD758IJ0q2MPQhgCQ3bk8dsFrDjlquxzAS088z6nCGjZOoDscr
y8RwLMgJt0RLJyY4SYp+tng/Mfr+xa8y4SiBjwgoS+HnLNEcnkhZbscpWM3o
DvT3T5gQBT4yISMbLNvwcueaJglQjuIlMhPtqT4B+6BrO/IBNhxWMvnICZ3r
LB9qZBXr7O9FjYSvdC8o9dms1ePgsLKunauRfVe9wfZun+FZaCzgevb31Vnf
HYiRqWA5Pa5IjTjU1xLkC12AyTOM5EALFoIOBLkezPIi/qw9rGtK8xPvFj/V
8VwLtZvxpDkVcwjgvqCss+Y0d/R/RRS28VZYc/M67rqYsa7CU+94iH/dGX7l
ETafoLfluxyhe8w7w7//CO8pGdwejUSoxYb/G4XCqvJguSj4u6XAXyIAlvF+
6ytfne/D4o5QlfXplpdRLMdcGELiSwZ9m5CXPF53wV+3DoJcVSStLI0qgkhS
VZrFUOr9/v+AHDqwrtpkTv4nNiGSJMzbwUSJCify2RsnWgwlq9mxnWKx1OAU
oWVnQD///yP4G47AGMmWQo7NRCckya4f2AeYY1XmjZDvY9nk3Kot1eB/cG4d
lwsE27POM5/N99RxKSyieVf+lgy7xtgXuvXqcpUiZORdxewRSoTtcPESch1K
JRGXbZz7I1O+LSW+UtJJEk/iUkQHTiGpqMj64oluYHI8J65Loo8U+bGROysA
VozxU9RIYkiDcZwMbUw8g4WZWh1x/jWndWDwL4zg99RPMLLmehQTd7fTsHRZ
lDFQi9/DUig6b9i+F9GyEfmejSlySHeKvlibdOANaUWTSB1DztUUBFi+Tbkz
q7S5MAIJtzXeEUaLTVwO5ifHrgzPezcu/DAzDVaFmU2wbPgdxIsk2NRtJF5x
ozwaY3rBYtJlb4jZMB6NHxVE7Cbx6nAUKfiMM87CDJ8X1p96bJzHxJIeVFmP
T9VJlbtZPccrCZPAIJeZGBYZ1sDyWZpsGXG3c6zdZUWFrDgowykrhW9hEmMl
gl/4WUQI46uxpkQAL/mBhIUrkGE3Fpyt4D+fT8eV+nDGo8kKMWFhb0Abo5+6
GpaxFMJ0bZleLdeAC3mDWkhPCyLlzJYwSLVaT1IOSAosrrD0xWFv0XmSOLC5
LjZP28+0ENq1hVD1JA+RVLU6jYqo67hMEEwZYewRkVqte6QcRJR0LjGk8IOg
tuJtNVEs2jaO+nEPID2MEWE5E89LuzGSA3g8bHBCeV8NC5PczM049bI0g5AF
O51PDg7fBsRmbSpZu62NTD3HtgSc1HBGefmh4USxHxY6uSSvwoMYSQzjhyZL
xQ4GKwOrymVq8HhgIA0+SQKTifHIeEjOI4l/SAI12ip5lmCNbVxwXFriKKZq
KuQ4B/SY5BrSk6YjBQBmI0jVrtFjakmPKJLzIYQosWauAWJFUFDql82RgVbL
hWO274UyCBosIDgXUciCej5IUU4V4i4zo5pl3nQEHSPXzMXYFMha/zyqtzQS
EE0KpNS29fwPpJkKB5qvH0ic2QUrJAQNcKSAjNe9g0VZYDkH+eydIKrcEaX0
tjIak1Owd/juxZH68ejl8cnZvhphBtHiSPkPru6mNwctqN0yy170hLqGHeKt
XVQT8MJ2b/tZi2vKiinVXleDamAe9NOij0/1FwftcRBg16P4C+JKRMXWDD1e
DU3qNFIK38n9k+Ez+pqbXir0Tak2FiUhiPuSlkptFYbqA2Xq2AxWOms8TlrD
TWVeADfCuJtOhpVpMQdjycR4fv1bUn88epVHvT/Xm8rTFw6wNUmpKYOlcb2C
F47dBmuGX5cuGuu5+qKzdA2DDzhJ46ReACSYbjmAAN37ll3duts6gNZP3r44
2JAFtcK+L3R3G5uDuRlMCe06HMrbdy821M/cS0i9xK5fNA65gKQJVfvnl+pn
fdFXtl0MbhP7uXwCToj75iZEl5tMkpu8QnjqDShHdPQwi9rDvk1l1uebfjDP
7fPd/F9T8VjpEGb/zBiNLbn2q2PYfly15+sdsSoPN7TDqg+yuNlVZbRKp6va
SE3drfbpHLzqfT4Ln6n6rXMWtZdRa5bLrPHkXFsCGr4nZRrL/Gs1/koWwVm9
teL95qKSaqcaHsFbVePim9vW4DqxbIDH+Oq+NXftXIM6w3Sex5fjUq0PNqha
k/ruqfN8ht5RyhLmQm5yDKOub1uIkKHHcrtwgRC0bg+wYh9HpfQ9XMPQTPhe
D6kf3AV3wcIZqOlEqqSfFl65iFPM3sITRE8DsHF+WKr+sWiFY2oDqXiKyZPN
Brmaglk3iygXpWPKHqhE93fPEw4KtsZMUK5AMw5i1KnZDnqvQe00+/zx7AWg
Oj+A1iAsrMR0A2WzuXsDAwEHvjU5kzf6MkrUKSIAy4n3OuGuPrAWuv2FYKg8
sG7YUonDaO1Ykqy6i3ltGwakBG1tBkdfEo6JcDw+ODng4toCnfRMZbbZyCib
GeBIvgWpPjZDGA/vEg9rrqh7YmVx2GIrBt5OC+PSYNrDJgl0mxpS2HUSpRvt
wpT5ck2aKCfkYyBjEsUIli0/A3hrR6N4maMXZORj6z2VEHiB0GJM526TfmHA
4dcfs/yq8h+UJai/RQ6GvfYS2YaL6qu7dNA0YhX+Pxn2fV+LvY+Xhm0vTf3L
s0WLRcPmNl7jV1xY6Vp1yVNACZ2DsPfS9IBh59RxacpxCmXlFTub1rAebw0J
cY2cTmto71TMNz8xhis57Bix81Rymc4dkmTMIPVcGWNdckXX7YkvBI6VnMuU
txhUvJiEI6IadUmd2BY4XzuN4UPvSO5V7ENZgRYWvusNn/ZRo+bItA45B4Sg
5M84EmtVPk4TM1nL7YVpy+3FhHaAUrqoCCbJ8GxEagvoxWnhOIRZhZdvKiRM
aVy19DVZIRdgWgWmPdTYWG/YRTOum+VdZDPrvR7vzaUIr5Gq3WfdYG1DSQdC
9Q/Vpmqi1QYhcHGA5GvG8HKZ1zZk08JJKD3cXKmfBvKzIOvWEXFjbq2fmGqH
cNrfgjRb1liuTDqjM14w7Y87Y7kxDEAoXurtDL3X2ooEK3R3TRarGwGVoRhj
rFy5afU8WgClyZJNyAWjHpkL5G4IzW/E1j46eXG2L/mgD1iWgsFUgBIkWbQu
lEYS99/fvmmDbGeR2WrRA9U6V5aoEnR3Oa2UQyqZo9gG1ApeXK75wUxi52iz
XBa3wu7jJ0+ohp1WDCP2a1mwKxnsLRkeNahDtpr6tMvjo7OXLZgfDKDNg2cV
x4xkwQLPxRVap0HPwE8A5TtXTvCm+0Is0BsEQHitFQ5uASkVS1s7mNjuQ7Wi
83iwJ+Aa98sJdfhdDLS32HYuMm5T3Mn3Sp3QYwSI+x7GKdnbfXKdtGxP2b6l
Bgdfm7576CdIn9wTvl6WtdX6Mdf5xBTDtdoLJvShXk8jpwRnQNJjIPQv/VZf
1dOwWy1vwGM7Od58/7RuoOB3Xt1HlZDDOglX9OY3caUuBGL7BWnuy9thsVVn
+o5JH0xruxTOnkSFBcVzHlHNJEVYXPkKWrmfM2CmBfBIHAXrLCuFE1fUis/Z
iyMwvSsubuNi73HjHLe7oPLJBwZ8vogGn7CfH+xsMoXlUN8+ZKTWorZuZbOp
A9LLB3NbRJdSszKj9rt5yWJFdcMoAqvm3VtFAJ30n0l/Z1j06HRNzWrH1mnS
TGCHD0xyjPEPp8ZTYIxLF47EHJ/byk560tkYxPTcC7/UKwtNfLOS1i65RQIv
0YzQuSCVtbkeaOzcUG9IgBg5S13VRBVE8DNFy8iGd4CjilKQshy+ox4OfrXB
WlE5Tg60nGG8FEmySjuqksbP/hydmOAGB4MB+akRYNDwyG979h3XH2Hp3tOn
W67Y5JYyPF8QOP+R684qyg2Z1jC3bWCFWVoUApD2KNRamXvpNXVUBjSaDcZG
W28OxZyaQpt1cQ6b8IsUyi6sjSWdvtC3rUGtb2/IgVKKCTpOMIAzoK6lILAL
ctwm0Rz7G7BtdMa/no01IP/62dmrDSmPfLjDEYrzN2dBS5MyKbr5aPDk4cPH
F3Fh4hT//HB8KA8+3draMo1y13fsgmg1cECY2IdOIWTbXu82OsdlEazbw1c4
SlD2aetBTPaiCQ8hXaAnIR7Mkih3xXhkudkTwPATd6ahdARXw0El79LmETbz
GbgoUeuCcZrqq6TVb+l1JtUBqgZR3LK5bWkTtzHpJmCoZbaej1wjp4f+AsQb
ZZZs11jpbGVSBir1jmq1BhLA4rKiKQmnsR0JLd2lDclRqjH16yULFbNJP8mh
AAyAMGdJCluyzTBFaZPW5zQgozk84InO5l6slSURDyiRPw2w6x1VTdMCyLw5
iynbrbHiPsrDzNcyqPVvbsXC+WNyeLYIkdCVxCkMY3ULbodt+Db6NQsbYEKn
hZ8ko6v+YCPdlQmCC9ceBFzbFgDWEMTDoXXxvXmlaqZQzeNo7tfHYdvKDUZS
aVJIHCsInxeCvw00IN3KUe8g0cOJPFhfdkgtVa8fAPF2qb3qDXfbrLZS5Xwn
p5rG9JTppMptFkRb82+ZkC+cO0Zy/ky1nUmlw5Tyevzgz15zax6LulD6nakd
5VNjARwh7GpN5m8b9Kyx19+YDt82qK437kDxW0oaQZYPxbtMQp0dFUWw0UoG
zsDfAibWWfkhuVRtSlwagSHTpZ/bijxK7YvRkHOaQAGTXzZsJgnVkdoMISZd
6vidzKmnPcOfpzPlp5zwJwj8LaiR/DPDkttaeSFWmWm7ox6xnHqCCJ8BT0Tt
Bn37xiJzkKjAgVSXuFb57yp71qx+xRtcM2v72Xg1AuitVSC1xk4oPiC/U4vf
PRs7u9DZSleWLLVNRJx2J5uVgl/OkwRLG1RVLGQ37xW5MgNiE/rok+jTtePj
KigwLtUUX09Cuq504KjsVzpZhQ3GJGsD2D+zLyCR2nMKsZlL9rzK6XI8K2zH
eGkrxA1R6pCTAagnuEkxCZ6njvPYwqWK9DkFOkwdaGzbxEnZNw2EDWZLzp0V
4rRd48OO9tTcM1yxR+brfiXvU6PCcm9Hk1/sjif2atxrmBUk7tqIDI7ASlEx
RoXkwpVnR0XDUvku4r3Y9D/KP4nfy3DgBemkgC1kyqGxxo57aSEuSrxzXtdP
qmllC1GMhqjsncvZizVpnux3uBaN+KDe4brLiV+4EHUk2Z6Gye/cSMMQ6QWy
C+Kq8lILz0gw4tBTu+EgU5fBYXeMCcpSXOUydVBxTYh5mOWgN3Q8L7DddTK3
rQ/MCRhORLGJgmMx5kmu+iDzmr2nKYUJMBQ7nxLsDCPwEzspx57fCoEWr16h
TaFXfiS/XOJLjkinIA+yzS8OuDiuxEpH1v1MCiZr6NLlAe8jLBgYa3zQEBry
Uy65MAcHMc0ETPqdSTCnZZnglQEYafBey8wBt49LNTecNy8U8QDfCcx/8guQ
yJccMb4XxzDJcdxsVBI+rXHbRHzEnhxXt1oaiWY/WZQZA3brpXctUG/GgHeL
8Sr1PRKKL1gyFTJcyJVMrp2fREv2lrzaQdpBn5sxvTeDMJNoGtG9FcK+AUSi
5S0VSj6XHg8oyNrD8SmWQlGuOaob1DRi+MwtA/s2k3hcRyTfWGFFxgKXtrcS
DI4rR+FNQShTG3fRNq+4dEBah7e8ILDDPyNYXeyyQQNn4LiyEmdGGg4XduI/
CDrxv6dO/IaV7TIr+4DpkogH7PX3WBVG7kCxishjw8wMKIY4LtwY2QxRk1vK
0nGd2YQRXju9R1Z/J3vbCi/uwhYYbZGfgU15nKh3zrCXP5+84Y6EqMHeTNdW
eXWJM69xa1hFQVH9aR5/BqXgUhcbJuQaS5xemCfyBNxdOqxwbY7ukHW/SaAi
zmJ8QFZlkbdMpPqK7uVbTdTYbO0SwyCYU+K8CW5ltgce2WmL3qpgAMOZ+YUd
UnwV1VdhEW4Er1tw+QSNJQe2r9Hp3V63YLDr4Y1hRXC549rFWhcdCdBHu9SY
JBZhZSUCpXAj9NGLlqP3h3kvz2gxB1AGgAur8trMgCo2iCQKEZeuzmSc4Ts2
6MhNIDwYTtgx3eahphnPvnfFTcXVqbQ99j+wy5UurRXBeyqCl3XMK/KacW2u
gvcpOW5eKWqgBQYrq4ktWoFptGzb3b49/2DaNHLpkE/q5nmQ8plTJS0wA13F
CCL0xjmHp1HY8TmY3tVNeP1TzMbdUCSPBPT2RQBupTae25WEC5N55Tm7bY9C
dIx9KY2FA2ugxGvR4ApnvsPZOOT/UYK59k0Qxt9sfYLk5NFmFMSqJJkRGfrZ
cGuFFxdmrTh0yBtvrB3JFC3ZxqDUfxbfeoj1QNafQtICzGBAVXwhkp4m2Zxb
zgAl4jvCuLkNxx6DwamXsjQpJEuGTsG2G8YHu1e5vN+z+u4Rfi+huO3OgyDe
iCu6gQW4DCvuiznOMU2Guz87UPaD/nVmjV1kj10JNbdWyhKXJ/vuST8NXH/p
zvJpkAgOCA6IM5+WXZAA4zDXGH8cjCWNqtWUDXxkiO44HUgGWJDva7Kyo9Ls
CRNS+cZaQuqBqxwTOKA8BRsEKGS2SARX887aLvFsSUKMyTwTYP4tiWcGFtTT
wp1HsSRNx3tgxIV+izeNT5Ay6fAD/1CxayNStJdmoJwF3UXty5VYMnqL7dlh
uDETWkTXdhjSyjACkF4+sxeb5iOQm9y4CMzcGCwAHs0Lchtb0M3vpr/xl+FN
cc/VnBrWBdJiBoB1r0XzxxY+uWwpUs3C5ZaVteh0NjHlMtfe7HiddZVn1avT
7ErntascJ61dvkQryl29Wf0InG9b8cr9N8ws2zIiCqGl208d4xYu4MBimoSA
UIrim7nYfxRVp23GugUnvWjWANtXwj1/ATfhUqYAKHzfTX05zCz7jpeutLL3
ekBvzwFjHR/MQEedjtl3QYMYJd/Mu2RpqL13vxpUPplWKIPMA5pA6GIRrHwC
YVcudlG8hVArLTnuwE+IXZgeHzATx1jwt0ssbJPgv7/NxQzGJKLZ5B5XbcSS
Cd8qxokP2mP7oWHgtxrmvn/iETOXG/rfeypT4bUxNa4S7abPzfRtj0+3xcqs
tvq2XqqFDQVdeoIpOnAZnsHrADkSIOUMXK7udUcEXabampDUcrst1PHJsCox
MySbhJE9iayEWTRYLSylBfSaLnqbkpfdEafBek3G2PPwD99rctRXax/XSJ9T
Vp+bymvBUItTlYeet1p7+XSgQLkqQOh24+Hz9vbWtqSLfpkkafF8UVme1Lf1
0XuKKVBtrOGxjaNvedhlpfllcu2ASGmEPmXDrjCOWAcfgyHu9mcTNttcjrRn
L+z7Obl7m+4631fMLjB1ujuK0dkmtUxqz9eGPHA0KK+bMtBm00h7NXSm2/c2
Daz3W3ubcIr7fJhdfEPbfMGR3u9Q73+gsoPVIdHyzx6TEleY0SXufM3pe0k/
MgpO37eDP5eXVNjjZY20ehP5B/ftOvZQkuwHHpu9TbrmbvF1sQVzhi4fmnlv
8yt2603pLcTX8njKvc3gmrsVj2zfm5/3iZZXge7mie5uV/cJNxn5vv/No29y
LA8qnm9vwd83k3kRJeX2zu7DR4+/e/L0m+Thj78fbE83n/zR++Pwl9e9W7e6
M33zx+/vH00OX492Lk6/G7yZ/vLzJD387tUfT/Y27bRu/ZvhBva4VnzpgTdv
c2fpNre/2Rzjrv74JroYDPXI7nCLv6+0NhD2+4b14OfwF3qD7JADmMHve+xy
vAVfq3vkHZKCTpsslqHr/inex7qbIOUKmEWDfwVm7d4KcoSxAbmF+PZfBvLb
wc0DCstjbu1xambR+663/kKNyTbcv4+G1r5phZnbd9Puam2dUb3zuj3frt7Z
ie+i391LvatmptaUvK/Q79Dn9frs3YmLSka+2byoU3wwPfvM2A2h00E2bPC0
mUDJo96OF+Wnzln/s1VMbNW/aVLpN4fFZmO/AdGuNutewf6t3N9Doe/rNPTq
/Px0c7u33XqVYXm956JrYW7oFK5F/MpBBCHXl+Ky/vF7gS8na5nn1c7Wlnr3
b60XgN599VMed9RT9TriKlC1/aj/6HF/d0u9fHveYv+ynasr75U85JTN7jmY
hksnPcTkv66krPZVmnUHeKV1dB5d9lU7+u6h1qPB06e70c5Fu/UGINh9K12A
MU8t7ahH3soe9rd2+tsPaWUtNFDbDUD2ybAvZmz7B/tRLcmSdvIEbieBwlYm
1161WbPrq3/JQM5EDsa/wxyoZDl73JV4sYMGAeTrS23vBk881e5jEebf/UN4
+z1W6qBRXaov/uxS/MnxQDyohZALdhuoXd4QdJORdnjjHdSu1ZRLUs6W6F6+
RXfTWbyTKh7cG8K1iRaAaWcpmG5T24Jt2c+/eocHigGeXZuZGuZe+npa+1fj
jun8ZTSxGNPM/j2lbglJVFW69hKcpRG/Hmd3bz2MZQrdfQ6jfhD076++XwwV
s8XKjtPM7qNeGdWM6h69PsDu9RZSSfzAtB3EkjZWH2QW0hmWudo4eXqZuiYN
M/nt4VeZ4dRh1+GY8roralrYyb23JJu/5GYcHOUKBvHeNO23f22bnBn7TkRK
NYy5GZZXjl5rAymdGzstmygl2Rai+8gyQ9mwqIV5y4ZHq7n+vJJKa/CAijij
k2jBHx6erfAgWByV2jlNrMwuLxMsgX7HNcTVeST9JaTETlUEMPn6LcdpRUgH
zl29YY92CUTu0NWcIE61C3ReXs7J7djRIuzwGVTlXBZgBYXdYc+tIJ8haNHN
b/SlvNRm7NvoqEUI06q1gDfw94+74Tjc2d8C+mDLYqHfG+ZBlk+1A7B9lF6v
y721waL7m7hKyEv8Nuim3Xi9tzqFLxxnCY7LO3jbDvOdy2L3kEXeHFbB6aCv
dMvah5zLFTzoTqQdzIZIbN6BCtsxRTXZdC5WHfWmr1izbjdhQ84OvfkMc8MM
nGyfesr6mfvlB9mozgeQlywgF9ieSRq7ZYDFdN/YyJQ4YqWjChbZoAnVsqHF
Bk5YYXoV5mRSOu0B17rjcjmlxW7/KDj/qcjC98hKP1KsroUDQgu7AmYli+VT
ay1iDWZRtoh4mgOFy1syTZNc4mTMyIOeuMvePwv6zWzC2fAtym0qY359vW0T
5bk9MPPm3PCvtn39QWyKmSvHyFzEg+8dqM/nLfY8vA6058hvSgd+wRODzHSy
VcWhaXlwiAeFX4Zin7R0WJFowesTJL/If4VCjagbsc7KEw/H6hjmIxjvsOWT
pVNPnZuIiqr4bYZtG6Jue6/Apukrm+oxpcaFfV0g1rlSH2YjaJqnldf+LZ5y
o1Vli81r2Gn3qtREHA0zfBcQlBwY6osVPTFgcJYJ2VbrV9Gcu7zTUFRnSZxo
lX7+CwWajb2LVLMvMfrb9OUwEF8R7LYr/nLivCNdfgVZGgzy3xHSsrKmvP/R
195MVT3/+x8/9SPOCm2H9ntae0zxPECAynskvCNo0LEWHkDrDgewDPxEmP/3
gRzI8Ih6RLwXVzHlwZoOI+9YVwiTygO7Vzqh1FJrtZebawoY1wrT1CRsCr2o
ZTzSb9jAov6+V9/7j22fkH+XlVRcm5+NLNOEXYLeCl7XhoCr0Ox1TmIuy8uS
6JUAf38Wx85XZHGge0TquCSeVUb5pS5trEuQzuYt+D/v+Q/eKfjvhdmC0CVd
uT2QXo0zUuLgwjhjJTpaDdjhJbeRvc0AJLfmW4C+8TUJFzgsYY2sRF7SO58C
BFzQABblrgc3Rpf7wWt87Z0mXCk3FljDBoxun76au+xV/1asF1/x+HxQMpT/
hQf1vCILfw1ORkDuJgtmF+jiAvpJlF4+b+vUznfMWw2TVFnzMnVXxEMJR20v
QqnU+ookCr/eLli+rJYRxzvL5cFf5l3LAr7vDAtcFLQlCy1k0ORp/CtZzenB
+eGrhniea3fXN9xhUZRpAcx9jHke4EqAKcvieSsH2BaGwaoubmIi7daNFwas
vGX7rpMStGxnMTp1L+JG35uDZY7aKV7k5vE98JbQ8Z7wXd61uwyhkz+e5q3d
Qm0i4OeFZ1kn87WVSSo447WQH9SXIlSFq1mR4ldZSDNX8EnbxBduCxFU6Lcp
LHBfAsbiJemEdhx2QiO7J7jCWbgnWalNljsSs+msfgpaZGHepRYU52DhYZZz
24KLpNpbSaIEUYJ50thkwr0oixKmTUekKKn2agtf9MMd86TDxe7L01N1fqZ2
d3rbjx6DynR+xh9Fh9p50nu8s0vX+ePNTZ+oLs617WdNdeB2ctMIQWY4Pv/Q
PedGKArP4vx999HuNo5IH2AeIEL0XynKNXHt8Lg8mhEL1GocDRRqKo8J00BM
t44j6WbfN01CuasKNUwI1/TLbBKd5tntN55kn+Kob7d22+2vqDf/6vcfYoNB
gY2UzREkQGNGJCm5afok6CtVyLOvZ2kG+v6Z0+AjNWYvIdWhLlDRbZ9v6bX/
Ow7TlbBOQW3gDgbYsB5+vOQTvu4zpumhyVUzL0uJ0k9kGPwb2lI/RyUcSYeS
Ht7E6fAiiYb4DU5EnWEFvO6o9xmMA7fiKwTg1oMUEPnHWMORc9ur1zMNvADu
H4wznV5FOhmiYwcIcYzcPhrjjfAYWEpgmZ0BaPJClx31JpupH/FRuPl1BiSd
IBOxr8s6G2Rlia+pKEYxDElmBRZyaayh4/AAQ1EaHWY5ds1W1O1YXkcfti4K
dn8KRHiATW8Q+awTFo/sxbvD83fvz2Su6nNvozHsS73WYCKlEXqGY/v0wQv7
0H8C9vBz69ivAAA=

-->

</rfc>
