From owner-freebsd-questions@freebsd.org  Sat Jul 11 20:22:43 2020
Return-Path: <owner-freebsd-questions@freebsd.org>
Delivered-To: freebsd-questions@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id EB15236FBE0
 for <freebsd-questions@mailman.nyi.freebsd.org>;
 Sat, 11 Jul 2020 20:22:43 +0000 (UTC) (envelope-from jon@radel.com)
Received: from radel.com (fly.radel.com [70.184.242.170])
 (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
 (Client CN "*.radel.com", Issuer "GoGetSSL RSA DV CA" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4B41YZ6gsPz4XCX
 for <freebsd-questions@freebsd.org>; Sat, 11 Jul 2020 20:22:42 +0000 (UTC)
 (envelope-from jon@radel.com)
X-CGP-ClamAV-Result: CLEAN
X-VirusScanner: Niversoft's CGPClamav Helper v1.19.2 (ClamAV engine v0.99.2)
X-ExtFilter: Niversoft's DomainKeys Helper
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; d=radel.com; s=20170108.radel;
 h=Subject:To:References:From:Message-ID:Date:User-Agent:
 MIME-Version:In-Reply-To:Content-Type;
 b=lSwaj4AO9cmjci5Gg0nZ7E7HsIWDC1+qy5JmKJCOqMWI9Dj/Cq2yJsLH0svT2SgLjx
 eq4buVWB0ZVX0MPqFwr4YKulZssbcAAnW3vPBVhgYA888pKBMDdQJVP9OQnQ3MQsbllE
 QQDripVGL773bpiaMvwpRjkGew6athUNdusvTF0WvuXyTJmOcZMX32uCGRPbmJyNSfcy
 Nm1Bot35YjTh7S9E1TNPrwdj9TWNHSKxA0cILPi99e8Ca4Krhh87x1SdAcCDQOdRE17J
 aAQyKvDtJppjSmU96Xy5h1eH8l7KlvFeW82qsxK+3z54pVnjdqa088Wf1KMDnB5hkjc0
 v0rw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=radel.com; s=20170108.radel; t=1594498955; x=1595103755;
 q=dns/txt; h=Subject:To:References:From:Message-ID:Date:
 User-Agent:MIME-Version:In-Reply-To:Content-Type; bh=I5W3b/kwy8d
 FKEcdofTnaAtW49bmvVV4d+WTO1xu4UE=; b=M2umIgsvTKY9U4VPOo+8WslMx79
 Qy9atUdjuLZFmPzYITEOuV15SkuT3Z/HWiOgHCkjBWEF0jyh1uhUHKuO15dx/cbF
 8aGArE8F07VBt1g4tzKBrhkTkOXlzp4DUuWhQcrTuog/KDVRS5SRR39eKof2LRai
 7oZAkvCqLZeAxAHKnlKlFX5K0RS3uWndpsTVMdzd9mQoSYD1xXzQdwtVSiRmKR3V
 VjGGhZcC4butJE7hUUROSUQczR7E40gYP4HhNNhjVepnwOMRAXmTeh5M7T3jrASK
 oKhjOKut+S0/JXMz8wCd1lHC+WwALqTKuZUY2vF3UrVVn93SWRBYzvn561g==
Received: from [2001:470:880a:4389:9181:2e3a:4973:7a42] (account jon@radel.com
 HELO haralson.local)
 by radel.com (CommuniGate Pro SMTP 6.1.14 _community_)
 with ESMTPSA id 2189386 for freebsd-questions@freebsd.org;
 Sat, 11 Jul 2020 20:22:35 +0000
Subject: Re: trouble setting up ipv6
To: freebsd-questions@freebsd.org
References: <5F088CAE.2090400@gmail.com>
 <a8339776-478e-2274-428e-5f451c06f0dc@radel.com> <5F08A3BA.8060401@gmail.com>
 <f63ed225-5b6a-765e-aee3-259469bd8609@radel.com> <5F08D889.8080708@gmail.com>
 <b80af7d7-e7fc-b6aa-2df1-b2969f9cbf65@radel.com> <5F0A0808.9070802@gmail.com>
From: Jon Radel <jon@radel.com>
Message-ID: <b1b46043-cfc1-93a6-ced6-2f00d6b70d37@radel.com>
Date: Sat, 11 Jul 2020 16:22:35 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0)
 Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <5F0A0808.9070802@gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256; boundary="------------ms070401080209020805050604"
X-Rspamd-Queue-Id: 4B41YZ6gsPz4XCX
X-Spamd-Bar: ----
Authentication-Results: mx1.freebsd.org;
 dkim=pass header.d=radel.com header.s=20170108.radel header.b=M2umIgsv;
 dmarc=pass (policy=none) header.from=radel.com;
 spf=pass (mx1.freebsd.org: domain of jon@radel.com designates 70.184.242.170
 as permitted sender) smtp.mailfrom=jon@radel.com
X-Spamd-Result: default: False [-4.21 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[];
 ARC_NA(0.00)[];
 R_DKIM_ALLOW(-0.20)[radel.com:s=20170108.radel];
 MID_RHS_MATCH_FROM(0.00)[]; FROM_HAS_DN(0.00)[];
 SIGNED_SMIME(-2.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[];
 R_SPF_ALLOW(-0.20)[+ip4:70.184.242.160/28];
 MIME_GOOD(-0.20)[multipart/signed,text/plain];
 TO_DN_NONE(0.00)[]; HFILTER_HELO_IP_A(1.00)[radel.com];
 HAS_ATTACHMENT(0.00)[]; RCPT_COUNT_ONE(0.00)[1];
 NEURAL_HAM_LONG(-1.02)[-1.020];
 NEURAL_HAM_MEDIUM(-1.02)[-1.017];
 DKIM_TRACE(0.00)[radel.com:+];
 DMARC_POLICY_ALLOW(-0.50)[radel.com,none];
 NEURAL_HAM_SHORT(-0.08)[-0.077]; FROM_EQ_ENVFROM(0.00)[];
 MIME_TRACE(0.00)[0:+,1:+,2:~];
 ASN(0.00)[asn:22773, ipnet:70.184.240.0/21, country:US];
 RCVD_COUNT_TWO(0.00)[2]; RCVD_TLS_ALL(0.00)[]
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.33
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions/>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Jul 2020 20:22:44 -0000

This is a cryptographically signed message in MIME format.

--------------ms070401080209020805050604
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US


>>> ifconfig_vtnet0_ipv6=3D"inet6 accept_rtadv"
>>> gateway_enable=3D"YES"
>>> ipv6_gateway_enable=3D"YES"=20
>> The last line sets your FreeBSD machine up as a router.=C2=A0 If a dev=
ice is
>> a router, it completely ignores, by design, routing information from
>> incoming RAs.
>>
>> So I think your two primary choices are to, if you don't need the
>> FreeBSD machine to route ipv6, remove the
>>
>> ipv6_gateway_enable=3D"YES"
>>
>> and if you do want the machine to route, explicitly set a default
>> gateway
>>
>> ipv6_defaultrouter=3D"fe80::1"
>>
>> Either should give you a usable routing table.
>>
>>
>>
Your followup makes clear that you want to route ipv6 traffic on your
host, so

ipv6_defaultrouter=3D"fe80::1"

would almost certainly be worth putting in your rc.conf.

You could

ping6 fe80::1

before changing anything; as a sanity check.=A0=A0 Based on other things
you've sent, that should work fine.

That may be all you need.

>
>
> The production system is running 12.1-p6 on real hardware using only
> ipv4 addresses. This production system has many non-vnet jails and a
> few vnet jails that use the bridge/epair method with private ipv6
> addresses that get NATed by the ipf firewall NAT service. All the
> jails have public internet access. There is also a cabled/wifi LAN
> behind the gateway host. This current environment has been running for
> 10+ years now. Qjail is used to create and administrate the non-vnet
> jails. The vnet jails are defined in jail.conf and use the native
> "service jail" command for start/stop/restart.
Personally, I'd avoid private ipv6 addresses entirely if you mean
addresses in fd00::/8 or fec0::/10, and use only public addresses.=A0
Assuming your ISP hasn't done something obnoxious such as giving you a
single /64 and you're not subject to local NAT=3D=3Dsecurity rules.
>
> Ipv6 has been available for 2 years now and with the current pandemic
> there is time to add ipv6 support to the production system first
> working out the details using the development vm system.
I can only imagine you mean that ipv6 transit has been provided by your
ISP for 2 years.=A0 ipv6 itself has been loose in the wild for a lot
longer than that.
>
> Now about ipv6. It's my understanding that the gateway host primary
> interface connects to the ISP and through them to the public internet
> gets automatically assigned a static/permanent ipv6 address by just
> having this statement in the hosts rc.conf.
> ifconfig_vtnet0_ipv6=3D"inet6 accept_rtadv"
Could well be.=A0 Ask your ISP what they actually do, but that would be a=

standard and dull way of doing it.
>
> vtnet0: flags=3D8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0
> mtu
> options=3D6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_H=
WCSUM,
> TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
> =A0=A0=A0=A0=A0=A0=A0 ether f2:3c:92:bc:54:37
> =A0=A0=A0=A0=A0=A0=A0 inet6 fe80::f03c:92ff:febc:5437%vtnet0 prefixlen =
64 scopeid 0x1
> =A0=A0=A0=A0=A0=A0=A0 inet xx.xx.xx.x netmask 0xffffff00 broadcast xx.x=
x.xx.255
> =A0=A0=A0=A0=A0=A0=A0 media: Ethernet 10Gbase-T <full-duplex>
> =A0=A0=A0=A0=A0=A0=A0 status: active
> =A0=A0=A0=A0=A0=A0=A0 nd6 options=3D23<PERFORMNUD,ACCEPT_RTADV,AUTO_LIN=
KLOCAL>
>
> fe80::f03c:92ff:febc:5437 is what is called the ipv6 prefix

Nope.=A0 That's an ipv6 address.=A0 It's a link-local address associated
with the vtnet0 interface, to be precise.=A0 Link-local addresses in
fe80::/10 are valid only on a single LAN or link and are completely
non-routable.=A0 That's why FreeBSD reports it as
fe80::f03c:92ff:febc:5437%vtnet0 -- it's only valid on vtnet0.=A0 The
machine could also have a fe80::f03c:92ff:febc:5437 address on another
interface, but the addresses wouldn't actually have anything to do with
each other.=A0 Normally, these addresses happen automatically and allow
the interface to talk locally, which you don't want to break.=A0 These
should always happen automatically by default once you turn on ipv6, and
you really don't want to break them if you want to do ipv6 at all.

One big thing you have to get used to with ipv6 is that your interfaces
will almost certainly have many addresses.

However, my suggestion is, assuming an ample supply of addresses from
your ISP (it'd be nice if they gave you at least a /56), is that you
explicitly assign a public /64 to every LAN you have and then explicitly
and statically assign addresses to every device acting as a router and
every device acting as server.=A0 Personally, I find life easier and less=

confusing if devices I need to put in DNS or routing tables have
addresses more along the lines of 2600:3c02::1, 2600:3c02::2, etc.

If Linode is giving you a single /64, or a single virtual server with a
single address in a shared /64, then life becomes more complicated and
outside the scope of this discussion.

>
>
> Now this is about the end of my ipv6 knowledge.
There are plenty of tutorials out there.
>
>
>
> This is were I am requesting your advice on how to configure this. I
> think the host needs a ipv6 router service because without one I was
> not able to ping6 anything.
>
Yes, it does sound like you want to route.=A0=A0 And maintain your firewa=
ll
with care.

--=20
--Jon Radel
jon@radel.com



--------------ms070401080209020805050604
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCC
C9owggXmMIIDzqADAgECAhBqm+E4O/8ra58B1dm4p1JWMA0GCSqGSIb3DQEBDAUAMIGFMQsw
CQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxm
b3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDErMCkGA1UEAxMiQ09NT0RPIFJTQSBD
ZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xMzAxMTAwMDAwMDBaFw0yODAxMDkyMzU5NTla
MIGXMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQH
EwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDE9MDsGA1UEAxM0Q09NT0RP
IFJTQSBDbGllbnQgQXV0aGVudGljYXRpb24gYW5kIFNlY3VyZSBFbWFpbCBDQTCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAL6znlesKHZ1QBbHOAOY08YYdiFQ8yV5C0y1oNF9
Olg+nKcxLqf2NHbZhGra0D00SOTq9bus3/mxgUsg/Wh/eXQ0pnp8tZ8XZWAnlyKMpjL+qUBy
RjXCA6RQyDMqVaVUkbIr5SU0RDX/kSsKwer3H1pT/HUrBN0X8sKtPTdGX8XAWt/VdMLBrZBl
gvnkCos+KQWWCo63OTTqRvaq8aWccm+KOMjTcE6s2mj6RkalweyDI7X+7U5lNo6jzC8RTXtV
V4/Vwdax720YpMPJQaDaElmOupyTf1Qib+cpukNJnQmwygjD8m046DQkLnpXNCAGjuJy1F5N
ATksUsbfJAr7FLUCAwEAAaOCATwwggE4MB8GA1UdIwQYMBaAFLuvfgI9+qbxPISOre44mOzZ
MjLUMB0GA1UdDgQWBBSCr2yM+MX+lmF86B89K3FIXsSLwDAOBgNVHQ8BAf8EBAMCAYYwEgYD
VR0TAQH/BAgwBgEB/wIBADARBgNVHSAECjAIMAYGBFUdIAAwTAYDVR0fBEUwQzBBoD+gPYY7
aHR0cDovL2NybC5jb21vZG9jYS5jb20vQ09NT0RPUlNBQ2VydGlmaWNhdGlvbkF1dGhvcml0
eS5jcmwwcQYIKwYBBQUHAQEEZTBjMDsGCCsGAQUFBzAChi9odHRwOi8vY3J0LmNvbW9kb2Nh
LmNvbS9DT01PRE9SU0FBZGRUcnVzdENBLmNydDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3Au
Y29tb2RvY2EuY29tMA0GCSqGSIb3DQEBDAUAA4ICAQB4XLKBKDRPPO5fVs6fl1bsj6JrF/bz
9kkIBtTYLzXN30D+03Hj6OxCDBEaIeNmsBhrJmuubvyE7HtoSmR809AgcYboW+rcTNZ/8u/H
v+GTrNI/AhqX2/kiQNxmgUPt/eJPs92Qclj0HnVyy9TnSvGkSDU7I5Px+TbO+88G4zipA2ps
ZaWeEykgzClZlPz1FjTCkk77ZXp5cQYYexE6zeeN4/0OqqoAloFrjAF4o50YJafX8mnahjp3
I2Y2mkjhk0xQfhNqbzlLWPoT3m7j7U26u7zg6swjOq8hITYc3/np5tM5aVyu6t99p17bTbY7
+1RTWBviN9YJzK8HxzObXYWBf/L+VGOYNsQDTxAk0Hbvb1j6KjUhg7fO294F29QIhhmiNOr8
4JHoy+fNLpfvYc/Q9EtFOI5ISYgOxLk3nD/whbUe9rmEQXLp8MB933Ij474gwwCPUpwv9mj2
PMnXoc7mbrS22XUSeTwxCTP9bcmUdp4jmIoWfhQm7X9w/Zgddg+JZ/YnIHOwsGsaTUgj7fIv
xqith7DoJC91WJ8Lce3CVJqb1XWeKIJ84F7YLXZN0oa7TktYgDdmQVxYkZo1c5noaDKH9Oq9
cbm/vOYRUM1cWcef20Wkyk5S/GFyyPJwG0fR1nRas3DqAf4cXxMiEKcff7PNa4M3RGTqH0pW
R8p6EjCCBewwggTUoAMCAQICEHQDryTAYaEsgncP8aGW6o4wDQYJKoZIhvcNAQELBQAwgZcx
CzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1Nh
bGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMT0wOwYDVQQDEzRDT01PRE8gUlNB
IENsaWVudCBBdXRoZW50aWNhdGlvbiBhbmQgU2VjdXJlIEVtYWlsIENBMB4XDTE4MDMwNDAw
MDAwMFoXDTIxMDMwMzIzNTk1OVowgfoxCzAJBgNVBAYTAlVTMQ4wDAYDVQQREwUyMjE1MDEL
MAkGA1UECBMCVkExFDASBgNVBAcTC1NwcmluZ2ZpZWxkMRowGAYDVQQJExE2OTE3IFJpZGdl
d2F5IERyLjEVMBMGA1UEChMMSm9uIFQuIFJhZGVsMTIwMAYDVQQLEylJc3N1ZWQgdGhyb3Vn
aCBKb24gVC4gUmFkZWwgRS1QS0kgTWFuYWdlcjEfMB0GA1UECxMWQ29ycG9yYXRlIFNlY3Vy
ZSBFbWFpbDESMBAGA1UEAxMJSm9uIFJhZGVsMRwwGgYJKoZIhvcNAQkBFg1qb25AcmFkZWwu
Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtK/dFQxMTnVPcP1TI09m30v8
rSG/VWSFWfFvu/2jzPkNL+ivx6A4LNUbqw4CS73GIKcbp8IrpNQz2oQV6mTv+KVJzJMf8GjA
y8EzZjhc2tAXL+Q57omCTuAc6cw2KDYFL0aNWX4CEe/LqfoBDKpJF7HCrwwus55+tTEkAY8j
tRkQRMHf47YQVJjD/4pdC/h+7jjI0oSgh1npT7Q3K47g6IkVzjhiH8LCsCSVYaLzRZfgcl3s
0GLE858PV/84l5d/hUVD0u9J2EdKpf+hnFqZnA3qw9R0xFQIE6yOkUvhALw1zxXaiGj0047a
gBE2Bhv2UIlj6Q0zPa5kRYDy9vBI6QIDAQABo4IBzTCCAckwHwYDVR0jBBgwFoAUgq9sjPjF
/pZhfOgfPStxSF7Ei8AwHQYDVR0OBBYEFHS/Ewun4pYC9Lla5kkmj4zo7tKcMA4GA1UdDwEB
/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEFBQcDAjBG
BgNVHSAEPzA9MDsGDCsGAQQBsjEBAgEDBTArMCkGCCsGAQUFBwIBFh1odHRwczovL3NlY3Vy
ZS5jb21vZG8ubmV0L0NQUzBaBgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3JsLmNvbW9kb2Nh
LmNvbS9DT01PRE9SU0FDbGllbnRBdXRoZW50aWNhdGlvbmFuZFNlY3VyZUVtYWlsQ0EuY3Js
MIGLBggrBgEFBQcBAQR/MH0wVQYIKwYBBQUHMAKGSWh0dHA6Ly9jcnQuY29tb2RvY2EuY29t
L0NPTU9ET1JTQUNsaWVudEF1dGhlbnRpY2F0aW9uYW5kU2VjdXJlRW1haWxDQS5jcnQwJAYI
KwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTAYBgNVHREEETAPgQ1qb25AcmFk
ZWwuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBUNLBptNFZRBkOUPOCI9TPM6QauLK6jojtbxZO
XWvZfKvq8ukWUZTPtaDS5UjsMhlxLf/Crv8HkiVXSzC36cVQyjNjl1u+u/Sbl/6q/TfQk+aK
5jzDd4onQVzlfE33ymtZJgh+4dMPWKuXjRS0OyMLzv3mYCvFO83l1G9rBiaCEfFJHKgVGY1z
3ZU/gsPCQ2a0xf3908lwl5H3SPB3ZzLWDf41o5zV70HXfsgP862KzxU9t46XBGZ8TRl/5fl+
Xj2KQdpyWlNZUS00/UHznxeFO5+bkNaOg24BjwfBOWi0D47CE+6BRWvtrmgciWxefUuYeeIy
Qr58KK8DlBCkVF06MYIENTCCBDECAQEwgawwgZcxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJH
cmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBD
QSBMaW1pdGVkMT0wOwYDVQQDEzRDT01PRE8gUlNBIENsaWVudCBBdXRoZW50aWNhdGlvbiBh
bmQgU2VjdXJlIEVtYWlsIENBAhB0A68kwGGhLIJ3D/GhluqOMA0GCWCGSAFlAwQCAQUAoIIC
WTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMDA3MTEyMDIy
MzVaMC8GCSqGSIb3DQEJBDEiBCBYHCupqeGCTUy8UnsoyOfIO6GuxdR6vNzInr0twVHIkzBs
BgkqhkiG9w0BCQ8xXzBdMAsGCWCGSAFlAwQBKjALBglghkgBZQMEAQIwCgYIKoZIhvcNAwcw
DgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEo
MIG9BgkrBgEEAYI3EAQxga8wgawwgZcxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVy
IE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1p
dGVkMT0wOwYDVQQDEzRDT01PRE8gUlNBIENsaWVudCBBdXRoZW50aWNhdGlvbiBhbmQgU2Vj
dXJlIEVtYWlsIENBAhB0A68kwGGhLIJ3D/GhluqOMIG/BgsqhkiG9w0BCRACCzGBr6CBrDCB
lzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMH
U2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxPTA7BgNVBAMTNENPTU9ETyBS
U0EgQ2xpZW50IEF1dGhlbnRpY2F0aW9uIGFuZCBTZWN1cmUgRW1haWwgQ0ECEHQDryTAYaEs
gncP8aGW6o4wDQYJKoZIhvcNAQEBBQAEggEAcmSnBkRXoIfUz0jStNlML1V8W1JQphCxtjcD
zwnkr4Bhrb7yg93jvhrf1VvPmpMHAd+M0oFKufgFHDmKvPCw8Vcr8LfLwLF46bHG1RPeA6/7
gzIw2SN+vTI2KUmT7s3HsXlcKFtIxyTf+BJYpqslw025I95NU0KI0zD9FFAN7L5Ks/5PockA
d2U23KkHmhVXLOmORb3oncAE+Ott2ZgVw4gCNsVAoEIlx2XEd3ILp8UppIgPJi4UvcQLaBug
N4iRvap424hUrDuS+p2Y8MlRLylXXEMsQXd4oWafV0sASK9JqpqcRHsy/opuMw1tiCmCO6s/
22VknKpbuOk90Lg/CgAAAAAAAA==
--------------ms070401080209020805050604--