From f039aecbc96493d9acc14ed9ad1d3a0fcf8a5bf7 Mon Sep 17 00:00:00 2001 From: Chris Date: Wed, 15 Oct 2025 16:12:40 -0400 Subject: [PATCH 01/58] adding smart os download for review, and common TPM documenation as a placeholder/starting point. --- docs/concept-tpm.md | 39 +++++++++++++++++++ docs/config-smart-download.md | 73 +++++++++++++++++++++++++++++++++++ sidebars.js | 4 +- 3 files changed, 115 insertions(+), 1 deletion(-) create mode 100644 docs/concept-tpm.md create mode 100644 docs/config-smart-download.md diff --git a/docs/concept-tpm.md b/docs/concept-tpm.md new file mode 100644 index 0000000000..bddbaeb9fa --- /dev/null +++ b/docs/concept-tpm.md @@ -0,0 +1,39 @@ +--- +title: Trusted Platform Module Overview +sidebar_label: Trusted Platform Module +--- + +A Trusted Platform Module (TPM) is a hardware component that ensures your device is running optimally. It serves as a secure storage mechanism for essential security artifacts such as cryptographic keys and digital certificates. + +## TPM-Based Certificates + +Beginning with the SSR 7.1 software release and the SSR4x0 series hardware, you can use the TPM based certificate with the SSR400 and SSR440 Series devices. + +The SSR4x0 uses the TPM-based certificate to ensure secure identification of the device. The device has a burnt-in idev-id certificate on the TPM. The idev-id certificate provides the device's JNPR serial number and model, proving that the device was manufactured in a Juniper facility. Hence, TPM certificate is a secure way for a Juniper device to prove its identity. + +### Benefits of TPM-Based Certificates + +- Provides trust. Helps to establish advanced security in an insecure digital world. +- Provides confidentiality. Data sent is encrypted and only visible to the server and client. +- Provides integrity. Ensures that the data has not been modified during the transfer. + +### How Does a Conventional SSL/TLS Certificate Work? + +Secure Socket Layer (SSL) is a protocol that allows encryption. It helps to secure and authenticate communications between a client and a server. It can also secure email, VoIP, and other communications over unsecured networks. SSL is also referred to as Transport Layer Security (TLS). + +In unsecured HTTP connections, hackers can easily intercept messages between client and server. SSL certificates use a public/private keypair system to initiate the HTTPS protocol. Hence, SSL certificates enable secure connections for users and clients to connect. SSL/TLS works through: + +- Secure communication that begins with a TLS handshake. The two communicating parties open a secure connection and exchange the public key. + +- During the TLS handshake, the two parties generate session keys. The session keys encrypt and decrypt all communications after the TLS handshake. + +- Different session keys encrypt communications in each new session. + +- TLS ensures that the user on the server side, or the website the user is interacting with, is who they claim. + +- TLS also ensures that data has not been altered, since a Message Authentication Code (MAC) is included with transmissions. + +When a signed SSL certificate secures a website, it proves that the organization has verified and authenticated its identity with the trusted third party. When the browser trusts the CA, the browser now trusts that organization’s identity too. + + + diff --git a/docs/config-smart-download.md b/docs/config-smart-download.md new file mode 100644 index 0000000000..c5418ed0d5 --- /dev/null +++ b/docs/config-smart-download.md @@ -0,0 +1,73 @@ +--- +title: Smart Download +sidebar_label: Smart Download +--- + +Sometimes network connections can become unreliable, slow, or just plain break. To mitigate these disruptions, the SSR download process provides the following features for better recovery and control over software downloads. + +* [Failover Resiliency](#download-failover-resiliency) +* [Resumable Download](#resumable-ssr-download) +* [Sequenced HA Download](#sequenced-ha-download) +* [Bandwidth Limiting](#bandwidth-limiting) +* [Show Download Progress](#show-download-progress) + +Downloads that have been stopped either by a manual pause or due to connection issues are able to be resumed, starting from where they left off. + +## Download Failover Resiliency + +SSR images can be downloaded from a variety of sources, depending on software access mode (eg. internet-only, prefer-conductor, conductor-only, offline-mode): the HA peer, both conductor nodes, artifactory, and the mist proxy to artifactory (cloud deployments only). + +To improve resiliency to network connectivity issues, the SSR queries available versions from all sources before beginning the download. It compiles a list of sources where the requested version is available and begins the download. If more than 50% of requests to a source fail within a window of 10 requests, the SSR marks that source unavailable and moves on to the next source. The following priority order is used for sources: + +1. Peer +2. Conductor node 1 +3. Conductor node 2 +4. Artifactory +5. Mist proxy + +Only when the SSR has tried all available sources and reached the consecutive failure threshold on each is the download considered **failed due to connectivity issues**. In that case, an error is reported and the download stopped. + +## Resumable SSR Download + +Downloads can be paused manually using a CLI command, or automatically paused if the connection fails. When manually paused, the process can be continued by manually restarting the download. In the case of a failed connection, the SSR will automatically resume the download when the connection is restored. In both instances, the download resumes from the point where the download was stopped. + +To manually pause a download from the CLI, use the `request system software download pause` command. + +Example: + +``` +request system software download pause version SSR-7.0.1-1 +request system software download pause router Router1 node Node1 version 6.3.6-1 +``` +The GUI also supports pausing and resuming downloads. + +### Auto-resume Download on WAN Failures + +In the event that all sources have reached the threshold of consecutive failures and a download attempt has returned an error, the SSR can be configured to wait for a specified amount of time and then retry the download. If a connection is successfully made, the download will resume where it left off. + +When the timeout is enabled, the SSR waits for a configurable amount of time (default is 10800s) for the download to complete. When the timeout value is reached, the download is marked as **Failed** and the retry delay begins. + +The retry delay time starts lower than the configured time and exponentially backs off up to the configured maximum (default is 3600 seconds). A maximum number of times to retry can also be configured. + +The retry timeout can be disabled. If it is disabled, the download will retry indefinitely. + +Use the command `configure authority router system software-update download enable-timeout [enabled]` to enable auto-resume. The following fields allow you to configure the feature for your needs: + +- `enable-timeout`: True/false, default is true. This enables a time limit for the overall download. +- `timeout`: Amount of time in seconds that the SSR waits for the software download to complete. When the timeout value is reached the download is marked as **Failed**, and the retry delay begins. The default download wait time is 10800s. Range is 1800s - 604800s. +- `max retry delay`: The maximum amount of time in seconds to wait in between retry attempts. The retry delay will start off low and back off exponentially up to this duration. Range is 0 to 86400s. Default is 3600s. +- `max retry attempts`: The maximum number of attempts to download before considering the download as failed. If set to 0, the SSR will retry the download until the timeout is hit. Default is 10. + +### Sequenced HA Download + +The SSR supports sequenced downloading; one node of an HA pair downloads an image from the remote repository, and the other node waits for it to complete. Once that download is complete, the second node downloads it from the first. When targeting an HA router, the download is sequenced by default. To disable this sequencing, use `request system software download simultaneous disable`. + +## Bandwidth Limiting + +In some deployments, downloads speeds may be restricted by bandwidth sharing, or cabling or signal limitations. The `software-update` configuration command allows administrative controls over the speeds used to retrieve software. + +Use the `configure-authority-router-system-software-update-max-bandwidth` command to define the bandwidth limiter applied to software downloads. Valid values are; unlimited, 1-999999999999 bits/second. + +## Show Download Progress + +To display the progress of a software download on the command line, use the `show system software download [{router | resource-group }] [version ] [force] [node ]` command. diff --git a/sidebars.js b/sidebars.js index 6ccbe31ad8..d11ed84cc8 100644 --- a/sidebars.js +++ b/sidebars.js @@ -207,6 +207,7 @@ module.exports = { "intro_upgrading", "upgrade_ibu_conductor", "upgrade_router", + "config-smart-download", "upgrade_restricted_access", "upgrade-ssr-4x0-manual", "upgrade_legacy", @@ -369,7 +370,8 @@ module.exports = { "sec_hardening_guidelines", "sec_security_policy", "sec_adaptive_encrypt", - "sec_firewall_filtering", + "sec_firewall_filtering", + "concept-tpm.md", "sec-config-seim-syslog", "sec-ddos-resilience", "sec-usb-security", From 23dee8c872c18572e08459f08d4d7d2c849c8397 Mon Sep 17 00:00:00 2001 From: Chris Date: Wed, 15 Oct 2025 16:18:12 -0400 Subject: [PATCH 02/58] typo --- sidebars.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sidebars.js b/sidebars.js index d11ed84cc8..8f2a6480d2 100644 --- a/sidebars.js +++ b/sidebars.js @@ -371,7 +371,7 @@ module.exports = { "sec_security_policy", "sec_adaptive_encrypt", "sec_firewall_filtering", - "concept-tpm.md", + "concept-tpm", "sec-config-seim-syslog", "sec-ddos-resilience", "sec-usb-security", From e69fbb4e4e7dac6cf9e24a15deae30c0b8daa9f5 Mon Sep 17 00:00:00 2001 From: Chris Date: Wed, 22 Oct 2025 08:36:54 -0400 Subject: [PATCH 03/58] began edits --- docs/config-smart-download.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/config-smart-download.md b/docs/config-smart-download.md index c5418ed0d5..d2ff5dc76e 100644 --- a/docs/config-smart-download.md +++ b/docs/config-smart-download.md @@ -15,9 +15,9 @@ Downloads that have been stopped either by a manual pause or due to connection i ## Download Failover Resiliency -SSR images can be downloaded from a variety of sources, depending on software access mode (eg. internet-only, prefer-conductor, conductor-only, offline-mode): the HA peer, both conductor nodes, artifactory, and the mist proxy to artifactory (cloud deployments only). +SSR images can be downloaded from a variety of sources, depending on software access mode (eg. internet-only, prefer-conductor, conductor-only, offline-mode): the HA peer, both conductor nodes, artifactory, and the Mist proxy to artifactory (cloud deployments only). -To improve resiliency to network connectivity issues, the SSR queries available versions from all sources before beginning the download. It compiles a list of sources where the requested version is available and begins the download. If more than 50% of requests to a source fail within a window of 10 requests, the SSR marks that source unavailable and moves on to the next source. The following priority order is used for sources: +To improve resiliency against network connectivity issues, the SSR queries available versions from all sources before beginning the download. It compiles a list of sources where the requested version is available and begins the download. If more than 50% of requests to a source fail, the SSR marks that source unavailable and moves on to the next source. The following priority order is used for sources: 1. Peer 2. Conductor node 1 @@ -43,7 +43,7 @@ The GUI also supports pausing and resuming downloads. ### Auto-resume Download on WAN Failures -In the event that all sources have reached the threshold of consecutive failures and a download attempt has returned an error, the SSR can be configured to wait for a specified amount of time and then retry the download. If a connection is successfully made, the download will resume where it left off. +In the event that all sources have reached the threshold of consecutive failures and a download attempt has failed, the SSR can be configured to wait for a specified amount of time and then retry the download. If a connection is successfully made, the download will resume where it left off. When the timeout is enabled, the SSR waits for a configurable amount of time (default is 10800s) for the download to complete. When the timeout value is reached, the download is marked as **Failed** and the retry delay begins. From 8d07a8d90db5c2ff5a422285102d694d4bf80999 Mon Sep 17 00:00:00 2001 From: Chris Date: Fri, 14 Nov 2025 16:39:53 -0500 Subject: [PATCH 04/58] updates per review from Philippe, and input from conversation. --- docs/config-smart-download.md | 79 +++++++++++++++++++++++++++++++---- 1 file changed, 72 insertions(+), 7 deletions(-) diff --git a/docs/config-smart-download.md b/docs/config-smart-download.md index d2ff5dc76e..fdd5b17951 100644 --- a/docs/config-smart-download.md +++ b/docs/config-smart-download.md @@ -17,7 +17,7 @@ Downloads that have been stopped either by a manual pause or due to connection i SSR images can be downloaded from a variety of sources, depending on software access mode (eg. internet-only, prefer-conductor, conductor-only, offline-mode): the HA peer, both conductor nodes, artifactory, and the Mist proxy to artifactory (cloud deployments only). -To improve resiliency against network connectivity issues, the SSR queries available versions from all sources before beginning the download. It compiles a list of sources where the requested version is available and begins the download. If more than 50% of requests to a source fail, the SSR marks that source unavailable and moves on to the next source. The following priority order is used for sources: +To improve resiliency against network connectivity issues, the SSR queries available versions from all sources before beginning the download. It compiles a list of sources where the requested version is available and begins the download. If a request to a source fails, the SSR moves on to the next source. The following priority order is used for sources: 1. Peer 2. Conductor node 1 @@ -43,25 +43,90 @@ The GUI also supports pausing and resuming downloads. ### Auto-resume Download on WAN Failures -In the event that all sources have reached the threshold of consecutive failures and a download attempt has failed, the SSR can be configured to wait for a specified amount of time and then retry the download. If a connection is successfully made, the download will resume where it left off. +In the event that all sources have reached the threshold of consecutive failures and a download attempt has returned an error, the SSR can be configured to wait for a specified amount of time and then retry the download. If a connection is successfully made, the download will resume where it left off. Use the `software-update download enable-timeout` command to enable the retry feature. -When the timeout is enabled, the SSR waits for a configurable amount of time (default is 10800s) for the download to complete. When the timeout value is reached, the download is marked as **Failed** and the retry delay begins. +When the timeout is enabled (software-update download enable-timeout true) the SSR will wait for a configurable amount of time (default is 10800s) for the download to complete. If the timeout value is reached without successfully downloading the software, the download is marked as "Failed". -The retry delay time starts lower than the configured time and exponentially backs off up to the configured maximum (default is 3600 seconds). A maximum number of times to retry can also be configured. +The retry delay time is the longest time to wait between retry attempts. For example, the initial retry delay starts at 30 seconds. With each failure the delay is increased exponentially. However, when that calculated value reaches the maximum retry delay time, successive wait times for additional attempts do not exceed the maximium retry delay time. The default is 3600 seconds. A maximum number of times to retry can also be configured. -The retry timeout can be disabled. If it is disabled, the download will retry indefinitely. +If the retry timeout is disabled, the download will retry indefinitely -Use the command `configure authority router system software-update download enable-timeout [enabled]` to enable auto-resume. The following fields allow you to configure the feature for your needs: +Use the command `configure authority router system software-update download enable-timeout [enabled]` to enable auto-resume. The command parameters are listed below: - `enable-timeout`: True/false, default is true. This enables a time limit for the overall download. - `timeout`: Amount of time in seconds that the SSR waits for the software download to complete. When the timeout value is reached the download is marked as **Failed**, and the retry delay begins. The default download wait time is 10800s. Range is 1800s - 604800s. +- `attempts`: The maximum number of attempts to download before considering the download as failed. If set to 0, the SSR will retry the download until the timeout is hit. Default is 10. - `max retry delay`: The maximum amount of time in seconds to wait in between retry attempts. The retry delay will start off low and back off exponentially up to this duration. Range is 0 to 86400s. Default is 3600s. -- `max retry attempts`: The maximum number of attempts to download before considering the download as failed. If set to 0, the SSR will retry the download until the timeout is hit. Default is 10. + +#### Examples + +In this example, the router will retry downloads up to 10 times, or for an hour, whichever comes first. The retry delay will back off exponentially until it reaches 10 minutes, then all further retries will have a 10 minute delay. + +``` +configure + authority + system + software-update + + download + enable-timeout true + timeout 3600 + attempts 10 + maximum-retry-delay 600 + exit + exit + exit + exit +exit +``` + +In this example, the router will retry downloads up to 50 times, no matter how long that takes (because the timeout is disabled). The retry will back off exponentially until it reaches an hour and all further retries will have a delay of an hour. + +``` +configure + authority + system + software-update + + download + enable-timeout false + attempts 50 + maximum-retry-delay 3600 + exit + exit + exit + exit +exit +``` + +In this example, the router will retry downloads for up to 10 hours, no matter how many retries it takes (because attempts is set to 0). The retry will back off exponentially until it reaches 30 minutes and all further retries will have a delay of an hour. + +``` +configure + authority + system + software-update + + download + enable-timeout true + timeout 3600 + attempts 0 + maximum-retry-delay 1800 + exit + exit + exit + exit +exit +``` ### Sequenced HA Download The SSR supports sequenced downloading; one node of an HA pair downloads an image from the remote repository, and the other node waits for it to complete. Once that download is complete, the second node downloads it from the first. When targeting an HA router, the download is sequenced by default. To disable this sequencing, use `request system software download simultaneous disable`. +:::note +The second node will download the software from the first node, unless it encounters a connectivity issue. In that case, the router would move on to the next source as described in [Failover Resiliency](#download-failover-resiliency). +::: + ## Bandwidth Limiting In some deployments, downloads speeds may be restricted by bandwidth sharing, or cabling or signal limitations. The `software-update` configuration command allows administrative controls over the speeds used to retrieve software. From b6751c7030afb529345ad9d3c4b4205be444def7 Mon Sep 17 00:00:00 2001 From: Chris Date: Tue, 18 Nov 2025 13:21:46 -0500 Subject: [PATCH 05/58] mid update commit for this topic - sec-conductor-onboard.md --- docs/sec-conductor-onboard.md | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/docs/sec-conductor-onboard.md b/docs/sec-conductor-onboard.md index b00c6c12e7..b2a8642999 100644 --- a/docs/sec-conductor-onboard.md +++ b/docs/sec-conductor-onboard.md @@ -9,7 +9,7 @@ When a router has SCO enabled, asset-id based onboarding is disabled. Ports 4505 ## Configuration -Three components: Onboarding conductor, router, Operational conductor. +Configuration components: Onboarding conductor, router, Operational conductor. On the onboarding conductor create the minimum router configuration necessary for secure onboarding; @@ -168,16 +168,7 @@ The CA certificate is read from disk at the location given in `authority > secur The next step in the process is to generate an onboarding token from conductor Web interface, command line, or using APIs. The generated tokens are signed by the conductor’s private key so that they cannot be altered once generated. The SSR supports two modes; Authority Wide and Router Specific tokens. These are mutually exclusive and are defined in the configuration. -#### Authority-Wide Tokens - -When using a single authority level PSK, the token can be generated once and used for any router within that authority. The authority wide token contains the following information: - -- conductor-public-cert: a base64 encoded public cert -- conductor-ca-cert: a base64 encoded ca cert -- secret: a base64 encoded 48 byte string -- expiration: 1234567 - -#### Router-Specific Tokens +### Router-Specific Tokens For better control over distribution and re-use of tokens the user can request unique tokens per router. In this mode it is required that an asset-id be assigned to each of the node(s) within the router before generating a token. From 7e04963306346aaba297c7985ec3d537c2ff7e4a Mon Sep 17 00:00:00 2001 From: Chris Date: Fri, 21 Nov 2025 17:03:05 -0500 Subject: [PATCH 06/58] updating Secure conductor onboarding --- docs/sec-conductor-onboard.md | 163 ++++++++++++++++++---------------- sidebars.js | 1 + 2 files changed, 86 insertions(+), 78 deletions(-) diff --git a/docs/sec-conductor-onboard.md b/docs/sec-conductor-onboard.md index b2a8642999..51345212d5 100644 --- a/docs/sec-conductor-onboard.md +++ b/docs/sec-conductor-onboard.md @@ -9,108 +9,89 @@ When a router has SCO enabled, asset-id based onboarding is disabled. Ports 4505 ## Configuration -Configuration components: Onboarding conductor, router, Operational conductor. +Configure the Conductor where the router will onboard. +- Configure the conductor to accept the router. +- Run the `create token` command on the conductor to create the token for the router. -On the onboarding conductor create the minimum router configuration necessary for secure onboarding; +### Prerequisites -- thing one -- thing two -- thing three -Run the `create token` command for the router to create the token. +- The `secure-conductor-onboarding mode` must be enabled +- The `secure-conductor-onboarding public-key` field must be configured +- The `secure-conductor-onboarding ca-certificate` field must be configured -The SSR4x0 is flashed with an image that tells it upon boot to reach out to Mist to get the onboarding conductor connection information. - -The router then connects to the Onboarding Conductor, and receives the the SCO token, the certificates, and the IP address of the Operational Conductor. - -It redirects to the Operational Conductor to complete the secure conductor onboarding process which includes downloading the SVR configs, certificates, and necessary pre-shared secrets to operate in a secure manner/environment. - -Use the information in this guide to configure the SCO process. - -**Prerequisites** - -1. The secure conductor onboarding mode must be enabled -2. The secure-conductor-onboarding > public-key field must be configured -3. The secure-conductor-onboarding > ca-certificate field must be configured - -To provide a secure and mutually authenticated onboarding mechanism, the following information must be configured and in place: +To provide a secure and mutually authenticated onboarding mechanism, the following information must be configured. - Pre-shared key: The onboarding pre-shared key is a 48-character alpha-numeric string, configured at the authority or the router level. This key is mandatory for the SCO process. -- Conductor Public certificate: A public-private key certificate +- Conductor Public certificate: A public-private key certificate. - Conductor CA certificate: Optionally, you can configure a public certificate signed by a preferred CA signing authority. -The public certificate and CA certificate are configured on the conductor. - -- must be configured at ALL(?) the Authority, Conductor, and router level - - what has to be configured at each level? +The public certificate and CA certificate are configured on the conductor at the Authority, Conductor, and Router level. ### Authority Level Configuration Parameters The following parameters are required, and are configured at the Authority level. -#### `configure authority secure-conductor-onboarding` +#### `configure authority secure-conductor-onboarding public-certificate` -From the GUI, **authority > router > node > secure-conductor-onboarding** +This configures the public certificate which the conductor will present on port 933 to prove that it is the correct conductor. This references the `client-certificate` list. -**`mode`** +#### `configure authority secure-conductor-onboarding ca-certificate` -- `disabled` (default) -- `psk-only`: Configured on devices with no TPM, but which require the Sceure Conductor Onboarding workflow. -- `weak`: This setting enables, SCO but allows the router to use a self-signed certificate. This conductor will skip the CA certificate validation for this router. -- `strong`: On SSR devices manufactured with a device ID (SSR400/440), `strong` mode ensures that the asset-id matches the serialNumber field in the subject line of the router’s public certificate. For vTPM workflows, the router’s endorsement key must match the configuration at **authority > router > node > secure-conductor-onboarding > endorsement-key**. +This identifies the certificate to be included in the token, referencing the `trusted-ca-certificate` list. This must be the CA certificate used to sign the public certificate, and is verified at commit time. -- **authority > secure-conductor-onboarding > pre-shared-secret**: 48-character alpha-numeric string -- **authority > secure-conductor-onboarding > public-certificate** This configures the public certificate which the conductor will present on port 933 to prove that it is the correct conductor. This references the **authority > client-certificate** list. -- **authority > secure-conductor-onboarding > ca-certificate**: This identifies the certificate to be included in the token. This references the **authority > trusted-ca-certificate** list. This must be the ca certificate used to sign the public certificate, and is verified at commit time. +### Router Level Configuration Parameters +The following parameters are required, and are configured at the Router level. -### Per Router Configuration +#### `configure authority router secure-conductor-onboarding mode` -The following parameters are required, and are configured at the router level. +- `disabled`: Default is true, must be false to enable. +- `psk-only`: Configured on devices with no TPM, but which require the Secure Conductor Onboarding workflow. +- `weak`: This setting enables SCO but allows the router to use a self-signed certificate. This conductor will skip the CA certificate validation for this router. +- `strong`: On SSR devices manufactured with a device ID (SSR400/SSR440), `strong` mode ensures that the asset-id matches the serial number field in the subject line of the router’s public certificate. For vTPM workflows, the router’s endorsement key must match the `endorsement-key` configuration. -• authority > router > secure-conductor-onboarding > pre-shared-secret -o When SCO is enabled, any empty PSK will auto generate random 32-byte alphanumeric string using FIPS approved highly secure DRBG function from OpenSSL library on the conductor. Once generated, the key will not automatically change and can be updated by the user if necessary. -• authority > router > secure-conductor-onboarding > mode -o auto (default) – defer to the authority level setting -o disabled – means use legacy onboarding model -o psk-only – same as above -o weak – same as above -o strong – same as above -o strict – same as above +#### `configure authority router secure-conductor-onboarding pre-shared-secret` + +The pre-shared secret is a 48-character alpha-numeric string. When enabled, any empty PSK will auto generate a random 48-byte alphanumeric string using the FIPS-approved, highly secure DRBG function from OpenSSL. Once generated, the key does not automatically change. It can be updated by the user if necessary. ### Conductor Configuration -To enable this feature on the conductor, a few prerequisites must be met. -1. The secure conductor onboarding mode should not be disabled -2. The secure-conductor-onboarding > public-key field must be configured -3. The secure-conductor-onboarding > ca-certificate field must be configured -When all routers have SCO enabled, the legacy asset-id based onboarding will be disabled and thus port 4505 and 4506 will be disabled on the conductor to disable any devices not using this feature will fail to onboard to the conductor. In addition, if a SCO enabled device onboards using the legacy method or vice versa, the onboarding will be rejected. +To enable this feature on the conductor, verify the following: + +- The `secure conductor onboarding mode` should not be disabled (see above). +- The `secure-conductor-onboarding public-key` field must be configured. +- The `secure-conductor-onboarding ca-certificate` field must be configured. + +When all routers have SCO enabled, the legacy asset-id based onboarding is disabled. Ports 4505 and 4506 are disabled on the conductor to prevent any devices not using this feature from onboarding. In addition, if a SCO enabled device attempts to onboard using the legacy method, the attempt will be rejected. + +To provide secure and mutually authenticated onboarding, the following additional information is required. + +- Pre-shared key +- Conductor Public certificate +- Conductor CA certificate -To provide a secure and mutually authenticated onboarding mechanism, the following additional pieces of information are required during the process -1. Pre-shared key -2. Conductor Public cert -3. Conductor CA cert The onboarding pre-shared key will be 48-character alpha-numeric string which can configured at the authority or the router level. This key is mandatory for SCO process to work successfully. -The conductor is expected to contain a public-private key certificate with the additional option to sign the public cert by the organization’s preferred CA signing authority. The public cert and CA cert will be configured in the conductor data model. +The conductor is expected to contain a public-private key certificate with the additional option to sign the public certificate by the organization’s preferred CA signing authority. The public certificate and CA certificate will be configured in the conductor data model. -## Tokens +## Token Creation -Use the following command to create an authority level token: +Create an authority level token: `create secure-conductor-onboarding token global [expiration-timeout <1d>]` -Use the following command to create a router level token: +Create a router level token: `create secure-conductor-onboarding token router [expiration-timeout <1d>]` `expiration-timeout` is optionaL. Default is 1 day. 1 year (1y) is the maximum value. -Token creation requires the following settings be in place: +Token creation requires the following: -1. The fields `authority > secure-conductor-onboarding > ca-certificate` and `secure-conductor-onboarding > public-certificate` must be configured, valid, and signed by the root CA of the conductor. +- The fields `authority > secure-conductor-onboarding > ca-certificate` and `secure-conductor-onboarding > public-certificate` must be configured, valid, and signed by the root CA of the conductor. -2. SCO must be enabled on the conductor at the Authority or per router level (can be both). +- SCO must be enabled on the conductor at the Authority or per router level (can be both). -3. The router and node must be configured with at least the minimum valid configuration. For example, a minimum configuration for a standalone node: +- The router and node must be configured with at least the minimum valid configuration. For example, a minimum configuration for a standalone node: ``` router min-router @@ -126,7 +107,7 @@ exit If any checks fail, the `create system connectivity` command returns an error explaining why. This command can be run as many times as needed for each node. All information to form the token is present in the configuration. -The CA certificate is read from disk at the location given in `authority > secure-conductor-onboarding > ca-certificate`. +The CA certificate is read from disk at the location given in `secure-conductor-onboarding ca-certificate`. ## Token Management @@ -140,13 +121,13 @@ Use the following command to create a router level token: `expiration-timeout` is optionaL. Default is 1 day. 1 year (1y) is the maximum value. -Token Management requires the following settings be in place: +Token Management requires the following settings: -1. The fields `authority > secure-conductor-onboarding > ca-certificate` and `secure-conductor-onboarding > public-certificate` must be configured, valid, and signed by the root CA of the conductor. +- The fields `secure-conductor-onboarding ca-certificate` and `secure-conductor-onboarding public-certificate` must be configured, valid, and signed by the root CA of the conductor. -2. SCO must be enabled on the conductor at authority or per router level (can be both). +- SCO must be enabled on the conductor at authority or per router level (can be both). -3. The router and node must be configured with at least the minimum valid configuration. For example, a minimum configuration for a standalone node: +- The router and node must be configured with at least the minimum valid configuration. For example, a minimum configuration for a standalone node: ``` router min-router @@ -162,15 +143,15 @@ exit If any checks fail, the `create system connectivity` command returns an error explaining why. This command can be run as many times as needed for each node. All information to form the token is present in the configuration. -The CA certificate is read from disk at the location given in `authority > secure-conductor-onboarding > ca-certificate`. +The CA certificate is read from disk at the location given in `secure-conductor-onboarding ca-certificate`. ### Token Contents -The next step in the process is to generate an onboarding token from conductor Web interface, command line, or using APIs. The generated tokens are signed by the conductor’s private key so that they cannot be altered once generated. The SSR supports two modes; Authority Wide and Router Specific tokens. These are mutually exclusive and are defined in the configuration. +The next step in the process is to generate an onboarding token from the conductor Web interface, command line, or using APIs. The generated tokens are signed by the conductor’s private key so that they cannot be altered once generated. The SSR supports two modes; Authority-wide and Router-specific tokens. These are mutually exclusive and are defined in the configuration. ### Router-Specific Tokens -For better control over distribution and re-use of tokens the user can request unique tokens per router. In this mode it is required that an asset-id be assigned to each of the node(s) within the router before generating a token. +For better control over distribution and re-use of tokens the user can request unique tokens per router. In this mode it is required that an `asset-id` be assigned to each node within the router before generating a token. - conductor-public-cert: a base64 encoded public cert - conductor-ca-cert: a base64 encoded ca cert @@ -178,20 +159,46 @@ For better control over distribution and re-use of tokens the user can request u - asset-id: `[node0-asset-id, node1-asset-id]` - expiration: 1234567 -The onboarding-token will use the JSON Web Token format and the above represents the payload section. Additional information about the router configuration necessary for initialization can also be included in the token. +The onboarding-token uses the JSON Web Token format, and the above represents the payload section. Additional information about the router configuration necessary for initialization can also be included in the token. ### Token Invalidation -The onboarding tokens are stateless and self-contained. As a result, there needs to be a mechanism where the tokens can be invalidated if they are compromised or are not necessary anymore. There are a few different methods to perform invalidation: +The onboarding tokens are stateless and self-contained. If a token is compromised or no longer necessary, they can be labeled invalid, and removed. Thefoloowing methods can be used to perform invalidation: -1. Expiration: Token is automatically invalid past its expiration date. Since the token is signed by the conductor, the expiration time cannot be modified by the end user. +- Expiration: Token automatically becomes invalid after the expiration date. Since the token is signed by the conductor, the expiration time cannot be modified by the end user. :::note -The conductor’s current date/time is used to validate the expiration. If the conductor undergoes any significant time skew that could result in accidental invalidation of user tokens. It’s imperative that conductor clocks towards an external NTP source. +The conductor’s current date/time is used to validate the expiration. If the conductor undergoes any significant time skew, it could result in accidental invalidation of user tokens. It is imperative that conductors use an external NTP source. ::: -2. Change pre-shared key: To invalidate unexpired tokens, the user can change the pre-shared key in the conductor config. This would be done at the authority or router level depending on the mode of operation -3. Update conductor certificate: When the conductor certificate expires and a new certificate is installed instead, all existing tokens signed by the old certificate will no longer be valid. The details of how to update the conductor cert should follow existing supported procedures and are outside the scope of this document. +- Change pre-shared key: To invalidate unexpired tokens, the user can change the pre-shared key in the conductor configuration. This is done at the authority or router level, based on the mode of operation. + +- Update conductor certificate: When the conductor certificate expires and a new certificate is installed, all existing tokens signed by the old certificate are no longer valid. The details of how to update the conductor certificate follow existing supported procedures. + +## Secure Conductor Onboarding Workflow + +After the user generates an onboarding token, enter the token and other onboarding details in the onboarding UI or using CLI commands. Two main methods are supported to onboard a router: + +- UISO via `onboarding-config.json` suing the `secure-conductor-onboarding-token` command. +- Mist Conductor Redirect – using a field alongside the conductor IP address. This information is sent to the router once SZTP has been complete and then passed to the router client to perform secure conductor onboarding. + +Once the process is initiated, the conductor CA certificate is loaded on the system as a trusted CA. This allows the device to trust the conductor in subsequent workflows. If empty, the CA cert validation is skipped. + +### Onboarding Workflow + +Once the Secure Conductor Onboarding workflow is initiated, the router performs the following: + +1. Establish a TLS connection to the conductor on port 933. +2. Perform mutual authentication over TLS socket to ensure the client and server can trust one another. +3. Once the connection is validated by both parties, exchange the persistent SSH keys for establish SSH tunnels between router and conductor. +4. Router connects to conductor over port 930 using the SSH keys exchanged in previous steps. +5. The router is prepped and initialized by the conductor. During this process, the system goes through the reboot cycle. + +Once the secure SSH tunnels are established, the SCO workflow concludes. All future communication between the router and conductor will occur on standard SSR to conductor ports such as 930, 4505, 4506, etc. + + + + diff --git a/sidebars.js b/sidebars.js index dfa1dfa9d2..4e57f2af04 100644 --- a/sidebars.js +++ b/sidebars.js @@ -124,6 +124,7 @@ module.exports = { "initialize_u-iso_device", "initialize_u-iso_adv_workflow", "sec-ztp-web-proxy", + "sec-conductor-onboard", ], "Cloud / Hypervisor Installations": [ "supported_cloud_platforms", From 16869fd01d24888a805a191eb7279cd99eef0c97 Mon Sep 17 00:00:00 2001 From: Chris Date: Mon, 24 Nov 2025 13:13:08 -0500 Subject: [PATCH 07/58] updated secure conductor onboarding with information from the latest spec updates. --- docs/sec-conductor-onboard.md | 153 +++++++++++++++++++++------------- 1 file changed, 95 insertions(+), 58 deletions(-) diff --git a/docs/sec-conductor-onboard.md b/docs/sec-conductor-onboard.md index 51345212d5..9653c90242 100644 --- a/docs/sec-conductor-onboard.md +++ b/docs/sec-conductor-onboard.md @@ -3,16 +3,10 @@ title: Secure Conductor Onboarding sidebar_label: Secure Conductor Onboarding --- -Secure Conductor Onboarding (SCO) provides the ability to onboard a router to a conductor ensuring that each device proves possession of a private key, and that the connection is trusted and authenticated. SCO employs asymmetric cryptography (e.g., RSA key pairs) to perform digital signatures and verification. The secure conductor onboarding process leverages the physical or virtual TPM module for mutual authentication. +Secure Conductor Onboarding (SCO) provides the ability to onboard a router to a conductor ensuring that each device proves possession of a private key, and that the connection is trusted and authenticated. SCO employs asymmetric cryptography (RSA key pairs) to perform digital signatures and verification. The secure conductor onboarding process leverages the physical or virtual TPM module for mutual authentication. When a router has SCO enabled, asset-id based onboarding is disabled. Ports 4505 and 4506 are disabled on the conductor, so any devices not using this feature will fail to onboard to the conductor. In addition, if an SCO enabled device attempts to onboard using the legacy method, the onboarding is rejected. -## Configuration - -Configure the Conductor where the router will onboard. -- Configure the conductor to accept the router. -- Run the `create token` command on the conductor to create the token for the router. - ### Prerequisites - The `secure-conductor-onboarding mode` must be enabled @@ -27,30 +21,103 @@ To provide a secure and mutually authenticated onboarding mechanism, the followi The public certificate and CA certificate are configured on the conductor at the Authority, Conductor, and Router level. -### Authority Level Configuration Parameters +## Basic Configuration + +The following information are the required steps to configure and use Secure Conductor Onboarding. For details about any of the commands and steps, see [How It Works](#how-it-works) + +- Configure the Conductor where the router will onboard. + - Configure the conductor to accept the router. +- Generate signed certs for the conductor and place the certs in appropriate location on the conductor. + ``` + mv myCA.key /etc/128technology/pki/myCA.key + mv myCA.pem /etc/128technology/pki/myCA.pem + mv server.key /etc/128technology/pki/server.key + mv server.pem /etc/128technology/pki/server.pem + ``` +:::note +Only RSA keys are supported at this time. +::: + +- Load the certificate for SCO configuration. + ``` + configure authority client-certificate server file server + configure authority trusted-ca-certificate myCA file myCA + ``` + +- Enable ssh-only for asset resiliency. + `configure authority asset-connection-resiliency ssh-only true ` + +- Enable SCO on the conductor. + - For devices with a built-in dev-id certificate + ``` + config authority router router1 system secure-conductor-onboarding mode strong + config authority router router1 system secure-conductor-onboarding pre-shared-secret (removed) + ``` + - For Public cloud VMs with vTPM + ``` + config authority router router1 system secure-conductor-onboarding mode strong + config authority router router1 system secure-conductor-onboarding pre-shared-secret (removed) + config authority router router1 node node0 secure-conductor-onboarding endorsement-key (text/plain) + ``` + +:::note +To read the EK from the public cloud instance, run tpm2_readpublic -c 0x81010001 -f DER -o /dev/stdout -Q | base64 -w0 and configure the contents in the endorsement-key field above. +::: + +- Disable salt state on conductor (this is optional). + ``` + /usr/bin/firewall-cmd --permanent --remove-port=4505-4506/tcp + ``` + +- Create the SCO token on the conductor. + ``` + create secure-conductor-onboarding token router-name [expiration-timeout <1d>] + ``` + +- Enter the token and other onboarding details using CLI commands, or in the Onboarding interface. + + After the user generates an onboarding token, enter the token and other onboarding details in the onboarding UI or using CLI commands. There are two methods to onboard a router: + + - Using the Command line: `secure-conductor-onboarding-token` command and `onboarding-config.json`. + - Mist Conductor Redirect: In the Mist interface, token information is entered with the conductor IP address. This information is sent to the router once SZTP has been completed and then passed to the router client to perform secure conductor onboarding. + +Once the process is initiated, the conductor CA certificate is loaded on the system as a trusted CA, allowing the device to trust the conductor in subsequent workflows. + +### Onboarding Workflow + +Once the Secure Conductor Onboarding workflow is initiated, the router performs the following: -The following parameters are required, and are configured at the Authority level. +1. Establish a TLS connection to the conductor on port 933. +2. Perform mutual authentication over TLS socket to ensure the client and server can trust one another. +3. Once the connection is validated by both parties, the persistent SSH keys for establishing SSH tunnels between router and conductor are exchanged. +4. The router connects to the conductor over port 930 using the SSH keys exchanged in previous steps. +5. The router is prepped and initialized by the conductor. During this process, the system goes through the reboot cycle. -#### `configure authority secure-conductor-onboarding public-certificate` +Once the secure SSH tunnels are established, the SCO workflow concludes. All future communication between the router and conductor will occur on standard SSR to conductor ports such as 930, 4505, 4506, etc. -This configures the public certificate which the conductor will present on port 933 to prove that it is the correct conductor. This references the `client-certificate` list. +### Known Caveats -#### `configure authority secure-conductor-onboarding ca-certificate` +- During SCO onboarding of the router in an HA deployment, both the conductor nodes should be online and able to talk to each other. +- Once SCO is enabled on the HA conductor, both conductor nodes must be restarted. -This identifies the certificate to be included in the token, referencing the `trusted-ca-certificate` list. This must be the CA certificate used to sign the public certificate, and is verified at commit time. +- Only RSA key-based certs are supported on the conductor at this time. + +## How It Works + +The following sections provide details about the commands and parameters used for Secure Conductor Onboarding. ### Router Level Configuration Parameters The following parameters are required, and are configured at the Router level. -#### `configure authority router secure-conductor-onboarding mode` +`configure authority router secure-conductor-onboarding mode` - `disabled`: Default is true, must be false to enable. - `psk-only`: Configured on devices with no TPM, but which require the Secure Conductor Onboarding workflow. - `weak`: This setting enables SCO but allows the router to use a self-signed certificate. This conductor will skip the CA certificate validation for this router. - `strong`: On SSR devices manufactured with a device ID (SSR400/SSR440), `strong` mode ensures that the asset-id matches the serial number field in the subject line of the router’s public certificate. For vTPM workflows, the router’s endorsement key must match the `endorsement-key` configuration. -#### `configure authority router secure-conductor-onboarding pre-shared-secret` +`configure authority router secure-conductor-onboarding pre-shared-secret` The pre-shared secret is a 48-character alpha-numeric string. When enabled, any empty PSK will auto generate a random 48-byte alphanumeric string using the FIPS-approved, highly secure DRBG function from OpenSSL. Once generated, the key does not automatically change. It can be updated by the user if necessary. @@ -75,10 +142,6 @@ The conductor is expected to contain a public-private key certificate with the a ## Token Creation -Create an authority level token: - -`create secure-conductor-onboarding token global [expiration-timeout <1d>]` - Create a router level token: `create secure-conductor-onboarding token router [expiration-timeout <1d>]` @@ -87,7 +150,7 @@ Create a router level token: Token creation requires the following: -- The fields `authority > secure-conductor-onboarding > ca-certificate` and `secure-conductor-onboarding > public-certificate` must be configured, valid, and signed by the root CA of the conductor. +- The fields `secure-conductor-onboarding ca-certificate` and `secure-conductor-onboarding public-certificate` must be configured, valid, and signed by the root CA of the conductor. - SCO must be enabled on the conductor at the Authority or per router level (can be both). @@ -111,16 +174,6 @@ The CA certificate is read from disk at the location given in `secure-conductor- ## Token Management -Use the following command to create an authority level token: - -`create secure-conductor-onboarding token global [expiration-timeout <1d>]` - -Use the following command to create a router level token: - -`create secure-conductor-onboarding token router [expiration-timeout <1d>]` - -`expiration-timeout` is optionaL. Default is 1 day. 1 year (1y) is the maximum value. - Token Management requires the following settings: - The fields `secure-conductor-onboarding ca-certificate` and `secure-conductor-onboarding public-certificate` must be configured, valid, and signed by the root CA of the conductor. @@ -153,17 +206,21 @@ The next step in the process is to generate an onboarding token from the conduct For better control over distribution and re-use of tokens the user can request unique tokens per router. In this mode it is required that an `asset-id` be assigned to each node within the router before generating a token. -- conductor-public-cert: a base64 encoded public cert -- conductor-ca-cert: a base64 encoded ca cert -- secret: a base64 encoded 48 byte string -- asset-id: `[node0-asset-id, node1-asset-id]` -- expiration: 1234567 +The onboarding-token uses the JSON Web Token format. Below is an example of the payload section. Additional information about the router configuration necessary for initialization can also be included in the token. -The onboarding-token uses the JSON Web Token format, and the above represents the payload section. Additional information about the router configuration necessary for initialization can also be included in the token. +``` +{ + “conductor-public-cert": “”, + “conductor-ca-cert": “”, + “secret”: “”, + “asset-id”: [“node0-asset-id”, “node1-asset-id”], + “exp”: 1234567 +} +``` -### Token Invalidation +### Invalid Tokens -The onboarding tokens are stateless and self-contained. If a token is compromised or no longer necessary, they can be labeled invalid, and removed. Thefoloowing methods can be used to perform invalidation: +The onboarding tokens are stateless and self-contained. If a token is compromised or no longer necessary, they can be labeled as invalid, and removed. - Expiration: Token automatically becomes invalid after the expiration date. Since the token is signed by the conductor, the expiration time cannot be modified by the end user. @@ -175,26 +232,6 @@ The conductor’s current date/time is used to validate the expiration. If the c - Update conductor certificate: When the conductor certificate expires and a new certificate is installed, all existing tokens signed by the old certificate are no longer valid. The details of how to update the conductor certificate follow existing supported procedures. -## Secure Conductor Onboarding Workflow - -After the user generates an onboarding token, enter the token and other onboarding details in the onboarding UI or using CLI commands. Two main methods are supported to onboard a router: - -- UISO via `onboarding-config.json` suing the `secure-conductor-onboarding-token` command. -- Mist Conductor Redirect – using a field alongside the conductor IP address. This information is sent to the router once SZTP has been complete and then passed to the router client to perform secure conductor onboarding. - -Once the process is initiated, the conductor CA certificate is loaded on the system as a trusted CA. This allows the device to trust the conductor in subsequent workflows. If empty, the CA cert validation is skipped. - -### Onboarding Workflow - -Once the Secure Conductor Onboarding workflow is initiated, the router performs the following: - -1. Establish a TLS connection to the conductor on port 933. -2. Perform mutual authentication over TLS socket to ensure the client and server can trust one another. -3. Once the connection is validated by both parties, exchange the persistent SSH keys for establish SSH tunnels between router and conductor. -4. Router connects to conductor over port 930 using the SSH keys exchanged in previous steps. -5. The router is prepped and initialized by the conductor. During this process, the system goes through the reboot cycle. - -Once the secure SSH tunnels are established, the SCO workflow concludes. All future communication between the router and conductor will occur on standard SSR to conductor ports such as 930, 4505, 4506, etc. From d5c6851a21086a17be62b897722b3d5672a0ce97 Mon Sep 17 00:00:00 2001 From: Chris Date: Mon, 24 Nov 2025 16:12:43 -0500 Subject: [PATCH 08/58] interim commit --- docs/release_notes_128t_7.1.md | 21 +++++++++++++++++++++ docs/sec-cert-based-encrypt.md | 2 +- 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/docs/release_notes_128t_7.1.md b/docs/release_notes_128t_7.1.md index b3d5361099..8578a81bf0 100644 --- a/docs/release_notes_128t_7.1.md +++ b/docs/release_notes_128t_7.1.md @@ -40,6 +40,27 @@ An issue has been identified that may be observed in conductor deployments runni An issue has been identified when onboarding SSR routers installed with older versions of software (such as 5.4.4) to Conductors running 6.3.x, when running in offline-mode. In some cases, certain software packages are not available to be installed during onboarding. To work around this issue, import the **package-based** (the "128T" prefixed) ISO for the current conductor version onto the conductor. This provides the necessary software packages to complete the onboarding process. This issue will be resolved in a future release. +## Release 7.1.3-1r2 + +**Release Date:** November 25, 2025 + +### New Features + +- **I95-56719 Conductor Scaling:** Several improvements have been made to increase the scale of conductor managed router/node deployments, as well as the reporting of router information, and the efficiency of the device communications. The conductor can now manage up to a combination of 5000 nodes and routers. It should be noted that there are scaling limitations, such as a reasonable configuration complexity. Improvements to web interface responsiveness and updates to the following pages: Peer Path table, Event history, and Peering Connections panel of the Topology view. +------ +- **I95-58959 Secure Conductor Onboarding:** +------ +- **I95-54248 + + + ## Release 7.1.0-48r1 **Release Date:** November 25, 2025 diff --git a/docs/sec-cert-based-encrypt.md b/docs/sec-cert-based-encrypt.md index fd03b16c45..848e217367 100644 --- a/docs/sec-cert-based-encrypt.md +++ b/docs/sec-cert-based-encrypt.md @@ -40,7 +40,7 @@ Periodic revocation checks of the base certificate are performed based on the co ## Certificate Revocation List -Managing the Certificate Revocation List (CRL) includes the discovery, fetching, and periodic updates to CRLs. The SSR can be configured to either dynamically learn revoked and expired certificates and add them to the local CRL, or have the location or locations of the CRL assigned and poll that location at set intervals. The lists of known valid and revoked certificates are gathered and saved locally. The list is then shared with the configured routers. +Managing the Certificate Revocation List (CRL) includes the discovery, fetching, and periodic updates to CRLs. The SSR can be configured to either dynamically learn revoked and expired certificates and add them to the local CRL, or have the location or locations of the CRL assigned and poll that location at set intervals. The lists of known valid and revoked certificates are gathered and saved locally. The list is then shared among the configured routers. In cases where a certificate has been revoked, the peer path is shut down and traffic from the peer associated with the certificate is rejected. If the CRL cannot be retrieved, an alarm will fire and persist until such time as that CRL can be retrieved. From df1505af4c80eca7d9f005d5eaea35d12ebf171c Mon Sep 17 00:00:00 2001 From: Chris Date: Tue, 25 Nov 2025 09:02:59 -0500 Subject: [PATCH 09/58] updating landing page with link to 7.1 release notes --- src/pages/index.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/index.js b/src/pages/index.js index f0d530b873..1440fde601 100644 --- a/src/pages/index.js +++ b/src/pages/index.js @@ -63,7 +63,7 @@ const features = [ }, { title: <>Release Notes, - link: 'docs/release_notes_128t_7.0', + link: 'docs/release_notes_128t_7.1', description: ( <> Release information for SSR Software and components. From f5f399563df28ac92de9b76c878e4e4b96dcdac7 Mon Sep 17 00:00:00 2001 From: Chris Date: Tue, 25 Nov 2025 11:12:20 -0500 Subject: [PATCH 10/58] topic review comments added. --- docs/config-smart-download.md | 10 ++++------ docs/release_notes_128t_7.1.md | 7 ++++--- docs/sec-conductor-onboard.md | 34 ++++++++++++++++++---------------- 3 files changed, 26 insertions(+), 25 deletions(-) diff --git a/docs/config-smart-download.md b/docs/config-smart-download.md index fdd5b17951..080e5426be 100644 --- a/docs/config-smart-download.md +++ b/docs/config-smart-download.md @@ -15,7 +15,7 @@ Downloads that have been stopped either by a manual pause or due to connection i ## Download Failover Resiliency -SSR images can be downloaded from a variety of sources, depending on software access mode (eg. internet-only, prefer-conductor, conductor-only, offline-mode): the HA peer, both conductor nodes, artifactory, and the Mist proxy to artifactory (cloud deployments only). +SSR images can be downloaded from a variety of sources, depending on software access mode (e.g., internet-only, prefer-conductor, conductor-only, offline-mode): the HA peer, both conductor nodes, artifactory, and the Mist proxy to artifactory (cloud deployments only). To improve resiliency against network connectivity issues, the SSR queries available versions from all sources before beginning the download. It compiles a list of sources where the requested version is available and begins the download. If a request to a source fails, the SSR moves on to the next source. The following priority order is used for sources: @@ -43,14 +43,12 @@ The GUI also supports pausing and resuming downloads. ### Auto-resume Download on WAN Failures -In the event that all sources have reached the threshold of consecutive failures and a download attempt has returned an error, the SSR can be configured to wait for a specified amount of time and then retry the download. If a connection is successfully made, the download will resume where it left off. Use the `software-update download enable-timeout` command to enable the retry feature. +In the event that all sources have reached the threshold of consecutive failures and a download attempt has returned an error, the SSR can be configured to wait for a specified amount of time and then retry the download. If a connection is successfully made, the download will resume where it left off. -When the timeout is enabled (software-update download enable-timeout true) the SSR will wait for a configurable amount of time (default is 10800s) for the download to complete. If the timeout value is reached without successfully downloading the software, the download is marked as "Failed". +The timeout is enabled by default (`software-update download enable-timeout true`). The SSR waits for a configurable amount of time (default is 10800s) for the download to complete. If the timeout value is reached without successfully downloading the software, the download is marked as "Failed". The retry delay time is the longest time to wait between retry attempts. For example, the initial retry delay starts at 30 seconds. With each failure the delay is increased exponentially. However, when that calculated value reaches the maximum retry delay time, successive wait times for additional attempts do not exceed the maximium retry delay time. The default is 3600 seconds. A maximum number of times to retry can also be configured. -If the retry timeout is disabled, the download will retry indefinitely - Use the command `configure authority router system software-update download enable-timeout [enabled]` to enable auto-resume. The command parameters are listed below: - `enable-timeout`: True/false, default is true. This enables a time limit for the overall download. @@ -121,7 +119,7 @@ exit ### Sequenced HA Download -The SSR supports sequenced downloading; one node of an HA pair downloads an image from the remote repository, and the other node waits for it to complete. Once that download is complete, the second node downloads it from the first. When targeting an HA router, the download is sequenced by default. To disable this sequencing, use `request system software download simultaneous disable`. +The SSR can be configured to perform sequenced downloading; one node of an HA pair downloads an image from the remote repository, and the other node waits for it to complete. Once that download is complete, the second node will download it from the first. For HA routers, the download is NOT sequenced by default. To enable sequencing, use `request system software download router RouterName version SSR-X.Y.Z sequenced`. :::note The second node will download the software from the first node, unless it encounters a connectivity issue. In that case, the router would move on to the next source as described in [Failover Resiliency](#download-failover-resiliency). diff --git a/docs/release_notes_128t_7.1.md b/docs/release_notes_128t_7.1.md index 8578a81bf0..19a388547e 100644 --- a/docs/release_notes_128t_7.1.md +++ b/docs/release_notes_128t_7.1.md @@ -40,7 +40,7 @@ An issue has been identified that may be observed in conductor deployments runni An issue has been identified when onboarding SSR routers installed with older versions of software (such as 5.4.4) to Conductors running 6.3.x, when running in offline-mode. In some cases, certain software packages are not available to be installed during onboarding. To work around this issue, import the **package-based** (the "128T" prefixed) ISO for the current conductor version onto the conductor. This provides the necessary software packages to complete the onboarding process. This issue will be resolved in a future release. -## Release 7.1.3-1r2 +## Beta Release 7.1.3-1r2 **Release Date:** November 25, 2025 @@ -55,9 +55,10 @@ An issue has been identified when onboarding SSR routers installed with older ve ---> - **I95-56719 Conductor Scaling:** Several improvements have been made to increase the scale of conductor managed router/node deployments, as well as the reporting of router information, and the efficiency of the device communications. The conductor can now manage up to a combination of 5000 nodes and routers. It should be noted that there are scaling limitations, such as a reasonable configuration complexity. Improvements to web interface responsiveness and updates to the following pages: Peer Path table, Event history, and Peering Connections panel of the Topology view. ------ -- **I95-58959 Secure Conductor Onboarding:** +- **I95-58959 Secure Conductor Onboarding:** Secure Conductor Onboarding (SCO) provides the ability to onboard a router to a conductor ensuring that each device proves possession of a private key, and that the connection is trusted and authenticated. For more information, see [Secure Conductor Onboarding](sec-conductor-onboard.md). +------ +- **I95-54248 Smart OS Download:** The SSR download process is now configurable, to provide better recovery and control over software downloads when a network connection fails. To improve resiliency against these network connectivity issues, the SSR queries available versions from all sources before beginning the download. If a request to a source fails, the SSR moves on to the next source. See [Smart OS Download](config-smart-download.md) for more information. ------ -- **I95-54248 diff --git a/docs/sec-conductor-onboard.md b/docs/sec-conductor-onboard.md index 9653c90242..25f7a5f8cd 100644 --- a/docs/sec-conductor-onboard.md +++ b/docs/sec-conductor-onboard.md @@ -9,17 +9,17 @@ When a router has SCO enabled, asset-id based onboarding is disabled. Ports 4505 ### Prerequisites -- The `secure-conductor-onboarding mode` must be enabled +- The `secure-conductor-onboarding` must be enabled - The `secure-conductor-onboarding public-key` field must be configured - The `secure-conductor-onboarding ca-certificate` field must be configured To provide a secure and mutually authenticated onboarding mechanism, the following information must be configured. -- Pre-shared key: The onboarding pre-shared key is a 48-character alpha-numeric string, configured at the authority or the router level. This key is mandatory for the SCO process. +- Pre-shared key: The onboarding pre-shared key is a 48-character alpha-numeric string, configured at the router level. This key is mandatory for the SCO process. - Conductor Public certificate: A public-private key certificate. -- Conductor CA certificate: Optionally, you can configure a public certificate signed by a preferred CA signing authority. +- Conductor CA certificate: A public certificate signed by a preferred CA signing authority. -The public certificate and CA certificate are configured on the conductor at the Authority, Conductor, and Router level. +The public certificate and CA certificate are configured on the conductor at the Authority level. ## Basic Configuration @@ -27,7 +27,7 @@ The following information are the required steps to configure and use Secure Con - Configure the Conductor where the router will onboard. - Configure the conductor to accept the router. -- Generate signed certs for the conductor and place the certs in appropriate location on the conductor. +- Generate signed certs for the conductor and place the certificates in the appropriate location on the conductor. ``` mv myCA.key /etc/128technology/pki/myCA.key mv myCA.pem /etc/128technology/pki/myCA.pem @@ -47,7 +47,7 @@ Only RSA keys are supported at this time. - Enable ssh-only for asset resiliency. `configure authority asset-connection-resiliency ssh-only true ` -- Enable SCO on the conductor. +- Enable SCO for each router. - For devices with a built-in dev-id certificate ``` config authority router router1 system secure-conductor-onboarding mode strong @@ -61,14 +61,18 @@ Only RSA keys are supported at this time. ``` :::note -To read the EK from the public cloud instance, run tpm2_readpublic -c 0x81010001 -f DER -o /dev/stdout -Q | base64 -w0 and configure the contents in the endorsement-key field above. +To read the EK from the public cloud instance, run `tpm2_readpublic -c 0x81010001 -f DER -o /dev/stdout -Q | base64 -w0` and configure the contents in the endorsement-key field above. ::: -- Disable salt state on conductor (this is optional). +- Disable salt state on conductor. ``` /usr/bin/firewall-cmd --permanent --remove-port=4505-4506/tcp ``` +:::note +In the current beta delivery (7.1.3-1r2) this step must be performed to disable ports 4505 and 4506 so any devices not using this feature will fail to onboard to the conductor. +::: + - Create the SCO token on the conductor. ``` create secure-conductor-onboarding token router-name [expiration-timeout <1d>] @@ -78,7 +82,7 @@ To read the EK from the public cloud instance, run tpm2_readpublic -c 0x81010001 After the user generates an onboarding token, enter the token and other onboarding details in the onboarding UI or using CLI commands. There are two methods to onboard a router: - - Using the Command line: `secure-conductor-onboarding-token` command and `onboarding-config.json`. + - Using the Command line: `create secure-conductor-onboarding-token` command and `onboarding-config.json`. - Mist Conductor Redirect: In the Mist interface, token information is entered with the conductor IP address. This information is sent to the router once SZTP has been completed and then passed to the router client to perform secure conductor onboarding. Once the process is initiated, the conductor CA certificate is loaded on the system as a trusted CA, allowing the device to trust the conductor in subsequent workflows. @@ -93,7 +97,7 @@ Once the Secure Conductor Onboarding workflow is initiated, the router performs 4. The router connects to the conductor over port 930 using the SSH keys exchanged in previous steps. 5. The router is prepped and initialized by the conductor. During this process, the system goes through the reboot cycle. -Once the secure SSH tunnels are established, the SCO workflow concludes. All future communication between the router and conductor will occur on standard SSR to conductor ports such as 930, 4505, 4506, etc. +Once the secure SSH tunnels are established, the SCO workflow concludes. All future communication between the router and conductor will occur over port 930. ### Known Caveats @@ -110,16 +114,14 @@ The following sections provide details about the commands and parameters used fo The following parameters are required, and are configured at the Router level. -`configure authority router secure-conductor-onboarding mode` +`configure authority router system secure-conductor-onboarding mode` - `disabled`: Default is true, must be false to enable. - `psk-only`: Configured on devices with no TPM, but which require the Secure Conductor Onboarding workflow. - `weak`: This setting enables SCO but allows the router to use a self-signed certificate. This conductor will skip the CA certificate validation for this router. - `strong`: On SSR devices manufactured with a device ID (SSR400/SSR440), `strong` mode ensures that the asset-id matches the serial number field in the subject line of the router’s public certificate. For vTPM workflows, the router’s endorsement key must match the `endorsement-key` configuration. -`configure authority router secure-conductor-onboarding pre-shared-secret` - -The pre-shared secret is a 48-character alpha-numeric string. When enabled, any empty PSK will auto generate a random 48-byte alphanumeric string using the FIPS-approved, highly secure DRBG function from OpenSSL. Once generated, the key does not automatically change. It can be updated by the user if necessary. +`configure authority router system secure-conductor-onboarding pre-shared-secret` ### Conductor Configuration @@ -137,7 +139,7 @@ To provide secure and mutually authenticated onboarding, the following additiona - Conductor Public certificate - Conductor CA certificate -The onboarding pre-shared key will be 48-character alpha-numeric string which can configured at the authority or the router level. This key is mandatory for SCO process to work successfully. +The onboarding pre-shared key will be 48-character alpha-numeric string configured at the router level. This key is mandatory for SCO process to work successfully. The conductor is expected to contain a public-private key certificate with the additional option to sign the public certificate by the organization’s preferred CA signing authority. The public certificate and CA certificate will be configured in the conductor data model. ## Token Creation @@ -200,7 +202,7 @@ The CA certificate is read from disk at the location given in `secure-conductor- ### Token Contents -The next step in the process is to generate an onboarding token from the conductor Web interface, command line, or using APIs. The generated tokens are signed by the conductor’s private key so that they cannot be altered once generated. The SSR supports two modes; Authority-wide and Router-specific tokens. These are mutually exclusive and are defined in the configuration. +The next step in the process is to generate an onboarding token from the conductor Web interface, command line, or using APIs. The generated tokens are signed by the conductor’s private key so that they cannot be altered once generated. The SSR supports Router-specific tokens. These are mutually exclusive and are defined in the configuration. ### Router-Specific Tokens From 5ebd93e6860c044161ac288a5851b646485a3ce0 Mon Sep 17 00:00:00 2001 From: Chris Date: Tue, 25 Nov 2025 12:15:26 -0500 Subject: [PATCH 11/58] additional review comments and updates to the release notes and about releases pages. --- docs/about_releases.md | 2 +- docs/config-smart-download.md | 8 ++++---- docs/release_notes_128t_7.1.md | 15 +++++++++++++-- docs/sec-conductor-onboard.md | 31 ++----------------------------- 4 files changed, 20 insertions(+), 36 deletions(-) diff --git a/docs/about_releases.md b/docs/about_releases.md index a638d6a982..b145db157f 100644 --- a/docs/about_releases.md +++ b/docs/about_releases.md @@ -35,7 +35,7 @@ However, issues resolved in `4.3.12`, which was released on 3/12/2021 are not ad | Version | Initial GA Version | First Release Shipping Date | Latest GA Version | End of Engineering support | End of Support | | -- | -- | -- | -- | -- | -- | -| Release 7.1 | [7.1.0](release_notes_128t_7.1.md#release-710-48r1) | November 25, 2025 | [7.1.0](release_notes_128t_7.1.md#release-710-48r1) | August 25, 2026 | February 25, 2027 | +| Release 7.1 | [7.1.0](release_notes_128t_7.1.md#release-710-48r1) | December 4, 2025 | [7.1.0](release_notes_128t_7.1.md#release-710-48r1) | September 4, 2026 | March 4, 2027 | | Release 7.0 | [7.0.1](release_notes_128t_7.0.md#release-701-1r1) | October 14, 2025 | [7.0.1](release_notes_128t_7.0.md#release-701-1r1) | July 14, 2026 | January 14, 2027 | | Release 6.3 | [6.3.0](release_notes_128t_6.3.md#release-630-107r1) | September 30, 2024 | [6.3.6-6-sts](release_notes_128t_6.3.md#release-636-6-sts) | May 6, 2026 | November 6, 2026 | | Release 6.2 | [6.2.0](release_notes_128t_6.2.md#release-620-39r1) | November 16, 2023 | [6.2.9-lts](release_notes_128t_6.2.md#release-629-5-lts) | September 6, 2026 | March 6, 2027 | diff --git a/docs/config-smart-download.md b/docs/config-smart-download.md index 080e5426be..c67a3a1539 100644 --- a/docs/config-smart-download.md +++ b/docs/config-smart-download.md @@ -45,16 +45,16 @@ The GUI also supports pausing and resuming downloads. In the event that all sources have reached the threshold of consecutive failures and a download attempt has returned an error, the SSR can be configured to wait for a specified amount of time and then retry the download. If a connection is successfully made, the download will resume where it left off. -The timeout is enabled by default (`software-update download enable-timeout true`). The SSR waits for a configurable amount of time (default is 10800s) for the download to complete. If the timeout value is reached without successfully downloading the software, the download is marked as "Failed". +The retry delay time is the longest time to wait between retry attempts. For example, the initial retry delay starts at 30 seconds. With each failure the delay is increased exponentially. However, when that calculated value reaches the maximum retry delay time, successive wait times for additional attempts do not exceed the maximum retry delay time. The default is 3600 seconds. A maximum number of times to retry can also be configured. -The retry delay time is the longest time to wait between retry attempts. For example, the initial retry delay starts at 30 seconds. With each failure the delay is increased exponentially. However, when that calculated value reaches the maximum retry delay time, successive wait times for additional attempts do not exceed the maximium retry delay time. The default is 3600 seconds. A maximum number of times to retry can also be configured. +The timeout is enabled by default (`software-update download enable-timeout true`). The SSR waits for a configurable amount of time (default is 10800s) for the download to complete. If the timeout value is reached without successfully downloading the software, the download is marked as "Failed". -Use the command `configure authority router system software-update download enable-timeout [enabled]` to enable auto-resume. The command parameters are listed below: +Use the command `configure authority router system software-update download` to adjust the download retry behavior. The command parameters are listed below: - `enable-timeout`: True/false, default is true. This enables a time limit for the overall download. - `timeout`: Amount of time in seconds that the SSR waits for the software download to complete. When the timeout value is reached the download is marked as **Failed**, and the retry delay begins. The default download wait time is 10800s. Range is 1800s - 604800s. - `attempts`: The maximum number of attempts to download before considering the download as failed. If set to 0, the SSR will retry the download until the timeout is hit. Default is 10. -- `max retry delay`: The maximum amount of time in seconds to wait in between retry attempts. The retry delay will start off low and back off exponentially up to this duration. Range is 0 to 86400s. Default is 3600s. +- `maximum retry delay`: The maximum amount of time in seconds to wait in between retry attempts. The retry delay will start off low and back off exponentially up to this duration. Range is 0 to 86400s. Default is 3600s. #### Examples diff --git a/docs/release_notes_128t_7.1.md b/docs/release_notes_128t_7.1.md index 19a388547e..5afd9cfc74 100644 --- a/docs/release_notes_128t_7.1.md +++ b/docs/release_notes_128t_7.1.md @@ -44,6 +44,10 @@ An issue has been identified when onboarding SSR routers installed with older ve **Release Date:** November 25, 2025 +:::important +These release notes are Beta only and are in progress. They are furnished to help provide information about updated and new features for controlled beta deliveries. They do not represent a full feature set. +::: + ### New Features +- **I95-48934 Configuration Integrity:** SSR Configuration Integrity protects authentication credentials, keys and certificates, network topology information, and other pieces of sensitive SSR configuration from unauthorized access when the system is powered off. It prevents network and SSR operations from executing when the system is determined to be in a compromised state. To learn more, see [Configuration Integrity](concepts-config-integrity.md). +------ - **I95-56719 Conductor Scaling:** Several improvements have been made to increase the scale of conductor managed router/node deployments, as well as the reporting of router information, and the efficiency of the device communications. The conductor can now manage up to a combination of 5000 nodes and routers. It should be noted that there are scaling limitations, such as a reasonable configuration complexity. Improvements to web interface responsiveness and updates to the following pages: Peer Path table, Event history, and Peering Connections panel of the Topology view. ------ - **I95-58959 Secure Conductor Onboarding:** Secure Conductor Onboarding (SCO) provides the ability to onboard a router to a conductor ensuring that each device proves possession of a private key, and that the connection is trusted and authenticated. For more information, see [Secure Conductor Onboarding](sec-conductor-onboard.md). ------ - **I95-54248 Smart OS Download:** The SSR download process is now configurable, to provide better recovery and control over software downloads when a network connection fails. To improve resiliency against these network connectivity issues, the SSR queries available versions from all sources before beginning the download. If a request to a source fails, the SSR moves on to the next source. See [Smart OS Download](config-smart-download.md) for more information. - +------ +- **I95-60209 ML-KEM support [FIPS-203]:** ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) is a cryptographic protocol used in post-quantum cryptography to securely exchange keys over public channels. This level of protection offers security against both quantum and classical adversaries. On the SSR, ML-KEM can be used alone, or in conjuction with Diffie-Hellman as a hybrid approach to peer-key exchange and encryption. For more information, see [Post Quantum Cryptography Support](enhance-sec-key-mgmt.md#post-quantum-cryptography-support). ### Resolved Issues From 122de1acac14abacc4785f28004d7c6f643a4a7e Mon Sep 17 00:00:00 2001 From: Chris Date: Wed, 10 Dec 2025 16:50:06 -0500 Subject: [PATCH 28/58] fixing typo in link --- docs/release_notes_128t_7.1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release_notes_128t_7.1.md b/docs/release_notes_128t_7.1.md index 1217e74d67..e59a953f49 100644 --- a/docs/release_notes_128t_7.1.md +++ b/docs/release_notes_128t_7.1.md @@ -64,7 +64,7 @@ These release notes are Beta only and are in progress. They are furnished to hel ------ - **I95-54248 Smart OS Download:** The SSR download process is now configurable, to provide better recovery and control over software downloads when a network connection fails. To improve resiliency against these network connectivity issues, the SSR queries available versions from all sources before beginning the download. If a request to a source fails, the SSR moves on to the next source. See [Smart OS Download](config-smart-download.md) for more information. ------ -- **I95-60209 ML-KEM support [FIPS-203]:** ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) is a cryptographic protocol used in post-quantum cryptography to securely exchange keys over public channels. This level of protection offers security against both quantum and classical adversaries. On the SSR, ML-KEM can be used alone, or in conjuction with Diffie-Hellman as a hybrid approach to peer-key exchange and encryption. For more information, see [Post Quantum Cryptography Support](enhance-sec-key-mgmt.md#post-quantum-cryptography-support). +- **I95-60209 ML-KEM support [FIPS-203]:** ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) is a cryptographic protocol used in post-quantum cryptography to securely exchange keys over public channels. This level of protection offers security against both quantum and classical adversaries. On the SSR, ML-KEM can be used alone, or in conjuction with Diffie-Hellman as a hybrid approach to peer-key exchange and encryption. For more information, see [Post Quantum Cryptography Support](enhanced-sec-key-mgmt.md#post-quantum-cryptography-support). ### Resolved Issues From d0f0f20462a94ff4084b36951675f96559ec35ce Mon Sep 17 00:00:00 2001 From: Chris Date: Thu, 11 Dec 2025 10:48:00 -0500 Subject: [PATCH 29/58] hiding new feature info in the release notes about ML-KEM --- docs/release_notes_128t_7.1.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/release_notes_128t_7.1.md b/docs/release_notes_128t_7.1.md index e59a953f49..97348b3040 100644 --- a/docs/release_notes_128t_7.1.md +++ b/docs/release_notes_128t_7.1.md @@ -63,8 +63,8 @@ These release notes are Beta only and are in progress. They are furnished to hel - **I95-58959 Secure Conductor Onboarding:** Secure Conductor Onboarding (SCO) provides the ability to onboard a router to a conductor ensuring that each device proves possession of a private key, and that the connection is trusted and authenticated. For more information, see [Secure Conductor Onboarding](sec-conductor-onboard.md). ------ - **I95-54248 Smart OS Download:** The SSR download process is now configurable, to provide better recovery and control over software downloads when a network connection fails. To improve resiliency against these network connectivity issues, the SSR queries available versions from all sources before beginning the download. If a request to a source fails, the SSR moves on to the next source. See [Smart OS Download](config-smart-download.md) for more information. ------- -- **I95-60209 ML-KEM support [FIPS-203]:** ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) is a cryptographic protocol used in post-quantum cryptography to securely exchange keys over public channels. This level of protection offers security against both quantum and classical adversaries. On the SSR, ML-KEM can be used alone, or in conjuction with Diffie-Hellman as a hybrid approach to peer-key exchange and encryption. For more information, see [Post Quantum Cryptography Support](enhanced-sec-key-mgmt.md#post-quantum-cryptography-support). + + ### Resolved Issues From 636e1ceedb83a56bd8a69d8228460e9fa6ab8428 Mon Sep 17 00:00:00 2001 From: Chris Date: Thu, 11 Dec 2025 13:55:46 -0500 Subject: [PATCH 30/58] fixed typo --- docs/concepts-config-integrity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/concepts-config-integrity.md b/docs/concepts-config-integrity.md index 628cb155c0..796494e0ec 100644 --- a/docs/concepts-config-integrity.md +++ b/docs/concepts-config-integrity.md @@ -60,7 +60,7 @@ Once a system is onboarded, the Integrity Handler is responsible for unlocking t 3. Pass unencrypted FEK to fscrypt. 4. fscrypt uses the FEK to automatically unlock the necessary encrypted directories. -If any of these steps fail, it is interpreted as an integrity event. Network activities are blocked. An emergency log is generated and broadcast to all consoles on the system that the system integrity is compromised and it must be reprovisioned. The SSR will repeatedly try to start the integrity service to unlock the encrypted directories and fail, each time writing the emergency log. +If any of these steps fail, it is interpreted as an integrity event. Network activities are blocked. An emergency log is generated and broadcast to all consoles on the system that the system integrity is compromised and it must be reprovisioned. The SSR will repeatedly try to start the integrity service to unlock the encrypted directories and fail, each time writing the emergency log. ``` Broadcast message from systemd-journald@TESTsystem1 (Mon 2025-12-01 17:15:20 UTC): From 3c0a2d6a1f4c4012cb8cd65befded23241894808 Mon Sep 17 00:00:00 2001 From: Chris Date: Tue, 16 Dec 2025 13:28:48 -0500 Subject: [PATCH 31/58] adding LED diagrams and other info to match hardware guide. --- docs/ssr-chassis-manager.md | 51 ++++++++++++++++++++++++++++++++++--- 1 file changed, 48 insertions(+), 3 deletions(-) diff --git a/docs/ssr-chassis-manager.md b/docs/ssr-chassis-manager.md index 645d66ba22..5e01f668a8 100644 --- a/docs/ssr-chassis-manager.md +++ b/docs/ssr-chassis-manager.md @@ -22,15 +22,25 @@ The System LED displays the following colors to report system state: The presence of any major or critical alarms will cause degraded service, resulting in the system LED showing purple. If a Purple or Red LED is seen, use `show alarms` to view the details of the error or alarm. -Port LEDs have the following behavior to identify port status. +### Port Status LEDs -#### Left LED - Link Activity +Port LEDs have the following behavior to identify port status. The following diagrams identify the port status LEDs for SFP and RJ-45 ports. + +**SFP Network Port Status LED Orientation** + +![SFP Port Status LEDs](/img/ssr-4x0-ports-g103129.png) + +**RJ-45 Network Port Status LED Orientation** + +![RJ-45 Port Status LEDs](/img/ssr-4x0-ports-g103131.png) + +#### Left LED (1) - Link Activity - Blinking Green: The port and the link are active, and there is link activity. - Green On Steadily: The port and the link are active, but there is no link activity. - Off: The port is not active. -#### Right LED - Port Speed +#### Right LED (2) - Port Speed Port speed is indicated with the following behavior. @@ -83,4 +93,39 @@ The following `show` commands allow you to see the chassis status from the CLI. | `show chassis hardware` | Reports the hardware SKU, CLEI, revision (rev), and serial numbers from `/sys/kernel/leopard_idprom`. | | `show chassis firmware` | Shows CPLD and boot firmware versions from `/sys/kernel/leopard_cpld/version` and `/sys/devices/virtual/dmi/id/bios_version`, respectively. | +### Power Supply Adapter LEDs + +The Power Supply Adapter LEDs are not managed by the Chassis Manager, but the LEDs are used to indicate status. + +- Steady Green: Receiving power +- Off: Power failure or no power + +![Power Supply LEDs](/img/ssr-4x0-power-supply-LEDs.png) + +### HA Port Status LEDs + +The HA Port Status LEDs are located on the HA ports on the rear of the device, and are not managed by the Chassis Manager. However, the LEDs are used to indicate the Link Activity and Speed. + +![HA Port LEDs](/img/ssr-4x0-ports-g103130.png) + +**Left LED (1) - Port Activity** + +Port activity is indicated with the following behavior: + +- Blinking Green: The port and the link are active, and there is link activity. + +- Steady Green: The port and the link are active, but there is no link activity. + +- Off: The port is not active. + +**Right LED (2) - Port Speed** + +Port speed is indicated with the following behavior. + +- Blinking Green: 1000 Mbps (1 blink per second) + +- Steady Green: 100 Mbps + +- Unlit: 10 Mbps + From 90ca30f5a50a9336bd24c4ed5e0ea644f6129be0 Mon Sep 17 00:00:00 2001 From: Chris Date: Wed, 17 Dec 2025 09:05:04 -0500 Subject: [PATCH 32/58] addig graphics for port status leds --- docs/ssr-chassis-manager.md | 2 -- static/img/ssr-4x0-ports-g103129.png | Bin 0 -> 32031 bytes static/img/ssr-4x0-ports-g103130.png | Bin 0 -> 32971 bytes static/img/ssr-4x0-ports-g103131.png | Bin 0 -> 59932 bytes 4 files changed, 2 deletions(-) create mode 100644 static/img/ssr-4x0-ports-g103129.png create mode 100644 static/img/ssr-4x0-ports-g103130.png create mode 100644 static/img/ssr-4x0-ports-g103131.png diff --git a/docs/ssr-chassis-manager.md b/docs/ssr-chassis-manager.md index 5e01f668a8..184613edaa 100644 --- a/docs/ssr-chassis-manager.md +++ b/docs/ssr-chassis-manager.md @@ -100,8 +100,6 @@ The Power Supply Adapter LEDs are not managed by the Chassis Manager, but the LE - Steady Green: Receiving power - Off: Power failure or no power -![Power Supply LEDs](/img/ssr-4x0-power-supply-LEDs.png) - ### HA Port Status LEDs The HA Port Status LEDs are located on the HA ports on the rear of the device, and are not managed by the Chassis Manager. However, the LEDs are used to indicate the Link Activity and Speed. diff --git a/static/img/ssr-4x0-ports-g103129.png b/static/img/ssr-4x0-ports-g103129.png new file mode 100644 index 0000000000000000000000000000000000000000..fbcce789c72aebb8a9d94d013e79d6ae29751f65 GIT binary patch literal 32031 zcmeEuXH-;M)@^ysir`fg$*2e@2na}yDk3=vNERgLoRgq(1p&#DGl&RC5-F03h)4#> z6h)9w#VPxB|9E4(Z;bC}SC8f*b;90juQ2D_>ztPgauR1wQJg}dP-i3`+*3lK zPJcq74ilaD3;rTg<9P%AbJFI4x;+Y|bszu#L!=RR#ZV|Zl;l0Jhc59mm^RnGzAkQs z!X(mUWwB!B4@ytPkAAsu>Bfg_)LZyp*zTDxEa{N@i*J^7umxtG&CsK!RMq<;jDieMa#ER#55e z&ex4QADzmik*g{hR*WGVT>an6|SVB5@l%VOcY|@81&8WWuzKS#@=FAKiUO=0x^4=@!ANt3} z4DAaxR}e5ZbQKIRx>dcuT|NHwZyHpV^|CsK=rD5aA-~N5r^BDCr_kJ=eeD0Pv!$w| z-i|6dCmz~(aPG)7Eckj&BhL!V4rh3%R?`bKLn#S%;=>`cS=OtfeI-He( zo#*l6*Wrqh;ZJC0K0QQoLHt&Xj7|(1etsWa?23~Nt5~`!VE#2}dj;1q9oIUEEENh4 z*R|w93<^Kz{|i6=i^>si_%B)cHx4IUib2^#{Vb#+_Ls-1=c;O&zo^kukBW=#?(W|8 z+IJ3gD92>6C6Uz^&dkkOEpteQ;T*QyLU9hU^!3cS!fbZ0w=r2N!Il$7J)3X(`gW{M z9FwjbH@$$Ey7_rB(ZWSX?QX})O;xYyhK>8`QP?U^^Qy?|^78G?+AVs{O(4fy)wcl@I$vYSuJa5Xvh+GxzSLV1hec45yawWq8Yb;20xQa zxx&U+WHL5aWFijfu+xMjdF#qe8x{4c{(PD>H#fH=XkC8#qoKOde;lXUy=ua>)meQ} zyx_LV$mU4yTiMu5P4l(ukcV~I3aZNepZtkp3rscPq9DIve`QH9I;^+DfuEY_n5DB=RtJt$JTx== zB|%4sCx)9uZ|!;|PQ0*>_ucgH^7Ob&XP(T9oo z*Bh2_4J-{GUwF(Y8#F9mQBhgl-p#6ZFb*BI`Lya@s^O{gn{Ivkg(?p-SzxU&v*|b6 zc=~$46wWkT%O0FF9x|4edpyNx`OqiDXw&)eaigS2WPl4+M+|+a4{(R3HGUyY$2Vhh ztvj}N_h4-?SCWK1-70^mKBt#-x)>vurK!yN5xH5pd=480(J_I;v=%S%VY9W#8=erS zH}S;Ge7QQM(=&i7y_4*We+|9lnmU4YQ1jp0q)}PTDbn#*ajeMg_EJfI_s*zkyt`541X zWiM{O=|AFD9Ur$>0#ca*7{Vo&Ib=H~%mGeT<3H9q@Tp395Stlyl_SNv!`y6aVqo!{3B z^(#gf{lE{)yDH7Xi*SOjcL@gh6@FG6|6eB=2WIno`)&$i87Gj|W@6rCz~Q>Jw6(<_ zJeoBRDG(xxt=eO=eSY1$^g)y%q=|tF_{emuIBR0mA=}Ll&vkGTkXRgL4~)T2~XN=hDA>X3;ST>rEhw3jFjcjUIV@=UAt&JhR%pYRN@ zd3d~+h3V9k&$b;MF(q_MVhn=_9i89=L zam7$w*fYjZU6Hi9f2tX(i(?Cfpf>o3PW(+n^>Np#)#KiCba7wC_dBb0m&O{V3E_{L zmr*$8A{%8`sbkHbFsG$XT8p=Pvsp=>#xkxWD~m0w!!$Ni9^3owHGMs0fQ6?qc79zV zt!@4zc!`(>ChI}R0%Y^9mL+i1DYTc1OONqblJ&8;{aQ~=Jk4>T$VSZI(*;?q`eFB~ zhp_h|v(2D#Y~}&Wfz(GCUT=`(Kqhga&X!bMbJ-NJd$Km(>1@#B%dYv|{jM%&<{xuW z04w-d&P$>mRSOA3vOlO5_*H>5atGe);MNUO=;mdQ=^q#R+NW3XWg&2xJ*j23|2&|3 zdm`2TAmrkot0ApKgB|1I;y#uS=_-<5lf1%Q)M3DZTXnSBlSCkImLh1-_q71`!e*QbN>4XFkFK6dc zo&2OKNWWl9^Qx2|s*K`_6)Bww;>7J!^A}&HPOj>Th0!l>dhD;_eXrURVU?fpwHsgV z`mLUl4Ga!K)PKa(;?Px9dz;I~{n{ULvGe_ZGWiL}7n!i^EnSHGW8Ir_%}HHZY+Dn*T3v{rrVg zd=XdeRbo_>%oIRI_Ns2wNUXHq(>~Oyw4dctNS(EnqcJ|O$p0NYg?GZ^2gU+CQ8s(b zhvbTE2avh$?inq1ilF;xZL}8wW#zN=WFh7e7UzA3A0jPcVSH30zoAh7FU9;BzDgZ| zEL(4&6lK^SM5RatbeSo5^dsf)WAKl{nZ3QL+55rp7g&CJ$v!KDc%p(E?vW4eYH4dX z85Mz><*_uNF;@NBHV_@H5%9-ISBi)#4%=ECxgSjvjZO3Ur}U8h|yZ}v-6Q>2M_lZ=V%?{utL zR<_xd&Ft{(uRIl3B(1ZJ&9vOF#99?R0zmujUEiK20dlnig%xZxDoSNi%~9zOs?b&> zwWX3!`~|j%rk7NYvUFZ_>cDXYkA8W)Fp*Kn64zuDSUcj8wCz?ocjWBCRQ!I`?D}@4 z&ivHWlma;$GFoAJnE7GXM0tkrF+0~PQ$M)}S*hu!8l>X=+B>1O`apy^zfCqBz;3wO z`y_YX?X{()!o2CC#2@YV3W>uOk>L%cor`#?tQIx)n4NdMSWHF5QCk-uB|qFhefl)% zz;7%Re>EU=%nq_+l%aKw0$#G94!RG+NzSb-O=Y@siLqmIeo<*6aZ!UcT17>cA^amH zA#vaH#8>m%a7AtH1k*l%v#<ffaHhMyVm$k zJC(!b*Vfi9RZ^>HcSBU$V>Ydqa5d&1Cm~n1B#Fd1v$C=_&xJDvq}J-U%{n24t>20e z7~xM+iQ}+*FKjJuE z?M@|czt*H*z$>LG!5t&RZSN54f9b*JoDLimde^R|DxtbB4;%zrL*=HRkH&bi5Z(wb9!~8{PrNqR5F& z1CCx16??N|eqR6q@Sim0Ja%0&tkbMh^~ro1pTRqp1_nw8clUn5R_xXc|KGCTb6`w! zR$BSpP2yB_5;#O6@=@h;I~i=wc|U_GV3!2Tw_g0kfCE5ff2p;K$_4SZZ^XV^U1cX9 z0DLDESC3L8y?HV4%VV41grK`Umh1cipQyo7xli6IsCBOvB)~< znBkq)9Y)N6yLNYAt-c^l5{~@7Z1J@71ZvE6P>ZYJG9h3tod@f{+K+zX`+Tis*^?og z%hV6&;Ff9XSIAPt;_l+|Muq`=T)nHpJCi)LbQ3DXL_N=nEtQC%V7jSW=5hAhVo87_ zVqULkX?LrssX?uv${GiIq4OBS>+Q2aQv;%!Y$O)i4M z9f#k5Bbt?LZLLllaFkV43>bT=sKh;NjhQn*MyO+)N<@WWpyG^?ae5&>g{C1o1}SmE zoma8LTSY}Z>SlBU-=9eGjy?Nbzkn$~pEG}?0-RNg)xTyq z{{@~{bIB$pmOAPj^ApSO4jgsijtiJ6nA6WQHllud^%%tBRO`0WL-+0D;R5$+19lKTR==zR7XfawT6i)6}gBTc@V7y0Q?Pbt}~9ofHTo;j+T-zC2bS zt?in1=1-{AFW~b5sOl6e@T^JB>qhYCGNv>^4l>^XM|Q6qRDF@{Y7=*&R^oPC(?Pk^ zEXDrze^E1R!o@#b{W);kY1C9IlRRTt#}moR3xjx&^-RA+<96EhgY5XJx*8PjmZGCg zIBrWW7nHc-`|j!78guTg-95L;=ECqS-9 z^ztEIcgfQ_TNSoN1ejngL z;)L;TL}2QM%AG~rw|u#*A}!WZB`YK(Jm^7~mpdS@5N}Ofp@J=O_i9&HSEtj6o2Bim z>htAps4(0WFKL zQnzE2AygvH;cRk`)x|;uWPpOJxW&bSSsFUJgCb{n=J!94U&IWi&t9YPrOyjj-FDMbgdRs24Ih~2>NfTI=q-@~qNo-5NPtv$+;%2KIlW2tNWORNYEM)-vazzJ zGHvCG5zOgviQy;89}0Thw~zv={Qg&C3ybboEHFa7Xo5qa@SJ9$?H54F)1RLLHP!lN zJ77jol+-*3OE25l+jTEbi08PTsyvRX&|j|mo6s^c^d4B0|KeCf^te8!tM3Fb z99HhKD;lM)7pGUz7&*D#-Ca-nzr_{H6OcQ8P67%+d{wq%{7TC*z&eYuXMjO&lf{XU z<>Ij>Yat8g!*Mlk@_cJ-RY^ZV3E4RbWP&}6zE@`a649|)Zu{6m7UqD|vZ}H&(-N}1 ztnTUC%1TpcAUT$$_IQ0F+$%8kZTEBuhM2H+3CTn@>`>#&m;&yo8cC~1)eL_qn>*lE zeZ>1o{r&yp`rL6)t<2aM85;^0T?VwkZTZ~@+fGGmh-3PMJOTH%J7yZodhztj*XX>7 zNG3iOAF{&^q5}T-VF>4WT)*4)Lb7P7Mnw4 zPak_mro&W^w7YADTQ_gF)Y?{PvDOgj#6L&p<>%!Eq?(k6hKJKbC5;Fp-23oG4p5vB z20YHY{P)sBQgQIh;o&dX-x0T$z2eE%9#YkH;C`_XI(&qQfK6Nl8I&nt9$T#jS|Hoa ze^Qww!(cEv`Q1)zJBfuX^YimL?@rlIe+R8@5%#J8x342kj`FAfH>Cj)t^-mblV~n; zhtcC@qS(y+kjm|sL8HRU&vbv9KbE)7k#oOw)X4|qcj?f~<6CDh(?33c{-l$yy7IY0 zy$fGt4=E06$((u}Uh^%L$(@+y{Mqb=nI4}9Hy`)>W%4qSuHbTusO$`pn6_%u^9RjM zvaf|3uh%9v46e|aDY2Fq1bCy%V=+lBVjC(28#!4yap)DYmM5QEn{Px)WhnLb^e{y? z)Yqr)$`m{zs$nmm;#VFRFnRJMO(~n6F}&*f^E+QSy;GP1Mvf^)N?i*`{q0fk=+*v0 zkTEjde4eQWu=S?>O}I;XZjczC6#U<2n|(L9*Xd@MQ5QP}N1wSGA0Qpcok#z7bl>Ozwg% zar&Mj7e7CRb0{B-F+(~Ue;V0dSAu|ZW@hHd!k3MW4Y*INj!AiJVq#)^{HxSSxFi{? z)+Yy?(z#z7!oVbGJy+V`1ZXiMJyldx^!2_w2Opp7Y+ni8iC}60r?H=rYB1gBEgq(( zxaI_bMNYPhfpDC*@B^lVpmLkxuaV4ZVK$BHy#oUk_7lx@wBEoysb37w%*-q-*f5(B zHW9SXgI$%fAHI0;V&rvQW1|e(yU}W(%zk33GY68w^E<;|{ElO~^g#G*h-RykmCe&C zD~$U`rVp}tPft&Kdsr7oIhlA{Z;>%nrM5JQe66yj2Hib7`RXb(nxC6{ZDVniwZ*lu zsVOKp_?XzjR8GE5wb$)rwowZI15!u_oIAhQF zK6Y|aRW&lk84C*tlxMj}^!>tr9=7JTcsMvXSXs?YwxvO?ss=mlajR=+P*7821_z@e zkvx%{3;ljA(dhSmHXU4Sw=?2 z;^HDDj}@0qzf;kN4>oHvy%15m9U{BRcVP_lrHf5GSO<@Gll)AO9CfP(J{u^pB)Y3G zkm+az20CfZn@?$#*^R;a+1uMgF&d7e)qxXW7iuZG+QNe4x)Ycb?ja{H5BkeOQ@;eH z6<}4t)a7<#QZ+o@W07h)kdn+w_<4A`7n%^~dMpp9BJ11bSEtEXxvoz9edG%`xm*JO z1#f2TtKA~tuPZAn5J+*M+$YdiO^elRcTy!!h8%?b8blT}Xc*nA>yua>vAvZ<(AN8& zfg43^#4Rxx66-HMjt2h2Gk;MXvhY8tlV6{oF4M}BEd69Nd}rWcW)WrljLwdj*-UXV ze>AK1Dc{F#ZfMuiAF3r9LH+gd{EqJ=OL?7UdSF!VI;XyVy%TPQ3>;Ms{S6*jKwNG_ zo@bQfdh$&6O0b*5@Aa{pCoJi=oqr!5@OO!ok2f?8(_(cV{`#CLfPXcnE-i*rb7EgsvspVeUxfp7T%o2k$5oM*j+wOodiRYvzvA4HFC!!R z%JX(i4|BkbZjkZEOBP<%UJjA-9Jh73wx@Nw1rBS^KFNoyEAig|lmwWWnPF9}cciXV ziTl?Qj||8+B2V6Ln>78m$Qx&1*$AcDsg+;QS zCaZtW9TD4!^zir8rO9HFi|1|gb%(0+t|oDCub8DTvSADoaaX8V%!c1D-w2t7iG58E z2V`nLV4G?o;ZwoA(^jO6l>9T>OS7}H$=7bB!79=SQ8)~Msh9#Zobn;;N|u~%p7##W zILm!%kE#y$qk=FHfBaT-MAs2RUb+N6{hO4P_wIh%ulyEDV1GYg$&opuP}4w|9~CFR7dEZV<;%ZK%ondU7s$>yIAePRLSV67<^nbo8eENH7O=)N6#M z57_|nu3GLh&p#@*014&x_I+KiO~bQCs4uRbs9`6j;wtBppz33;s=saI7rH`Dg)LveC2?*9)wd@GzgTxtUbjqC?<_TBu0=i4&?(W-=#bqm{E4=;1%g-%Ne7xQALAeGR-0>f(ivR$W z0ZuJUFx?NAk(E74z2)gjrDHnP5%}aj&~N2B)NE%@&!e+PXuWrAm#u6kniIe~l(K)h zw&gvFf32yZVWwl9sFCXgU$7G$tw65(BMR>h1qB7{L{Q{L8E!|utbWxpv21%KtL9t2 zxxIanYgtf^TK+LH_FK2w(sxNMjC& z?--t|7<>V@w6cnl%4oJ4K41MAzqmxinjq1}#-6JAAi1A|OyKhzg!?L##-+`jXkD+~ zg^Sc``8q-NG}MA#*OFRv%bjw`CDV8<&mQ?QGh^|@S$HO(b_9?TY(Cc{ZML^7#VO|zet1s!CukENy7FvH$l*)>M5al9iP_CKDRmlupjD(nIR{bx>w=oefv zuDCBDLD>^$3@`wuUsF>vIyxHEcOIG7nk)og@SPMmzPz&16YA>=14HpiAqS z7{3iehWsrb*u#UNj2seeKh|>Lg&vi0Ol<7d#%Ksh)i5aW@D+>(j4$x%kW#|SmoEVq zLxd&?IOknfkAY=ptKQ+*+y6aOj%1k6U+|S(?M7tS`^H1Y?6R`5wXUJPy}fr*T9g0k z*SPdTQgz&Cmk+#se}rvs1ctpR(Ej;~fJ}EaMsK)HKMZ2KH?77ywx6vFC10RRPvP~<7N3~s$T)yaDe4-r^B z#_N;J;v;)?-4pYxwx(d5Y*A5B(298QG2xL&6m$)9JR_=^^YDgoOJc5SjzkE}?iic5 zE3O^5!1`Bg-@rh8Y;1sL8|kU%07!r~WOny?r7{7Y(|+{mgzpeg1hqUZJPx<=T79s7=Ut? zoKT#|BW-PM4g64<8E zhxPuB@dHc8#l&Pkyip$mfPtPbWW^$rok%*Py{G4mu}+p2Yn}H-eGDKdhR`&SwRx$| zQ-W?vNqIgLaq?tKaB_Fm?1xnwBY}2hRN{*KzL3*u*r}+fSS|)WzjL|fRKGebRdfR| z^2IBBNstgXJyH}dQBln-rHGtS%T)#Jr>d%&xZMazYbT}YeN_!zKAy%EYdD|2- z$=lPSeX}$-2$!`HJ^1Q5H;nTBbB96?VcHjZc1(X%nAU@@VUYCG=)nOWQHBjoN03D@C1(gy+AKpMvEu=ORplK*%-FW{oalCX6<@1I%5nlB*i- z2w2AHxx**)S*5K41goHI@Mg{XRl*Geb^TAf-3Qw^W#r{c3MaK>2G70rssPN|dx4-E zwJPfTM5Bgm9@O2Q(nu`MlFB$I-UdL}qX&xx7blUv8V_)VKHTAtqnbe5*kiSJ+aM<^ zM(`YCBO@SXsZ4HbS$daoIgEQki1o;wUL7AiM5XnfHlpo$NkSNf`5E zEEtI_M>PlcNYb5{9S*5 zbP|*y@V@$pw@d-R)jF=m0Js1B`#0z$8k)GgUuR0+J-lHl%p4$;y?r_$^@q<*WXL9G z0It`<8R3q?NhCGwHTsFbpdd5aJz^rA!<4H<-#+R47*HFqVraCHOgDnblyvKuw-8Ac zJd&ZPx3I7<&^UcYm8|7Pbi>`dchxTtR!_Tj^4d^s`z&kXnPdYiBO?af`S6wrT0xfu zPw^LeyaECOf`ak!WuDtkr*91SJ9PX#OF)1qiaUS^3RWgFxM!-vXwVL$--F1wDMpa{D|GjjKOS#m11@;_mpE5@ zf?VGhaP~sEI$ftIuM4xiiVQCN;l-amz0tl*xGFV%+)o{9A~B^FrZFpz-eR1~O-nzu z*k|aQru@6rqMiyhC~ms21Y7XB+D&qG8CNIKubeQ@Hyg(_Jx3wdVe zm6H&r=za|<8$EUN17{vndFXUlCu3yGP3ZryqnQ zy-7}U5#f0^15zFQ2%RseH7Q_1I*vDG`ZyH|tB3F5203R36f@^yPXBpWlnPJFD~ZJw z7=+?YY;A3$t0TQkXE)LMdY3Z8Ma#XP5=JG6=TthBl$7;o%MNz@8<*ji#o`1+|}Jc1!JF*<~aw`xMX> zn3gEQnhdEQoKVNn?kU^X1oWd2bjJZcSx79fc@bU%^rPY{MQUj&kNSTO-vj)v?o!FJ zM=F%G-!1^HC@3@@J#v|gjFd7oF=2Wc_e}2%ac^-JT1U9>Pb<*&no`$Ml;u0t*KHru zqV++SgveUt4@fOCZn=2sIbd7Jq>!A&+rVYrMwDhit(_gX&bVfwklBPKFioG2uvmh+ z{7mPOwO+nct8eS%Or7>~0C;RwMV@m?pz&OXz7#Bx#BeYON9z-|3nnK5Cnw@jAUUva1YRX4(oOwv(%wo|&4m?$hnt+| z2VAe%{n3DD`Bh&>N^>3kl#Y0Y5+92Yq4^Wl_wzuzl5o5m_>H3ws08|XBNT@hwS>u2 z>A+IkzsFa(W|N`QIiZws>ZyFdv~?9BvlFZ@i8qVF*nD{L}}4|V%iD} z2?hi+JdVbHfx~;KFNfuogh+LD_4*Izkh}TZh4^_JO|19pHpk_=xNk~jTFvhXV9Mt% zM8w-@n(3=d9m4JN&!G<(`D`y7I2I!&Hyuh;`5l*^Lqm@X^Hg&bNuTSz(Gx-mXzFUZ zf2yb`S)JYL(>QyiZhOnFYyiiZ6|%l+s7-NjmDWlaR@SeQ8okD6DI=W5zvodU(Y$=eY zdEyiH=@_*0sbp%v>$TWkE4sToWN=Zl5)I}Cq_)5oU}9lmVc7eU za8n*YvFcga>po5jIh}(ZyFvN$SnOCWPgd6cc8mAl&asGNn4AHR&Pv~oNPj|J><84I zHG0$$^P0t{ad+*fz_ht}{qSN{RflnNJQXiFt(WKiG)%?urU6U^f6?~Z!0PfXD`|6N zsnL;;m`KH9oVox|ybu3IBr4$YsUm(QtbWXnR>sq1t1)KfDC6;CAQ5cGP0xD@i|DSG z+m~7iY3c0sXOn;}OWtZ7*fLp@yz+?PHB1&gbpy=)OpR1lEUM7a-i<-sd#N|e@p{Z7 zs^sh16_;o;pWK3Bdao|)rt=WybPO-GIm${oL|hZnkpI&QV9Em-(9>k=Tq^@`=9;lF zm)*6EjpiUdFXvSZpar@URhYi5-$nAHjx%81xcutH*)CP(9KzHN)EqSNHOF0PljFFR zcE~V*@aVg`yTVpCLzmeq_GT9ghD1hglk5+Nc=PhHzuuV~URuJhl5-My3$nfkh}fB% zn>)-=d-+`7J^o6A6&Mc)dAt52QEdFmEN%Z9Q&R)XN4W2Mj>yQvek=#zR>awNg ze70Rs6mO?#AQp;)sKQDfX9H9zk6Ra4IA+3AE?J+>*5B6`(7_HT;?D==xNLlSdp%HO z6W6^y&yyyHoNSIi8B#?(8d7uloedp4NP^}OBefHvPw1b-$q^In?7=h!yQ6pBs^;u& zwdW63?;gaVv}o4<^Vj5N@W{+^th&M5;G4lwQlZSeZ)wX&$V z4o+B%<;|Ax)%vGTjoEm4IF{;-lZ1s{;IJfG3A1?$nrl5bM+ z+0m7c$(z&~7mZPKD=1%;fiv%6)_W@!F^ByXU0;EOc6XjuY94a>=iI@+)RYtqmE+*}FZ-$0W>~TdmR0;|2k$CU;MIbBw`eihJW8^gM zgE(6As0NqpgYdIyVz^5uZhQGcAA zpKtka>qdO=nQkUna2GItQx~cI)6EQB45vGRZtcgkIN-eUHXAW1nHqx0HKK#1L1SZcLb*A=jEZ^iE3tdn(e#n z?{%+N=XIJv#)1msO9yGf#_RV^gOE@;*4Wc>7MA#BH-zpVtaKc-N5Kn459-)VjPVIw zLh)g)s^j6m`o4gJBFWzl?+ZKgO*mZm;lmIw!>pqmI9X(N6eD;^z~Frz`O6QrdZENW zkI0uE{p-h1>->ska8aidp9HmZXm;x5t>s#Z3vV2pN{hSXKcfmh7QZY5b%XGxgRz{3@qo`hm}|^ zhL^TXUZc~rFEt8Zg?QXwY{No!36Fx0#BOMyYR$@BXDun0wuQDSQyEqYyUGi_lqed76GlNPf;@X!* z)p9!bgwz=qqoKRB47%u)Jb94D>=0Bqd!;iwD7!T8Hqu9VR=~wtA&YA?5!hiF*1ZySu=$gZ!ITZ?Y&#+`AsXa>8HsJ_17-wQ^Mb+*C@3tPZGC0t2{U2SKA9Y^&d^cf zc*XI!)?Xt<;lW@lY)V)J9)divP;Yz~qKPCr+PuUYyDkiP>e7)fFt#9Oq-|-^3H%}B zK)}ikA{KN#K1MkZzznQrm=sgRp2r51g6MwwW|yK?Mo0`NI+oJTUjy zMqhpn<-niMr4I=Mx<$YDr%{E9ApRk0R4WP(7Jzjz1#qwsusU8+73Fzn&L1`>@m23( z_xT6Pe<=9`bnaV4B$ksN5i5Aqm`O}Q4^2Qs;dlQv1Gqr4|)KM${tPh0Oq?~v?E@A*SYD$GMdeewtxAgEpJ6tyA$UC_-6 z<&LKiviyS+KSjG={$HL!k(tM-kfBun_AGLM&l+$-?JU+idMirCOcw)jcRQj9rzYaR zVWf^YS)-tk`6NBds>N> zMA9k*h}%j|-dG!%>*qjx(#^Fir8g_0Xy3cQ`bdcXbYPbwYk!zIrvOr6sE+Uf6zo zNC2CVgzf9&-w;L&a!ZVSk`>2#6&55B7R0LYqNuVb`>NjABd|5ppPSoZEJr&(Eim*E zJoPA2WqpouxSd1?Cd(KfR6|MqW68Jowx-G@IRNfeZf;Rxf5Q8{@E^h6nr) z#f;xlW@Tg(wMs#q4{s5cH8$LZt);57rROnP1|-UQJ9l}XZZ<{3(ZF1lfN z_Lo1t6H7~1b9*&I*HDvy+hV~mq3E7_+UtMw-`%p*2G$6vMVfkkdK*GF{Cy*k0su*j z{b9&x&VfIPBVc{{Z~pse#n-_cq6`p5yK__J^}`T*y4dO@V21}E1mPq&SbQDGkb|BU z;P@jY$waRs?XO-HJG(R9QfUBW0dP%Gh-Y(1ya*pVY)RHX4L`$zs7R9<_}jG?yaY%| z#GK*^(p@+_cY)7-{Rx!huAg=m0KLK50LdozG)o=qXN` zx}Ne(aU>L2Tj@&&1N3oPz(=x1dS2N-ZPE!hz%fWgwk19_|Rd zJMUlN1+FP)g);7trw=;0)9DCr7QzU{w=GkrNw1&+N5B$qy#2h(pL=>yJCI= z@IP$l%@{)S&-h9sPza6OsQAV)J8*4RcMlnTBzfU?J|<6rP+qTLlu8LZe)LS?iRh!P z7O=YeJl)v9{+jdzTJp{5ocYXA4#>fPSnl&*ISRLu6KTcBchXF8Yiz!dK_$W{AS0PKa*4G=6S2dN?CT4s}u6i0WJe)P7t<-t_IkK z3t6A9vor!9oojBX3*0D#st!;zf$GvfB%^`Y>OGxvX))!F(>p%^pL^bPNAi~Fae<}Z z_2JN#6`S*KyHa1-8$Zx!jQ$9{TJPrM^zq>hL$%Ybn_li?3F!$k^71WM&y{t@wx}}A z(vd-SV7^eEs;az2PWS>;+`&kA@6TAlqBV76AAIG)IwPgzvkv6E1Z!K{Tj~?buGeE& zL#-|s5s=aYB@QG_cz!%2gBz*EYJ2jW@XgK5<-G=J4|vQ%S$S>TZ@aRM1z^L~m_9RA z+<~Pt?ufZZ!~bZjGVkFHV3Q72;7Ijohs6;9=Pi}*0ZYhFNr2->rn0wy z8fyDtyqC}=H4_JUrOM&K6^!At<^$yea8{<25&cmyo2^D1bsp4P*)HG+a}~2K&GC|5 z=H}Dexrih+Bmlm=*?yT2^pTK=3xiXcFpo|o7nqfJ%XhU9YfDM*J4`V9(ft^+tG|t7 zK~DT!1s>v`V}31+SiZG)Y7kGQsAsM-oj>x0xF`k*tTpK0;n(G7zs%Gj1Pd~;ya<5} z)FM|gr_*U8dk87AuX7KmS>BzL1!zfwR}zld!Q)NQccn3(Y_Ag40HAWbEb1@7XTzbs zKf1d;asR&4rwvHRnBC_3Z`V#D+B$y2AzAZ*v_lGLnD3=g=sRxzfIlY9Q$_Icv43c= z>;|1=kE=YU1HoMjcktxXh7RFyi(81{i;D-8e83q&&t?#9s(tRV&k4rQYNsH$B(3K+N=LTWt9OG>(PLGIb^#!8olgJ9J2 z=EgzZ^vQDuw`ElChId?~0MN#(S&%(e>LFoN@3;J%bAD5PTL8dguBx=$+RDmK4ekEx zhA|3t<^$Wd=HfTWk`Do(1McEx_n6MJP&H?^D!UP@S#ifI0Yy) zD4*~D6mj514S9KayQQ&TZpOHOWDdX?o{&RW1+gG~Gm}al?zKgvQwLA~?- zv|}S*4H_B_{z2lKoRu{JiW3x1uu+yFH-D>SRblaA5d@ zxlkzdSG?N$=cDm&Zw1Ob&_YqI!;lF8bihwPx{W`X7&`DO^4ahiIa+rP2TS|f7TM+$ zCF3RJ0aWr~PoQ@qgZo<$YJi`u@}Sn?BLT(=9fQ3kNa4Z&OG5b^gUpAQyXL5h4(JWQ zf)QA7_=whkMulo+hlGn)zd!>zv<^BV=#6t=kQWaT5O5a1tDbxdQWl;WOb}~;`y$jD zq^sfpbzMz-ho8pmw(sqXKr+1eGJXM(BpfL5)}VL{v^(ExFK{IW<^}>~QUaf+-Q%I> z_7O01pbXx^`>xt1o8Ubgb_DOix8Q#kgG=x4E$doXT3#~-QIk!Z%2Q8xTpgef zK40>);svnFbN7+@Y9orT3n&zEWtnD?q!a@H6_D6m+&wI4@w=dZBsUR`uz1(~E%%^o z1h!1N;ft(|LT%Cx*U6t;?+!JB5I6;<9bFv}+0Tcw~rr4%m=qZK@S5yi*2ezGsre8R|& zoT3fdJId!UAFK-yxfU+7evpziz2}(hE9PC&J|fGB?hR#>Pc+az{2?4x4d1fz_Tdfa zQEAa>#bRO89p8grP?7;JHyeZ28bwk7u~APz4$S){N%}#3?<3rl&j*3Ts%C^+iSC)jk9L|C}pp7 zXzjkQ~X;^~AcD&4WzeFP; zKECmWj|$_#vlZ~&`_qRw7FKt+z3q1^0R#A1EFlOj=mw%7(*bk1$pQVEe0;sJmwDYe z1O)|e-O{7!NVzCs04)xMtm!(JUO+b3J&yJfcEYOx;cIGOFDY}752|B(1^)FE#z_HU1uTTO@KYoOiBC;L}sUAT+a-isf zDppI-DYcxB~C{5o%96S$18`;0b+n{T{#Jqd0@-Da<>8ah_ z-A#`w1*Qu2igU*)Km>&)Ez=rwJ{;#EEFvJl+|)V_-4c_NlU1Bbi~jEvn7|c#~!p}vd!GS!we&V-QT(EeitU5=pcKjMiJ0{_x0=7+5Xb?*f->~ zwAHqw_c^5qyN4UX;7ja^r10DbD+|la(iWk0tmjL=`%F8W21ZK!>kRCz!qY_RM+?ZH zxg{+vtz2Hl(v+O7bq48i6{2Q^~{YX86PP)Tc`jdJjn%HZJQDvpbQebMeb?QPg+ zW`Jv%r7JR#!c#D?l@O=hJOVd`R-3+#9tH|?cxEN~dW?R-20RA>&%YQ%hMn|Het5%k zxrqm+U%vTFLXiuuxZOio+s^>AK8ry|z%D$gGAJ8NPkh$kQmACZ#Pa$arr(e=#IB5m zIs7G4fY;6_?L31-SVao?eS`K9`E9Eup~XgyKaZy*ABA@Sh(e%21FWu#dWwR}!q691 zcZ*`Bf=3>(r4Bx-^XSpQZ3)%P$Pp{%a@<1)=<9?g&Dlb6g@$K(yti&G0#?NsI2#xu z<;dsa*@&mR{f1Hu#J7qilR_q9-@NIOH78e(QSF02CbfvbBQ~;qq(W-(=lbz~M<@j< zx%Y_S<0Pl>u#+_lU;}97&ApDJ1J{L;^1ZIkxk^Sg^R`nAzMD0KMyRi8;eBImt|0_o zb2LbP$Vb+ZfF%9p4|Z+(He)}9-tS-A+z^J01?`=Ke5dRm==NQP)qw)zTxE2?h)Pmp zze5dyH2_&?qJel++K;ug>LWhK#}?b?s-E^8nq6Fk-rZPR1gIzHfb|n+GjpV}AI2sm zSgK0~mBf+p3JQ8a^FdVPFBP30m1{&b(63su%$}bxn`zmohl@D;4KhwOc#do(bp9WV zxb^IPwl9PC6dm9J9b&n9c)to0X%%=!!V`QW7Yx`+T@v#I8k(M8j{&!!8jJvp3J$@x zbC{fh0`?$pUPqWXYVwLN#|Iwhp~Y-&Z)2XJ`gG&J_wX?P=T?M8ZOnc$f^JbHh zrLXM0R_9Dbw<^-BMqPxque?_I|1JepS$bvtM1zarxX=(rK-tl2lSVJ`^e*qsz0aQ>$)b z9WuJHnee25EtRp*FqhDotcXk;v@pw2Kog4z*D2rRAK97k4kjLopm;{D)iD``8@fU+ z3pwi|J^O2`nx(8`>FM$!d%xo*T9|_gy-KY0)y;0GPaNMzZN08_Sa9bnUsHDN{qnn* z1KyWG5d?ktzQ@a>mdM^75o?`Z&4X{VA2RH-@#V@?W2@~ah-96o8#5r*?=zh&185@;fSoitd!-kFdgZo3ca7NB} zWNC+(Qi$TE$}w_b^wS_hc5nE+VJCvOnl_*3=HamqHXgYr8TPvl|AG|_RgUxUq`&cn zj+a3c>}p=yo5t1yRh9pzy(|BRdVTxTX)n*}HJw5J?ts-VuO~-dTJ*E-p@k^|=cO zuT<}#prGN1we0`%fG7I90m5hjpPylE8rfrF!2d}OM>3cp>^E{QXSi6t>88oHxkql9J*NR{#$Oj( zo2yMyGJMSE((6?PCB-i?8=XF{!UCZa3}D5GOS|r?lnhqS7Bn(fJ~h%*#3GhC|1^$T zVO$CtezEM$McvEIi3jAao!#6~0+KW}HH3hGu&`P+y3-<{0HS#YXX0j0coouDV|eG%0#}W77>F zd1fxEX5-jhl@qoNwskA1n``$}B(=F=U=w-ViEunfrGv=A!j<(h&cGzB%0Eo`t8VS! znPpr3ji%iqO8N@>=y662GbB0b!kCGKxwLW`B#*<1-(H17Dlsmfxp>aVQz(9vLNVI3 z8OlfZ?IXngBah_UwiT(OEQ$k72VDK5mpu3&`^o;=SwzRv$i`gDHiJqJA=OTOU!>Te zgyKH5G#p?Yj(qe4 z?cvX!283Q!0#o?tE4EzM=p}zk(Cw_N3!i%Y6SYn0a1x2Sac=?{@|pSQvs725_FWiR zeTo_3it;z!i2G8K6nyT0w2I(eOi}7&U@gshlY%9kPRHOy)x)jF#V=C$`r78#Sb6DS z&_Pp$`+>$UW#tmRZJ zbE-$mxZ#Ue{o3Lgd;coV-syJXZbdz9P+306pMb$%Gvo9cw4|8y2^e$g^shQ_xNF=) zCk&~3_HWTFvdS9bC^F1n_`8n|S+AYf7+>tmtqP$pb|pbyW|a&FrWfZYh^^Ak{Pccx z$YIUs;3%uVHb$~zgN7q%iC#-!t?d148$;Q#UvW`$3m>AmJUZu$CHu11StNb5*pRW- zhHWPoBc%QAoJ7xDF!HqULkpYM+vR?>uN?Fe3!MzD9|8?Id;dA2mH_DDxK){;XX0yj z7e4_7g|-93YEkPP(_6<>esf^3s8JO2OF3w^Cg!p}x^qFqNcc?!A8SgpY|poY`~(XH z9f2F}${>$bUV7SZe5%iP)hvS;Gy!J?*;CwfgJKUv4yU%R~8yC$XRQam!~Ijos9Dm z2xTtMYP+cF8lfM(jFI_D*TI37)nX$In)Psig^OBSiWLxznD9{X;$#9XH?kL|f^wrO ztE*8V-}`2wOggv+ttsGG+KrYn_4Te>=VS+cP_~yZpB2j7q6sQ*ei_vr=Z(~yXk=6H ztqWS_m!-_nW*GoH{B;eI^Hicz#1Dvmg(yDGF?dQM=zy&hXRA~D6~)TJsfUj( zPJ^9RnHgerHL|ZeIzp)>2=J;#a|1b)%mY4TM#cBMQoa0v>EfcIBkj^~a+5B&oDjKv zk5MU9>O0=v)^;YJMLs*NGUdv^5+AC)*EDa6V z3ou}MZS>B}2f=`-Gx`VPT~veIj_rui7o`i4PR4j} z9PV20n;CUBjF#oy=vmAzt67I(GhwjPMYTavcsOQ9m``JAvPV|qyc?MJymK@(La%YT z(ck$W@P!*A$r${ufr)NUWq}4@D@BqnD7pz5NxRT=no~O(NtIXogZjol7H4N?!vTlt zl9{O~TW0c!iJXoQmz=X* zRN`37wKLZi_i=MvqI>qXH!V3u%!|g4t}7@11cpOb?5(Hr_Sj~%iwfxO>^Slry9hKMf&ss0j|9QBaU(M=n! zCtC1l&I3+qN_%E^ymVrd!Nq~9$Gws;b+mW#V}%u2g3Ygg(lqAN*yvKjx%oSBet zw{W_dn@7L2Yak|dVHlt9MvdncUPWKs={#~qH^u4liK#S#%!xuqDP!y}lE{?a$IF*4 zT}lvz)Sg#${zls4+qgy$K{@Z|h4XM{b8g zy%jFPmh59ftv$^S0_s|Iz7@dEz0IhB-NnyE+r?=}sp;c)tr)lZ`w$ zLK>=$2!q7-l*;hcSt*uWm_~g>n4{w;3<4hQ?||+21P8PPY-2(s6ATx}19jF0Es3o> ztgT>YE#cpCJt8qaNufys@)t4qZlzN`du2h56mAp~)?+}Ebh%8&W9!91ZwGg%?SeD*I(m+)do2-FkHTQWBLWu~+%h)%vn>mgza{kL;)o=(5@J(*$)zxzD zqW9f4+18*a3Tc-gYtGqze9)7~pV^fJcpoa~L{(+~?wNG8ipBYQxHnx^H} zgYn^zb+IB>U@weua2;gGJT_aQ$8P61Tn_Ao&Qyq~@D~%fhzzwyN3OZ;rh=_4z;fz3$-njyrj>Y{;Ux4-tL!#-9Ws3P` zPYo*nISJd-)pzzS7C`P|Edg@Y23J{P?C*34iZlu)Au8h7OMtGXt^aN`*i>;WZPQ2? zAdSXhjpaWoY%JRl_%HB1$~;rWYdCVO(aU%)GcIoHE$(sk@j7=1g-H=F7rh|^*9|0q zSY2I{`Z_X%H_85sYP7;(`1{Gvc_(W;)g3}3sScQ8DjPTLD zsqh^Nt;=OQTPV1Y#p$YH(Y5M0vF*+QQsqUzPc)`Hb!ybc_;T4&MAI|Q*NG;t%?RO` znJ(K``xWs4v7Pd1HG=5|lqh=&`y_W1O{U;?l1(N)mYE5NIP8n9!#a>jS*_9)4S`zcT~;i4OZzb*HySWm*dZGC2Uj01lGmwZP|0G4Qw zl1U@lGg5!0=yE?N}a1m;{DMW_7-Zv-&#z55N zej~P{7RIcXMqK*deWb|gA9><{UVh4v_Uc-0_oK@N!LE;o&wD*J$N-7Tsj>awDFb4K z1B2k}8$lKJQk&D@<@6~MH@-z2P2}|I_CwN@kYCx$WogYfzJ5fFmP{i-ik#DU~RRvuLY zfXX#cwH%cQT1gbfZ&A2&dOz34AsoEG@RyS6KvpX+yLldTGl>@*p-lNLqdW&xepGwW z*!|OxH2Ab(-V(so!FaM=rn`T)R~4>441~*lP-?>pSxSaL`pT+eic!g_;^@Vc04{Be zXhQFR#))+;lllqbx+&>FPn^n}ghkDvu4rJ|Xi~-4(&$et5Ie`Dc)PQBJ7Ast@s2{; zWV^$Fu-8ttOVghJ1x3|D=r-XL2F1Wz6O^CKS37%B^WCiC(;3FxD*(h@@E_z>jMcr= z_%ss=#zMK>30#)uUSyaX3TgN1p|hUf(4HWkY=MuuM)2&XS0tC{8i+^%Og_Uyx&pjz z1=GammTA|nsiwKtz-d*iP)@8{is*7!QqpQnFH%lUPAp8C zuLVF$42_@#oWS+#)9*q4{JOXI0W~hpNBEpYfnFybyJ}WDDC?K9qJ-oxKS7Y^vs74t z^HCtEfm1aEpkjZ{<-D(R6UnWQa)|4~m9?PN-Mar70A)px52`a+w!R z$icCV!)3xd1=D~r8b6nKYkg_b~qn3F8|Q+;@|1OF_f&|ee}I@Lmje@BwF8j&f}5CNw%%xAs!*?qX{uCC;cp4 z0V-=jvvK4k)=^EAeo)pFB14XvF@GZRnyAv@JwJXSe-;jfrcwJ|vhP!V2fZGpf<4`* ziCXY&xJPhR(hESCgK{p8jJf!q4!vTHyh=P!p0jCU5Gt`Lv?X{akxkKlmCh+rQPJlq z6i8`!C*iB{PZK@+!>4Ev~5zZ{^+c8Tzk4Xa;6z-$g= z1cyulatahq59jVqZCrS?Q9cbx((l#!KqM1b0k_O+XGi23D?&@u>&-WcO{0@0TN z!SV?x9YFu`2a?#x(S3PGyeks$<*aNI&cssYXWX@Lv$ z-wH_v)3L$1_08;K?Zaoo1Kzn>jQ`Qs+uv_P8MV^f3-aOg1LDBsFk3z44~`=Zd3M%E zQW@R^q-_c!yfCtvCBW?Pn4=ri2T|{JB~BlFE@W)HP+hrXTVAigiqvRKaZ}DZ!DFpQ z1V0?#?2_8JnCF+Y*iOvvD4ibj%dW2YqB@<9K7A72AprzXX$ZHw(F&!e+bH>c^v^E4 z`mUCAJbK?+;>O=vDRHGdM8rm#1Yef9n)6lgkIwRPa$xq|Ip$AS_m7(2k9P7imxRSihVI{y8{ zi8q7N``VjUphx>IaZbr}AZ%({<+VS0o)3C~rION3VH>0y+=Fy}Lm5SMhilGN5}XA1 z)YOE0QndVG@SlUcuZHlOq{@@(fO$vTP@?R>V-nwO=Eur{pftmmqOkjm4 z{U=T+p;_OB)46~MVY1@^pKS~(*%(XecnLEFue#_+Oa(zjuPWmjT0U?ls@a4tTN|Lb z(rR>tw1Eh=DKZNBD;3^BRZ-D99cauj22m&n`THv!++qEG2t1G<&_$J%`^mFzImj)V z|Y1bo0@^h_FHj~P)pd-Sz*u5FPOyuSo;IxKWlsRTio4Z-+PkmR1d zDb1TI{a?~<=wtI^uStGgSOrzB+aDf-8a?PVLkg*LC(zt6N53qDDo&n4eVtDTH@xXs z-OvDMc+&6;7=)gxpVIM~TEHE3$8e~| z@1re>!h9R5fiSYvY!xTn9)EBZ^8?YG=W~?tgw!N-6_ETOv>3ID@VEjuGH|JT_*dS> zbb=`JbK+R_J6B?b2&5VSr|4b*wM8Hb)%=@?ZVLGP1OYK%GZhz3?>iPBLY)qT#X?8= zu)n=nHq}`R>O+5H9KRh}pEH)hn}JU|ogHlYrvs}7&gwi;0F6#g3U4uq1gp**BXlbz zjiGc?yc=18-Lkgh0or^FIo*^CdA`(Mg|(QYe?A1$3L+YXqx$Hs+>fT9e+dkH@)-8z z={2Pv9)b^^a63gD4sFZmcflxH^A$;5aCWkEmF=3P&z`;WRF4Khj4!lt-il^Op3S|6r;F@1ntUmbPGuf1_U11M{-7>wdU%%`WWV-1ec_33O zY_3ydx#L1OOQqe20rD`gHsaQ92U-1kyW#imTQx!w(4Y@rJ1EMZz{r5Rx$0-nOiTJ) z&hkLm?~eg7$8>fDLWT>h2)x(m{6zo#!fDV@TmVW;kY~{xig!3WYy&0I{(ewnRor

z*xNuoR4|J1s3G&C1Af_q_pp3$O;A>?kALbPZ>at7I~6YA&8#v;^c#Tx}+H}=+xxu;+te}j+ zTpZyJIXzGw9|GiDv%Us%R3PtoX82{e4TLw{ZG1+$ck=E$5s2e)QG^BF@*ofE5+a~d(jp}(21=(W4brG|w{Qze7<7Xopi%;dhEiEym zbV&|9|253O^SmGS{_XvB?{|Ja_oHxKXRLF@v5vLQd99>y|I`VZ69@$2l=OqUDhR~M zLImO%>G7lR6S-;+Huygh>jxTk2!ys2_J2nx!tO{S5DW>#mZt zKtk}Ghu7`2vtDHhcjcAAlj>)lhV=gNzIM#8vNwVyH`&FvJb622?#YVcqel)N;=hwh zJZrN22S(mjEe1}ytS+ERF2MTsKN-bVoFxbUK(P8Ikskabn1S^e{_nT09&b4K@vq}P zya#{h^ZDP$|5q~qs|5dR9{+#x1V50GI*3lGm{g63GWSj1#$1lZWl_Zr`|f5*^1I5N z7Wtz>d%HuJUDkk)tS5Yue!3o6Fe|M{G2i0GEOSeTeAmoeDi@sHTiO#CL=Splc6mt0 zgt*clY%lnIiWm=A>l$2c(Sfp(|Jrh!=H$HD9{NM@tXl7@3VT#k#2 z&e9pLW}5IpI`Mz zo@wiazUxov;uTB>3{8rRar^wm=flgV8N#^h=`~GU8|uR_wdM-*^l>7{o(j>fZ|{a^ z{Yw!zwlO?>OB+8=`|*ZfO6PBHa;?ym30%Nl{j>fIs zy>?>G=BuRD$;rvE>ABn9#WEqE`sdXJuH3lxW~@q|+;1fJc?gBI6U8Krg0-EYzaFOYYT_zVvZC-uytM%r#2yF^cq-rg;l7l`afp-e6ZpSv+R zIVl}7@Vr!q%Fnl|l93rV^aV*JKPe$`@xh^?impfk$zPU8_>2j8{vISUj}doUf5u0H zDp>UC=B*4~=zhRVS`88@DY1$@Bw;ms%%iKDKw zDJ?1Kw?tBkZC{n|2n`L@il--*!(KI8C?nU$@*>NICYgbnb(sQ`&lHF7C3+JZ^E=DcHndZbROb!q0 z7kQinHQTX?R!Fn6w^v&x5meGZSvm>Pw%D1H6WqUlA2ctA@O;C{&YwSjHa47FI9++D zIFS0d5!L;YNYl;tT29P6Zcj~p7ETs>^Y-ob?w+WBoiYV%ufE|{b+d%NrG}1?3AIyX z^o^m8*|j%s-dxZ=gBu`SQOWPTy}Ns9MTOVca|5c=M7}2!R{vdb_ww>es5aD~HY*fu zMHUpa^OY^Ne0_P8n@KviqC%n-`D@yq$XAkt38#qPeh?Tx=C^C1pI&n%CMJIPCW=wI zecsV3?k6Mrv0#2v8Rp|YRr+wejbCOgLB-+7f|2!jSZ1vVM;7MtM$?x;NK7nK|7vvl zMBL{q?8i>=!HaLkIyyQu=g7=s7Ut##qE3f})S5lN5~XMlnA(M=`*oP){*AV`0EY<4}U~Df2KcSH&%+fsysj{PX9}nWR;$t1Uhm z)lSqmz_x^L`i1k+<*L8CMD3LL73E!|5wpIFh5QJF($VC|&q&XTp|~))r{$+lh=_>P z>^gYI6z5bo=<_^I>3l$OFD)&NP_XHS6B%w2W|9UaL-QCqI=Tx3-=18H&H-5sbBH$P zS|YVfq;HX|qtPder88$}KMK7e_LZzU1^$(fCR`o=x`XNJS%>h+&DvV22;)4RwWCeoFojMBOJ`43?Wt=b~u;#^a-=Lo81d$J#W2|tZnLtt_;se=P} z`*$HlIV6&(d&+7%r!KrTJ2I2vT=@$YJ`yIE-UVVKoUd9I74*iR_RU@Hn$V|7F}WQ5 zy}i--G=3w!y}gUOgNxxBDw}(M$uNK0lJ850XqRkdW8lxa6=t2qYnf&I0-Nn)p3VrNAHvyz`~9#d;W>t|4O52v9@5>njCvRYbNc}K5gs?W~N zal9E@{;KhHl)lD7(eMTHzq!v04GqS(-ycX~=Ffh=zQKNipY|Q7DT=LdzWk7xIGY=1s?imeK$s}A0MuD`Y#W7u?((jjWK+yYw3@y zhRVy_x7$Klm?#-U3HINv^f=z2bc1l-2pp_F4=XaxOK_(vdvA+H0-j9PUA$jb)}8?P zptiO)qpNnpKdC$5+-2iET}(%;pq}SaO{AXtW=VE=aq-s1(%9Ps(apgQMVXV$tJ}NP z)zwcUBf{x%x|_tc?+7l0Fh+-mKo|l)IAFVndMmN}jF(BZoHYRE&*<{3(0jsJSV zxQuXU3lql|72^U*J_xL`BlOrSCe9vMY)f= zhlQS`-J5w7>$O_9vS?*BSi0FLfeEDd+UouDEcM=TpCtXdbEj}3OY%-4&3|vK5yIHR zMJV|V`DidMS#~U}DTC`I)5&TjRqDsogx4TaoV(Zd@noT0a)yml^gUB!;dli})o2Yb z4&151q4f#fycwPUJy3o+xbwxe-}Ceh{?;#dnvx# z$X&jH6~&jpxAYQwZ!zN%Ug)v6*@GB#Ya)iejs-*&UA%{s!1SUM#C6odGu0C&XJ={v@deve*JW6;SH>K&;*@>bWodWl|u=>%edUf$?X5 zjj|(vnL$%&YJ)F$ZtrY%t}S}*EM-ezekJQ?rBf3pB0&(_)r**63z><~ zG)2rpWW{4GE%vk^7m6LZ?~lD_*f+#sc*!_v%Vam< z!j6SR*pSCs$rtt^x2;w6L>_+sh53G@YJDv6Bl1(C5)yh-$v7AG`Klzfg?_gIAfZ5U z0n2<%(B?Jlnww(sSdgO z54etNdribFGVKy7}cB;ne#znU*vFX)tUt)h_BzI#rag=J+_aq<0 zz@6!x-bAqtQ*qrL%c8O}4|jL>d6f`Grkw%&Bxf!ee=hckKrl7w&}{qGy{+Rk5_j2J z?McL>j$Vtt&Uqo}jmfUxn+_``N;~3;?V0p1>`c$12$iWs=x`&bLR6SBakxd|lk`0a zeBM?IG5rpT+e^7`Y=JxABP0fE#ci@m#u^biZe>mL3*y*=T%PY7D6V<^ajH))h)xqX zkX)Ox-&gjjY$aQ!H5Hyni*8nS{b`eVXUHcE>ca=B7R$FRL_aRH-&afsTba`EI%7ik z7WbwZha~k^OZBgJlu{p4`Q=44U3p=__Q0X@N!|ALWJP@Oa(#zlgUf2hrB+9reOFRo zU+BILdcgEZg_}^48gwbf;!@aVnxGZdI{t)XPx<+3d&V1)0ukISsc_B?d2eo>lsb7` zfSrA1dA!l~?Jpce1(M0og$Og9+Y=ZkCi_Ozkn=sGwu6ay^*70w-SW|qI=()Z=-(Mf-g>KZ#$jszS z$729ipfcHIBaT1*jIE408ybGjmAQ9pHYB8e#a;c~R5h6d2NF+ae^r2y z*^fJ#v8n2Jlhq9{ea_XWdc)BuW67o(3E1SX)eAEQ-0oCCV#N%{P4XWLNl0)bBl=i{ z1iJN(e9gGhR++vpe2Y{g&6i#$3Gj49)D>{gO%^^MlbblWbxWi2KP8i@X;fL6nYUHC zrWk2vc0=G=FP_JtYVY*&GDxgUVq;^gNB+*NiMHNPRxUwtm3{mgd;T)eLdSh*f9AHh|fy9i}NpO-X2-`^kT#)X@Re{Bj?;?$UR#IhhK$L9IQ)#E-^ z<(sK-G@cu~^aGh6euQB)`DMZ5-$O$Z;^O6w)2pj$$LKy6ax?;*$<~>%7Y=;Nwt__= zU1^D&qoJ6@xwR|ejsTW-``+*x?>XS+Ns__>PkpXD%@2QEJm=L?nJ)%Q_2`oMfCYW! zCavZn&DNm_mU2npo+_&F*y|_sSca5__vu2&fux^84nv-sQCTRrpGnnD{iFP`LHywQO{4YOsSBw+O} zk*_yl2g{-rSVYJ}+Q^A_kbU4F6;8wuKw_`q8%^^Bn22tbv<{nRq-$phB(r;B^ZOuk z=Sa24<>*kryQ-4?x{z@X0{JaJpFchPHf^1$sp)ux>UrsqXV0HEYkKT%{7_rHy`k0WohzNTg9uLesxKC{{4N23mzO$E?gnS3@tVRUn@V~S_ z^vp`v-$Fr#Ga!}DAd)MyEIQQNd#zAX1aHw0Htui|N?Kc6^E`DB^)^>O<`-_`?yk+_ zz!dP&hyIMx)p!MP6B>{h3mE(v=&yt|d7+GHD$eIX61_C^PWR`oR?f=1=t;)p{+aC(VNCLR-xnO_w&F$P%%_%es{)1G#6 zbPNbwv==VZ%?5VMcpA7D4bZACAQ5*xZ?1`Eh_=EbmZV#82?<$E|6IeZ23V!)fL9-< zR#(4oB=E_DJ_q{qJ(LG>%2C}cv*Fn_eFYe>W13>f&e_@7urkY{);9%?bm_To)h#qW zH(iiY^6NTNw-jvfUbIzEKwzfb%)s5m-O%)qhcH@>>HemEXpEV*l%RiRPqPH(zyeODJ-P$2T{8)PBt`v|v zeSLjHL)o@Zqd6KK9UUjGsT?31H{f);g7UyxDTX2#>%kQHwHkqKf^Y##ABzWSc64;K z*6PCJhjv8wfl_7f*EG@Y4<3uqRKce_qW|Da9e@AU-U*zTP6ArKs!Hsghr=FkNstXOg8T(O zEn!W-W`*HP;AFS&Q>$wvOaha)!lED1uEV@fg5O-Zo~h1`Cu1o!D3l~toZ4w-?S&x< z+0b(5el~}g4;7Xbt41J@6B5)v5#qTvcAyoyfN~<^7@gHV=mj7no2-yH?z6OMLvimU z`&Z!e%=m;Gk#ao0A$5Ow!Ac!^126*$yV8O=B=*j?fz@ z7SIb^4^5qRE-86<@5;l z-}e)>#&?ap38h2+z}a?9bDblQEJ0m(k8=`9az4Dj8dlu-Xx6rOIT|A#`W`b(qSc6q zkBfsC%tS;`%`?#74?04`iF-kbSCV?e$vh?@E-pwanYZ5-QJ*x-T!^;Z zdFctTOzS^wu2?%cJ?g;Qe#AW`qOA9f^&30Rl42%446nu>ixWLAwvo*Q@zxl_G^GPe z7nU~hW-cK~%^HHmDBODGavglqA=~b1RDQ}7fT*REKgAwZk{k#es-h4#yiRIX{`lOm4zweAXv68JlkJqKD|6R9U~=^(GEslunq0k!dTq3U3_u zVGRHj49Um%Q{3#IA>Y9L4S}E;(Q3p)OZZX4|8|!Azi*yZ#pG{O<=`g}AxkQrrmgSMUx z#Obnk3S_w!B-K0t9~+U796f$={T51o;j$#T+`T2-)Jag9O|o@#a^lugbnrzKhSz7Q z9fSc;hHxMc{xUS-QM&gv*wjq}DnA3~&F)pEVaxyVi+iDyy{X(soD3K6kVNiG*bBBk z6e`~R>DF0mE%TU|5`5kaSzZz(Tf815g>Ow;6LiW2oN(m}L@oU0qnzH+h3Ww&+zO%k zM8wtrv$eGIHRsMPXBNrge!;`cdhEP0jBGlAPoyjJ;q7AP)`Cz*4c*JPnxhWp>p2_t zVkRc8JZ!RPTDDU3aM>Ez=drWt+b*cc-p5--6n5hREr{zo#9V!oi^0f{L`7@NoFmh&GhWB(UXGo&zx zb(h*dE&naJnW|N$q~B2J=hBP)Z(+E?K&<))2i0^(iD<^)tHe+6C!jlDYY&Eq@`t>_ z4@AasC}Ic+NdnBKU*v){j>J5(xbu5pK>Ki;#<0zcsybJgFFruXn;Z@=4a5J06Z~5L zTbtsZ0Tov^K9+sv1EHP+pWteH9pw?zylCs-73>U2E!@UcOO2)94c`?D28TC zOnI1b@3O@Qg@8%+X$7^bha$QJTFNQk{J2fc&jmuBXzQZgu`YwdVPC*H+dEg8f^S9D zbykEj9EbRxws6hz<{byQ7M&B-zYcb^uM1s&R#W)o<@G*3jxd%Ek<$fu{b+J6E-o(Y z(K#o6ekbXJ^eHM7#tomA9cbtxXaa0R<)?~ymo;JjIqAy~I{gI;&MvTNztW>rZX0&h z8{vQt$YzUTa{gL<*-D+@x~Kg8=M&sxNm8J6wQ_n-6skvfT371XBR8V}sVFp249KM% znv)aw1O5wjOMkRFBBP9Rk4UF?L6Z*@z02d>#RR%M{bUX;cL8f+&n*4~yuPW;4k9VWxSNDFC{GzKGxHkz$AR zS1Dya^4c`VgD&Jwh<0|SgZBaqq0DPmv#07cdG-%JU7w#GCowkQ_ zW66dC*3CwKYcC9}&r&{Af#+hb=mk{nQ^W$G)3vp=MkG}6f1F}+Tb)uiZ!PXh6|2JPwbEVd_X$B;!uMTg3f z3bgilxl;zwajmxv<@tSq{O_0^*m(G8G1@}5I#+H_msm0>84pJXs*;@+2RTcKhL6zF z(=RSA>Xq+K#9Co}wOH`-R9kXA5~AZo!~&#fU)b#|`!pglv$GX-q4xu1=CtvHhg7e^ zQ>^ul#%BoXi@C|rZ$(W?)R;+(Q`MQNe!x@CRIpxNR%qjyFsJ`<1)6Rg9oHG?`OjBH z52=YjItq1H!B$E?gWr}&mNX}*M=(m$);XpBLwudz$sE+|bq#K~TOQP91nfUnnV999 zWdp{9NULvFK(Kb2Y3TZWis{Bd2%!5Xi8SL)eFDAeE{j>%f!KN@k7C94a4fN-U4DJz zJw9*t76Iqlb^W|wl&D6Uaw<(Ffuwc+O>I^5q{~8L$5|%nL!T@93S0FVuDYvC;WuK; z{vNv41_bD;PC#*=t@CW1O$Z}$>m7Q?%WI~gzW%kBLgRnlgrde{IJ9l(>H($YVma>$&@c=DLXq?*&*YZH_37vVYFM?jnGHx)2+AzH4fP(=lW3#;`M4?0$J z<<%Mw{7@l1cIdHb*+?rEmV#ddfPZ+^mWJsQFpBF7lgLbwGRnU;G)d{aEKlvoO|DtW zC7(>MB$fMM$Z5jEAAdcSB$wQr;>J|%**3;Jv$OTm0@N27#^u|%I4sUEQn6llAii<3 z$eVTGWYBkByX#2;s!>w>W+e^RG2UBTE&Npt7no!}p7s(Y^BHzK-MYEVWNuMSHYgZC z^!+CB^z$=D2Yxl~T@q>(Nz0W3W zi$dq>+vd0BJR)%>I{Z(In8z01G>x~aI#*KK8M@f?;cz>uEUd>2Sz$9`+Io75 zSr=OVU9pRtn4DBBe-4k=?!MBEr#|#|o!~H>XLjXvG7RSO`{z9pm&?C(O0NpA25@q7 zCpNUK_H0Ls5B1^AO^8U6no6-uRr5Q7+O5^AJgr@UIihtEZEP8X6^>};uFK_vq4mkZ zQHYMOY!2?7OXUtmdT{C{Bu3ibZmqNA3#aD$ACEnQyn@9U$^~NbQOS7#vUgFeJ9pkHv&OMfPuRb;pf18YNof zYjQ=F_z!uYr1Cal9WcJm2R(U7% ze;-EZV@#m)t*cB_=gX7}w7DYdjY851aj(>3?M0#^QlD{d+qI>+ndvd!VFxk6GQCo{ zs~#MB2_ktVBIeuTiHlkCdOjnECPx~RL@GxBL;QOP`Ah+iGyf>3=7RUX!LgP39|k4{ zNTTl^ul|O1a)MWWXJltP^&I}v8-Do-AhMr2#l5m6{zKKcr7K^I7!CsAs(b-$*3oGm zwxj_Ro-Cc&J-WntBRVnH zuxDbg3ms;=+uK#zA6h3hH#fVBC)%Gk%|w?(H;&VZyGK34XL~$ZfH_HWt+v{Y93R3q zq$6)h06QohY2AHjWH$^~&&s{?=!l$I+xqe2w$B>l(h7m6~)EE^^(ytDZDSPdir%UzWu4Gr?;4OBU+9*R5}Zf(5dXCxT}n&KcgJ1UN5R5dMQh1u+F&#;gD*E5_$R5^@+#;;u_lM+t4$mPC~kNFRc@ zmMD1t<6!OiRBlNXuvMq$htBs1Jb!oFGeppXq(!$(_wC2eZf5`Um+;Q$q3rU&L7jsX z^MN{ql!L<_eg;bL52UDP4>gSOHY~5RT$vk$5Bmu{%#$8K{FTcZWWKPyrG+?lh}rj_ zkDQi$_sXN_J9uuE1ErRO@EE1NO;oC>bo@9-D@!6hH+c;H{EQ?z?we| z)P<}8#Z^h};`9Vn`A>U7ILt;lxwvWr7dAdfCBJ{nZ~A0tASL}#HuK@)Xkc+>ORFiC zjz$oCN_}}78ylBCI!&mN6GY3Us(cCZ5RAW^Q(UZ>-nAY-=XnMC*W1i~UQf;WkDwq~ zVb&2(Onf&j3%}LOtepkKwy-Jm(Pp+g6Exk%W4<~WSozttmoHx~n4Sr|dUZ+eqixa7 z-;wHnPS6S+90G%6Hlq&W-M7JiAN-Z@s-b6DbM-JWVWx9A=VxFw7RN&>C@5%Gq>VmG z^hrHEym1_crfj(wlbHCHve{$>SXINDzF*qR4i$_96!sr@&aVFTN7l$jW8P>>u_f&& zle}pChrZVHeff?hmnv$*!^1t|4S(=}cYYsE{n=8+WN08g3xejiZ{*pr%@a*ca_txk z1yx!}w~>LA9z8FyFJE=NcGo8B^l^q!Nd*w=pZSZo>}p5p7u_Z+zzWt=Ol#{QtV*s} z7HdRXe)8*3;fmZ&GkO9pJT{z~1tr%6VR6(-TjeFBKE=f`oq71`SuYIs`T`p1JhGbN z+s=5EEwr8@u;%_-y0z0fuDWsIML)hn>oqZR}focc*{r3jOCTAKqK!rDj|0{}3DdFtA<-1V8gATQ@xXW`b>z z_7}BJMo-G@B9C4&#%-D5vJWqhc9u@b1@wrJEby`r{FGSjV;eeW*9I3TeM1|^*}@yB zMcZ=5ZHxAO@m2GGukr$r(B?`U?{Mg`k(mfOc|5_Rqji}Yw@Llq;3TZS^vp_Z_qLX! z%NFCuL-#flF)ri;6&p3&dvmROa~z3ixN|ZDy}Iv+jj0|%m*0NZZC>IoR6-W8S5Hc2 zEB4^eA_o5Kv|{GOZkko>tz}p2u4^4Iwajrzq@?i`yZsfr=@nb)H$2;+(F5Z=pWm}L zLcce{k+_Pk!0cvw?at=8OHHknEqW{lVVa$Gd%SjgUY?}n(k`?%Y2DZ!!t6CAoWzO4 zubW+(60ZyhgsG$w-Y+A(U;l>&uDt8aKYbLjwI6jVlYnu2;aQH25cQ;%UbvU_|G-VV z>U7P_h{o|x>H125RWj8t4(u6Fd7@EHzWw;V6{?#)yp?}lm;XqY!b$l)J*5KuzWJIt zk7{S;|P+G2k8^eo0{L-NrMO0hS;`<(HyjP96(2h`e5oa2em(wJS{cUC?58K^-o` z1QjY{jfJ6#A-FOyzU;l8Xw+Fr4 z>Tpd2ypyx&FNXER$I297mte3Q7l?Db@_I`h=lfs@AC#zm?&0_Gn;iBb9T)!Ee}nW1 zMw<%~XAQRSnC1z1T@JuVGxY|wkK77Un`;=+Xs zL^(I{qKE)dD1+}75ER5V`m|2Mrm6hE6_IBuG2f-t2lN6TiM8hbc}G#k*-obeoB=q2 z=f@~(Ey%F_<=>;eQ2|{5yE3bu5oGGQv+%FuUnJn{;!Mz#EKV{{+0jSGvzsR z(3ONhMEzGGL5|?Sj1dUt|L+Vx()H;iVtspK?5&>LeEz3&p_9-WC0$Iw+(*Cn*B>r3 zu;|oKZ&uUq@ra1T+MmY>>>Ur_c`gV~A4jixp`E-U?MdW513363E2Ijo(~;bI3dMNS zeE=i)YX6R(B2iRd|)OJJ8rva zya?`t{2&{72l3OO&5ZAjP0x5^q+S7uJiv868US&CO?sbgmBn3mgtYjR>=a9Ay%BG; zHkZ@LkCzYt>W$vy)GseDFYUSF7GFt##Sai2O!8dj`V&Q6Y=5#RvqH#)z*DA3iFx2P zXDV?FT#Ad!&B#Xcxau|tXMnO=CqudZkV7B=>cfx={E(+-xe{w>X9W}%Jwj;wcDV7{ z6vrh={or@CKiS*1Q%@Wm^3~HXEse4UL_}iK_yN&WC01>?lor`|$}5NgTi62uzy~bC z*jNaveBd3`)zt%Pp0wxFN&_(>5DS|GS`Pwx<2VSirluwmm8SBg^w|s(>74_mWCq@n zagpjpI5Z<%)uqO)(%l2Ym6er+a9nqBF(hmsX2A>}VFs?q`>agh-oz7ICs$6MJPDhH zb!ujEadN_5!3kHW1sJQfTj5VT32RzZNh)9L0bIdGA|fF3`CeEkq3 zd6KBu$XMv#-=B<%As&c6l~c$23k4wLgFa{>&;Q|geb5VF30I^5TLL;%)RQUx+;N$` zdZm^dD~Ei|U_B_^f=={4W7fgnJPSGoN-hXq-P{}^le4`nSLDfR>$ngmSR_qjnA{h& zVuxAv6cyM$bOeDLhsYU-(`;`W2)<*?dy*c;#!R90KTT`7HQGJyL2uc#=7aW3Eo3cR z{DAvg+!h7~mlInBX-*xB!pVC059C`Je2@uY6%M$V#Z8;$2JKSk>(jR%$YFzW`dDO$ zxj^i;Zs+Le6LJE8_4QqN(Hf3ojafl;N7Z#FZ%Z8HnF4ZVLsfWHpe%c40T`~`;QkvH zEWhAy`068TCvdR{`(0(V z>>kK1capbPKu3KTK6hDw(3Du4nwuT!ZUlb@-Gor{DV>43=7|k-r%$sfSa^7V>HTv$s+t7_^`lz>RUVi?0f+~nYWW@{tkcYTq_B^gpQ?c2I zM2j1K`oYsQxzcRXQHU?+36a3@(nEH3+(%qY04OlPA->GCJf47?q36R+GR`WnVgk4O z$|XRE8(@i$I<*qQWsr!F7b6s2F57%TE@Q!h``36)A0Ftd^{~b<42=SL>s;9w?Ree)87V#V5@qm&f$+cq=6!7;Myf0(H9Z#R5 zR%Uij`5;uzp674r!Mz)9c}2aL^403zULi3YV&PH7hBGPXPuw(lp6O_1Y-P3h3JDiQ z=QA@s$_gT6JY0<(*C&4LY}&gf-NUIbY50CD^^PpaE87*6*jh48ba!11lgm~}TUqPt zQ}kRNE9n|n&Biqa>6=Ys7xQF6J#tY!-Gl2vii&FQv(g27Vd7vTXjOGe??S21u81Jz zpWudPhH@36lGVjPW};zkE@fI)wRcWUz)k6oF|rG)5Ksu*>%u9R?>Z!NnEdxV?{6tvu#X_;RbX($Un*M%c8c~9NQC5b*iM*hc_)Mq!+1$#<#iEhG50_>Sp){*<*e9BZ%5xWmLzdcSZwe_a()1 z6So*Ofs5RZ1xQ7k{y|i+BF!{_yJun93973OO z$9i4HX}6apF`?n#PgdRC#nG|!EiDP|clKxSHh@|kf`=xnsU@{z+PSRXqHKFz#H+7g zq~0&z4K41xxVvC5Ej4|24L2yM7{n^?_e-1c{irp|^tDj>-3?2JO{z>|Sl^Jxc6_V& z=6AP=i61{UO|Q}7rm)#3(Gk{ak*R4`TpVyTW7W_-gw!n4%G8aHFXQttXN!$*Fj4)| zd2$i;JRjTTQ{c4cU}(7LRq(NhPt3#4z;hUX&46)#S78I%QHm*hACc5@E+)v0VWlQ+PP#Y4M?MF_QX&uvs0|_!I0iZM!P8H#J6wMrfrHhhh zGG}{+iakA$U0bg6vtTN}xOl;U1Y&nb=E7kmrmC0sS5m2T2CEUz!CL(3O~=*}*Vji~ z0>+mxuYeA#OwKF5oS3e?=gMIsO~@ z2I(F}P;f}-O~x&+7lRe9TJA&K?yw{toZ+gzp`oc8Jaxi{AzVf$rraKE&t14| zF&BF{#XHS?nrR)q=wFI(RkVl)vx8G<#26$`2>qXP&#W+5Ij*m}DvJO9y)hT62<8OG zvRDuRwdlq2T?N`ym%*N=PvLmP!H$qwdi2h1xFz2i4u=?r7-n+MD_CFXU!0Szx9?g& zxuNHsiv2xQcyqupIsFzMe+Reybzz0H1XZXRTPqn8w%9UW z5jQ)7k@i)45lzIZ;&7K=e_d!z=QG)b(Fw4NSeX$4zPFyS*U)6a>j$KOIx4bgc{C0>; zig< zrTiJP%k^7MTM1q(%=ke?R%SFZVpz{uRlKv?$nVjHn<1%4CiAi3vmt! z#UMLyV}b#;*)eTjn$TcEX2H_YH7^JM+WU@l8s)`lieDtoOJO*O?WPEOO;Jy_3i&*~ zlnkE3XI-_x^dl+@rwih4@~QlfSarwgRmc%(+yT_#mYAB*tc=|;rXlv^iq|uVEyL|L zSm_-ks&{ZYt3&t~?rB4u-_njQJIf87AA(PxrsY4knydZHy#IUsQk*jfqe87gOe^lU zh<9)8D|176xT0}BoJw}zH;=dr?{>`gj5(xrxPWFU{C;GD>?+pMS)g+i>Bh|!#Ex@k zZ|S|lWKu@q$<5(1^vV#XihIbdqGP(WQyjWo^y*AqRfo6?)wKq<8Qrruc8cVtlxi>ihAfw2}cn#^w4aR0DS-cHvIxUJqPKaV&|iH-c*y18%9?7t-h>zah@0TrAXp0%`#+N+YN|Aq92?d`EGw%4U-5$e0nJX5F7Fu_2s(XS$~CAvBI* zLb3>PyZ^Rdx?%zt&K6!gZv;p+cMb8n(TEpvxGoF+<33PaW)0Xe9yXpY(8T)D(mlg% z<=h(Ff=R>P@bd72glhsRORhx&=LB^^P7*32NMBG#WquM@Fg+0ctE8K#eku=12s>UMymbGDqbG@IZA;7k_YNX3Gh7< z(5(QG@G!%<1Duwh8pS=xYupOIe_w@O4@fJ3$<&4wHBPPozxY^1L{o)3Ai!^VJq|3Kek1m*pEs{F^3j;VLUU{16Ld&GUbi--Sgwo z+=K5WfNoO2G-501BFNT6A+bD&g6s8ZECaYD=`%uR^RB^&7g8*3t~!5I0lEL+c@~pF z=doaIE=u~-Sr3Lue=0`-tFT`mC6lRL&B@K>P3jXe#JR7XSo&ROD=TjCJX@=AaA$Im z5nsT8XC7>I+nJMt1Na!|cCbXgb(Y-`*(z6)7f&Rs=22+<-v7Lfno85=A{1{n|I~-V z7u@uppKu0)O;KsHw21qp^2KW_(#sQEFnomoIYCKg_Yh`>68xWWy8|xH1Yw&8EcS~4 zKbImYb>Vu|c}&>gWQ>p?Hp4arUWY3Z7*Yc&_$Hvu&PJj)SN0}6p#WziG%-+QcfUe# zZ*O8{vq#r$K8ZFcL1oN>Ep``TuGexheVspmybAZl-PXkcg#xyHMeu%ajdyEtF@=Qp zc1qkR?%k*TO%ZsX{~=p=+m`X}z)i0@<~B(3p&veo-eiTscT!CYSu2vwK7vPsid)W}!v7cKK;M-o07IE6R zGQ$N<;JD7RPZ5-FFO&cmI0ikZbGxVMv@+Gtg+&`B4i%xM?E#C&8HIj%whnqEni;Y` z3c@cM3lxrT@3hR9A<A{E*AMD(KcEF_2=_Mx;{Ophyib!ONVNgdKF^2rVzgSeBNA{nIN@gxaU)@C-Uxk0 zvERRc_YT5SJ`9irN2YS?M8}IIDlC>{Kr>q=7l6|4Y5R4tRe%;&Tul;QxFQZ74qV48 zTUlAzU?>*(f*TqQz6cSuB=ZTNnG&mtbN=QDXvn~QgM-N=_NE|lAlBvEUqL0g^FFF~ zCK<}e#O7h!D!e+7g$+VpwP27KCI>5U2lNZSjkm=EiaXHKi_kZkE6}7bMelv+ffW)< zS_5p24T)|r$!=;H)P7tDSv|SEX4+dAxE7I?=3b1^sHdwD5y$9(4;HgEgy+9!XNW026W*R*>ji6#USZD)! zfI<$v=I(!<4=S{3iMv_CQPy2f)W+l$qA~gfXRs^hP;NwVO39T z$7FuCg9BGd)8E)98T?S{?7E*irr`{TbsX&s%F%!QJz{@qN5@0LIp!d!g$J!!xMW)J z-?QkToBzT#?S(I81HIteS8wki(qS(gFEKwKUnsY~QST9Gp8>L@MWV5a)>U#{0~saG zC9gM=g~pBoAMc#~tlF}e)AV$3=l+in*iHk;8h%~+XmksQ8?b~FmX`QpY8Qsxam6w) z9rXQg_kMfY+ZpWrdhS%0l<5sDN4BT5|?l#cI~M^>9#j0IVhcs5kt$ z#p04Yqn)ujdWh24C$UVx4t)0vmUpoi=FV44>nPIF*{gr+IZ$>zUZG-*w8OjW-Hmw7KOUeh_ z?S#sI_E7^Pe{3^r0My%%L!PnroIDypTmnR%i2l@Qz*y$6y9E@_Vu2=@FId7`=N|B~ zfW=$Z9fjk|i+H%N;5N74E^-{;)o~y2t_#9@67RzHtC7Y222{}hw}HtnTi0}o*M1Qc z1Rl`1jt8Y3Mdss@7qP!hZ}`I6V^^;wwpM&2tf@bC9ZKY4<~Eg8KX}|nHdzBkt)78VJ`-_ww!W;Ez*OS~Wx6;zPZFQ0l5;#xCHi&SO&d0lDo{-h(3? zbrCM9C`-T`5T7=9JXayCM$1X*oe;VKbv+xK9Jk-k1Y}cGAYur_LUHNl6YmLDon+|D zc>H+E17EX?GJ;r93T6HET;I@QLyaFirPd?Rh*ucDuop^>)7?$q;6&jhN-|L>_4JNu0!hfVFG=u)H$%@0TsM{n z<(mYSG*K}vG~@ifWEr5Q&GQKg-hxcfJg~gEBe|kFdMoG%J5L0FmXobc=WYPwD?a4| z;Pt-6*RGkJ9d|2}H#W;)M!vzs;Hgg+>m$1YC{a^#!ttIEauaniUw-0q3%Hu2{{X(~ ztR@iGgJ~3a#IL#BM46l7UK`->u?)H7HXhyQJDu>g!CE?Rw(Cm6AOJvC2l*dl{E*}p z4&jEXWW>67Z_3#>>d}dbir>lg)m|F>K2=BC>AasRU=0!|v{fpozJTXn9>Pc>$MLWJ z?obBY%oQ1UpBp-%;e7u|KO&_HO;waurAtz|;no2_0syrzx%mn>2jG0be?fSY*{uOu zED@|059bKI`yQLLIs}wxD4Dv_3Ym6wgFY`tZSM0eioye-gTDq1Xj5p zrgsSrx#y{|K?m!G5%l1yvAyoD`LfwDs5?JcwlD&|W$*9UTL2_WjzIS9R(PWOEq?${ zux0Xmo&w*0N%aI;@BTt20+|U^O8R9}p@vBlJU%`Sc?)z;nmOFb)XWrjS^k9Khe{py zT+W$$ZOhBH7&mM=_DRm~;OlFUeM7&A|6uvIZ-0OILu(-Tp?=Idk_cUc#;$O)h=hTDAz?jk@9ALF)NYDFNal-&b12%V5Dfi+K3R9r^fT3E4+ z3J^w*ok3^MSw`W4D)?CPR$JF^OT&NM@ch{gEX0Oy&)d&}(=SHiQa;#GE-yE<6oSzx zXTjI^x$hZ4;pBA2^i=@dE1Q$8*;!cteeYOFu>Q>{Ep-p0)>2Fq_ZZoH+LLw3)hf9S zAfWpm&~2-&&1YlY z1Y{REH&nNlq`qKk?gIk@Fcj!vUkvq6oUg|+IXp)pl@L#~5{SiizfD1I3?LMmGN&H> zovaC#hC(KnUir?ClcSw&l5gR{5PXxs7q!zTjG)62mhwwv=$U{ogR{Ze6!f|$_plKX zotOtoV)yHgO~-rK)>QA9;HOsXSHG&Ufr*##u-ZY*nc+D2kdqyQgISf>>!&4|JP8a(rWU8O6{+o100t!PVj&O0CavghV0($tAeSO!hko{1q zQdEK#AKLFO=yhMZ=X^B8YhPbq626nxDl4*oPj$^}U0gEyj@4rP)dIy2O0NVZrq=&Y zdsq4o^&YmJQzvB2DA`jPl#H$HoMZ`ua7H=yealutS*8$;y~Z+QEo+u?kkF6_Df?QM zA)}InM6!GCG5S2`4|rZYFV4L1BAVatyWQ8lT=(?_cFB_`P~=K8 zq5P%;+K`^fdHz*%yDE+`dDJpdfC7L8Z(JcYvKBV)`UiMaMx4!s(Og#DF0vFRs}&dE zw^xm9+Dp)P2tdA=Rq{u?7~hSC2Sx-u@J52Ql;B)IY`ML>a(cO@u8S4Ej_fJOSqU&? z#L2(paySCWJ3IAD)q@82Z`29YPuU*U-F4>w#KJ1yfZFfRs&D5aSJ0_Y<2=If*s5-L zJ2dQ*M6=MnFo9Vs?+X`@Tk>mDmqYQIws0(TJk{RR1>cicV4BDKPA|HA`x>hvT8O~9 zEqo|ZUG>qr?C4O%kbrVtg23wfK_6Nd_{N+WFp zF1#eHghJcZGaGmJlb_RkapxH6gRxikG}zwLMdzaF+L~)Wn7@$B%!QY8KSZijeckIl}L_JRQQfu-+9g(|I29V5-gB zI^fJIZ*$UIEqid_wT!F0n(!iq9H$(rn<^fzLcGK-2u8e(Z`*)HW=xqsYIIbWS z`532`s;WRZ_e!QAV1}g}&UL++xza=g1OVXYPoF86-seMmYD*IEf{+xgW7O?#AZ*af z*M9}siCxku<4X+#J7s%VfHQ}2?TkA&l?P0g7k(7KBsUG>!VFLRV&0MBNZr zS^5sAC{(M1G-Rau$93d07pJMQ$J_+{eBCx6l0e|TzRu<4@r}=~pgbESpVaXj@K5Y7 znh!161k5I>164xPGX9`tSuKe6_a0F7QOz;bCd!Lmy>JgCFh!%*;_Gq#@}I>h+T)O5 zQB`8@e^7xBeVMP+thD5M0#UylmMytZ(5FU^z&7Qhq{^VUWawByehE41RZx|yFjSrW zWXTG7!RKb?)RG4k^8uAtAQiX<-fV$2&7FFYaGgr{GteGA<>cu(cb|z>zqd&$RaGY? z0NHbvi*MNL(*^LvKqTZoUsqu@cv|dxA(@3@o>`i{-3LSlD*vD-V1m^r%EjG%=KfD$ zt3ZBK)hr#zmcR>)Z8@t1C4WFjIBw82;!-IYLeXfW=4Qw-del8ax=8XzCFw$V1*I%- zB%t7yRsaADe#8+5@HOD2xwPD<#htN@f7KUSpzB}Ncg}dU`NNliVpPzRq03rE{UTb3 zbS*W4Rt_{Pb-d>1xjmg_$Cz37A}sX{->?xht^}!C7Y~4g&NLnc+|d>V!j@55^-R0b zJr&6i2-LTKkjA$*yRc>8Tm(J`ndHk}^GeqrLQ39n`+L`Jr}T?(5Zb=m&yVg)a|KoI zU?+-iDI;szBbg|QrxXC{W+@}sTY}zb!l(OXx@B8ZDd2t5YkwB)6B+4o9_uCo>u7WP zU^7ZGq^t`}bN9mzAS$_64zI1PF^v}k!6L%8&dS=%Ou;1*vZ!EXiwA%jx2D`930cXy zdBA3%;Q*hmn>TBlKIn5*W*MLwHOz&|D>cM=I+z#AawOm6d_+OBMj&vs0r47a=1O60D7otukzR;G)=2uJ*ABKcdyIMp7x8&=3) z$LW6_ZK^9bh}H<|#<^%JkNI3fP5uE=PxkhcL?%eunss)QK7CK~ z5=TY1(kw#_(CCT%o>lgdz-0U)@9_p2 z-R>fL!`J(p_xwavWMr8=^0|zf+IGe2DtjX&d?8QH#KZ+VgR(0V2>l+vIa!t9fySv* zf~(2a*ekTq=K@Md$C>Pligf4MbIwe4Wf_*}L@U+yyR_C^ol+;uW*HRV&pS1lb9!C0 zi@s;L2o20}#kA$3+W=`< z$q~v%h6V$YZ{YRuE0X#=ju9_y?as#d=8o7=QkxWti*7VLB_M^8Kz>=NP=qXMq7+=X z%(0M;JMDAcG|2l^#)FaBmO^tJ6U_yrQwD$}c=*g2w`2IGU`h6C^B?b$r7EoZ9nCd1 zKa4nesW(Y`E|l=VE(6UD6Ey&q=mvEke)mw%UzdfkX74Sn~T#EM5^2n<0C)xeXCbH@##NMb zCmY~%PwPn@03o8Pz`7OZVQ1PH0%`!PxDRPB=1xg8i?+aC@L{r((Zy>KeJ>z0d|WRb z#>Wk#HI$v7jUoH_<@xh*auqr`=Y&Cwr`k`0r}z)k*6q(@zzAmsL7_6!T)z$< zvE-s6STqvZ;P_uKIVlaYM3S%FZ7Gz5K)FsKTJa=)Oh`3x!aKm?DAbRkk95f)?-J7C zm%3#)bdX6FgD4gT1A2~2sX7C%!`VB5+@R`x{!mMkerJZ#MbhiG!Q25PjJHyD!B2R< zy?U525%jc+NtzQH{7ijY#U^=EGga@1cfbCjDb^tzNHI=-@dd))$G30QR!p(6k z){QGXN9k#Oeb(4<%M%DW9Sc#3J8Wz63lsTocQ>X63=myZMAhIDjT+V>CWyzlj)^XY z=A>jJ9Z#XmXSq}5-oSQU@XYNy1ADfy2dbpFzLYrLiQTe~MQ-wZkR7_bg$`B-tcoGySiDjqgnol-J5c>7l-DGbPwPzwQ#uUME>ZC){!k$M zYZ^gg812>jsmGwJv(tbU_h!rN=~vg5WnB{)gg01lZ>h{fmp3RmEBBq3Dp{+(@DOg)mab6 z=PzQCtPptFX?FDGbA=wEg^%)v#>d&NJxDhZ7C0@S^nmPHz+_L!a4koYz58bUii?UY z5pmB2yq^N%2d}LDT)cE#pDrJApFedlYOQaS73EjP zu`83l@w6=`i2#FW#<8yM1_p6e38vcOg872+h-ja~oH0H)8^QFZ-#|Z#saIce(h;Yu zZ;{{`%BanDv`k#}4eTE|uQ6sJUyVvIeUk^wh&av& zw}j4nCk9tf*n7Q^fei=-rNQO`r>0#NxRa4BGD#fk>1SBtd0>({g7RS(XFp^aZKA&` z8UqTWm5*d5K1Um+72J}Ur1bV$tF8uYyd9|<<7C@Spi_rI>^c4$A}&g&cOnUHv;e?3 zh|+hnp`;EY39xU+3jA7o0Fbink3B+hg3A0>aQrZsfyeNK>9%J2RMv)=McK+8 zK6#n3OI9KN9;co^uYR&Ld8P(_V&7n!)$mF*I_3*k2!z{XxqA|5^6P={L%v zB=U{j(ri-0Z78?g_efMW%Pj26Kc@i8^(ZR)&RgB8`6lHKuqkU-yjwO_@$uu9B!$`C zOh!8}5p2$YaDPz|hl}(W*4haF{{6BzSU{;vx+pOU8UnUy?=7@fq1OJw54N z!5K8-C#)|It;$4qvjC`2GDkWs|F*RBC>Q4s#c3X^oK7aR+!0Hdlr6c1yPn9%s;S7W z|F<)bM6^HYj3^={@2aE}8XoUj&D=@oaar>An(t|7c)~_AYTiI@fN#tBhn9M({5t20ZHVWeG;Z&x%4MA z%g!EG$rS5!D$=iNTEqKhf&|OpK2P-ucJ#|f$cKXh8y!D`K^d82rx$BoyKa@DmQ z#r{228?&#~Lzc0TY9^H8K;oEaA_pm|T7nHTee>E3_% z3xnY`mA`FguA{icp?;V(($VaYW?5xr(pZtsamO7pQHw0c@DUTo zibSK3)`VskdG9#}S6S)R@D z94U0XIs;dVgq6kLik=JLKGp}$Zx)QJDJ$0kycA?%{cLR~gfnS%jrR_&iMK5N!cFCuKmgZDakj34%;?2s0|a4DzX>dER--f#&zNER`4BE&W| z_o_iWG~{L~|G_dlTC-SeE&hCQa0DDlusAS9*dNi&8A|?{H7j!&B*U$1At52aU3w1K zK!qU)ai&FRG!S_)9>*hGK!cw5BaMuV^r^NkinUz<@(|fmE}itGtn4mBY12Cmj~sM~ z5d=AAkoNWLfB>z2+}gqd*a}r6a4p06lA+Pjn1iTF5Igs81=PK z&8PKQ4_(Z!koM8{_#GJ{NV(`@dinC@M8}$n3Ypn3N&It_sM>ILaI7{z;^8urjS4W^ zU&G>6`3y~-kx4%szI=qUv+`p*X!bjvWEnDBNk{`NBEzShG%v3mbi?G=L0va0`+QfS zLI%%rQ#ku`h?UtJXG-fcFCq2_Qo~Fy3pR9qoRyf9ET`4{@V>w| zbmd6Iu}Nig;#kftJSZ?cNOJBK%Iy0D#WX0H;BVY<_~tcvKg2j-Jomzo0Uq9}3Z*ORs zwzgR^qyQ$*>KQ)U7IGfdv3$jLnmMxs)_yZ!Jd`aZt z^V;|tJr-~>E3}9p0o`4)2kdXA_wP>S5bi@%xj5Ao`HUT1n>WpxCaRk6i_U!=p3klh z^$btB&TmC^bJGwRx3okUb7!_qOjIp2-!4Fk#x@H!Q)m!)Q@Kuhb`Kp&4}*ba1?{Jd zp8G9uCmMq-XnDepnNE`0a~Iq^Toi$?hTYw)!ID3@99@kMp6 zWu?Mair|E@?F)+_sX&UN4#V)^wdcZLYy!&XmHPrNg08Tepv$NS=rcXNkpy`nP-+US z8v~`@CtWn4qjLs9y>zoGPjb{X9_l1;njCX98;np;X8;NoV)W5+elt;nMNijlksD7w z71A4F66ofv-h3bZlI#|y3YL9UT0xRELJTn>^n0@Mij4I$ z(A~pRyUwtAh$3~in;~=g=~MpE{RCGq+a0{Yt)ud7R{{c7er&EAqE^689=28cxK0W}+IhVG=a#(6;^+78ALjmFzPqPb&rQ=F zU;sUj>8CLmz{&Btz^VZ^{dMsd(SO4wF;RA)H%xs*$=J#^u?Uojg26znQAeIpS)HlJ&TsnMMl;v~c)%S_D>wKWXip+sD@CuCQk_fqWk2tb9}oz|wM z_Lp^a+bdOAEO@!ji;Ez^+fpCs<2vo!#nZk!_0h26Xz=eq3T0D3hRTuFF@*!9`_po9`mlzTQVa$Jn&EoQ^7LWiO&yZ&G+ZgiWVnfE6Z#8tIzz_i z@8EAektx=sjgNIGfw|e{AsyH;67_!9f3(Cdq{2`EcH+X4?K03oi__s95RI%fHa6;H z@b6fQ_j&8DK~_v{R)((216Bj@3sMsXccEh6(tg^i8&Ww+{&R7YrvXLzUb*c2AG*$c zvB2UBXK(xx%WHV3i}sJ{Dp2FYdydt*KIf1G0$u;F+TW?1U0qK)y4FU+f?(R8!%ule zDxrz?arjsJ_rIE565x)OUw=~mzfuW*9@^z$!S7oC)#YvWzs=%DnEw0nUo-dLwCu)H z|LvCl4iPXiX`laW3$S@?#%CmU^#VH-!Ip(Q}7Ac;J9aG&Bp-f-BqpB*zL+Q>#DU_4> zv+do+NjuL4#jH~pDe1RsdL0zWV)9zIgi`%#Q~h@FYsaDMy$?g>oSXQ;A4KZX>_-TH zNO2RJ9sK_G*ejBQ?noZ{=dc#MDc%O z`9EzT=)(VPqW|C7mYwpcL&lun1=^OxlyL<{b%J!^Eb_I!$~3_yH1K_7WQ3VGo&8i` z+Rv*dCDTkPDJgWjf1AKmZk zM~F&rqzNiP-@rhl^oIExx2pcRHOk}F(ioP8AwGGG0ofv2H?OO)QHG(ZijnY;@zf*K zbQRVV#Xwrj)wjaT`@ChIV=L|}SJ+7T;9LvAlleDXjxj;A%7349S>=z?>9Q-6%ZO@t z!5)=qRnXnne#=}Zr;{#R_9yTDNPerFH0zPmiCgiinRMCQA-gvC{OnPXc}x3*r-bC! zD=kH9Wx~?r%UgK6vaN5C4MW%^A7KVVL&MtLn=+~tN9)UkoHIIJunC7%Z6+TNs&8z3 zyn1@SX<@M&w5#97#>O0kTbH)a)CrL^2uDOlMrN=lY8`vH^F=_pn9JM4<2Gir?V)5k zJ6&Ycpe)IcE*Fs*7ZLlagdpZ8Bf_ESI2?|TqOOHocv z4u~mxBw<*%wxS}6`iEv>riFz?L8V1Hy9nG@)~8pKkcFG4G`QRyA_1|BmVH#fJq%*kf0S+OXc zI2Npfus;7ROzm?HreIGo-DAIUd28_C?8=%(7UI|tWCx#~i?2vTqcg3Fds~-$#yDY9 zSPJ|M$u{nV1zhpciOchOQ~mq*nCF0vV7GkjurOn|?3UYQEes3HFnI%%pv`>i-yFh> zs_WgW82uATQhma5_Kl z$~A=nMK*c&c#FdnvT!=c?}VlIQ4wrbDRJdUU?%=Dve4Gn7UIDs5i!!#)TEiCv4iq9 zBW+KNZ8he50TVF73ebhKhtAH;_070#v`ohm<|FY|GS|85xJ|Pd*ZNqzk%Hm*qxCj| zTT7|C`n~FNYxuRn-7#MD#`5Gn3=1o-B5rxAyMSp*G2^R9tP=TAG=9oxcg$$#P0>5S z^iJ!?CLZ42dW(rhej8(R=-sVm2?A0zE)e#5`ZxDHmCy1egDxFXTS9+8I+D*Ik>OVJC3BR!<>2v!Vwn5 zI(x^N+O8_TH1$`4i^i~!4UNIYmjS5{88b)naoc2gqb5SmCQvLcl!sC6!W<8Zd4lm4f zIyxKl>fRTki0DX;kFotMwCCaFjb^!0Nq4j!mi*N~>zE|$V;3;^|9O}mq&=g6dEIM6 zWpF0YSTIRORekI>B|T{fn3q4+6f&TOlo1Vmd13*Uf=P{z`a`!gl9Vp9COrsb_VDo$ z`+A3Xe;C3vXm-!jOaleIHgS)RA*)R$%4I1)=g1%_Cbr$ayWJk9h29v8XC~fR&XUv+ zqqKK$bJJX&=&=-#&FC=NS&ZkHcxOls^09gufyZ#&|s%1?;hLlq)>w1 ztS5cZjAPICX$gP(HtOl;BO z9ElzXT113Hm+fBJrI6;xH0!dyk%jVRPmjEej7#ru`Wt7}9U0oqi$moIRzVwwY~-NM zsTBoMgKRzOb4`wAecY8I2}+?CNmivdnEv$;%fE|k?N5AMy~ko%ur4BbPK^6q`mgk| zH)xvbxVgBfyOc6ak0{&31-cDY5-pPI$_IwOk}9}Jbosmq273Y z_|2Z`mW)it@9A}DzJ!ECu!;7Na4uhhl1TEmuy_VObwBn_8$nL&CqlPw!(=kjN2+__ z18cTA{06KO**~{2EWMIoN;u*Jx0i8u;bWCp>#@?rg#JM_9cx&i<-!8yH8lP0Pe(e> zl-=#6c7Pl1yU#Nxp%JR1^=pG@qXoV}^e%pPXKojK-f-vLREZMZJnI8g2sRp1H1or+bpK>jCTQ7o77|;B05&T9^BwR?Y_tz&`;vKag+6xr7KMz=!v{rN zeH$KJfOIGgKzlk{pHFN!2#bk`{9W;4jaAC%xQ+XOn`F3f!NAZ^lV2~RgE%m4RPSnn z5=YVj?zwP-R`5#uQu?<`Bn|y34VcWyjt*5%Yn23y`P

Gx%XoXL-NsvB7)3MRGH z8>@UM8q@PkS@WtXE-qd{w}{62Z~~&sNg$|;u`;yx&Xm5{t{clD{~Z=b@r0&z3D}HU z53Fp0I3T4sGZ4bKM}{ZsQt5|>U<2G5;sqR72X7MeG?~1)P@c6K50b7MEU-y=%+(SR z5n)*UW5!J`L$z^fzO|#HBdky56Q7Td&#zSrdt{?~grs#s%89spzu<l@!FELpqi=cIE$8j#sX*gCHd;XV z776MA8+5R(ZIKpUtD`eBGnwX`s^=PFSzHJMq&(kTcvZ$$u5rrLFxNDYnFau;;L$1# z47s?Nn7SBAOK5h1trjZWzA}!Pn1_d_YjA=bf>AZH8L#!j>-G|CE)nvu zY=>;Z-(%AM&bYaYH*(%mUA~{7`l0)gt#@gZ*{h;XuDOMoyTcN>PFJiW30-om_UE7Y z{V_QuW!CGFuh!TnvVoDC+wulRMv~s+E%CguzN_i%S#QM&p6l%kmE&%?>~)2Y9%zMj zUGm-8uJ|c!$lbm)=~B6^L=(((|19Z#%Tm{1JW_FHRg6PNIRDac4fP0_&_ExQ`T6-N z{epNuv{nO`^Z!cjc+4Y|jNE&oq*$|FV?J%a%OnkMRR&`u;Kg_)?8OP_q>v4`#*j4J zq?ot47^9Zh&5rB$33CDQADJJ5AdN*nE)|^9>UDzdiCv00wBB<$8oRf$suba}83t{H zH7hJbgpQ2!5GkN?U$;MMw~q8{BZWQ5dm|xsQEYI9*hk$e z(N7QCYF^Ao;*M(XE-*6kkqAu>Wg~Rz5rv4#@?=P?@K!vy9fH>v`r{ZY2?88nt-<*uOxaV9Po(abdsv9%rz}8GmLrAkGhE+i(aK zY%a84ow)nAQ31qI);DuOc^MsggI3XQ|9*dQFa`XfU8y~M@4pxSG8tN4{xB^6f-_qr zbmuikX&E?`^@)Bj0@5|U3y|+wI?nnLY77JT?lpH$Z2FuJmPylWwE|;Bv0Kf=#H1xk zKxQ9X5LHuUFDA3Cm*BkK)?{_9O0B5HqHL%;MGKWpz_P}>5Hvr-l%~BtHUyu>iLg(X zI8+wf28Y_JC!qV~r1MRVkAnznM*%>CmUZebSL_wlA5_|G#Wzi8sBEPws;Y84UR2-< zOz9d284gH{LP=x*cFJg{A~u4Cm?WAtNu*xt#?_o=EqvgtaJ zjjSW+)WQZINf@aaLF3-0s04>!@sz9nqr5DVbSEn!yVpXdLJiCG>v)Ye)}^W+pKDsg z#rc!YESa#k3$n$Yw= zJ3F<*p6i+^6X5_*jD1-^@6Zz4kq=gD5^!7p{x2QDv z_U2SU-&QqYQ43a@49Gr8KTT&RY2a$9tr192+Qj>H^eQD?OHcx~tINj`!y*&^t-ZZW zzyT|gu(Y&f>mzH(NgSw|vod`7HCGEDzAvwC!2H5xABZH^T7 zzzl42`rT(qm9D8zM?3_RY_}V}CBJ<6+G=z74LANMVINobB4GWdv!kP`%jDu>(Oc4Y zv5RLII1=!xPWL-tbse3*i`r&jdb3&NLpc)oNHhq!kdL*%xtOrdMND}5xw>l12zzI3 zC;k5Q#uqq(Fdjh1r%v?VV;y{iF(+68V=V+W11n`CXjBcX(a6Yyj<^VAKqWGIJcech zbTX>TJCVh}Qji`GqUL>UvcA4v-g~!66xazQ7;qhtJ57oIU44&2CZof0gb8BHl;q?Z zk9Ucw1b6P=4cm+o;H%6D+CAYV^#XkB=(H=-TO1+V z@2l`;gyDTX42u=Sky>4JBH*1(T zmnM(l+QBYuPfzEvXI!UQ;w>IMW@oUC()O^1>qat(I4y2$$P49j-``zcG`C)Pf zYXZ`RNGy*lom2`oz;)@|PU~17G-2|q0U7Zdkny?`Zv z$Xp}hGonop0jo)r^v&Gt&jvo}ax~19nV6A@Y03dZx8L0SE4&FG&9v8XQhl0WLWmt^ z=-};5A8bM)qj5(g0FCcP2uJx7|n)tuj?zUkc2`n!^N7vO1@0|k`H7R`CUu7`ga z+*vI{Z)Tyhtr-YX7IIoXrvZH4*yP9NvLVTru|^%10#1Lv%l)t`YoTWDoHw6!t0Fzn zEQzCXysA;L7F`0Qe@HTcuQ|l@@4XY8WS!POCe0&|ovm?=u*E)B5u3felbFfI#x_>4 z@y8RE3YbZGOicCV(DbdXt?bM9IlE5Q5qO~2w%R(_MsC&ohj!sII-#J>4{V{54sn`M?&^vXYwxk=Y+UCgyu_ZczD|0fi?b0!$VME!|Xd{SQlly>)~2*NL-5zjb|MC6a30 zmZbBaCiG#l4<6ZCqipnwpwkZFi);z-bi zNB}qa+NyGV%00H_wUw8vYl-N2a@=CE*Wqo+R z!3BZb7$jxzYhtxUN0D%6{T7h4QVD=`z>BBa4*-U*Ne&mMK-dOgLcBdBy6+1fAYO+a zo0y@77k9F>w6sKxzC!k?s=v0p{5i$ExjaVS$ms6nXalnQtb`azh4%)n#0#z#2(@4+ zD-%~69ew=#2JFf>cd8k(xmw0Iv{rxy?8pZ z4&h&(W=q$ZQd2*EHhEx_G$lK#BOMQ7wh~qtk|It(9s{urSTM1{uT9U=*$E4n_bUyh z6US{gu1slcLc?Qc?n|&CDiFz#0*R&**Wcf7rl`4-&mI~GX{_}SCchVKC_N?$O)Qcx zg+@1mwEA0BDIm(c9-6+vTPDdx7-Oe!$6OWwZscYxQmm9SP3)iXRi53GT48v2=9xX=!7Esk;i~6 zFf2<=(&P|AflH%u|7pzkXKhRL0>KviHooq4^3*ZuLXYY{G{z%wbNP_sp0gt-EZq^d zn1CBCA-_#^N~@%WP227AAh6~qJS%mE*evZ|*r&seab}(=a}G458i|=LbuOQ%2|BTg z+)&)l*dBPi=SfINNaKSk0%#*DRe;fb;v)$(UQmQ!yU@qzB!My8yJQBgO3ZLz`%n_t zj^X#t@q|eskD0~YOc+Z$BxvTD(FzG1(u3$;*y9E*docqKi+m9bR;m5l5vb^ zBF*A-C_@bad=}c?pw%AIsr|joDmbR&&U#S7)guV^&vO~w#<|D^Iao3>GEzm32oLl# z6GY+qPfS2(+@)Y(ANtRHlGcgH&y7Cl%3tNUW>~uALJx4~G6ylY%2jA^6)bJz2#dU% z5OK(*_9d})>N+uT@%|w`LaW#IS`}&rAJ5g|CO{lA(rcY=u}0X-M19QADM4Bubz@cR z;2wzGgb4zZQYJPt<_6Qk2>GCCJ95&`;5dfgyB}r48rxUC5^MxMUxwQww%z1>G zKh^T8wfKmOv2u%h#DB(;%@Px!r7gkQ)S+12wwU}N<3Rqg$P+-$g*CzO1zX&|EnXmi z2t=2EQ>I*qiDtptjsI@&a%&g%BBc4#6mHOZJhnJ7ChYsP`~P(zSvZ0^l8KQKG=}Lr zvYrcz2dXP|4Ehsku^0o4R3*LsJTB7EX_m0%q#BWHdtE59>iK(f$=x3U0;; z&y!JM>vf+5tqW}AotvEn z-D3(nSUlr0q`c?%2(TOSn2nLKXqU8K$cP=G8igLV+wZiO$;o-1D5t$>yp1er!ZQn( zfF1>;=2nHDK8BlI{`=Q@XMKF!d}FsW1`?!8Xl>#K2QkKijjEoTvrvrb9|>w(0QrZD zF^xtA5xPGI5veI&L zHQE~j>ED;YHdX(eXiue%e2mJq->}oE4Fh%R5d!Q0w=z+44-f|$pJnIj^3Da0hD!8y z*Bt#@vNgy!ek|>UA*|X^-%iXd4JuSinP};I(T@}p(F42EY*aXY^4e06{dgn<=h(sD zK;^JS%Om+JftDgZ5-q=Zs2kY`a;vJ@d3t^N`d*7C76}M{e!&MAC`kM;ZW##!LV~=w z{`O+G5qia54e8+hy5eT$PQnzxT)%l`h9=GbN;Nc1*26C~At*q2=VdgM|W%v5%f90IMKy$>(3)!p}F5C z#D2v7Jwr33$L7}DMaj18chJ@2FRNhf3sd9BYA4sWrmCF>?aC(Jf2!tYHxdzTXNE2s z8ylM=e@(hj6%>4d3K$@HVpF3Y*Ho^3gXN=Dx%SJOh)627wr_=K{vYn$hmGkk0?xI( zdWQc3gWr0Gn}mqnQeapZ0^q4_$hlAjd_v+uPRPR#&jn903|DVcW35~3+}!RL%+~y! zJBr9$g%yzrx!3r<^k{5~5+ey_M5-(fx?_vK0YrWn5g*hZ#kdU+_Qj5PJVtoC&1|RC&|X za7>V9PRW-IRjD6)#oX*yN(~QpnbHK$Z8<5Wkx(g`$NaNzzy!YvK>1(;-?Q{To90)8 zO+NJ54z5kDRI*F}WW&xMlTrP|H@&vyG%b7w6_o45E%QfNK$&0p-X{uJsa95>!N?F& z^PQ7pGW|%z?T@*bK~k6rh#ra!UmO}&2v&<4+w0+=8@6SM`us8UW?XB@JH(S ziP)cXSW?X0yCi-5ba_7g#9uy=2T;R^zMIkUeCf7n(4$)f4#NDuEl{Iq}#H`pG;LQkcxI6 zlYUO336(ded45_7m^=MRrwG+q`^5KpZ(i)oht2#~CMy{uk8#mRe2fdjUE-WZ3>p#9 z#?zqVq-10xL3+`i>$SZ7A`N`QI@_?|NdtqH0;ahiT@Ct5N49A*t@3}e{&4lJx4h}Z z`ej&ymcRbQf}oUhhrMz`S658}`pte%#7Iw#8T6s)k4$J}&eGm@G;p$f`fLxq6*{&o zHyLz?yN5iT7>Qmuar$%psg~E6*tDaQC%sar=Uxk0=uKEdMq)MHRBXiO^S+E zT`4jdw|J>^SuusGEPYmWPi!$~15h6~%|+&=$)Ep2)y*mwhN;&;CgfkW#jo#8Xsp_sk}|K;ki>kJ$->;oH6|pxOqOp~r>eECqN%>O?3(8wpA0)9hWZf3tTeqY)RzFQq z2}+ma%vdw1@^P*P198grn2wW~Rz=q7UIgP~xCUIoBF_<(`}tE}sw6l=Kk-tS|FACc z_$S^>Ct_q&caNEUiyB-DV)octwOwq4ibI3$Zc=LE1{JC=mWid`w~~DVjT;*TZ|>0kU8#uJ}UQkoh*+|Xmg>m zmkYN&FQdx9n!(;YG-ML-7!fPs1N-im1}bC*`1c4_>5kT;ccNww;sv;6Q6`PVK?_?G z_mw^9wW+U)hK5Eb!)XF1h%~_r1IjT?BtLBS+{Mq2ktzBP0pKGSo#c?Gfd*c1qzT@j zJo-4A)UyM<20h zH$vKV?{e7MA`g+uF#z!k@8`B)jK?so>^Jw7W%Sz`zQb~K%de;|6H!3OnT3m`rA$Do ziFMGXZx!Xe2!-dtuefR;kP5wc<+W{}qT!x{y3z!ZIMn4T`jJl(EHGl>Y(BO++@uLU zD$AUp_r!NEEM}HNp(WkT6v>ZDlb7c|Ow1e+&d%mR{{+n)(`vchQy+-FKpK)i_049a z>iEg8&qw%3PHKLocHPV8oO+TM?|9T?`^aj(~D>4K9^;)Khr9!TUm&v6yG@vXW_w3Sf{cc;xF&?A(b?YKY7kkQtr{n9u{HcDs zwTOUY0Fg-{y~(e*et1d;DSa zN>`GCp`F}bzf>05z>J|4j-!@QE$)qZ&{6~y4i_#_LT*W@>bO(Q7;^z-?2 zFsP6d_vuA}=)0h$h-8?l9S41|ehK+g=Qs;T|HiM|Lcw@FPivf+YgK;&>hoMT9PFsR zljVGm<81p9B(}@?Y|HvipW>$rA7vg`k&R&0u3xI=BbiJ!53by|^(v+|HAiifirVXp zpC67D;?HjE+Kb&)PC1T0gTT;ifN5=qitKQCzPEz|-%^UOz(1ksfFF0kjv*xXZBo=N z)gMq?kKa*_f0BMX@EnEAdoE5tgYK2`yL58=Y5x0a`kWQkI$VCX@Mc=8pkjpe+5Mb` zhFN0fXQ8**);gL6-AUC@2@M6=3=Yg^Ph#6I2T_ia)ELe|Qek-b#y94sQro6~DBy=o zmrK~&j}yY3hFO>vyj2eE3$7foQ{nQ#w{EF^FfGzozw0yweIjB@%lzto^&}G-{-*->0kB1!cPELAh#0SJ zb9{L$hs(tPY?;$b{TFAKe2q3=C1%nFJJyh7S~Xu4{jE;2Z;QIXXck`0&c2*+5n`4l z&eKl((Mo^j=lSZ2kj9A?so7RvRHa|0RdR@i$hoEdS9r<@`6G|4B-(|kl!^D*7CHO4 z%$Nrxp{#Jcx%Gmy)L5I(oar8^=3o7*4vl`Z)^wq=E#LD=yPyzT6H0XTi$M!}sQJ#7 z(2L!!W5N-k<$h1sIapS|9(U!fJ-RnCsY5mK?uYypu9940^fG?c>PGNDr!J@&3{M5_Kv&yK8DCX@F|iGJguP*kiomD=KUE_t)y!Etsl2 z_Wf~GvrQIg+4}nC&M#z+{;ez%>%N0VzvL8;3vfkSjYJH4JTa3cqpG$LW@ttZxO_H! zWb(&zAdi0bcf?!o?tMr_aRPvKl0fk{^8}N_>Pk+;SAvGPk@h}9h!D0lS!TE8glv0y zqb2gS^U)R&aGIs^n&Cg+bVPA&%f9Gvm(pqf=tF-8^aYE_nm^_talk@I#BdupPveuYj(fLob*gdXNQt9F-BhD zn+%40_jcA@aRN{fFnk|Q8rcX^$}EWSlH7DVb%)-SS9TAZs0bWDo+~A~+;>=TQ!72b zo;gr6_q#r5y&xL;Oa{KZ?=4`K;*yP9U18?h0aaylQxwva_45qTiuFw*g2yw|%>C@oo3iLZ_>N zy#O8dMG!MFl*SI{w7>jkr^3Y`^-dNiUdu8O(zm6pat_o#YNnV7UgI!m_Zi3@V|27s zDKs?T%$5^3DXOt-&!Ha!TLhju&)%6~!pkorDG;JEsJ)HXXD<8h>I-3yk-}LS)f&Ud z_PX!1!xR^s!^E{vXTPo#lDrN8EWM9j(}ew=gTiND2fquNqU+RixRbn~OD%t9;0&Tw zU&Cy{M3_noDW5avx<1AW^-I0I3ATM<-stS?(!QCBs8fruUY{Lbnuu|T2=j}wxZp`NOwfF zY{Z8L*9L2S>FbKBsvgpO3Dgc?CLX@VSDD`)ex101k2nw<^Jv)G++eq>@5a@DDYJVN zWApP4v$U{qL6n-hS!dBIsuW*1i*6nGH&T#doA>;0X|d-(G*$N7)s9J<&-PbQGx4UP z{|CQ5KZ5`O-inmV71U(ew&PWXg_j9@D>Ae_bl9di9(g8^xh|0T9{=Dqt4IGu$7z;` zQ?_?^7m~QFV(!i2ew6K?gbaC_f*eAjan>?JwI{K?bXeX*ss9|whOiY0{n{?6n2SC( zpoz(I z>U=j)1%dnH`^^Klq)2$L?nJLidMsR=+w(9zETx7wuHj+4b?c41yHn`i-6f;##lCpn z;%69Dim@u(y|Jw-UU`bfn{ltyzhyK<#?H;X@*iJ1s0FBcUA^^Jo^3z4Q89$tw?QBL zO6u-#{O(HKG+L0xTVwEK$>KR)gGJE?@V{TVs0sZ4rKn<6(3em+geWZ)!!zMm89YMk=lpw zD7c?RXu7kEw+WdooyrT6kJ5mNl@r*S?qROR;thTB%6$OXVkNVC;Sm<_W_Ehv+qp( zPZ0a@3;xeg18?o-VuO3mVy&n+KFnwvHFy!x6m9wd)Z4)J;|-=UO0!Q*?_-~#OlTmw ze9fM4M|NW;e!qsvzj=KfcXwDj!M=896SQTC8!^THD=>=hTlgfQ)HBDOwqa6@Pcf>s zsroD=4Wj}!)7XW zb?Bw>Bv{pvNJ;#y&9{xOtaMRz!~v+-m~GvYgskJ+QrLKwzROVzRjKF{dlRJl+yE)s zn4~4UjxV5?gXl$;!B4HR&tBfnWRy087>fzAF#n0SP3t$`(z3;Fgt+IdBhSV(dV5k6 zl}DpJH`GWInXYw9VCM#_J(tGYf)$oik?CZFkhvN}9=S67<5Gc9&Cm6*=kJq~lR-5? zOkVh?4yVIbdVXnvyKS@Be=86GDg6HOR z@8Ax8uf_r17oAv2WiB z&|P*qOuiplEhOnl`r9S%%GTO(Tu1!!so}*%wW7myek*@haJ$xp z81$JyDcpxhNwZja85aI#%f!nkjC@wicn}h(+t=M|bF-6k&3OW>{GOQ=#oH}J_dsWN z(c9-we)ZeMMw1!&tp8bfkZuf5WGgUIvqt{52&zYB1p8l6wgyr96#6<*abh3bLOU&WEPIgbHEb>!w$T z10mLA2Ma(^52~6MDY3Xaw>yQbHHFN^_*4OUDaVM{V>cC#P4#p4s)WUD)Y=;YQ?-Y5 z3@o_RW9-N*kugbZ59ja} zzns54TO0E%N9q_$-M>J-GAIHpq$&m_vzNf%Ql(g1Y9F~EX0hGS4K3L$W-&vhgLviA=ce(h1L9N&EPb1egzwLzVB;;q2lh@cFX;fn zG&Jxjt?1@YrKF~2c|G;HMi)N(IiuAlsjqqkGq(l#TF>~4GQefUnT;8oY7I^Q>e^ps zKR9mioB}YphQ<=lF>{UD5;$p;>yTmY`(qo#TDP$|1vbTWJQX&pFYN98eL1RDYNHYm z6~;#bN4*B#-0r|{t#P-cck(3KdgybhGtpk%{Q3rI!iLWS9s-dby^9E00|>*?#wo1= zN*UOcI;-(_%wtq38rSeKUuJy=;e?pg%L-wi!BnNop7Fzyu=d~<1{X`;bx(ndHVAc@ ztgIaybUFkS8|2E|uc&p;xGnJ<1_&A0TvnQ$4b@_!2B9B7<<^H9LhJ{sJ;CECZ7+k< z)1Vjw%}0Hcc)`lSw+J=gzJu*m6qDawlbQ3r5x9y94X7V%GGZ}-al76h$cPH!KM)E}_alh^Hwj{82?MIsd zR?%;Czif^@24mIeob>V3Z>^#zSAA^nB{OyD(z{Q-qqdf|$Rjf?@q@{J@$S;d*j_)D zqO}QwCa#2Hx;Kp>WpFIUYNE1RApG&O-rIIH>R8Xs*tglbouOJY&w438{p$|?KLNKh#SWP+&)f{`QcwWR$puWjNU zgyIDMb0$v@>QZd@0Sj}rPPat=DmuY>ZHcvL1+cDJ{W%k4Qt;_92ifbq=#5X5N;oAf zDH%yf!t7u5R|A&$>uslpDM0;ip9*Y)nF9XZzli)l<}d(iSxf**ntW7?+(s6~t+Lp% zmpRsk)l8CAcEr8{c%x@vD7$b~YKK z*w?BeoA34Y0gJO=)Sf3XVuq`LAH^a+2Av?otb`{Sj;RJjU44pz49WdGw=A6Mz{*OG zahX3LbP5>=+Qfu~_u2rycALM5G|PXOx6!p9>B%!CtGdrGF&~U1k-wTZFF>xo`H~062jpCeP}vO@Kw5Sgv83}u(Vk{M+-HUxXI7=E(Du+q)b%io9R@ERx|hWIO3iF5)7j(9;NXOAp5}mPg|L`djNY48ts37g!MSsJyu^pwms|{l zl{8K+cQnm@JbC7#gwt;EG0V`D3nj-u4YeJDTNazyDJ zrvn_^(EKf%ag~OILo-0A$Ly;NLoU1qVU!Xlu!XN35gxNGNovbXXP-!M z-TLr;**#`?>nrVZf1toe*(c&xs^!vbi$V|p%zj5 z&2EqEYpi>fI~>=|f7+E56)=>8q5)80NG>w8L0JC0Q{BAq=Ndn-8QjbK~^g&(AMe=WlytbyG&dS>_F9OW`E zPl!o85Nx~=|ScQrB&KTOnoe~Rm|7KcH=63JB7lJ#Vwrj)s2%;b4*v?(eze|mT;=@;wk5^h%}9o@bJ z38!n{4S$x3ubrrybX*Ye^w*y!K}>Sm3m{~+vzAL|o(~0$GT(T);dxIh1}}#x_)`g0 zCvZ}WCU}fa)Y+h{*G44bfll1q78YH^r5FcUxDUHunWDKq&d%mn*N#3(VX=yT(0eIu z`XuC|QxhVb7_xe8x~xl_#$uyfohtKeHA#uUVAa!=xJFA89UmGryRRs6Ogi<@w&1mHCO% z!`{B&mV1(I&PTJ|r{jO!0N7QX%Y5k$1slPywwr&sl<{`77rp+gQ7x?bWvSY!K4DSo?wZh*C-B{9`RwEKv{Mq;wp^+iymn`8*D6Z6ercGDi;1Qf|fwG(8C)NoI8E4`g&d@UrIWbHO)OfS%rWodQ zs&UvxJPeC}_MYAEWIUTr8x%kp#wBETSeho9)4frC$F27TW2>{ESpNN_ZQrbmh?!0b zqeZFW$msQa?%I@5E^+nW47Q%fc;IOZ9eCFShiXp$q>D}8oe_z9+ad26?7ghScz}{T zw-N;}l!97;Y6S~{y@*hb!aWy3w#zi89cSNDjAdMIS@@C*SH!?7=-F`Wy8|mue z67$6>q`{=1TXCedr4XTwdHwFfXoAmaRL2~Zh7{@Z?#}pLirjTp{hLqKBwoj_!TFPM z;RJ9-_Q~I__?^_!$Y1$&rKB{d{`aP=eFAWy36H&00+wRcj;;DiR+#92iF^04k#~qr z;fHmWP+8(g!;9=};Frs4ZSC!OgFdyEm_i%r5>8%`VH>MbW^C^o=b+hcmAKIO6rVm6 zPM~ST(NGI1fly%p4CD-ad7IGS_7KyK$(L??|D4|%oC`Jg>Bw7@Lodr2q4BP(-M$OM zjhHP%>bghTP#A#Us@wHmjo+EEM{n8huG*K?=B=}S{^_>^@BP`HkZj+nl-wR7i+?7> z?RWBhHWCi>#F_cXa5!j;eZQQq9uQ`9Blp$1_`k#PW;pM?*}00T(}AaQb2S3){oJwl{xP+(GEDi2FIRTu zG*bO>O?O5>u&^V=^C-+xAiEl15+)|~m8?O1hh_FuWo5(Gi2C`o>;A|kTO z%KqyjQltCRMa0#>y|X^-FuaWcF`mWS?S77q^@rQSpBDzj?ks@=b1^9Bp7MYv}aLL)OWN^wIc0_PA5r& z_M}C;1PW$KL~$Na^2ryO@UFHvCgmE(-@)@)|W;vIahN4Fjw2Tr(ZY7p{8~6565;)EI8I8<64_&J3|WUM z0a4uxaE7CbtRH+gB6~{ntaN*C=9uXOjtIA$sJ%T)t2?87mE=LEM3HTu8ChPOMV(z) zm5&T2(lSvq+(x8AFC$Xy|6%SeqoQoPuwhgL1r$&k1eI?{BsEjkiHRpB4-p4+UV<##4%yK@p zD41H(UfqQQc( z$RO)R(ImwPbqNZzMBNq=FUE3ZV~6D{9H$+%e<`T3YSfLT?|*Smi%U*1(;X|wz#@LF zXlVXDYh=YUUB*tI*G_v51`=*OQ?OP+OSGDqFtz$~0g1cd3`dEF)$3pIJ7e?)<;UTQ zw^H5Ts-~@Z)z~NZBftHOJL>vd9^Veq>LeUyZ9nYhq=*Pfxgle~-n?aSS)vd-@cG6u ztH`ljES@hKM!-N<;2&K_gU;RVKB}A{en{6*;2V*v~c*C+$~nU(O-D@JIM$|86wD3FkF2Gr@^)_ z9#sdvXNV;0K>P;<1X}7B~($;v%|M+8v=sicg6;y~_~M-x}P+0SzhPT_eo%Zbnwjkawa{$kIsy-IuBG;7cAF!_Hs2j`7N zLktYoNcv`MZ0z3B0QPycd*IKdX(-xvH~8*YcaD6}9=-3w8B001r9iV*Xo4d-(_)xb z-5TBikI}QW@Jv~&p?Lph37k`2sPMyYv2}>M!C#|FWRqN_=J}$p+CftPk*&sD%A@D% z^koPj^c*fRsdm&cW(+GdiQ!3(@M`zOzKN4<*WW{yg%WcHXTq!r&io>yJm~GaFsvyI z$=s{9AJI}pGWmeJ6vmH8sZ%1&$?*LSjs0mc6x~7i#OjELzSnD18Nh9}k{Tn2? z8q|R97Zf;5j;_-}tf)yt3TJ+<4Sii%LX@R$zm;oFuy)CqmTK&tp8h}ILLR{FcRm`L z>_gVu1!I3!pg23ijBB-0XY`}4x?^DiGA|1HR-k^e7;M3o=$@Wy(1yy<`VpL0bT%^d zJ^nheCsy$jeoq4_j%C`xccTM}FIm$i?9jNtyJ2(@6+Kk{c|2o-BkDgtz~9e`0oni8 z&lpvJLj3#ZZ#e$|O8EN&xaPVM-R$Hxbw5Jfe&O%=c{f^xS==()< z0gAFz$+_HQ+H&nQQ=IVIf__GPCWc@su%O^_a}E*wYcSrYSYxh$J4DspXd5Fo~6~5JXMD(Dd?7QgCak1_1Rf6I!3Ft>sviEub61a7wu~lAGNJaQQiZk z6o@$H^q5Z*zb;kgj2le}-Gek8NCfd>KLWW{bSDn{d@gJ_UK-)? z%2bdd%wSx}9n+bYqRiWg9{72>f@#h&Xx`X_HSaG!&fc$wXnMOwk3$Tv>m^HraSJ65!5u-ztVZ}y2m*2M1TH*DM{n2jz2#-=?v(VeE$zh)g`;&wZD3J){nf{+ zmp2|pEqR47Zft-`<}XWSikZL*qka#Mk`14@MqXa^`Fsk%2-O1!qf$>*qS})C6k)^R zEMP7d!q^o>XDs7QtfESk?z51WyWRE@Mc5^Yjn`Ti5PU&PhNW`vj2U@;s34zLUcVBJS4?yEh2;O&~48rc=f zB;~v+hu*Y2qtaR4$?vE=l2p2M$y*VfxHJ3*eN7u1YioQdO6ced=`9AT>f%w`B4VRx zRNbEUG%_`|DICQ4Tb@NWdU+!glau;fZDn(G;PN_St~(Y`4Iw8gFV6BE9AJNi{9snK zLbD~Nn5V8cxd`W9;i#LT$_lEct_}=M0BqlBXl!h}Z1;tLhu#iosG_^Cmx#F#A~$s%X|>;}XYyN;K^PoTVxcK!VTJCJR0m2Y&? ze5-1lb8tQG8YYb)M|L9B)@UJ?{AiA3k!(t6H(tI4Nj`2DC-FolC=^34zS8q;(R~D-q(l~AM-W=OBr5)L2RQ{% zOV!%0Rz-dR7*SeKMRrH%%f9q#Xk+-)v*bMF~nelSi{5;IdEfy zw?eLtQpJz!dd&mji-H0d{&eIQfEOqvb%p{Jx})BW)R@mLbtg0$JgFkLa@!FQxgzk| z%Gu=DWBL#74w1pOI%J(K@FR*YhURk*+b?v=5oOYk$B|b6E{~d;l@s|_TN2&AI3d;jSwl0<&A1@7=T@-S&~ zgAz9c^@Y$<*l!#r0el_x{nBp26{)!b7n5|EpiA&w^pD$5YrBN4<5dyzW|_eD03X@? zMYaD+Td9o3fkQiz`Bxyu=BB)yfyeAR_lmwRGGvg0YQje}5l+f(_H-Nshbc6!dy;vFYniR#i+P z-bpPSlmW=K`OrE!7l;@|t-SqUA{3l=JHG|-Fs-OXoWSCX?POK|*J%SNN$EUi@9lYa zv6p_~jLlsood)3<3`G=i0)iQ#ge9-=`4^^%`=ob_JyKnj3yh1kaND>>v!9iqf=ro; ztAsgv#v*s4cH$JE1k#H%^bn-VOGCq;d!R6d$45>&o@=1@6sAte&1VWmo1KCWlm;u9 zT7BhZPu~Sxd3J*aO$&`xiu>Z;DAlci0Hn8|VB%v{(?)N&6Vh(dwi1!JK7A#>Wt%nY z(Q{l$>hYa|mN04BH5{s-3=5jr<{oLf?V7}ilC&gxe5QmxYSK2Y*hZ(HBI$T-UwGNq zJYW8BX1YKwpBZri#XK9n;d;kV(QSjIy{IfEoVE|sj`zcFR{O#su?GCubOYHlxPuEu zVVO)7A_LYArM=~qK&8N12H9P`5{S=4T?~lP0p}b8#EFGlzGC;rvI=a;g8t^~eK?W* zuO(|O4vA$YRv;8^zDpSeRK6KH(4dszxptPKMOs4>6S`J6Z~Wf(O~VWahMi~I>pzs* znxnk^Q0LtJNlbSr?h>gw@(~R-BdvO$)Xw)?PCl_RevYbx)KxA24e+R8bJyTpJw8)x zzuv~xdkw70YCSfLtj1YF*z_m4@bIr+x8S)9B9(%Iag_9h?vF~_#4OH)78AC;qL$r8 zff^=*JHz_F*1ggT3cAO{tx7AVwqA9%*CGl%gEN743m0O+$D_ov)^J^%fKDG7GBaYExmlXb2Up*hM=DP0csdvKyJ>2^YbdyWLCl z!!-@fN{6Rb{bt`&m@&m~kKXrd-+?$&&aqjO?xkk=y4?N5eWeZHnjZ$!3CM2*Gf^mw z0IL zId9MI|4U;wwG0Fr;C6T=pesAy@cz*k{paofFTU?gFTlb7_hE7gI5Uk64T|$0Da9D! z$w<=wjqm$_*^^apF>UOrM+<`(KB$t}^ll`c?hgefSE% z@~VG}E)y^Tf&4!o@;(44U#CEmJUQg_OY&UI-y4$g5MBfJjo;Dy+o>%&c;N%_5C8kU z#9OT)q}^SK=qo$l+#A0a|Mw#)KvUOS=dm%<_xzD&rB)%p1E{0Fgda6czKDx=4gWHZ zWT5kgIJ(se95M@(z~S*)4F3carkrt9w@v9=v0%U*uC+ZPS_IUnuEc3`mFYE_JrtG6 z)U=_nmr{F~dE8N+^2hO+l7NWPh|laesJcE*PaF1@^ZU6kaG(_&KoV!IuD^Z7w(@)5 z(~{Lyv)}HYE#Rf?u%nGb9udHv-wVl&t1)Qc z5L7G2O?Z+#7>08FR_edVc$IM5Hgk{OG4+7Sp5ei|cC5HaZ#gJ&_WVUeMV}asbK%V% zv;lzNFCO*C2&^T!$d=KV*pe5>gV4P9`+>KY-Gox=O3=Cc;Ax&!1#|Od&}fN2c&A7& z=MJexZY5qDbr1-_X;>^TZP~8zR4;_6r_rbyG*1TEZ`I_WuAgfoPQV7`8U9;K-s;%dBP-U) zBo7IF7i?oh%cZ0sQ*v5GA`e9o#SSmsg>Kn6xEs>oVd3gc_U}h2tj?>5ffLB-`mTm* zEO7tO{LJ$|gXgd@+sg3J@s3pV?`P%4wFceo`4La{2OWx z>k^2bE`#1F0gy$<+&%T1JvhB@bp2%xst!*GTih9?=bX>)aYs|Y=(QKaC4+w$~r1$9hyAQx?4F}pEqDac@SxC^*YSR7uQ6`C4Tf|^0TtkV#F zvi)g0`%S~VnNofo?%j{i$Pvut6ECFgvM!oyQs%cncH8J7enembOH-Tx4=b=fRVtcs zTIk-j&)M3O_WT>)Wa0}H>_X_}wC2DkaWNwk$dTu$jdPCh(8KlJT~5EPUY`)4cKw5$ zg+Y;Q90e0ub2O#u_JtB2$iRwjUx8?N3|AKzGr%Ma&U{j@)NnDL(W3w=RM2WgCwu+) z3^-4yy1J5>9I9T>C)btKqeXWgI>_9J9;(?8KLm;B&Z6W)8+3Iii>YAL)&ozu5%-P8 zJNOpKxd18DYnarcu*6N0876O=c~vIG&RfuV}T%LlJADzUD6bq4>Bvjj-qKn~b2Yxx!xbnOAAz-L(5O02hlqKA7TA zD+87f-4|H%9#fLo`hZbEeicK5e5kiw0n{N-VMhm>3sYC{-(rP0!jXIYx^iQPU-LPr zpIS{GT<)N#n=Wyfv_mIZ2mAYUOjXm45uNkAA#Vzzl#E(NN}oyIQ6Tnw&4AISPJy5YbL(KDjRf#7J0! zQS)z$kDu-Ww#|4qW z7>lp*mO$YylfG%kr36E$7=L&jE0EsYa&-?NF~kxuZO3kxA#QNYAD=~6I6@qH7Z0$2 zDJ~u+7M9$}H89A9JJg!rE0a582+E}tc49I+$gT^u=D6@+T95?=nF3A}P=LmO!C(i* z-#G~iL4A4f3)pC3k_e>@%XAdbRlgGE=%_B&7hCi)f-GNj+f9i6Imy`VOKe-_ll+}M z!oK^zfup+sE9*qJKF&iIeUDF|RNZ%n_8G!H%|rK*S#oYzr+HF~ppa1A-YFoEsJD zrRGd!_5@5;+Gt`=L8_S}zx)Nngktu^b%{@)sNL~BAKM(`!lQqmEPHt>N|-}lwAfP5 zp_UuSpGRFaxGS{1$&tTZ2}pW?^!~vP9SPh<-wt)nxO?~u0l}}r9%;I#RGY|zYc;+> zj!4SMjpkgu#8j$z+^`#UAr{h1_zT|j86AH-AnYC>JXoI&F$S!8+#Sut1Ce!X^Di9< zB6*^R;soHa3XUnPh|)YY;FC4%2?JES1CqLUpCK;1d?(SKaQXHWT!{9-i>W@q47CVyjvSmKBdUwr=j*>}N`niS-jh-!v6HnNVxAKyi=xkrpWdD?Z$hKo#=U{%R?!NOOk=`R!L z-8OpSManhR>`-Ao#{)vTdWi~2hdFPWa^9$InM9761xuz;X{YOrMkAH$biAhOZv+%a zLYHJ0^bp?|&HJ|u6buf2?(+PV$U-BT{Tx-r8&G$gQ5tyCh51c-o5VW#m!R^AcI}Fx zF&2e(L(Lg$FqCTSC#^`b%@)pf(1OrhQvc(We*H*$2T0P7m-aN|T=qZ|IHrZwO8%<^ zcqM?V`NX`z&mL>{!o`XH6^s)~uAnt{pJ9dzk2c*Yz6Dh1B}+%a8^C`M;gE(9#-aX7 zv*@?mURL!hNF-dchNhAzM~6UTiW)sV4e9+fLYg?Sb=7yjU;G+4)qllP<*WQfql>B!q+1kbYP0PxkayxnU20gcG>>Wt ztq_!x`abX}>4MY%gMcnx3T_)#NylBJ^L6LW3sQG3+;tduL|T*Ff8pz=xbe0hV(+To z^Mom%23v&uW?)`D7ALU&&R$M`sxz&*S7^NGa)uGIALZUg7OLMDIyXJW zS(dAR&-NI-=&!tyB8P)}aj~$Fb??bl4d-WrG_hN+vO#SQrxmBFG-nfjd_#~L%Ysl> z#>$UhfP7hfqc3}Bi4g6jmZHwalbm-&f;i27Z z&Jq{xp`YdLUpN|ke9$sI#ucQJneL9uQ=!k105yxe$4%#T7Ytb9uFP>$w$Yvbxl}Xl zhyt%DBzNMvQ?>(;Xd^YLf?_}kU_d1{ed|h0GE_*wsg*8lFzvoafbYU>v6&MJd;op* ziaUbhmCtr4E-lr^ zHIPAz*2l(WXrLhgm1p>X{p+U$Ut|G&(nAiuBF1?skwJjcf0qDcv*)za-utZUtWh@l z=7}+Lj`x|t2*2+ZETWZR#Fp{Udkc(+A0KdX{vAVX*xey`15Dsj}DElu3=++O`?CKzmuPz;yAjB8G8B6e~Z$6 z$xizRc7wJ;3epO6HxBsuMLB+x)pE}M-ta$Lc|7eX;Q5HLzh*Ffky`jq&4(CSx(+wA zs`Ei#lfVkP8uHI03J3!<)90HpuOb3;5l4S^PEY-hx>cGdV2k#vXg=?5laY>Bj6D85 zA#))1+ZCO5J6A;hw{+g}`_J;(tF!C!YCv6bwKhsi^WEMYY9aM;ed8jw^Khmfc?bU z+x^Ke(ZY8BL-?=yE;5hryJzpOZaux-HB6hx80VQe|pOgNx zCS%WE_$t)R&6SI9b8p(s%zi&Q&3h~2U#~JUBEJ||j6Z{GF^C=t0Yc*cX5xvLVHA%k z>57X=&U%|q?YI=AnfK1d#uAMEa};|2ELyBP*ke{$_`rP&VT{;tu>T{Iz9ANY8iwWl z40-22u9z6lbe&y%e)^xjVvHzWnld!#6Y+c(yRB{ucWT$GpEF%}|G@rezdgj71C1#p zQr-C16~M&UC1ouv^xc>35$QTMX1sAVYc=#vl(N%+fhi|=%{EO z{f(>VFV1ukPR0)H=SK^FJYV3V(*cGEssDmMjtPg=dsatzU#)$EN8tZ31g`(@HcfFX zG{IAIV|V}cMdmiLcGp5kPX`Tj4G(J`{i%6$#j)^fuZNR|8+uMywHz@1r?!?pgAPj6n4Tn?owZz>F78)IayrHQCpoP z<@7t<93oYrj`)-OR@etRY3+@R&3q%UtQcg=VWK6kCF42 z{*0ffN_OG5N^zstPRDsN@5`h-^L!1KLz$EJ3OQ=7uCA?up_{&^+B>vsySrb{lbL7q zKkYO?`?d48t@Xu@yC*Fv1&k$g?Jus*tt53zf0V#-elbMp!+h#Y=3}r>;!C+q*0r>A zM#yMlYI-N}!A;HIhSd>@SptOtz7}GJR;j)VbJJQwGEKLlyR(Fu$-g|8_@Z4F{NubZ$9rU13K9?eI$sAd! zDS=#ePwZBwuCeh(1(`DbeW*{W<$r`~L+@h8lYBCKkr{0!BKU31Rwde1@+@&U%8|f3 zY;3&cqKPaVEzm0T76n2cT}(GLHnVfoi8#wvV-^wBDI5*@GsLwBbwJSRSXId9%jf(Q zR4%<^atq(DEhiR;_%9{y^woQ&YZq&s%0kCiu;BE~9aGDXofm}upzhOP2bZrW7A(8m zyfQO01IjUAdi`zVD6|@I7$DD_RzPgOtCs(DU_iO+kZar>3=7WcMplSI+POUR$K65x z04gH_F^XIRp|r7LT}VVUSn@Rr#;3=Ssb*!%=R8S@&|Vld=3*a;!I98==#!4o)L%l} zvglH4z=85NVtodIK&9RutLFSD zDbp6aGh((o&7Y=xP&+9E4xv#o-Pw-29p1Guu1@CjfyKpeKabwRwgNLdI~EYgb2m;m zkwnL8lxSh?VESRDMXXvaHhxf76*{QNz4iw2tQ|Vdx!?Fsb37KZ5~l|8418zQM7UbM z)bu!ce7D6e0W=H*NtDKO_UfZ?;V<2om-6Ugbe&aW2kV3iAUEr^^d*OJ7`2Tm;wprD z?`R6$TS2^VovzlRVbqrVnl?~HYHGesPNL3_z;DRQOZV4j!SJk`W+#?*d+7&82TU4bX`Nb$k>N(u#9; zqhUvR6B$*%UsNv2p@+Ii@f_$2z!kn8eI~IV6^7nCyvFucX|ZWYi+vZQv$nPud!Kti z4Ki>v+DEAFXg3OK{p$l#Tk2-3m>X4oxK?Ylz4dG0gSytOJvPaHSc~{>Y~(|UP=$Ov z*Z)tJNpPsz>iW;0otM?Vz`%3i%En$`+r@+e-W^x6<-xbht2~9O`5M9PKcSyrOVZUw z7T?qupPJf$n`L9BqK$jtv~uaD#`(3D#GQ^nv zl6CG~d80FW;0Uo2jBDZO>bLa_OfHFF{%3phX89U*A~8N>dd@eg3YGJ+MvUF!!bLe3 zz0#FG3JD6%Aqh`k%3-l5^yaAL8PE_bPTcMGXqbU7D+mW8?u;OnJ&{0^mKGyugE(W!UnN97<^X!*^RqK zvt;u1kc>2)qXX^}C-bbm>SlD<@RXABZvZwOIa^a+x4QJXZ*cG&p66^n3uZ$fnSFS0 z(1y4P0iHNMK5mJ$x!nLb07rs*j&3yqfn6)L){NcBkQR3;i zd;7M0PW0eX*r%^8m7eJdgG;P&!6klTnNgQ^MJ_3PK& zuGuzXkF>V7x~I$6ZHvT!m;9Iz|qt$oMbKi{(z%5uU3*T)KSZ zy8yd6m%Euu?G&_%8Cc;Y34sf2HJ;ZXmt?%F=o#_D#@WPECB=m1UP{068dtB|QU8YD z{S^hceHcF_9+J06s8FIDKJ4lJfc_dQA?417<2r*&b&k#^(7}W}i*CCMe6u&-)=@v$ zl&#d`3s(FiiKhoHcnO3jVSE(V%nxB7#kr2_oeo)HST9$2Y_H`!V*BvqYe^RL&HlRihlOZKLKY^I)mnty6Sh&?(LXxmrs~C7VKtCWwQf3A zPfBz3eu!#*FyCY83CH-HC7e3aS%kvk)Jf2~+uYR^B%jbMl(H<6hZhFxOBR97@&253<|nT39yaSYC$!r>jU??S%-1wj_|xbESs&e=(RXP zZRtWC;Di*C`9Swchm(ugRl)FCGrM6bNev%XGF&giv1YIi29%1nCNHcQo>`K0O&+yi z#1Gm?Vmc>I)*;Dx2wJ>tjw>(fyftQta}yVwXW$dz7Z3>a=S)*07Zwjv%28YK*N6H| z>vEg`(r$NOtkqi|->9}B6g4xJ7i@fwFHIRzba25yoXr1(W5%vB*;vm?=(uaqMOXA1 z*4r6u(Q7?Aw|-V}v`t>2oXCqT&KzLAY9xK$0RqNXL(z|@7bKKRcr7C)jf{{tTP;e6w%9?PnYg;K)>1#3W4syd;5y@OE zbl_e?T=I;vuul81HDD+3a$cP_xo5ek>uZnvQCoRfsiP>&#$;#eVJVXB{oL0Q^s zlrlz5KI9EmkU0xyJYxEz{nXvv-P3bf@O;y5Xhq!DXlHe`$66?$`2u@NKP-IFQZHv` z6Dn1CxKGFDKBq^OYO9b7w~kLuPU8B77(IH*$8koZeI|${vK=j-6EN;?2sSF-x`|u8 z2bVdsG+6eUv#nPi?zGZE;6`Qx|0f;UB|9PsPawR*Y7pUFVlVi-!#ud}_WzMGcq2P< zIVXVet1aJrXN2Zv1gpOd)-4|C3TH#_zVC2VC%pinQY{6(uqS~K074$5gLFkC{MzP^ zuqF*SNQGNpvz~Ia-UK3i7#Z1J?=ab?(93k|O=Of+LvGUtlid!MKb>)6;jM!jWT&^n z#NKaloLNF$?JR+)__@GsLw+{TfKXoA5{vuH^F4xy51JpPO9^c{7=Ox3B@d;8oDJd| z&=@c z^_(7@zCD)=Z^ZOBkJ^n28*jJ~#X#d5CX2hXOj)?;FQ*PW-}CT!GKE-(^fyy25cvr#M>2?{P}OM<=%A)$_ZF*8aqG3^=B>`5%g@7d z^hVwpl|Du!%@NX;0CHY-DpfztpZOkkOPQe8AD>(BIT!<$9#B1u`mf<9^=chc;fxR@Vs=(}#>(f;!)L}F;U-i} zild^RHNN8J_WN=Kklf~?pf@_LJ(@orAAjPnr{B=!AszYL_M<0yQCdzZLKnVGkEX^( zhZnjGF-hMgnC0`CCyvdNFMV@2q}(WCUoxo=#QbF(({93@LUh;gCk3z%<#%? z3kLrgW|E?nkiN37CY(E2m>*{9rI;=4_qne@;Ht_2s!1%G+i<`mlJI6?UwNWkzAqgk zF6F2(o5v7l?cBW|_;-k0sXCFVCfO^!=~YM)pR4i3(T+?Dc}SFsp^aW?eo{a zX(=6&Lkod5hVs*}Bo$0j+}{v~Bxb($>oVc}Z~zPgIa9hVLaC7)2`K}j<&KSZmEW0s z7c^LM4i1tAN`imWVn=lO1&6ZQWs#nQ!6bpmfRJ;P?5V2!N3G=6CQwtY1_T8kI3tm!sqhD( zOnCs+c8t2mrA{*lH#XgOQ@4o1+pV)+g;BrdtHOUPn8tU5N`G7?^q#r-?ja=DU0;S# zbtkmj8({zFj(s64!(xsDL+bSn5B;Qg7RpAhYM%MjoSYo4Fr&@X=M&Gp<2gK)`BV796|egGr>1{MN@u-l z%S$2MW_`_Mf{WsU@a82^u4k55KfZrYMoP`ZhS8c{)H$8UEP$2;-!Z69^Yz8LRZJzo z`}Nz*%ynvR#K%v4X31I-4u%F)QJqJl@VHblv|Cp@f#7siVjN*??=CC zT=6l3hFsD#6S7vL9=!9fqtb5g6pZfq8+9T>{Zh*kElfi4?B(>N?^gbSjh|bT1m;nhrGxWZ@quY(JJc-6~vgOk1O`2 z=+H-z>J6er$?}$OylV%Hh|x^-yKaAG>D$NnFt`*^#KlY8^yI(;;0R&k^ReQCl5h+KiJGx|~5I&XE;7s_WSPKp8$)5{+?t4|4992eh^C!r}U20RyHlq73 z^IGwRu7N3kc;!&N;}6VkGK2V5o3z8_W;OMRZQ{iBTRZ@K_$Fw)&b+eiNZD;R%M~gt zmZKq*#t)q->aL9aen8uoxZaqt&|$i|#{c9@OmaQmdO@?$ljN~J$;rt+ z@`xlwZebyzXa}3~4)tG(z2V)?6D1uE-;*=kr+2k(uf z>^PY;NziG2E~2+6Nx7BSZ{^f;y`87e-7qO*)W721gk8MX=-8tM4!h3Jf-+jZF|9Uh zwAd<SWjH3?O@-J}{GUP~rn9*MX#MLa4&_~B_x@t zE&P62LLx$Q&%1KYGL-$wo=%18C_s*w=S-IpdYE&B2YDp86;~DE^mB153fO|sC)CvJ z-cE)(Re;!6$oQaL3=z)J+q&c^?zs0m#Gw&7iYHBg)tn(5$H`yr9f8m2Ej%hSugivh^y}q)!+?%epcL zfKC+#byuBwB4GMA3s9n8IDd@R~}EglztfgIX;xn%PmZ! zuFiJrS=GJk+hvB*k$qpHYo7u2m@HV{joW)sGh${o_FD39K2$7Qv-nQ+>Gt5)qzA3n zwHac#sjma&rc4LVPrC@Y5T`+=7Q)D5BB?ppL=jAU#GmHs@G7`V;c0HF6Au*@x!Ay9&>UI4d$%r*? z2N#Js5#bR1;^{es!CjIy9pLx_?#=;6J*&TG7a38wT%!^Gzy#~$b>lIKBbOc}qYvEC ztk@S86DzZ2V!|rDTW=Qe(74OVs=o>3IzG+Nwxn zS(L%ba^BD~XQ=1vH#5&=t+28D&&yjvr_QALz2UTBk=6^n!9#OaWh|YQXSej{yl-iz zHDPp?T3zzif}rw;^suPbth22Onzen+qe1pblIcGv1u(i){64h|M3kv2Y2{k-rLH1T zT~hH=^Q>`H_>?~3xOabh_d^t2eqSlcLlUVe!4u@uC^DKrFgU zTxmBetEsLg^=OiSiE**?+|QP9byQ}ond;Wk{0gmy(5-QIU_S?9hjobiV_80t*rY;j z^ehMA9W0C#K2hCVBOxIPwfd4gV@o%(EcX07`-foomMl3{;im9zSAj^2^CJ?y%J9`j1N2#cdf|hG{mgX*(yn*CWv)d_BUmYcF139#kkQp+*Kbld~48$lW7y`w$UToiOBhpaT! zyrKRiiuT?Tr2EjnX-P2rrtlJUbKIsnjOkF~7i^VgCgY-2lV1@4Sfb;8&m2vlL`G!q zVt|arrMr~ahbR^zoR0Qh*9Cm0!6;Ku0hUh`A;SrWftA*wa%Yek-gGZtqeoEYjK8Dh zsCzr&k4HD*WlEKa;PCVOO6_@qlR14#?0G6LPOu=7XNYO7ui8W2?W64^Sn6^f9SLrw zMSs%0vA4XA+dE|TvC_4Z)aR!g=s`ZKIPL($)!%3MB&pz0q8+2t}%+}#0c37zdA>r&C$d`-hen_MO8Qmnd*fnrGSOUz#JRM(52w^wR1Ny@6!#>Cd=g^4PF8qJ95YHOKf= zi4>PmjJ;wAd79ese-c8!pa$LDQp?yoS}>PPynQ&M?I|(lK>!(6+3d|6rz&e)Vv2~b z=;c#19k?o4f;86Gk2#(uTVi8p?{?ko`8|i~O8XEP@{NGTzg26~Bx{I^Alh1*%XTT`_59 zOUyijz4eVqGU3kGnzt4(H_1HH89i!2;L&la-C+dh^m=o-`A;u6=TeatbCUyBL6p8j7Jr-@*@r8`QiNZ+zHE8-PbW!UTG{}a-+4J;{w9x{F zv1~`*D=HEVGd6~lehPE$qj##9WXKN#^TBvT|+r#4LPmuXDbOPRr6Nzp%;J)6qxAlRK@h3fM2*T&dq%`7rNT~MFchPd zDxBFiQ)8!JaVb#AfInrlwxQM4Vu1B0_)mn1#O(%s=wM;+V$?jZxg5<`s`txCrt-MJ ze%AuKGx?Ua!_NRfH1It1VZ1Q}fcnvL4UXj^)_AM|a?sL{yLPy+Nh?pwfzy?{R-1`Z z0C(>C?jSvBUv~rcJ(9NDb7YW3m=iq89eAOe%Z&12D&sfw)0QyHOS5PTPH!%sH-c05EN_jHjAr5lnrgAyc zrlGS z?qm0lzkDKErXXu6ry@PXnZGkBmm~xh8H=f9s-?X`G*p^ip)g64FwHGgdyU@gsXp?k zKcRIQNQ4M0(ll4<$vZqAOICWOr=Q1OXxGkJTp2^?NiXT0SNJ~x1Cx*YQQg|FC%+UX zF1!oItGME%Q!XB3E(qm?ZK``jHyQ4K*%6-TZ2jZwcHVaWbL!2BKk#0hhsDqp9s+WR zmnfx6bjr2%B6l3df)O1yMO|wgYmdtUdy1dmTAeN32m1qDQWXW zJS;nM{BE-7sRN?^#$wiBUa00Dp(!+@p!A<5%bAQZv~)p-)Dttn|m-7&VRrT77;T5Jc-gAA6&!+PR*ZN+oGx(24p;t%c_o7sQN_GZ(I=Ar4hP8iy*_@eL2@TF2fKT>(B zlxy2H_-Fkq=fsLLtowYr$jyjL{!TGaQ%c``ha<4a(3$1#Ls81PL!22bZAZ?2Z|9Cm z%#d~3x;s^;`}9!h%|>ux0WbFX*JXN*+Ij^=v0TnPxf$K<%VW|i13qNpIbzn*e6(3= z0cy67AHVwDLMcx2d?dyTl5qUUo~jPRpk1g(y#Uy!0`Jvz6Z-P^6QXR6<=UB2*}AO8 zdLDnGD{B^5^*wf|GQYkmx|AnnrTAx8D`^B2nK08LIE=YJ$gr^*_dueMf7OL2m#b*< zrv6*}ux~~>I+6Ezby?dkH>(~*g=yzTP*rmkCb|v87x~=dV%J>NOmctCnqU`iAsWwj z|I2G$J3iWfJWw2Q(4#3eINaTil4KkCc>QzNPaMK%C&tI3MS)*CK9)_z{;d`Ery`+| zeK@MFW4Xd0mb^SRDs?on8^`p?g$g}58XsmCAL0Opc_?D4W!uAs-H9Z_4pjk6kR-P^ z^Gajx6xJAzwko5|W!(_gt|WX^{9VNTN6H_#rzu%aCukBgh^=~{Hmti*)e)5;fQ+1c z`9k;2Od&@=>XhY9a*FIZauKhrtYw;_r6cRz-V?SkVV-|Nn$y7?P}R! z#FP@yfE->E-+V;pl*)RF9<~9jU-rzC)BG0k=PkjAf=(;?4#K3g+r7xYfN1BunGc|E z90@VvmKIz(74Iz*uaSyHSL%g^>e$_6Jnp(wacK`*NsA{lf{JEvrwA7Msdkkif&$PK zK6dG#M_r$IBze8Z9GWejy!%ayLS_8i_zV;-|nP0?b-#WKYurlJdG_$^}T z#BMySTHM4q_pyEx-!v{Bn(_~?+=F1J(s{`oY{H(+nK!lYso$FM*z%EXo4tvgt7V~K zwz&%R9pgI;rongLJF7d6G3(dzi}dxC?2$0*#(WI5{;f$WZiP+pJVB8GvhWH=bwH|n zFydpp#xSnOXtQ4uR2a1V!;^D4ZcLMSjvAcL`C1eH5ctGqLmm=jASGPR0CU)h>tT(6J(IQ~abf z6DlCglnYX2-nF~Nk^?CDl!si2*|3rfBpR+J8j}<~d$ME1@-BB`sLEDGW%!L)Qu@mm zr#|}{d^an+8Y4t+k$pQtYh+${@lUvRm%O>72c&tdGcMfK0RnX9=J7QbFO#4)v+E}9h5 zvEw3pDPpm9xAuuTbIwvIEJ7eNbRgVDvzR0j*PIq^n0gH`jktI#{GayT!Yj(P?E}RE z13|?AK@dSex;qR)T99s}L>i@25m6+h8wCU;N4iU-5rmOJ8X0;B>1NLL=-%J^e(Rin z;H>pMYp?Av@x*;!9ls0pT!ygJj(J#4vBe>FDL9nxUdL-`ocUAkQ+@H#!g_DdI~GdX zT79zSp#f?M@}gQlkEM)TO7g}K@PBcNBnXLK0itKl`u@>t-%ZUQjln zyU_foxh~*w7$IPyIE089U(H(O&vduYtt^R!U?mL#jJY&0& zbS1*id?kZ|;T=;a$75R)$-zLKOmsk9l{zMWA>?ib=_^?-HL+gZyp2ocRxJ%W$Mbt0 zLy54id{gUDTH|@WSM(7Z9(?Y{_F6$=ZN&$pXX#ob$K=3tF<_Amsw)Ka0y%lU+MYF0 zs~i32a`WO8N|*X%qM@`oRH12XZUrfiSei&ZtQ=ZAoWD}H;9M0^Ll5g}YN@M;TVSPcZny=qf-@#>5AH(U*U)<+(>no&B35rhX zPh4kCyV=5u1FDbh|AUha)a>vmKzZ><5G(>@6XvKiL!89Zq&`CmXNJ|1KehVT( z()QGo*)5R?!yOF!B+zcdGq0{9y`*Q7_x2ov$h#-f4?E%?eL5!CIr_StpN6%rXE3qd zuhGAl&$sc)=1GeBz9&wvt?tpR66RTVzr*P0A#RMmh{BiRD1}&!Qjme+(LuZe>S2^& zOhaCJ`0<6>i);sb#Y>V@)-T*gJ~U3McTgAb#hK3r&*v(pV+Eyu#Uan*dBV*vBVL6H z0{?>oUS~+qG9+=DV$aen@!R8cCUcn7@wchwSi+^ZW z4xwG*z9;G-;vMSCHPbt9CYp+Apt7KWa1H&$Z-gR`<_h&0D*q*MIF-xbb{c%B8}0wOmu?BS{VJI<2xH zoQpvvLD5v1rO~{MBKE55wT^}SulQ7)jN}@~bwqK;KZ`P1ID6RanVAylxWu5VIJibc z{MVa}jgS6xk5A+wi6i6TwR-ZRQ|R;P2bohw6(Xmk>2ut*T(nP1SXe98Mc=U+ZpoW8 z7tp{6+hge2;ECfSB<4St%!n_5ho8ut>>_(=0|fdn)B5*%?kj?u^$j z@QF0n_qxgFqyaVYcaroisy{5qb+k0SI}>+T+(L&(uTk{gyv#{l?|HYYkfn5RaaalU zIgG$}L!F~C%Wxuw$w1S-G zIA8tETbw7yWK&B!(3$B*X5r#GWJ#=?4pIU>n#pMhCq9Vt zE$G2GeH^G3s~puTKht7_0R=J`UGmPmwODPS zR(s~|-NI=T?YHLOw>=Qsboi{a)jO-0VsOM-6xLdvSou&)RAXDI1LJR znkNMkgv57!=e~Mdf4KFN=bYPU{i2;(Xuv%yLOhdOfOITmW3)YPHuHSkptx?zN4I+E z2K0J6m3`%eR_X&}RFtVf$&4FR7x(DdhMpzMOBV-Ams{k!D@k!Q<&Oc%uLdt6gu))f zL(;DMnOLeXEi%k{I9Jy`r0|{Wfb*LYe)mEawz7lp1gHGGyf#YQ<|cm?hhiv{sY{5u zE#TKI)43bo{wW_lj(E35`UM|Z?vv)ur?>|-wXW2@d&>=T3xhO^7^<}T%XPaWkMYui znj8HYSP=VZBYWPMm__%@T*obe3N@v-pT9rjz_1gX&fv2nJ1|}58r1ueQPnYnbR*$5{V9t%8#?_^nA$?cs+AC*D}k|rqYSs zRMObla2`xD4W971lL}i(DdI;UOP7bN_$%UZ1A(oSjX@@hS%T;S7+-RaK&CZ5<>o^& z)6=>0VVZeg8-FpK^4H+@&ZW>PJd{BZv$@g4^aVZZVkx*11!yc)jWx`TXOlG9mU{|C zL~rc0W)@il`4&5?Pcj&;hqc_sd{-?kjx})WlOB4!m?=3r+ZOVsBuIlfirY2~Y?fR| z=6!n|Scjg5y1vjeCk{5+=jZJ?3ZajJX0+na@L3E3{Gb5M7k^fj{){4SafDN?^-N zQ~f;_3vqXwy_*61lgz(hVsgh+?9S^zzI*bQrDjVM9#RumFckqHGb?NBmB?Rg+E$Tm52l z4UPbM+C9S03U*NiS8W_lC@K+l2-|b#(V7~QS_!dV>*GG;da0C&t<3NA4YTCJj9kbY z8hcqC8oFA~QN@EHW*bnRiyCDndz{-BhQ8{xBT;30|wLL{{=cj_~xt-N@iHzi>M_SZ-&ZphtMK{tHFML$FLu$ zy+~?HO0omG?sDco2P;aQ@ zP5w61sbcO)3A4oj-4C1qkGVtlgLYHa4d=LwASPVo5Mx1sQe70m12IMwDeIw;1;W71Ge zsm9#!pdkM)ILXk;d%E_+p%z8v9N6I8Uic3X`uOn8ya?*x4x4ZA-gFuI^z~Xj7-c$r zjjkkAT)tx6Jlu*h#6|=3o2QMmQ@&oUuPh8X58u!yv@g-Q=IWLf8%_|im!C(53x2PL zKNX}1739&@T!V|HDy4Enc@FW`LQ$%Ybc}fYSGb;aW;1#ZUQ9yO%06_+S+KQ~R9CY~ zWEWY8dQHY~7+xhZBhd2TUCmP6_||guMyhFc&HQ%pIG8j&rzpP*=08oHEUBeIp{c(oaOPY*%H$twev){`OA7()S`fi%{n*~ zB|SXuH&=Ha66N*0L5o~$xk~=9SElw(?Mdr;q&RBW5dy4qLc+p;R1F(eTlU@WN}*B^ z^&_5FO3=MeXkeU)hOCAoAv9BvH&!|3>p(D$R@44!9R+S2`{fG^S#LfwUwE^b9%6`4 zPF%PUO!c;HX03oEX11pjKy0>0Qzg3B)=9~6@joo+ZxGn zP;~s*ZQBfN#QB@u4pcJIkyIKO?2pw(mZud^tC6nCWsm{|RJ7S^mrP$v1D$E3#haz^ z;{}&(!mD0>Dtl<#{Lvghg@TilqfZ(bqbx(A0*oOwQWcs!x3zf=*Bi=6C{lrx1P!dO zbtz?{cRWX3@3c5v4Sp5&F{)!Ku<22*3RFDj_F-G3iEih*=;BED=53N<$8}+tu-nrg z!O0H(HS;$B*~mz;ZBYMkg;S!?)|%+mr^8!8MricQ!XB2(Z>3-JUp&&>2NQB3W9 zC)i?tZnl+f0-V2nF;c=0+qpl*>kXRu*NH z0b^iKY!IPi?>kd5zVB`kwqaePZ?+Z%+07^|ar~;lfOD08PG68+zt0^y$-F+Is99f# zy;=!8*bMV=SA)r_$xT#BqE7t$3BHz6<6 z0hajT3dayjgz~73ZeDZ{(?D9mC{ zDav9NdN7BOk_lQXp)MjHr$hFp`GXegw4;y^+xZm0P_3x2+&{G**^TQ*`Egk)p6&4w zr%1(=%t0QkL7?!}CkE_S;j1FgUTZL4!j&54F8KE7$K8qvu|FRz93Cus*ADjllRW@1M>jB8fW8xxT(2)7R~P z>Sds=ggcMzZa(hvTd9i0L04E+)vRaU-qbjrM(FnmBCA;r-{0Pvr|Xbmb<+X6*WuCP zVd#a_LYXvy@QBbOn1y-;1~OumgX51xpUivuL#yp}DhMqtl)W`@ICQF%wAt`p<<68t zJ#s(Tb^2{2{$8MzR>Q9U*vnHYmzL&~Hp++E(Nry`$Wq;9qqw3W&J9W%bB?cY{aMpk zNeN%v5sH*Y1zN0^O>8s~72Nr8S#kHMFQoz_%UAuu6sQAdo`R=nmMk=orw^dpkb8vn z$iw;Fqb61kY0#FD-$=db_B|eDL~J-OL|ehh4jHQwh1B#2TIivX#B@TDC$6yQv9^^Q zj+hP0F;r+%>kT{MqQ3l07$X^%!oi)S)WIc!vuZ!v`eSG$Cg{pSNvNMgM)D+Q*N>gk zzw*8AgUm^ufu3eumDWz%X$KA>;A}8Sn(w$t){Iyyz4}CzSzBKIdFl3*#n##lmy*&_ zbDQ;C#klk4P|Z&IopLNEGLUbRss$3tJD%dTWwZCXH=1j>Yas(k%oaEEvE!H)kaP6+ z%Fj+;t6pIRS1*}XoU{_0izCH$rl;Q=2n3i>E8ccLME0={YRD}vE<$!!3upXQk;r~H zt^}NoFGQcKqjYJGVqF&;s9GLh$WwlmM)cX59#Rlkl5w3p{w#t`QIr~U+uf@@j{2Gw zr-(@Bbt}$GIL@&4c?f6?xVH0S+y`e(-$7PBZ7^WNLB&q;5mKER_S~W-N`@t-V{ZQZ zN{tkaur}?|HQKzJPeIH(u=IQVG7vgwpu;dW3buL_Z?ruq4bGNXD~A;jWuNc7i&aQM zowH)RyA|fN^KN@I{ffRS?~=G9^fI{Uj>zzn=#agFD%l_dSyYAs2{tIN2ko!vCzDH? zt$P! zT3WDam&|Td&L`($y=u(Gb4|DqXRR%)&2*xRz7^0!Ve0}XG!DP4m*Wipi9>kGJV-p? zJCcKRL|)-(5meikWJ%+b(;@y-zYk+0PBgiunh z3mezrYamV9%;AYv&6AdpK#fniBrfuO+gXhCO5x2Q%*XKJb-2=uyHkTRE;6C#!hBVp zQ~S5qH6S~zh8~XuwYkgEX5KS>h`|v;2GxBkyB*;-I+M=93(_o6a*CX?R?o1q8sDu3 zATW;-GNGuaEjlHmjCWs~R{Y&saN#8JRy)ZLQs#RG zE+-=tdy#S{`=@}$#u-#_ljR4_373p^3~#I?^F#@A$z7yfR;R5nKvAaA*K`%z&d|5` z=MDAYBq`FUy({!eGg8Q}ylXSft$H|@(yP^f0`N3JibI*W!{r$2?k~^8?2r-!%O2@8 zWBP!(_?=Y_q#mue#Xb4D!jqn+CV#%zJQ@KZ^L~qm&J>+;x3G+VO?PuJXw_eE#40eX z?NmE}q|epJDG2GEe<2H|90njPy)PY4l$jW9rw4KA5feY6Tk`SI#?> z_4zPpM=8D$EEtWMV%F^wNu0C_aW!-$Pwu9pDi`# ze|2?19tksX1Z@W_0U@rh1koks>kkt}AJ$eW&4(Yc_98q(QJPJ*JAZ0K zhI-9A$sJWt?lC3oVklnF5n%6?v4OJF`$$s3*(k{TtXp$nskBB_eKL+)Qx~Q6Zp$qF z2h14w{WMd)pk3y{h)hVyRytq z7IrXgOqoc{5inv;}nl4^xRWJ%S`dKUzz;H(KV5w7~b?E^U zG!28F(Yz}yUc>1{+;$qqcYuV&LK&#zkIvn_7)#Td!wknKhJ<??^_JErhdEV zT0OkH3J!z5n>l|%l*MKx2W7*8V8})%Gyu7Dj5AsW^RV$gq*?Gty5%>pTWwlHkBbYzwkj8F zG;l}BX~TObg#`o{$5?c{!!bWsFSSptl80aV;pAQmap6@zy94GrJFgV8ZD%|lzRjBf^GdGu-FJ}L-Rc~DY*Fj-38}{9IR{w~Ah7)Sl z@5Btz86_ta_it0LX?wemM0+rzZe1%>=^;$Hq*?0YG+F;4FPy|4CAa&U+6QJoQmsTe zRnNurp=dm>3_C*qM3mgz^&XiQM|f@^h0B;_*eEFE#R{Sf>!=T+9MI4s1(R3AF8wNV zJk)oTY-ol=SIo!I(db9~&{J?X5}*}t8l<`F5j(p*8;24+=!ohuq~NKi;aSnGP}yy*fpNhH1VZaPljM4b%lHHB z9W;IhfB2@hYYLCW@8b{03`JqguYR)IX5C?oPy9+<2_6@~aoB<<$2TEk306`d2Wx}P zN)1g&)yRSJ%Me;>y?%8$kYB>KFM-DToxqJ8w&U&cpNsW&zhxu-o~F?w*arDjC$F@+ z+S7014$*JLVfNDw-#dm|&eg*{1N2(nPuh$`!_&6J%j&F`TOOpI5_n-KYel^B!Q-9@ zQ|@cZhA~t`zSVcM+=gZP1<~F`=Q^0W1@H||x}W&Cu5Lp@Nc?bqVIggg20StxP7fxw zLvm=}$O;EJIFmXAZ_SAH4{nNW@`_qdi(*P<0~F8>+d=Cbb2g^Vq)3Um3WH_P6ajLkUk))3)O$cuZgb%X?OeF@R@*_b#reBWjNfIzg}J zx{SKX`22Dkty-=X8F<@p5h@iOtaqtB2Ow(IYDmLVZA!YT!m#vdB&K(Ild~|wzyrX$tGBANXBO2`k&Z*e9U>*iDVz0^Ah&3GXSqR=CeBh;1_sk;ofJBlf1D45Gnin9xhj|D2FH`P%wKF{&=?T ztu0LrO#ogAT=|2KQg9uC#fWHA*u7xC_E9zKykUbwB4u&Q@rkQr<)-6k)h z4WB;&&LgjTdH!5h;vE8$lVQj0`4g@wr*L!z-LEWL4|C8D`ymZOZfGI6uDE-F0lNiY zGCoQ7=>cD5c<86AowvcQjroO6FAcOMFWkmc(p7J{Z$!Gf`2DIeh6|?-Cem-l{96kE zOt0>B$Vf_4BP@a@LLg*l?5wwEV3`R7E`oz>NkYiqcj~t1P#U>?Pb@CKyCg#Zu|w5X^LoR z0BYFN)upkvxs|>j86SE^q{e_V?EXIOyL)S%csJ8OctHv${{!pN`J$+7h<-$0@5d0M zHbop4AO`JLPmeT7;a`I23qzfUE5vgCH>3<|l%ajSEnG#eMnJ;H#eu6c&aPWK%P4nn5iXJ$U=T?-ub`L zVqkdyXM*`Fq3qh)@|25mR(iK~ z0fCiall})*<|hm+{(Arbj~zA{U$U2bxy{PCYNW2(HKk68{(^NML_T~ILjHq@W8M%d zz`rjUof*|Gu(y|1H;tB4*UVCp8yWgZesBVA#JBCg;c(vFr*|Z!-Uh6uUunRQ>mx(F zF|+`-gaBjUJ$-O~Vfjd}eeBWyS|&P#EcNx)@jISAK8pboa`@jekjKm45Jq5A0E1~w zSz;|TH#a{&H(%O01%6)t@_!*M0V>jq3U0Zqjt==PZMJRfSQ-c# zUY@H0W=CKeAzQb$%fz z9a$}-TpIYlMv;#1?@GT^0FpV}ajEM|N2ISWMI%POoDGm=`WBp@!R?;wb%}|=U@MzD z+g93KIS@P~wExkUgC1*ZrftZ%G{TtthF-)W=VeM)3JHx;WyxV_cF;GO?i(05o{vz- z!+R3vM)j*j=FT9`f9^`D!55o?!pc=oA3W#=*e!)!9r%Eg0(J>7D*A>T{qAh>FNx); zJ-d1qKCsQSE!zW7r1s5nL3xmOb6aM*yHG+2^i_%c8OflTsna&~s~ zRPcd28h3Vl-xsM0yxWF<=HlSs?R^N7=Djvq0r>ML2Xg9&OqweYJpy1WrCpsHo1mL^ z4%dK9pYvUWw?Ur5f8Nyv4NC|lK&-5F&C8)1VfSZGg#s~tyrKYaj%)0g``~vDYgOkD z@~+iZt2-sg3X*-r$j6?bjp3ue@CK5G`#FaDtFVI-2a}l~!Io@>b+z@q?7YR7Sb*~D zC1;ZaMlATm1b#za#?E_dNPGsr((ThL+lLf;nmKI%;+Lx)d^6T~Oy3}xiUue4CQ=nN z7Jhq1!he7C7E0%!Sk+4>Yh4I|+7eN4f{}M;&cGlbKnsJ*g1RdrLwo`AMiFGFPc5O* zefOk*KY%QC`$KiF_Va-z_LL>i>RVn7>P1s5CwS2-BVEH??gOH?~4 zeq&T$&-4|tRSfg^@>q}G<2niK2Uli74krM>W3E_?MyCit8Uu*{Vq;{gko?z__uyp|ECYJ>grWRyb{M)y$ zB}}s;D?vAo9qwnUY+i7BFSfT2)`k!D!6Irw0U+`I2=QTS@6gEh_i#GoX#OyS0Oiot ztlLIzcsOhWz}jDcD!_*WE!;O-fki;_R)2>b3IoF-RC3-Bk!G>Ef8vH=lQfeXSAba6 znh>!9$2oy5ZAFVVpuntlP=^OoO=XAubvq+=bXlK~C4=1SP`?k??iqwbBBX#rO1GwG zz<-!U`5ZWF|EmJO{;KMb*Pqb273J~UsPGCMI7xFHU=ZvMu%&g>=%ZZS+~$@aArfmC z)a!Wjn!FcqB4Jqv(u4_z?_&Vh3o}$|R;G!gMwGK;>`jyEc>HDfto|%=*=o3~1pCGH zepp9%M&(WSKR-l5q97P1m+^;SIfPkTUyOK+vWfRmg-^#TK?bt|Lf})-tv(09!ju1M z_SYB`jkx=v^Z1Hi9-EKM_T0rqLRsrF;2vM?yQ#$HUy-b*gaoSY5Yd8ldA_h8e~z^6 zrPWn1rgycufwk&@C<Wr>}v_qQCOTm#CA;uq963bvhn*ZT&vUsiB06~!Mu^7c-)iG}Ohqk$3! zQuaOpg3!OfRgs6kLWeE7LEb5D4*qj@!`DHci-UoO2)AO@6)R1j&m|ii_)Qc#@zyFf z*yFJOz0a;Ty?Pmfg80sUQA1FJX9z z7N|K85o1-SEN{%w9Ky5$RUa?7^SXl_<>i`@BJY#1F>vxYe0N&ifm5U=@~jz0-f+h% z0$+&dsl6}y7vA6ZJS+{!(h8y-OThPh255#o2c!o+BwhzVn#wGFMqS?_@!aB{)cO}a z@Z1G6&W_5FB`{wYTNpvpa{Wz6!xijJ;9TI;dQfhG9Ui}4qBr!%6?#NfT~+`Z4_RCU zfbwIUriBGqV(@z(x0Np(@@Y^$>kYM>4*Fbh8cu1T%2HP+=gVy&)&D%S`4BL#;+RqE zPj1=Mw(4Vx&cOT|LOTGHhb%;7yfA$6w$Fc=K~|uQeGYzysgO@s!g9d_z*DN|BS8F| z4*&JNgxY~IADt|cFm}MMgxhYHXdPRhKu+fi7;^typ1^zn?2DPbZn!EalP!rgK*oXt zkfjjIt^1D(F_BLF6Zb`aQ`Q7_LuI`}*^rmh<`eHjF?}9}u=^li6W9BYJuZMUwSUk3 z=lg%qr~dn$dcpq~Wyt%!y8m@M$Q#3_$KJ31!?N)49JnA0py1GkK1fw;4I-?KB>(fE zzR9p@AXh)45b5!nP?rO_kAIJG4RDwK{R8>8?C5_?dgSl&OMlHb1gs4y3M<;SdE^WWl%!`>x+V2k{qXbnw&-e z@A3Bx`sEE00AI3bGAfgTNJlzgSAbi~9hdk$-MD#<{V8A$QLpcH93Qm?TL`o0jCCDo zHAIwYY@`dsAQ-&P64=Iq1D>a$-@oVssU&ehL8IR%dRAf37dzzNjNGFk`~^9&R?HW2 zNJ9Y%+rb9Fp2_OGZWLLrCR^=;pn(!7 zTmzggdmBjEz*3^;VCSs)tBQ-^F0ZvXPysBhTe2pqf5Z0!Kv**0l)M?I5RJ4=evIt> zRaROGuh(}wAg2zXfE(^1!xBw{)i7Z%8GaYN)qCvQGk zzG}o-KPIV;Q&_*{zE2Vi(Wpoqy`t+92T5q^^qydth{1IEEu?SBs*RAxioFPr#Tf*s z;&SP`#5e71ZRct00OSW?@mBOHY@b69EaX8M_CLK3)tdVvwTpuQX<^@$39Mbs*EA7Z zCOjrL5`yeVBR`Re-0TZ~;gsj!>dvLOjCpCc^g*Kf{jiri`)du@h!egMZIdw93Pm00 z6R!$zQ;EC{18ZQg*X=fO_{o6zB;zvx=Gy#%g3mYDUSOsr5Nc<2mba$=(xZeNx z`$qgK+DFj0`(p?v9Y<4cVh|2?{=V|k1Pq42Lqu@7U6!=;KB#N)rOB#yf zH)cplj&fO+=tRj$`9M7ag9jHlg`(Z)P=5#yvQj8e0%X)+4ptBcp`vGO&{ zKJ&|nbfmH{dQn1?9yHqdd2D~F3_KcmG{iy+jzBis(+6S~M*KU+cyr%1Zo?SAgAWt??@nyH3c!T7owkqS7jI>%77~|4 z?HU8r6DSmzPZ=@doZZ?R^WIy0TsAN;z}gY1I1ve$(wb*yY?bulGy2-xZEW&JY$ft^ z^`CZRC6YzbxAE)+DOD7*CcWs+8S~n0OOpxB_UyD5+;8gkKFqA!-}#o6B^wHWGz`iQ z2+7~>dXE7P7Nf|87u@8;8X6k&7LIbWJS57x&n!($(wG8SJ4CIqrhV##&Mq#xc^asG zk3w4wsumcX?B=#3*ex~AE9SZV`AH{)5OQ;WoDfaE*iujuC#ZPfT}N_lH!X~;th`)H zDkmm7y7pjm2#PtW1!bxnjXjf{v%TUQjK;5JK3!PjsN06SGq5l_Y~k?P*oiTOma4z^ zsPKSL&<%l2@QM=*5#u!XoSvD~ zeh~UhWg=O87;UBk3;nE0-@>3Pa`$I>L4m{i1c{lpvv86Ds;sE!=~X&9SEsXIM7yI@ z$G=Xw9sd5+IKSKs0&DJ>G)p}I?DurRG>@_YkioqPISk5~X<1a5ssf?TrN`36))Te0CJo8%D0{~_Qtdl3S zPTtjy7O)-uG$`j{|HQ!OV55hoh*duPW3qQ2Grv=CoJLMmMpl4L;vIFl3^^6UI&T`iFWTdjPS3&*J9es*s8(#OvwOkB+KeACF9fhLnyC9oSRyf{}#vf%3oS1b}4>)nE zA>rXeb^SPImbHx<4~|W-U}@}X6bqv;FWg~lf9>8p>OsVd+&)QL1T1v7|WB=<5tbR(>_)Qq+omakITu8*i z!U8b=Phb-Lv8fQF7t+cY%XnKGn`^=W9fgVS-=n_p%7%-2?{BZay8jNearX8LG655y zHrPs1eYTahU>PdvUll*Du*!x*QIV*PYVc^~o7BgE>FEFTWNod>a(~^v`bDYb;-TeY zwk<+}+q1{be93s+bDACsGo+3!gY?GO*|@JZoB}1IE(C<);_RHv%J@)>m>(A#*^}ET zakxTCIwVLp|Dm%-c_EeQDluUUyMFeduCA_jbkdjKCm(7@Ut!n#^yM@RtWtmVj!ZLp zDqTKie#&lD)KE`P^qeHjnV_VkRL`JY6`*JQIJVr+a*LoCkZU7;C49YOACT%h8d;Y4m$|3Px591R+AzO6bYZHILt)QVD zZCAY_-FKOLeBqNHH?%K1Ic>~#A$J$p4upFqj8l9g>g}pjP}^+ZN>4vsnpje;(0Qk( zTovVLZaH+Z@Qm~eKx4oC&YKg)x6L%nj?~Q47DN)0LCzSL&_iSp<#z?tZ?;IsH}kdc zkqQURoC+|ZW+MgVy>P^$1$h7cKqfl|1}qAU_M9t?ii*lEsIC?r2(veU%!o#?Xm_a6 z;*6U?fXTdaLx&a={OIe8*(*=qmSX@Y?3(!|XluK!Ad$FE;Hx?M7nd~a-GpHNWiC&hx!mC3;A}1d0hcFfUWnR@y2$vz{_Pj6XvQ>w5<~J3A)MuN*)lIJI7v4VNW3A>H}y8+U1ZGz72iZ{Kh%bB?;I3Lqx(3 zSy?&BF$AWfmWJc@IPe>xE=!5)-@%btFaT+`%pgWMeu*bOysdB{PCz4^e#MrGF_nGr zyp#&eN%uZ*kIzW!?j`hVn4X>nh#@B|tStCzZ9!4>KO%TKxG$LrYJ*q?PFJ~jQ&#ob zt~8x5w~_Z{Mon~_IkCwBIj6-(b*YaZae zS|lDX)VW=~(oEU+OO5>P!v`0eo^$IsQ1$mSz-X!U$)$FGGM9C)1lEqF(Hg6sbfat6 z+~CrK%i;$g0m0|zVS>xp-u(M06PQ5PXVw3z@mK%WQlIYOdW?jw-zgxK*Xc0?u4dLY zHW0eR=4M3Fzw!81FZ7_saCGij$isv@^xS=Ndw%$^%4L~aEEp@uA3*Uwm1#a*`lG4f z3AbcB8=GM2t?Y2>sGdlLXft56d_BPvvfdBZ}5=A+c?P|&oS zh6gO=CA9M4B5B>&;gDg@Y2LmVV8u)Aei+DUWUp=b)rsL(g0tWoCY#weqEpDpqCe(vZL?` z*FamyyQh}xwclV)yZZN5x9IksOJ>YFdAiF!+jkDIV5xQEEjPdGkBPdkgN^a=i5-3s z6$s(5-`VH>PS*5YTZV@M&dokhsyf*GGNfKPl^_%9z1P!1x-^Dz4$d%;F5-Ldv(q%i zqA6YX*&u4}fK;N@ZbUd~3hhO;AKRI>}&?t&Z4z6#7F6sH1rxqV>Y`zPAx z%aa1egqSv$-vEQ(m)Vz zv<{;S#2S<`*NQ)W`DB0+kdQFE*whvpy4Ep_^{+u2Bg0@50P84T-}tt9~UM5TtKR`rind zr*b%bKs1i2!;zC*4X>fQdvFLj`T6-LBbiKr!k*_^9Fk{X!P7d1fxUnMVN7;9ML0b) z*vJG;3gQ+Nl$B|){S%jrmbf(RloV@#yzy%zTgjMT6P=xVG~V_gQw{N}nrTC023oIE zXLCec5Y}n37y%_*>$d($sja%^v(em5U=>=#xPmnilMQF(;GpSAVV+Zwx{SeKE?>EV zyAP_w{NN@Cr!+2qxoERRXOY0vR3^}m5KN2kg4hU+*o7{Nr=boWR>r?%f}8C|y-*<) zKUQ_ivZJB^M`IK5#}K+uk96}e{$(hU`8_y_fZ&w7tmGZF{qeDYMxbCyk^or34R-~V zi%{MHK}$dMK8UmNn}4~heoYp=zBE#W*stCTU>aO{2O5eGD&0fx)57fQnVpo9d*dgk zsX3PCORQq>&Qti&s;%)uKju}(o%X1l{(OVPxU4FkNm%n0QTnctPJ1oPprT|Kkga49ZUg$B#j$z)O!e)wWF68R0zz8HQ)uPtvIK0x3%e~UTi4d zr$|!N?B9pg)zQhma0+I@YirnrVqLAQpeCqK}v@ah&md}aqMW0i|47ta#FIXCp`?GSe>A$zuxq z6UV^x_No>QBqk&PNrzy06?4SF?BOK022WDfADNsfu`YrWmq|!Y_8t^Cck~ZsZ2z+* z$GJ)i$9_ZIT5_R{y()Zx6l25=u-H~oqyCi zyu5z$|Gob3w(s@7OaU(mU}ErJ6$`Kb@8o~&oBvyu|KV0xivOdQ|6?K`gFnar&t%IN a{4qYIgRZ+hM?NFBFDs=anSa;l#s35R{>cCU literal 0 HcmV?d00001 From f95613a18e36e930df41d9639c0f2ba211105812 Mon Sep 17 00:00:00 2001 From: Chris Date: Mon, 5 Jan 2026 15:05:37 -0500 Subject: [PATCH 33/58] interim commit --- docs/enhanced-sec-key-mgmt.md | 1 - docs/ssr-chassis-manager.md | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/enhanced-sec-key-mgmt.md b/docs/enhanced-sec-key-mgmt.md index 5a2d9cb9a5..f741be7bdf 100644 --- a/docs/enhanced-sec-key-mgmt.md +++ b/docs/enhanced-sec-key-mgmt.md @@ -262,7 +262,6 @@ ML-KEM cryptography is configured under `key-exchange-algorithm` and has the fol | `diffie-hellman` | Use the diffie-hellman-key-size parameter to define the key size to use. Possible values in order of increasing security strength and decreasing performance are 1024, 2048 or 4096. | | `diffie-hellman-ml-kem` | Use this parameter if you require hybrid mode cryptograhy. This employs both methods of encryption for greater security. Be aware that there is a performance impact with this selection. The above values are used and set individually in the configuration. | - **ML-KEM Example** The ML-KEM key size values are as follows: diff --git a/docs/ssr-chassis-manager.md b/docs/ssr-chassis-manager.md index 184613edaa..1ed005db14 100644 --- a/docs/ssr-chassis-manager.md +++ b/docs/ssr-chassis-manager.md @@ -7,7 +7,7 @@ The SSR400 and SSR440 support an integrated Chassis Manager to help monitor conn ## Chassis Manager -Interaction with the Chassis Manager is performed through CLI commands and button presses on the front of the SSR400/SSR440 chassis. Components include the LED Manager and Temperature Manager. +Interaction with the Chassis Manager is performed through CLI commands and button presses on the front of the SSR400 and SSR440 chassis. Components include the LED Manager and Temperature Manager. ### LED Manager From d384a94b2bf18e632091a57da22458d2a4b8adaa Mon Sep 17 00:00:00 2001 From: Chris Date: Tue, 6 Jan 2026 15:43:46 -0500 Subject: [PATCH 34/58] Iain B review, other input. --- docs/config-custom-certs.md | 2 +- docs/config-factory-reset.md | 22 +++++++++++----------- docs/enhanced-sec-key-mgmt.md | 4 ++-- docs/release_notes_128t_7.1.md | 4 ++-- docs/sec-disable-ports.md | 8 +++++--- docs/ssr-chassis-manager.md | 4 ++-- 6 files changed, 23 insertions(+), 21 deletions(-) diff --git a/docs/config-custom-certs.md b/docs/config-custom-certs.md index 6a7c164924..c863361ed2 100644 --- a/docs/config-custom-certs.md +++ b/docs/config-custom-certs.md @@ -166,7 +166,7 @@ Store the value of the token in a file called `token.txt` for use later. ### Issue a Private-key Creation Request :::important -It is necessary for all of the following REST APIs to use the name `custom_ssr_peering` in order for this private key and certificate to be visible and usable by Enhanced Security Key Managementin 7.0. This is a reserved name specifically used by Enhanced Security Key Management. +It is necessary for all of the following REST APIs to use the name `custom_ssr_peering` in order for this private key and certificate to be visible and usable by Enhanced Security Key Management in 7.0. This is a reserved name specifically used by Enhanced Security Key Management. ::: The goal of this workflow is to ensure that the private key of the SSR never leaves the SSR. To do so, we need to instruct the SSR to create a private key. To accomplish this, we provide the SSR some details, including: diff --git a/docs/config-factory-reset.md b/docs/config-factory-reset.md index c8fa76204d..56767b50c6 100644 --- a/docs/config-factory-reset.md +++ b/docs/config-factory-reset.md @@ -11,7 +11,7 @@ sidebars_label: Factory Reset The SSR software, SSR1x0, SSR1x00, and SSR4x0 series provide the ability to reset to factory defaults. The SSR software and SSR1x0/1x00 devices use a software reset to return to the original factory defaults, and remove customer configurations. -The SSR400 and SSR440 provides software-activated reset as well as a reset button on the device. With the reset button, you have the option of resetting to a previously defined golden configuration, or reset to the factory configuration and perform a secure zeroization. +The SSR400 and SSR440 provides software-activated reset as well as a reset button on the device. With the reset button, you have the option of resetting to a previously defined rescue configuration, or reset to the factory configuration and perform a secure zeroization. Use the information below to determine the best option for your deployment. @@ -20,7 +20,7 @@ Use the information below to determine the best option for your deployment. The SSR400 and SSR440 devices are equipped with a reset button to perform the following actions: 1. Press and hold for 1 to 4 seconds to **reboot** the device. -2. Press and hold for 5 to 15 seconds initiates a reset to a **rescue, or golden**, configuration. +2. Press and hold for 5 to 15 seconds initiates a reset to a **rescue** configuration. 3. Press and hold for 16 to 30 seconds initiates a reset to the **factory default** configuration. Holding the reset button for longer than 30 seconds cancels any of the button press actions described above. @@ -31,11 +31,11 @@ This action is the standard system reboot, often performed as part of troublesho ### Reset to the Rescue Configuration -Press and hold the **Reset** button for more than 5 seconds but less than 15 to load and commit the rescue configuration. The rescue, or golden configuration is used as a manual fall back if the device configuration becomes corrupt or is unable to establish communications with the network. +Press and hold the **Reset** button for more than 5 seconds but less than 15 to load and commit the rescue configuration. The rescue, configuration is used as a manual fall back if the device configuration becomes corrupt or is unable to establish communications with the network. -Note that if a golden configuration has not been set, holding the reset button for 5-15 seconds does nothing. +Note that if a rescue configuration has not been set, holding the reset button for 5-15 seconds does nothing. -The rescue, or golden configuration is set via API at onboarding. For information about using the API to generate a golden configuration, see [Create a Golden Reset Configuration](#create-a-golden-reset-configuration). It should be noted that in an HA configuration, if one node is reset to the golden config, the other node (standby node) will receive the same golden config from it's HA peer. +The rescue configuration is set via API at onboarding. For information about using the API to generate a rescue configuration, see [Create a Rescue Reset Configuration](#create-a-rescue-configuration). It should be noted that in an HA configuration, if one node is reset to the rescue config, the other node (standby node) will receive the same rescue configuration from it's HA peer. ### Factory Reset @@ -101,9 +101,9 @@ A log file of the platform cleanup operation is written out to `/tmp` while the ### Additional Security - Zeroization Process -When equipment is discarded or removed from its operational environment, the following process can be used to ensure there is no unauthorized access possible to sensitive residual information (e.g. cryptographic keys, keying material, PINs, passwords, etc.) on SSR network equipment. +This process is for use with SSR Software and SSR1x0 and SSR1x00 devices. -This process is to be used with SSR Software and SSR1x0 and SSR1x00 devices. +When equipment is discarded or removed from its operational environment, the following process can be used to ensure there is no unauthorized access possible to sensitive residual information (e.g. cryptographic keys, keying material, PINs, passwords, etc.) on SSR network equipment. For the certified SSR platforms, all software and configuration reside on the SSD hard drive `/dev/sda`. Use the following procedure to zeroize/erase the SSD hard drive. @@ -131,9 +131,9 @@ For the certified SSR platforms, all software and configuration reside on the SS The system is wiped of all information, and is no longer operational as an SSR. If the system is to be reused in future, perform the ISO installation process. -## Create a Golden Reset Configuration +## Create a Rescue Configuration -The following API allows an administrator the ability to create a configuration snapshot to be used as a golden configuration for routers should they experience a catastrophic failure or become corrupt. This configuration is generated at the router level, and then imported by the Chassis Manager during a reset operation. +The following API allows an administrator the ability to create a configuration snapshot to be used as a rescue configuration for routers should they experience a catastrophic failure or become corrupt. This configuration is generated at the router level, and then imported by the Chassis Manager during a reset operation. #### Endpoint: @@ -141,7 +141,7 @@ The following API allows an administrator the ability to create a configuration #### Purpose: -Exports the current configuration (running or candidate) to a predefined golden config file that can be later imported. +Exports the current configuration (running or candidate) to a predefined rescue config file that can be later imported. #### Authentication & Authorization: @@ -164,7 +164,7 @@ Request Body (JSON): #### Behavior: - Automatically uses the filename `_golden-config` (predefined, not user-specified) -- Always overwrites any existing golden config file +- Always overwrites any existing rescue config file - The export is directed to the active node - Creates a configuration export file to be imported later diff --git a/docs/enhanced-sec-key-mgmt.md b/docs/enhanced-sec-key-mgmt.md index 6f51f213bb..58239948c3 100644 --- a/docs/enhanced-sec-key-mgmt.md +++ b/docs/enhanced-sec-key-mgmt.md @@ -12,7 +12,7 @@ sidebars-label: Enhanced Security Key Management Security is a critical component of [SD-WAN (software-defined wide area network)](https://www.juniper.net/us/en/products/routers/session-smart-router.html) products in today’s market. [The SSR (Session Smart Router)](about_128t.md) offers several means of ensuring the integrity of data transmitted through the router, such as encrypting application payload content, encrypting SVR (Secure Vector Routing) metadata, and authentication for metadata. -As an example, let's look at the needs of a financial institution. They have to keep transaction traffic secure. If not, the results are catastrophic for both the instution and the individual/companies whose transaction gets hijacked. SSR technology uses SVR along with Enhanced Security Key Management, allowing you to configure unparalelled security without the increased packet size, fragmentation, and increased transaction time [common with IPSec](about_svr_savings.md). This design creates maximum scale, avoids mid-network re-encryption, and provides the ability to rotate keys as required. +As an example, let's look at the needs of a financial institution. They have to keep transaction traffic secure. If not, the results are catastrophic for both the institution and the individual/companies whose transaction gets hijacked. SSR technology uses SVR along with Enhanced Security Key Management, allowing you to configure unparalelled security without the increased packet size, fragmentation, and increased transaction time [common with IPSec](about_svr_savings.md). This design creates maximum scale, avoids mid-network re-encryption, and provides the ability to rotate keys as required. The following diagrams show simple examples of how Enhanced Security Key Management can be deployed. @@ -260,7 +260,7 @@ ML-KEM cryptography is configured under `key-exchange-algorithm` and has the fol | `key-exchange-algorithm` | The algorithm to use for exchanging keys between peers. Algorithm types include: `diffie-hellman`, `ml-kem`, or `diffie-hellman-ml-kem`. | | `ml-kem` | Use the `ml-kem-key-size` parameter to define the key size to use. Possible values in order of increasing security strength and decreasing performance are 512, 768 or 1024. | | `diffie-hellman` | Use the diffie-hellman-key-size parameter to define the key size to use. Possible values in order of increasing security strength and decreasing performance are 1024, 2048 or 4096. | -| `diffie-hellman-ml-kem` | Use this parameter if you require hybrid mode cryptograhy. This employs both methods of encryption for greater security. Be aware that there is a performance impact with this selection. The above values are used and set individually in the configuration. | +| `diffie-hellman-ml-kem` | Use this parameter if you require hybrid mode cryptography. This employs both methods of encryption for greater security. Be aware that there is a performance impact with this selection. The above values are used and set individually in the configuration. | **ML-KEM Example** diff --git a/docs/release_notes_128t_7.1.md b/docs/release_notes_128t_7.1.md index 97348b3040..e59a953f49 100644 --- a/docs/release_notes_128t_7.1.md +++ b/docs/release_notes_128t_7.1.md @@ -63,8 +63,8 @@ These release notes are Beta only and are in progress. They are furnished to hel - **I95-58959 Secure Conductor Onboarding:** Secure Conductor Onboarding (SCO) provides the ability to onboard a router to a conductor ensuring that each device proves possession of a private key, and that the connection is trusted and authenticated. For more information, see [Secure Conductor Onboarding](sec-conductor-onboard.md). ------ - **I95-54248 Smart OS Download:** The SSR download process is now configurable, to provide better recovery and control over software downloads when a network connection fails. To improve resiliency against these network connectivity issues, the SSR queries available versions from all sources before beginning the download. If a request to a source fails, the SSR moves on to the next source. See [Smart OS Download](config-smart-download.md) for more information. - - +------ +- **I95-60209 ML-KEM support [FIPS-203]:** ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) is a cryptographic protocol used in post-quantum cryptography to securely exchange keys over public channels. This level of protection offers security against both quantum and classical adversaries. On the SSR, ML-KEM can be used alone, or in conjuction with Diffie-Hellman as a hybrid approach to peer-key exchange and encryption. For more information, see [Post Quantum Cryptography Support](enhanced-sec-key-mgmt.md#post-quantum-cryptography-support). ### Resolved Issues diff --git a/docs/sec-disable-ports.md b/docs/sec-disable-ports.md index aec275eb0b..9b68c5a8c9 100644 --- a/docs/sec-disable-ports.md +++ b/docs/sec-disable-ports.md @@ -37,7 +37,7 @@ config authority router router1 node node1 reset-button-enabled true ![Disable ports from the GUI](/img/sec-disable-ports-gui.png) :::note -Changes made and committed require a reboot to enable or disable. +Changes made and committed require a reboot to take effect. ::: ## How It Works @@ -60,7 +60,7 @@ See [Uninterruptable Boot Process](#uninterruptable-boot-process) below for impo ### Disable Firmware Recovery -When disabled (set to **false**), the boot firmware `Press Esc to boot from USB` option and the image boot menu are prevented. The configured active boot image will be auto loaded; no recovery paths are available in the event of a boot failure. +When disabled (set to **false**), the boot firmware `Press Esc to boot from USB` option and the image boot menu are prevented. The configured active boot image will be auto loaded; no recovery paths except system zeroization are available in the event of a boot failure. See [Uninterruptable Boot Process](#uninterruptable-boot-process) below for important information. @@ -68,7 +68,9 @@ See [Uninterruptable Boot Process](#uninterruptable-boot-process) below for impo This feature is configured on the SSR400 and SSR440 by setting **both** the Serial Console Port and Firmware Recovery as **disabled**. When configured, it means that a failed upgrade will not allow the user to select the image on the other volume (since the Console port is disabled, no user input is possible). -If **both** the Serial Console Port and Firmware Recovery are disabled, and an incorrect or empty IP address is configured for one of the Ethernet ports (or system boot repeatedly fails for any other reason), use the Fail-Safe Restore process for recovery. +If **both** the Serial Console Port and Firmware Recovery are disabled, and an incorrect or empty IP address is configured for one of the Ethernet ports (or system boot repeatedly fails for any other reason), use the push button to [Reset to the Rescue configuration](config-factory-reset.md#reset-to-the-rescue-configuration). + +If the Reset Pushbutton is also disabled, the [Zeroization process](config-factory-reset.md#ssr400-and-ssr-440-zeroization) or RMA to Juniper are the only methods available for recovery. **It is strongly recommended that recovery not be disabled on production units until post-deployment boot has been successfully validated.** diff --git a/docs/ssr-chassis-manager.md b/docs/ssr-chassis-manager.md index 1ed005db14..188b50f40a 100644 --- a/docs/ssr-chassis-manager.md +++ b/docs/ssr-chassis-manager.md @@ -93,9 +93,9 @@ The following `show` commands allow you to see the chassis status from the CLI. | `show chassis hardware` | Reports the hardware SKU, CLEI, revision (rev), and serial numbers from `/sys/kernel/leopard_idprom`. | | `show chassis firmware` | Shows CPLD and boot firmware versions from `/sys/kernel/leopard_cpld/version` and `/sys/devices/virtual/dmi/id/bios_version`, respectively. | -### Power Supply Adapter LEDs +### DC Power LEDs -The Power Supply Adapter LEDs are not managed by the Chassis Manager, but the LEDs are used to indicate status. +The DC Power LEDs are not managed by the Chassis Manager, but the LEDs are used to indicate status. - Steady Green: Receiving power - Off: Power failure or no power From 3955dd47bfb4b8df17b3b70f4dcb04ccec87b235 Mon Sep 17 00:00:00 2001 From: Chris Date: Fri, 9 Jan 2026 15:17:15 -0500 Subject: [PATCH 35/58] adding review input/feature updates. --- docs/sec-conductor-onboard.md | 23 +++++++++-------------- 1 file changed, 9 insertions(+), 14 deletions(-) diff --git a/docs/sec-conductor-onboard.md b/docs/sec-conductor-onboard.md index e5bb6bbeca..dbf929b2c7 100644 --- a/docs/sec-conductor-onboard.md +++ b/docs/sec-conductor-onboard.md @@ -12,6 +12,7 @@ When a router has SCO enabled, asset-id based onboarding is disabled. Ports 4505 - The `secure-conductor-onboarding` must be enabled - The `secure-conductor-onboarding public-key` field must be configured - The `secure-conductor-onboarding ca-certificate` field must be configured +- The conductor nodes must have asset-id's configured To provide a secure and mutually authenticated onboarding mechanism, the following information must be configured. @@ -23,7 +24,7 @@ The public certificate and CA certificate are configured on the conductor at the ## Basic Configuration -The following information are the required steps to configure and use Secure Conductor Onboarding. For details about any of the commands and steps, see [How It Works](#how-it-works) +The following information are the steps to configure and use Secure Conductor Onboarding. For details about any of the commands and steps, see [How It Works](#how-it-works) - Configure the Conductor where the router will onboard. - Configure the conductor to accept the router. @@ -47,7 +48,7 @@ Only RSA keys are supported at this time. - Enable ssh-only for asset resiliency. `configure authority asset-connection-resiliency ssh-only true ` -- Enable SCO for each router. +- On the conductor, enable SCO for each router. - For devices with a built-in dev-id certificate ``` config authority router router1 system secure-conductor-onboarding mode strong @@ -60,17 +61,14 @@ Only RSA keys are supported at this time. config authority router router1 node node0 secure-conductor-onboarding endorsement-key (text/plain) ``` +Configuring a pre-shared-secret is an optional parameter. If one is not specifically configured, it will be automatically generated. + :::note To read the EK from the public cloud instance, run `tpm2_readpublic -c 0x81010001 -f DER -o /dev/stdout -Q | base64 -w0` and configure the contents in the endorsement-key field above. ::: -- Disable salt state on conductor. - ``` - /usr/bin/firewall-cmd --permanent --remove-port=4505-4506/tcp - ``` - :::note -In the current beta delivery (7.1.3-1r2) this step must be performed to disable ports 4505 and 4506 so any devices not using this feature will fail to onboard to the conductor. +Ports 4505 and 4506 are automatically closed after SCO is enabled on the conductor and the conductor is restarted. ::: - Create the SCO token on the conductor. @@ -101,10 +99,9 @@ Once the secure SSH tunnels are established, the SCO workflow concludes. All fut ### Known Caveats -- During SCO onboarding of the router in an HA deployment, both the conductor nodes should be online and able to talk to each other. - Once SCO is enabled on the HA conductor, both conductor nodes must be restarted. -- Only RSA key-based certs are supported on the conductor at this time. +- Only RSA key-based certificates are supported on the conductor at this time. ## How It Works @@ -118,11 +115,9 @@ The following parameters are required, and are configured at the Router level. - `disabled`: Default is true, must be false to enable. - `psk-only`: Configured on devices with no TPM, but which require the Secure Conductor Onboarding workflow. -- `weak`: This setting enables SCO but allows the router to use a self-signed certificate. This conductor will skip the CA certificate validation for this router. +- `weak`: This setting enables SCO but allows the router to use a self-signed certificate, and can be used on devices with no TPM. Generates a self signed certificate per authentication attempt for non-TPM devices. For TPM devices, the certificate from the TPM is used. The conductor does not verify that these certificates are signed by a CA. - `strong`: On SSR devices manufactured with a device ID (SSR400/SSR440), `strong` mode ensures that the asset-id matches the serial number field in the subject line of the router’s public certificate. For vTPM workflows, the router’s endorsement key must match the `endorsement-key` configuration. -`configure authority router system secure-conductor-onboarding pre-shared-secret` - ### Conductor Configuration To enable this feature on the conductor, verify the following: @@ -169,7 +164,7 @@ router min-router exit ``` -If any checks fail, the `create system connectivity` command returns an error explaining why. This command can be run as many times as needed for each node. All information to form the token is present in the configuration. +If any checks fail, the `create secure-conductor-onboarding token` command returns an error with an explanation. This command can be run as many times as needed for each router. All information to form the token is present in the configuration. The CA certificate is read from disk at the location given in `secure-conductor-onboarding ca-certificate`. From a507ba4e5c005778b47c4da11612aa91a4024fee Mon Sep 17 00:00:00 2001 From: Chris Date: Fri, 9 Jan 2026 15:47:15 -0500 Subject: [PATCH 36/58] clarification and missed comment addressed. --- docs/sec-conductor-onboard.md | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/docs/sec-conductor-onboard.md b/docs/sec-conductor-onboard.md index dbf929b2c7..0b12c5125f 100644 --- a/docs/sec-conductor-onboard.md +++ b/docs/sec-conductor-onboard.md @@ -68,7 +68,7 @@ To read the EK from the public cloud instance, run `tpm2_readpublic -c 0x8101000 ::: :::note -Ports 4505 and 4506 are automatically closed after SCO is enabled on the conductor and the conductor is restarted. +After SCO is enabled on the conductor and the conductor is restarted, ports 4505 and 4506 are automatically closed. ::: - Create the SCO token on the conductor. @@ -114,7 +114,6 @@ The following parameters are required, and are configured at the Router level. `configure authority router system secure-conductor-onboarding mode` - `disabled`: Default is true, must be false to enable. -- `psk-only`: Configured on devices with no TPM, but which require the Secure Conductor Onboarding workflow. - `weak`: This setting enables SCO but allows the router to use a self-signed certificate, and can be used on devices with no TPM. Generates a self signed certificate per authentication attempt for non-TPM devices. For TPM devices, the certificate from the TPM is used. The conductor does not verify that these certificates are signed by a CA. - `strong`: On SSR devices manufactured with a device ID (SSR400/SSR440), `strong` mode ensures that the asset-id matches the serial number field in the subject line of the router’s public certificate. For vTPM workflows, the router’s endorsement key must match the `endorsement-key` configuration. @@ -202,10 +201,3 @@ The conductor’s current date/time is used to validate the expiration. If the c - Update conductor certificate: When the conductor certificate expires and a new certificate is installed, all existing tokens signed by the old certificate are no longer valid. The details of how to update the conductor certificate follow existing supported procedures. - - - - - - - From e51a34b86a397b0536a8b7deee7b860c3b65cfd6 Mon Sep 17 00:00:00 2001 From: Chris Date: Mon, 12 Jan 2026 15:38:48 -0500 Subject: [PATCH 37/58] feature updates for Swift beta drop of 7.1.3-r2 --- docs/config-smart-download.md | 6 ++++ docs/enhanced-sec-key-mgmt.md | 60 +++++++++++++++++++++++++++++++++- docs/release_notes_128t_7.1.md | 14 ++++---- 3 files changed, 73 insertions(+), 7 deletions(-) diff --git a/docs/config-smart-download.md b/docs/config-smart-download.md index bbead5f8ee..1cad503d44 100644 --- a/docs/config-smart-download.md +++ b/docs/config-smart-download.md @@ -33,6 +33,12 @@ To improve resiliency against network connectivity issues, the SSR queries avail Only when the SSR has tried all available sources and reached the consecutive failure threshold on each is the download considered **failed due to connectivity issues**. In that case, an error is reported and the download stopped. +### HA Download Resiliency + +If the HA Conductor acting as the repository fails during the download, the download automatically switches over to the second conductor node. The process continues downloading from there, even if the first conductor node comes back online. + +If an HA Router fails during download and another download is requested after failover to the second node, a new download is begun. If the router returns to the original node and then resumes the original download, it will resume from where it left off. However, if the original node experienced a catastrophic failure where the shutdown was not clean, a new download is initiated. + ## Resumable SSR Download Downloads can be paused manually using a CLI command, or automatically paused if the connection fails. When manually paused, the process can be continued by manually restarting the download. In the case of a failed connection, the SSR will automatically resume the download when the connection is restored. In both instances, the download resumes from the point where the download was stopped. diff --git a/docs/enhanced-sec-key-mgmt.md b/docs/enhanced-sec-key-mgmt.md index 58239948c3..160ef89393 100644 --- a/docs/enhanced-sec-key-mgmt.md +++ b/docs/enhanced-sec-key-mgmt.md @@ -210,7 +210,7 @@ config authority enhanced-security-key-management true - + router RTR_EAST_CONDUCTOR name RTR_EAST_CONDUCTOR @@ -233,6 +233,64 @@ config inter-node-security internal ``` +#### Key Exchange Algorithm Router Override + +The key exchange algorithm is set at the Authority level, and all existing sessions and keys remain in use until the next key exchange cycle. Any change to the selected algorithm, such as the key-size, will impact the existing environment. + +If an administrator selects a new algorithm, you must be certain that all routers/peers in the authority are on the correct version, otherwise new session creation will fail. + +To address this use case, a router/peer-path override has been added to enable the transition to a new algorithm within authority. At the router level, configure `key-exchange-algorithm-override`: + +**ML-KEM Example** + +``` +configure + authority + router + key-exchange-algorithm-override + ml-kem + ml-kem-key-size 1024 + exit + exit + exit + peer + key-exchange-algorithm-override + ml-kem + ml-kem-key-size 1024 + exit + exit + exit + exit + exit +exit +``` + +**Hybrid Example** + +``` +configure + authority + router + key-exchange-algorithm-override + diffie-hellman-ml-kem + ml-kem-key-size 1024 + exit + exit + exit + peer + key-exchange-algorithm-override + diffie-hellman-ml-kem + ml-kem-key-size 1024 + exit + exit + exit + exit + exit +exit +``` + +The `diffie-hellman-key-size` can also be specified, or it will use the default value of `2048`. + ## Post Quantum Cryptography Support ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) is a cryptographic protocol used in post-quantum cryptography to securely exchange keys over public channels. This level of protection offers security against both quantum and classical adversaries. diff --git a/docs/release_notes_128t_7.1.md b/docs/release_notes_128t_7.1.md index cb8cde69e4..1f296b291d 100644 --- a/docs/release_notes_128t_7.1.md +++ b/docs/release_notes_128t_7.1.md @@ -71,21 +71,23 @@ These release notes are Beta only and are in progress. They are furnished to hel ---> - **I95-48934 Configuration Integrity:** SSR Configuration Integrity protects authentication credentials, keys and certificates, network topology information, and other pieces of sensitive SSR configuration from unauthorized access when the system is powered off. It prevents network and SSR operations from executing when the system is determined to be in a compromised state. To learn more, see [Configuration Integrity](concepts-config-integrity.md). ------ +- **I95-54248 Smart OS Download:** The SSR download process is now configurable, to provide better recovery and control over software downloads when a network connection fails. To improve resiliency against these network connectivity issues, the SSR queries available versions from all sources before beginning the download. If a request to a source fails, the SSR moves on to the next source. See [Smart OS Download](config-smart-download.md) for more information. +------ - **I95-56719 Conductor Scaling:** Several improvements have been made to increase the scale of conductor managed router/node deployments, as well as the reporting of router information, and the efficiency of the device communications. The conductor can now manage up to a combination of 5000 nodes and routers. It should be noted that there are scaling limitations, such as a reasonable configuration complexity. Improvements to web interface responsiveness and updates to the following pages: Peer Path table, Event history, and Peering Connections panel of the Topology view. ------ - **I95-58959 Secure Conductor Onboarding:** Secure Conductor Onboarding (SCO) provides the ability to onboard a router to a conductor ensuring that each device proves possession of a private key, and that the connection is trusted and authenticated. For more information, see [Secure Conductor Onboarding](sec-conductor-onboard.md). ------ -- **I95-54248 Smart OS Download:** The SSR download process is now configurable, to provide better recovery and control over software downloads when a network connection fails. To improve resiliency against these network connectivity issues, the SSR queries available versions from all sources before beginning the download. If a request to a source fails, the SSR moves on to the next source. See [Smart OS Download](config-smart-download.md) for more information. +- **I95-59948 SHA-384 and SHA-512 Support:** Added support for CNSA 2.0 algorithms SHA-384 and SHA-512 to support US Federal government deployments. ------ - **I95-60209 ML-KEM support [FIPS-203]:** ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) is a cryptographic protocol used in post-quantum cryptography to securely exchange keys over public channels. This level of protection offers security against both quantum and classical adversaries. On the SSR, ML-KEM can be used alone, or in conjuction with Diffie-Hellman as a hybrid approach to peer-key exchange and encryption. For more information, see [Post Quantum Cryptography Support](enhanced-sec-key-mgmt.md#post-quantum-cryptography-support). +------ +- **I95-61176 Multicast Failover Optimization:** Several internal improvements have been made to improve failover and convergence in both HA and non-HA scenarios for Multicast/PIM. +------ +- **I95-63476 Router/Peer path override for `key-exchange-algorithm`:** A router/peer-path override has been added to enable the transition to a new algorithm within authority. For more information, see [Key Exchange Algorithm Router Override](enhanced-sec-key-mgmt.md#key-exchange-algorithm-router-override). ### Resolved Issues - - -### Caveats - -- **I95-63368 Leopard PMTU cannot exceed 8978:** This issue has been resolved in other versions of SSR software, but is still a known issue in 7.1.3-r2. This will be resolved in an upcoming Beta release. +- **I95-63368 SSR400/SSR440 PMTU cannot exceed 8978:** Resolved an issue where SSR400/SSR440 PMTU discovery was lower than other platforms. The issue has been resolved, and SSR400/SSR440 PMTU now discovers at 9198. ## Release 7.1.0-50r1 From f686e99f5048b4dc2f939afa007c28fa1f53dd92 Mon Sep 17 00:00:00 2001 From: Chris Date: Tue, 13 Jan 2026 11:04:12 -0500 Subject: [PATCH 38/58] review feedback. --- docs/release_notes_128t_7.1.md | 2 +- docs/sec-disable-ports.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/release_notes_128t_7.1.md b/docs/release_notes_128t_7.1.md index 1f296b291d..7f8ee122d2 100644 --- a/docs/release_notes_128t_7.1.md +++ b/docs/release_notes_128t_7.1.md @@ -81,7 +81,7 @@ These release notes are Beta only and are in progress. They are furnished to hel ------ - **I95-60209 ML-KEM support [FIPS-203]:** ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) is a cryptographic protocol used in post-quantum cryptography to securely exchange keys over public channels. This level of protection offers security against both quantum and classical adversaries. On the SSR, ML-KEM can be used alone, or in conjuction with Diffie-Hellman as a hybrid approach to peer-key exchange and encryption. For more information, see [Post Quantum Cryptography Support](enhanced-sec-key-mgmt.md#post-quantum-cryptography-support). ------ -- **I95-61176 Multicast Failover Optimization:** Several internal improvements have been made to improve failover and convergence in both HA and non-HA scenarios for Multicast/PIM. +- **I95-61176 Multicast Failover Optimization:** Several internal improvements have been made to improve failover and convergence in both HA and non-HA scenarios for Multicast/PIM, as well as failover times in general. ------ - **I95-63476 Router/Peer path override for `key-exchange-algorithm`:** A router/peer-path override has been added to enable the transition to a new algorithm within authority. For more information, see [Key Exchange Algorithm Router Override](enhanced-sec-key-mgmt.md#key-exchange-algorithm-router-override). diff --git a/docs/sec-disable-ports.md b/docs/sec-disable-ports.md index 9b68c5a8c9..c72c1316a4 100644 --- a/docs/sec-disable-ports.md +++ b/docs/sec-disable-ports.md @@ -50,7 +50,7 @@ When disabled (set to **false**), the USB host controller is excluded from the ` ### Disable Reset Pushbutton -When disabled (set to **false**), the pushbutton interrupt is disabled, and no action will be taken by the operating system or applications in response to a button push. However, with the pushbutton disabled, device reboot is possible from either the command line or through Mist. +When disabled (set to **false**), the push button interrupt is disabled, and no action will be taken by the operating system or applications in response to a button push. However, with the push button disabled, device reboot is possible from either the command line or through Mist. ### Disable Serial Console Port @@ -70,7 +70,7 @@ This feature is configured on the SSR400 and SSR440 by setting **both** the Seri If **both** the Serial Console Port and Firmware Recovery are disabled, and an incorrect or empty IP address is configured for one of the Ethernet ports (or system boot repeatedly fails for any other reason), use the push button to [Reset to the Rescue configuration](config-factory-reset.md#reset-to-the-rescue-configuration). -If the Reset Pushbutton is also disabled, the [Zeroization process](config-factory-reset.md#ssr400-and-ssr-440-zeroization) or RMA to Juniper are the only methods available for recovery. +If the Reset push button is also disabled, the [Zeroization process](config-factory-reset.md#ssr400-and-ssr-440-zeroization) or RMA to Juniper are the only methods available for recovery. **It is strongly recommended that recovery not be disabled on production units until post-deployment boot has been successfully validated.** From 58425f4da1df8d51f354ebaca6dc361ba2ed2a63 Mon Sep 17 00:00:00 2001 From: Chris Date: Wed, 14 Jan 2026 15:01:09 -0500 Subject: [PATCH 39/58] listing resolved issues, updating CLI doc. --- docs/cli_reference.md | 549 ++++++++++++++++++++++++++++++++- docs/release_notes_128t_7.1.md | 35 ++- 2 files changed, 574 insertions(+), 10 deletions(-) diff --git a/docs/cli_reference.md b/docs/cli_reference.md index d11e812ceb..8f91effca6 100755 --- a/docs/cli_reference.md +++ b/docs/cli_reference.md @@ -691,6 +691,7 @@ create certificate request [] | [`delete certificate webserver`](#delete-certificate-webserver) | Delete the webserver certificate. | | [`import certificate`](#import-certificate) | Import a certificate. | | [`show certificate webserver`](#show-certificate-webserver) | Display the webserver certificate | +| [`show certificate-revocation`](#show-certificate-revocation) | Shows the config revocations on a given system. | #### Description @@ -716,6 +717,7 @@ create certificate self-signed webserver | [`delete certificate webserver`](#delete-certificate-webserver) | Delete the webserver certificate. | | [`import certificate`](#import-certificate) | Import a certificate. | | [`show certificate webserver`](#show-certificate-webserver) | Display the webserver certificate | +| [`show certificate-revocation`](#show-certificate-revocation) | Shows the config revocations on a given system. | #### Description @@ -774,6 +776,70 @@ Force re-generation of all automatically generated configuration items. Both int Configuration generation is done automatically as part of a `commit`. This command serves only to aid in debugging. +## `create secure-conductor-onboarding` + +Parent command group for Secure Conductor Onboarding commands. + +#### Usage + +``` +create secure-conductor-onboarding [{router | resource-group }] [force] [node ] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node | +| resource-group | The name of the resource group | +| router | The name of the router (default: <current router>) | + +##### Subcommands + +| command | description | +| ------- | ----------- | +| [`token`](#create-secure-conductor-onboarding-token) | Create a Secure Conductor Onboarding (SCO) token for router onboarding. | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`show secure-conductor-onboarding`](#show-secure-conductor-onboarding) | Show Secure Conductor Onboarding (SCO) state of all assets. | + +#### Description + +Usage: create secure-conductor-onboarding token ... + +## `create secure-conductor-onboarding token` + +Create a Secure Conductor Onboarding (SCO) token for router onboarding. + +#### Usage + +``` +create secure-conductor-onboarding token [{router | resource-group }] [expiration-timeout ] [force] [node ] router-name +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| expiration-timeout | Optional expiration (default: 1d). Supports durations such as 1h, 2d, 1w, 1M, 2y. (default: 1d) | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node | +| resource-group | The name of the resource group | +| router | The name of the router (default: <current router>) | +| router-name | Router for which to generate the onboarding token. | + +#### Description + +Example: create secure-conductor-onboarding token router-name RTR_EAST_COMBO [expiration-timeout 1h] + +:::note +This command can only be run on a Conductor. +::: + ## `create session-capture` Creates a session capture at the specified node and service. @@ -1056,7 +1122,8 @@ delete certificate webserver [force] | [`create certificate request`](#create-certificate-request) | Create a certificate signing request. | | [`create certificate self-signed webserver`](#create-certificate-self-signed-webserver) | Create a self-signed certificate. | | [`import certificate`](#import-certificate) | Import a certificate. | -| [`show certificate webserver`](#show-certificate-webserver) | Display the webserver certificate | +| [`show certificate webserver`](#show-certificate-webserver) | Display webserver certificates | +| [`show certificate-revocation`](#show-certificate-revocation) | Shows the config revocations on a given system. | #### Description @@ -1837,7 +1904,7 @@ import certificate [] | [`create certificate self-signed webserver`](#create-certificate-self-signed-webserver) | Create a self-signed certificate. | | [`delete certificate webserver`](#delete-certificate-webserver) | Delete the webserver certificate. | | [`show certificate webserver`](#show-certificate-webserver) | Display the webserver certificate | -#### Description +| [`show certificate-revocation`](#show-certificate-revocation) | Shows the config revocations on a given system. | This command allows administrators to load certificates into their SSR by pasting them into their active PCLI session. By issuing the `import certificate` command, the PCLI prompts the user for the name of the certificate they plan to import, then asks whether it is a CA (certificate authority) certificate or not. Once these questions are answered, administrators can paste the certificate, and is reminded to press CTRL-D once the pasting is complete. Pressing CTRL-D causes the SSR to validate the configuration to ensure it is a valid X.509 certificate before loading it into persistent storage. If the X.509 validation fails, the user is informed as follows: @@ -2005,7 +2072,7 @@ Initializes the current device as a conductor-managed router. #### Usage ``` -initialize conductor-managed [password-hash ] [management-proxy ] router-name conductor-ip
[
] +initialize conductor-managed [password-hash ] [management-proxy ] [onboarding-token ] router-name conductor-ip
[
] ``` ##### Keyword Arguments @@ -2014,6 +2081,7 @@ initialize conductor-managed [password-hash ] [management-proxy < | ---- | ----------- | | conductor-ip | The address(es) of the conductor node(s) | | management-proxy | A proxy server(s) including port (x.x.x.x:port). | +| onboarding-token | Onboarding token provided by the conductor. This will force the device to use Secure Conductor Onboarding. | | password-hash | A salted SHA-512 hash of the password to set for the 'admin', 't128' and 'root' users. | | router-name | Assign a name to the router | @@ -5702,6 +5770,393 @@ show certificate webserver | [`create certificate self-signed webserver`](#create-certificate-self-signed-webserver) | Create a self-signed certificate. | | [`delete certificate webserver`](#delete-certificate-webserver) | Delete the webserver certificate. | | [`import certificate`](#import-certificate) | Import a certificate. | +| [`show certificate-revocation`](#show-certificate-revocation) | Shows the config revocations on a given system. | + +## `show certificate-revocation` + +Shows the config revocations on a given system. + +#### Usage + +``` +show certificate-revocation [{router | resource-group }] [force] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node | +| resource-group | The name of the resource group | +| router | The name of the router (default: <current router>) | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary (default: summary) | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`create certificate request`](#create-certificate-request) | Create a certificate signing request. | +| [`create certificate self-signed webserver`](#create-certificate-self-signed-webserver) | Create a self-signed certificate. | +| [`delete certificate webserver`](#delete-certificate-webserver) | Delete the webserver certificate. | +| [`import certificate`](#import-certificate) | Import a certificate. | +| [`show certificate webserver`](#show-certificate-webserver) | Display webserver certificates | + +## `show chassis` + +Display information about the chassis + +#### Usage + +``` +show chassis [router ] [node ] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| node | The name of the node | +| router | The name of the router (default: <current router>) | + +##### Subcommands + +| command | description | +| ------- | ----------- | +| [`firmware`](#show-chassis-firmware) | Show information about the chassis firmware | +| [`hardware`](#show-chassis-hardware) | Show information about the chassis hardware | +| [`led`](#show-chassis-led) | Show the status of the chassis LEDs | +| [`power`](#show-chassis-power) | Show chassis power | +| [`temperature`](#show-chassis-temperature) | Show chassis temperature sensor readings | +| [`temperature-thresholds`](#show-chassis-temperature-thresholds) | Show chassis temperature thresholds | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`show chassis firmware`](#show-chassis-firmware) | Show information about the chassis firmware | +| [`show chassis hardware`](#show-chassis-hardware) | Show information about the chassis hardware | +| [`show chassis led`](#show-chassis-led) | Show the status of the chassis LEDs | +| [`show chassis led phy`](#show-chassis-led-phy) | Show the status of the port LEDs | +| [`show chassis led system`](#show-chassis-led-system) | Show the status of the System LED | +| [`show chassis power`](#show-chassis-power) | Show chassis power | +| [`show chassis temperature`](#show-chassis-temperature) | Show chassis temperature sensor readings | +| [`show chassis temperature-thresholds`](#show-chassis-temperature-thresholds) | Show chassis temperature thresholds | + +#### Description + +:::note +This command can only be run on an SSR400/SSR440. +::: + +## `show chassis firmware` + +Show information about the chassis firmware + +#### Usage + +``` +show chassis firmware [router ] [node ] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| node | The node to show firmware information for | +| router | The router to show firmware information for (default: <current router>) | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`show chassis`](#show-chassis) | Display information about the chassis | +| [`show chassis hardware`](#show-chassis-hardware) | Show information about the chassis hardware | +| [`show chassis led`](#show-chassis-led) | Show the status of the chassis LEDs | +| [`show chassis led phy`](#show-chassis-led-phy) | Show the status of the port LEDs | +| [`show chassis led system`](#show-chassis-led-system) | Show the status of the System LED | +| [`show chassis power`](#show-chassis-power) | Show chassis power | +| [`show chassis temperature`](#show-chassis-temperature) | Show chassis temperature sensor readings | +| [`show chassis temperature-thresholds`](#show-chassis-temperature-thresholds) | Show chassis temperature thresholds | + +#### Description + +:::note +This command can only be run on an SSR400/SSR440. +::: + +## `show chassis hardware` + +Show information about the chassis hardware + +#### Usage + +``` +show chassis hardware [router ] [node ] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| node | The name of the node | +| router | The name of the router (default: <current router>) | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`show chassis`](#show-chassis) | Display information about the chassis | +| [`show chassis firmware`](#show-chassis-firmware) | Show information about the chassis firmware | +| [`show chassis led`](#show-chassis-led) | Show the status of the chassis LEDs | +| [`show chassis led phy`](#show-chassis-led-phy) | Show the status of the port LEDs | +| [`show chassis led system`](#show-chassis-led-system) | Show the status of the System LED | +| [`show chassis power`](#show-chassis-power) | Show chassis power | +| [`show chassis temperature`](#show-chassis-temperature) | Show chassis temperature sensor readings | +| [`show chassis temperature-thresholds`](#show-chassis-temperature-thresholds) | Show chassis temperature thresholds | + +#### Description + +:::note +This command can only be run on an SSR400/SSR440. +::: + +## `show chassis led` + +Show the status of the chassis LEDs + +#### Usage + +``` +show chassis led [router ] [node ] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| node | The name of the node | +| router | The name of the router (default: <current router>) | + +##### Subcommands + +| command | description | +| ------- | ----------- | +| [`phy`](#show-chassis-led-phy) | Show the status of the port LEDs | +| [`system`](#show-chassis-led-system) | Show the status of the System LED | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`show chassis`](#show-chassis) | Display information about the chassis | +| [`show chassis firmware`](#show-chassis-firmware) | Show information about the chassis firmware | +| [`show chassis hardware`](#show-chassis-hardware) | Show information about the chassis hardware | +| [`show chassis led phy`](#show-chassis-led-phy) | Show the status of the port LEDs | +| [`show chassis led system`](#show-chassis-led-system) | Show the status of the System LED | +| [`show chassis power`](#show-chassis-power) | Show chassis power | +| [`show chassis temperature`](#show-chassis-temperature) | Show chassis temperature sensor readings | +| [`show chassis temperature-thresholds`](#show-chassis-temperature-thresholds) | Show chassis temperature thresholds | + +#### Description + +:::note +This command can only be run on an SSR400/SSR440. +::: + +## `show chassis led phy` + +Show the status of the port LEDs + +#### Usage + +``` +show chassis led phy [port ] [router ] [node ] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| node | The name of the node | +| port | The port number for an ethernet port [type: port] | +| router | The name of the router (default: <current router>) | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`show chassis`](#show-chassis) | Display information about the chassis | +| [`show chassis firmware`](#show-chassis-firmware) | Show information about the chassis firmware | +| [`show chassis hardware`](#show-chassis-hardware) | Show information about the chassis hardware | +| [`show chassis led`](#show-chassis-led) | Show the status of the chassis LEDs | +| [`show chassis led system`](#show-chassis-led-system) | Show the status of the System LED | +| [`show chassis power`](#show-chassis-power) | Show chassis power | +| [`show chassis temperature`](#show-chassis-temperature) | Show chassis temperature sensor readings | +| [`show chassis temperature-thresholds`](#show-chassis-temperature-thresholds) | Show chassis temperature thresholds | + +#### Description + +:::note +This command can only be run on an SSR400/SSR440. +::: + +## `show chassis led system` + +Show the status of the System LED + +#### Usage + +``` +show chassis led system [router ] [node ] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| node | The name of the node | +| router | The name of the router (default: <current router>) | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`show chassis`](#show-chassis) | Display information about the chassis | +| [`show chassis firmware`](#show-chassis-firmware) | Show information about the chassis firmware | +| [`show chassis hardware`](#show-chassis-hardware) | Show information about the chassis hardware | +| [`show chassis led`](#show-chassis-led) | Show the status of the chassis LEDs | +| [`show chassis led phy`](#show-chassis-led-phy) | Show the status of the port LEDs | +| [`show chassis power`](#show-chassis-power) | Show chassis power | +| [`show chassis temperature`](#show-chassis-temperature) | Show chassis temperature sensor readings | +| [`show chassis temperature-thresholds`](#show-chassis-temperature-thresholds) | Show chassis temperature thresholds | + +#### Description + +:::note +This command can only be run on an SSR400/SSR440. +::: + +## `show chassis power` + +Show chassis power + +#### Usage + +``` +show chassis power [router ] [node ] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| node | The name of the node | +| router | The name of the router (default: <current router>) | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`show chassis`](#show-chassis) | Display information about the chassis | +| [`show chassis firmware`](#show-chassis-firmware) | Show information about the chassis firmware | +| [`show chassis hardware`](#show-chassis-hardware) | Show information about the chassis hardware | +| [`show chassis led`](#show-chassis-led) | Show the status of the chassis LEDs | +| [`show chassis led phy`](#show-chassis-led-phy) | Show the status of the port LEDs | +| [`show chassis led system`](#show-chassis-led-system) | Show the status of the System LED | +| [`show chassis temperature`](#show-chassis-temperature) | Show chassis temperature sensor readings | +| [`show chassis temperature-thresholds`](#show-chassis-temperature-thresholds) | Show chassis temperature thresholds | + +#### Description + +:::note +This command can only be run on an SSR400/SSR440. +::: + +## `show chassis temperature` + +Show chassis temperature sensor readings + +#### Usage + +``` +show chassis temperature [sensor ] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| node | The name of the node | +| router | The name of the router (default: <current router>) | +| sensor | The name of the target temperature sensor | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary (default: summary) | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`show chassis`](#show-chassis) | Display information about the chassis | +| [`show chassis firmware`](#show-chassis-firmware) | Show information about the chassis firmware | +| [`show chassis hardware`](#show-chassis-hardware) | Show information about the chassis hardware | +| [`show chassis led`](#show-chassis-led) | Show the status of the chassis LEDs | +| [`show chassis led phy`](#show-chassis-led-phy) | Show the status of the port LEDs | +| [`show chassis led system`](#show-chassis-led-system) | Show the status of the System LED | +| [`show chassis power`](#show-chassis-power) | Show chassis power | +| [`show chassis temperature-thresholds`](#show-chassis-temperature-thresholds) | Show chassis temperature thresholds | + +#### Description + +:::note +This command can only be run on an SSR400/SSR440. +::: + +## `show chassis temperature-thresholds` + +Show chassis temperature thresholds + +#### Usage + +``` +show chassis temperature-thresholds [region ] [router ] [node ] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| node | The name of the node | +| region | The target region for temperature thresholds | +| router | The name of the router (default: <current router>) | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`show chassis`](#show-chassis) | Display information about the chassis | +| [`show chassis firmware`](#show-chassis-firmware) | Show information about the chassis firmware | +| [`show chassis hardware`](#show-chassis-hardware) | Show information about the chassis hardware | +| [`show chassis led`](#show-chassis-led) | Show the status of the chassis LEDs | +| [`show chassis led phy`](#show-chassis-led-phy) | Show the status of the port LEDs | +| [`show chassis led system`](#show-chassis-led-system) | Show the status of the System LED | +| [`show chassis power`](#show-chassis-power) | Show chassis power | +| [`show chassis temperature`](#show-chassis-temperature) | Show chassis temperature sensor readings | + +#### Description + +:::note +This command can only be run on an SSR400/SSR440. +::: ## `show config candidate` @@ -5788,8 +6243,8 @@ config | command | description | | ------- | ----------- | -| `authority` | Show configuration data for 'authority' | -| `generated` | Show configuration data for 'generated' | +| [`authority`](#show-config-candidate-authority) | Show configuration data for 'authority' | +| [`generated`](#show-config-candidate-generated) | Show configuration data for 'generated' | ## `show config disk-cache` @@ -6054,8 +6509,8 @@ config | command | description | | ------- | ----------- | -| `authority` | Show configuration data for 'authority' | -| `generated` | Show configuration data for 'generated' | +| [`authority`](#show-config-running-authority) | Show configuration data for 'authority' | +| [`generated`](#show-config-running-generated) | Show configuration data for 'generated' | ## `show config version` @@ -7604,6 +8059,29 @@ This command queries the LTE devices and displays the following state info: - registration-status - connection-status (show IP if connected, otherwise, show previous error) - signal-strength (rating, RSSI, and SNR) + +## `show management-proxy` + +Show management-proxy state data + +#### Usage + +``` +show management-proxy [force] [node ] {router | resource-group } +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The node for which to display status | +| resource-group | The name of the resource group | +| router | The router for which to display status | + +#### Description + +Query the management-proxy to check state details. ## `show mist` Display information about the link between the SSR and the Mist Cloud @@ -10244,6 +10722,34 @@ show roles [name ] [rows ] | [`show user`](#show-user) | Display information for user accounts. | | [`show user activity`](#show-user-activity) | Show the most recent usage of SSR. | +## `show secure-conductor-onboarding` + +Show Secure Conductor Onboarding (SCO) state of all assets. + +#### Usage + +``` +show secure-conductor-onboarding [] +``` + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| asset_id | Show detailed state for a specific asset | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`create secure-conductor-onboarding`](#create-secure-conductor-onboarding) | Parent command group for Secure Conductor Onboarding commands. | + +#### Description + +:::note +This command can only be run on a Conductor. +::: + ## `show security key-status` Display detailed security key status. @@ -10820,6 +11326,7 @@ show system [{router | resource-group }] [force] [node | [`resource-allocation`](#show-system-resource-allocation) | Display information for reserved hugepages and CPU core masks. | | [`services`](#show-system-services) | Display a table summarizing statuses of SSR systemd services. | | [`software`](#show-system-software) | <available> \| <downgrade> \| <download> \| <health-check> \| <revert> \| <sources> \| <upgrade> | +| [`utilization`](#show-system-utilization) | <session-processors> | | [`version`](#show-system-version) | Show system version information. | ##### See Also @@ -11637,6 +12144,31 @@ show system software upgrade [{router | resource-group | [`show system software sources`](#show-system-software-sources) | Display information about software sources. | | [`show system version`](#show-system-version) | Show system version information. | +## `show system utilization session-processors` + +Display system utilization session processor thread CPU usage + +#### Usage + +``` +show system utilization session-processors [force] [node ] {router | resource-group } [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node | +| resource-group | The name of the resource group | +| router | The name of the router | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary (default: summary) | + ## `show system version` Show system version information. @@ -12225,6 +12757,9 @@ traceroute to 172.16.1.201, 64 hops max | 6.1.0 | Introduced | | 6.2.3-R2 | Updates and improvements made to the keyword arguments | +The only mandatory parameter is the destination IP. + + ## `validate` Validate the candidate config. diff --git a/docs/release_notes_128t_7.1.md b/docs/release_notes_128t_7.1.md index 7f8ee122d2..827501172e 100644 --- a/docs/release_notes_128t_7.1.md +++ b/docs/release_notes_128t_7.1.md @@ -53,9 +53,9 @@ An issue has been identified that may be observed in conductor deployments runni An issue has been identified when onboarding SSR routers installed with older versions of software (such as 5.4.4) to Conductors running 6.3.x, when running in offline-mode. In some cases, certain software packages are not available to be installed during onboarding. To work around this issue, import the **package-based** (the "128T" prefixed) ISO for the current conductor version onto the conductor. This provides the necessary software packages to complete the onboarding process. This issue will be resolved in a future release. -## Beta Release 7.1.3-3r2 +## Beta Release 7.1.3-8r2 -**Release Date:** December 11, 2025 +**Release Date:** January 15, 2026 :::important These release notes are Beta only and are in progress. They are furnished to help provide information about updated and new features for controlled beta deliveries. They do not represent a full feature set. @@ -87,8 +87,37 @@ These release notes are Beta only and are in progress. They are furnished to hel ### Resolved Issues +- **The following CVEs have been identified and resolved in this release:** CVE-2024-5642, CVE-2025-6069, CVE-2025-6075, CVE-2025-8291. +------ +- **I95-57605 BFD link-test-interval not accurate:** Resolved as part of I95-59720. Several modifications have been made to the BFD timers to improve accuracy. +------ +- **I95-61823 Change `ESKM_DISABLED` to `ESKM_STANDBY` for HA router in standby state:** For routers configured as part of an HA Enhanced Security Key Management (ESKM) deployment, the standby state is now correctly identified as `ESKM_STANDBY`. +------ +- **I95-61856 Add `reload local certificates` command for ESKM:** The `reload local certificates` command has been added to allow the updating of local certificates. See [`reload local certificates`](cli_reference.md#reload-local-certificates) for more information. +------ +- **I95-62074 Highway requests metadata key from SKM when feature is disabled:** Resolved an issue where even when `enhanced-security-key-management` was disabled, it continued to attempt to get the key information. +------ +- **I95-62772 Add details to `show peers certificate` output:** The `show peers certificate` output no longer just shows PEM file output; the data has been rendered in a more friendly format. +------ +- **I95-62859 Duplicate alarms created for duplicate asset IDs:** Resolved an issue where the Conductor created a duplicate asset ID alarm each time an asset with a duplicate ID tried to authenticate. +------ +- **I95-63124 Harden HTTPS security:** HTTPS security has been improved and hardened by following best practices. Security headers and SSL algorithms have been updated so that browsers and external clients are only using strong algorithms. Users on older Windows/IE versions can choose to extend the SSR secuirty using `configure authority router system services webserver ssl ciphers` to allow older ciphers. +------ +- **I95-63190 SSC process errors causing node disconnections from Conductor:** Resolved an issue where SSC process errors were filling the buffer queue, dropping messages, and causing node disconnections. +------ +- **I95-63202 Unable to bind interfaces in Azure F8 flavor in West Europe region:** Resolved an issue where driver optimization on lower core count systems required more more memory usage, causing initialization failures. +------ +- **I95-63292 Add upgrade timeout and rpm operation timeout:** Added the ability to configure the timeout for upgrades and for rpm download/install operations under `config authority router RouterName system software-update`. The defaults are 1 hour for SSR upgrade and 10 minutes for rpm operations. +------ +- **I95-63356 Do not allow new sessions after peer's certificate expired/revoked:** Resolved an issue where sessions were one peer continued to send new sessions after the other peers' certificate was revoked. When the peer's certificate expires, the peer is now forced to re-initiate the key exchange. +------ - **I95-63368 SSR400/SSR440 PMTU cannot exceed 8978:** Resolved an issue where SSR400/SSR440 PMTU discovery was lower than other platforms. The issue has been resolved, and SSR400/SSR440 PMTU now discovers at 9198. - +------ +- **I95-63422 Factory reset routers not re-onboarding when ESKM enabled:** Resolved an issue where if ESKM was initially started using invalid certificate on one node, it would be unable to onboard until the remote peering relationship is restarted. +------ +- **I95-63675 Node page in the GUI appears to load indefinitely:** Resolved an issue where the GUI Node page would load infinitely. +------ +- **I95-63729 Asset state not accurately reported in conductor:** Resolved an issue where issue where the SSH authorized keys from one HA conductor node were deleted after restarting both HA conductor nodes. ## Release 7.1.0-50r1 From 0cb5921196c9901433fb70ef9edaa8a0ea04e17a Mon Sep 17 00:00:00 2001 From: Chris Date: Wed, 14 Jan 2026 15:39:42 -0500 Subject: [PATCH 40/58] fix broken links --- docs/cli_reference.md | 32 +++++++++++++++++++++++++++----- 1 file changed, 27 insertions(+), 5 deletions(-) diff --git a/docs/cli_reference.md b/docs/cli_reference.md index 8f91effca6..acb9e96db6 100755 --- a/docs/cli_reference.md +++ b/docs/cli_reference.md @@ -2393,6 +2393,29 @@ release dhcp lease [force] [node ] {router | resource-group ] {router | resource-group } +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The node on which to reload local certificates (default: all) | +| resource-group | The name of the resource group | +| router | The router on which to reload local certificates | + +#### Description + +Signal to highway that the local certificate contents have been updated and we should reload them from disk. + ## `repeat` Repeat any command multiple times. @@ -6243,8 +6266,8 @@ config | command | description | | ------- | ----------- | -| [`authority`](#show-config-candidate-authority) | Show configuration data for 'authority' | -| [`generated`](#show-config-candidate-generated) | Show configuration data for 'generated' | +| `authority` | Show configuration data for `authority` | +| `generated` | Show configuration data for `generated` | ## `show config disk-cache` @@ -6509,8 +6532,8 @@ config | command | description | | ------- | ----------- | -| [`authority`](#show-config-running-authority) | Show configuration data for 'authority' | -| [`generated`](#show-config-running-generated) | Show configuration data for 'generated' | +| `authority` | Show configuration data for `authority` | +| `generated` | Show configuration data for `generated` | ## `show config version` @@ -11326,7 +11349,6 @@ show system [{router | resource-group }] [force] [node | [`resource-allocation`](#show-system-resource-allocation) | Display information for reserved hugepages and CPU core masks. | | [`services`](#show-system-services) | Display a table summarizing statuses of SSR systemd services. | | [`software`](#show-system-software) | <available> \| <downgrade> \| <download> \| <health-check> \| <revert> \| <sources> \| <upgrade> | -| [`utilization`](#show-system-utilization) | <session-processors> | | [`version`](#show-system-version) | Show system version information. | ##### See Also From 27914654a9f5cf240fadc52af8ce5065cee28857 Mon Sep 17 00:00:00 2001 From: Chris Date: Thu, 15 Jan 2026 15:42:37 -0500 Subject: [PATCH 41/58] typo? --- docs/release_notes_128t_7.1.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/release_notes_128t_7.1.md b/docs/release_notes_128t_7.1.md index 827501172e..d216ba9f8f 100644 --- a/docs/release_notes_128t_7.1.md +++ b/docs/release_notes_128t_7.1.md @@ -87,8 +87,8 @@ These release notes are Beta only and are in progress. They are furnished to hel ### Resolved Issues -- **The following CVEs have been identified and resolved in this release:** CVE-2024-5642, CVE-2025-6069, CVE-2025-6075, CVE-2025-8291. ------- + - **I95-57605 BFD link-test-interval not accurate:** Resolved as part of I95-59720. Several modifications have been made to the BFD timers to improve accuracy. ------ - **I95-61823 Change `ESKM_DISABLED` to `ESKM_STANDBY` for HA router in standby state:** For routers configured as part of an HA Enhanced Security Key Management (ESKM) deployment, the standby state is now correctly identified as `ESKM_STANDBY`. From 1baf75ddc42609f6e0ec8bc50791c1eaee446ca0 Mon Sep 17 00:00:00 2001 From: Chris Date: Wed, 21 Jan 2026 16:29:59 -0500 Subject: [PATCH 42/58] IMA, SHA-384/512 info. --- docs/config_command_guide.md | 1006 +++++++++++++++++++++++++++++++- docs/enhanced-sec-key-mgmt.md | 4 +- docs/release_notes_128t_7.1.md | 2 +- docs/sec-secure-boot.md | 17 + 4 files changed, 1009 insertions(+), 20 deletions(-) diff --git a/docs/config_command_guide.md b/docs/config_command_guide.md index c2cc3cae07..889acd228a 100755 --- a/docs/config_command_guide.md +++ b/docs/config_command_guide.md @@ -49,6 +49,7 @@ Authority configuration is the top-most level in the SSR configuration hierarchy | [`resource-group`](#configure-authority-resource-group) | Collect objects into a management group. | | [`router`](#configure-authority-router) | The router configuration element serves as a container for holding the nodes of a single deployed router, along with their policies. | | [`routing`](#configure-authority-routing) | authority level routing configuration | +| [`secure-conductor-onboarding`](#configure-authority-secure-conductor-onboarding) | Configure Secure Conductor Onboarding | | [`security`](#configure-authority-security) | The security elements represent security policies for governing how and when the SSR encrypts and/or authenticates packets. | | [`security-key-management`](#configure-authority-security-key-management) | Configure Security Key Management | | [`service`](#configure-authority-service) | The service configuration is where you define the services that reside within the authority's tenants as well as the policies to apply to those services. | @@ -5049,12 +5050,14 @@ configure authority router | [`icmp-probe-profile`](#configure-authority-router-icmp-probe-profile) | Profile for active ICMP probes for reachability-detection enforcement | | [`idp`](#configure-authority-router-idp) | Advanced IDP configuration. | | [`inter-node-security`](#configure-authority-router-inter-node-security) | The name of the security policy used for inter node communication between router interfaces | +| [`key-exchange-algorithm-override`](#configure-authority-router-key-exchange-algorithm-override) | Key exchange algorithm selection for security key management for the router. | | [`location`](#configure-authority-router-location) | A descriptive location for this SSR. | | [`location-coordinates`](#configure-authority-router-location-coordinates) | The geolocation of this router in ISO 6709 format. Some examples: (1) Degrees only: +50.20361-074.00417/ (2) Degrees and minutes: +5012.22-07400.25/ or (3) Degrees, minutes, and seconds: +501213.1-0740015.1/ | | [`maintenance-mode`](#configure-authority-router-maintenance-mode) | When enabled, the router will be in maintenance mode and alarms related to this router will be shelved. | | [`management-proxy`](#configure-authority-router-management-proxy) | Settings to enable forwarding of SSR management traffic to a proxy | | [`management-service-generation`](#configure-authority-router-management-service-generation) | Configure Management Service Generation | | [`max-inter-node-way-points`](#configure-authority-router-max-inter-node-way-points) | Maximum number of way points to be allocated on inter-node path. | +| [`ml-kem-keygen-priority`](#configure-authority-router-ml-kem-keygen-priority) | Priority for ML-KEM key generation with peers. Higher values indicate higher priority. | | [`name`](#configure-authority-router-name) | An identifier for the router. | | [`nat-pool`](#configure-authority-router-nat-pool) | A pool of shared NAT ports. | | [`node`](#configure-authority-router-node) | List of one or two SSR software instances, comprising an SSR. | @@ -6981,6 +6984,173 @@ configure authority router inter-node-security [] This type is used by other entities that need to reference configured security policies. +## `configure authority router key-exchange-algorithm-override` + +Key exchange algorithm selection for security key management for the router. + +##### Subcommands + +| command | description | +| ------- | ----------- | +| `delete` | Delete configuration data | +| [`diffie-hellman`](#configure-authority-router-key-exchange-algorithm-override-diffie-hellman) | Diffie-Hellman algorithm. | +| [`diffie-hellman-ml-kem`](#configure-authority-router-key-exchange-algorithm-override-diffie-hellman-ml-kem) | Diffie-Hellman and ML-KEM hybrid algorithm. | +| [`ml-kem`](#configure-authority-router-key-exchange-algorithm-override-ml-kem) | ML-KEM algorithm. | +| `override-generated` | Force auto-generated configuration and any modifications to it to persist on commit | +| `show` | Show configuration data for 'key-exchange-algorithm-override' | + +## `configure authority router key-exchange-algorithm-override diffie-hellman` + +Diffie-Hellman algorithm. + +##### Subcommands + +| command | description | +| ------- | ----------- | +| `delete` | Delete configuration data | +| [`dh-key-size`](#configure-authority-router-key-exchange-algorithm-override-diffie-hellman-dh-key-size) | The key size used for Diffie-Hellman algorithm. | +| `override-generated` | Force auto-generated configuration and any modifications to it to persist on commit | +| `show` | Show configuration data for 'diffie-hellman' | + +## `configure authority router key-exchange-algorithm-override diffie-hellman dh-key-size` + +The key size used for Diffie-Hellman algorithm. + +#### Usage + +``` +configure authority router key-exchange-algorithm-override diffie-hellman dh-key-size [] +``` + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| diffie-hellman-key-size | The value to set for this field | + +#### Description + +##### diffie-hellman-key-size (enumeration) + +The key size to use in the Diffie-Hellman key exchange + +Options: + +- 1024: 1024 bit key size +- 2048: 2048 bit key size +- 4096: 4096 bit key size + +## `configure authority router key-exchange-algorithm-override diffie-hellman-ml-kem` + +Diffie-Hellman and ML-KEM hybrid algorithm. + +##### Subcommands + +| command | description | +| ------- | ----------- | +| `delete` | Delete configuration data | +| [`dh-key-size`](#configure-authority-router-key-exchange-algorithm-override-diffie-hellman-ml-kem-dh-key-size) | The key size used for Diffie-Hellman algorithm. | +| [`ml-kem-key-size`](#configure-authority-router-key-exchange-algorithm-override-diffie-hellman-ml-kem-ml-kem-key-size) | The key size used for ML-KEM algorithm. | +| `override-generated` | Force auto-generated configuration and any modifications to it to persist on commit | +| `show` | Show configuration data for 'diffie-hellman-ml-kem' | + +## `configure authority router key-exchange-algorithm-override diffie-hellman-ml-kem dh-key-size` + +The key size used for Diffie-Hellman algorithm. + +#### Usage + +``` +configure authority router key-exchange-algorithm-override diffie-hellman-ml-kem dh-key-size [] +``` + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| diffie-hellman-key-size | The value to set for this field | + +#### Description + +##### diffie-hellman-key-size (enumeration) + +The key size to use in the Diffie-Hellman key exchange + +Options: + +- 1024: 1024 bit key size +- 2048: 2048 bit key size +- 4096: 4096 bit key size + +## `configure authority router key-exchange-algorithm-override diffie-hellman-ml-kem ml-kem-key-size` + +The key size used for ML-KEM algorithm. + +#### Usage + +``` +configure authority router key-exchange-algorithm-override diffie-hellman-ml-kem ml-kem-key-size [] +``` + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| ml-kem-key-size | The value to set for this field | + +#### Description + +##### ml-kem-key-size (enumeration) + +The key size to use in the ML-KEM key exchange + +Options: + +- 512: 512 bit key size +- 768: 768 bit key size +- 1024: 1024 bit key size + +## `configure authority router key-exchange-algorithm-override ml-kem` + +ML-KEM algorithm. + +##### Subcommands + +| command | description | +| ------- | ----------- | +| `delete` | Delete configuration data | +| [`ml-kem-key-size`](#configure-authority-router-key-exchange-algorithm-override-ml-kem-ml-kem-key-size) | The key size used for ML-KEM algorithm. | +| `override-generated` | Force auto-generated configuration and any modifications to it to persist on commit | +| `show` | Show configuration data for 'ml-kem' | + +## `configure authority router key-exchange-algorithm-override ml-kem ml-kem-key-size` + +The key size used for ML-KEM algorithm. + +#### Usage + +``` +configure authority router key-exchange-algorithm-override ml-kem ml-kem-key-size [] +``` + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| ml-kem-key-size | The value to set for this field | + +#### Description + +##### ml-kem-key-size (enumeration) + +The key size to use in the ML-KEM key exchange + +Options: + +- 512: 512 bit key size +- 768: 768 bit key size +- 1024: 1024 bit key size + ## `configure authority router location` A descriptive location for this SSR. @@ -7292,6 +7462,28 @@ An unsigned 32-bit integer. Range: 50000-1000000 +## `configure authority router ml-kem-keygen-priority` + +Priority for ML-KEM key generation with peers. Higher values indicate higher priority. + +#### Usage + +``` +configure authority router ml-kem-keygen-priority [] +``` + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| uint32 | The value to set for this field | + +#### Description + +##### uint32 + +An unsigned 32-bit integer. + ## `configure authority router name` An identifier for the router. @@ -7590,6 +7782,7 @@ configure authority router node | [`recovery-mode-enabled`](#configure-authority-router-node-recovery-mode-enabled) | Allow booting from USB storage devices. | | [`reset-button-enabled`](#configure-authority-router-node-reset-button-enabled) | Enable the reset button for restarting or factory resetting. | | [`role`](#configure-authority-router-node-role) | The node's role in the SSR system. | +| [`secure-conductor-onboarding`](#configure-authority-router-node-secure-conductor-onboarding) | Configure Secure Conductor Onboarding | | [`serial-console-enabled`](#configure-authority-router-node-serial-console-enabled) | Enable serial console. | | [`session-processor-count`](#configure-authority-router-node-session-processor-count) | The number of threads to use for session processing when using 'manual' session-processor mode. | | [`session-processor-mode`](#configure-authority-router-node-session-processor-mode) | The method by which the number of threads used for session processing should be determined. | @@ -21507,6 +21700,43 @@ Options: - combo: A combined Control and Slice. - conductor: A remote management system. +## `configure authority router node secure-conductor-onboarding` + +Configure Secure Conductor Onboarding + +##### Subcommands + +| command | description | +| ------- | ----------- | +| `delete` | Delete configuration data | +| [`endorsement-key`](#configure-authority-router-node-secure-conductor-onboarding-endorsement-key) | The public endorsement key of the router's TPM in base64 encoded DER format. Required for strong mode onboarding on devices with vTPM. | +| `override-generated` | Force auto-generated configuration and any modifications to it to persist on commit | +| `show` | Show configuration data for 'secure-conductor-onboarding' | + +## `configure authority router node secure-conductor-onboarding endorsement-key` + +The public endorsement key of the router's TPM in base64 encoded DER format. Required for strong mode onboarding on devices with vTPM. + +#### Usage + +``` +configure authority router node secure-conductor-onboarding endorsement-key [] +``` + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| string | The value to set for this field | + +#### Description + +##### string + +A text value. + +Must be a base64 encoded string. + ## `configure authority router node serial-console-enabled` Enable serial console. @@ -22611,6 +22841,8 @@ configure authority router peer | `delete` | Delete configuration data | | [`description`](#configure-authority-router-peer-description) | A description of the peer router. | | [`generated`](#configure-authority-router-peer-generated) | Indicates whether or not the Peer was automatically generated as a result of routers existing in the same neighborhood. | +| [`key-exchange-algorithm-override`](#configure-authority-router-peer-key-exchange-algorithm-override) | Key exchange algorithm selection for security key management for the peer router. | +| [`ml-kem-keygen-priority`](#configure-authority-router-peer-ml-kem-keygen-priority) | Priority for ML-KEM key generation with peers. Higher values indicate higher priority. | | [`name`](#configure-authority-router-peer-name) | An arbitrary name that represents the properties associated with the peer router. Typically this will be the name of the authority or the value of the name field in the peer's router configuration. | | `override-generated` | Force auto-generated configuration and any modifications to it to persist on commit | | [`peering-common-name`](#configure-authority-router-peer-peering-common-name) | The identifier to use with enhanced-security-key-management. | @@ -23089,6 +23321,197 @@ A true or false value. Options: true or false +## `configure authority router peer key-exchange-algorithm-override` + +Key exchange algorithm selection for security key management for the peer router. + +##### Subcommands + +| command | description | +| ------- | ----------- | +| `delete` | Delete configuration data | +| [`diffie-hellman`](#configure-authority-router-peer-key-exchange-algorithm-override-diffie-hellman) | Diffie-Hellman algorithm. | +| [`diffie-hellman-ml-kem`](#configure-authority-router-peer-key-exchange-algorithm-override-diffie-hellman-ml-kem) | Diffie-Hellman and ML-KEM hybrid algorithm. | +| [`ml-kem`](#configure-authority-router-peer-key-exchange-algorithm-override-ml-kem) | ML-KEM algorithm. | +| `override-generated` | Force auto-generated configuration and any modifications to it to persist on commit | +| `show` | Show configuration data for 'key-exchange-algorithm-override' | + +## `configure authority router peer key-exchange-algorithm-override diffie-hellman` + +Diffie-Hellman algorithm. + +##### Subcommands + +| command | description | +| ------- | ----------- | +| `delete` | Delete configuration data | +| [`dh-key-size`](#configure-authority-router-peer-key-exchange-algorithm-override-diffie-hellman-dh-key-size) | The key size used for Diffie-Hellman algorithm. | +| `override-generated` | Force auto-generated configuration and any modifications to it to persist on commit | +| `show` | Show configuration data for 'diffie-hellman' | + +## `configure authority router peer key-exchange-algorithm-override diffie-hellman dh-key-size` + +The key size used for Diffie-Hellman algorithm. + +#### Usage + +``` +configure authority router peer key-exchange-algorithm-override diffie-hellman dh-key-size [] +``` + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| diffie-hellman-key-size | The value to set for this field | + +#### Description + +##### diffie-hellman-key-size (enumeration) + +The key size to use in the Diffie-Hellman key exchange + +Options: + +- 1024: 1024 bit key size +- 2048: 2048 bit key size +- 4096: 4096 bit key size + +## `configure authority router peer key-exchange-algorithm-override diffie-hellman-ml-kem` + +Diffie-Hellman and ML-KEM hybrid algorithm. + +##### Subcommands + +| command | description | +| ------- | ----------- | +| `delete` | Delete configuration data | +| [`dh-key-size`](#configure-authority-router-peer-key-exchange-algorithm-override-diffie-hellman-ml-kem-dh-key-size) | The key size used for Diffie-Hellman algorithm. | +| [`ml-kem-key-size`](#configure-authority-router-peer-key-exchange-algorithm-override-diffie-hellman-ml-kem-ml-kem-key-size) | The key size used for ML-KEM algorithm. | +| `override-generated` | Force auto-generated configuration and any modifications to it to persist on commit | +| `show` | Show configuration data for 'diffie-hellman-ml-kem' | + +## `configure authority router peer key-exchange-algorithm-override diffie-hellman-ml-kem dh-key-size` + +The key size used for Diffie-Hellman algorithm. + +#### Usage + +``` +configure authority router peer key-exchange-algorithm-override diffie-hellman-ml-kem dh-key-size [] +``` + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| diffie-hellman-key-size | The value to set for this field | + +#### Description + +##### diffie-hellman-key-size (enumeration) + +The key size to use in the Diffie-Hellman key exchange + +Options: + +- 1024: 1024 bit key size +- 2048: 2048 bit key size +- 4096: 4096 bit key size + +## `configure authority router peer key-exchange-algorithm-override diffie-hellman-ml-kem ml-kem-key-size` + +The key size used for ML-KEM algorithm. + +#### Usage + +``` +configure authority router peer key-exchange-algorithm-override diffie-hellman-ml-kem ml-kem-key-size [] +``` + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| ml-kem-key-size | The value to set for this field | + +#### Description + +##### ml-kem-key-size (enumeration) + +The key size to use in the ML-KEM key exchange + +Options: + +- 512: 512 bit key size +- 768: 768 bit key size +- 1024: 1024 bit key size + +## `configure authority router peer key-exchange-algorithm-override ml-kem` + +ML-KEM algorithm. + +##### Subcommands + +| command | description | +| ------- | ----------- | +| `delete` | Delete configuration data | +| [`ml-kem-key-size`](#configure-authority-router-peer-key-exchange-algorithm-override-ml-kem-ml-kem-key-size) | The key size used for ML-KEM algorithm. | +| `override-generated` | Force auto-generated configuration and any modifications to it to persist on commit | +| `show` | Show configuration data for 'ml-kem' | + +## `configure authority router peer key-exchange-algorithm-override ml-kem ml-kem-key-size` + +The key size used for ML-KEM algorithm. + +#### Usage + +``` +configure authority router peer key-exchange-algorithm-override ml-kem ml-kem-key-size [] +``` + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| ml-kem-key-size | The value to set for this field | + +#### Description + +##### ml-kem-key-size (enumeration) + +The key size to use in the ML-KEM key exchange + +Options: + +- 512: 512 bit key size +- 768: 768 bit key size +- 1024: 1024 bit key size + +## `configure authority router peer ml-kem-keygen-priority` + +Priority for ML-KEM key generation with peers. Higher values indicate higher priority. + +#### Usage + +``` +configure authority router peer ml-kem-keygen-priority [] +``` + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| uint32 | The value to set for this field | + +#### Description + +Default: 0 + +##### uint32 + +An unsigned 32-bit integer. + ## `configure authority router peer name` An arbitrary name that represents the properties associated with the peer router. Typically this will be the name of the authority or the value of the name field in the peer's router configuration. @@ -27123,6 +27546,7 @@ PIM configuration | `delete` | Delete configuration data | | [`interface`](#configure-authority-router-routing-pim-interface) | List of PIM interfaces | | `override-generated` | Force auto-generated configuration and any modifications to it to persist on commit | +| [`restart-time`](#configure-authority-router-routing-pim-restart-time) | PIM graceful restart duration | | [`rp`](#configure-authority-router-routing-pim-rp) | PIM RP Configuration | | `show` | Show configuration data for 'pim' | @@ -27253,6 +27677,34 @@ configure authority router routing pim interface node [] A reference to an existing value in the instance data. +## `configure authority router routing pim restart-time` + +PIM graceful restart duration + +#### Usage + +``` +configure authority router routing pim restart-time [] +``` + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| uint16 | The value to set for this field | + +#### Description + +Units: seconds + +Default: 120 + +##### uint16 + +An unsigned 16-bit integer. + +Range: 0-1800 + ## `configure authority router routing pim rp` PIM RP Configuration @@ -38675,6 +39127,7 @@ System group configuration. Lets administrators configure system-wide properties | `override-generated` | Force auto-generated configuration and any modifications to it to persist on commit | | [`radius`](#configure-authority-router-system-radius) | Configure Radius | | [`remote-login`](#configure-authority-router-system-remote-login) | Configure Remote Login | +| [`secure-conductor-onboarding`](#configure-authority-router-system-secure-conductor-onboarding) | Configure Secure Conductor Onboarding | | [`services`](#configure-authority-router-system-services) | Address information for internal services | | `show` | Show configuration data for 'system' | | [`software-access`](#configure-authority-router-system-software-access) | Configuration for SSR software access for this router. Supported on managed assets only. Any settings configured here will override the authority software access settings. | @@ -40742,6 +41195,73 @@ Options: - use-authority-setting: Use the authority wide remote-login state. +## `configure authority router system secure-conductor-onboarding` + +Configure Secure Conductor Onboarding + +##### Subcommands + +| command | description | +| ------- | ----------- | +| `delete` | Delete configuration data | +| [`mode`](#configure-authority-router-system-secure-conductor-onboarding-mode) | The secure conductor onboarding mode. | +| `override-generated` | Force auto-generated configuration and any modifications to it to persist on commit | +| [`pre-shared-secret`](#configure-authority-router-system-secure-conductor-onboarding-pre-shared-secret) | A 48-byte base64 encoded string used for conductor and router onboarding verification. | +| `show` | Show configuration data for 'secure-conductor-onboarding' | + +## `configure authority router system secure-conductor-onboarding mode` + +The secure conductor onboarding mode. + +#### Usage + +``` +configure authority router system secure-conductor-onboarding mode [] +``` + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| enumeration | The value to set for this field | + +#### Description + +##### enumeration + +A value from a set of predefined names. + +Options: + +- disabled: The secure conductor onboarding process is disabled. +- weak: Allows routers with a TPM to use pre-loaded self-signed certificates when onboarding. +- strong: For devices with DevID. Ensures the asset-id matches the serialNumber field in the router's public certificate. For public cloud instances with a vTPM, the router's endorsement key must match the configured endorsement key on the node. + +## `configure authority router system secure-conductor-onboarding pre-shared-secret` + +A 48-byte base64 encoded string used for conductor and router onboarding verification. + +#### Usage + +``` +configure authority router system secure-conductor-onboarding pre-shared-secret [] +``` + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| string | The value to set for this field | + +#### Description + +##### string + +A text value. + +Must be a 48 byte, base64 encoded string (64 characters). +Length: 64 + ## `configure authority router system services` Address information for internal services @@ -41710,15 +42230,42 @@ Configure SSL encryption for HTTPS. | command | description | | ------- | ----------- | -| [`ciphers`](#configure-authority-router-system-services-webserver-ssl-ciphers) | Configure the allowed ciphers. The full list of available ciphers can be viewed by running the 'openssl ciphers' shell command. See 'CIPHER LIST FORMAT' and 'CIPHER STRINGS' in the OpenSSL documentation https://www.openssl.org/docs/man1.1.1/man1/ciphers.html for the permitted values and their meanings. | +| [`cipher-suites`](#configure-authority-router-system-services-webserver-ssl-cipher-suites) | Configure the allowed ciphers for TLSv1.3. The full list of available ciphers can be viewed by running the 'openssl ciphers -s -tls1_3' shell command. See 'CIPHER LIST FORMAT' and 'CIPHER STRINGS' in the OpenSSL documentation https://www.openssl.org/docs/man1.1.1/man1/ciphers.html for the permitted values and their meanings. | +| [`ciphers`](#configure-authority-router-system-services-webserver-ssl-ciphers) | Configure the allowed ciphers for TLSv1.2. The full list of available ciphers can be viewed by running the 'openssl ciphers' shell command. See 'CIPHER LIST FORMAT' and 'CIPHER STRINGS' in the OpenSSL documentation https://www.openssl.org/docs/man1.1.1/man1/ciphers.html for the permitted values and their meanings. | | `delete` | Delete configuration data | | `override-generated` | Force auto-generated configuration and any modifications to it to persist on commit | -| [`protocol`](#configure-authority-router-system-services-webserver-ssl-protocol) | Configure the allowed protocols. By default both 'TLSv1.2' and 'TLSv1.3' are used. | +| [`protocol`](#configure-authority-router-system-services-webserver-ssl-protocol) | Configure the allowed protocols. By default both 'TLSv1.2' and 'TLSv1.3' are used. If compatibility with older browsers is not required then only TLSv1.3 should be used. | | `show` | Show configuration data for 'ssl' | +## `configure authority router system services webserver ssl cipher-suites` + +Configure the allowed ciphers for TLSv1.3. The full list of available ciphers can be viewed by running the 'openssl ciphers -s -tls1_3' shell command. See 'CIPHER LIST FORMAT' and 'CIPHER STRINGS' in the OpenSSL documentation https://www.openssl.org/docs/man1.1.1/man1/ciphers.html for the permitted values and their meanings. + +#### Usage + +``` +configure authority router system services webserver ssl cipher-suites [] +``` + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| string | The value to set for this field | + +#### Description + +Default: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 + +##### string + +A text value. + +Must contain only alphanumeric characters or any of the following: . - _ : + ## `configure authority router system services webserver ssl ciphers` -Configure the allowed ciphers. The full list of available ciphers can be viewed by running the 'openssl ciphers' shell command. See 'CIPHER LIST FORMAT' and 'CIPHER STRINGS' in the OpenSSL documentation https://www.openssl.org/docs/man1.1.1/man1/ciphers.html for the permitted values and their meanings. +Configure the allowed ciphers for TLSv1.2. The full list of available ciphers can be viewed by running the 'openssl ciphers' shell command. See 'CIPHER LIST FORMAT' and 'CIPHER STRINGS' in the OpenSSL documentation https://www.openssl.org/docs/man1.1.1/man1/ciphers.html for the permitted values and their meanings. #### Usage @@ -41734,15 +42281,17 @@ configure authority router system services webserver ssl ciphers [] #### Description -Default: HIGH:!aNULL:!MD5 +Default: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384 ##### string A text value. +Must contain only alphanumeric characters or any of the following: . - _ : + ## `configure authority router system services webserver ssl protocol` -Configure the allowed protocols. By default both 'TLSv1.2' and 'TLSv1.3' are used. +Configure the allowed protocols. By default both 'TLSv1.2' and 'TLSv1.3' are used. If compatibility with older browsers is not required then only TLSv1.3 should be used. #### Usage @@ -41977,10 +42526,137 @@ Configuration for SSR software updates. Supported on managed assets only. | command | description | | ------- | ----------- | | `delete` | Delete configuration data | +| [`download`](#configure-authority-router-system-software-update-download) | Configuration for software downloads. Supported on managed assets only. | | [`max-bandwidth`](#configure-authority-router-system-software-update-max-bandwidth) | Bandwidth limit for downloads of software updates. | | `override-generated` | Force auto-generated configuration and any modifications to it to persist on commit | | [`repository`](#configure-authority-router-system-software-update-repository) | Configuration for how to retrieve software updates. | +| [`rpm-operation-timeout`](#configure-authority-router-system-software-update-rpm-operation-timeout) | The timeout in seconds for rpm downloads and installs. Once the timeout is reached, the rpm operation will fail. | | `show` | Show configuration data for 'software-update' | +| [`timeout`](#configure-authority-router-system-software-update-timeout) | The timeout in seconds for the upgrade. Once the timeout is reached, the upgrade will fail. The timeout is reset when the device reboots during the upgrade. | + +## `configure authority router system software-update download` + +Configuration for software downloads. Supported on managed assets only. + +##### Subcommands + +| command | description | +| ------- | ----------- | +| [`attempts`](#configure-authority-router-system-software-update-download-attempts) | The maximum number of attempts to try the download before considering it failed. If set to 0, the download will retry until the timeout is hit. | +| `delete` | Delete configuration data | +| [`enable-timeout`](#configure-authority-router-system-software-update-download-enable-timeout) | Whether to set a timeout on the overall length of the download. | +| [`maximum-retry-delay`](#configure-authority-router-system-software-update-download-maximum-retry-delay) | The maximum amount of time in seconds to wait in between download attempts. The retry delay will start off small and back off exponentially up to this duration. | +| `override-generated` | Force auto-generated configuration and any modifications to it to persist on commit | +| `show` | Show configuration data for 'download' | +| [`timeout`](#configure-authority-router-system-software-update-download-timeout) | The timeout in seconds for the download. Once the timeout is reached, the download will fail. | + +## `configure authority router system software-update download attempts` + +The maximum number of attempts to try the download before considering it failed. If set to 0, the download will retry until the timeout is hit. + +#### Usage + +``` +configure authority router system software-update download attempts [] +``` + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| uint8 | The value to set for this field | + +#### Description + +Default: 10 + +##### uint8 + +An unsigned 8-bit integer. + +Range: 0-255 + +## `configure authority router system software-update download enable-timeout` + +Whether to set a timeout on the overall length of the download. + +#### Usage + +``` +configure authority router system software-update download enable-timeout [] +``` + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| boolean | The value to set for this field | + +#### Description + +Default: true + +##### boolean + +A true or false value. + +Options: true or false + +## `configure authority router system software-update download maximum-retry-delay` + +The maximum amount of time in seconds to wait in between download attempts. The retry delay will start off small and back off exponentially up to this duration. + +#### Usage + +``` +configure authority router system software-update download maximum-retry-delay [] +``` + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| uint32 | The value to set for this field | + +#### Description + +Units: seconds + +Default: 3600 + +##### uint32 + +An unsigned 32-bit integer. + +Range: 0-86400 + +## `configure authority router system software-update download timeout` + +The timeout in seconds for the download. Once the timeout is reached, the download will fail. + +#### Usage + +``` +configure authority router system software-update download timeout [] +``` + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| uint32 | The value to set for this field | + +#### Description + +Units: seconds + +Default: 10800 + +##### uint32 + +An unsigned 32-bit integer. + +Range: 1800-604800 ## `configure authority router system software-update max-bandwidth` @@ -42182,6 +42858,62 @@ Options: - prefer-conductor: Download software from the Conductor, using the Internet if the Conductor has not already downloaded the requested software. - internet-only: Download software from publicly available sources via the Internet. +## `configure authority router system software-update rpm-operation-timeout` + +The timeout in seconds for rpm downloads and installs. Once the timeout is reached, the rpm operation will fail. + +#### Usage + +``` +configure authority router system software-update rpm-operation-timeout [] +``` + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| uint32 | The value to set for this field | + +#### Description + +Units: seconds + +Default: 600 + +##### uint32 + +An unsigned 32-bit integer. + +Range: 300-86400 + +## `configure authority router system software-update timeout` + +The timeout in seconds for the upgrade. Once the timeout is reached, the upgrade will fail. The timeout is reset when the device reboots during the upgrade. + +#### Usage + +``` +configure authority router system software-update timeout [] +``` + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| uint32 | The value to set for this field | + +#### Description + +Units: seconds + +Default: 3600 + +##### uint32 + +An unsigned 32-bit integer. + +Range: 1800-604800 + ## `configure authority router system syslog` Syslog configuration lets administrators configure the SSR's interaction with external syslog services. @@ -44632,6 +45364,131 @@ configure authority routing resource-group [] This type is used by other entities that need to reference configured resource groups. +## `configure authority secure-conductor-onboarding` + +Configure Secure Conductor Onboarding + +##### Subcommands + +| command | description | +| ------- | ----------- | +| [`ca-certificate`](#configure-authority-secure-conductor-onboarding-ca-certificate) | The CA certificate used to sign the public certificate. | +| `delete` | Delete configuration data | +| `override-generated` | Force auto-generated configuration and any modifications to it to persist on commit | +| [`public-certificate`](#configure-authority-secure-conductor-onboarding-public-certificate) | The public certificate the conductor will use to prove it is the correct conductor. | +| [`rate-limits`](#configure-authority-secure-conductor-onboarding-rate-limits) | Rate limits for secure conductor onboarding requests. | +| `show` | Show configuration data for 'secure-conductor-onboarding' | + +## `configure authority secure-conductor-onboarding ca-certificate` + +The CA certificate used to sign the public certificate. + +#### Usage + +``` +configure authority secure-conductor-onboarding ca-certificate [] +``` + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| ca-certificate-ref | The value to set for this field | + +#### Description + +##### ca-certificate-ref (leafref) (required) + +This type is used by other entities that need to reference configured CA certificate. + +## `configure authority secure-conductor-onboarding public-certificate` + +The public certificate the conductor will use to prove it is the correct conductor. + +#### Usage + +``` +configure authority secure-conductor-onboarding public-certificate [] +``` + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| client-certificate-ref | The value to set for this field | + +#### Description + +##### client-certificate-ref (leafref) (required) + +This type is used by other entities that need to reference configured client certificate. + +## `configure authority secure-conductor-onboarding rate-limits` + +Rate limits for secure conductor onboarding requests. + +##### Subcommands + +| command | description | +| ------- | ----------- | +| `delete` | Delete configuration data | +| [`global`](#configure-authority-secure-conductor-onboarding-rate-limits-global) | The maximum number of SCO requests per second allowed from all clients. | +| `override-generated` | Force auto-generated configuration and any modifications to it to persist on commit | +| [`per-client`](#configure-authority-secure-conductor-onboarding-rate-limits-per-client) | The maximum number of SCO requests per second allowed from a single client IP. | +| `show` | Show configuration data for 'rate-limits' | + +## `configure authority secure-conductor-onboarding rate-limits global` + +The maximum number of SCO requests per second allowed from all clients. + +#### Usage + +``` +configure authority secure-conductor-onboarding rate-limits global [] +``` + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| uint16 | The value to set for this field | + +#### Description + +Default: 100 + +##### uint16 + +An unsigned 16-bit integer. + +Range: 1-1000 + +## `configure authority secure-conductor-onboarding rate-limits per-client` + +The maximum number of SCO requests per second allowed from a single client IP. + +#### Usage + +``` +configure authority secure-conductor-onboarding rate-limits per-client [] +``` + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| uint16 | The value to set for this field | + +#### Description + +Default: 1 + +##### uint16 + +An unsigned 16-bit integer. + +Range: 1-100 + ## `configure authority security` The security elements represent security policies for governing how and when the SSR encrypts and/or authenticates packets. @@ -44904,6 +45761,8 @@ Options: - sha1: SHA1 160-bit Key Hashed Message Authentication Code Mode. - sha256: SHA256 256-bit Key Hashed Message Authentication Code Mode. - sha256-128: SHA256 128-bit Key Hashed Message Authentication Code Mode. +- sha384: SHA384 384-bit Key Hashed Message Authentication Code Mode. +- sha512: SHA512 512-bit Key Hashed Message Authentication Code Mode. ## `configure authority security hmac-key` @@ -45031,7 +45890,7 @@ Configure Security Key Management | `clone` | Clone a list item | | `delete` | Delete configuration data | | [`invalid-certificate-behavior`](#configure-authority-security-key-management-invalid-certificate-behavior) | Behavior when a certificate is revoked, expired, or invalid. | -| [`key-exchange-algorithm`](#configure-authority-security-key-management-key-exchange-algorithm) | Configure Key Exchange Algorithm | +| [`key-exchange-algorithm`](#configure-authority-security-key-management-key-exchange-algorithm) | Key exchange algorithm selection for security key management for authority. | | `override-generated` | Force auto-generated configuration and any modifications to it to persist on commit | | [`payload-key-rekey-interval`](#configure-authority-security-key-management-payload-key-rekey-interval) | Hours between payload security key regeneration. | | [`peer-key-rekey-interval`](#configure-authority-security-key-management-peer-key-rekey-interval) | Hours between security key regeneration for peer routers. | @@ -45171,33 +46030,35 @@ Options: ## `configure authority security-key-management key-exchange-algorithm` -Configure Key Exchange Algorithm +Key exchange algorithm selection for security key management for authority. ##### Subcommands | command | description | | ------- | ----------- | | `delete` | Delete configuration data | -| [`diffie-hellman`](#configure-authority-security-key-management-key-exchange-algorithm-diffie-hellman) | Configure Diffie Hellman | +| [`diffie-hellman`](#configure-authority-security-key-management-key-exchange-algorithm-diffie-hellman) | Diffie-Hellman algorithm. | +| [`diffie-hellman-ml-kem`](#configure-authority-security-key-management-key-exchange-algorithm-diffie-hellman-ml-kem) | Diffie-Hellman and ML-KEM hybrid algorithm. | +| [`ml-kem`](#configure-authority-security-key-management-key-exchange-algorithm-ml-kem) | ML-KEM algorithm. | | `override-generated` | Force auto-generated configuration and any modifications to it to persist on commit | | `show` | Show configuration data for 'key-exchange-algorithm' | ## `configure authority security-key-management key-exchange-algorithm diffie-hellman` -Configure Diffie Hellman +Configure the Diffie-Hellman algorithm. ##### Subcommands | command | description | | ------- | ----------- | | `delete` | Delete configuration data | -| [`dh-key-size`](#configure-authority-security-key-management-key-exchange-algorithm-diffie-hellman-dh-key-size) | Configure Dh Key Size | +| [`dh-key-size`](#configure-authority-security-key-management-key-exchange-algorithm-diffie-hellman-dh-key-size) | The key size used for Diffie-Hellman algorithm. | | `override-generated` | Force auto-generated configuration and any modifications to it to persist on commit | | `show` | Show configuration data for 'diffie-hellman' | ## `configure authority security-key-management key-exchange-algorithm diffie-hellman dh-key-size` -Configure DH Key Size +The key size used for Diffie-Hellman algorithm. #### Usage @@ -45223,6 +46084,117 @@ Options: - 2048: 2048 bit key size - 4096: 4096 bit key size +## `configure authority security-key-management key-exchange-algorithm diffie-hellman-ml-kem` + +Diffie-Hellman and ML-KEM hybrid algorithm. + +##### Subcommands + +| command | description | +| ------- | ----------- | +| `delete` | Delete configuration data | +| [`dh-key-size`](#configure-authority-security-key-management-key-exchange-algorithm-diffie-hellman-ml-kem-dh-key-size) | The key size used for Diffie-Hellman algorithm. | +| [`ml-kem-key-size`](#configure-authority-security-key-management-key-exchange-algorithm-diffie-hellman-ml-kem-ml-kem-key-size) | The key size used for ML-KEM algorithm. | +| `override-generated` | Force auto-generated configuration and any modifications to it to persist on commit | +| `show` | Show configuration data for 'diffie-hellman-ml-kem' | + +## `configure authority security-key-management key-exchange-algorithm diffie-hellman-ml-kem dh-key-size` + +The key size used for Diffie-Hellman algorithm. + +#### Usage + +``` +configure authority security-key-management key-exchange-algorithm diffie-hellman-ml-kem dh-key-size [] +``` + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| diffie-hellman-key-size | The value to set for this field | + +#### Description + +##### diffie-hellman-key-size (enumeration) + +The key size to use in the Diffie-Hellman key exchange + +Options: + +- 1024: 1024 bit key size +- 2048: 2048 bit key size +- 4096: 4096 bit key size + +## `configure authority security-key-management key-exchange-algorithm diffie-hellman-ml-kem ml-kem-key-size` + +The key size used for ML-KEM algorithm. + +#### Usage + +``` +configure authority security-key-management key-exchange-algorithm diffie-hellman-ml-kem ml-kem-key-size [] +``` + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| ml-kem-key-size | The value to set for this field | + +#### Description + +##### ml-kem-key-size (enumeration) + +The key size to use in the ML-KEM key exchange + +Options: + +- 512: 512 bit key size +- 768: 768 bit key size +- 1024: 1024 bit key size + +## `configure authority security-key-management key-exchange-algorithm ml-kem` + +ML-KEM algorithm. + +##### Subcommands + +| command | description | +| ------- | ----------- | +| `delete` | Delete configuration data | +| [`ml-kem-key-size`](#configure-authority-security-key-management-key-exchange-algorithm-ml-kem-ml-kem-key-size) | The key size used for ML-KEM algorithm. | +| `override-generated` | Force auto-generated configuration and any modifications to it to persist on commit | +| `show` | Show configuration data for 'ml-kem' | + +## `configure authority security-key-management key-exchange-algorithm ml-kem ml-kem-key-size` + +The key size used for ML-KEM algorithm. + +#### Usage + +``` +configure authority security-key-management key-exchange-algorithm ml-kem ml-kem-key-size [] +``` + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| ml-kem-key-size | The value to set for this field | + +#### Description + +##### ml-kem-key-size (enumeration) + +The key size to use in the ML-KEM key exchange + +Options: + +- 512: 512 bit key size +- 768: 768 bit key size +- 1024: 1024 bit key size + ## `configure authority security-key-management payload-key-rekey-interval` Hours between payload security key regeneration. @@ -47880,27 +48852,27 @@ An unsigned 32-bit integer. ## `configure authority service-policy reverse-gateway-change-detection` -Compare the forward packet `source-mac` against the `reverse next-hop arp` entry, and trigger a flow-move for the session to pick up the reverse next-hop update. +Trigger a session-modify when the packet source-mac does not match the reverse next-hop ARP resolution for sessions that are not from inter-router or inter-node. #### Usage ``` -configure authority service-policy reverse-gateway-change-detection enabled +configure authority service-policy reverse-gateway-change-detection [] ``` ##### Positional Arguments | name | description | | ---- | ----------- | -| enumeration | The value to set for this field | +| boolean | The value to set for this field | #### Description -Default: disabled +Default: false -##### enumeration +##### boolean -A value from a set of predefined names. +A true or false value. Options: diff --git a/docs/enhanced-sec-key-mgmt.md b/docs/enhanced-sec-key-mgmt.md index 160ef89393..1e9a20f587 100644 --- a/docs/enhanced-sec-key-mgmt.md +++ b/docs/enhanced-sec-key-mgmt.md @@ -42,9 +42,9 @@ To understand the value of Enhanced Security Key Management, we can draw some co | Encrypt Original IP SA/DA | ESP | Encrypted with AES-CBC-256 encrypted Metadata sent within first Payload packet using metadata key. | | Secure Channel to exchange keys | IKEv2 | Diffie-Hellman. DH provides 4096-bit Peer key used to encrypt BFD Metadata. | | Confidentiality | Payload is encrypted with the IPSec Tunnel key; however, all individual sessions with the same IPSec tunnel share the same key. There is no confidentiality between sessions sharing the same source and destination address. | Payload encrypted with Per-Flow Payload key; SVR Metadata (containing the Per-Flow Payload key) is encrypted with the SVR Metadata Key. Because each session has a separate key, each session has confidentiality, even between the same source and destination address. | -| Integrity | ESP Authentication Header | HMAC SHA-384 signature signs all SVR Metadata and/or Payload in SVR packet. | +| Integrity | ESP Authentication Header | HMAC SHA-384 nd HMAC-SHA-512 signature signs all SVR Metadata and/or Payload in SVR packet. | | Authentication | IKEv2 PSK or x.509v3 certificates | SSR-signed x.509v3 certificate through root of trust to Intermediate CA installed on SSR| -| Data Origin Authentication | HMAC-SHA-384 | HMAC SHA-384 signature| +| Data Origin Authentication | HMAC-SHA-384 and HMAC-SHA-512 | HMAC SHA-384 and HMAC-SHA-512 signature | | Replay Protection | Yes | Nonce added for Replay Protection.| | Perfect Forward Secrecy | Yes | Keys in DH are seeded by Salt. | | IPv4 and IPv6 | Yes | Yes | diff --git a/docs/release_notes_128t_7.1.md b/docs/release_notes_128t_7.1.md index d216ba9f8f..07032bd6b3 100644 --- a/docs/release_notes_128t_7.1.md +++ b/docs/release_notes_128t_7.1.md @@ -77,7 +77,7 @@ These release notes are Beta only and are in progress. They are furnished to hel ------ - **I95-58959 Secure Conductor Onboarding:** Secure Conductor Onboarding (SCO) provides the ability to onboard a router to a conductor ensuring that each device proves possession of a private key, and that the connection is trusted and authenticated. For more information, see [Secure Conductor Onboarding](sec-conductor-onboard.md). ------ -- **I95-59948 SHA-384 and SHA-512 Support:** Added support for CNSA 2.0 algorithms SHA-384 and SHA-512 to support US Federal government deployments. +- **I95-59948 SHA-384 and SHA-512 Support:** Added support for CNSA 2.0 algorithms SHA-384 and SHA-512 to support US Federal government deployments. For additional information, see [`configure-authority-security-hmac-cipher`](config_command_guide.md#configure-authority-security-hmac-cipher). ------ - **I95-60209 ML-KEM support [FIPS-203]:** ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism) is a cryptographic protocol used in post-quantum cryptography to securely exchange keys over public channels. This level of protection offers security against both quantum and classical adversaries. On the SSR, ML-KEM can be used alone, or in conjuction with Diffie-Hellman as a hybrid approach to peer-key exchange and encryption. For more information, see [Post Quantum Cryptography Support](enhanced-sec-key-mgmt.md#post-quantum-cryptography-support). ------ diff --git a/docs/sec-secure-boot.md b/docs/sec-secure-boot.md index 3c76e1f5ae..7b9d9c2947 100644 --- a/docs/sec-secure-boot.md +++ b/docs/sec-secure-boot.md @@ -15,3 +15,20 @@ Secure boot ensures that only trusted (Juniper-signed) code will run from power- If authentication fails due to corruption or tampering, the boot processes terminates and the system will reset. +### IMA + +IMA is Linux’s Integrity Measurement Architecture. The SSR supports IMA validation using GPG Signatures. + +During the SSR IBU build process, every executable file (binaries, libraries, scripts, etc.) is signed. The signature is embedded into the root file system extended attributes of the file. + +When an IMA enforcement policy is enabled, the kernel checks the signature of each file before loading it for execution. If the check fails, execution is denied with an error. + +### Enable IMA Signature Validation + +A default IMA policy (`ima-policy.disabled`) is included in the SSR image. The policy is disabled and must be renamed to be enabled prior to installation. + +Rename the default disabled policy; + +`mv /etc/ima/ima-policy.disabled /etc/ima/ima-policy` + +And reboot. \ No newline at end of file From 6ce365102428dfffe2c73bba3247a77a1dcb65e3 Mon Sep 17 00:00:00 2001 From: Chris Date: Fri, 23 Jan 2026 09:22:16 -0500 Subject: [PATCH 43/58] Add EoSVR release note, IMA release note, and text describing IMA. Waiting on IMA error text. --- docs/release_notes_128t_7.1.md | 10 ++++------ docs/sec-secure-boot.md | 13 ++----------- 2 files changed, 6 insertions(+), 17 deletions(-) diff --git a/docs/release_notes_128t_7.1.md b/docs/release_notes_128t_7.1.md index 07032bd6b3..b92429e433 100644 --- a/docs/release_notes_128t_7.1.md +++ b/docs/release_notes_128t_7.1.md @@ -62,19 +62,17 @@ These release notes are Beta only and are in progress. They are furnished to hel ::: ### New Features - - **I95-48934 Configuration Integrity:** SSR Configuration Integrity protects authentication credentials, keys and certificates, network topology information, and other pieces of sensitive SSR configuration from unauthorized access when the system is powered off. It prevents network and SSR operations from executing when the system is determined to be in a compromised state. To learn more, see [Configuration Integrity](concepts-config-integrity.md). ------ +- **I95-54247 IMA - SSR Signed packages only execution:** IMA is Linux’s Integrity Measurement Architecture. The SSR supports IMA validation using GPG Signatures. IMA validation is enabled by default, allowing the kernel to check the signature of each file before loading it for execution. If the check fails, execution is denied with an error. for more information, see [Secure Boot - IMA](sec-secure-boot.md#ima). +------ - **I95-54248 Smart OS Download:** The SSR download process is now configurable, to provide better recovery and control over software downloads when a network connection fails. To improve resiliency against these network connectivity issues, the SSR queries available versions from all sources before beginning the download. If a request to a source fails, the SSR moves on to the next source. See [Smart OS Download](config-smart-download.md) for more information. ------ - **I95-56719 Conductor Scaling:** Several improvements have been made to increase the scale of conductor managed router/node deployments, as well as the reporting of router information, and the efficiency of the device communications. The conductor can now manage up to a combination of 5000 nodes and routers. It should be noted that there are scaling limitations, such as a reasonable configuration complexity. Improvements to web interface responsiveness and updates to the following pages: Peer Path table, Event history, and Peering Connections panel of the Topology view. ------ +- **I95-58446 EoSVR Loop Prevention:** EoSVR A/S Loop Prevention has been added, allowing EoSVR traffic to pass Broadcast, unknown-unicast, and multicast traffic through a switch without causing the port to be shut down. +------ - **I95-58959 Secure Conductor Onboarding:** Secure Conductor Onboarding (SCO) provides the ability to onboard a router to a conductor ensuring that each device proves possession of a private key, and that the connection is trusted and authenticated. For more information, see [Secure Conductor Onboarding](sec-conductor-onboard.md). ------ - **I95-59948 SHA-384 and SHA-512 Support:** Added support for CNSA 2.0 algorithms SHA-384 and SHA-512 to support US Federal government deployments. For additional information, see [`configure-authority-security-hmac-cipher`](config_command_guide.md#configure-authority-security-hmac-cipher). diff --git a/docs/sec-secure-boot.md b/docs/sec-secure-boot.md index 7b9d9c2947..57bf3554db 100644 --- a/docs/sec-secure-boot.md +++ b/docs/sec-secure-boot.md @@ -8,6 +8,7 @@ sidebar_label: Secure Boot | Release | Modification | | ------- | --------------------------- | | 7.1.0 | Secure Boot support added. | +| 7.1.3 | IMA support added. | The SSR400 and SSR440 are factory configured with a cryptographic public key that only allows an authenticated firmware image to run on the device. @@ -21,14 +22,4 @@ IMA is Linux’s Integrity Measurement Architecture. The SSR supports IMA valida During the SSR IBU build process, every executable file (binaries, libraries, scripts, etc.) is signed. The signature is embedded into the root file system extended attributes of the file. -When an IMA enforcement policy is enabled, the kernel checks the signature of each file before loading it for execution. If the check fails, execution is denied with an error. - -### Enable IMA Signature Validation - -A default IMA policy (`ima-policy.disabled`) is included in the SSR image. The policy is disabled and must be renamed to be enabled prior to installation. - -Rename the default disabled policy; - -`mv /etc/ima/ima-policy.disabled /etc/ima/ima-policy` - -And reboot. \ No newline at end of file +IMA validation is enabled by default, allowing the kernel to check the signature of each file before loading it for execution. If the check fails, execution is denied with an error. From 83de898212071abc7b2be80de4ad27e4d16bcaee Mon Sep 17 00:00:00 2001 From: Chris Date: Fri, 23 Jan 2026 10:44:55 -0500 Subject: [PATCH 44/58] added IMA error info. --- docs/sec-secure-boot.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/sec-secure-boot.md b/docs/sec-secure-boot.md index 57bf3554db..e4927c4850 100644 --- a/docs/sec-secure-boot.md +++ b/docs/sec-secure-boot.md @@ -22,4 +22,4 @@ IMA is Linux’s Integrity Measurement Architecture. The SSR supports IMA valida During the SSR IBU build process, every executable file (binaries, libraries, scripts, etc.) is signed. The signature is embedded into the root file system extended attributes of the file. -IMA validation is enabled by default, allowing the kernel to check the signature of each file before loading it for execution. If the check fails, execution is denied with an error. +IMA validation is enabled by default, allowing the kernel to check the signature of each file before loading it for execution. If the check fails, execution is denied with a **Permission denied** (EACCES) error code. From bd7f03221405cff7211b85f93f4c6ccbba405455 Mon Sep 17 00:00:00 2001 From: Chris Date: Wed, 28 Jan 2026 09:05:08 -0500 Subject: [PATCH 45/58] update IMA info --- docs/sec-secure-boot.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/sec-secure-boot.md b/docs/sec-secure-boot.md index e4927c4850..fa305c7ff0 100644 --- a/docs/sec-secure-boot.md +++ b/docs/sec-secure-boot.md @@ -18,8 +18,8 @@ If authentication fails due to corruption or tampering, the boot processes termi ### IMA -IMA is Linux’s Integrity Measurement Architecture. The SSR supports IMA validation using GPG Signatures. +IMA is Linux’s Integrity Measurement Architecture. The SSR400 and SSR440 support IMA validation using GPG Signatures. IMA is not available on virtual machines or on the SSR1x0 and SSR1x00 series devices. -During the SSR IBU build process, every executable file (binaries, libraries, scripts, etc.) is signed. The signature is embedded into the root file system extended attributes of the file. +During the SSR software build process, every executable file (binaries, libraries, scripts, etc.) is signed. The signature is embedded into the root file system extended attributes of the file. IMA validation is enabled by default, allowing the kernel to check the signature of each file before loading it for execution. If the check fails, execution is denied with a **Permission denied** (EACCES) error code. From 4366650e184690294766d106216aa99e7be9f99f Mon Sep 17 00:00:00 2001 From: Chris Date: Wed, 28 Jan 2026 11:19:09 -0500 Subject: [PATCH 46/58] IMA edits --- docs/sec-secure-boot.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/docs/sec-secure-boot.md b/docs/sec-secure-boot.md index fa305c7ff0..690ed6ddca 100644 --- a/docs/sec-secure-boot.md +++ b/docs/sec-secure-boot.md @@ -20,6 +20,10 @@ If authentication fails due to corruption or tampering, the boot processes termi IMA is Linux’s Integrity Measurement Architecture. The SSR400 and SSR440 support IMA validation using GPG Signatures. IMA is not available on virtual machines or on the SSR1x0 and SSR1x00 series devices. -During the SSR software build process, every executable file (binaries, libraries, scripts, etc.) is signed. The signature is embedded into the root file system extended attributes of the file. +During the SSR software build process, every executable file (binaries, libraries, scripts, etc.) is signed. The signature is embedded into the root file system extended attributes of the file. -IMA validation is enabled by default, allowing the kernel to check the signature of each file before loading it for execution. If the check fails, execution is denied with a **Permission denied** (EACCES) error code. +IMA validation is enabled by default for the root user, allowing the kernel to check the signature of each file before loading it for execution. Secondary kernels, and kernel loadable modules, are also validated before execution. If these checks fail, execution is denied with a **Permission denied** (EACCES) error code. + +:::important +IDP is excluded from IMA. +::: \ No newline at end of file From 29c440fd46b19e6102639678d7090b4c574a0e03 Mon Sep 17 00:00:00 2001 From: Chris Date: Thu, 29 Jan 2026 13:54:27 -0500 Subject: [PATCH 47/58] date and build number for swift Beta. --- docs/release_notes_128t_7.1.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/release_notes_128t_7.1.md b/docs/release_notes_128t_7.1.md index d51a9bfb37..100281527f 100644 --- a/docs/release_notes_128t_7.1.md +++ b/docs/release_notes_128t_7.1.md @@ -61,9 +61,9 @@ An issue has been identified that may be observed in conductor deployments runni An issue has been identified when onboarding SSR routers installed with older versions of software (such as 5.4.4) to Conductors running 6.3.x, when running in offline-mode. In some cases, certain software packages are not available to be installed during onboarding. To work around this issue, import the **package-based** (the "128T" prefixed) ISO for the current conductor version onto the conductor. This provides the necessary software packages to complete the onboarding process. This issue will be resolved in a future release. -## Beta Release 7.1.3-8r2 +## Beta Release 7.1.3-10r2 -**Release Date:** January 15, 2026 +**Release Date:** January 29, 2026 :::important These release notes are Beta only and are in progress. They are furnished to help provide information about updated and new features for controlled beta deliveries. They do not represent a full feature set. From b109d709da00eac03099392fc5fb28ca72bf2d52 Mon Sep 17 00:00:00 2001 From: Chris Date: Fri, 30 Jan 2026 15:14:26 -0500 Subject: [PATCH 48/58] date change, typo fixes, and adding better IMA info to the release notes. --- docs/release_notes_128t_7.1.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/release_notes_128t_7.1.md b/docs/release_notes_128t_7.1.md index 100281527f..2f1d2709bf 100644 --- a/docs/release_notes_128t_7.1.md +++ b/docs/release_notes_128t_7.1.md @@ -63,7 +63,7 @@ An issue has been identified when onboarding SSR routers installed with older ve ## Beta Release 7.1.3-10r2 -**Release Date:** January 29, 2026 +**Release Date:** January 30, 2026 :::important These release notes are Beta only and are in progress. They are furnished to help provide information about updated and new features for controlled beta deliveries. They do not represent a full feature set. @@ -73,7 +73,7 @@ These release notes are Beta only and are in progress. They are furnished to hel - **I95-48934 Configuration Integrity:** SSR Configuration Integrity protects authentication credentials, keys and certificates, network topology information, and other pieces of sensitive SSR configuration from unauthorized access when the system is powered off. It prevents network and SSR operations from executing when the system is determined to be in a compromised state. To learn more, see [Configuration Integrity](concepts-config-integrity.md). ------ -- **I95-54247 IMA - SSR Signed packages only execution:** IMA is Linux’s Integrity Measurement Architecture. The SSR supports IMA validation using GPG Signatures. IMA validation is enabled by default, allowing the kernel to check the signature of each file before loading it for execution. If the check fails, execution is denied with an error. for more information, see [Secure Boot - IMA](sec-secure-boot.md#ima). +- **I95-54247 IMA - SSR Signed packages only execution:** IMA is Linux’s Integrity Measurement Architecture. The SSR400 and SSR440 support IMA validation using GPG Signatures. IMA validation is enabled by default for the root user, allowing the kernel to check the signature of each file before loading it for execution. If these checks fail, execution is denied with a Permission denied (EACCES) error code. For more information, see [Secure Boot - IMA](sec-secure-boot.md#ima). ------ - **I95-54248 Smart OS Download:** The SSR download process is now configurable, to provide better recovery and control over software downloads when a network connection fails. To improve resiliency against these network connectivity issues, the SSR queries available versions from all sources before beginning the download. If a request to a source fails, the SSR moves on to the next source. See [Smart OS Download](config-smart-download.md) for more information. ------ From f0bdf7dd2ab9593e66107e3eaa410ebe88d2d1e7 Mon Sep 17 00:00:00 2001 From: Chris Date: Mon, 2 Feb 2026 10:42:13 -0500 Subject: [PATCH 49/58] mnior edits. --- docs/concept-tpm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/concept-tpm.md b/docs/concept-tpm.md index 0613b72670..aea652bc33 100644 --- a/docs/concept-tpm.md +++ b/docs/concept-tpm.md @@ -13,7 +13,7 @@ A Trusted Platform Module (TPM) is a secure cryptoprocessor that stores cryptogr ## TPM-Based Certificates -The SSR400 and SSR440 use the TPM-based certificate to ensure secure identification of the device. The device has a burnt-in idev-id certificate on the TPM. The idev-id certificate provides the device's JNPR serial number and model, proving that the device was manufactured in a Juniper facility. Hence, TPM certificate is a secure way for a Juniper device to prove its identity. +The SSR400 and SSR440 use the TPM-based certificate to ensure secure identification of the device. The device has a burnt-in idev-id certificate on the TPM. The idev-id certificate provides the device's Juniper serial number and model, proving that the device was manufactured in a Juniper facility. The TPM certificate is the most secure way for a Juniper device to prove its identity. ### Benefits of TPM-Based Certificates From e09863e1264db5f471988223dbad22fcd07231ad Mon Sep 17 00:00:00 2001 From: Chris Date: Tue, 3 Feb 2026 14:16:43 -0500 Subject: [PATCH 50/58] adding draft info for vTPM, updating build number and date for Swift Beta. --- docs/concept-tpm.md | 5 +++++ docs/release_notes_128t_7.1.md | 8 ++++---- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/docs/concept-tpm.md b/docs/concept-tpm.md index aea652bc33..49b6546019 100644 --- a/docs/concept-tpm.md +++ b/docs/concept-tpm.md @@ -39,5 +39,10 @@ In unsecured HTTP connections, hackers can easily intercept messages between cli When a signed SSL certificate secures a website, it proves that the organization has verified and authenticated its identity with the trusted third party. When the browser trusts the CA, the browser now trusts that organization’s identity too. +### Support for vTPM on Conductor-managed Deployments + +If a vTPM is present on a platform, the SSR will first check to see if a trusted certificate and private key already exists. For Azure, AWS, and GCP it is expected that these platforms generate their own keys and certificates. On other platforms, if no certificate and private key is present, a single `DevID` certificate and `master` private key are created and stored in the vTPM. + +Each certificate installed on the system is signed with a uniquely created private key pair and stored on disk, encrypted with the master key stored in the vTPM. diff --git a/docs/release_notes_128t_7.1.md b/docs/release_notes_128t_7.1.md index 2f1d2709bf..1a76f749bc 100644 --- a/docs/release_notes_128t_7.1.md +++ b/docs/release_notes_128t_7.1.md @@ -37,7 +37,7 @@ Routers running SSR software versions earlier than 6.3.5 cannot connect to condu If your conductor is currently running SSR version 6.3.5+, you may upgrade to 7.0.1 normally. -**Conductor Upgrades 6.2.x to 7.x** +**VM Upgrades 6.2.x to 7.x** Users upgrading a virtual machine, including those on AWS or Azure, previously installed with package-based SSR releases (6.2 and prior on Conductor-managed deployments only) should be aware of the following: @@ -61,12 +61,12 @@ An issue has been identified that may be observed in conductor deployments runni An issue has been identified when onboarding SSR routers installed with older versions of software (such as 5.4.4) to Conductors running 6.3.x, when running in offline-mode. In some cases, certain software packages are not available to be installed during onboarding. To work around this issue, import the **package-based** (the "128T" prefixed) ISO for the current conductor version onto the conductor. This provides the necessary software packages to complete the onboarding process. This issue will be resolved in a future release. -## Beta Release 7.1.3-10r2 +## Beta Release 7.1.3-11r2 -**Release Date:** January 30, 2026 +**Release Date:** February 5, 2026 :::important -These release notes are Beta only and are in progress. They are furnished to help provide information about updated and new features for controlled beta deliveries. They do not represent a full feature set. +These release notes are Beta only, and are in progress. They are furnished to help provide information about updated and new features for controlled beta deliveries. They do not represent a full feature set. ::: ### New Features From 9d07673873eb71d5729726f28983ab7882e70e16 Mon Sep 17 00:00:00 2001 From: Chris Date: Wed, 4 Feb 2026 15:43:25 -0500 Subject: [PATCH 51/58] adding link to config integrity topic --- docs/concept-tpm.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/concept-tpm.md b/docs/concept-tpm.md index 49b6546019..85b90e87d7 100644 --- a/docs/concept-tpm.md +++ b/docs/concept-tpm.md @@ -39,6 +39,8 @@ In unsecured HTTP connections, hackers can easily intercept messages between cli When a signed SSL certificate secures a website, it proves that the organization has verified and authenticated its identity with the trusted third party. When the browser trusts the CA, the browser now trusts that organization’s identity too. +For additional details on how SSR uses TPM, see [Configuration Integrity](concepts-config-integrity.md). + ### Support for vTPM on Conductor-managed Deployments If a vTPM is present on a platform, the SSR will first check to see if a trusted certificate and private key already exists. For Azure, AWS, and GCP it is expected that these platforms generate their own keys and certificates. On other platforms, if no certificate and private key is present, a single `DevID` certificate and `master` private key are created and stored in the vTPM. From 0107322489d454b3a8940401134db80420253d89 Mon Sep 17 00:00:00 2001 From: Chris Date: Thu, 5 Feb 2026 09:08:45 -0500 Subject: [PATCH 52/58] Correct security metadata-key regenerate command to rotate security metadata-key per i95-64076 for the swift beta ahead of the fix in master. --- docs/enhanced-sec-key-mgmt.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/enhanced-sec-key-mgmt.md b/docs/enhanced-sec-key-mgmt.md index 1e9a20f587..481cb3cff0 100644 --- a/docs/enhanced-sec-key-mgmt.md +++ b/docs/enhanced-sec-key-mgmt.md @@ -201,7 +201,7 @@ config invalid-certificate-behavior fail-soft ``` -In cases where you want to manually force key rotation on the routers, use the `security metadata-key regenerate` command to tell the active node to immediately regenerate the metadata key with an incremented rekey index. The active node will push the new metadata key to the peer node. +In cases where you want to manually force key rotation on the routers, use the `rotate security metadata-key` command to tell the active node to immediately regenerate the metadata key with an incremented rekey index. The active node will push the new metadata key to the peer node. #### Sample Default Configuration: From c78101f024891955f6e6b58bb23460d621f6b9ce Mon Sep 17 00:00:00 2001 From: Chris Date: Mon, 9 Feb 2026 09:44:40 -0500 Subject: [PATCH 53/58] updates with a couple new issues --- docs/release_notes_128t_7.1.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/release_notes_128t_7.1.md b/docs/release_notes_128t_7.1.md index 816c381fa1..07bdfb2947 100644 --- a/docs/release_notes_128t_7.1.md +++ b/docs/release_notes_128t_7.1.md @@ -124,6 +124,10 @@ These release notes are Beta only, and are in progress. They are furnished to he - **I95-63675 Node page in the GUI appears to load indefinitely:** Resolved an issue where the GUI Node page would load infinitely. ------ - **I95-63729 Asset state not accurately reported in conductor:** Resolved an issue where issue where the SSH authorized keys from one HA conductor node were deleted after restarting both HA conductor nodes. +------ +- **I95-63817 Default peering certificates are unable to used configured peering-common-name:** Resolved an issue where the default peering certificates were generated before receiving the configuration. The default generated peering certificate now properly uses the `peering-common-name` SSR configuration element. +------ +- **I95-63923 Redundant conductor fails to upgrade:** Resolved an issue where a minion disconnects from the conductor node and never attempts to reconnect. The minion watchdog process now restarts the salt minion if it is not connected to all conductor nodes. ## Release 7.1.0-50r1 From 3b594b64b1308fe43c7a74cf9500c191182e635f Mon Sep 17 00:00:00 2001 From: Chris Date: Mon, 9 Feb 2026 13:47:25 -0500 Subject: [PATCH 54/58] interim commit with some new jiras for the release notes. --- docs/release_notes_128t_7.1.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/release_notes_128t_7.1.md b/docs/release_notes_128t_7.1.md index 07bdfb2947..2d62a40c3a 100644 --- a/docs/release_notes_128t_7.1.md +++ b/docs/release_notes_128t_7.1.md @@ -71,6 +71,8 @@ These release notes are Beta only, and are in progress. They are furnished to he ### New Features +- **I95-26081 Display negotiated BFD Interval:** The command `show peers bfd-interval` has been added to display the negotiated bfd-interval in three columns, `Rx Timer`, `Tx Timer`, and `Multiplier`. See [Negotiated BFD Intervals](howto_tune_bfd.md#negotiated-bfd-intervals) for more information. +------ - **I95-48934 Configuration Integrity:** SSR Configuration Integrity protects authentication credentials, keys and certificates, network topology information, and other pieces of sensitive SSR configuration from unauthorized access when the system is powered off. It prevents network and SSR operations from executing when the system is determined to be in a compromised state. To learn more, see [Configuration Integrity](concepts-config-integrity.md). ------ - **I95-54247 IMA - SSR Signed packages only execution:** IMA is Linux’s Integrity Measurement Architecture. The SSR400 and SSR440 support IMA validation using GPG Signatures. IMA validation is enabled by default for the root user, allowing the kernel to check the signature of each file before loading it for execution. If these checks fail, execution is denied with a Permission denied (EACCES) error code. For more information, see [Secure Boot - IMA](sec-secure-boot.md#ima). @@ -97,6 +99,8 @@ These release notes are Beta only, and are in progress. They are furnished to he ------ ---> - **I95-57605 BFD link-test-interval not accurate:** Resolved as part of I95-59720. Several modifications have been made to the BFD timers to improve accuracy. ------ +- **I95-60545 Attempting network interface lookup with invalid ID:** Resolved an issue where errors due to an invalid ID were flooding the logs. Error logs in highway regarding a failed interface lookup for an invalid interface are now suppressed. +------ - **I95-61823 Change `ESKM_DISABLED` to `ESKM_STANDBY` for HA router in standby state:** For routers configured as part of an HA Enhanced Security Key Management (ESKM) deployment, the standby state is now correctly identified as `ESKM_STANDBY`. ------ - **I95-61856 Add `reload local certificates` command for ESKM:** The `reload local certificates` command has been added to allow the updating of local certificates. See [`reload local certificates`](cli_reference.md#reload-local-certificates) for more information. From 96ea63ca2f885d2cf9f25370917166ccc5925c37 Mon Sep 17 00:00:00 2001 From: Chris Date: Tue, 10 Feb 2026 16:29:18 -0500 Subject: [PATCH 55/58] interim commit --- docs/cli_reference.md | 65 +++++++++++++++++++++++++++++++--- docs/config-smart-download.md | 26 +++++++++++--- docs/release_notes_128t_7.1.md | 2 ++ 3 files changed, 83 insertions(+), 10 deletions(-) diff --git a/docs/cli_reference.md b/docs/cli_reference.md index b955a27bef..971c48b46a 100755 --- a/docs/cli_reference.md +++ b/docs/cli_reference.md @@ -2659,7 +2659,7 @@ Download a new version of the SSR. #### Usage ``` -request system software download [{router | resource-group }] [cohort-id ] [force] [node ] version +request system software download [{router | resource-group }] [cohort-id ] [sequenced] [force] [node ] version ``` ##### Keyword Arguments @@ -2671,8 +2671,15 @@ request system software download [{router | resource-group | resource-group | resource-group }] [force] [node ] version +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| force | Skip confirmation prompt | +| node | The node on which to pause the software download | +| resource-group | The name of the resource group | +| router | The router on which to pause the software download (default: <current router>) | +| version | The version to pause the software download | + +#### Description + +Pause an SSR download on a router or node. When targeting a router, both nodes will issue the download pause request at the same time. The command can also be addressed to all routers or a particular resource-group. + ## `request system software health-check` Perform a health check of an SSR. @@ -5774,6 +5805,29 @@ Completed in 0.01 seconds | Release | Modification | | ------- | ----------------------------| | 4.4.0 | This feature was introduced | +## `show certificate ca` + +Display certificate authority certificate data + +#### Usage + +``` +show certificate ca [name ] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| name | An identifier for a certificate | +| node | The node for which to display certificates | +| router | The router for which to display certificates (default: <current router>) | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary (default: summary) | ## `show certificate webserver` @@ -6617,8 +6671,8 @@ config | command | description | | ------- | ----------- | -| `authority` | Show configuration data for `authority` | -| `generated` | Show configuration data for `generated` | +| [`authority`](#show-config-candidate-authority) | Show configuration data for 'authority' | +| [`generated`](#show-config-candidate-generated) | Show configuration data for 'generated' | ## `show config disk-cache` @@ -6883,8 +6937,8 @@ config | command | description | | ------- | ----------- | -| `authority` | Show configuration data for `authority` | -| `generated` | Show configuration data for `generated` | +| [`authority`](#show-config-running-authority) | Show configuration data for 'authority' | +| [`generated`](#show-config-running-generated) | Show configuration data for 'generated' | ## `show config version` @@ -11701,6 +11755,7 @@ show system [{router | resource-group }] [force] [node | [`resource-allocation`](#show-system-resource-allocation) | Display information for reserved hugepages and CPU core masks. | | [`services`](#show-system-services) | Display a table summarizing statuses of SSR systemd services. | | [`software`](#show-system-software) | <available> \| <downgrade> \| <download> \| <health-check> \| <revert> \| <sources> \| <upgrade> | +| [`utilization`](#show-system-utilization) | <session-processors> | | [`version`](#show-system-version) | Show system version information. | ##### See Also diff --git a/docs/config-smart-download.md b/docs/config-smart-download.md index 1cad503d44..d5fe6d8d11 100644 --- a/docs/config-smart-download.md +++ b/docs/config-smart-download.md @@ -41,17 +41,33 @@ If an HA Router fails during download and another download is requested after fa ## Resumable SSR Download -Downloads can be paused manually using a CLI command, or automatically paused if the connection fails. When manually paused, the process can be continued by manually restarting the download. In the case of a failed connection, the SSR will automatically resume the download when the connection is restored. In both instances, the download resumes from the point where the download was stopped. +Downloads are automatically paused if the connection fails. When the connection is restored, the SSR automatically resumes the download from the point where it stopped. -To manually pause a download from the CLI, use the `request system software download pause` command. +Downloads can also be manually paused, resumed, or deleted from either the CLI or the GUI. -Example: +#### Command Line + +To pause a download from the CLI, use the `request system software download pause` command. ``` -request system software download pause version SSR-7.0.1-1 -request system software download pause router Router1 node Node1 version 6.3.6-1 +request system software download pause version SSR-7.1.3-4 +request system software download pause router Router1 node Node1 version 7.1.0-1 ``` +The download process can be continued by restarting the download; `request system software download`. The download resumes from the point where the download was paused. + +As a system cleanup operation, you can delete stale versions of the software using the `delete system software` command. + +#### GUI + +On the Software Lifecycle page, an in-progress download can be paused by selecting the download, and clicking the Pause button in the Details view. + + + +Using the same window, you can also resume or delete a download. + + + ### Auto-resume Download on WAN Failures In the event that all sources have reached the threshold of consecutive failures and a download attempt has returned an error, the SSR can be configured to wait for a specified amount of time and then retry the download. If a connection is successfully made, the download will resume where it left off. diff --git a/docs/release_notes_128t_7.1.md b/docs/release_notes_128t_7.1.md index 2d62a40c3a..8e462b10a0 100644 --- a/docs/release_notes_128t_7.1.md +++ b/docs/release_notes_128t_7.1.md @@ -127,6 +127,8 @@ These release notes are Beta only, and are in progress. They are furnished to he ------ - **I95-63675 Node page in the GUI appears to load indefinitely:** Resolved an issue where the GUI Node page would load infinitely. ------ +- **I95-63676 Waypoints fail to allocate when the `service-path peer next-hop gateway` is off the subnet:** Resolved an issue where the first network-interface IP was selected as the local IP for waypoint allocation, even if that IP is not a valid waypoint. +------ - **I95-63729 Asset state not accurately reported in conductor:** Resolved an issue where issue where the SSH authorized keys from one HA conductor node were deleted after restarting both HA conductor nodes. ------ - **I95-63817 Default peering certificates are unable to used configured peering-common-name:** Resolved an issue where the default peering certificates were generated before receiving the configuration. The default generated peering certificate now properly uses the `peering-common-name` SSR configuration element. From ac610762639baade5f2bc0f160d5bda758007cec Mon Sep 17 00:00:00 2001 From: Chris Date: Wed, 11 Feb 2026 14:30:41 -0500 Subject: [PATCH 56/58] updating smart download topic with gui info, and adding latest cli docs. --- docs/cli_stats_reference.md | 2734 ++++++++++++----- docs/config-smart-download.md | 4 +- docs/config_command_guide.md | 80 + docs/release_notes_128t_7.1.md | 8 +- static/img/config-smartdwnld-pause.png | Bin 0 -> 60753 bytes .../img/config-smartdwnld-resume-delete.png | Bin 0 -> 64259 bytes 6 files changed, 2099 insertions(+), 727 deletions(-) create mode 100644 static/img/config-smartdwnld-pause.png create mode 100644 static/img/config-smartdwnld-resume-delete.png diff --git a/docs/cli_stats_reference.md b/docs/cli_stats_reference.md index 1df549243b..ad56b56bb7 100755 --- a/docs/cli_stats_reference.md +++ b/docs/cli_stats_reference.md @@ -30979,6 +30979,7 @@ show stats app-id [since ] [force] [router ] [node ] [] [for For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ +## `show stats app-id summary-tracking` + +Statistics for 'summary-tracking' + +#### Usage + +``` +show stats app-id summary-tracking [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + +##### Subcommands + +| command | description | +| ------- | ----------- | +| [`stale-contributor`](#show-stats-app-id-summary-tracking-stale-contributor) | Statistics for 'stale-contributor' | + +## `show stats app-id summary-tracking stale-contributor` + +Statistics for 'stale-contributor' + +#### Usage + +``` +show stats app-id summary-tracking stale-contributor [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + +##### Subcommands + +| command | description | +| ------- | ----------- | +| [`detected`](#show-stats-app-id-summary-tracking-stale-contributor-detected) | The count of times when stale contributors were detected (in-memory) | +| [`stack-generated`](#show-stats-app-id-summary-tracking-stale-contributor-stack-generated) | The count of times when stale contributors stack traces were generated (in-memory) | +| [`stack-skipped`](#show-stats-app-id-summary-tracking-stale-contributor-stack-skipped) | The count of times when stale contributors stack traces were skipped (in-memory) | + +## `show stats app-id summary-tracking stale-contributor detected` + +The count of times when stale contributors were detected (in-memory) + +#### Usage + +``` +show stats app-id summary-tracking stale-contributor detected [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + +#### Description + +For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ + +## `show stats app-id summary-tracking stale-contributor stack-generated` + +The count of times when stale contributors stack traces were generated (in-memory) + +#### Usage + +``` +show stats app-id summary-tracking stale-contributor stack-generated [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + +#### Description + +For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ + +## `show stats app-id summary-tracking stale-contributor stack-skipped` + +The count of times when stale contributors stack traces were skipped (in-memory) + +#### Usage + +``` +show stats app-id summary-tracking stale-contributor stack-skipped [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + +#### Description + +For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ + ## `show stats app-id url-lookup` Statistics for 'url-lookup' @@ -37218,6 +37370,7 @@ show stats bfd [since ] [force] [router ] [node ] [] [peer-node-id ] For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ -## `show stats bfd by-peer-node-id salt` +## `show stats bfd by-peer-node-id ml-kem-key` -Stats pertaining to BFD salt exchange peer peer node-id +Stats pertaining to BFD ml-kem-key exchange peer peer node-id #### Usage ``` -show stats bfd by-peer-node-id salt [peer-name ] [peer-node-id ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-node-id ml-kem-key [peer-name ] [peer-node-id ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -38289,8 +38443,8 @@ show stats bfd by-peer-node-id salt [peer-name ] [peer-node-id ] [peer-node-id ] [peer-node-id ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-node-id ml-kem-key received [peer-name ] [peer-node-id ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -38330,8 +38484,8 @@ show stats bfd by-peer-node-id salt received [peer-name ] [peer-node- | command | description | | ------- | ----------- | -| [`miss`](#show-stats-bfd-by-peer-node-id-salt-received-miss) | BFD salt exchange packets not received in time for the peer node-id. (in-memory) | -| [`success`](#show-stats-bfd-by-peer-node-id-salt-received-success) | BFD salt exchange packets received for the peer node-id. (in-memory) | +| [`miss`](#show-stats-bfd-by-peer-node-id-ml-kem-key-received-miss) | BFD ml-kem-key exchange packets not received in time for the peer node-id. (in-memory) | +| [`success`](#show-stats-bfd-by-peer-node-id-ml-kem-key-received-success) | BFD ml-kem-key exchange packets received for the peer node-id. (in-memory) | ##### See Also @@ -38340,14 +38494,14 @@ show stats bfd by-peer-node-id salt received [peer-name ] [peer-node- | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -## `show stats bfd by-peer-node-id salt received miss` +## `show stats bfd by-peer-node-id ml-kem-key received miss` -BFD salt exchange packets not received in time for the peer node-id. (in-memory) +BFD ml-kem-key exchange packets not received in time for the peer node-id. (in-memory) #### Usage ``` -show stats bfd by-peer-node-id salt received miss [peer-name ] [peer-node-id ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-node-id ml-kem-key received miss [peer-name ] [peer-node-id ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -38378,14 +38532,14 @@ show stats bfd by-peer-node-id salt received miss [peer-name ] [peer- For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ -## `show stats bfd by-peer-node-id salt received success` +## `show stats bfd by-peer-node-id ml-kem-key received success` -BFD salt exchange packets received for the peer node-id. (in-memory) +BFD ml-kem-key exchange packets received for the peer node-id. (in-memory) #### Usage ``` -show stats bfd by-peer-node-id salt received success [peer-name ] [peer-node-id ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-node-id ml-kem-key received success [peer-name ] [peer-node-id ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -38416,14 +38570,14 @@ show stats bfd by-peer-node-id salt received success [peer-name ] [pe For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ -## `show stats bfd by-peer-node-id salt sent` +## `show stats bfd by-peer-node-id ml-kem-key sent` -BFD salt exchange packets sent for the peer node-id. +BFD ml-kem-key exchange packets sent for the peer node-id. #### Usage ``` -show stats bfd by-peer-node-id salt sent [peer-name ] [peer-node-id ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-node-id ml-kem-key sent [peer-name ] [peer-node-id ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -38447,7 +38601,7 @@ show stats bfd by-peer-node-id salt sent [peer-name ] [peer-node-id < | command | description | | ------- | ----------- | -| [`success`](#show-stats-bfd-by-peer-node-id-salt-sent-success) | BFD salt exchange packets sent successfully for the peer node-id. (in-memory) | +| [`success`](#show-stats-bfd-by-peer-node-id-ml-kem-key-sent-success) | BFD ml-kem-key exchange packets sent successfully for the peer node-id. (in-memory) | ##### See Also @@ -38456,14 +38610,14 @@ show stats bfd by-peer-node-id salt sent [peer-name ] [peer-node-id < | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -## `show stats bfd by-peer-node-id salt sent success` +## `show stats bfd by-peer-node-id ml-kem-key sent success` -BFD salt exchange packets sent successfully for the peer node-id. (in-memory) +BFD ml-kem-key exchange packets sent successfully for the peer node-id. (in-memory) #### Usage ``` -show stats bfd by-peer-node-id salt sent success [peer-name ] [peer-node-id ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-node-id ml-kem-key sent success [peer-name ] [peer-node-id ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -38494,28 +38648,26 @@ show stats bfd by-peer-node-id salt sent success [peer-name ] [peer-n For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ -## `show stats bfd by-peer-path` +## `show stats bfd by-peer-node-id salt` -Stats pertaining to BFD per peer path +Stats pertaining to BFD salt exchange peer peer node-id #### Usage ``` -show stats bfd by-peer-path [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-node-id salt [peer-name ] [peer-node-id ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments | name | description | | ---- | ----------- | -| device-name | The name of the device port for which this metric was generated (comma-separated list) | | force | Skip confirmation prompt. Only required when targeting all routers | | node | The name of the node generating this metric | -| peer-host | The host of the peer generating this metric (comma-separated list) | | peer-name | The name of the peer generating this metric (comma-separated list) | +| peer-node-id | The node id of the peer generating this metric (comma-separated list) | | router | The router for which to display stats (default: <current router>) | | since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | -| vlan | The vlan for which this metrics was generated (comma-separated list) | ##### Positional Arguments @@ -38527,23 +38679,8 @@ show stats bfd by-peer-path [peer-name ] [peer-host ] [dev | command | description | | ------- | ----------- | -| [`async`](#show-stats-bfd-by-peer-path-async) | Stats pertaining to BFD async mode per peer path | -| [`average-latency`](#show-stats-bfd-by-peer-path-average-latency) | Rolling average latency in milliseconds for the SSR peer path. | -| [`cert`](#show-stats-bfd-by-peer-path-cert) | Stats pertaining to BFD certificate exchange per peer path | -| [`dh-public-key`](#show-stats-bfd-by-peer-path-dh-public-key) | Stats pertaining to BFD dh-public-key exchange per peer path | -| [`dynamic-damping`](#show-stats-bfd-by-peer-path-dynamic-damping) | Stats pertaining to Dynamic BFD Damping | -| [`echo`](#show-stats-bfd-by-peer-path-echo) | Stats pertaining to BFD echo mode per peer path | -| [`jitter`](#show-stats-bfd-by-peer-path-jitter) | Jitter in milliseconds for the SSR peer path. | -| [`latency`](#show-stats-bfd-by-peer-path-latency) | Latency in milliseconds for the SSR peer path. | -| [`link-down`](#show-stats-bfd-by-peer-path-link-down) | Stats tracking BFD link down event per peer path | -| [`link-up`](#show-stats-bfd-by-peer-path-link-up) | The number of link-ups on the peer path. (in-memory) | -| [`local-source-nat-change`](#show-stats-bfd-by-peer-path-local-source-nat-change) | The number of local source nat changes on the peer path. (in-memory) | -| [`local-source-nat-reset`](#show-stats-bfd-by-peer-path-local-source-nat-reset) | The number of local source nat resets on the peer path. (in-memory) | -| [`loss`](#show-stats-bfd-by-peer-path-loss) | Packet loss percentange for the SSR peer path. | -| [`metadata-key`](#show-stats-bfd-by-peer-path-metadata-key) | Stats pertaining to BFD metadata-key exchange per peer path | -| [`mos`](#show-stats-bfd-by-peer-path-mos) | MOS value calculated for the SSR peer path. (hundreths of a decimal) | -| [`neighbor`](#show-stats-bfd-by-peer-path-neighbor) | Stats pertaining to BFD Neighbor | -| [`salt`](#show-stats-bfd-by-peer-path-salt) | Stats pertaining to BFD salt exchange per peer path | +| [`received`](#show-stats-bfd-by-peer-node-id-salt-received) | BFD salt exchange packets received for the peer node-id. | +| [`sent`](#show-stats-bfd-by-peer-node-id-salt-sent) | BFD salt exchange packets sent for the peer node-id. | ##### See Also @@ -38552,28 +38689,26 @@ show stats bfd by-peer-path [peer-name ] [peer-host ] [dev | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -## `show stats bfd by-peer-path async` +## `show stats bfd by-peer-node-id salt received` -Stats pertaining to BFD async mode per peer path +BFD salt exchange packets received for the peer node-id. #### Usage ``` -show stats bfd by-peer-path async [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-node-id salt received [peer-name ] [peer-node-id ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments | name | description | | ---- | ----------- | -| device-name | The name of the device port for which this metric was generated (comma-separated list) | | force | Skip confirmation prompt. Only required when targeting all routers | | node | The name of the node generating this metric | -| peer-host | The host of the peer generating this metric (comma-separated list) | | peer-name | The name of the peer generating this metric (comma-separated list) | +| peer-node-id | The node id of the peer generating this metric (comma-separated list) | | router | The router for which to display stats (default: <current router>) | | since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | -| vlan | The vlan for which this metrics was generated (comma-separated list) | ##### Positional Arguments @@ -38585,8 +38720,8 @@ show stats bfd by-peer-path async [peer-name ] [peer-host | command | description | | ------- | ----------- | -| [`received`](#show-stats-bfd-by-peer-path-async-received) | BFD async packets received on the peer path. | -| [`sent`](#show-stats-bfd-by-peer-path-async-sent) | BFD async packets sent on the peer path. | +| [`miss`](#show-stats-bfd-by-peer-node-id-salt-received-miss) | BFD salt exchange packets not received in time for the peer node-id. (in-memory) | +| [`success`](#show-stats-bfd-by-peer-node-id-salt-received-success) | BFD salt exchange packets received for the peer node-id. (in-memory) | ##### See Also @@ -38595,28 +38730,26 @@ show stats bfd by-peer-path async [peer-name ] [peer-host | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -## `show stats bfd by-peer-path async received` +## `show stats bfd by-peer-node-id salt received miss` -BFD async packets received on the peer path. +BFD salt exchange packets not received in time for the peer node-id. (in-memory) #### Usage ``` -show stats bfd by-peer-path async received [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-node-id salt received miss [peer-name ] [peer-node-id ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments | name | description | | ---- | ----------- | -| device-name | The name of the device port for which this metric was generated (comma-separated list) | | force | Skip confirmation prompt. Only required when targeting all routers | | node | The name of the node generating this metric | -| peer-host | The host of the peer generating this metric (comma-separated list) | | peer-name | The name of the peer generating this metric (comma-separated list) | +| peer-node-id | The node id of the peer generating this metric (comma-separated list) | | router | The router for which to display stats (default: <current router>) | | since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | -| vlan | The vlan for which this metrics was generated (comma-separated list) | ##### Positional Arguments @@ -38624,13 +38757,6 @@ show stats bfd by-peer-path async received [peer-name ] [peer-host

] [peer-host

] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-node-id salt received success [peer-name ] [peer-node-id ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments | name | description | | ---- | ----------- | -| device-name | The name of the device port for which this metric was generated (comma-separated list) | | force | Skip confirmation prompt. Only required when targeting all routers | | node | The name of the node generating this metric | -| peer-host | The host of the peer generating this metric (comma-separated list) | | peer-name | The name of the peer generating this metric (comma-separated list) | +| peer-node-id | The node id of the peer generating this metric (comma-separated list) | | router | The router for which to display stats (default: <current router>) | | since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | -| vlan | The vlan for which this metrics was generated (comma-separated list) | ##### Positional Arguments @@ -38678,28 +38806,26 @@ show stats bfd by-peer-path async received miss [peer-name ] [peer-ho For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ -## `show stats bfd by-peer-path async received success` +## `show stats bfd by-peer-node-id salt sent` -BFD async packets received on the peer path. (in-memory) +BFD salt exchange packets sent for the peer node-id. #### Usage ``` -show stats bfd by-peer-path async received success [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-node-id salt sent [peer-name ] [peer-node-id ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments | name | description | | ---- | ----------- | -| device-name | The name of the device port for which this metric was generated (comma-separated list) | | force | Skip confirmation prompt. Only required when targeting all routers | | node | The name of the node generating this metric | -| peer-host | The host of the peer generating this metric (comma-separated list) | | peer-name | The name of the peer generating this metric (comma-separated list) | +| peer-node-id | The node id of the peer generating this metric (comma-separated list) | | router | The router for which to display stats (default: <current router>) | | since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | -| vlan | The vlan for which this metrics was generated (comma-separated list) | ##### Positional Arguments @@ -38707,6 +38833,12 @@ show stats bfd by-peer-path async received success [peer-name ] [peer | ---- | ----------- | | verbosity | detail \| summary \| debug (default: detail) | +##### Subcommands + +| command | description | +| ------- | ----------- | +| [`success`](#show-stats-bfd-by-peer-node-id-salt-sent-success) | BFD salt exchange packets sent successfully for the peer node-id. (in-memory) | + ##### See Also | command | description | @@ -38714,32 +38846,26 @@ show stats bfd by-peer-path async received success [peer-name ] [peer | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -#### Description - -For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ - -## `show stats bfd by-peer-path async sent` +## `show stats bfd by-peer-node-id salt sent success` -BFD async packets sent on the peer path. +BFD salt exchange packets sent successfully for the peer node-id. (in-memory) #### Usage ``` -show stats bfd by-peer-path async sent [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-node-id salt sent success [peer-name ] [peer-node-id ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments | name | description | | ---- | ----------- | -| device-name | The name of the device port for which this metric was generated (comma-separated list) | | force | Skip confirmation prompt. Only required when targeting all routers | | node | The name of the node generating this metric | -| peer-host | The host of the peer generating this metric (comma-separated list) | | peer-name | The name of the peer generating this metric (comma-separated list) | +| peer-node-id | The node id of the peer generating this metric (comma-separated list) | | router | The router for which to display stats (default: <current router>) | | since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | -| vlan | The vlan for which this metrics was generated (comma-separated list) | ##### Positional Arguments @@ -38747,14 +38873,6 @@ show stats bfd by-peer-path async sent [peer-name ] [peer-host ] [peer-host ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -38791,45 +38913,28 @@ show stats bfd by-peer-path async sent arp-failure [peer-name ] [peer | ---- | ----------- | | verbosity | detail \| summary \| debug (default: detail) | -##### See Also +##### Subcommands | command | description | | ------- | ----------- | -| [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | -| [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | - -#### Description - -For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ - -## `show stats bfd by-peer-path async sent buffer-allocation-failure` - -BFD async packets tx allocation failure on the peer path. (in-memory) - -#### Usage - -``` -show stats bfd by-peer-path async sent buffer-allocation-failure [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] -``` - -##### Keyword Arguments - -| name | description | -| ---- | ----------- | -| device-name | The name of the device port for which this metric was generated (comma-separated list) | -| force | Skip confirmation prompt. Only required when targeting all routers | -| node | The name of the node generating this metric | -| peer-host | The host of the peer generating this metric (comma-separated list) | -| peer-name | The name of the peer generating this metric (comma-separated list) | -| router | The router for which to display stats (default: <current router>) | -| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | -| vlan | The vlan for which this metrics was generated (comma-separated list) | - -##### Positional Arguments - -| name | description | -| ---- | ----------- | -| verbosity | detail \| summary \| debug (default: detail) | +| [`async`](#show-stats-bfd-by-peer-path-async) | Stats pertaining to BFD async mode per peer path | +| [`average-latency`](#show-stats-bfd-by-peer-path-average-latency) | Rolling average latency in milliseconds for the SSR peer path. | +| [`cert`](#show-stats-bfd-by-peer-path-cert) | Stats pertaining to BFD certificate exchange per peer path | +| [`dh-public-key`](#show-stats-bfd-by-peer-path-dh-public-key) | Stats pertaining to BFD dh-public-key exchange per peer path | +| [`dynamic-damping`](#show-stats-bfd-by-peer-path-dynamic-damping) | Stats pertaining to Dynamic BFD Damping | +| [`echo`](#show-stats-bfd-by-peer-path-echo) | Stats pertaining to BFD echo mode per peer path | +| [`jitter`](#show-stats-bfd-by-peer-path-jitter) | Jitter in milliseconds for the SSR peer path. | +| [`latency`](#show-stats-bfd-by-peer-path-latency) | Latency in milliseconds for the SSR peer path. | +| [`link-down`](#show-stats-bfd-by-peer-path-link-down) | Stats tracking BFD link down event per peer path | +| [`link-up`](#show-stats-bfd-by-peer-path-link-up) | The number of link-ups on the peer path. (in-memory) | +| [`local-source-nat-change`](#show-stats-bfd-by-peer-path-local-source-nat-change) | The number of local source nat changes on the peer path. (in-memory) | +| [`local-source-nat-reset`](#show-stats-bfd-by-peer-path-local-source-nat-reset) | The number of local source nat resets on the peer path. (in-memory) | +| [`loss`](#show-stats-bfd-by-peer-path-loss) | Packet loss percentange for the SSR peer path. | +| [`metadata-key`](#show-stats-bfd-by-peer-path-metadata-key) | Stats pertaining to BFD metadata-key exchange per peer path | +| [`ml-kem-key`](#show-stats-bfd-by-peer-path-ml-kem-key) | Stats pertaining to BFD ml-kem-key exchange per peer path | +| [`mos`](#show-stats-bfd-by-peer-path-mos) | MOS value calculated for the SSR peer path. (hundreths of a decimal) | +| [`neighbor`](#show-stats-bfd-by-peer-path-neighbor) | Stats pertaining to BFD Neighbor | +| [`salt`](#show-stats-bfd-by-peer-path-salt) | Stats pertaining to BFD salt exchange per peer path | ##### See Also @@ -38838,18 +38943,14 @@ show stats bfd by-peer-path async sent buffer-allocation-failure [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path async [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -38871,45 +38972,12 @@ show stats bfd by-peer-path async sent success [peer-name ] [peer-hos | ---- | ----------- | | verbosity | detail \| summary \| debug (default: detail) | -##### See Also +##### Subcommands | command | description | | ------- | ----------- | -| [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | -| [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | - -#### Description - -For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ - -## `show stats bfd by-peer-path average-latency` - -Rolling average latency in milliseconds for the SSR peer path. - -#### Usage - -``` -show stats bfd by-peer-path average-latency [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] -``` - -##### Keyword Arguments - -| name | description | -| ---- | ----------- | -| device-name | The name of the device port for which this metric was generated (comma-separated list) | -| force | Skip confirmation prompt. Only required when targeting all routers | -| node | The name of the node generating this metric | -| peer-host | The host of the peer generating this metric (comma-separated list) | -| peer-name | The name of the peer generating this metric (comma-separated list) | -| router | The router for which to display stats (default: <current router>) | -| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | -| vlan | The vlan for which this metrics was generated (comma-separated list) | - -##### Positional Arguments - -| name | description | -| ---- | ----------- | -| verbosity | detail \| summary \| debug (default: detail) | +| [`received`](#show-stats-bfd-by-peer-path-async-received) | BFD async packets received on the peer path. | +| [`sent`](#show-stats-bfd-by-peer-path-async-sent) | BFD async packets sent on the peer path. | ##### See Also @@ -38918,14 +38986,14 @@ show stats bfd by-peer-path average-latency [peer-name ] [peer-host < | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -## `show stats bfd by-peer-path cert` +## `show stats bfd by-peer-path async received` -Stats pertaining to BFD certificate exchange per peer path +BFD async packets received on the peer path. #### Usage ``` -show stats bfd by-peer-path cert [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path async received [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -38951,8 +39019,8 @@ show stats bfd by-peer-path cert [peer-name ] [peer-host ] | command | description | | ------- | ----------- | -| [`received`](#show-stats-bfd-by-peer-path-cert-received) | BFD certificate exchange packets received on the peer path. | -| [`sent`](#show-stats-bfd-by-peer-path-cert-sent) | BFD certificate exchange packets sent on the peer path. | +| [`miss`](#show-stats-bfd-by-peer-path-async-received-miss) | BFD async packets not received in time on the peer path. (in-memory) | +| [`success`](#show-stats-bfd-by-peer-path-async-received-success) | BFD async packets received on the peer path. (in-memory) | ##### See Also @@ -38961,14 +39029,14 @@ show stats bfd by-peer-path cert [peer-name ] [peer-host ] | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -## `show stats bfd by-peer-path cert received` +## `show stats bfd by-peer-path async received miss` -BFD certificate exchange packets received on the peer path. +BFD async packets not received in time on the peer path. (in-memory) #### Usage ``` -show stats bfd by-peer-path cert received [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path async received miss [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -38990,12 +39058,6 @@ show stats bfd by-peer-path cert received [peer-name ] [peer-host ] [peer-host ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path async received success [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -39043,14 +39109,14 @@ show stats bfd by-peer-path cert received success [peer-name ] [peer- For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ -## `show stats bfd by-peer-path cert sent` +## `show stats bfd by-peer-path async sent` -BFD certificate exchange packets sent on the peer path. +BFD async packets sent on the peer path. #### Usage ``` -show stats bfd by-peer-path cert sent [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path async sent [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -39076,9 +39142,9 @@ show stats bfd by-peer-path cert sent [peer-name ] [peer-host ] [peer-host ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path async sent arp-failure [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -39127,14 +39193,14 @@ show stats bfd by-peer-path cert sent arp-failure [peer-name ] [peer- For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ -## `show stats bfd by-peer-path cert sent buffer-allocation-failure` +## `show stats bfd by-peer-path async sent buffer-allocation-failure` -BFD certificate exchange packets tx allocation failure on the peer path. (in-memory) +BFD async packets tx allocation failure on the peer path. (in-memory) #### Usage ``` -show stats bfd by-peer-path cert sent buffer-allocation-failure [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path async sent buffer-allocation-failure [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -39167,14 +39233,14 @@ show stats bfd by-peer-path cert sent buffer-allocation-failure [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path async sent success [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -39207,14 +39273,14 @@ show stats bfd by-peer-path cert sent success [peer-name ] [peer-host For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ -## `show stats bfd by-peer-path dh-public-key` +## `show stats bfd by-peer-path average-latency` -Stats pertaining to BFD dh-public-key exchange per peer path +Rolling average latency in milliseconds for the SSR peer path. #### Usage ``` -show stats bfd by-peer-path dh-public-key [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path average-latency [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -39236,13 +39302,6 @@ show stats bfd by-peer-path dh-public-key [peer-name ] [peer-host ] [peer-host ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path cert [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -39283,7 +39342,8 @@ show stats bfd by-peer-path dh-public-key received [peer-name ] [peer | command | description | | ------- | ----------- | -| [`success`](#show-stats-bfd-by-peer-path-dh-public-key-received-success) | BFD dh-public-key exchange packets received on the peer path. (in-memory) | +| [`received`](#show-stats-bfd-by-peer-path-cert-received) | BFD certificate exchange packets received on the peer path. | +| [`sent`](#show-stats-bfd-by-peer-path-cert-sent) | BFD certificate exchange packets sent on the peer path. | ##### See Also @@ -39292,14 +39352,14 @@ show stats bfd by-peer-path dh-public-key received [peer-name ] [peer | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -## `show stats bfd by-peer-path dh-public-key received success` +## `show stats bfd by-peer-path cert received` -BFD dh-public-key exchange packets received on the peer path. (in-memory) +BFD certificate exchange packets received on the peer path. #### Usage ``` -show stats bfd by-peer-path dh-public-key received success [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path cert received [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -39321,6 +39381,12 @@ show stats bfd by-peer-path dh-public-key received success [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path cert received success [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -39361,14 +39423,6 @@ show stats bfd by-peer-path dh-public-key sent [peer-name ] [peer-hos | ---- | ----------- | | verbosity | detail \| summary \| debug (default: detail) | -##### Subcommands - -| command | description | -| ------- | ----------- | -| [`arp-failure`](#show-stats-bfd-by-peer-path-dh-public-key-sent-arp-failure) | BFD dh-public-key exchange packets tx arp failure on the peer path. (in-memory) | -| [`buffer-allocation-failure`](#show-stats-bfd-by-peer-path-dh-public-key-sent-buffer-allocation-failure) | BFD dh-public-key exchange packets tx allocation failure on the peer path. (in-memory) | -| [`success`](#show-stats-bfd-by-peer-path-dh-public-key-sent-success) | BFD dh-public-key exchange packets sent successfully on the peer path. (in-memory) | - ##### See Also | command | description | @@ -39376,14 +39430,18 @@ show stats bfd by-peer-path dh-public-key sent [peer-name ] [peer-hos | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -## `show stats bfd by-peer-path dh-public-key sent arp-failure` +#### Description -BFD dh-public-key exchange packets tx arp failure on the peer path. (in-memory) +For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ + +## `show stats bfd by-peer-path cert sent` + +BFD certificate exchange packets sent on the peer path. #### Usage ``` -show stats bfd by-peer-path dh-public-key sent arp-failure [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path cert sent [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -39405,6 +39463,14 @@ show stats bfd by-peer-path dh-public-key sent arp-failure [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path cert sent arp-failure [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -39456,14 +39518,14 @@ show stats bfd by-peer-path dh-public-key sent buffer-allocation-failure [peer-n For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ -## `show stats bfd by-peer-path dh-public-key sent success` +## `show stats bfd by-peer-path cert sent buffer-allocation-failure` -BFD dh-public-key exchange packets sent successfully on the peer path. (in-memory) +BFD certificate exchange packets tx allocation failure on the peer path. (in-memory) #### Usage ``` -show stats bfd by-peer-path dh-public-key sent success [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path cert sent buffer-allocation-failure [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -39496,14 +39558,14 @@ show stats bfd by-peer-path dh-public-key sent success [peer-name ] [ For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ -## `show stats bfd by-peer-path dynamic-damping` +## `show stats bfd by-peer-path cert sent success` -Stats pertaining to Dynamic BFD Damping +BFD certificate exchange packets sent successfully on the peer path. (in-memory) #### Usage ``` -show stats bfd by-peer-path dynamic-damping [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path cert sent success [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -39525,13 +39587,6 @@ show stats bfd by-peer-path dynamic-damping [peer-name ] [peer-host < | ---- | ----------- | | verbosity | detail \| summary \| debug (default: detail) | -##### Subcommands - -| command | description | -| ------- | ----------- | -| [`current-hold-down-time`](#show-stats-bfd-by-peer-path-dynamic-damping-current-hold-down-time) | The hold-down duration in seconds. This value will be used for the next time the hold-down timer is started (in-memory) | -| [`hold-down-link-flaps`](#show-stats-bfd-by-peer-path-dynamic-damping-hold-down-link-flaps) | Number of link flaps that have occured within a hold-down period since the last path-down notification (in-memory) | - ##### See Also | command | description | @@ -39539,14 +39594,18 @@ show stats bfd by-peer-path dynamic-damping [peer-name ] [peer-host < | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -## `show stats bfd by-peer-path dynamic-damping current-hold-down-time` +#### Description -The hold-down duration in seconds. This value will be used for the next time the hold-down timer is started (in-memory) +For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ + +## `show stats bfd by-peer-path dh-public-key` + +Stats pertaining to BFD dh-public-key exchange per peer path #### Usage ``` -show stats bfd by-peer-path dynamic-damping current-hold-down-time [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path dh-public-key [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -39568,6 +39627,13 @@ show stats bfd by-peer-path dynamic-damping current-hold-down-time [peer-name

] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path dh-public-key received [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -39608,6 +39670,12 @@ show stats bfd by-peer-path dynamic-damping hold-down-link-flaps [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path dh-public-key received success [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -39648,13 +39712,6 @@ show stats bfd by-peer-path echo [peer-name ] [peer-host ] | ---- | ----------- | | verbosity | detail \| summary \| debug (default: detail) | -##### Subcommands - -| command | description | -| ------- | ----------- | -| [`received`](#show-stats-bfd-by-peer-path-echo-received) | BFD echo packets received on the peer path. (in-memory) | -| [`sent`](#show-stats-bfd-by-peer-path-echo-sent) | BFD echo packets sent on the peer path. | - ##### See Also | command | description | @@ -39662,14 +39719,18 @@ show stats bfd by-peer-path echo [peer-name ] [peer-host ] | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -## `show stats bfd by-peer-path echo received` +#### Description -BFD echo packets received on the peer path. (in-memory) +For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ + +## `show stats bfd by-peer-path dh-public-key sent` + +BFD dh-public-key exchange packets sent on the peer path. #### Usage ``` -show stats bfd by-peer-path echo received [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path dh-public-key sent [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -39691,6 +39752,14 @@ show stats bfd by-peer-path echo received [peer-name ] [peer-host ] [peer-host ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path dh-public-key sent arp-failure [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -39731,14 +39796,6 @@ show stats bfd by-peer-path echo sent [peer-name ] [peer-host ] [peer-host ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path dh-public-key sent buffer-allocation-failure [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -39786,14 +39847,14 @@ show stats bfd by-peer-path echo sent arp-failure [peer-name ] [peer- For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ -## `show stats bfd by-peer-path echo sent buffer-allocation-failure` +## `show stats bfd by-peer-path dh-public-key sent success` -BFD echo packets buffer allocation failure on the peer path. (in-memory) +BFD dh-public-key exchange packets sent successfully on the peer path. (in-memory) #### Usage ``` -show stats bfd by-peer-path echo sent buffer-allocation-failure [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path dh-public-key sent success [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -39826,14 +39887,14 @@ show stats bfd by-peer-path echo sent buffer-allocation-failure [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path dynamic-damping [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -39855,6 +39916,13 @@ show stats bfd by-peer-path echo sent success [peer-name ] [peer-host | ---- | ----------- | | verbosity | detail \| summary \| debug (default: detail) | +##### Subcommands + +| command | description | +| ------- | ----------- | +| [`current-hold-down-time`](#show-stats-bfd-by-peer-path-dynamic-damping-current-hold-down-time) | The hold-down duration in seconds. This value will be used for the next time the hold-down timer is started (in-memory) | +| [`hold-down-link-flaps`](#show-stats-bfd-by-peer-path-dynamic-damping-hold-down-link-flaps) | Number of link flaps that have occured within a hold-down period since the last path-down notification (in-memory) | + ##### See Also | command | description | @@ -39862,18 +39930,14 @@ show stats bfd by-peer-path echo sent success [peer-name ] [peer-host | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -#### Description - -For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ - -## `show stats bfd by-peer-path jitter` +## `show stats bfd by-peer-path dynamic-damping current-hold-down-time` -Jitter in milliseconds for the SSR peer path. +The hold-down duration in seconds. This value will be used for the next time the hold-down timer is started (in-memory) #### Usage ``` -show stats bfd by-peer-path jitter [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path dynamic-damping current-hold-down-time [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -39902,14 +39966,18 @@ show stats bfd by-peer-path jitter [peer-name ] [peer-host ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path dynamic-damping hold-down-link-flaps [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -39938,14 +40006,18 @@ show stats bfd by-peer-path latency [peer-name ] [peer-host ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path echo [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -39971,10 +40043,8 @@ show stats bfd by-peer-path link-down [peer-name ] [peer-host ] [peer-host ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path echo received [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -40023,14 +40093,14 @@ show stats bfd by-peer-path link-down local-oper-down [peer-name ] [p For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ -## `show stats bfd by-peer-path link-down remote-admin-down` +## `show stats bfd by-peer-path echo sent` -The number of link-downs triggered by remote-admin-down on the peer path. (in-memory) +BFD echo packets sent on the peer path. #### Usage ``` -show stats bfd by-peer-path link-down remote-admin-down [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path echo sent [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -40052,6 +40122,14 @@ show stats bfd by-peer-path link-down remote-admin-down [peer-name ] | ---- | ----------- | | verbosity | detail \| summary \| debug (default: detail) | +##### Subcommands + +| command | description | +| ------- | ----------- | +| [`arp-failure`](#show-stats-bfd-by-peer-path-echo-sent-arp-failure) | BFD echo packets arp failure on the peer path. (in-memory) | +| [`buffer-allocation-failure`](#show-stats-bfd-by-peer-path-echo-sent-buffer-allocation-failure) | BFD echo packets buffer allocation failure on the peer path. (in-memory) | +| [`success`](#show-stats-bfd-by-peer-path-echo-sent-success) | BFD echo packets sent successfully on the peer path. (in-memory) | + ##### See Also | command | description | @@ -40059,18 +40137,14 @@ show stats bfd by-peer-path link-down remote-admin-down [peer-name ] | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -#### Description - -For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ - -## `show stats bfd by-peer-path link-down remote-down` +## `show stats bfd by-peer-path echo sent arp-failure` -The number of link-downs triggered by remote-down on the peer path. (in-memory) +BFD echo packets arp failure on the peer path. (in-memory) #### Usage ``` -show stats bfd by-peer-path link-down remote-down [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path echo sent arp-failure [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -40103,14 +40177,14 @@ show stats bfd by-peer-path link-down remote-down [peer-name ] [peer- For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ -## `show stats bfd by-peer-path link-down timer-expiry` +## `show stats bfd by-peer-path echo sent buffer-allocation-failure` -The number of link-downs triggered by timer-expiry on the peer path. (in-memory) +BFD echo packets buffer allocation failure on the peer path. (in-memory) #### Usage ``` -show stats bfd by-peer-path link-down timer-expiry [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path echo sent buffer-allocation-failure [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -40143,14 +40217,14 @@ show stats bfd by-peer-path link-down timer-expiry [peer-name ] [peer For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ -## `show stats bfd by-peer-path link-up` +## `show stats bfd by-peer-path echo sent success` -The number of link-ups on the peer path. (in-memory) +BFD echo packets sent successfully on the peer path. (in-memory) #### Usage ``` -show stats bfd by-peer-path link-up [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path echo sent success [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -40183,14 +40257,14 @@ show stats bfd by-peer-path link-up [peer-name ] [peer-host ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path jitter [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -40219,18 +40293,14 @@ show stats bfd by-peer-path local-source-nat-change [peer-name ] [pee | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -#### Description - -For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ - -## `show stats bfd by-peer-path local-source-nat-reset` +## `show stats bfd by-peer-path latency` -The number of local source nat resets on the peer path. (in-memory) +Latency in milliseconds for the SSR peer path. #### Usage ``` -show stats bfd by-peer-path local-source-nat-reset [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path latency [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -40259,18 +40329,14 @@ show stats bfd by-peer-path local-source-nat-reset [peer-name ] [peer | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -#### Description - -For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ - -## `show stats bfd by-peer-path loss` +## `show stats bfd by-peer-path link-down` -Packet loss percentange for the SSR peer path. +Stats tracking BFD link down event per peer path #### Usage ``` -show stats bfd by-peer-path loss [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path link-down [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -40292,6 +40358,15 @@ show stats bfd by-peer-path loss [peer-name ] [peer-host ] | ---- | ----------- | | verbosity | detail \| summary \| debug (default: detail) | +##### Subcommands + +| command | description | +| ------- | ----------- | +| [`local-oper-down`](#show-stats-bfd-by-peer-path-link-down-local-oper-down) | The number of link-downs triggered by local-oper-down. (in-memory) | +| [`remote-admin-down`](#show-stats-bfd-by-peer-path-link-down-remote-admin-down) | The number of link-downs triggered by remote-admin-down on the peer path. (in-memory) | +| [`remote-down`](#show-stats-bfd-by-peer-path-link-down-remote-down) | The number of link-downs triggered by remote-down on the peer path. (in-memory) | +| [`timer-expiry`](#show-stats-bfd-by-peer-path-link-down-timer-expiry) | The number of link-downs triggered by timer-expiry on the peer path. (in-memory) | + ##### See Also | command | description | @@ -40299,14 +40374,14 @@ show stats bfd by-peer-path loss [peer-name ] [peer-host ] | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -## `show stats bfd by-peer-path metadata-key` +## `show stats bfd by-peer-path link-down local-oper-down` -Stats pertaining to BFD metadata-key exchange per peer path +The number of link-downs triggered by local-oper-down. (in-memory) #### Usage ``` -show stats bfd by-peer-path metadata-key [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path link-down local-oper-down [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -40328,13 +40403,6 @@ show stats bfd by-peer-path metadata-key [peer-name ] [peer-host ] [peer-host ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path link-down remote-admin-down [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -40371,12 +40443,6 @@ show stats bfd by-peer-path metadata-key received [peer-name ] [peer- | ---- | ----------- | | verbosity | detail \| summary \| debug (default: detail) | -##### Subcommands - -| command | description | -| ------- | ----------- | -| [`success`](#show-stats-bfd-by-peer-path-metadata-key-received-success) | BFD metadata-key exchange packets received on the peer path. (in-memory) | - ##### See Also | command | description | @@ -40384,14 +40450,18 @@ show stats bfd by-peer-path metadata-key received [peer-name ] [peer- | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -## `show stats bfd by-peer-path metadata-key received success` +#### Description -BFD metadata-key exchange packets received on the peer path. (in-memory) +For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ + +## `show stats bfd by-peer-path link-down remote-down` + +The number of link-downs triggered by remote-down on the peer path. (in-memory) #### Usage ``` -show stats bfd by-peer-path metadata-key received success [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path link-down remote-down [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -40424,14 +40494,14 @@ show stats bfd by-peer-path metadata-key received success [peer-name For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ -## `show stats bfd by-peer-path metadata-key sent` +## `show stats bfd by-peer-path link-down timer-expiry` -BFD metadata-key exchange packets sent on the peer path. +The number of link-downs triggered by timer-expiry on the peer path. (in-memory) #### Usage ``` -show stats bfd by-peer-path metadata-key sent [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path link-down timer-expiry [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -40453,13 +40523,45 @@ show stats bfd by-peer-path metadata-key sent [peer-name ] [peer-host | ---- | ----------- | | verbosity | detail \| summary \| debug (default: detail) | -##### Subcommands +##### See Also | command | description | | ------- | ----------- | -| [`arp-failure`](#show-stats-bfd-by-peer-path-metadata-key-sent-arp-failure) | BFD metadata-key exchange packets tx arp failure on the peer path. (in-memory) | -| [`buffer-allocation-failure`](#show-stats-bfd-by-peer-path-metadata-key-sent-buffer-allocation-failure) | BFD metadata-key exchange packets tx allocation failure on the peer path. (in-memory) | -| [`success`](#show-stats-bfd-by-peer-path-metadata-key-sent-success) | BFD metadata-key exchange packets sent successfully on the peer path. (in-memory) | +| [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | +| [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | + +#### Description + +For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ + +## `show stats bfd by-peer-path link-up` + +The number of link-ups on the peer path. (in-memory) + +#### Usage + +``` +show stats bfd by-peer-path link-up [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| device-name | The name of the device port for which this metric was generated (comma-separated list) | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| peer-host | The host of the peer generating this metric (comma-separated list) | +| peer-name | The name of the peer generating this metric (comma-separated list) | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | +| vlan | The vlan for which this metrics was generated (comma-separated list) | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | ##### See Also @@ -40468,14 +40570,18 @@ show stats bfd by-peer-path metadata-key sent [peer-name ] [peer-host | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -## `show stats bfd by-peer-path metadata-key sent arp-failure` +#### Description -BFD metadata-key exchange packets tx arp failure on the peer path. (in-memory) +For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ + +## `show stats bfd by-peer-path local-source-nat-change` + +The number of local source nat changes on the peer path. (in-memory) #### Usage ``` -show stats bfd by-peer-path metadata-key sent arp-failure [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path local-source-nat-change [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -40508,14 +40614,14 @@ show stats bfd by-peer-path metadata-key sent arp-failure [peer-name For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ -## `show stats bfd by-peer-path metadata-key sent buffer-allocation-failure` +## `show stats bfd by-peer-path local-source-nat-reset` -BFD metadata-key exchange packets tx allocation failure on the peer path. (in-memory) +The number of local source nat resets on the peer path. (in-memory) #### Usage ``` -show stats bfd by-peer-path metadata-key sent buffer-allocation-failure [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path local-source-nat-reset [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -40548,14 +40654,14 @@ show stats bfd by-peer-path metadata-key sent buffer-allocation-failure [peer-na For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ -## `show stats bfd by-peer-path metadata-key sent success` +## `show stats bfd by-peer-path loss` -BFD metadata-key exchange packets sent successfully on the peer path. (in-memory) +Packet loss percentange for the SSR peer path. #### Usage ``` -show stats bfd by-peer-path metadata-key sent success [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path loss [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -40584,18 +40690,57 @@ show stats bfd by-peer-path metadata-key sent success [peer-name ] [p | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -#### Description +## `show stats bfd by-peer-path metadata-key` -For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ +Stats pertaining to BFD metadata-key exchange per peer path -## `show stats bfd by-peer-path mos` +#### Usage -MOS value calculated for the SSR peer path. (hundreths of a decimal) +``` +show stats bfd by-peer-path metadata-key [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| device-name | The name of the device port for which this metric was generated (comma-separated list) | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| peer-host | The host of the peer generating this metric (comma-separated list) | +| peer-name | The name of the peer generating this metric (comma-separated list) | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | +| vlan | The vlan for which this metrics was generated (comma-separated list) | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + +##### Subcommands + +| command | description | +| ------- | ----------- | +| [`received`](#show-stats-bfd-by-peer-path-metadata-key-received) | BFD metadata-key exchange packets received on the peer path. | +| [`sent`](#show-stats-bfd-by-peer-path-metadata-key-sent) | BFD metadata-key exchange packets sent on the peer path. | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | +| [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | + +## `show stats bfd by-peer-path metadata-key received` + +BFD metadata-key exchange packets received on the peer path. #### Usage ``` -show stats bfd by-peer-path mos [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path metadata-key received [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -40617,6 +40762,12 @@ show stats bfd by-peer-path mos [peer-name ] [peer-host ] | ---- | ----------- | | verbosity | detail \| summary \| debug (default: detail) | +##### Subcommands + +| command | description | +| ------- | ----------- | +| [`success`](#show-stats-bfd-by-peer-path-metadata-key-received-success) | BFD metadata-key exchange packets received on the peer path. (in-memory) | + ##### See Also | command | description | @@ -40624,14 +40775,54 @@ show stats bfd by-peer-path mos [peer-name ] [peer-host ] | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -## `show stats bfd by-peer-path neighbor` +## `show stats bfd by-peer-path metadata-key received success` -Stats pertaining to BFD Neighbor +BFD metadata-key exchange packets received on the peer path. (in-memory) #### Usage ``` -show stats bfd by-peer-path neighbor [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path metadata-key received success [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| device-name | The name of the device port for which this metric was generated (comma-separated list) | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| peer-host | The host of the peer generating this metric (comma-separated list) | +| peer-name | The name of the peer generating this metric (comma-separated list) | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | +| vlan | The vlan for which this metrics was generated (comma-separated list) | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | +| [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | + +#### Description + +For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ + +## `show stats bfd by-peer-path metadata-key sent` + +BFD metadata-key exchange packets sent on the peer path. + +#### Usage + +``` +show stats bfd by-peer-path metadata-key sent [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -40657,8 +40848,9 @@ show stats bfd by-peer-path neighbor [peer-name ] [peer-host ] [peer-host ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path metadata-key sent arp-failure [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -40707,14 +40899,14 @@ show stats bfd by-peer-path neighbor failover [peer-name ] [peer-host For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ -## `show stats bfd by-peer-path neighbor source-nat-change` +## `show stats bfd by-peer-path metadata-key sent buffer-allocation-failure` -The number of neighbor source nat changes on the peer path. (in-memory) +BFD metadata-key exchange packets tx allocation failure on the peer path. (in-memory) #### Usage ``` -show stats bfd by-peer-path neighbor source-nat-change [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path metadata-key sent buffer-allocation-failure [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -40747,14 +40939,54 @@ show stats bfd by-peer-path neighbor source-nat-change [peer-name ] [ For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ -## `show stats bfd by-peer-path salt` +## `show stats bfd by-peer-path metadata-key sent success` -Stats pertaining to BFD salt exchange per peer path +BFD metadata-key exchange packets sent successfully on the peer path. (in-memory) #### Usage ``` -show stats bfd by-peer-path salt [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path metadata-key sent success [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| device-name | The name of the device port for which this metric was generated (comma-separated list) | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| peer-host | The host of the peer generating this metric (comma-separated list) | +| peer-name | The name of the peer generating this metric (comma-separated list) | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | +| vlan | The vlan for which this metrics was generated (comma-separated list) | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | +| [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | + +#### Description + +For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ + +## `show stats bfd by-peer-path ml-kem-key` + +Stats pertaining to BFD ml-kem-key exchange per peer path + +#### Usage + +``` +show stats bfd by-peer-path ml-kem-key [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -40780,8 +41012,8 @@ show stats bfd by-peer-path salt [peer-name ] [peer-host ] | command | description | | ------- | ----------- | -| [`received`](#show-stats-bfd-by-peer-path-salt-received) | BFD salt exchange packets received on the peer path. | -| [`sent`](#show-stats-bfd-by-peer-path-salt-sent) | BFD salt exchange packets sent on the peer path. | +| [`received`](#show-stats-bfd-by-peer-path-ml-kem-key-received) | BFD ml-kem-key exchange packets received on the peer path. | +| [`sent`](#show-stats-bfd-by-peer-path-ml-kem-key-sent) | BFD ml-kem-key exchange packets sent on the peer path. | ##### See Also @@ -40790,14 +41022,14 @@ show stats bfd by-peer-path salt [peer-name ] [peer-host ] | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -## `show stats bfd by-peer-path salt received` +## `show stats bfd by-peer-path ml-kem-key received` -BFD salt exchange packets received on the peer path. +BFD ml-kem-key exchange packets received on the peer path. #### Usage ``` -show stats bfd by-peer-path salt received [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path ml-kem-key received [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -40823,7 +41055,7 @@ show stats bfd by-peer-path salt received [peer-name ] [peer-host ] [peer-host ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path ml-kem-key received success [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -40872,14 +41104,14 @@ show stats bfd by-peer-path salt received success [peer-name ] [peer- For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ -## `show stats bfd by-peer-path salt sent` +## `show stats bfd by-peer-path ml-kem-key sent` -BFD salt exchange packets sent on the peer path. +BFD ml-kem-key exchange packets sent on the peer path. #### Usage ``` -show stats bfd by-peer-path salt sent [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path ml-kem-key sent [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -40905,9 +41137,9 @@ show stats bfd by-peer-path salt sent [peer-name ] [peer-host ] [peer-host ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path ml-kem-key sent arp-failure [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -40956,14 +41188,14 @@ show stats bfd by-peer-path salt sent arp-failure [peer-name ] [peer- For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ -## `show stats bfd by-peer-path salt sent buffer-allocation-failure` +## `show stats bfd by-peer-path ml-kem-key sent buffer-allocation-failure` -BFD salt exchange packets tx allocation failure on the peer path. (in-memory) +BFD ml-kem-key exchange packets tx allocation failure on the peer path. (in-memory) #### Usage ``` -show stats bfd by-peer-path salt sent buffer-allocation-failure [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path ml-kem-key sent buffer-allocation-failure [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -40996,14 +41228,14 @@ show stats bfd by-peer-path salt sent buffer-allocation-failure [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path ml-kem-key sent success [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -41036,24 +41268,28 @@ show stats bfd by-peer-path salt sent success [peer-name ] [peer-host For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ -## `show stats bfd cert` +## `show stats bfd by-peer-path mos` -Stats pertaining to BFD certificate exchange mode in total. +MOS value calculated for the SSR peer path. (hundreths of a decimal) #### Usage ``` -show stats bfd cert [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path mos [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments | name | description | | ---- | ----------- | +| device-name | The name of the device port for which this metric was generated (comma-separated list) | | force | Skip confirmation prompt. Only required when targeting all routers | | node | The name of the node generating this metric | +| peer-host | The host of the peer generating this metric (comma-separated list) | +| peer-name | The name of the peer generating this metric (comma-separated list) | | router | The router for which to display stats (default: <current router>) | | since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | +| vlan | The vlan for which this metrics was generated (comma-separated list) | ##### Positional Arguments @@ -41061,13 +41297,6 @@ show stats bfd cert [since ] [force] [router ] [node ] [] [force] [router ] [node ] [] [force] [router ] [node ] [] +show stats bfd by-peer-path neighbor [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments | name | description | | ---- | ----------- | +| device-name | The name of the device port for which this metric was generated (comma-separated list) | | force | Skip confirmation prompt. Only required when targeting all routers | | node | The name of the node generating this metric | +| peer-host | The host of the peer generating this metric (comma-separated list) | +| peer-name | The name of the peer generating this metric (comma-separated list) | | router | The router for which to display stats (default: <current router>) | | since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | +| vlan | The vlan for which this metrics was generated (comma-separated list) | ##### Positional Arguments @@ -41104,8 +41337,8 @@ show stats bfd cert received [since ] [force] [router ] [node ] [force] [router ] [node ] [force] [router ] [node ] [] +show stats bfd by-peer-path neighbor failover [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments | name | description | | ---- | ----------- | +| device-name | The name of the device port for which this metric was generated (comma-separated list) | | force | Skip confirmation prompt. Only required when targeting all routers | | node | The name of the node generating this metric | +| peer-host | The host of the peer generating this metric (comma-separated list) | +| peer-name | The name of the peer generating this metric (comma-separated list) | | router | The router for which to display stats (default: <current router>) | | since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | +| vlan | The vlan for which this metrics was generated (comma-separated list) | ##### Positional Arguments @@ -41146,24 +41383,32 @@ show stats bfd cert received miss [since ] [force] [router ] [nod | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -## `show stats bfd cert received success` +#### Description -BFD certificate exchange packets received on the peer path. +For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ + +## `show stats bfd by-peer-path neighbor source-nat-change` + +The number of neighbor source nat changes on the peer path. (in-memory) #### Usage ``` -show stats bfd cert received success [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path neighbor source-nat-change [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments | name | description | | ---- | ----------- | +| device-name | The name of the device port for which this metric was generated (comma-separated list) | | force | Skip confirmation prompt. Only required when targeting all routers | | node | The name of the node generating this metric | +| peer-host | The host of the peer generating this metric (comma-separated list) | +| peer-name | The name of the peer generating this metric (comma-separated list) | | router | The router for which to display stats (default: <current router>) | | since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | +| vlan | The vlan for which this metrics was generated (comma-separated list) | ##### Positional Arguments @@ -41178,24 +41423,32 @@ show stats bfd cert received success [since ] [force] [router ] [ | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -## `show stats bfd cert sent` +#### Description -BFD certificate exchange packets sent on the peer path. +For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ + +## `show stats bfd by-peer-path salt` + +Stats pertaining to BFD salt exchange per peer path #### Usage ``` -show stats bfd cert sent [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path salt [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments | name | description | | ---- | ----------- | +| device-name | The name of the device port for which this metric was generated (comma-separated list) | | force | Skip confirmation prompt. Only required when targeting all routers | | node | The name of the node generating this metric | +| peer-host | The host of the peer generating this metric (comma-separated list) | +| peer-name | The name of the peer generating this metric (comma-separated list) | | router | The router for which to display stats (default: <current router>) | | since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | +| vlan | The vlan for which this metrics was generated (comma-separated list) | ##### Positional Arguments @@ -41207,9 +41460,8 @@ show stats bfd cert sent [since ] [force] [router ] [node ] | command | description | | ------- | ----------- | -| [`arp-failure`](#show-stats-bfd-cert-sent-arp-failure) | BFD certificate exchange packets arp failure in total. | -| [`buffer-allocation-failure`](#show-stats-bfd-cert-sent-buffer-allocation-failure) | BFD certificate exchange packets buffer allocation failure in total. | -| [`success`](#show-stats-bfd-cert-sent-success) | BFD certificate exchange packets sent successfully in total. | +| [`received`](#show-stats-bfd-by-peer-path-salt-received) | BFD salt exchange packets received on the peer path. | +| [`sent`](#show-stats-bfd-by-peer-path-salt-sent) | BFD salt exchange packets sent on the peer path. | ##### See Also @@ -41218,24 +41470,28 @@ show stats bfd cert sent [since ] [force] [router ] [node ] | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -## `show stats bfd cert sent arp-failure` +## `show stats bfd by-peer-path salt received` -BFD certificate exchange packets arp failure in total. +BFD salt exchange packets received on the peer path. #### Usage ``` -show stats bfd cert sent arp-failure [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path salt received [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments | name | description | | ---- | ----------- | +| device-name | The name of the device port for which this metric was generated (comma-separated list) | | force | Skip confirmation prompt. Only required when targeting all routers | | node | The name of the node generating this metric | +| peer-host | The host of the peer generating this metric (comma-separated list) | +| peer-name | The name of the peer generating this metric (comma-separated list) | | router | The router for which to display stats (default: <current router>) | | since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | +| vlan | The vlan for which this metrics was generated (comma-separated list) | ##### Positional Arguments @@ -41243,37 +41499,11 @@ show stats bfd cert sent arp-failure [since ] [force] [router ] [ | ---- | ----------- | | verbosity | detail \| summary \| debug (default: detail) | -##### See Also +##### Subcommands | command | description | | ------- | ----------- | -| [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | -| [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | - -## `show stats bfd cert sent buffer-allocation-failure` - -BFD certificate exchange packets buffer allocation failure in total. - -#### Usage - -``` -show stats bfd cert sent buffer-allocation-failure [since ] [force] [router ] [node ] [] -``` - -##### Keyword Arguments - -| name | description | -| ---- | ----------- | -| force | Skip confirmation prompt. Only required when targeting all routers | -| node | The name of the node generating this metric | -| router | The router for which to display stats (default: <current router>) | -| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | - -##### Positional Arguments - -| name | description | -| ---- | ----------- | -| verbosity | detail \| summary \| debug (default: detail) | +| [`success`](#show-stats-bfd-by-peer-path-salt-received-success) | BFD salt exchange packets received on the peer path. (in-memory) | ##### See Also @@ -41282,24 +41512,28 @@ show stats bfd cert sent buffer-allocation-failure [since ] [force] [rout | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -## `show stats bfd cert sent success` +## `show stats bfd by-peer-path salt received success` -BFD certificate exchange packets sent successfully in total. +BFD salt exchange packets received on the peer path. (in-memory) #### Usage ``` -show stats bfd cert sent success [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path salt received success [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments | name | description | | ---- | ----------- | +| device-name | The name of the device port for which this metric was generated (comma-separated list) | | force | Skip confirmation prompt. Only required when targeting all routers | | node | The name of the node generating this metric | +| peer-host | The host of the peer generating this metric (comma-separated list) | +| peer-name | The name of the peer generating this metric (comma-separated list) | | router | The router for which to display stats (default: <current router>) | | since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | +| vlan | The vlan for which this metrics was generated (comma-separated list) | ##### Positional Arguments @@ -41314,24 +41548,32 @@ show stats bfd cert sent success [since ] [force] [router ] [node | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -## `show stats bfd dh-public-key` +#### Description -Stats pertaining to BFD dh-public-key exchange mode in total. +For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ + +## `show stats bfd by-peer-path salt sent` + +BFD salt exchange packets sent on the peer path. #### Usage ``` -show stats bfd dh-public-key [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path salt sent [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments | name | description | | ---- | ----------- | +| device-name | The name of the device port for which this metric was generated (comma-separated list) | | force | Skip confirmation prompt. Only required when targeting all routers | | node | The name of the node generating this metric | +| peer-host | The host of the peer generating this metric (comma-separated list) | +| peer-name | The name of the peer generating this metric (comma-separated list) | | router | The router for which to display stats (default: <current router>) | | since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | +| vlan | The vlan for which this metrics was generated (comma-separated list) | ##### Positional Arguments @@ -41343,8 +41585,9 @@ show stats bfd dh-public-key [since ] [force] [router ] [node ] [force] [router ] [node ] [force] [router ] [node ] [] +show stats bfd by-peer-path salt sent arp-failure [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments | name | description | | ---- | ----------- | +| device-name | The name of the device port for which this metric was generated (comma-separated list) | | force | Skip confirmation prompt. Only required when targeting all routers | | node | The name of the node generating this metric | +| peer-host | The host of the peer generating this metric (comma-separated list) | +| peer-name | The name of the peer generating this metric (comma-separated list) | | router | The router for which to display stats (default: <current router>) | | since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | +| vlan | The vlan for which this metrics was generated (comma-separated list) | ##### Positional Arguments @@ -41378,13 +41625,6 @@ show stats bfd dh-public-key received [since ] [force] [router ] | ---- | ----------- | | verbosity | detail \| summary \| debug (default: detail) | -##### Subcommands - -| command | description | -| ------- | ----------- | -| [`miss`](#show-stats-bfd-dh-public-key-received-miss) | BFD dh-public-key exchange packets not received in time on the peer path. | -| [`success`](#show-stats-bfd-dh-public-key-received-success) | BFD dh-public-key exchange packets received on the peer path. | - ##### See Also | command | description | @@ -41392,24 +41632,32 @@ show stats bfd dh-public-key received [since ] [force] [router ] | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -## `show stats bfd dh-public-key received miss` +#### Description -BFD dh-public-key exchange packets not received in time on the peer path. +For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ + +## `show stats bfd by-peer-path salt sent buffer-allocation-failure` + +BFD salt exchange packets tx allocation failure on the peer path. (in-memory) #### Usage ``` -show stats bfd dh-public-key received miss [since ] [force] [router ] [node ] [] +show stats bfd by-peer-path salt sent buffer-allocation-failure [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments | name | description | | ---- | ----------- | +| device-name | The name of the device port for which this metric was generated (comma-separated list) | | force | Skip confirmation prompt. Only required when targeting all routers | | node | The name of the node generating this metric | +| peer-host | The host of the peer generating this metric (comma-separated list) | +| peer-name | The name of the peer generating this metric (comma-separated list) | | router | The router for which to display stats (default: <current router>) | | since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | +| vlan | The vlan for which this metrics was generated (comma-separated list) | ##### Positional Arguments @@ -41424,24 +41672,32 @@ show stats bfd dh-public-key received miss [since ] [force] [router ] [force] [router ] [node ] [] +show stats bfd by-peer-path salt sent success [peer-name ] [peer-host ] [device-name ] [vlan ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments | name | description | | ---- | ----------- | +| device-name | The name of the device port for which this metric was generated (comma-separated list) | | force | Skip confirmation prompt. Only required when targeting all routers | | node | The name of the node generating this metric | +| peer-host | The host of the peer generating this metric (comma-separated list) | +| peer-name | The name of the peer generating this metric (comma-separated list) | | router | The router for which to display stats (default: <current router>) | | since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | +| vlan | The vlan for which this metrics was generated (comma-separated list) | ##### Positional Arguments @@ -41456,14 +41712,18 @@ show stats bfd dh-public-key received success [since ] [force] [router ] [force] [router ] [node ] [] +show stats bfd cert [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -41485,9 +41745,8 @@ show stats bfd dh-public-key sent [since ] [force] [router ] [nod | command | description | | ------- | ----------- | -| [`arp-failure`](#show-stats-bfd-dh-public-key-sent-arp-failure) | BFD dh-public-key exchange packets arp failure in total. | -| [`buffer-allocation-failure`](#show-stats-bfd-dh-public-key-sent-buffer-allocation-failure) | BFD dh-public-key exchange packets buffer allocation failure in total. | -| [`success`](#show-stats-bfd-dh-public-key-sent-success) | BFD dh-public-key exchange packets sent successfully in total. | +| [`received`](#show-stats-bfd-cert-received) | BFD certificate exchange packets received on the peer path. | +| [`sent`](#show-stats-bfd-cert-sent) | BFD certificate exchange packets sent on the peer path. | ##### See Also @@ -41496,14 +41755,14 @@ show stats bfd dh-public-key sent [since ] [force] [router ] [nod | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -## `show stats bfd dh-public-key sent arp-failure` +## `show stats bfd cert received` -BFD dh-public-key exchange packets arp failure in total. +BFD certificate exchange packets received on the peer path. #### Usage ``` -show stats bfd dh-public-key sent arp-failure [since ] [force] [router ] [node ] [] +show stats bfd cert received [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -41521,37 +41780,12 @@ show stats bfd dh-public-key sent arp-failure [since ] [force] [router ] [force] [router ] [node ] [] -``` - -##### Keyword Arguments - -| name | description | -| ---- | ----------- | -| force | Skip confirmation prompt. Only required when targeting all routers | -| node | The name of the node generating this metric | -| router | The router for which to display stats (default: <current router>) | -| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | - -##### Positional Arguments - -| name | description | -| ---- | ----------- | -| verbosity | detail \| summary \| debug (default: detail) | +| [`miss`](#show-stats-bfd-cert-received-miss) | BFD certificate exchange packets not received in time on the peer path. | +| [`success`](#show-stats-bfd-cert-received-success) | BFD certificate exchange packets received on the peer path. | ##### See Also @@ -41560,14 +41794,460 @@ show stats bfd dh-public-key sent buffer-allocation-failure [since ] [for | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -## `show stats bfd dh-public-key sent success` +## `show stats bfd cert received miss` -BFD dh-public-key exchange packets sent successfully in total. +BFD certificate exchange packets not received in time on the peer path. #### Usage ``` -show stats bfd dh-public-key sent success [since ] [force] [router ] [node ] [] +show stats bfd cert received miss [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | +| [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | + +## `show stats bfd cert received success` + +BFD certificate exchange packets received on the peer path. + +#### Usage + +``` +show stats bfd cert received success [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | +| [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | + +## `show stats bfd cert sent` + +BFD certificate exchange packets sent on the peer path. + +#### Usage + +``` +show stats bfd cert sent [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + +##### Subcommands + +| command | description | +| ------- | ----------- | +| [`arp-failure`](#show-stats-bfd-cert-sent-arp-failure) | BFD certificate exchange packets arp failure in total. | +| [`buffer-allocation-failure`](#show-stats-bfd-cert-sent-buffer-allocation-failure) | BFD certificate exchange packets buffer allocation failure in total. | +| [`success`](#show-stats-bfd-cert-sent-success) | BFD certificate exchange packets sent successfully in total. | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | +| [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | + +## `show stats bfd cert sent arp-failure` + +BFD certificate exchange packets arp failure in total. + +#### Usage + +``` +show stats bfd cert sent arp-failure [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | +| [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | + +## `show stats bfd cert sent buffer-allocation-failure` + +BFD certificate exchange packets buffer allocation failure in total. + +#### Usage + +``` +show stats bfd cert sent buffer-allocation-failure [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | +| [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | + +## `show stats bfd cert sent success` + +BFD certificate exchange packets sent successfully in total. + +#### Usage + +``` +show stats bfd cert sent success [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | +| [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | + +## `show stats bfd dh-public-key` + +Stats pertaining to BFD dh-public-key exchange mode in total. + +#### Usage + +``` +show stats bfd dh-public-key [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + +##### Subcommands + +| command | description | +| ------- | ----------- | +| [`received`](#show-stats-bfd-dh-public-key-received) | BFD dh-public-key exchange packets received on the peer path. | +| [`sent`](#show-stats-bfd-dh-public-key-sent) | BFD dh-public-key exchange packets sent on the peer path. | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | +| [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | + +## `show stats bfd dh-public-key received` + +BFD dh-public-key exchange packets received on the peer path. + +#### Usage + +``` +show stats bfd dh-public-key received [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + +##### Subcommands + +| command | description | +| ------- | ----------- | +| [`miss`](#show-stats-bfd-dh-public-key-received-miss) | BFD dh-public-key exchange packets not received in time on the peer path. | +| [`success`](#show-stats-bfd-dh-public-key-received-success) | BFD dh-public-key exchange packets received on the peer path. | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | +| [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | + +## `show stats bfd dh-public-key received miss` + +BFD dh-public-key exchange packets not received in time on the peer path. + +#### Usage + +``` +show stats bfd dh-public-key received miss [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | +| [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | + +## `show stats bfd dh-public-key received success` + +BFD dh-public-key exchange packets received on the peer path. + +#### Usage + +``` +show stats bfd dh-public-key received success [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | +| [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | + +## `show stats bfd dh-public-key sent` + +BFD dh-public-key exchange packets sent on the peer path. + +#### Usage + +``` +show stats bfd dh-public-key sent [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + +##### Subcommands + +| command | description | +| ------- | ----------- | +| [`arp-failure`](#show-stats-bfd-dh-public-key-sent-arp-failure) | BFD dh-public-key exchange packets arp failure in total. | +| [`buffer-allocation-failure`](#show-stats-bfd-dh-public-key-sent-buffer-allocation-failure) | BFD dh-public-key exchange packets buffer allocation failure in total. | +| [`success`](#show-stats-bfd-dh-public-key-sent-success) | BFD dh-public-key exchange packets sent successfully in total. | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | +| [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | + +## `show stats bfd dh-public-key sent arp-failure` + +BFD dh-public-key exchange packets arp failure in total. + +#### Usage + +``` +show stats bfd dh-public-key sent arp-failure [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | +| [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | + +## `show stats bfd dh-public-key sent buffer-allocation-failure` + +BFD dh-public-key exchange packets buffer allocation failure in total. + +#### Usage + +``` +show stats bfd dh-public-key sent buffer-allocation-failure [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | +| [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | + +## `show stats bfd dh-public-key sent success` + +BFD dh-public-key exchange packets sent successfully in total. + +#### Usage + +``` +show stats bfd dh-public-key sent success [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -41662,18 +42342,330 @@ show stats bfd dynamic-damping hold-down-link-flaps [since ] [force] [rou | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -#### Description - -For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ - -## `show stats bfd echo` +#### Description + +For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ + +## `show stats bfd echo` + +Stats pertaining to BFD echo mode in total. + +#### Usage + +``` +show stats bfd echo [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + +##### Subcommands + +| command | description | +| ------- | ----------- | +| [`received`](#show-stats-bfd-echo-received) | BFD echo packets received on the peer path. | +| [`sent`](#show-stats-bfd-echo-sent) | BFD echo packets sent on the peer path. | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | +| [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | + +## `show stats bfd echo received` + +BFD echo packets received on the peer path. + +#### Usage + +``` +show stats bfd echo received [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | +| [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | + +## `show stats bfd echo sent` + +BFD echo packets sent on the peer path. + +#### Usage + +``` +show stats bfd echo sent [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + +##### Subcommands + +| command | description | +| ------- | ----------- | +| [`arp-failure`](#show-stats-bfd-echo-sent-arp-failure) | BFD echo packets tx arp failure in total. | +| [`buffer-allocation-failure`](#show-stats-bfd-echo-sent-buffer-allocation-failure) | BFD echo packets tx allocation failure in total. | +| [`success`](#show-stats-bfd-echo-sent-success) | BFD echo packets sent successfully in total. | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | +| [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | + +## `show stats bfd echo sent arp-failure` + +BFD echo packets tx arp failure in total. + +#### Usage + +``` +show stats bfd echo sent arp-failure [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | +| [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | + +## `show stats bfd echo sent buffer-allocation-failure` + +BFD echo packets tx allocation failure in total. + +#### Usage + +``` +show stats bfd echo sent buffer-allocation-failure [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | +| [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | + +## `show stats bfd echo sent success` + +BFD echo packets sent successfully in total. + +#### Usage + +``` +show stats bfd echo sent success [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | +| [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | + +## `show stats bfd link-down` + +Stats tracking BFD link down event + +#### Usage + +``` +show stats bfd link-down [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + +##### Subcommands + +| command | description | +| ------- | ----------- | +| [`local-oper-down`](#show-stats-bfd-link-down-local-oper-down) | The number of link-downs triggered by local-oper-down. | +| [`remote-admin-down`](#show-stats-bfd-link-down-remote-admin-down) | The number of link-downs triggered by remote-admin-down on the peer path. | +| [`remote-down`](#show-stats-bfd-link-down-remote-down) | The number of link-downs triggered by remote-down on the peer path. | +| [`timer-expiry`](#show-stats-bfd-link-down-timer-expiry) | The number of link-downs triggered by timer-expiry on the peer path. | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | +| [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | + +## `show stats bfd link-down local-oper-down` + +The number of link-downs triggered by local-oper-down. + +#### Usage + +``` +show stats bfd link-down local-oper-down [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | +| [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | + +## `show stats bfd link-down remote-admin-down` + +The number of link-downs triggered by remote-admin-down on the peer path. + +#### Usage + +``` +show stats bfd link-down remote-admin-down [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + +##### See Also + +| command | description | +| ------- | ----------- | +| [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | +| [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | + +## `show stats bfd link-down remote-down` -Stats pertaining to BFD echo mode in total. +The number of link-downs triggered by remote-down on the peer path. #### Usage ``` -show stats bfd echo [since ] [force] [router ] [node ] [] +show stats bfd link-down remote-down [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -41691,13 +42683,6 @@ show stats bfd echo [since ] [force] [router ] [node ] [] [force] [router ] [node ] [] [force] [router ] [node ] [] +show stats bfd link-down timer-expiry [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -41737,14 +42722,14 @@ show stats bfd echo received [since ] [force] [router ] [node ] [force] [router ] [node ] [] +show stats bfd link-up [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -41762,14 +42747,6 @@ show stats bfd echo sent [since ] [force] [router ] [node ] | ---- | ----------- | | verbosity | detail \| summary \| debug (default: detail) | -##### Subcommands - -| command | description | -| ------- | ----------- | -| [`arp-failure`](#show-stats-bfd-echo-sent-arp-failure) | BFD echo packets tx arp failure in total. | -| [`buffer-allocation-failure`](#show-stats-bfd-echo-sent-buffer-allocation-failure) | BFD echo packets tx allocation failure in total. | -| [`success`](#show-stats-bfd-echo-sent-success) | BFD echo packets sent successfully in total. | - ##### See Also | command | description | @@ -41777,14 +42754,14 @@ show stats bfd echo sent [since ] [force] [router ] [node ] | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -## `show stats bfd echo sent arp-failure` +## `show stats bfd local-source-nat-change` -BFD echo packets tx arp failure in total. +The number of local source nat changes on the peer path. #### Usage ``` -show stats bfd echo sent arp-failure [since ] [force] [router ] [node ] [] +show stats bfd local-source-nat-change [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -41809,14 +42786,14 @@ show stats bfd echo sent arp-failure [since ] [force] [router ] [ | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -## `show stats bfd echo sent buffer-allocation-failure` +## `show stats bfd local-source-nat-reset` -BFD echo packets tx allocation failure in total. +The number of local source nat resets on the peer path. #### Usage ``` -show stats bfd echo sent buffer-allocation-failure [since ] [force] [router ] [node ] [] +show stats bfd local-source-nat-reset [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -41841,14 +42818,14 @@ show stats bfd echo sent buffer-allocation-failure [since ] [force] [rout | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -## `show stats bfd echo sent success` +## `show stats bfd metadata-key` -BFD echo packets sent successfully in total. +Stats pertaining to BFD metadata key exchange mode in total. #### Usage ``` -show stats bfd echo sent success [since ] [force] [router ] [node ] [] +show stats bfd metadata-key [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -41866,6 +42843,13 @@ show stats bfd echo sent success [since ] [force] [router ] [node | ---- | ----------- | | verbosity | detail \| summary \| debug (default: detail) | +##### Subcommands + +| command | description | +| ------- | ----------- | +| [`received`](#show-stats-bfd-metadata-key-received) | BFD metadata key exchange packets received on the peer path. | +| [`sent`](#show-stats-bfd-metadata-key-sent) | BFD metadata key exchange packets sent on the peer path. | + ##### See Also | command | description | @@ -41873,14 +42857,14 @@ show stats bfd echo sent success [since ] [force] [router ] [node | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -## `show stats bfd link-down` +## `show stats bfd metadata-key received` -Stats tracking BFD link down event +BFD metadata key exchange packets received on the peer path. #### Usage ``` -show stats bfd link-down [since ] [force] [router ] [node ] [] +show stats bfd metadata-key received [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -41902,10 +42886,8 @@ show stats bfd link-down [since ] [force] [router ] [node ] | command | description | | ------- | ----------- | -| [`local-oper-down`](#show-stats-bfd-link-down-local-oper-down) | The number of link-downs triggered by local-oper-down. | -| [`remote-admin-down`](#show-stats-bfd-link-down-remote-admin-down) | The number of link-downs triggered by remote-admin-down on the peer path. | -| [`remote-down`](#show-stats-bfd-link-down-remote-down) | The number of link-downs triggered by remote-down on the peer path. | -| [`timer-expiry`](#show-stats-bfd-link-down-timer-expiry) | The number of link-downs triggered by timer-expiry on the peer path. | +| [`miss`](#show-stats-bfd-metadata-key-received-miss) | BFD metadata key exchange packets not received in time on the peer path. | +| [`success`](#show-stats-bfd-metadata-key-received-success) | BFD metadata key exchange packets received on the peer path. | ##### See Also @@ -41914,14 +42896,14 @@ show stats bfd link-down [since ] [force] [router ] [node ] | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -## `show stats bfd link-down local-oper-down` +## `show stats bfd metadata-key received miss` -The number of link-downs triggered by local-oper-down. +BFD metadata key exchange packets not received in time on the peer path. #### Usage ``` -show stats bfd link-down local-oper-down [since ] [force] [router ] [node ] [] +show stats bfd metadata-key received miss [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -41946,14 +42928,14 @@ show stats bfd link-down local-oper-down [since ] [force] [router ] [force] [router ] [node ] [] +show stats bfd metadata-key received success [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -41978,14 +42960,14 @@ show stats bfd link-down remote-admin-down [since ] [force] [router ] [force] [router ] [node ] [] +show stats bfd metadata-key sent [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -42003,37 +42985,13 @@ show stats bfd link-down remote-down [since ] [force] [router ] [ | ---- | ----------- | | verbosity | detail \| summary \| debug (default: detail) | -##### See Also +##### Subcommands | command | description | | ------- | ----------- | -| [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | -| [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | - -## `show stats bfd link-down timer-expiry` - -The number of link-downs triggered by timer-expiry on the peer path. - -#### Usage - -``` -show stats bfd link-down timer-expiry [since ] [force] [router ] [node ] [] -``` - -##### Keyword Arguments - -| name | description | -| ---- | ----------- | -| force | Skip confirmation prompt. Only required when targeting all routers | -| node | The name of the node generating this metric | -| router | The router for which to display stats (default: <current router>) | -| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | - -##### Positional Arguments - -| name | description | -| ---- | ----------- | -| verbosity | detail \| summary \| debug (default: detail) | +| [`arp-failure`](#show-stats-bfd-metadata-key-sent-arp-failure) | BFD metadata key exchange packets arp failure in total. | +| [`buffer-allocation-failure`](#show-stats-bfd-metadata-key-sent-buffer-allocation-failure) | BFD metadata key exchange packets buffer allocation failure in total. | +| [`success`](#show-stats-bfd-metadata-key-sent-success) | BFD metadata key exchange packets sent successfully in total. | ##### See Also @@ -42042,14 +43000,14 @@ show stats bfd link-down timer-expiry [since ] [force] [router ] | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -## `show stats bfd link-up` +## `show stats bfd metadata-key sent arp-failure` -The number of link-ups on the peer path. +BFD metadata key exchange packets arp failure in total. #### Usage ``` -show stats bfd link-up [since ] [force] [router ] [node ] [] +show stats bfd metadata-key sent arp-failure [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -42074,14 +43032,14 @@ show stats bfd link-up [since ] [force] [router ] [node ] [ | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -## `show stats bfd local-source-nat-change` +## `show stats bfd metadata-key sent buffer-allocation-failure` -The number of local source nat changes on the peer path. +BFD metadata key exchange packets buffer allocation failure in total. #### Usage ``` -show stats bfd local-source-nat-change [since ] [force] [router ] [node ] [] +show stats bfd metadata-key sent buffer-allocation-failure [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -42106,14 +43064,14 @@ show stats bfd local-source-nat-change [since ] [force] [router ] | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -## `show stats bfd local-source-nat-reset` +## `show stats bfd metadata-key sent success` -The number of local source nat resets on the peer path. +BFD metadata key exchange packets sent successfully in total. #### Usage ``` -show stats bfd local-source-nat-reset [since ] [force] [router ] [node ] [] +show stats bfd metadata-key sent success [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -42138,14 +43096,14 @@ show stats bfd local-source-nat-reset [since ] [force] [router ] | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -## `show stats bfd metadata-key` +## `show stats bfd ml-kem-key` -Stats pertaining to BFD metadata key exchange mode in total. +Stats pertaining to BFD ml-kem-key exchange mode in total. #### Usage ``` -show stats bfd metadata-key [since ] [force] [router ] [node ] [] +show stats bfd ml-kem-key [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -42167,8 +43125,8 @@ show stats bfd metadata-key [since ] [force] [router ] [node ] [force] [router ] [node ] [force] [router ] [node ] [] +show stats bfd ml-kem-key received [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -42206,8 +43164,8 @@ show stats bfd metadata-key received [since ] [force] [router ] [ | command | description | | ------- | ----------- | -| [`miss`](#show-stats-bfd-metadata-key-received-miss) | BFD metadata key exchange packets not received in time on the peer path. | -| [`success`](#show-stats-bfd-metadata-key-received-success) | BFD metadata key exchange packets received on the peer path. | +| [`miss`](#show-stats-bfd-ml-kem-key-received-miss) | BFD ml-kem-key exchange packets not received in time on the peer path. | +| [`success`](#show-stats-bfd-ml-kem-key-received-success) | BFD ml-kem-key exchange packets received on the peer path. | ##### See Also @@ -42216,14 +43174,14 @@ show stats bfd metadata-key received [since ] [force] [router ] [ | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -## `show stats bfd metadata-key received miss` +## `show stats bfd ml-kem-key received miss` -BFD metadata key exchange packets not received in time on the peer path. +BFD ml-kem-key exchange packets not received in time on the peer path. #### Usage ``` -show stats bfd metadata-key received miss [since ] [force] [router ] [node ] [] +show stats bfd ml-kem-key received miss [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -42248,14 +43206,14 @@ show stats bfd metadata-key received miss [since ] [force] [router ] [force] [router ] [node ] [] +show stats bfd ml-kem-key received success [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -42280,14 +43238,14 @@ show stats bfd metadata-key received success [since ] [force] [router ] [force] [router ] [node ] [] +show stats bfd ml-kem-key sent [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -42309,9 +43267,9 @@ show stats bfd metadata-key sent [since ] [force] [router ] [node | command | description | | ------- | ----------- | -| [`arp-failure`](#show-stats-bfd-metadata-key-sent-arp-failure) | BFD metadata key exchange packets arp failure in total. | -| [`buffer-allocation-failure`](#show-stats-bfd-metadata-key-sent-buffer-allocation-failure) | BFD metadata key exchange packets buffer allocation failure in total. | -| [`success`](#show-stats-bfd-metadata-key-sent-success) | BFD metadata key exchange packets sent successfully in total. | +| [`arp-failure`](#show-stats-bfd-ml-kem-key-sent-arp-failure) | BFD ml-kem-key exchange packets arp failure in total. | +| [`buffer-allocation-failure`](#show-stats-bfd-ml-kem-key-sent-buffer-allocation-failure) | BFD ml-kem-key exchange packets buffer allocation failure in total. | +| [`success`](#show-stats-bfd-ml-kem-key-sent-success) | BFD ml-kem-key exchange packets sent successfully in total. | ##### See Also @@ -42320,14 +43278,14 @@ show stats bfd metadata-key sent [since ] [force] [router ] [node | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -## `show stats bfd metadata-key sent arp-failure` +## `show stats bfd ml-kem-key sent arp-failure` -BFD metadata key exchange packets arp failure in total. +BFD ml-kem-key exchange packets arp failure in total. #### Usage ``` -show stats bfd metadata-key sent arp-failure [since ] [force] [router ] [node ] [] +show stats bfd ml-kem-key sent arp-failure [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -42352,14 +43310,14 @@ show stats bfd metadata-key sent arp-failure [since ] [force] [router ] [force] [router ] [node ] [] +show stats bfd ml-kem-key sent buffer-allocation-failure [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -42384,14 +43342,14 @@ show stats bfd metadata-key sent buffer-allocation-failure [since ] [forc | [`show stats packet-processing action failure bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`show stats packet-processing action success bfd`](#show-stats-packet-processing-action-success-bfd) | Statistics for 'bfd' | -## `show stats bfd metadata-key sent success` +## `show stats bfd ml-kem-key sent success` -BFD metadata key exchange packets sent successfully in total. +BFD ml-kem-key exchange packets sent successfully in total. #### Usage ``` -show stats bfd metadata-key sent success [since ] [force] [router ] [node ] [] +show stats bfd ml-kem-key sent success [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -56401,6 +57359,7 @@ show stats packet-processing action failure [core ] [since ] [force | [`aes`](#show-stats-packet-processing-action-failure-aes) | Statistics for 'aes' | | [`bfd`](#show-stats-packet-processing-action-failure-bfd) | Statistics for 'bfd' | | [`dpi`](#show-stats-packet-processing-action-failure-dpi) | Statistics for 'dpi' | +| [`egress`](#show-stats-packet-processing-action-failure-egress) | Statistics for 'egress' | | [`ethernet-header-transform`](#show-stats-packet-processing-action-failure-ethernet-header-transform) | Statistics for 'ethernet-header-transform' | | [`fec`](#show-stats-packet-processing-action-failure-fec) | Statistics for 'fec' | | [`flow-move`](#show-stats-packet-processing-action-failure-flow-move) | Statistics for 'flow-move' | @@ -57310,6 +58269,66 @@ show stats packet-processing action failure dpi ftp pinhole-timeout [core | ---- | ----------- | | verbosity | detail \| summary \| debug (default: detail) | +## `show stats packet-processing action failure egress` + +Statistics for 'egress' + +#### Usage + +``` +show stats packet-processing action failure egress [core ] [port ] [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| core | The core number for which this metric was generated (comma-separated list) | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| port | The device interface for which this metric was generated (comma-separated list) | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + +##### Subcommands + +| command | description | +| ------- | ----------- | +| [`invalid-egress-interface`](#show-stats-packet-processing-action-failure-egress-invalid-egress-interface) | Packet drop due to invalid egress interface | + +## `show stats packet-processing action failure egress invalid-egress-interface` + +Packet drop due to invalid egress interface + +#### Usage + +``` +show stats packet-processing action failure egress invalid-egress-interface [core ] [port ] [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| core | The core number for which this metric was generated (comma-separated list) | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| port | The device interface for which this metric was generated (comma-separated list) | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + ## `show stats packet-processing action failure ethernet-header-transform` Statistics for 'ethernet-header-transform' @@ -62158,14 +63177,45 @@ show stats packet-processing action success flow-move generated-keep-alive [core For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ -## `show stats packet-processing action success flow-move generated-keep-alive-retransmission` +## `show stats packet-processing action success flow-move generated-keep-alive-retransmission` + +The number of generated packets retransmitted after flow move has been triggered when no forward traffic is present (in-memory) + +#### Usage + +``` +show stats packet-processing action success flow-move generated-keep-alive-retransmission [core ] [port ] [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| core | The core number for which this metric was generated (comma-separated list) | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| port | The device interface for which this metric was generated (comma-separated list) | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + +#### Description + +For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ + +## `show stats packet-processing action success flow-move packets-enqueued` -The number of generated packets retransmitted after flow move has been triggered when no forward traffic is present (in-memory) +The number of packets enqueued as a result of a flow move #### Usage ``` -show stats packet-processing action success flow-move generated-keep-alive-retransmission [core ] [port ] [since ] [force] [router ] [node ] [] +show stats packet-processing action success flow-move packets-enqueued [core ] [port ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -62185,18 +63235,44 @@ show stats packet-processing action success flow-move generated-keep-alive-retra | ---- | ----------- | | verbosity | detail \| summary \| debug (default: detail) | +## `show stats packet-processing action success flow-move sessions-closed` + +The number of sessions closed for flow move keep-alives (in-memory) + +#### Usage + +``` +show stats packet-processing action success flow-move sessions-closed [core ] [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| core | The core number for which this metric was generated (comma-separated list) | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + #### Description For more information regarding in-memory metrics, please refer to this retention document - https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/config_in-memory_metrics/ -## `show stats packet-processing action success flow-move packets-enqueued` +## `show stats packet-processing action success flow-move sessions-install-rate` -The number of packets enqueued as a result of a flow move +The rate of sessions created for flow move keep-alives (sessions added per second) #### Usage ``` -show stats packet-processing action success flow-move packets-enqueued [core ] [port ] [since ] [force] [router ] [node ] [] +show stats packet-processing action success flow-move sessions-install-rate [core ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -62206,7 +63282,6 @@ show stats packet-processing action success flow-move packets-enqueued [core ] [since ] [force] [router ] [node ] [] +show stats packet-processing action success flow-move sessions-opened [core ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -62246,14 +63321,14 @@ show stats packet-processing action success flow-move sessions-closed [core ] [since ] [force] [router ] [node ] [] +show stats packet-processing action success forward [core ] [port ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -62263,6 +63338,7 @@ show stats packet-processing action success flow-move sessions-install-rate [cor | core | The core number for which this metric was generated (comma-separated list) | | force | Skip confirmation prompt. Only required when targeting all routers | | node | The name of the node generating this metric | +| port | The device interface for which this metric was generated (comma-separated list) | | router | The router for which to display stats (default: <current router>) | | since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | @@ -62272,14 +63348,21 @@ show stats packet-processing action success flow-move sessions-install-rate [cor | ---- | ----------- | | verbosity | detail \| summary \| debug (default: detail) | -## `show stats packet-processing action success flow-move sessions-opened` +##### Subcommands -The number of sessions opened for flow move keep-alives (in-memory) +| command | description | +| ------- | ----------- | +| [`eosvr-loop-prevention`](#show-stats-packet-processing-action-success-forward-eosvr-loop-prevention) | Statistics for 'eosvr-loop-prevention' | +| [`to-wire`](#show-stats-packet-processing-action-success-forward-to-wire) | The number of packets successfully forwarded | + +## `show stats packet-processing action success forward eosvr-loop-prevention` + +Statistics for 'eosvr-loop-prevention' #### Usage ``` -show stats packet-processing action success flow-move sessions-opened [core ] [since ] [force] [router ] [node ] [] +show stats packet-processing action success forward eosvr-loop-prevention [core ] [port ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -62289,6 +63372,7 @@ show stats packet-processing action success flow-move sessions-opened [core ] [port ] [since ] [force] [router ] [node ] [] +show stats packet-processing action success forward eosvr-loop-prevention broadcast [core ] [port ] [since ] [force] [router ] [node ] [] ``` ##### Keyword Arguments @@ -62329,11 +63417,59 @@ show stats packet-processing action success forward [core ] [port ] | ---- | ----------- | | verbosity | detail \| summary \| debug (default: detail) | -##### Subcommands +## `show stats packet-processing action success forward eosvr-loop-prevention multicast` -| command | description | -| ------- | ----------- | -| [`to-wire`](#show-stats-packet-processing-action-success-forward-to-wire) | The number of packets successfully forwarded | +Multicast packets dropped to prevent an Ethernet-over-SVR loop + +#### Usage + +``` +show stats packet-processing action success forward eosvr-loop-prevention multicast [core ] [port ] [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| core | The core number for which this metric was generated (comma-separated list) | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| port | The device interface for which this metric was generated (comma-separated list) | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + +## `show stats packet-processing action success forward eosvr-loop-prevention unicast` + +Unicast packets dropped to prevent an Ethernet-over-SVR loop + +#### Usage + +``` +show stats packet-processing action success forward eosvr-loop-prevention unicast [core ] [port ] [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| core | The core number for which this metric was generated (comma-separated list) | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| port | The device interface for which this metric was generated (comma-separated list) | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | ## `show stats packet-processing action success forward to-wire` @@ -68815,10 +69951,66 @@ show stats packet-processing enqueue [core ] [since ] [force] [rout | command | description | | ------- | ----------- | +| [`from-worker-core-invalid`](#show-stats-packet-processing-enqueue-from-worker-core-invalid) | The number of invalid packets dropped on injection within the Fast Lane | +| [`from-worker-core-invalid-low-volume`](#show-stats-packet-processing-enqueue-from-worker-core-invalid-low-volume) | The number of invalid packets dropped on injection within the Fast Lane | | [`to-deferred-ring-failure`](#show-stats-packet-processing-enqueue-to-deferred-ring-failure) | The number of packets dropped due to deferred ring overflow | | [`to-deferred-ring-success`](#show-stats-packet-processing-enqueue-to-deferred-ring-success) | The number of packets enqueued deferred ring | | [`to-worker-core-failure`](#show-stats-packet-processing-enqueue-to-worker-core-failure) | The number of failures when re-enqueuing packets within the Fast Lane | +| [`to-worker-core-failure-low-volume`](#show-stats-packet-processing-enqueue-to-worker-core-failure-low-volume) | The number of failures when re-enqueuing packets within the Fast Lane | | [`to-worker-core-success`](#show-stats-packet-processing-enqueue-to-worker-core-success) | The number of packets re-enqueued within the Fast Lane | +| [`to-worker-core-success-low-volume`](#show-stats-packet-processing-enqueue-to-worker-core-success-low-volume) | The number of packets re-enqueued within the Fast Lane | + +## `show stats packet-processing enqueue from-worker-core-invalid` + +The number of invalid packets dropped on injection within the Fast Lane + +#### Usage + +``` +show stats packet-processing enqueue from-worker-core-invalid [core ] [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| core | The core number for which this metric was generated (comma-separated list) | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + +## `show stats packet-processing enqueue from-worker-core-invalid-low-volume` + +The number of invalid packets dropped on injection within the Fast Lane + +#### Usage + +``` +show stats packet-processing enqueue from-worker-core-invalid-low-volume [core ] [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| core | The core number for which this metric was generated (comma-separated list) | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | ## `show stats packet-processing enqueue to-deferred-ring-failure` @@ -68900,6 +70092,32 @@ show stats packet-processing enqueue to-worker-core-failure [core ] [since | ---- | ----------- | | verbosity | detail \| summary \| debug (default: detail) | +## `show stats packet-processing enqueue to-worker-core-failure-low-volume` + +The number of failures when re-enqueuing packets within the Fast Lane + +#### Usage + +``` +show stats packet-processing enqueue to-worker-core-failure-low-volume [core ] [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| core | The core number for which this metric was generated (comma-separated list) | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + ## `show stats packet-processing enqueue to-worker-core-success` The number of packets re-enqueued within the Fast Lane @@ -68926,6 +70144,32 @@ show stats packet-processing enqueue to-worker-core-success [core ] [since | ---- | ----------- | | verbosity | detail \| summary \| debug (default: detail) | +## `show stats packet-processing enqueue to-worker-core-success-low-volume` + +The number of packets re-enqueued within the Fast Lane + +#### Usage + +``` +show stats packet-processing enqueue to-worker-core-success-low-volume [core ] [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| core | The core number for which this metric was generated (comma-separated list) | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + ## `show stats packet-processing fib-action` Summary of stats pertaining to packet processing actions after fib table hit @@ -76955,6 +78199,7 @@ show stats redundancy session-errors [since ] [force] [router ] [ | [`invalid-buffer-received`](#show-stats-redundancy-session-errors-invalid-buffer-received) | Number of times invalid buffer was received from database | | [`invalid-session-key`](#show-stats-redundancy-session-errors-invalid-session-key) | Number of times invalid session-key was received from database | | [`new-session-creation-failure`](#show-stats-redundancy-session-errors-new-session-creation-failure) | Number of times database miss processing resulting in failure to create new session | +| [`no-service-path`](#show-stats-redundancy-session-errors-no-service-path) | Number of times recovery failed due to no service path | | [`session-not-found`](#show-stats-redundancy-session-errors-session-not-found) | Number of times redundancy session was not found in the session table | | [`session-update-failures`](#show-stats-redundancy-session-errors-session-update-failures) | Number of times session update failed | | [`source-lookup-error`](#show-stats-redundancy-session-errors-source-lookup-error) | Number of times recovery failed due to source lookup miss | @@ -77110,6 +78355,31 @@ show stats redundancy session-errors new-session-creation-failure [since | ---- | ----------- | | verbosity | detail \| summary \| debug (default: detail) | +## `show stats redundancy session-errors no-service-path` + +Number of times recovery failed due to no service path + +#### Usage + +``` +show stats redundancy session-errors no-service-path [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + ## `show stats redundancy session-errors session-not-found` Number of times redundancy session was not found in the session table @@ -81399,6 +82669,7 @@ show stats service-area received [since ] [force] [router ] [node | [`flow-expired-reverse-metadata-packets`](#show-stats-service-area-received-flow-expired-reverse-metadata-packets) | Number of reverse metadata packets received with no matching flow | | [`flow-move-packets`](#show-stats-service-area-received-flow-move-packets) | Number of packets received for flows requiring modification to use a better path | | [`flow-move-packets-local-ip-change`](#show-stats-service-area-received-flow-move-packets-local-ip-change) | Number of packets received for flows requiring modification as the local egress ip changed | +| [`flow-move-packets-reverse-arp-change`](#show-stats-service-area-received-flow-move-packets-reverse-arp-change) | Number of forward packets received for flows from a different source-mac, indicating a reverse-arp change | | [`flow-move-packets-reverse-flow-idle`](#show-stats-service-area-received-flow-move-packets-reverse-flow-idle) | Number of packets received for flows requiring modification as the reverse flow as idle | | [`forward-metadata-wayport-range-miss`](#show-stats-service-area-received-forward-metadata-wayport-range-miss) | Number of packets with forward metadata that missed the waypoint range | | [`hierarchical-service-validation`](#show-stats-service-area-received-hierarchical-service-validation) | Stats pertaining to hierarchical service packet validation | @@ -82041,6 +83312,31 @@ show stats service-area received flow-move-packets-local-ip-change [since ] [force] [router ] [node ] [] +``` + +##### Keyword Arguments + +| name | description | +| ---- | ----------- | +| force | Skip confirmation prompt. Only required when targeting all routers | +| node | The name of the node generating this metric | +| router | The router for which to display stats (default: <current router>) | +| since | The displayed stats will be calculated as a delta from the given time. The given time can either be a timestamp or a delta, such as 45m, 1d, or 1mo. Providing "launch" ensures that no start time for the delta is set [type: timestamp] | + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| verbosity | detail \| summary \| debug (default: detail) | + ## `show stats service-area received flow-move-packets-reverse-flow-idle` Number of packets received for flows requiring modification as the reverse flow as idle diff --git a/docs/config-smart-download.md b/docs/config-smart-download.md index d5fe6d8d11..2743021b72 100644 --- a/docs/config-smart-download.md +++ b/docs/config-smart-download.md @@ -62,11 +62,11 @@ As a system cleanup operation, you can delete stale versions of the software usi On the Software Lifecycle page, an in-progress download can be paused by selecting the download, and clicking the Pause button in the Details view. - +![Pause button](/img/config-smartdwnld-pause.png) Using the same window, you can also resume or delete a download. - +![Resume or Delete buttons](/img/config-smartdwnld-resume-delete.png) ### Auto-resume Download on WAN Failures diff --git a/docs/config_command_guide.md b/docs/config_command_guide.md index 889acd228a..a07a018582 100755 --- a/docs/config_command_guide.md +++ b/docs/config_command_guide.md @@ -5393,6 +5393,32 @@ A true or false value. Options: true or false +## `configure authority router application-identification summary-corruption-upload-interval` + +A corruption event will be reported at most once every interval. Zero disables all uploads. + +#### Usage + +``` +configure authority router application-identification summary-corruption-upload-interval [] +``` + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| duration | The value to set for this field | + +#### Description + +Default: 15m + +##### duration (string) + +A simple time duration. Valid units are s - seconds, m - minutes, h - hours, and d - days: 5s, 10m, 24h, 15d + +Must be a duration with units of seconds, minutes, hours, or days. e.g. 5s, 10m, 23h, 5d + ## `configure authority router application-identification summary-retention` Configure Summary Retention @@ -42069,6 +42095,8 @@ Web server & REST API. | `clone` | Clone a list item | | `delete` | Delete configuration data | | [`enabled`](#configure-authority-router-system-services-webserver-enabled) | Enable Web server & REST API on all control nodes in this router. | +| [`max-sockets-per-request`](#configure-authority-router-system-services-webserver-max-sockets-per-request) | The maximum number of sockets the webserver will use per outbound request. Zero means no per-request limit but the max-total-sockets still applies. | +| [`max-total-sockets`](#configure-authority-router-system-services-webserver-max-total-sockets) | The maximum number of total sockets the webserver will use when making outbound requests. | | `override-generated` | Force auto-generated configuration and any modifications to it to persist on commit | | [`port`](#configure-authority-router-system-services-webserver-port) | The port on which the Web servers listen. | | [`server`](#configure-authority-router-system-services-webserver-server) | List of control node server addresses. When present, they override the defaults from global configuration. | @@ -42101,6 +42129,58 @@ A true or false value. Options: true or false +## `configure authority router system services webserver max-sockets-per-request` + +The maximum number of sockets the webserver will use per outbound request. Zero means no per-request limit but the max-total-sockets still applies. + +#### Usage + +``` +configure authority router system services webserver max-sockets-per-request [] +``` + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| uint16 | The value to set for this field | + +#### Description + +Default: 50 + +##### uint16 + +An unsigned 16-bit integer. + +Range: 0-65535 + +## `configure authority router system services webserver max-total-sockets` + +The maximum number of total sockets the webserver will use when making outbound requests. + +#### Usage + +``` +configure authority router system services webserver max-total-sockets [] +``` + +##### Positional Arguments + +| name | description | +| ---- | ----------- | +| uint16 | The value to set for this field | + +#### Description + +Default: 250 + +##### uint16 + +An unsigned 16-bit integer. + +Range: 1-65535 + ## `configure authority router system services webserver port` The port on which the Web servers listen. diff --git a/docs/release_notes_128t_7.1.md b/docs/release_notes_128t_7.1.md index 8e462b10a0..644bc9d5b6 100644 --- a/docs/release_notes_128t_7.1.md +++ b/docs/release_notes_128t_7.1.md @@ -61,13 +61,9 @@ An issue has been identified that may be observed in conductor deployments runni An issue has been identified when onboarding SSR routers installed with older versions of software (such as 5.4.4) to Conductors running 6.3.x, when running in offline-mode. In some cases, certain software packages are not available to be installed during onboarding. To work around this issue, import the **package-based** (the "128T" prefixed) ISO for the current conductor version onto the conductor. This provides the necessary software packages to complete the onboarding process. This issue will be resolved in a future release. -## Beta Release 7.1.3-11r2 +## Release 7.1.3-11r2 -**Release Date:** February 5, 2026 - -:::important -These release notes are Beta only, and are in progress. They are furnished to help provide information about updated and new features for controlled beta deliveries. They do not represent a full feature set. -::: +**Release Date:** February 25, 2026 ### New Features diff --git a/static/img/config-smartdwnld-pause.png b/static/img/config-smartdwnld-pause.png new file mode 100644 index 0000000000000000000000000000000000000000..decd4298fc3d60d2e82d467b3a5cd939d73ce224 GIT binary patch literal 60753 zcmZ^L19+v$@^>_`?PS79Cbn&BGO=yjw(U$f6WjL06Whj#jql9v-Mf4L_kJhOdAi?L zbyruv)%B}730II4M}WnJ1pxs;kdzQn0s#Rx0|5b*gN6i_Tzm2H10Ph)g@qL)g@uU~ z9BfU@t&BlHu#>IhYNUk}(Fc7~$deU>6%+ykMFPdlM1;{z6a)j!1RHpBi~W!G%#%Dt z%8;j#Y44y|=B7}mHKY|4ZjkCB=_snM>y^qpIkSj1UeC8K1mQB2sJN@sCvdh}a29?Z zXN+D_AZa^IiMJJ-ej!HJK!@AtcuXR!QGZ>x9B<8{nOsM}=X2lh5a({PIIikCavI!L z*M16}jjN2pUtI0YKg+6Bi_j5HL0xa+P~0($EMVm;^GN9x+``);i*6iz1P>%0nM6V#Ie+phy8YINUx!hf zD0d?)L_4aTU5;gz>B?!J1TFI`MUgfQke+f+GM*t?UAJB|%tP)Hiz|#KE1$htUF3vU z%FH{F0t-Nr1I$w*i`A)qzF;-~^aWE9&_7!seWeC6+Q3*%(nMAkAh7QKY zHjZYtPIabpp&%e&yyhxuPHM6;T!yyRboxfN2F7%5)^@+Ufbh6+0khV|PWr@d)>bx- zTyDH1f3)BN=6@H{lMw&W#L1GEL`_zKSlHIVn3#=@fsTQM50;pin8(4$giA?8>|fo1 zPrM{%PEK}Q^z^Q-u5_-}LKqB^$?oEep6n`rkG5jC2h2|Ersm zxyk>h+wYn`yZy1QKgsd@9*j%D+|AfZUBuiP$W`Ff_?Velc>W;sUp0SE^v|AO9E}}> zZLNVFo%sIVmVb5rXXXFx_yd`)bxMzkdKjv{=drp z)t-m`H-rDd@IQC+k5b@v^1<@Z|64TpV12^#6hJ@(KqN&3Rop;NwV|?RRnT%zTvafT zF+?KJ1*v`&!iIqbe88ywd>8Pc%?DG3Ca*NC0}EY|>l-n3X%v zkg|9IBze%Ez#{zqne0J;8c+Rv5G~hk3t_W*Xo|8_?2Mco8!I#(O;z&o@p-H)otOJR z#6D4g4H!&S+pX6aLY*x)B-#<4fqAU8@*hrc+ZIh|FV9GJw9Z7~%v20fe_Hfx8qPn@ zKhDj}l*ZEbB3$#nCz!tu>FteB38BPex5+!m!4rL7YaRoT zP|xIui@>nf{&Tv($t#FKiwxwAKbUc4J6PBryKi64Hf>1Gw#mzL0zAB+U}A67O}v>B zJ2URdv)v5nTMv7CW~=o{N4D2ohm=w)ho&Pi_{B1eTf%&Mf)6BKJE#-W(j?fm_>(61 z-$_14U}35TG4U-mTH|$a+t9pT?A$9Z7(L%v2aFQ9u5V`ym8%ntdiRyO9<3%bw#H?! zaQHjS?1RO)y! zKM{iW>d@}#>BRj?E0IDLnO3pRM0_SuJ}SSVt1^F*FI(1e-$zcf(JJL(h+x6r!wDd{ z)_TjJF6M>LQOeJ1?b^vj7yGbO*I>G|bj`K~y&yvMd`bvzzFJY7#ZtERY3 zs8+-jp~S|J)MGU@26}ES7f%1$>X_yIM(BJz8_f4&M_ut`j-fqhy+=Av7}|Gn-WIBU z`wQ*=oK#{|2ojSiAp6LCIT{}hHhd4Kgb{CPkRq3w()AB#zcXh${4`HWi<7WicoUj& z>*;VhLVenNrJAifki5AZ!>P3kp~5S@+X_`K38Jg5LWqLI9AW*jkQZn^^O& zobsOZ_3;_d^<6AFkSgY6FF1JPDwRf^ENWCglt3&HGDkR>`fKeE<%0{Z-tvi814P3* zC2Rsm$IETNZVT|_3*}#xI;+vTQ&JGb_`cp^t#RCNai!(vFGzYHZU$QZdb;(U7ANwR z$o1ySESAX;gn@y%BSXnGH8PTTt*xv3L{A@k-f~YjV%V(?{@o$@N0c`4=<%GzFw8RC zoe0+oqD_cp;!Ls6*y8}oI^0{=n+ab7Un4@c?|Sg;H+MLV>(NPc#6AJ*o3DSr-F|)s z8?*)6_j>V+-*D48l67-&VY6PY5C5TBA(c%1Vct}2gZMoH<8y{t5JS1M48Eh`&R}!` zCM=w=W|K`aL*0as&PtPQNgyKEun0S}u~vuzLJD6~9v-yv3q)%4o05`}YYo~yoamZTvWO3>i!F|n z`rOFq3^w(N3)`G6oPtf%Un_+!F7=KfM){yG*PzwNFPOhnDv=+uU478`v?AvgqTS}F z|HacTJPRuIv;aCS(?2gCn_<(*{jeZ|r6?pCSFw*2PjRL3jOKzromYAr(f2}8N=hoh z@x`x3*rR>cva%({NBz1^YiCss=jEz;nD1oFA5+*rm>oI_0$NY7P5-cI!v_P>nwFp%6hk_- zn+4=nng9Z5ls?1}&mUIlLK|IbHQq7lY$!A-gH6bwa zoloXr5>MM}EcRec zycx{$8CdLZOaIoGduaZO1%w52{I4SH8xEf}pIL6pcMVC!r|4<2I?fuoOBHtpb1sF} z+;(mk4p(fk6fjI6Tmb8|mT8U?ys^ddxr1Yqs;yT)%PMx6`QO6c9uJ6G_m@BR!neP_ zdEUHU?e*gC?d~ew9?zLgn&%hw}>AcJ}Ac9rl#Zd-D8t1seyYg5pSIuI+_MD1qE4J9E0p;G z5`iLe>W4ovR@VFO2$~vcZBFf@F&QO!WHC?#1l>4YevC|-l{lTt5OXUBTCxaCb&c7j zkUi3FY{Gc09X9W9Ninc!e${c0&N|rLoqBn^Zbl;z)9dWp+ZuDl>jIBsL}0nctKLU} zh%UzJ5wRajD`~fB3laVaAqjo#b<3Jsr;wN54%H4f`*D?USYnwh%_Yrpc?2os?!lw- zZ()0;2YY|HW`}d``c^W;bMk%UQs`jGbf~&2G~;GhSzc446R6v>L-^hJdG8+3W@`+^ zGv05#A_bq1N9luGo}MzRj-r?+lB{~Lb)4r|4Mg{84hnFXOI^JCcR(j;4-O;tXbYT!L_Jug(iU zGwgA$p{@@mOSX`Bt;~<}FxsAdU6o+3u?e^#8+pAi2ei04HQB#|GX?JvV^4!4!JAQv z^S)s-XGDMBpelh(CMb&x!(l;(N9%oiovb|up~b}A41xj71cd_}4IibjSw0Iz$uC!n zL1wU;ja;SmK{^B0m9gtt$5;YRAZMWWt2G*q4N%!lCroR_zYD&Sw#1`ZueXQ8@9Z>r zEEe4LC&sEzU-n8TMriV>^oPU;hf|I*>7PR%FBfIv7rZh)L&Q`+mD2qNPyer%G}z{W9~02r|kxO5!J+?B#mZ!B}627AG`)05>a z{$dyICY9ZJuTLi$jP_Qmg)kLPHF5!sM~??NMQwl<`ckt1|-4cY?9BX`)cwAk7Bbp(pvQmsMJ~BR;!Z&T3>#94u&e z4F!zn*nGAmem9OL{S;qu`{QesO&9G!bthO=LRJGLu20k*J+OT!X##-#BTU%)S zFqSimg?Qdkm@Ss&K9@KngN0liZ+At;U5k(9m4aK+LbEtZC`{H z>vQ)#?OZexyqGHj+yFZxv&=`m~|kCB}x5);|ioB$|zt3a-&L&LNdBnC6e ztf?6h+IT}5Y!+qaQV~HDWdcHI6RYY=8G||@;lbye>%Gk9{V*(ersoM6w;26One^~_(qyLQ^wv&itFvK$TvMt!mxs(?3(4*S!A65-II~!=C?o+f zV?bbn$*Q>kXE5%U>&k5Fl4fgE$ZNT2v-l{)N?9NwvUjdya=i6OXPhnt>Kw!wAU3 z^Ds%18nj*YKCd3?ZGq}RfPm=swLPG%62IGWItz|1#2m)!ZUYfw0|&QJh38PQD)thq zrhK@H7LpkVrK{23kFu4?Zd=@P>P`?v^8yv+K~h~*3g`bMQ^dtG)va$d{y*3FcFH` zSIUtWVkWzxhBMZF! zDL5n1b=_V17r|P23%=z%kH|LPh>4@#xeH)f6izJy6v^8MdL2#>;LD)HVe8h+7=$=m z_Vpq}(s2@BJQ`PDuEMavV(w@=5<=z&Se+~8D-R`$i)b*xX{Df_>}Fx&_avDnf@(bH6% zw_YPYMKzR^Fe-cTFc(fi#1Op`W{)8%>3B|es?516kv?}0N?M)8|3an-e0x>AE_y^63D*@HC! zfsg-q8p!22<-V_^wV{dCn3z(&)zj3{{h&XYt{v!%&kd$NK1PChI_M77=?)p7jLgx& zz}9(?<=DxR7M{pQ{8Es^>v2<`6)gaV7I8saB@L-728i}eW#@skH4x#{fyd<{HoHQH z5+2ppBVNU3@q+A@^cm%U+*LNx#k}x2Ib#o~aowuTE-;?X=2{-NtD4PzVAI--b6Z@PVbo{?fmo2gUv)=Wk1awxLBb z*0k;Ln{>JDvU>wTm-VmR6KD9~{I9qOU;mA<`M<(}s>QvI;}&IxtP_ucv||XNp zcYAN)a?D0{SO;2CZHV9|b-M8mUzy9xj_No-r`-m52I%!5%-sxN?)Ev=B0~k6SU_x% zW6?ibX}|)cxUN3(dt65^n6q&+_u!&g4toMRYLi?bahP3qz_2iR>QKlvlU{W@lGTnBtQj$DwW_V%Yx1qb9K*=? zHDvb)YIpB$YGN1UU{l?VC{y@;!jn6@g-;FTrJFz@0^saD#=~;Xh}Y zt_@e55$o8m6cWL&9T({TjbkdXLG#=#LfcpH-xOyGx6a@HSOY3Y)E8Wl9fyr_O?b4u zFCkw!=2weqIvrAo)NHR+^Pv~cC%k^{u+GmB_X&$AiEpAJ&~G)tyJCdI&X%I9gv=oD6V362|R+fsd<7`J%M<2;c=ZkE=|UVVv*{_epNc~8HEzwF9I86KZJyb zUgRyv=~&`HTldRCr$#c>(jxUSHwe53n8rC;a+liLFBj^h?hUZO`-9t)CF9q2cg&qehdn8KPynTFbOE$TpdXXjbY8Lf-&fz? zu=E`cL=Mh%J%e6o?M(DZRhMFCy7Aqo9!rvT)ZV%0-H}AI{UM_1njyl^8;8rLAX89O zU!j}vHdD%|EsXzjB;b4nL1OrQp3IX^OS+=?^P-S&12@f)--%B-k4Fh1H0#(!XI35kGI&ozYGf;?{TU$(r+G{0D$;5YwG75J@iY#eEV+8Uvlq&&Sc>c1iMd zyP!);zyA^KV!Wy=N51MZGy~8E@ZoBg%eI>)?TnSz+p1G`en^zE3G!Uf#d4MzCkHVEDDHR$m`xXA= zfdVb2Q`J;;7%Pt+Ez$HiYIl=bUC%c8R$;t{c@}~ofwRtxlAKel8?O!mlN84XgaAezwd|w3l8r=``wJA>zQbss-zPH>5X434vPcP=*bd|2Fu9#F%dW~&xIV4*6Z<1_PUW> zH@3PL$b*KJ0(suZs%=Os#w)|4Eyv9xUIY=g$arVoG#Uwt;|;>SoMYY?v?Gv z@7AynX}6g~H}}z3m_8WI%lO#(Vo}+QFSD`$%BmuQGW~%1dBl?ml?3gahfcS13 zVZ%YlxYhDNE`wt$P(e}ZB`5db0&U1v)G$4DgQ;&IFbI+D-9@AMLQ^R7tI}V(N(#*% z@)l3R-naajv~=-vWqSl&^96}IUbGPfZDxbHZ_O003{0t5^tX+8grD691F5<`f}^SQ zsjt?QOr*(iaT1A?vV|Wuyhu5L_!?TrPl|*#m$O1X%6p6uXo{5Za7m}-qgR+1+3tD- zY>u!A9!r5?q)(*s99*10D+72XbS(?%viF($@ue<}*|ET|M6NzimI#44!kJHo=V0t7wT@DIfQSJS>yJioVQeT}0V)^DRJ~9$X zr+|^N+PJIstK$=$roND8T1qQ1WBi^;$A|Epdq#tQu~5|ozX|Xh!mB6Rv70bj?#Qe7 zZ$83;LMNRG?X}(>ODghvz4N}lJp*3!k6RrO#?j_m^*G+Nnqm?X6U~?FsT`0j>(ta; z1(oO9T!}t+t$WKAI_|JuVLKktXtHB*zY+-t z>)}53MP;^lDDTeott3seL`=xLJz3CfCf+>vJg=+F#lGdJ&}tEyF9YI^W&Qk@ zg^7zs4%pt$XJ8hyr8PlEvAz&MEzn&dpTXi!*StwmR$rmnG#pu~@;w0~BvGC(T{PF5 zE3^9XVwg0xFp|Er|0>S$dR+KujCt}K5ZH0pS(dV1X)Ks|zArhR16P7s?K(L3G>2vO zxlYrB8qawRFLmyDEErqR^_1nfq5kqisp));HkpCVxKgJhBac;mR3i_FJ;vYM5$)bm zy%*RxyY1|M`KtRFHE3F%S8|bKsa+KA^HcTndA>A#hZdV#=hc-o3F|{l(HjFy`}q?d zwDZ|yLKM*Z5^jMT?X&c&h{b*zs@{G_%x3uZaJwf^{TIq1NPZ3hwXxL`{_TSy2}VmU z&YUo|qj21|02o*@``BFuyRG2sBu5~(4Q+V9lfFLU+>5U78&z|z$MVspHW`%d(N z8E09+&bAxK@%*^anTLq`B=2+7A_tM%rXWw;O>rfUnSY*!?@fH@QO%I}h~GWXojJ2D z8d<2*fW)6Q!Fj;Lh$Ns@x-p|hYqKue+^9c z_clFUVN&xO0ZiqSX7^ab?}d=G$6ilx=WZ-OERWqCmOi&=-9xUL2-*Nv%U(f0OQf{k zbM#Q70xU)n$er#u4>TtIVS2+ClE3QE0#+Z(x0c;iO+q9#g*u2-C{)_|UVWEXwtz$n zHhiAH$e>q$#H|blJZ-G0G#rD58KBhb0XnZ^yh!)`z!5j!76P9x`VEFFd_N+vNec_d z+)e%X^7+WM8><*IElOZ(S*+9^ycjpv`-$ql4dGYrBsU-+uhZ(dMEp-J<^Kxh?{RxP zW5Gu1brr5yi4@KGn4GFxcw&qF)5Hr@J|-;eR=7_r`cPPBLw_x(L9|O*&VHOULx91D z0ZZ%kS{~@JC?`&;NnRMp!)(V427}lS9>Sl=im_N$*_S&=K@Z2@KRC7wnc|v9H^>g* z+1UYGr&3m)5fMI=iMb^jo`^EY)@_OlAK*Qe2M?UjHx$=`)#oR=JGNf0UxGMd1cUg- zWH0jeD#w|O>C+a+#<-(@*kQkO$YKJ9ih6(H?a22ogX#KJ+Z%!Ran@|>8tB$kN@3?1gJn(%uB`@Q?W=8eUj3AIVk#>j@_c~_z{(0G@{qvB zB7?p?jg7&U6t~+6B?FtZG@XdU+yfYCZneF+B1L;_Q~gjXf-UQ#+)6<{?@OxUmG&ld zcY<);H@SInoXl7W0(e`Qn!~Z^-t%98y!N2}7L)N-0FS>r3D-gOGm)Ojfs6_DU_?FS z<&}GWb|Ttgx8uH-96z%%PZTTA=fEUXDA$m#*w5@|$1;|l3zYO3of!9fy>AyUP3tb9 zULvRz8F=hgd3~H-yM_gaI(KRHE@v7j_!1w4UN*hkUw%b8@p&=}5pcVlip28sDPbFv zId(cKLoNDqujm3@@H6G=bpcYD1823LLsxS95a`>bJ+l<{@<7V6uQzeeUx|H6U7%+A zwvg88$H;Sz_A_nC8MyU&;jRL$uj3c0qRu2cJf>$1bI6-1a@d?BSSj3YtM1NX6TL2D zrU;4AK|yuv{FmidE^yiPbfP`K>N?UcoZuYALg8bNsY&@i75r)ASL=S9x(>=2Tg1n! z=O2Xu2};rnD!%f9oZ&T_?R+|x#=Si3`$hw@62OI$1$(BM^p2G2#h4; zTmea|R_L?rj||+d>(1=Ho)xUGmqSD>=WDKqzr8MB%2YExb;jzIS7Wx=AIjFcWO2Jz z7FG;t^he{d{Uqe}G%1oUwZRzt*U9+Nb1WrW_PDcP9H2Gh#Nrs-30@oO4f>HHK*6Ra~iGNTpWC- z^6HM(Jpp%nt>_!&-3Ie%JO;{pbM1@Z%1%mE>j^}-81*`LA$05yL+b1d+3^aA6yh)i z7QY10<|1(F6as}jPM9U2pBKExkdF1|&67|LKp z(%*m447i)xwf%+80G^qYBr}plkKL*h4Cq;HBFcVfYe3-6xvSq_Lo)KTM80r)h!@|( zCrr+$zJm=C1jo&uJn*8B>45M63R;%uI%fdhx2$gP#|&McE!V~{kNYFi@23EKnX<3X zo=*LSG*-jN6a>~p#h_Ea2))M`zhyIjx#)!(Yx;Oyp1<6(aUaMd+`xS!Z8mgCCvd1N z9J(&kwC<3o#qE0v=+f^Cf!MeF*ko_Ulnr1{c-xaXnP+Q%LOc$8%gM^>x32y+N0jZn zVENZ;63!nSkteQ_z#;oUSor9IOEXSyWA?^eIkLYm19c1syGRWcq8W-vE0NFuiU5dj zbiVtve1VvELBM6%eDCH$ND*pU^I-O7bd4!jSD=TsJhK$|%$Q63g2k3-HQQW+5mlX) zr4{kn2qK<8YoO-}cHWAZ1E)^|^Mtytv7Tuv5ml7f0urGi0EU=Fq3eR=?)7q~Ke!|t zrFS$m9HrTTd#-9jfDBb{N?=M0r*{Z+nqlh+EwW7EhTGCBE;T#PIiQ}%-LJcF@x*A` zV{Uxam3yCawV;v4N!B73jr`OQd@`=SCx2W~Q0%$@Bl_?NXTCOA!NyMVEva zWEwPror6b!0Rc#L37CaQ$d9^#XMAQF!`asJM;aWD%&3K&h#|EL^;D;HKAlx36A-p- z*SQL8!A%qP)F`~{?J`?g3@quOX>zqa2P`*4@@*nX2qA+<99dyDQuY-@<)>p`e4L zG24V++Gx=vka_OA)-RwRyV0xV$c$y^aYD4yaZA6lgZ~m^e&DkaJF-x=_Bw7|2lRQ# zvT%ZN&lCsPTznWK0|pa}Z3L=+24LfIn8kLiS21_2G<;qDX5Ht#>X%M0BMs;{uwj(; zf23!V!-L7yOvf$$3l!8t@HnwWdxj?2+zUh_mdf+L8d zBs|BV6C@=~M3dEJBbv)T1`!dKN=l30{3#IpstqmBn&#^{L0*Ttg9}hVJl4NJT3|bM z%V4tWC-DLjxg$Qoe=geOJw#!v5$X6S;C3>;Q1P5E_qN{{(cu{~rMi_r9QT@CfSA9$ zarrVf#dEePkFK{FoL-jLe$lIE{Yi^6?BM=2jVJq3mLo0CerLU59j&(~$p6umwBLF> zLFBZjpF5bBdn{@E`Sw_M7|yyUT4veKy6*%hj*_Jed@&vQPFK!AUJV#kBqs6wyCyG- z%%4#rdhfy@jtZu4=tysdqV31=<(siRk{xdH{N*Cmbb%kR_cftCqv;|0s~p`3YBYMq z3kB6Q``lqxHv_9x2i93W$qIb=p^9KIrBNretE)pKyaTxbPpn3me_A(z`)L8WAF<;I zGvGiJI#m(LO0;>i7w&tCH37tD{8P<3GzR4e+TVe93K(e=J};NzEOD}EYtR%vYK0r_ z2k(W9-N|voV};>dO>m(=X%J27w^ICi6b zgpd@Mzzb&Maih_Qfg&iG(*h?wE1t2LkoPREl%CGxOK10>X!GU0~=|q&eO( zyYsOTF3Tald~^`+1}+V!KY9TbKV`kZ-3Kb{vfW+u9&~fQyN6SMUVcYJS+LnT+pBN4 zU~iC+T=Q*!m|Lx&Oedchps|ToLUlMBoyijKkQV_}RP-h812cBN$a;xdR-?b``?6(K zSbYha<(VH+mP{6_o*zTDo7mSiOpjrIBId0Sr(nOW7`WJnE zoDRFt_S*rLl)=5D{Rm%U!m%PrWrWdCw~vmd<-=Rf@6J|4@Q#vQDVoe>(9MLWa=d@W zaB^Y!AknM5bA@R?3Z(_WfQ+?kXGYdW%&>K<1TqG}{M&dXu|ms}sW$i1&wW;-6ra%)w^aZ4%vAuiHJWE_juh76_lL$pQ1*~aj7#5_D#~*e95=}Sw&zai-`Af* zTF|jJi>I+KFz&bk&Dx!Kpvfl$W99iMZt=Xfp72u#V1} z){_8&PKS$vW9g?y?Gw*+yPybDvj~L8m3usb7v0d~L$7`3J0V%3w3?0IGJ=WDuYXSB z!~}oD59^jDA|quW4T4jtIuQ1F?m&}26`i~+o(9@K6gtrQTqe-PnHOR1*Rt#puXe!D zze3^A1cODun#0N2P4D&Ow6kz!ypvleX{?o5Et2m|T#8;i;t?Dde;UJSS3n{?G0lY+=Ho6JD>>FW48@8x-qiarB)A|js6X{3kAm|3g&Ap$DF^WfV`i>Z9- zNZ*+o6Cm4T^X*v#1Z14(jwN8piF6h;AXMQD$@7BHefQ%!lzX}+X76nCmhnd5en}Qd zx@UVX$t5hfOq(!X@D7fbnZr{()poivaen43@4?a8&y zOmD65ZPhW2mw<2Q*3-wNgp8jur#pgQK2J2qCnr;x5ZXNi*!JT)NXTC1z*aC1h6ABE zzEYZwf5+nf1P3#ryZZq*Z*L=$7!EKxm1%wrYruIEMma|Lk)>dMt7C;6wvwH5WMhh+ z`4Z?*lR5igE$jkpwX4n^gWb03CQfyeU#kS>9@@qkF?DbiDH-!tEVO}Hmm)jY(0;}< zc`Mnr^uml$EXT(DqvRE{TDobo&2WPi(^H<=q>#SN_DZadbM+96^LcP2v#kB7{r-VV zbgXEmJlrN98$w_>{J>&R-*VZykKLWriK?q-n&w6{8@*@eKO;{f1SCn2GlFC6M{FVw z%_8iWOot1a-93xw5w8t>*_yak0HIt+$@69F`B!xtpKUxmb?zLiyhst64vw79lTFEh zVL||fH13`4s zXq*83DNr@x&|>{Rhy3G7#1A+wieHi9e`3jhz|@~4f8)H8POP^7T*1E(Y!U$=&<@@G ztMq>innVWnGcTE}HKXY-wEiCxLm|$C*MQJ7SNR`AqE2LwgqX)HC-2We_{7RLD*28ATKRXa5aS%WbG)ZIPd}GVro{uSMrj@4R z$vsGE2%-AR9q`X3fcOVkRD9~{A&w|>m6D*KwQ=<*US!1Gr{U+%H9LZic;B-YRr)*B z@^9M2A<(<*?S7?mXXr#k^idhprRgLASwVi1qwm%kOs0?oy#IDT{7ny87$OfEeDcHk zXfzEZ0?O6Z)hC;Awu!(l(B81LR+elMwGw29n+E zjYA7l%KyiSVMO_)7z0xrEr|dnfw5CYAS)RSb}&$0N3k)ABEj*X_QUSUNq_bJN_>g( zNA9m%MkyQTSH4S{C*=5#3ejcscp@6QzrnJQaR=|yZQsUpv``zMQKi9<#B z!}BJF(uEc1=BZIhF&KMYEo3Q17|Jni>=KqKt52#wU(ZOXhu3kuYhXrHj<)C4kFIOY z7Vu=-0jU?+&4p4gmjMve!^?`j(NL&%!)yf8<-?r<6 z!=z*M0}Ko{RTHIB%Mp(0Ddf)S(WtIRHOGv{VkHse4qRKJYg73MuG`OW23u|Wx%fS` z?^CbSIz0(9cM{4J1P4u^yzGB%?3A&RKV3Txbzo~_*71umQIO9c3th5mVzq6@Cml6a z2Q9CCvKg`!ki=;}!B1UUsVG5dD?5#Ne-gTi3<=lTPVdr1iQUTQ zD2D|Z>I8YgiE|SDBAmG81M7$?rBs(#>n|AtDHiJX7>LCYroO`J*MM(Xxr50TOM6At zX@+rW6k|APj0c-pUCv*^`R>kLR}=+pM&vDO&hcs{sze0oO45g})+mV_Kae+drn_{^ z`;`)RspN9(zt*T&cEw^221qH)_lADgTkznFEwh6rpFa|;u9W1w;gGWMVk?s8=djM6_t!`gLzhl*}4k*!C2(lVv+}dJDCCK(Pu}xJ=^zzpC3&JEFBP) z1=N%ZoqUpNJ6p$FZL`tuIU_UIe}vsje!nA%JqRyzQtQqbXv@e4xb5O44a;ZcL7-?Q z8LdxPh$yL&*=O%~BJHxfo*u9fob-6K_f2W& zT9xP7QVxysh*}$0PoNHqPil$3UE~sqH9zUjRr#f-0veuX??7Qa1tV#o*z$2@seW8g zG8z)r1ZQR!f*{etc72E_qy^hX=`5SH0@` z3G4DMz4Te9B#TI=k+Nx`Pai}%IH@vL87$Lbdkx*l>f5TWslt4~a|KTpB~Y9s72aaL zS@+;9_*gGf)ToOKt*u9?5BP=mPofpJ7ZzhF0p%PT7m|AOesW(vJr{o8<)S1R;c9rJ zGlYqc>uYay7e)RcV^W8i%BHqz>BlXJ#K#e1!N`hwAGBs`Lb0}u6SKWgwEB*S1KR!I z1%jlux6wFn@XN%EEMZA4dGmwSrm20Vu4c|sntt%$6U(qfwJsvS01oxCl~%!q5xr+f zUjEHDyI0X)1LO)t(mwi$Gn!O2HbiWaN5ro?3o*|fj*c$49>Fb>vMu79}oTy-}O`zO<>lQvzwsp~aR!EAOCd$)Ty`Yaleu!&Eq zKdQ#R;hT3MEfBrxndFeitaxYu*gthrTY~EUAT*(={w2z&s&4L`f+I=9=)QwpNw3mw z_F=C^RBAtK)4LP{(&yuIkZbJTW1krIMxr~>dgTJ%k`O7sY_11aEZp^{qv07^NLno- z_=WqvBG-AQw{EdoTe!)b=aW!R8%NCwr>)pk)6Sx(*vSpF3DZSoF-h|zzDqJ4X^7Zt zK@@KtwVku81FDuiXY^F1xn8!}G-O0LYJA_?{SD#p_IILd#R+;I`my)iS@`{uaA*0H z8r&4|M?AIXo1^4a`Z{pd16E;+R1}^;=M)aL>s`QGXl)n4#QyhOHF?Tw?TvddL-r~_ zbqDx7Yd*xG&xW#SJ9t!CE>g|UK1roIX*U9QcFPkyDNPw0I7t4O@w?Upb0q}faMmcpk-{o2j#Vv3)-ZyIK&{C zPjNYbuwlM&O00zNU1aN(Y`WN>Bf=SRjJ!`tUvu)+kZs3HHvSM}@=MaY6T4VNJ?+u!JcUP5NEqc)?1%6yd3*XhRI{+Up1Wf0X zk?(r|4K`|ePxtSP8MWGO}aH^AZmO*({$9W|teLj9x8PGyn$erwmaJ{r%8a zPCxsdUHflD$tDj!_lQIJQ-}aBzeX@O z4TdpMMuD$+vj?)d1=Xr+&u2?J@G`wl#4!UrQGFdPRjrG@sJ=~l+dvUe7>8Y5+}wM_ zyqj&<4StP~m{Vwib-k-lFf3wt6;m}9NRM`By6yecSkTlo-Y~PM!Wf8(mqop|?|Y?G8Z>ss|y>TQ9lekP)$z#v0Pv;68}3R-)0A zh>pL$MFrCW-N?q&`n3(-f>1v}+PIiAaz$fe60lNNH_>;S%Da5aA+`7PP50nx8#K|& z;Oso=`6y{{M|Ut3yqsqm^R++Nj(AmVx6L=*WewmxsD}q9F$ia9Q#PBU+#h|l1{et% zUrf`N&d72#`DQ8Z}}4%*kEA+JrK@I$V4zfMy1+9 z#uU3s(~oxLVH*;58*nU%D|i8$#9m0Wll%d*wQ|DdGTjpN`w2H#g#s8`F#GJv`gAD8*4!8*whP= zUvBV2g<|>JD44)(2eD^pd&%sMd-PAhr_>Xw9dSOmUiVipf7E@hvFGoU9b!1lkmsP| zCs7Nn?s!<&b=RIy>to%xz1*R8><24QvT=mcDE?{8W+P|r`L?!eF87g#)Hb8YV`WI{k6dW?P5ZtXY==vx&+||mYiUax zRzn;bLc8~%=!wljwm+b@k0ngIPiff$J|^Hb0gq&hDP9m#Y=+^vY3@b=r=z^LniMX| z$X312Fq1Iwi!x4o#(2Ah0FH@W`3cJZU`&T4ffct2_!}FG@QjJbuh&-glJBGvnF*Tk zHOJ6240ihQ6!kCa(uv{zn29!TjdP$t8%VIv2qsa5ry%i)jkd(gL?J(W`1#-@kJn5s zPVi>{N61BcGUWT1C&Gli=@fPw?5ip44#@skT34R8UKd!sx1N(gH`1@cLW%<=MEb+- z=D{F00V$%5B?p~AUNnq}H1cQj+8#5e8N(6~`Q?4nubO8VV{G_G(2k8qo>I9k86u+3{w6qM zszT8zFF7gd>gc@TXsiDG&{1e)m5UEZkW(@@qBAW)L5Fx@(O#G3M`)fJ;rSiqZf^$a z5=JuoeXyyC43GL(0gcZ04|F8M0=V^k5#aj~jjNG@*E7215q53kX^g`f%_eoqkTgNW zQQg?ch2O7H*c%Qa^@qMmJg1s9x?4qNk@()nl^U*s1Y+t%Tt{M#2Glr7G`OE)JTd7k zn*%l4(zlP@d7?7_;oG4w#+}ZbHy^CB7&G9p1>+HCaYh6|eh5||*GfmZkM9M0x%n{W zZe9-BV?cxC$fT@Pb^_+e%&a(doaW7|w`|a&7gz*~tq0A{!1s6*sB=wod`8K;y+n22 zgj0(((a9mZ%L$o+WN*&;ur6Sk6SxnVbY0Nq9L&2hJkc^)@vKr$NTI#RxHWE)V~Lm; zim#5=?rDWLZMB69&z@Gd+Mpc3^5*V4X(|iv32H0|yDZY1Phf;Nn&oZ&F3I5h*Z%?_ z<|Y+^(Ngcy%W%DZF^7H>UWBMfsZnLTA7jk8H~PgD%K#^mDZt&UBc6qaD!)CJC1{q* z`OJhy(;EtF>itt@?DOhXW0by!UgQJjiy?o3w{^y^I~R3fNb}TJlOLB6(E?sIj@8C~hzNB=+&wc$ zGCIUP)o9oyWD?)MQB-na_vF1B<)~bdiPJ=U{2*n6rEoxsysr}$`+);mMuM>H_M>3P zQNiP+{yw5fm;ojQ<6|h+rJUo)s;+wC|6}VdqvBekwOw3-OK^90cXuZcoW>!zySqaO z(6~bqG&sTCo#0Ne;O=nOKHt&1Ge-aFC0(m}R;{YH-uYC2m=&_LY0uCh79koYQ9k*F zB3pbNmQsjVk^teJQkAZmPR)^Hl`Be1A}P2S(RE-FnFa%sA6y&MSB_0u*Fi|WmuMQm z;0c9*ZCl8bj_Ral}c%72rUIq>43>Ju6Uy^A9m*p z;lm*-4e@e|VR?`f`;N3I>s+HO=E9i{w)|U2pO79yv}dC8)Y4==dyss3!RLd!WRSKw z(`HP@i@K4SxbqQF)tL2D)J6xHHoDz*+Um2y6@l04(RfJlLl0M1+(HtY0~1;FQb^?# z%xHbE+++T?lovc@pA1begP={cFmKWqcHavuQ)cLbSn{#02Yqc_C_^lgSjq~Y$+c?BZF!fsF9TkRB;?dw|FCNU0&PF+6Q za3<1`khVlr7vzx{X_!#gDh>C_?0gAnjh5!bNR$8Xe02q=;6AX$NG6?g`PmS991Iwl zDW;2R5plyPgsS7KzNIhIohuU;x$_kTIBNIh3MGr=0@ND^ftT=muR?uWCTalT$({=Y zW?O8)xqZg8^{g91$+vOAq+v7V9BKXno!t~;U=`q9CwErhFenN)X28?HF=mIb>(F;5BiBXEARFw zhv>Twq8OSrP}AVmKj7jq;dEEzYa>jy5Bc0KXE(5U`n^i}=U72?HR)-uvX)9&7F^`4SEj9kXs7$-N6ViNtgy+CS=aAEzs;kx< z6<41qHG_Mp(*=zpiZK8F-T;c~0(B&; zCU&-HB3(FnfRTdh#Q8niP9>(Kxi3_ATk?kV-gee%42u!oZE+pEgk*9YB2D}Pd-W7l z|7v2SS{!1g3Ge5ZbU)~)jv1fM;mN?9XUWZQ{}P0z$$kFvb(YU4x8K8Si(~eLVc+-I z@`{EDzik&Rn!twEgQ&<4U^UJ5*0(20lH<6y{*ZouTb?z2f`Ms4KM(y+ro!jSb*xxFh$Oh2vtoP41T$)&F19LlI3I}*eg7l;hU z#u`Ke`}FOd7bwl2mm~w%{LG`X*OxyAT`;&tQ=w_P0#V7Vax5Ma1qrPtsrG}A=wdx{ z0s zEZ>J0b0rkHr)(P}u)KT8Dg;ZCNVNGkw$FAo?^|yQzip#A5Syn(<9VrqIIfnYrdSIq zizZ|Q@xLTc*E?+{H@)oVZ#v#@ACgq2v6nh0B(lkN{E^@6 zj{1>?=st+zgfjUW)(;xPA4iEG+aqc=O9IQ9PfyNrR)mcmTxa&sF7@NnmNQDv2Q?~x zHB7#MLgmB`_+MtS zJFnyPmX$P|vU8Ko$ltn1m0a1bCLtB_n|!vFsano^Gjf9jK|jc2fSIEe9C4`sy+ zLQut~H~8M~!Qu!mQYJ1zIEjd%Bs6?Wj=dxiV;t zr)L&J*wuoCgw?%4WcD%K)!Y3uX{5Ku&g5fst%}SA$~el^%qS{Yi`@vhE3y2pQmi+M z4+d~t(+P;0c>Y%Q29I!K<>z+8C#MJjlh0$$T7Tej*D?}YP*X{58*{$&tnW9o;mnV@ zuYb1fe1T2gvV*6Q^9Z5B(ik&{yrL9!28?aVx2(Qv3Ohu;-^4B|+@sP8PwswClm17{ zk^K?C4Z;48_iyTitZ`Bz(UlPio2icV-mAcxPxus-_$XqTK4|qggq2YPo7Uzy9B-$6 zi6Mx|?@m0ugH+u|*59Ig#f5s8m_N0ZypbnIXf9u{o>iAkpDip4nJlB8bE3*Wd_?^cPYHZFBrUO@kgfqO9FSm;IP^Y?gm<4CUtUU&N++gVrY|&8zeMM zk$;_NU7oAXsu-B%=zZ>Jt>H8J{jls#9~`89d7_A9o6m5UH^D@Z`n*B{{JAqQ0@%~in2R+VH1UhR5JPUZ; zTnTBBwKa9?JschPn+T%5x) zHbGgHTS9{$CmO>$p~0YW{E;#Mi^gzxYyh+8XG2@(=3t;-)hl@nQ%b7^N(==PfokED zr8qeC7JHkH#!G3k^3B#CA2e|Arnx+B68mA520we91>tsQ7xx752m2eJuMRl>=++){ ze9&DRLJDQF6qtQXu!85vyXg4No1y-qTOYHS4wE9jZ^Zr^Wt{p^4f70AoKQSVZnOR4 zHcy^%{AT;NHq3QjOvUwCA0b8luYygGN+c?Kus5DZg#6F^(9Os)f#00=XlD|pw57^N zmUa9tdzjL)@w|57PwY7y9jcu6>>LE`0(wu7Lg0_zhvP@4Z}xizic2rLQJutPm|{{J z5iMQ3TPA{$kX8!t>$~Cnrz_3&O1*Yx@qHJbL|gJ?z0?UENxrnWLjWnga@PK6Rt)Z@ z4_na*a)z;JROVPM*0-|xE$*fzL;F_dqs830zTdUjHD#9G5Q zjSTmgZa+u8ST8<8$PoK3$0!DDVBM~oIeg`_?%*R0vBX$mXL}W(&r`-BHwfa!l?Bn7 z2F83N$;HjoL+~I+4w6x6W2kG|Mt)V&s2Doa!5ZevXuo%MMy5SNJoQCS61%sXpKIw1 z9Q(xz+8Vyuo`YL<5F&Jnil}ku^}*PI2s=h!4LYwB2KSkY>V2)0p8oR9rVWEmBowZW z-Lm#Llm2YG?JR#*YUX0gh4{_k%WJ?#UAiq2DyZS(3%Jq%6-^0b5fHMbS7ET;M;Nr)FR7mwP7%wOYaYskzfJ1D1CyGuH;5z)A(_c>qs9X_awTGwX#CT2T3$0x+8;&hc$ z;B?^;ZMCpO!ux@vihm&KBNN?M5mAXd&?MLqIatI4*4Um<@<~%mv;J6SUWIiv$~L|m2R)`Iay8Ne5hDiw$x}; zvQvWSk?$M~*g>>RfQV1IA>LaE=MVkFw^>7eHCuk%ueT3*ruwqfwlB}aDv(mr5WFub zz&D9-^TGu>Ugqh|;8|X-_)t95pw+&K)$OP%*h`k+7*gWqC00C^#ASvVto@-aY3b7a zh!8ZjNd;+%eNFU__;U&`*0Swe5_uqgMtPwOivkqE0J3P4YqdD@|7BwyHFXlVJ3rmC>0pHqG?f3wvIKDy*YyYuyV_ zM=(6-M?kQ4#NESAog{tEvK;%tq<35A&!MK;?8%tL14?HWG-`h7^IUI-pnWxj7pNl~ zBhB+BgNqF4eF2(Sf6U?wADBElNR!h(qwm0aM~W&fwOG^u4t=eWiR+pY&Qz%Pilo6t zzNfC&AZ(|w&3y%1{KmzSZ??H2ep00npG$H}TzJ!cKuv|}y|DN>Y@Gpm2lu;u;d{%9 z)j@FoQ{tAhH=1|7;^0+bwWJejcZYvF@~l7j%|}=AgkE;iG+J!+^je9BpC!Ld=oUF8 zRoX^Ve~{y?oq<*Ex~;evLlhwkev^>IG}ls<$;jP{?3``7PBwmtpA)gxgg5L9*31ts z%eYPAp>HHfT^P!gc8!` za>wC&P8+_UIHjZ`%j_U~k8}ae*(~>{9aRzH5dJ6hHp<9 zd$r3BU>a4fRe)l2-9UB&nRKh!-LUeVJ#CxlfB25buFC9?oJ3DUqC$QPutl z+!*b%PA|MNwu(CFV&}EKcIBIcGOt}K^m_>A*^OWg4GlW-;6aaDNRzMk1Y9YzB2IDm zu5e6VHLhz;dN?RVp~<5V;F$}^X|BC15pL_AeBszI{$4X5(>)E6ZCOPOPAj^oJi$V@ zB$^-j6dIR(5ctx;l1Yr0a*Ud37cU~^A2-C-9*Cu$p8QtpbI@;^Pw&SK+HZxXfxP8HBT|6T~2;Y4z>r21n81e^=8^!&kKA zz6Iw0Y%yo$9J`dCty) zQA5un-)!aCw#5A`L@nI~4|Tu^dzj@XpGp~hRAe3h-%hkX97rRiZca;*jx${iy^F

#P6vJJCVK0baIcQVmUpi)!$=eM%k5Go`7@>?VMHiZ9efBK)F%+DqRv0FPkJBPg; zGsvc=e7E8LpM(F+G+n$yhnTduXWgIGMJ90Q8ywV>IhoCNzSjFo>7>bI5Q6rh&UR%m zKQ;48F?^j(_aIu{V6OVRe+?TN@?3ATrOOvzWGvSZ=!nLkV6d^V)dB)Uc7L1CCJ?`= zcRS90yNtm9(&(Ei-0^oum{gRQOn;HJ)p!T?$208jdJXRYuA075rf@kKV7#+wY2mN8 zU2srPRV_O{wli5hj=nbdThY5np{CNPX=ydX-@X5;Q4;e73^r%CnkrlxHl0F8fE$0_ z-`&M{Ezpt#|1Xxn|NIqVzY&5Ep;OY5lE~f$>ZgaZ$@isvZ)rm0gOJ5W@|Vs)B ze5Ty|U6(Wy#_x(~I(3YZEQZfXYv5D)7ZaEpf)~5R?P?4F_{s|4s2N=N+wHJ}4=|iO zJ4pQlGXHM-Qvghov6y_y|D9a%zsg?$v`Oaqs80cZakfcC1JSAuRW|&W_=w_$%2kn= z3pJ}Kn1BA)aZsQvSvKVW1u_91=M~!d7xk5mtR#`ne+4NvE@Urw%ldWg64`XBD{gmx z-xaEG?h6$_M|4sA-{6V=)r2r8l2TG6b(i?ZT;Hqt`L!Jley3d73Z@h<9xN1YSO#Yn?VzPd;_|JQH@QkLtg}BG?o#CNffm!cCyOd3$?*`TW_S zqKE6pzl#4)J@P{RXDE}*&g7G$8)W}IP5_Oo-&YqolkiTvR%>SUFZRGiQH=BLP9`|} zw=n6vzcjPp%YO{EyZeUL%Kxr!QCYz2`qBn@u=6kbq}YQvaP0DmrJm+rwNjHuSu@FL zeVzb?o3@+W0niaM`J7F?D>CQ5Wm6^rAYsS$8=QY~?RMKr^@OGKkI{#Qhsm!~FQo{1 z?DBcny+UVZXGb*~>RDpMexQSeeLecFlBH3~)^D~*v&x$Ms zDmenvCFw>4*JS9J1_2MdbJfP8{}2U2PNiLwlas~&f!)EO5TGwN{!{bE;+sI)HIRrh zFdg{zLL030{X+o~OS9Nx>55JpZAm95!t366mMq}Mr}}MAd+q*ZSDJU#DYW=xwhT?{ zt6Dc>W&|S?bwrmk@0!%x>yu;h^V!cM7683f6dU%0h$kA*R$*~`g@IQiOX@$z?F}F# zzq#&D{DgCnmW3Y0gtU6=;#;dS6cjjXyZUO{AJbozxxsIpXFetJa;*tKa2CEwMxwgS z>sqOsnie8MA*=v6!3;JjAZdtG7@!b}BQJLaLnFQ^JfT7X+@5^hI?HJQ1v^RVulj=o zInK+{(sB$2CYAAHDXy{K^oX%45D8>K5L_P)2nR_6g@Dp14!oUpJSA*zZ&QV==n&C+ z9E`HIokOhwBpPYF`mit=@l5W}s#xFYuj-WLtYZ1>u6s%ZB7V*0Ku)1lB(Vn=_{WiI zOB4B_ZeJly?k{&orME&ao=;oPSUkJ~_VfJ{#C!V?Wsdu>RExVq;q}FMZ0F-ph0et? z*-S!|R+H8Z0CT$A2z^-;7gm?#r7MsCu6DIIPHhOFg8>ATV!hj;MoeNNt_|7@s4$Pi z;+@INU~z2!9hlwhA24bWz`lz7hw%x#1ipWPK3N1f3-k|UnsVCgbn$rX5|=@xX#4rf zSv=FDter{#iw~29c)8JaQh0&kY{juN^%950Ku#y$>;f`APS;D0=25d0L5u-)`~)DR zzVC|zE{snQzSYqkdjZhA*CUM8Q>>lO5VrFdH3~#ap3gnTC2_P zp=2(PW1XH>pgIMKU53bEn2C$Ctz&`aLJ4rT6lPTNL~=luP=`t{k2kv_31ofJzT*1* z{&TSQbwIGY7zbhp`@=%U^^(Qy%CuU5i&|XwevY{$ z$-u4dc>Gkpp$PM$4pS)BwJr)Aqc|b7Wde^&HV5%T>+JxMpF+0SC4joag^+1oF$#x_ z2TF}|UjfpkKSpH@k@z$hV)cV~`)D*R_FP1QsnD|Et=c zBJ75e$W0xf+=Xc5(QyXZ6vNVx;#RZyUBe!Fg^T+oKo{HnJyhZ+(YO(?7XWUCHIoCG zLG<}N6x@wh$J5pfAb8<)2eD8emw6*t5g6e5Gn%f;6ngB9z92V_7cNb^$)2Rp)LXuF)SJ_ zR<0ht-b9Y5AUTu<4+{+^6OT{K8f$53$t9sNFSI@Os zZ6B1nJjUVzy7hAXHz7nx2Omav~Kwlh19U=o*pcv6(Go!0l0Dj(7zgn`Jq1tvF(Xo^kH$}fRwscuQo%` z^!yDe4ihQR;UFuxYm7MFjuxt$H1fwIGg(Oj?oC3HAZ#hwwAh*=orE+b_-|jMkAS31 zoq6+6I24MpoCQPAoNF|uAfPW-B=tLo1o#;mF_{3Qi_H<;(hL%Li!Y4UVa&AHefB;k zh!~RcSaKyK2_@z|!dOkN<6=#L&Id6YXbEF6{YI>+f{d%o&|~NE2az&yXjjv1gyDF+Mv)W^<2=cr+i!Qw}YKZ>|{ zySYfsgqaus5D{kvG#LVn$*Pz!dE9C#QN4DR~=|U^WC+ah-z@#9jgf-&S$UwNMe1Eov@@skG23R>ziI9Fya7 zA%z$*XN({=6noTVPV2yKSrBprH`YCL#cWN^yEJ)pmi(6piY9*R*}cjt`CESAy~_j< zBh6Zm?;&9|SnABD%@(HOfDlJ4aKGGO8y+orZ7XzB8>OfC6PVLL5)(G!U1&P_ zlL!^oo`+P1PG7IvG&)UyQ0&rJtZxLrB+=aaKUyW1;SgN4I#d!+i1s)*+5l zsoYpe-&)pmA*h%J?B17B$|b_mF4JCi9M_IY1%YNvd%_-yrisXil!$Q>ZRac4r=qSuSQQ3^=S88`kVW5>5E`qxIH+!@ka0raU_oc^_w3 zKMMkqxg?u0Ko`M6{vIQ{rT=> zW8KOL#UzAK+{WzEx%KRQ<0QMaC0XzuxkpC84^@-Xq-$?aZOa%(kw7Cz@2NHHtK3CVkTrJf`b89fZOfq z;0ZvIx0gy_lJ~*>kdR7Y)*E0U@@s*I-zojyAzv_Fdg6QH*Cu|f|K3W?YdO2K-srTX z@%II{cS_J9%v$b5^?iY~()o{f%2cUD1Ag^GPenZ22Hpw#ZLD-1gnM~;`7B+K<) zBT~VlXrUZi>LwQ;_ZJ}?;tTIut7p15OdeOyEha*{I9_N@8+6sU51Kt*2$!VgTS?2U z@9O?-eu0^UEhH^U&1_^S8knGG2ZxJ5Exgxn8XZh=^@7Uh5Y+h2G7-GEH3p4j3Wfwh zgka-5g#x_AOEy`hOgyf0mvf0YVTMyeWx_GFF%rHMR9QJSc2Ex&Dl3kK=`;jZh>m>e z@$RAbFa-#Yk`Erz)slv|&8j}xD$iegopYIR`P2qkX>eT!X z3&b#XydyV0Cup+>W*R4t*-Cxh7Bp#$M!Dclom%tgd;BgG$|={ZP^y9*t32!$6Y)4{ zHarfqLWFVH4rSOBc0ou#Hlsycm=!hawYUhBtg#=e@Dtc%#89)AM1G4`Z2L7S0XM%s zT5Ld2Re{ctO`IVJ|CHqg=;5(gs{yM-7%IdyH68o8zQwO>>`tE`Pi(H+o+*N0iPm{( zkmb%%wuFlew}j2qVMF9o46Q-i+fmZE+0gm%A?lIdk^ZWM(Xs7T))14{HLnW@S39ZQ69m(Lc4nuL=b7TVJKw&v@k6 zw)ty>TEefN^&R$Sld~$F24rydp}k*F^?&XY=U4FMg-TZXRIprz6%NR>vws>WYFNoP z8$6LG4|pab{t5K%)y=d-{ngJ1vGpC)>hR;PZ_*Ga8_M_UI8k)2+BjcrGYaPQw;pAi zTg>uSLUH6>gKx*Y#$u>)2DJX2^OsMBzPQhAT_C0j|E^$a+V@}cTeW3`;{}5H894n> z&3|7`h7BZvhD*qv{a+38KhzPmn1A%R7?7>{ziyh35GDc4sMQV*g#RM$C}03;odSj( zv%+6=1vTKNIPZwt%l@ME&{F_er}QC}(tjxp`a9sJ5(Pzn%Q&TzhKcd}>N8uaT%yy4 zQ}XXScLhX=8H5~3;+jkW(?SEvPx*fnGQ{lA>CT5_l!=6cra^yuF2aAFi_n?*FM0_i z8lW&;LCA#uMb@CR|0hM)zOO;(FEQ~#C9$i;B^d9%AMp%c|I@K1+{t`%Cu)!Q=QrYJiCsd|4T6@Mi9C_554}?##;3K7@)o$hU4bNGE~xNzyN8)&(D6wOPyDzD<4W+ zER3CVlAqJIlyGB@q+>gZ0G?AH1>?9R2Aw<1$QN-%`3k9(^h#Vf`5xQxz%Ysa(-h?@5h}+WHg6w>5y%H#|JtT`)GJO8oL+0?jhu za+(hk2AJ$A^pg4n0f0k;pQn$uhojYP;b>Vrj)kkM1_Jk+nK*t6$SpA}E!U<5KC>v= z;45J8WI3JVxyE8);CAuAwU;qn56lRy>M`420RVZu&FnypMa8zej_zG*P3jziMM9V0 zSpu_Ggy@g4yk-~%Huq(0pW7CzifqQ>67}AQ_ye$6rY68g{3gFcGv8h-l)-z(_)T-R zC^OBPyU~6{VP`P0$aO-bNosU@3>rbq^lqe_b@pz9wJ7lQB^~vv4@86AlE!)U$LbEL z$88`r$KsE<-Vc{>gN5>si7KbF>5sXqiI{Jb>$*Ym&RizVPPBaDA+}`Au%0NV1gnTR zWX-+^EWw-TOyn?;VVmee!&B{&Yo|>A1CWt>o|plh0m_9-Q2Yn z!q8Z0RdbVW|8(2Hxbp=(!+Zt=vTugvRREW2!LIhHzqdXh^ry#BMIZpmp|Q~@OLpC# zlpoa|x6c{~;5Fj#|0Jqb3)=F_;0>%|j@OmTr200N$v^nq@KmYQ8nN0Ms9J5iT%0lY z?WCRQz%Cw-Ux`9Cfyq!H(7s9ZEh#7vW3j=vtU|v@`}TN^@^H2!y(c_YuHpMHYJ+B{ zM|8r#m9LG}(|2U2(-hJ%3WpjcH+4OF5o>{`X(6!hJ|QhPUzpiv%~u(*0%wvX967xa zw74A>8npQ7uDva3>D>(q`rgJpw>{H#*OBYhTYn#uc5lVtv{cHW7WmxEnn)r{p_(g_ zO7SN<28W&o_QOM5{?*IuYIr!`Uf!38tI8p87@N3-87;I798)r_6OSf*!2eN5ty}d2G`mM)7)n9 zd50hqut}K?CfKKUmU#;ZqAr9BLAmaat51eVTmoA!!Hx{K2Y!Yb*@D_9!$Ta-VQg|c zyNwswj7?|#4QzYzb5>A?dkkpl=|1j9D{E1~nj9q5#aKa?!Rr0k^cq78hOLU9N|1q3 zv+6DBBCY4yTI!c~5C$bv^xd~4!afRfU)6VyGdLfEBjAyLkGEpHSSSX}zvT)0(!Ave z(EDmx)hVxNb9i5VxDku5Zqn^s|Gp!M!)#!Bhu*^;cyIEPN;OT%@r~+`*7VY0x;De- z+#799v&cvJ+r2b(4v8^d^z%=B+;92|4TW#Lak`HM{O-%<>6FhkdxblECeKge*el}A zVoZ_Wp;`54twh6Nlqj zO|_mIB=}!*Z6qU+XLmy-7J(h^=yhwqTpw|YG2*E`_H<|}R9d)d-$r3jE-%BTc&tD3 zyGYT8dAsa$mtR-cy-eG9ew4AL;r);WMP29LT3t~N`|i*e)5$jKI>06 zi(RYF$#)`6h3;$o+23*7Q#In0?MO4?(Ovvh@}H%u>jGY`CQTmvXB{=94eyd@tR{1Q zg_@Npq|KK_bawz7E(|$-&lS|1dc8MGLB|5%$&Sg#ewqCf;Pr5s3heHt>#*9)!l=!(pr9Y%j@D>5 ztwA9b^>wyrmPpvg?Z)p})u_Yk8$6>L{8-%__VY+8BG(eL#&-=9M9opyz@39lZ- z*#hngaHxM+0sa2R_35vVxuStp@T{*dcTwx@#ika25{45ysnDljB#J}etdl9EYiC`i zGsaUn)BP@_rEO+QOZ+Z}X&a}-gyzy%^eNy`kJArECIx&OiDtxvo1JGTGX(X|r$QvG ze&1i1T`EtWayXt!ypXXUv2Ul*s*=c;R8T>~-KGPA=5XQ&Rm`-Cjwpa=rMFN>=N@i< z5z(S7WGgsb>HJ7S|1s!z$yLt%m%I!-6x3Z1wIc3tuCTA06@S4er73H%BHqh`Y08_; zjIxQ{AfGPLwCq3GvG183c&>PZ5J6m*GrNjF%So0*z^+kxQ2F zO-vqgWeI`9;zyQ9Dw;NJCUf{`O>*oL+MAAlI4HcMH)c?c^^0F@ThN zTi^CpgIk_^spRzAY?-Pp?8(#N?1!?tBp;TxCS-g#55e!E6BF?B@Utvr!q{s-dp&|A zuQy9_)DlD&@q;-m7MMs7>Y6shuY8hZfBl_e?lCwAuWr1#n~))I`y$Oh&cBIE!g#dK6qD|NXV=4*@2uf*Pf){76WnRis(wxc=*uKeLysR1~^+K5~&Lx9y%m4)#k;cW8uy(e8=c zX<^8~k-pRrW(nIAe1rxjTY+Q>rT=#iFNgEQn)Xc>?kI8v>6E3qji zZ~hpu=$B?QtFnX{KzT)UAwk+7S?oe4lS{${%O(}w7Yl;xpS1i3#8$R?Bi%`>oC$re$9SkEIg(!WVd1a^zGPEINu}GG;dkD?^sFB&{p&XSM zmc_=Y6`#v1pM|#3Y_4o0NaWFEtx;JpN48il`DO^cQ4=Z`LV#{K)fQF8PQ57`5e{PN zLR|PVcH@at>&~dnYm3R&(2A`Yq&2}N78H>m;$m|V+eK|2^?mf4X2~=(Zon|~Q@$CS zp0EM@HEFR70~S5wGQRuk#AI*v;AQ}o)6M|Onn-Wu8Ur4Bmw?V}_OOjbe?+lduEg6m z(y1YyTrkD9K7WbKwey+zhml}TXCad10ISox3{H!A`=50}Y+r#UN=vPrS^tO+>p39- zi)2F$?J(n1FyPwF3Wdu}r%4%+SX(#W%gyF}`J2SbhMCf%_O!Y>l|Zh~z^)!`b2o*L zRmCX8Up3rn$_r_+d!XG|ma9Yi?;0$=;qezs`kKZUG zQzI0T=Kc|ng&zWQIZdG#2u|ybG2r~B%l;&fP;EhoD!-*WhFPQ0? zj!gmG+u<_i1J}AgO}co5+|D)v$wmVoGM|K72LX^AsckxFKYo@&z=hUNRT(^#2v>4$=wadr-G?Ksr!i+$mfMYD(JCjo z9nLaVCmx50OCWqn$mRC2u10C5He+)Zdkg+aTzhiR-BX*FcKD%gf9wl~#mJ|RDngW7 zkH>^R(lDO*PdoK>#TprWNHgtX%ol=o1z| zQ`C{4llg5AtyeGfA)H)&%F(Gpb@}@qTYj+XVE#EDH{LN}a6b<8m+`CyCm*yz)OPQu z0T#vP>qwLx3)Z0B5r&#g-8|lN7oXSX4DRT)OZ`+&FaUnF0(*K7YUX}0*{}~~bcWhp z`mF%s<{}|S#H321OD<|w7`Y*jf+#I!(i&N+r=O(;me(K0*woOCya`Musxqm+Ews!M zPpyxE`3;vF?5m%Q7ZD$nw6A!lQ44Yg{9YJR%l|xQ`-cl45s-DY**n~KzKRsnCKB!< zuWZeSt6V2jM&9%`eE7!ENGE$9tC~v@KBuvFMLF`tv4Se=OPf z7uJTWD2W5N{qd(3Wq!^lad9E9^ZbYM{pkYJuJ@RvZU^jn@FBxX6IWhmP&T7cNRToR z9oIEZ6WT0gQdPVWIKovr2Xh%WC~zNrGG^`_e`oQsmzDeT z)%~NZDd?fKbZ>jJd2fdg(;hWM97RbXa+C#I`W+$+6{OJf)RLzqeHSS8&@F?bivZ;e z7TAz9n9J$x0D@G-AaT5-DuDeRTGKW~c&xYL_OTZRrH}4Gu28@>v+!!{w7feuavCVC zQMM`fkspLT6OBbXbf9iFC$^@f+vwJEO4hZz-n2CkNx#s^U$=Ldk9t1WMMS+3V}?(B zcedaeG?r78Yk`C_`q)4SyG~wbIXSluJ6}Hm)@{;HSIy=t*ncoxKY50AEeX#wYqdDS z`DR=l%$;Erq0e9O9j`BBEQePgcJf{VzHy3CViQ*&T1~2nfd+jJsd+%)XH_p$+~Irm zLa&y_KYb*A-LWvxSin$C^KMJI9sU&Ftffb2LOM2}Ue{x~tf$N6-LLA)*sh)7Y$O9B z+}CC`k;(K87DhUMYg}ONLZ@42K8vB-O;+IIAJNrt(fEl|O+_frgj*=!xw$qV@O$c= zlS!|<5ch#3;sea4{TDf9QjU=fezOA@ZRavUkOJo8-UIQiq<#V!w^M86R;erQ(?ip| zS(pM6!Pv5Ht@$)juCRY8O|ehLawUlEBRranocjAUq`h%V<*ZTCthcF@`U^Iua+&u{ z^qPD$1ZEVMV!J;r-gAA>j>Zv=7(E}x!-&C~_T}$kOzA+}gh)>j4~07zU~TziKAof^ z3p3r~nI;Q^dlg(^u~Yko)iuN`qNc!>?A?(`sH4_GiZ4zqu?Yz3rmGd+X8djk`Hf#Q zxH_wz`h|mPZS&S&t{Vp7=GbR3+>gCX1u3K@hIy~HY9?4iYI`o9oO`5Znr$eF z?Z`cj`Ic{be_IJe?R7o?tI+YegQ5H)2__j^0{B|)5RbQq)t5159$T!4_ZdMyhD=4i zn&k+1o@Qe+YOkj8!V#c5JV)1p;_-N9CPM6?{B$TgmOR|*Aev0;#}m-JKMwYa5eo6L z7`Obk&x^%n{R5Jmm!z1Qa4GpfHkIH#0a~YJQtMA`Sa0_1p++{s1u(@^!6NT|H<5DH z?;SP+kgIyad(ip~;EbtnEi)7N_?DA8t)*8nc!hjIxw?W%A_U5!JdMdHZ+q1aty-uu z{*_fE8(X!a>BSA&9LwmMnXL!%<5>M?OE)am+rlS4hlAa}PJ$=cO}6>$4@0EiIb39L zSTqXC>IC^`b~+HxHLj??*vvF%R2bZpXYR2}d1J55XB8j=3;P=Fs?4R0MD-sbz4O&f zK<3Rq@0?zQF|?RZsH_sQebz;Cf1uBiw>~U=g8$+^H{@vX9QK35Y~XIB7FQQdNK7}Z zE0ae1#?9?WRIodXLr!dM!yBf)2LQR3Z_-3mtAZ^m6}LHU$BS)Zq7TG?(HU z#d7pNcKXu%pKkv|emI&pI<>%~?y%>yAD3>#ErRID~HJrSa- zBIu&egYK1mPI8*zz?}SG)ct+s2*W($T}`b-clVHpgqoxhal@%un#p(LmQN*dgo51_ zm%msIN-Llt=5wYG^2chZT2l-@k?eOt-iG2Xmc0c9XcVmCVv36U33qlGima+Y<)Vvu z`HYz@<*$oIJkZIoO(GVZfE5wN1w~!voK8M*xZGPira@tC_8y;Q8IQ3_TllH(Y3aINTg?ta&h>dzaJ*M8|HM&P$klegYcxThRLFm^ z0IHgsv5;@OQm1~r^aNBvz449CmT_cWZwA+9h)G!rFArHO{0M0_v%LNBI{#g3@MD_K zSYU{3?&x}-Rd$v8Bq$gq2p=NxuZ~U4N_ZIXB%YG+a^zGeKq#1_}rs+w993q z(e`#@Hv~{;Ky@$(UQ?UUSR#8?TWcS{gkf3OSFL1TXLGWR#kP=W>~htH3PxJ6;}_K1U|ZNbDR6I{x%byb7r&SXivnr-R}yZWQtO%g(xv z0{c3+A(ydPL;Ueqgf6IRNIIw{hqamgxcxN|_ez)jiIZCbev&)M*9FaLRPp9O&a!98 z%XcbIKQ)BTvwOO759I=e`1u*E=GzR2H!=riEq+^QO&FZ)GZ0TK(OFp<|K88D;Ci^^ zJ-`&}yV)KYE%eMY0(QVXQbE`C?~!_H0p}i|-W>7H{D3=GQTZLphh_NF1M_-(B3HP` zcs+rCwu(whZ^}uNTtRjB`x*47E`ONmkb!cU!N)4JxW%{+mIK}+LLxhnhmH9t8wsxy zrBRS1G|%0tD+JRBysr4~*&x%H>1=t_2k)fRRIr2*i#lr3Ht~RMQfIJQF(^pm%>}eP z5TFt^gIDrR3|~YeHU0q1f0NYiRp>E94(~2Q^S<-sWp0hLzG?_+2;MGK;tq{dS1nUri$YftnG>PiSoTn$C z6Y>b(C&fHZf>^$P{d7&l(y?bLwIU>+zzW!>CkuAeB53LhXp;K z1xE&MI&JUdgmy}ma+oN!&XExIDku)Z%f-=cmoUPcEk?B&lpa(CE*WnlZC%nQ4DE}$ zqCQ0?v_@xJt!<=mWWHdmKW`O9);di?y^t^vA&I9>o#qqw2PLU446zG|+}@Q339kq4 z(oIx#nq?+EZe)!5sR@3RGIjHdG*V-v9L0J@=%NsmZFj{y8|d}3JV3KfM_*g3_XNV@ zATLtWr{{A?>`i%79FhQ3W%mv43ANE(jrp)kSyGQsz@?HmciS&Z<2a)4_W~+d5fQ0u z{yPOvK>FSIjT86fZ+U)p(^x;g$E&yUmd!-MDcS|HX3Fjjezv1*&U7qBYO57?`Hixx zn$t-OOauiOC$z@_%%H|Pl{GzqwzeH24%G=HBLXLzDqyR6+Tonii{g0CpG6kbr)ENv z&yUCu@MD8c*^FKnx|La@e4D@US;DE}9D=*QL-PFh-cNR&Q}v$Dr)m|oikY=m_dPv5 z-FN@4tA~aX$o@JY2ONMXEbXn1|M%|)n}cl-j4=YKnV8bs?ALhx>(xmF159Z9ENp9Y zxO%&j{#Cr!g517-Ex!|C+`m8O51xUV6S#v8r~cQ^eG*(p%L&B19rh6YcZ5Ju?WO%; z)0F9Tr2bu3L9hUMAgJqXyC{FI=YN;4lLnO5T<)7a#lIp7L>HVNI1n(FAwmA{C=i1d z0_FX`tqAl<<28`z{(p*(XgKzQh3zVOt^3(euJ`@_D@MTjhRFJJkc1rDm#DA*xAn7Q zjEN~eUTvdGO}XA0Km(}qq)pRjs=uoh3loe)r1wSqBP}r9OP>E`?A5AoF17bH&~zAaksMh8+*@TFSa?8H=rd{m zt10DXfLtM*V021AAjGLs|8%e|*S~rdb zMQwB6RgwYli{CpB?co4gR`!2YWjz@ru{sQiXbGpcjK=~l?ORp|9F`og&cUc&sh46t z@x|OKje{lS?*{7+?kx|}JiF9jw|$mSh)N_T8Vt4-j_*jHrmZV1E^6v` zmEnwypWOdy5I~P}$^-hfsA;e(JI-reT+NAqCM(w8pC$(FKn6Mq zEX(Dvzb^)uKL|!Gi2oq{-x2I&0@oQ8GX8|zvA)IscX-y*{981LR?*q1O?QHa=auJ?`c9N9~f@ zO}`!V0yFH15RE2BD50vnO4a=&kR(WF z@NQcP%r1WKTcQ%C{MIHp>A+NY-U#`*rfnR1cBE(&p?U8{z@Pg@7&0LIVB!4N9b92W z%wnKvB3tV6&+pIFA2K+`0)GdhGph5#jFjpHW#O!)zuktk?-{kp<-O(*biX_}^2@u` zK2n^Th%H8XrK&v1<}p!Hv1?`5<%r)OC3Z$_1ln?z((B?*96uDP3v6h%=BPaWrEK1q^?RwD~_`O9Rp;wqwpVxw)G!$910 z@x`S_QY;HsW}r3YqA%keiXqZjZRP5cnv~Lsl}AHs{HH_cd;?bD%ml1<(c$u=|892y z$bulip229OrI-K*ingAEd`y~_O!?i^<{9cHerGKDNU)0{ z`8g|%q>dZWj!3GuU&3x8@wtc{B}TTFTD7(^9I-;q)xK3o4qi$RDTpU>T&Co3_)4m!G?hxh+HX`?r*x)xQP{U+Na8mWprpe{R- zspM4j&TY_6U3F|*+3EIqxh%1UgH+-sidRuuCor~+-oizTCZ%s!W%5xx#VZczaRrM= z>@Q{sBG75#gO!86Qi2P}t(pqKage)zd2RQ|lQ5l*klWT*s3seVpn^XskZF|U@|1ky ztUXjaqf$vS1v|5d(3i?0jSr%w_f=>6lid8!7&EOqTfZSr1W;^^;DaXLyA{R}K$icaq3QvyS;hrp9#C?3Vo1T?cfmT6oV`l_T zs|QHxe=6iol@t09SZO`qs0RuEi>gwuZIbGn*-7?!&oEBcO|ZA-Igl?L1m@LSvkVx; z4F21(0&fRmqg1H(i78`Th?yh9+#uWC&$|0W3|mSYdLA0dIOF~Gq1R0YUW#uVSCj&T zzKEZB!noj$l^a(e-u;|G(`>9MrC(hULH#aE=5i66TuE0J|2*R+J@m6Cf74R@nn!lO{`GmO+B5!#4W%6F?Lgr5$~?;} zZl&!y@kKldSjdry`NfrI(A6E!A)~hRRvwd(*PVE-Qa=G;Zlr^uQFs@`3K!aaTFP`A z#JSxLNQr#VWv)-wsDS#$?~G`OnP%$|) zN8oEh?3_!SB?N}XP=65Y2)MuL9l~n0XU-uu*;81ph)~>TIUyCe9YrI=*v5R#+ znRu^Ou0tk;O68Dn|Fk3Y21=$ft4$@0cJU$UxoT@|cNa+vwp#ObI8TGcVKO*9;P`94 zBcA2!Q_)kt43a>Y3!UxlenYYx6NvN(` zbHJGQCbtK2Xi$|dU+f}zl2Vtuyb8caWuH}Hb?4J)r<>xj#`Gma;c@ch%9}04$F!Rq zHba}6Vr9nk)~F$Fnf521@cKj!Un~Tc~87y85_$d@5rMG+3SR2GV!h zCQniwewjz)3w1fL+Uj!Ld8~n0=vjvX3#jjrtd=Ka(ydFoLtzSq7YaY6c|aB4*$*CE z%4M~AlLw_>DaD~}4sj;EO`ExIc#*#&S1&11Vv#^#wVM^Fn%5<-yx0$l|jiGr};}NudnZ%t>0s@`nq<&P(g=ewTj*x7%cAU$55-p z6@5oj%0GisP+1UIti&2%_vd{wE?NtP(W-L$jqc|~Gv>l=DhLFg9!s@iC6k2M=MWhz z9r!{Y0o8bNDbgf5)rmv-EMA%mtlUCm*&s6#3qO}$AKosd1f$D1dY znRf4Xka)5^CC@fMxvkdVJ`f8Kb{=i~W}_MBs$ns-c9kfL3r?nkl^qqIk~%6TmIylD z+AYv`ytFFgbClI=l#t+WvUR zNp82=s-*1FUsJqkSo_=`=l5ZDn5(`=FwSD3qzN9MStAllor%kb3P3a!2oB~veOeH0 zwiEKCX2KsNz;1*!uxpCt9H~qgWHSd{cCB_R2&x^oE43UX9JG8Y*Q!fX8^>hQ%p0;@ zssFH#`qbcAti3Z=+iDK`eb(F1=TNH(*PahFn|w$SPi3r1W{_qE>f^q*^O z7sOZ0#hf+qJL-#?gSlDkJBic3z(mQ^6zI(^HrTCMZkI(Hg>akZS$}pkow$CGnv`!{ z;Zd-6I5E)I*u6(_1(=gWEr79*rHCa`KSS0!YOT>y_ z_Aw4QyGyRfLyY5Xc25cai8Aa79gS9Pk>wk1E|U+5*;jb87Wq@h{)m1VD{BB(I+xt* zGl;5RWIzJi1K@FRi*bH4Pk|4WvY)HZ#XyE%O2BVaRI8}=UgJyGaNz?eA!ue&H;;3_eE`Ho2rhPz>M6kQtsaLFO7X|5xY>Cm z(Fu|Id2pTY_?b~R{Fqj{oZ6|s2tie$SC*lPD^9x9OjDNrV9U@u<5(;CZ7T|Y<-@>n zmgDh`kQ9#oNP{D3;m2cg-PHIa5XGXyJmQnnD;>M9Cqg%FE%ub(^|60V^iK&tn!d}P18Yq5xs17TW$5p zFZ1KdlTEI4_Pj_s{mO27*5kKXdgzY?J{QUuqep-H{&k4i73{A#h@Zq>>S#K7dqZO+;J1QfvzS*rtKj$W#JPX&Vz#tQ82$Ja*pNF1-9^>nWTk@%;8Q=135-<^ zq3bm%82KXWj5E?<39W_KT!=`Vm&zTP9Jg`}*0H76S9C5f)M^^v9iDU~qG|}fWU2PC zRlBZe9YsQvMx!`us8gGuZ3puzZ0j{!7a!LG{eosBIt?X{+fm~6AP2(kk?eTfuTxbo zn~^erl2_Ym&*p#c)|q=NR8Y)irCy;o0sG--(WUkaxXIc5$3xEti|xpeQHsQU%bAi= zLcrV=Ld4Wc=>z zbnu8uJmGLSeaoV8`ILa9LB-;yWut%~Xf#X(||)V~@f z#@mH*gBn|i^xB7@u27Tby$^glK|*RCHZWG(uJ*D<)s4QRKAqj~7TQsBs~;04z(>Hr zlDl33jecfpKs-J(`TE1NeQ_k6a~k@Ll}52TF*9njl1}Y#G>gW#)%~ol z+fjrDP2s0E>eT*AftNfWF_mwnSUK-|%aUnihv%cQ;qI&5U=s&8XACr+{8%buQjo;; zSr9BJ8s#kuP|(QL0RU!cw^g+=jf!#-?L-O~0^Z^5AXONpMg_wst9D%`OKP5Er}K0#b)+HqL~l zYL(L+byhRUL+XrlAx3elkch}Se#83d#q<(uA8`ujHsD%ieF8YZ)V@?EMtz{j&k*7+ zF;V{s^QMMr8OEWU_+205Aa0-)m`vQ)PF(NPbzK=si!0m(`>s=w0D^1DAm^9a3jCYh}eV z>vHgzq(%)z=O(l^tj=-QbRQxdZUqvM|7)?XH0^y4UO|JNxrrS)*yxW_Ia#G)83rNk8q}=p;7y803TsakV#X1>w*S+TBEVXXB zm(Ki%(jyV)&Z2DIJ6cMd<tL-qYeD159Q`tH(Laatrb3a{nbHQhV91 z+v&Pcxq^o7<~pWEg^tJ3L4>1vxt6ZQGF@F@z1s<4dDSQ(pSa~rMea&riAn|S;cVs1 zMS9uAempIw;@6B^jk{F{yT)8}Er|e#U(IP_(@G;xY=bzHIU+?E>=^5BU~vHYb^OSN(+-{76tZoJ|V*n{935V^H-Wx z&XX*rmpODV05LQf0wp3ns! ze@v0r#Nax}WgPl|Br(8huHv(*Ye!>&0_lX%YA(H)Lea)xi%OIIXcmV$5*YD(Uv<8~ zP(aXwY8nCUi0KGnveK{>EY>Jslar!P?V$h*_@LyAo75k0PZS%Q`N-mL^5lbK2hcGl zYL<4!gFC=48ol4N1%@5etZvu5T*Y8f#Pg$bD=mZZVlpnBSdH`Ts*LW)8sEj?iMH8! zroUFKG*d$~Wb~OhxQ+3ut0|Keb=ZfzRgy$7uwH6^Z@bpMU5~*0@a`cb1a1y6pYzwQ zf6P50nw|rC_@x87vU+jmcgg_B=kiiEb;0n_s$$_dU0>stBx@PTzKtEWedwW!6Y556 z@pL1xdKWHYedy9&|M9Am83yZZ>z3qM2>)aO*%Y}$89XYT7O4rSa`IhJ&-M+Oa-P;P zC}B#T?XzOFxw_lk!=u*S;Ug|gWtl4lYeO6h*IHLB-)cejPX#I|xN4 z7B}!rp6GBgg*RYw#N0$Wo9pfGEV@6mSmVF3{eHi<@)$9vM_^`U1fK0L>S@NswiK;& z`ZHv1?;gNq>K+UL`B;)t+;9Oqc0r@w=nfLsj@5a?^V^~|1#Z^^;?y_j@5NYxwo8SA zLb(Sn+_rmKIZMG{;E4Ds?cbo9-Luy)Xeas&#G7cL1STP2ib~$t@;QI!(-y8;m&p83^$QUT?pA3(&)enJjyZrYDWN!49DZ~HcoT8 zqpH0LEun+zMnoJ#@}2O6Sm_x_c4uaoi>O;;+@D9UuU67@?k3Nn33tb z@8S6Rh?&~uq*B*vkvibz!@3=Qi^teEg!(ggpUpp_bc-d6hftc&4frwHC6~X9CL)CO z!R@4W*`USKSilr#+NCmNGh?dDEe#@Rc5-w=1zK&6zxA?N=lrt-qCjQfVkN5ik%ED^ z-2AyDN62G;y6Njqv>-9EGbxK7%ms590Uxz>m9$`Y$OUbvi!H{EU>7O7%OLy8f*5xr z%+JjT1F-gE*^a14C^*IaY6_FgYIH%N9#>}tAF|O=q_2D7%V8*I!=DAF7K9cA4Ps?! z$6XQ0PMu2r8z!xIu1&sqGZ7&$k8+(|^wAhu~4szkd}gnj~@bWZ;3B z3fhm_NA;YcsC-F+4F~PYU>QbZ3k0Dma!(a7Ez^KjIN!|@IO0B{Y`emmh054nZgL`z z^n5|$zVmSO%2b}E*L0p#DOQ3L?!fy-2sJCtU^uK+xi&A&#d+awplh+zUY7+G{Ao|^ zEI5Fp%`O>b9-H5OP_%6!VITlg#X(C0isX-BQkw&O7os%fpfrtZ^>$17NC90ijUT#y zdfcq)c4bH_>z@sRH@?Nad(wR{hD1T7ko&@r6N)$4wLL|<4&!k@Y*ht2Lv|(MQMU)uNeGd#);cjdAv)@!KxL zc>VGZRPnRhNOO3TMh>nrZmAFY;z{*fBT53J1>X{86zBGu!7T6Kn zyR_OL+SN$CJo|JF3EKsFw|YP67>op&9M{N8?;|C48%t}l!Q$@B-pvY|yD7N&5ia+B zFsf8(e4D&idhELG`sXR0Bh*=vp@~uLuQu7rPA0(IS@gn<@eAx+_9H5gKTv7O5h})I zvCbRO@)tx`fK7XARTjiTu10_>s>WMRy33%5azF0T)k@Rf>fw|qqa(yuNC_a5o-2Up z!NmZ)^#V>vgf}UFD7jx8qYCsm=qxFUf_wfG_@HIrsQwkMYAqd+uoDlO{1{Sl5tlTI z#Z-NgCz3E!d9biy4}K%dTFi{**B(8o5yNg?BFVUJF`(s&rXO9u!uU z53|TF9Ndi%Y%-rN`o{QX^5$@9ZI(;E06U3MRZBauLa(i)Jai9UUg?r(_v3#`?bsmaMYT)p-pt0Zi*hPyGVA#`pyR%pkHVAUDUGf zIH(JT+WZ}snbSBgAp5?9xMV#Z^Yyv65cAj@?^;ZnnN|mf6%tI7XEQ|=brV&Q7?xpE zbJFNAlj4wene$Lz^MujY}Un|!*i)vqEK@Jf@e`zH;r;wySzb*Hqsa6`drG_Kq zhe_~8ZZ^uU|MXc~Yp}VaPr9ir(?w6jilBDeLbv_tG_Z`HU0Oo>`y*2}xzTOWxrf$6 z7e-#+!=Rkr3JnAsdo{t>7Mp{JjnD@PYIEqX9o}n#pKEhtv~0=kRhPZ)%`l``W5}aY z#2}nJ7({$&NV6$vXt|Wsl8aD`2UppK>Ow|vb0t-(~iwwC)-ydJW~E%GKMYz*P$^JSA>(K7?Fof`-Xg}hPLx@eML?IHnMblbG8Ww zP(3AkIPDzve^kIE-YauHS{&KY3qynl6By1Gke2}aj!#LAzSsCgM5R(lcja4GIPXp# z&cxTIo!I-jX9+0GV^io^5TUy?4x0jr9>b6TtGF4XLbNs@;d@8Y*@whtdSHJK3^}Hq zBAE3LTUd-C;%=e^K?4Fqa}X)t!6Yh!f9mwgN6uQIHS8&#*monFslSSOS+jw@7)6C{ zP;5kER3`ADMpt+)DMr4{Aax3HTqLtrF)vxn(0H>$Uji<(21U1hxqW`zaEC`aY>4oMa-d&) zA+EX}Rk}FNq0TKs1|PxZw+_~=!fWd~4|&SnBQ_#VUD&hiqZ^aT6ZEjTP=&JMh76}?Zl^DI_}xSU{YE@~;N#8&7QM5>@$OuV*4 zE|A(RsHaEy02u@cor1(^qVaLVH_FN)>H4TWzIclA@XoWUOhoA7(wCVxF1z$0*OT9* zH=}aL^|=u83u6{WlfBkfjm|9TttXdDH*Y+!!nxqPY~}xh+9C!=h%3Fl=`*j_nL^1f zp@EsIlWf#W#X;|^agEFQ7o4>Vjt8=gmq3C{h!fKuo^e}&=AxlG(Kcc{R8CLU?a6nm zhx3EgVQvjJT-QO^L%2IR8#>hm)OOV>m2cjWv%TePc5${LE0wA;FtGxyCzPln!#9XIEEuu8&fT$#pEmL09{NsIP*^z^%{D>LoLaUM%$<$7?LgWTX9 z_iZlCt~h8by&4@fnq62y;#9RymkOGO>r52Wf$)nnT@lqPicNz%kbX<>x#W#m<6_Je zlOA83iC5x`YMTzX&llmrb5#im*JyN-v}GS}u^7EaUDvEfMa{xh^KJUC)mjh*ygm;4 zq{U5+v+AH4u}E|M>VqpN+fT@6!AZK$sVVP7npnnEh#Ko>l^M4Q?rG3g`dkNY|3Egx zd#F`jqs`O>R2DkFO4Qd{T_g^v$3K?&hzn?rdvkx1Us`s#)TMbtH0kkufScBg`YRp9 zMB#bMQmFCWw2*5T30xLZ#fdd3qOth)L0+qf z_qHJ(XSJnAsX?LgIdH&E8^n@oU@q_NZT5a*@1+Dly;5%hNF)X~87^^gua!R7Jb39z z80tH>C;L5S^|yoRq}!-jCdHZYUImbn7<}YAryAIxVlY?H*!`vD*8H*fvS{z*vf5=u zMO>y*EDbW$&AxAw#e$?b3g*T75uKowDIHL+&~6j9p7@&Z*agLJP;mqn3GOJiM(%@ z7B!4^X5xvI4l6Q)f2TJ5%!oW?$gTCu68HPgq%;uhfFud9Sp&rDM#x6YMoRu+h)ZgH z%GaU-Scd8=qfs(6lJLrCOn^@oyRjsfGsY{mE#D8Y#g!k5CXb+U`3){v6iR>6meW~a zOgYA%NoKc$5x#@f8100N?i?)lXVD1a0*d@fAp949fCawya}Q2K_BZV+lqQ(hKWOw- zZy`Y8A*#>|0$#J`ducyMy61?L*Y0unjStD?<7d2wT2xYLl3Wd#;E7~5=JT@^b9<{` z0Ia~#*wl4~hF8i>26_{Y{~{@v06z8tf}Zjfj}0J}Cl(@&i*yk?UcuBXM-R115%bku zzv}o6!q^0e6|pb`z!pr2wnW@yHk~&*aQ}hnZsS2P*!97T z9e)St99*dYt9WX#H1*K$8tA5!2XXZbbjt!I+l^@L#VAKVo*#yM_Zmf(CW>Q4iH2|* zU7v*>!bxNUR-69=-1!qhgC9hdJSp)1!+EV^fgNlwI9><$mxv8s*%oW@A8+@DyA_y> z(!^85dJ3dOGN#hkrQ}nI)1x$Qvf#J!9nDpWWzlUPZt&&r>0K!~z9@I8o@TKHPfFB^ zgM)Wvur+dY0}zmG8(!=mluQteAI1LaizTf&zvAZG-!(Y~&r$g`PYfor*tJ6HmUKu) zZiycEoko;j%AztSMD;}Ft8FgIzJ-TfP7WW2hrRw*flgv@hC1gYMS6zGeF~2MWeo;7=&9a6f$c zCbplioC}WdKA9HTo4{L8O1D=mE?``yGb!)~mw9f3-03jD^a#U&QX^&;E1VT4;_3P3 z%Rbh~ZwYXO!RBtDh;AJ-#7PW>oNUX)%|-8+t21=dI2i>)(^g5-n=mMY3i8X5#`Asz zNG_+_PIRW+9k0<}pU#ke_W+$?C^=D^VP~7GuW4-LM`!~*j2$^$rDIQZCK`zM3<93i z=RcdOONwn0Z@|~jaaiJ&#*L^U-jA%wB&v`XJHqwq@Q==UjYY`(NrSgj3c{sT#yR|k zz@c-&b2PrIGkV^BK+4_ipZarm5eFDZcg``!Kq2Bo7ZeT}CH$Mp1~6&leqgARjksk6 zF;WS2uDsuf_PebAI(xicndW#I^YvF`M#7_^H9$$pvCqKjsh7%jKVZD;ybm|p}z$e1Ooi1X5 z6&0e-;0?Th2?pt0g>DT758!MP515`5>vyz^Mq!TBuU5hpnM=gr#|ekP-f_USJOPF# zlz>rn61U5NBw+k&z4S^czfWV219bT^$IDGNhfT<}Fgee?QCRYTU#*GyIN+$N^=eA) zQ-1W;{nl(Co&rFDT%@vio5H-@Dd39EZ%dG6AG=rmWamQU?-}5fPlkH1Y)7wFe8WNKmqee1nqn34H)DZCX*gL;Jk2};@fyc+~rQ9LTiq# zJDS3j4Oj(fX7T&b0zU8!Wx6eD>ZANV_ui-5ydLLyvYFg7Yv}CG(ZofqucW#2{-lpR z&gZU|SdarE^ji!%HOVAeRcnYY7vG2L@*_V32JpIb@L7+ryv_BEYrqFw25_{=ll{z! z%J1#I&|sGx41*?~T>!)cn>y{SP1@z*+*o=bU@ZO)2QW(K$0R&A?u$usJzA8S%#*rm zmgm0{J>MC@i~n??6Nm$P=(MJF34DXri|;9G*4U0-r~eNi{a^xkT63>KqmWAe{2r07 zR<1?ljc*DF4WvMxkfxY^_%8u0)rW`cBUblQgV>KCz|;tp+9HeAyb;Nrsj)pWS4rqi z3}C(AZ))K`88p~rIYS%Zg^a66ZG%nF;(qoe2Q+NE1Yl6o$i*nf~o#Gq@mR6UR9il73JFJI*Kc8dN1B0BfMo@_2#P+T1#M({iY zArWy7WM<{`eRS{I3;mii3`l?zOVuk6E=0@_Ffs4}bL;0k6fET_sJbnf@2sbrku9m)EA8(ZFOEZwku4XejT-$?G{T8@USrM!kwOe zdD2PJkr;FZP)n4uslB?0Bc1SbxmD022-8QSU47RiJ znKTYIHy8W)DnqR4xL|Y&B8|*FA0wS1byC4=o~X#g46WGW zYO~TM_|*#B#T{sdo?GxsOgfFk1l-Q!nFQ2N_FcO5)}J2%Z+uTIcxdmN6*o@>kVrC} zC>ABRi=Fog6n;KJAQj(`;kyM%Le2b9)NSJBk3x*o!A;;8jgWc0y>5U(3aJ=tnEiv* zBGIF;LdrNw3?W~0MTf#-ZtY06fIh$u<}(ZdhUrsB7?U;a{$Sf8Fw4y@GV5w4{3%TO z^(GPA9iCT~N3*JxdVGA?A)pXs$BQ}%qbp1?#%%&VORo3zHg4*Kwp5_%;OhYaLaen* z*pgnCdvVt}f=@OJ)%hPr(p2fJuv5jjAH!Hf+L`V@&l4@>bQ;nkqBqkh7tG(&#@qzb zKt)3X+jxA!<*?iXGL3JAJ>YFnEg8&rgunhI01~I#W6Xmga!|vyMIV4DO<};#f<+hQ zzB#b1z)Iw9ybz3DJAQh&*#>k-+yWY_#0sI~I6}J%(Bj1-=9!viPa&uaZC-9GFd}AH zv(TmNmeZ0iA?f(yFY9nfSa8eifC?Nj(*c^BuW|qW`lvKXQ3E=i!-^7k%uGAwdehc8 zWU}6!&$)qjA~}sRb3(y#a?h#(oq_PTAh5YQEA;_j+_Z{t=y|zkI0W_)k6x>)NN`;y zW>d&PI*v3%&+N%joe&?2XqtiA1AC^M_zm}=xV>G@M5v&qs05f3ISUkQ-~;^N8}TlC zUw{so41$@5yy2ww+p9GO3Hr$cW{$U>g+TX|CzWtHx*iQmYG#9q>OQHbu|z&i0xd42 ztLftchSb4~g@EJ;y(mj<4rl-x>LScJ74^q8O?}RgX%p@wL4tB_v4ymudxxO2((Ok= z*4qO(;mVr!B%7_A-V^%XUAQ0Qb{x4v)h@42)Yx4ZpSGnNNz-B9gzqL(g_#uamgb%W2lVDIdd96fv{nSg=|8FGh3V1Jc-26+&^Oi2N8tKda1UD ze}%=M=+NcnbbTDA#l{f*1i~vB{Vv844+3RrVxv188o2AIKWh9a`trH|q-5A$>Weov zXk#&M2;On+>s3j+|6l_?(G{|U1D**(tx&Xis{xU$#qK%!z3{x#1_e`J<3pUlcl@!f zkkOAQnDvLpN35Ik^M1jmKz+*ma=62YYQkDrbT6Vrz8)8TO! zbeKPD`%Q#?B?4n2B-@j}C1)lzut$_8y2nYKf<&qY8u~-6cK8yeB?fymV^0Sr0=u^r zi!{i40x&U{WXRHW0r5wYQx=J^uJAK9&KCl|4MOm){*1bbUT)=YBTTbRXyD0$5;&PG zr8#dhiG{#ygn#To$`0%mY4?^?Z7i2NNq!m~Mmo}VVlwH2G&zN*TEHSxL`~d%Cx?5Zhe81PACQ9lQw*e0Wr#|DRg|;K60*< z@DV;cd!xOsXb$}C57H7s?o8xV3@QIZsF z8qpit&jo5@amzwu21-NTz^Z6P+Zvy@@2Bp;^FDU-ry~8FUl0$&;sn9?PRhJf!Oo$)+?KolO@ciO6GDZd{a7#S@|yQS zMyfFn9nt{?uA%dy;Z-mB6%tAY5j~&4^X*sL;0@a-kayv=;%9uI?r(AkMAC!e20Nbb zWn#6A6kuK-1Hojs^=*Q?7&dS_=z^MISA12$R}@u}VZSyFI#FHb?u9h$-F`}?A2K4n zEIyOiwD=_j+y%>m?L7NKA>B8mJ_i=FrVUYg$J5Sg>4Z*g}4a|*bT0zop7pUs*<6H zpeRc;K5-Fb8Hy=5$b-R8Qf^M{%+Mjw$G-9|gmIegRy@)6uKqXTcDN ziO~eVC-$sV)(vB~`Fr7m38Y@7p1diA+^NeYL&zTwmok3doSP{MlR6|asV9sbI)TCd zp%G+4y&UdoKHE|n)cCeY9ojVLKA1cF$IP$T946$}TNE;R^L6Cbo}|>LsufKS<~5Xx zq@tRlDSJ2npS#j!cU&?-7b1F%eatBc9$(OGNkO=m!VY!NIv)kW4Z05bqTwv1w^97L zAsl8Y@22(M@t{`FEDF_nxsQ`VM@QURzPDS%up+2p)SgN+aa+>Vho^b=g$9LZTsOuT z9s*3)0$q}(On{bLles)&)$wZ+=zAAf04-n!O4TaS-c2_)C=))LKRlMmGSulP>&d;y z%R(ce5h4pb5}()gw2#hZz{E+XlW$CQ-Uip!AX|@Tr67yQ8eS;;B?2=a*jVW}r6Hk! zM*+Nmo>LLBCY>*DWz|A1LU8GYm>A1fkQj?j1fnSthh@ULt z%!Bv}^uogJL`qN&&yAG?<>kKHKi6E~wxPp$pFDj@33E;eQ_+Te|COkk#Z@e-xl;OGtN%*2xC)^B2GUtT>PMZVcEx zzx(JrujHmB&UZE)9)~f*FP{^1`v(|-i(fo#BmuDgS8zy2g){_8JEB%mclcH#11{jY!hdDHb7II!-0rQ!N_ zCB=YzNO*GwFV0^F)@6xX?cn@?q2AhY_vK$-M~++q{XLdwO@8;Nx@m0tL_ z*1z^u>%TY`mjAbMU+gugU!q2o|JM31z6SN^uxIjB$n`&7Kwbz4>O}8O@n7P5a2v4p zn4f!og%@f7-%R5r_e9P~lo6*L%P2V}-EpUXJ^V+y`Ja#i5e~!&c!>(UzCWT{aC8o} zes&8Lg~t+$?;9ftndF2u-P6$dcZdK@us&EoMNXUNla8siE#usAc0BAti_|K69l15O zyH@Dg8k@20|BBo&G91o{6D}nqL5d)nxY9XCf8I2wRuEP5i7I{J6-&X?jFc?eOP>DVUSl^XQhy(98oIM4E; zv(QJ;OtZFn*hybSG9dztRU*KiMCp0rBbKg*fJFmI60Q0tKw-X6?sl`Af-&^!bG#bQ z=l86mR-r=zh(XTkKhjAOQ=S>q;cV33+Td>s_H zk+)ANlB5##CP5iRD6+K1Bx=8jjj0ShU1n^_GzCV;4l z#^(?|6?95u&~A`CGwQ8_7|}WzchG$v8mm8yw28@F0JioU=!L@~m(ObbIdJy;aFPd) zJue@L&Op6An38<*BPP!4W_67yYx+pL!FFKYVNL3&nSJz#$=PIVUic>u0M-|f&Sh3L3N%|>hQx~C+VY^C<3 zP|NMAez`%PXk=n3)S&%~K|tUu+}={7(coLIRw9?hYoXm?_o6otM^+e&^x}IRX8Z)H z%$924YlG9O-RbEKI3SR2{*e0wDEJQ<3PdbNdS==+>?U~%HvC=7)YFyIR zij`kr?w4-x?}g;h9vru?36@N{0`JC7pS*dY)K{WhO1q)>OKa-;(DVUfYy8v=)B>*uPeMj6`1BTY!4=3O*2h5 zL0n)izU2XIxr;E@Csn^0nY^0YEo~AAIOr_a+Av5Z_yUc8I0c1FeCVqLQe7Y@#YjRk zLP(WG4HJdsG&QT|7WP8DN!aD#lD^~4un9x5o~zomWE|2nkgvR3nHN#w787_so})33p)ij8uly519BVd^EejzBS+$}pxsZCt9Si7U1kk-^diOMOb<0rttd$TiA*O2`1AOuF!bJHUV>f6bDt|Vq3jm>ZAPc*Os%IwME*TuU~ zZBpZ_VFCy`78?%NZ8&*vcSqC701aJyDv?j#ijV!7@%L~;nU;sKm1^N8PW*TFf`Gu2 z9IzIT4+Xewz%{>r!Y_7^se?Wxlc(YEa?iQJVnywg*puej^AQDCoWGaQ@l{1R6L=@ z`G~&F>nd(xkdH#@C;246)hS0CJis0H>ifOq4|UkC;Ob)Sl#ZUViRHIDv)_TdvRg|BN1F@IZ0kN-K{0o`HlctodA47c{$MhV*?Uq2Y9{@5 za@`i^8f~N~{qnRr3h!WO#!5Ck?`$mAHZ(kOKb7V3fkBTg^v5L9*;;&@oEqxYZvxmQZ-2TbohN=J6AYQMYld#$==* z)}o$^XB9xa^K4fa9TI>fk4F8;Jf+D@r=sE&z2$OVZmsQ%`1)$2aUbGU#y*+-&Al?; zk{=+*coi=y=q=S-F?1Alu|bRPOTgn5XT_dmf7FOIBcY#P^PW;3hY8{JdzO9qd3gU3 zPfPK~`b;{f-4*e&;Wl4@m&smLS3JKDBo6n7M!8s4dd=qfdL}GM;vAS90>KV=r&znS zW(EjY^zj>+1C?T%u+YAq*1HSm4s4%zqroY#Blbl_X!^cA&aW>KwN;Xw7L&3Fva-pu zB_GBAPjlDV)?~D0Rhmi{lqNw0snQh%gn$SlNL3(6iGVc0ASHAn9qCFH6(UkpN)SQ~ zi3kWt6OB=lXsuJbKZPdXRoy;!ZrvtR~7MwBNfDt zWShoqYqj?`8kAjorONJ8lW4z+O%;BvT)+|x|h1L{`YfDZO+ zQ&S>QfC%{#@y0q&VI@-<4}lC!YNr3ge`DWkZ2ki>rwf=Cf;&Xg&VD>s!*4#*P3+8J zpq|GGd$)e`Q3k-#PXGlgj80?gq6Z)MAeLm=V*qT|0KH&*DQYDw^)R5^pNffpYi`IO z2$hoNk}_H!um3s1F*gWI657-p+z!`K5*(>=W;ryF4#`l)TLAL4)8?tmJh~nP_RV(QXVB}M~aAN&q`ND=Yu;MpJall z`@%)H)AD_%--nzE>Ic=SN%HG?5i!LepAM;zdK3}vf-JfF!z%Lda6XA|#8N%2bAI(7H`wQnw-vXrg!R3G0oPg;yH>HJ`hN8C`19~EjT<|}jJ)@f)p2d7F%3^QbrG7xK zSK84+3@|mzMdoe#0rMwO&-BwkV(eKL6S@7jwByHf-yMD3yQ~|R9HOG{B5D@m2oD0F z&!f$i9-n7!%VudB@Iyo3E|`+u)4JfFpe?k=@s?R ziAdQK$zN+d@r+~u(BB80<{xdr40b=*YTp0BG@iJEowYTy;TEyfmis7m*(;i4!`)|L zreiQ4Zmy%WeQxT;Ej{jAdW;)-7iGBSiW8nceEh)NdHB9ZHk0^@VM;^mnOZF~A@f0g z+n;q)-q3wVWTW4Y+$6GHB$Ymb3H*^eh9>uVFRUHz*EeszxpLUnk%E9LCU4C*F6P65 zzp;IWmo?#u6>WNP0(rBkn)0=fY8>8y8W>p4E}kCM+8v%NLBjQY<#lQF%t0YukT3%6 ziV-nd>QCrSt0O4eS)$x>rBk$(t;+dYfJ8fr3Z9s8ex!?~1DHHcDP~F;t#pSEgH2pB zO1JS1E!c$G{NZV>VpOY~2_sjrbLHBkFyZ^eIKZt!?lXH$gNx|?jhTGKLSWqbo+(B? zp#Qx8fDQ`2Di#g}Y3ocSms~Pz6)zWLM$B#4&hs|$;mSuV` zMTszE+r`9xJugIJDU)73G%uJF@e)2t%t{-&UcVmzV~|5I#C}knJZ}3Co ze&=~-blr!8KL3Xe2_~Oy`Ua{jUtLsm-EFW7)3r18r3cv_^sa5PY&Jt@)wx7EuXfAC zqWnf^mKzg1zsWJmoeWo{dq-K?l_%q7v^;*@@(yQH(erX!SXluSD)m&JNmLp1=i|0{ z@t^&wH9>C)Jrx`pmwCJ7s(OL@>q_6LSxyp87?j^jQEKz~E*ei^k&Pa1D&M?;-mxK} zE`gl|^f%swrmYg2(%PrtBpO&hYuq3#d5v!~t@tpOFF&yVwXD=)+UoW@9loXl-MC@* zi(TdVkr!q8{Yh^VHMImc$3}(bB#iTyShxua4e39WteadoHD^FjOHJMTMdS7XJpGH_ zUyeG2#FmYs&7*Q_-1?+QRraizx-p)-$uFj3==l7U;Y}~N>JCA^{D<6PKXOrGoXykH zvRHuahYw&y-uom89J6?3m1C5C?2RL}o9~x)z>K1uz4BZqZ0nLPPU(5%IY+_W>F?&ZYkgQm ze4jV@4+SWkY8IV`&i9rQyjj!GBKe3?vP2vInYnn^x#r-RNA$f-6ZNtB1U{ijkJzG2 z6YMX4C${T%zcIEv4LZy!^h$T~gjjC&gb2UO`&HLk0a59q(MWi8*TFBWE$dvX*8Fc{ zotFrQcfs1MQ>V^>yii<@;hgp9k)I`w*Iu7^>N?u4Q1xB3fzOdiLUo4V z7doC2R*sY>x*lG?1ePEFB{_BMq)VYj55Z-+SiT2dS0R*I>|1*CAM7qd} zPvc09OvtOZRc03Vo`q3jwGo8J3Ab6Jy?C*ZE@yR6Y>jzg$5lJ<;64&=o%OR66jtx< z^SRG}BcNG@6+wY7Jt#Xq4hsVkJR z(i%XP_uno8X75{qE`jxDzgeDHy!!BKY~wwR*=5v;9l)6j|6Y& zbJ~?Cx=x>Ao4S&#UOt%s!gCGp7{Uwu`y-h*LPI6nuwl0-0O01(NPRByYBmCAXc9FNE(4-_o!ddZDQ^I`BJySpO zq&0!53OK7UqPpLQ-fM=+8k6(os7az4tWpc?jYL+)TcxR$mw8q}J;?(}vjpfD3KsOB zeC*q`sjw%8-hDpH4hvTNtjF8^YwnEoj65MyY9}c0y^pUqW9L5X^sW00okc7}{|=9e z6}VvGy|WbWf{-g1V!pP*L@!G38VNRE{8k<^(*>=^hBP4v=pdi5PReHCu%C)K& za&p->;q5Nz$lNHHQ|DV=r`!gus(0F|;*O=D`e7>H<=(#MC3#@xI8oiW*T}%5yVeD? zs`0o`j(S^0CdGC2wc5T4Nmx#G)qr#}eKK$pbzbD2?oo09^BtAXFW8Q^E1yghCKW?R z*{re}3Cv>0CUm3Ht|!@#Rt{|sTSH0ct9NFt3-;alDr4wDW}iDM(Lp%{s$hc#<`3+>qBrQW5-xAq+2yd<^`AGp>UYjilR14Dg~wx$z&O&4Nc z#jbbFhp0%+IP_1&u?vO$`39zK`xyEA`d5FXYf)Y+!BCAV+@9M2eY*iLMEj6EL9}vW zd^B>VSmk5~`%GOU2SMZHxzOY)KHC$*%2DaD`&z7)zeCQZml&6+T(yGso4_c^9C+;e_KlRnDnd*y}%LVt7n^{T3%z^`R=N z3V9?9+*9t8&bl1AF?u3a>nT#)Wvq?!aCblHoctc_I4Quc(aHK!osa2Dtb{=ot;>U7ezR$fmC|W^Wd{w?)MdzT4)KSf!UkbE5=|KJ6nO!o(TF z0Ndmo0xmXb{oXmTD~Lbv#?nOM#IDY_+K!v8ENnVb^~Et-=d4@jlC`L@0vHSUXWXb# z9BsO#s@>{w9ckipqQ10i0V+uC8$m3(EFAk~z-{J}fjpeXjt{;TZnrKN_3(R8a5y}@ zG91v`*77eJU;D;xug9j?}TMwo=gBSDaaT6W` zl1t72hPeK$@Q(?;GIWftk2oBiZJavYg%iJMX3coimrt{{L%2-RQm=6)EO1fA1N+)8 z>@OrtNE9*QA{a%dzqo27Xau-UV}m$Ip{K*O(2-?Unhvs@$r!E9)`fQ%n1^jRHM}xb zD0t*V;4Snlp?b=0H9x4hbi~JWYGL5H`2|ICX<4N|V`j#m2pxQl#*Umht#5u-npH}o zjMc~UQI%NFne3RszVQTLG_IQ%G|1T56#sEi?p{nByT}ZJ#F<99d<9bf-75MQCU}Qs zLymgB-0Mr!x8_8|@Dr`A-xlZ?`p?c}qSBL6>yJ_)%f&f|`_DPwYo_bjX;Nf_E(8Qt zJQz-%HMozYj#qj&uSE1N5n#xWvcQ7gv(=oBcEw6!MEFRamqn_Q5mlM$uFM{gu4hj+ zN41qizh_E&xYA&`%3aSoJ98nbzXUTTLjrRE{KvNB9bfq49r9!-eoDlj!xAlnqmv!a zWkk2~A1O+_ohWQ_yOpiD!LA&}ZI&dtw2@)x_V$;3WfN+|@QmV(Cr%<(T9{w; zrdauK_|q)cV-UlUSKOthQw~S-CE{DZ$;@q?>(h6$!7+h3?aQMX@ND&t&)`!K848)S zDJ8a$;8!vwc1c5Euv*cm4p%sJn@waoHb{1Y@b#&RIdVk)|1aHH3^D=q$D&Pq(5V<%4aN9e&;frDvE+8ef< zx7VtNs*{{=>15l8q$<^*iXGerT3a>;=d|(7vrka>sE!DV^0F0Qca~@HDlcztXjq*( zL6~2=_pSM|%9XercjrrQyyX)gsfrt2JVF-{vCmpAij4MDO{aeT(762jNE@sBv{n?& zuJgS&J(*vP0O+j2RDKJn&HRe`5bJ5?o9g1x(R*CsA7b+LVI{csWbdsA`)Z9$b> zozp;Rep~Owlqm-aKdpUzE$~Y}hIfBj*s=y38jxjM6ZFzlUkA&GY9zr8n|=&Mp85F^ zcwf`wXJPI}C+ghB?jD1|>WPT5G^VA&50yw#Jd^zMX%`%hvfJCH8(>Mn-aMtX6!@Z{ zG8JD@JLc^w=|s-3Sbw>a*IV~Ud46)kc{BDsXS?27w`@gP6;+}KXDqV&HJydn+byuM z(8WXZ2>@u3lDLx_vj~@61+9RYgw9mqMJS9y#Y-Mo?831|a=oq(xmswF4IS-NH#Oj} zN)L4*Lg??ACU+t`48r?&;%nBX?H`q!HtBcm9%N3KN78mR+(t(24WF@#?^Q?P`~6jg zXWKZzyB!%X?w2_TT8pvg9}CwwwetP4##SpUHs7ZdcXSe$JbF9EjZt0Er|z!)yQafO zAtf5j%Z_S%-%nEC_hBob&68wrK)b~c7eanYy+T~5a(vQ$6UhU%ZLO<;r&M?;IU<9= zbX-gh2*Xu1h%Kj{4K-07n9Kbdkp&576ccAKc6!~_-P7|~>29Ivj?DXfRgYF#rxlC+ zgBb<-6A)+^=Kn3X#@!)r?!COwSnle~w4mJ?R$)nb4!b!gPI=cZr<^Yh@&s>#U2~z9 z^hDmr8E-E2K^s(`m}T!QHp~jCSEOEEG+TK!$R8V8$<U5qMwhlHw zj^9AY+=oK?YYR6lMrJOPb;jWw>+UvS#_C;9(#xl`Civ!xh(#BFb%R|&e}=@=S_XG4 z8#=c8tSzz_DOU%cXdo~37!o^US0WimXS$}WKYgh%3wI13KYFWBUDzqOGGf7aOPg^e zUHcp^Sxe5??W;<}D>CH6TrCJNC-mv3htytU!_QZZ=-KbKBg6MUU3&01- zV@nQ*a~YX}U$?SjNH`pS*&+acVXulf74WfMwMY0+Q+$`Rc4-JTb=M@j)%$gW++9CE`tV&-J&&4TB0C<_ zks?U7wmN@c%|a=kHU-ma(t=$|9=m126)JW%uPj(fHsHMvA0>ruK=bz;!GZnx85(m9 z{qnnN)(sq5R}KVf)E|D70h;;G6<~2f@ZEY5U&*=n;^Pk-A#hD?S%Sr~T+mqggW7J~ zmud1wG^f@U+9T#O*F8ITGi%JqcFyl%J^G*CNPRg^k#a~=QB6)DI#Hv?fv zuzDVG@;{b#@F`wjpCPsf!Hs1B|M{Kc+~4nNGt~5cyl?ie!v43yZX+PDy=}Sv?;ZVf zcQ0}ynB8;DKfU|UEDqHGS9#DKaqoTaGoNR=y1Ty3 z>FVn0nov0zF+@0AI1msJMDgE06+l41^}c977^tuBB7T;a}g0aaS;(>IR{%4 zb1P#Ikl&$+$Z@Fhws?QN z{j^8}(?=o#p+eh67eW$%-!=^K*^)GN0Fi@^ZF&}Nc1oxsDW?;G`}s6XRUCO+EH8s& z$m&K*Nf8#wNC3i{Iv8IFDwq}4cijBO`ZJif1zIdr@VgKvk^W|RxfN(n1&k&cm%<;h z`&4S5Y4O)|lQ4<+K}p5yC!GNVBC3(tFt_l}$=#>TBytt0@@~P540`xT;a_xnV_8Nf zj>@#+sW?pCq}^&C*u^x$hLkDUy)tQA`1Y)({*Y~gl@emSES~;~qTQwVu^Hc3x_dHm zj$o6F#Yz^W6KmAJjm1kZo{f?BVzn#EEr#{rr-Q6s4k68HBt#l z^u={Cs}u!}-#vp%oJ_?`T|s_bUObguN3pw5lB^UCFG-Ms@W;i*#x4wFKf;3yN`Vsp zpfrpi1euHBvD4?%B^f1%&K2`v^o5!8W1j*a=)zY6_t-*M^W(UJ79vLY>5Cl$a{$W! z8(RJMKD-dW8fcghwHh?L-;ZkWGpN^Y5<3W1KNUNu4Cv%;HoI?Y&=OO~I{rdepa>!; ze*&mbFlGXzh$V-R9D-6}7|sGm9O@Xb`qsIrI44mD9v?J7lsPd!P#(g4QgUR+|=;hES ze?ub_21SPz6-muIlb1rr!|;<3F3dCfYy1~Y39=MQIod+VIj=H5;jil7Ni*8Cu%i6) z>5U^fC)%`V9bcUwdJ)y!$9%kLf}_(Tojc+eo*;jwz9s!OMtmtS3dA}T#fXxwvwr-+ zjNY}rJ41fG8a3P`zx%ErgKsrBOXN$;XY5wsjfks}=e06oC-A~`!Aap~jx`?{6dmgv4w}WAEAte2=Nc@S3X(`Id&%V}e zCE5#Y?@wvcfFqFz5)%|v6q?ZcKF2=jKG*MP!x4MpX`*PcaK94^dJEtSbY@IzF_)9Z zC?-j0hAf9(hphKn_gvB8`onf)#q)-!EvXt3>Jr2fWG$4~pxL6*1g)Dj8Z`1XqE{@P z{aXsTCB3rTv)lt;CN_t_0V&)C%jPeDe|A-9=)8xIZHa>IoY0g zPv@UP9vh!jELzTZ{Ec1!&Sw{P%K5Z@aJ{QStw3!+c?O^bkU>2n=!{yaAFPk~6>_KV=PvnIkC*C2w@`rn$9rKvgnv@Tlbvm=`#ot?GVlE=acj&pJiTms536! z7o!PMZkzv6Mp1T%pbZrqJNVa-x4KB}Rh^-_vZg~nph17dXvM0o*#v&IWw~foWmTsk z;C$`;r_1VDOR+(byG)`~MXLL1mepkKWJ6WmrE?C~A0BjWR<5=z6DB(Il^65O*$$o- zt}uc}&JEWY2RO$cP8Rm=r&gz9u9Yqw+rsv+F6tLEXEy`$6Us*|>-SN3^VUJDKY%Vk z+Y7=A=12EOP-OUMqv#4kVCu@)Zxftbf64)tF2`omvO`k_SBB#;T@#XXr>B-=2*|o=+?FGZt=ILjIaqoy8fl)h>9YPEw zKJwGhg8_pv5Hb%;1WXdF)xX}~AfVKr5HcOI7;+I3IjAX+7SN-+WfB35_VHe#WjLSqra&GOs$TQZnW_pff>DKRyA&!m%hjjR{maY}2E6~Pu=chMIb zR81vv_juH_8nRtOlb;72W2p9RO(gKyi5bqqdE~~z=( z_QoELIT_7d;||sZ;w^dADsMSQ@Y@_f+Wml{@#?~~>?B_YU@B?u&GBs!C>N9o`9?iBZB$t)EX zohqDlTfGQeGL6kR5@ncHgJ z!uyk)H9J%aRoBar{@N^AG&$cdM6W`ux;MVsR&DCn=Q|B1XXa(Px&)qCl-HD&EJdzo zw!R)`HSuK%u=rH2mvsW2E`eTgUL)`FuRIof7M94^gld}5i_|AjNE2LubGfbD1NYY# zZN&PZncl7HovU!&IG<+cKOP0|RJUgDOrwUH(TdT@tiqAuc+lxH=?UYZQpZk%;sc$`k0a{&`wAzZUIF*dy%86G#T-uPD8XOerX z!ak?o3{Ndj7Y9G?K5s|#dh|Z=meXT_#+P>+=N^|Y9bQxpN7KRO$h}08{KsA^pQ+Ey zw~}wkroHf;I~^+CbUHZH(@<6uBAjz>f520c!h z0tPyv2VmYP2`@Vb5stM^V)g6k41l0^*!E>$Kk=@olc)xWy6EYDWFG|#x zfQubp1T{l$5wUMfeimN%MCmEbW4t-OVb#tcfOJWnp?&GF0An?A6KQFXA73;K2qY*P z2>2HT`t<<;#RY-<7Yza;0gCtEv;rvAe|W$^K!VLdApXOn@fH5_{Qi2s(Eka+a=`wJ z16(f${J&@rzkgUyZbNUr0$97>>W&~F@ZbJGh3l z4UFjl)^`7(KzIS%U!=9MlRh!P+RDa}8^A~UFAnZ6`k!P5QsRHHI9c+Ms!7Wci`Y6C z6SLDZ(le6s!x0k`^Ew!ra4Y=$^&j|GjE~gJ$;pnJfx*?)mEM(w-qyjCfr*QYi-D1u zfti`^i-XS5&BjR|KxgAf_U}UetDK+4j)o5Ac24HDHpKswt8ZZI?8HY(`cFmw{rtO~ zPUa^6QF7?|i88UAlDV}SYp5A2_uf5ZOOuYXs^`%huqvJU3PUk(1J zS^P}A|El2sk@i2$k&xU`h;mcGkcw98UADVs^TYoLYv=d4^bc8*lLy71{e9W~DC5gIb9<0J`nHV! znGFUizBF&=+FDmvw|Q|sadvionVggrEBk9`lHtazU`aFFSG0>%549Rb4T2U76ZAh( zPJ9Tk%(3T$!Jx$&YtL@RJD!Y|BvM;@W3x0J$?l84@q+9ufZoxB%{Go(f)Ovbn;(+T z!3s9&w+V?Iv^TBh(I)D_3J;wmy5^%01Yj@iRlFu`8>h<5L^}fe-MeyO{J8ssk<9fM zVs*51idBWwt*opgRc)0TMLJ&BY_sDY@f#6~9_?vP#_bHqgvNBYX497IckbUu`EZS& z;yPK4lY<7ZK1CuIneR`+qf>1*((nE$f4+d`)XVLP$}&|fT<5fCF<<#&n!cFz{`S`{ zU8PekbnUXJo15F-;h`8wclX||ox)oe=h+`Vy4OF#hvDl@mJix*><3dl69!i2Gbg3zqg(Wfv-a~_^s?rx>#NGQt+ziaZtQepFDA1M2g$0M5sy?is$?ymS*sB5e;XWh?UiKa>UZ&HLN z88a5#l^2|JV&+Qxyr+DXFcM|gGUX!0j}nLB1KJ%2vw(K@-F#kYx3+!~TYFZGqF0Lr zWb-20gSvrJVeUMyjYfR%LO<>7V*3G0m5Fy9 zKAoody}CK;M&>51rnw#4@s-t${h_?Zl)2rYIia-b^HuqyM$n8!TdLTl{XBC5p*;n1 zyI30(OLS4Xea@^ydtti0M0nY-h&jq7-QPBeVz)$<>~+-wOPw`K?=>>2_S?O;vb!AT zO-pYU!sdkN0kTTgdI@lM#1WC%wrdrQsitGLaWA&xwreGw{=`!mmQlM~R`bM(h*=Nm z*|&qbja@kRihzOE-7!-RpFR6Se7Vnwl^~#?LQ)`EbX28 z3!irm={h+1`wQK6m38bjDs@IjfCZi=EpECC4oJxx+U!|u_%ffWgu(94qx<2q=0{Sv z?Tcj$9k{yq+VT8)H8_;gmw{>H6NT&BAK`DBTL2P^hzK@+FRy5Rb!3nX z46+m4g;!;LVfhQl`GMlQII4?;zf$ADQdmIA1ab9Dd^GR&gZEi}mbWMrO{tdVBw4n* zn*<$8F<3aD^o2JCc7zT6lz_)&s>ACQ&fZQ$Ekyxvh_3i#b@_t;?8z-XCI+Qcu{cVr z0#)TWZAoS5pK7Ea-drfp$B~f{3#+T;vg6P7ll1HUX%D8KAv7pE2)nhm431kXRgpX0 zO|Z~GoQxD*)Sj;Ro_!4?YHNvJm-0y0{oU@SpOnnHY)Od+b*_yj9DJ#K!H0$|w%+Mt zRWUd;Qb^qS=r@Wm4)DJyaFuQ6VEbRDI8?#UrB>G}>_h1^)@{Wk5x!0i4L3_`OOt2BZvHYWc0Cz~aR9uijJX zLcp0W7(BhK@Y{WdR=Q#z?SIcrGQF9$ApF5F?!&p*TQZuPpsD57Uq~RKe&ND{PS|nN zv^s6oTU+4QnYyT*m7bhh`7DJSsmRSDy=&(@OHxT&pTiKXmvk&mk)S_gmfB&))}E(@ zjQ>0T@6Zn`Pf_&p5v=>koQsc-xBNSN!B*Q({*mF~+?*W2QjLZmpJrYK1>2Oo_?a_G zwB2P*rbhEOcD6G+%Ls-0%J|6pszYT*1T*lrJkF2B7Rna0zczGI#JDnW`&f&{z7MD> zDJ4)XH8(dyq>d-#XhRA!HkhCZOYKGNT_W5fyl zFY}mMAzeK-w_?^!Rz!Uk#b(^dY$Mw(I+=HkI2F8rdCuk%x};Xn&*IG(Eb__cXNWu0 zis0de;luX#+pAgl3|XdGPYNAeQyt}4yF-@iTZ-@-#$%Mj^dz8lu0j6~(~*WdRoi>V z(Y;70^1c0i%q{1q%ZOW@WSxtf!aeUF2-B+0Fis~Bw0fS#CImTwl0~yU(gJc6*2Q|A zKN8}TMLztV=NhL$EEWqG0-=7fP)u;{4-I-n+IDHOuX6>W_i=h5qW>1*%JMKeh*(;p zdgjXBbInrw72MS=b!(14!VqHU?-}9xo7umS;Ysj&8{3E8fUE+c8T<{GF-eab&`wq1 z>VZB-m-2i~+_B>|3(PxPyxXeHBp5>OqXT_Kp_QFH!xd`&$bobpx;8g_Gmn;5E$myf z98tcV05nK+c^t((NUY+wzEEDsdzR-Pvc@HCs0`iOgkpJ88-GSzMS&%x(Rk+l%iDoI z)9g~_3(_M~aiSWz)CrNJ*N2{jXdO&9mN;9dcO)=i;!mlmLr>w99h1AYU5jJUVi0?x z?Nf(x33q&xDq6*M6tPMPg0prRFO;j-JD;j>??$kECmIs{Lx-cEiz%To_;XyQCrMoE-;0cq4_4tElr>!sm3RJOuq}K5e z>7$Z36s)* zT8Y2a+cfP=o(14S^OFbnxHy}^GyNGehgLWmq`s6_cp#c zkrUo~uqc{b4Qm!X+k-!&^O`rkBGsEhdU-*K|pu0^DM z9wNb6$VD$16k2)90>{(D;EBAm(sbA(PP7>#ZbX)Pp|;`tM|PnzSZA6fTI=4-9Fb$< zF6M9@uy(*`QJOlpbq`9q@oa7F1G!j>9oepL=071sQVla66;?W^@J1Mp1PPZR;46rt z;iZttpjE&0gqW9GjAwmMA(!~znKTE|><3ua_Kf~N!Vp(c{xl<^gwoWN+Da4&yRdqC z0slGgpbK>sgHnK3O3irRJs;*DH?Gm)Nwj@UX;Hz87J=?7Qsfp0@0-b3+4&3Z)xVF`sF!{+TN`zV;Gqp&+*5{2wBipMs8zAWh)h$wxOAI+bS z%VxmWB$dUQdeL+%!F}DQgRWfoLpt>ZzQJt6ujBbelO3tdZ3LXX>*J2aL-8^zKyARz zJl^LcRS1v0ych}*7f!ZcVpXK3Tlrc6mt|aPk$tt*m5A?Z>%HFS8cc^|GT*lIId*4v zSCnE39Gn)d-gYxfhVLG|o05$$vQ(+$m+QJc*8RnLI*-`2E7CK{TCJcCVv#2fPU_w3 zWv2qrX1!@s)Z>cLyzN?1C+*-u)5MM9y!(+h*&-e?RL)l3TgRLJ{pB$^fv`G;{_K-c z8PRMQokSP|LrRH^Bo=q^M8c4=U9fZfIRwhJJreA_G&~NDbi3Ef#r6hirN*^=H&D;@ z7lf^5`L}dIzmM32{%|l&mx>~AuGc_96Y#mUmxgo&qu;dW5-Y!W;uhp(yeX8ca77v{ zSq&uFV%RTrgzVXNs7R@zB;j((Go)4;Ey?>Gw9Et%tk+tS5KnN?3CC`>-uFM{iudNe zuOv4np3GZ~8M-3j#nMnwa-=KTcm1YkFoRGOq32=E!3C1M_$mR%KFvPYMh9MPqXk4V zd0g^eM4%MnblK^$@4gi}Y+5eog3lk%#QGDK2#1UDO8YS}DV^RaW`3Arjy<+6R2I{2 zbR0qF0{lq-0C|5=_Qm^9HU7MLn0g;hsCP$vzI}~oIoLmtXJpXmYcLlbZrf+#F&F4( zHJ5sB%js4L!=@Z=eUQ5eirgD?^X0|_AKQQ z8O`^?<50};?S0RfEnO&=Rz}+`)WZIbt?E*)Ap%;`CO5qFdQB?-eX&9!;Dwe46TVtH zp05lCN&BKQ6CEE%h$#|R-YoKjdB9q|Cc|Q(L^8K+$qy;5AD*ODwW=`f8WvrS+}|*R zyVz#^*F3<_k}`VJ{{BP`W!Im1`+B9t6SDsXb28>+x<0cebf>=|gu5Zb8)hm6%8QhZ zJkqU-q|?iT`p@P$t~45TwM4-zQjD&df*Au)DDzh+I!b?d1%5Q7KS7y_BE8`yv=mO6 zoOf{kH{4p+6f9xnVsIgTynh*Ky6pXZWx>bF1rRDJv)wannx8S5@@fGFX*{;{i1?f# z{2xyuEq61cMsi|V?YudcE6w4gWce^7j8GmKL97;YR7`8tpPdqkKk}|bYJz~oiIf!< z^QEya12y2t3X@Bk7H6vC#QO;zSTxs zELl()2Vvh}kgRZx1`Bci1kh;ENjZavo>Tv}RW70gEo|@ZZW(Pm>)FQ0J#Yr8hZq9F zL}GTRletQ=4Kym2EgHhOg6~Yc@`SwFG2faaD`Ix0Zm0UhSmsmB;6>-mQsJjSLNN9;n ziFrxA;VV*-$ZAgMmi>j>p@No`^mcHI5PQ8c3f^%;lK>UcUzQbA&hwRqaEutOV+J!z z?a;s(Fv4&w29xM*E>_0_gs+iI1mvJVlku_Kf~-57jyv7YFNUb1E?Mb8!UqAN03}&I zAEFkE4-nj4gx!Ub$k456~6gOaCG(H){Q%YCgkoUtG+JwGz0d&kOwU3)yS*^wZ z#q}0v^RYui(JV0{ybE*5tw2VjBb1X>TX4~ze`e#zB~x7Rz23IH3_OMSAqvlD3Rx;N z8${aTHQ8-*b4?L)kp(=nPv*-;-?4+5W+#RM*r831R2g05Kl1=Z3eGkhZ9a@`)4Efp z%1ltvC*>*a_Xn%>?)N`h&Thg}eDud-qd;C<2sCEOs@i`!H(i3&34FYTzua*Jt{RZ+ zZr$m6A(LQ5rL!B0%WO>E%*VRtRRSivv9d;=Zx4rG`Sg1ryeWBx)O=lnncIv<7r;c) zu=JkDyde_6kttua6=rlo#Wc`59X*!FaB}ZdlAIS3rob2F5=l$M?#`t@NY zNPf-9d43NpIf*hVU9925lS?-r4+ECG``G3WJye)K9M#MfcLmav%(ErWB0ma972gRYrd{z}UKd!ggHZ~6!XdU_yEAo}`0$3U zxSah&HAUKcFZ32WP#50dSNm+k!JRH7t!UZ9LN07UQmFETZ9NeE zmzBw1umqu+S7oW}O2S)7X&ZviY)dbV{oM9J@Gd8-U1q2GFRFlSe(Pm>`VJm@jxvqv zR0VKNCRy7hkg6q~LN+IfZgpy$V^a_r(dSQOOe5>gG%Bmt0Bh;!$m(6{?6D6+hlEHl z0tWbYO>Fcub@^4M^MZO_O5ybn-UJx{6rsl(lY}W5bvO{>d>dn&$*?1bTCr%Vtg1t* z^Nm?NLO=>#Zi6XS?^KQz4+Rxf{s!8%pYO9d8L<(;{kCH9cs^MdYxg|Ub+ag1z$5x( z(UK}`i-w`|S0*6O>uy@?*dKlZ%b4Iu`h6FfdpEDnY<*{*)~z1t$4EX&*zA>iu6w4#x48w~nPh+Yfb~f9oP* zC_yq`?J(KWL?oWaEiuD_!|6X>WUf&z{LTu25z|)z!X!xMLHWp^32R zgHm=vUBPPg!^t8xNP9fK8)dRF{x-`4IP;dmO;^`V=BC>;haQY&l0hwnVbDCc1OB+2 zZwTRdqPq=7WxAanx6?{$GgWT@b`f9p;$@AyL99CQ9}C+C53_wp+V3CIokmL9kMm^( zj4roq@2+~us07HebpYFLFK#;!=B9I>C4<>X9Z=D0hGb$>uvUW6?-mGN_xr#$|7?jz z0XqSW=&~-vqH$A@hga(!2Tk0XeJd`{7(IqKE&J zKwrO#wPdk#a~LTsJRIZIHtcTrnITOW{9w`#Ga~7I(dzSA)9K-WAUVBWjky%WR4?mv zML|Z)s--P`aCTDSke+mo+!d=W+EOe@50#3%CJpU^Y)hV;sVzMnBTieYdG2sT8A8n) z#pl*GSAiT1E0B5*69^A2FzOZ`4vD61+`JHBtr)CUW?=)kLz+Gk2s>>{#A7i;+tv=V z#mVvFB}LgH?Xz|9jbtgZ6pYI$i?Pu7uTPelk|*2UK^L9L{t+!&A2y@{HV%7OvMFC`2pDklO%CSN?*Mx4%)7 zU#IAL9huK~qB2cKgwJC2x(U(8AWFhwi#)AQZuL(rGqn9WU#&0v6FzCU)HI-C51soU zVNSCx!RzmyH`i1zTkFwB2pecnvM32ZJzM{X6M!b`J-i8u`pL&lGPm7M@Z1d#W>241 zby5#V1S1islXyz0yu}V?4CT5S)h!}{W`Pbx-w6dkPYbkZ(?zy(=|p#ad<(NaGzieANH|yXVciq`Z+5p942h$&_K9h^WrH za5l| z=k#5Db7Y_DD0sK}!*_c&OG=24dA;d1sVSH~-D=x8>WnSsXfm0X?VUw@Z1UQmpT8sU z*&NL6Y#}+xdyD@5a{B!N%o>9maGK@yAd1VVM~vqRoL367lxRc)s`S8CiW!>VT zni5nG1`Dh8#Q@to+3f5D*j^#*e|EfH9G(MBcjR9Ra9Or?e{y5JtIi61JdwHYC#n`q zf+9mC1l-)ow#V)cMi)a90%Cyj`(fA79Z0xW!i0OBCuuZpHThVPFIEVVc(0L5USwkY zKQ4`6JieDtMMIuIX%0XkQ;6w8 zfllLDeDRSJxHG}@t!E1Uk4Uu zcE1`~p0{4Mi3vny3#w|_Lq4|ZQKK~_;=`Hy!tzD}7#<64bDE9-7Z_H~5?e$RCdjL$ zncvLEYq4-AU^nGrmNH|a6A&8JcL#zpM?-;F=Pk)c7;=-1+p8}_}WmFVaahz1SAFo3AyBc z$NJL!IfBuGRA~(O>vA7&wh%{@>cGG-V>DIXA5X>P2aMSl%@MQLHOS%IrK;USc$=Bf><5H^f>Kc8Uw&@0M ztzDae%&!e?JQznN0TK8cijQeTC*vn7I=wSj=>{K;bHh6Zx&G$sunA?@57#U2||4-BZ%m| za{M7=$&@33;g|}D4=~@ajrh%HjO2}SyS(n_)jpE;lvJh+jc5$eX)aRgs}m~`t9rV@ zA@a?LY_-c5tJ!DI;=$4V!NB<>m=5-}2=AC8dtMzL*FW`Nw1W;ew(e-m%Iu6 z63d;TRyE*t5HZPQB_Zm7@4*~q=zNLG0$3GTN&bwQh0c}%u6vhx%Fcb(&mL8Nu8n=$ z%BMZ_Ug|oND9KX;sHSA)IJlMXLSu7XXQ9JHe zP-#(sRX%-~4y6Vh`NK2B(YeR$U$kE4x@4~0K1wdu*e}E)FQg3Xw1?&)7+Mk~EM=_W zznrAozgcfkolJG)U!9H<=3+f>#qmLg@sle14e~Xv_#Ljhu8|W)VCi~>^1*y!^kSaR zx0%DUe=LM_gT8crW(l#FjOq36(r$3O`&PD`SeP>uu$iy?$pTz^e?(RC_}tF_NwZJy z;t8cQvW9Og)<4zGU=8Kp0d(bEZx3@u!>ZOufi#5_xMivd$dwOB7AzZFPFJSyF> zZvJ?|!-?mj5;jtO-oD10*of?IqjN^05tQY-FR&W-+>HeObv&f6<+Jbh$E>yZ^0 zzNO6e?9nu2z~CpzC1EulL0@Sz4+oql(dqsYka_a!Jbn?1u*D8J3V;cKMozli(RJjc9U6rW?Z{K?_IE#w;NrfSK^yBr`d6JZDPPq-;iXu5*QR*Plpk$L7{M^_dcYU4lV7btVGg2iy@%)*mR&Rf%cn zmzQzoDs~}RZKrkX9d21AR*8P=&&QRxt?Seqjnh^_e;9&C49+BKe&nHa7A9mR3Rj4< zTye66%=Tn(qhA@#FhdKl>%1-3ofN|pT0soh?4Ga81Kv!eYF#N5?{wHF>QaLE*skWE znA#sANg;*9P4l7Hv3X5Dy1U=jl{la0LyD{(e4+l-b;q_v&lHX4WyA=M9CCJcc!lu5 zn(mFgRqilkBO+lN){^-f4=uF>&U`$jJ1qI`bVnZ1vNyU}()$aT#y;oftc%ingU+f} z=0epYjFVyr^byZx_3T}m7=jW z^wC8T(`QgQ9!rS%bfL&RT0mA?*WKUW*xT92ms2YQoidyb!G-%UU!#VW$LF%2(51!} zCx{q8g#+%1m)sp5q1jy74uxoptPUgUY9otR^wzx?HB@i73PViRHW(ryqM*l= z?aar8#7&o*lc_)Zyx%V#154tM{cq{fMcGK<;Lysn z-;xtkrS;1*NQQn+z_BCQZ!uUWBx)75bN={RR2M#1pbx)g&;nT4zTCb&iTyzl3+dVD zL>pb8>bh^)ZuLmMc$m|v}a9E={7kv*ceVD5# z90fhZZe6`h)`gAm&<#W=dhsGe{2_R_Ag04(%y>az?;(Vg*y9GCG@(B7 zC^Zsqr3>F7!j3^_d!)AaW@8EA-wHdT>(secyfLCs*GR(H)>YVgN&-x?E zn#N=4^^Rv*Q5QfRjO>&0@pdcAPvD$I`*Y5u@O4^@5JR@y{5uah<|o6?pU+psO0X4T z;;*juP}qCjq>k<;xc&We1%7-s`P}m7O`i^}Ok=H&Ho2v-&P$`p%6Ia`l`<7}2KpB6 z%+_lSAu|dlvtj49Q-J{+IVoF>^}&&=C^qRN?UjW;{IG%OupRrJ6}zv)x=7@+9G&gI zSdzSjytuW-TCZ*ZtIq7bLk{*szbE$sNN=8ekv$)AsGu#CV8in-tS9sBJEOO*X)`9c z&Rteo(`wOTso`GpcgrpO6&LS+O<~>CAY7tG`ZzyK{clJb&S$ z4fRqcvy!wnn3E^NA-I$Q-SobJdXIV(kD=#p?IyS10IlC!=prEVKX=%D?S(anfm}Vm zHeS-|T)v4eRP<(5pQ9%&g`nB)o~Ol%&U*t`-vPYa@9EXAjP~N*fDi+2*SvwY913Fz z+JWzbvl)}SYzMf=v`2VWKNs-kvT=1!R{V#&ew`w+FTG&-GIK#-XsKSeDkctAnh{DW zHv0S)KZ7lkucLW}=DMZs@R5G^U{`M4h8kYX@!(ity+*z4sfgUPCiVV>lR_fO}* zG%L_f$zE_ooct8xHTlzz=@~#YVnMS{ou! zw%I$o-}Zac@4u2f36IrYMz zec!`RK|f6PP5G6!D_buxk-tUh5i#!}sGMx(P(-GWK)-VWwy$GltARTV`T+qLSsowe zS)Mn?$Hm#nhGVjam-sfFw=N$SMGb>If7ncxRR&VJpM-sBx#f4moci?VKgL*o&5~p3 zN_f3Ke6y;?uv}6VC6RB`b_d85qmqd!yt)uP z4?VhjmaZGP?}Umif9u}FLWiKkg5$p82}Uf&vuO+3@c5+LplA0_R37BKm}zF=dz?|c zTM8vBu~~1i`gwkM8L1NDN|P!u@vGIaN6hzasUuhf%ckQPlj*>MO+3f=Y}<0NlCQ9U zTykBb-c0D5&r2e(OM1(83kvQaJMtxBqVvdeS-8>tK8-ZR7pQ3;^mfE?g>JJ{trPLh z^Alr8;+LEp4AF_aCX&Fj#|rDifOBpdr;|Shk=3{m2tiL)duu`G))ma1uIDFfC~%@ye!~q5Ci5fU0aQn^NGg}47%}ggjGkx+_{&7C@#vDsf*?SUA3!D)&fnm4jK-dq z7P^QYtX;p=t4$2vku2=nJ)h?$IjK(=5`fz6D<2$1&`0Hm z`XuAjANKXfL@S}i>g&jg>c6qK2X3WGJ&28Q-8@5^)@)YN0+R$X=bBkR*@RbX?N7zV z(N-1OTfm>1actk=&}kpeH$`X~-+#WpZgoL;ZYr@FnHVdM<06{r9gZ%uh84ojo?N+R zch$qg13FZDTQ{ z?(Btz)8Nj=8h)5fB1osAqY8UwQQ?(Qt{R}Eh7xrk>fzC;r!REtY4Uvt4GYQnMZhzY zbloX89^bM}UN9CaNe%Si-M{vF=($hWjNPPUFJG9{{3&kEEQE>3l<{$b=xU0e zxb#|S8Bg#ePJD0_P`kZZox3ijdE%7#&~7|WKk8aIPw084q2U(BB)yuqML-(VOE!YS zbA?u^D6H2bbaeYD)v4nDA!+{Q(SYkwKeNrYTZ0ParTjsk_~<^u-edLQ^6jz!iWZLC zc1ify>Z$O?Rc&bof8su3$F^fGJffxe)?nS6aIyAjs@UlPV7-$q!^L<2eR4Mk0~b;D zD-GIx=KI?5KvSRw{WsV%Xk?U=@;%v4@Y|E{y&2k%d!(Apv$!jKu;yryPRX8#` z>^5CbI_`&{<#VRZ1flCzY@-VuWHlvyAlA7{g_`uLu3K~q-wTLOW5{`J#Con1Y3$0! zzmNS<$p1LIcKiA~1MginJ zfyWOs9+#fPs|nn7ai1e)3{&Fm#W&mduGQTv39?(QS(UBZ+!h&2DUo#zJ5DY_Y6Nv^5k=?)~=Sy@6?X!gvLxr%VKTzgp)Sjr}(?H1sBN z%~&;CjPj9Jnb8;Qb1r_e*0bTr@0G9!`q?*XINm#vPG9$G*yHQa9Cy`in`gaTo4Vp` zBM$zOH4#klq`2xr2^c}m10%`7C&`IyaXBX$1ZI0G*oO8BERnXjtmB?c6|xcC*(3R2 z)kdsT*UW?+$2$KX^4{_xj<3zu#vK}W2_Zle++BhMf)fbtgaE-M(6~cz5-hj}65OqU z#@!PG!%Om zF>vQ^Zu3aE1*WW7iqh(V@j?eiu!v>s>DfBHK$znEnR7dDWY)6I-rTzBVO_&ct~J9{ zhNRhv__jvFN0!N`F~~k&pXP*TkL~S-Uq(`*WR1Tv4c^d|Iw#Z$$fMw1e!>c|dQPnc^Za;_=Opb>=VeqPzR z=V)eHb>*i)HPXAx?X+K1XLi58SJWOPSGeP}+**Eg9XBBDY9nd%<9~(cEZUh`j8<^&`mg-XnwFc_^vb;peQ!^97X0U*JoC59^>&5j>Svr=SUH>C zYH1opJ$oW3q(b0mth_({MiJFN=Xs<|<0bWqol&bkY$$or=F&|J69?!}tdL5N8|9LD z`r(EMWHmQ`{H>f*{&Nu9NhAm<@Om7#q;Gu^7hK7Mw;l((&*-d!=_BYH zOJS5q>O29nl}7A}zHpH{h?6)Z^BL-~9Njt_ni=?x$HC==NMrtbQ?CnDBzE+o9Ir6v znhS({fx_7cTYI5!e@KF|2x6EiZ1>owzr`nzw_9$0Lv+J!cJ~D5JUd13` zfMp9GbBNu$aux|_=Yoeb2*1v(H0xBy<2q+|RH3a5so#R4|Hdn2IEGj6DOA+vvD7Z2e;R4%7R%vXHwl+vO+IEzzD9X&uTA z4%cF%QIqo~!;@M;>r^?<7KM{ZD93fGlk*~XkPhp0OGB4^7iHS%+`V(jblDp^ z*pG0wAAkMf&RD{oH;jUkEg)uN|EPg$7fRB{{Q(TQ03m0)l-hLZD@g}7(l?p}d z@5GmxXo#;_a-04P@t>Xrs#CL`>N7`>CG=$tu_>LpU^9+pHlYtY$JY=gfed*+q%)7e zj6jr1EExQo>tb8*t3i}3Z_wy7ZgqRom8|jX6mMCdaaaLgbv%ay1X1$+%sJeZ3d$_X zz@bCmuXTOwDYZUrFv3>}?GXsplkfZxk?+!w?$-}{k6}e3t#+zJ} z8xj1Y)7O{sLXQ244{}l!thSE-&Mpq{qA*jN!}|GKT7$aHUnVht>U}=VWS~~2Z-F1j zWezO&*TW(2c3i5g*H-XY@HhNZ?6$hvf0Q$VSg`n?jdN%t^d4_xB@RXWUuR6WAby<+ z($!;iY-H<{a2$J$*ni(|zx!#OetNUS*fT|_@G$Dit_G9sk$-b5&xf)HiC z=j)IWAwT3xk>Dr00HJrdAG@t0V)21sXqT&SNd4|E=Yp;3JfQN8AeM_$#3jL7fT?I|ywrxL=g<_};yz{op zFdeHERIkbyC_3p^8DXo8A12W|);3&bl9qk*i63#ylF73kD4>?>`Ww139i7Br_u+}p zdxL)0kOC13@ybdq`=ltgLzMUdBPoF@!Iy+d;;uje`o?}by*3Clq)CLexSA_Ezn>y) zA}*cV;8|L#<0)ryldags`ogDeEuT1H>)#@Xs`^{w``=nRRCadS!kl|#ROE908qg52 z23pmnE6$Qw+DBej)7>hnKgk7h8=^K~XQIulpN$-eoP!3B$;RNg@|;#(+t6&9k<_=ev%Uur%Q<^XudM#+b+vh+?VnMox*CV z5->X%)Pc<)=jTm^crDn7qQBqBf7v{T8>{B^Cnzp5Z6nrAaA#gCs7l^9D(O^}ngz`{ z;ctfG&0fQ^1U=D2%-ZJb=Vc`l4ATeDeP~rr!dBJv1O1i1tAyW)>)B<0Pb~jYgP$-c?&@`!U2|%()ASyISm@aJ zGQnwPVEe~ACaF-QBQj%4Ex^q6Wu|HSkW+s;U;5P`P$9xdvU%g}H`O|V$>8kD@>F{) zD<#~1x3FpQc41|@y)U?=3F7Sf;im7870pSGz~f_L!fWnIg6qRFWeDfZS$~2TyY6D* zaO4phMyTstmv=8)Hkg7AMz0UakJ1Hu zUk3OtQvU;)Kt#&?XndAx=9-%HuPD~FFj0^VYuc={!C_ARsphdbY|arR!-_r09o z;B}Rd*gz!pVViIFzOx-HKQ<+Tp}MFVimO)JMPNKh8AcLC1;v(Jjtj1;?Cr4B??u6>DO%$e{2!Ixwt9I~!`b zN>v=06@3mK_guN0kG#GKx|E>F;f{cYc1)ktQez zocTaEqEcU~8yf$`+`wcq$FC0Mt>FdW8#2s_NEm3cTJ2GhPp3)gChrbKd!fd=s+U#V*d`>J7Xp9(eOA^IcEKX+LC?*|k!%INP%SLWl(8gvv~r$yM-J z8olEDKSYuLit@|!$>qs|z6B^5o&5a3{O>jZw)=l$NCwFN88jCb7TlJr1$*NwBI>69 z8=d6e+ad!6TjKL%S=Ku)35mI^A)%w8&1=WKG`%y7`k(s^w!->nX-GSefbhbLvRA12 zSL6RbJ0_#}XCa-D)zzFCE!WIBWvBmh;{SPov?^H1wm}OF+7hW5Bg2;ea{-us(esiCm5&3U*no!aAS67#ifH|&CFD8f^&F`Z4 zbWd@ob8)qSTaG;Lj5#f?2}?&F?PWc3L>e)w?CaMUjw{e~K7RgU{O<1VQuS;xQflg# z+*~`yCEUW5J_&fY1^X(M6G}6FJ_%(Q#r!w+w3UhWOO1{?odNzhcpiD<7Hc^vvr6p8^(}oEZci<|k)ze*E}RZ$HQN zQL_^n9Swt!g%BT)(P{@Q_dy(KuJiF$WwAmolHe=m?jph9QO9cQCw6p9Ol{!%wx}XM z?`Xb8?sT@&#Arj}hL$z%7-@AHE!k$c)LT_l;1B{W7@MA+-prQER8&+PnI|MB-Z)2x z^j%A@A=IKY{erU>W1+8mjgnOQ4W z%3s3Y=Hd1t`Rmu`_lex>>@ky1u1_P}B>#jRu3|MHr#hkN6RQQR_ym^N%2N)^MuEkqKQ_>9cgScPxDVa=8&VNuP~tuP!~&Q3~# z=Oa4{n{iHJ2xjrm?FKmJSis_s$HU9+~U6V_KbXt z?fG-rMHFsfQ+>FcXg{lZntrY{kV{qKtwp)bd*ve)mD`!Xe}dlYI~z3ofEoI?RVqWdNFJC z!+m?4l!k^qvD~CBb;bY61bA9fTs=GkZ4pF-_fs7I@|5WZawMM%{uC(S4i(xh3K_E4 z5?%e)Gn;B!4Nw6BYDwtGy-)XN6ZH-Yd_Zw7`}p$Myb$EQ?D!MfZjv(F6MDuDGESJw zYla;M0IVw8_3rR#C+Yj+P%tiVj}!oI*U-0bwM&7(c^sZUrPq!zL$_^>78! zqE|x?h%_@S|9v2bTLOe;rn%@*&5`;C21f4U!zm_TayvVIq&8!z*y6pLKUwTZDPCDj z-Qj0?9h<1o24td#u7g@o&Oms)j=puBV2nk@ciw$Kqw6KCHAd<2P!r>%; zsf9th4a5_bp8%#x1)hdCx)sTA&?wKPgq_5=tz@E;970ZJ=_)tyF(2^BX)Ol!MUx45 zpT3u+B~P!JL@ONrBV3rv#aZRn>*o?u$xhoaiH zecCsamrcI<>pt-|Zl3xV)Z3j3qA7&I7S`gvJsp8h^MW2nlvEBf&SPQu4x6vbcedTv z%fKJS|NZ--U&yFb7)*l_{`&Jr}e0} z1Sn98I-7~q6kD()&_l@`roOvxjeZg8{#aj0&jeb;ZY~7n1$yjGD=gyRcn1XrB?mWl zzxdtkYSntXS62MzK~zn$;5cF|S2{P(!ERN)&3U<5>z4iYck3s610s7aiR$jS0K5R6 z4K3m1$bcH3i;wAOfLzJ;uw-lz1_fN)Ts*PWGNDLWMCQqXH;6P#`F#9VkHhEvl#3`i zeDyX1@pK9|CJi4`HbX6u&{4`@Jg{mQN)PoxP(aw#NrrvpmjF~a{X;Pj`+vKV%4t+| zl-HiuEW-lswpD@F+4`P$w)bon^WeFC`{fU%B7zmZ+F@xAE9b zzi2(_r?FlRn#0F^#dBP(f^Y$^|H4xwYF6Za@e)Esb+fW#`~Mb<=y zqc5?7KDH`T1m9FUuXcDGG|WYJgz~y>^hTZk($<*bpO9d}&DtsCw;50N#Xf7otkxYy$jXyP<39?{L1iX>Zwp2|e zu)HjngBOQwLwZG0q91NFixi@`Rua_X*Wxn4L9+N&FB)r5R-Yb@0&9O0&cB*^ z1bSELKLO|+zsm(1%jIVWG29*I#n$PRP|cjF0YV;&okk&5F2JRmNjbghcc%8LwNPXo z`2iNA6 zIGD*e=b+8V?kKX=&!3e*wLg!aqg-v>VJc8a5ar1m2izbEf?&^lflFTW)J53ad<+Dt zqQ77)9`y$fSoM0?8F5f{+4eSDE|Kr(_GgsAd`xE?ghvC~2&-WXg54mAAm)&O*BLyT|HT#uq>d@}>b)s5Glqja@MrkRS zN;}{YVPk;{T8d-{0MiR_D4EwF5)<7o4MOaEo&$E%On{JR^kR>Y`0^sE@f0k7iT>Q-r*${BsRPw&536b!-b}_i= zQD$VJ@c(jBU?mgWjq6MrO9MXCM+BcP*IKiudzcTtN)KTSOQHGO)QLznl0c2Qq{Vyo zZ607oyoe?PM%~|FlCpG{vL2Bhd8`~TO%lgpKB=i|A6YF9_QWud$K+6^(T%F!dz_R5 zMFq35U)ue!M3WJ9n9K{N{HPSkXQRiQJsaePBuBNxYMz$`*@!AoEsU$S7OZhC059ZW zL=-9paw!YpZMGe@8YR1#M+Gw=V-V{;R`-!cOXwD@TcEB23@2}w36aECal|xJdBLGY z(%tUio*}j2L7a&^86N1gWeZrgZFS>fDiY0kimNiYp^6k&rJz{haKs+5xc*HfZ=4tIFo#Rbwqx+O`;$thHOUB~FsRzX2vRu8 z5m)l4`?#p$imQ2)7qv1lY9}zW@0tlG^C~Z8B0$A?bgAM4{>k}njmMzp^T^P6e(We78$P={ z&)yn(s9RL4IZ}O>mcV2Hj5L~C0&o5U2^AHyzLhVC06rP?*qs=|2+HDRe3mEu41c~G zJit$C13s`NfxPk9&@>fUL-j}VKU|MwNG01dbbtukAh3~_NNO_TIH@#SdD0p4K(Oi= z8%TSeOBbaKtT!S6nVTL3T6Vl9^S!L9)sP&O5R?HI&3pWIeiHdxhjNUe_UihCHHT22 z=Y}ay(jw0h&Kc}D|4jccZ?3Y=UEmoSD=J{#i-}B zW#qmklVIeTE^_pyVZRN*Pr*e#kAmo09(CL~d2dfWwq~MSeF*G=207M3uBHZfyli3D zojDYAV|fpRdgqM(82J6Q_kN0B&>0RQDcNh*KKIdwVO>Tu62QS*RLSkJ?N8rUtH;RQ zDMN;gp8u6jAwZ_1$TwR9S&@(z)>Ma2u<@8$E^*xAY;ka~03*NtfNHGc{8ZA{EZGXf zrmv4hw*!dc;$|!=--FL^Ly-QQWa)M^?tF)m82!o29d0-{zc52j;#Jsn@M&D5j9Hfuw>j1kc6I+te!ML7Gm6P?yjEyll!`n*%^_td zD9qSNaZ%#8@r^VR6vw4_+mBI=s7C;;BIYFgw-b2w?(*=gUi3ET5)&->K^oQU9D8u8 z`jy-eDv02HL>Jc4%kGn(gvi3b==wQX93T`Bvr_0>e!0#DjU<>@leF3mw@S4Cv+3Ux zsf%CQhzBih=0%Wl5Js#ZrAnT|Gw$g>B863UZA=WeXd8sf_mhp+GkK12kLcml(ayP2 zC7;u14*a1_6&pGWl{?PgPMiSd|a#xhgyEmAd;|H%)P2x}ajjk(#dOnqP=YNlTt}XQEq|`ZgUFl*4!on*y>O4no$^ znDCZZs|O&GRRoq*;!?GdUQFLGBb+-QUT^TWn3EBb;7wNx;w^RLov-z1C+FWKP3_EY zgm+<}5+&PH8i*n92B9$F=7^NPkTrOYP1kV=ba0z?P&QS^aa5kT#Ux76eA0_rXHN zeL#W0vqPq15<2p~bwBH7i1n;TU6BK0erSU~$S?i0#6cy*!MI*G!IadEB&x0;drjBR zhUVam&Ygk{?=cH}U|U7)zU~%xmP5QkdJqs~ez#(BF6nm_<*dxhVtxqI4|)uGj6yFZ%C zx7s@&DYcyMk4a_p43+$QH9Ecb3Bj}64phU+c3pZj5BhFe>~;)O?onYLC>In+IxovU z$w_Mhk7x=w%huc2rt5gZ7}LSf8lok=DNNoKS?8W_k$)ugjb&P$8u~(*I-Gm&f@>{4 z??SL!8~_-n{C@yLZF-nEMsLQ-qxG@zZoi?K!=9CTAxGel(n&DU;Se_J2N6UkzbyUs z*(Ko}HFQU5Kn0(=d@%^~ktEum~_1jNk+c*a@;w&r2^4#zP5_q+%s zv$KWGvQI$;QMcVO1-16+PA&0GHuVW@arJaTxlxQR{qn&<5=uQ}2bHU)c4pdH`FLFr zMTS>P-;nFEY>f~l2POXfC!Sk;PcHdWk9NbczGf4P<2#CL*aiSfGQl$R5;efq zs27>WxUR02O`O$ek$mDdps=DL`wQsYmI5t_btBKE8TB+o{Vw%X<}NRR5iEVcw35?> zYF+5474IYLu+&OaH9ujiagOWNW~usW_0{BKzCZTFA_XtTE-eZuB%YJyhvcIZ zpHEgLBF{`u1bKTU9|ivO>YlxfOOFuo0{?K>xu z;F-J{?^WaF-<2u5xuDm>S1$7wq}TJxxN%rXleZtnGIX|PT#1N|3j#QKoX`vDVucI< zquhKotD#EGIZ*UzHT3n(H}Ce8ANPM7+?etnVCBsH+GuKWPdwWK2Xao-XH-{Mi%rW{ z;2sK%A={@KEFBrNm*L2|hRb7VOQUdhdVxa$38o!$CQ#%}LR+kywVtUTLBsuU;sixR z$A;GS#^&hjVWvzD3RyBpiocPq6<0gCj&frWv| z2oup$ta;*iL7*u5hJOXh9d~bC%#E+1VnuY_L?{ATUG8Ka(gM$=h3vD_KW~{?oQe;4~x zsFCf1-tBEQq}2USks+QLtsL2tqah-t?|%^heqqrvqyAl+S&vuKVJs0g@b6 zjK5#m%d5?>+iL&Lu-71B3h-_}dPn9=bp7DC0qH%~ZgS%~8tiFO8=6_)MRVg%oaV8a z+=M@LHuI^O`c%zroTen}(n~~h7yf-{gaj08NG`XgFb5jgs+fgNYqgHd+O(&}tK4X( zRNhZtfRfTy_Agvs0Oa+)G_%%QvI+R)TTqje^$^fda%FKx#)q{R22~yI^b5(;DQ2yY z7XR?5>D4)hLlsXDX_WzeXCn2#n9Q2wlFFd&E&D$vd@kOZzS-?K1&ru7>TYj`w+jcN zPvyKjHqXh-h1T& z?JsITYZUJ@uyD7}?XUkTkbsby1?=wWNhHXr{AWvmDug=RTmET@+i~yr+RAzXySI@; zDn}PSA`RgGyCo9*{t&2Do{l3bOQiOH>v=O5-wo>l9|_XOnQ4)$@~30H-~X3;;vZRU z2rGF9xu+^2Q`*>&PesMze@aLHthho5o~`VIc!JpXrX?4J!$5dn*^=YpP2 z-;76^ufJ!tT9>vao%{MPEcE}gcyM%#Occiax(>cg=yeSuJOT6J9#{IgJHfu(M|zUA zXRp=7&u8Qb6xB25{^$J&NTT>?@!ya!Cep1SHzQq#q6WLkx!JFgkpoD9tfFJ(vr020 z#C8{!IQ6>*>;LVvg99monJk04u1~ML@T%IE^t7fkZju{pq|j}+8C}EP?JECiI3yC^t*}b{JW~qlls3XZvY+q84AKF=*LM)O3EvmEsgI`GHy*(W2A7F9JSze zNjBj~u+_G#a{5#xpRTEzV5_kPGVj3xmX+2#Rw%#flVr$6WBI?NL75sXSg0BODlC;E z*D|~zYJd|3@w;<4X2NxeuyNyGEuM#mb$y_|n8`p-t!!bDkNEDewsT9y-%&Cdr=cC{ z)b!T;AxHkP!JvE%Wy+1sYxU!zB;2u}et~pp+u$_eu=h1(AZY8RtESc;6j6Bk2ia5v z&DlGd79$&u}k;#fMVLVWxA{_pN8pO>B7mg`OC2WFffK7Kr%^K%Lq zOvuw)_AQ+9@S^%~a|kVFWAG+aU93$$+VtGiqaxbg%J%>dm|&{8&!L}0*GzxYGxL)v zgf6>XN9%PMVjfG8hYXk1+WPzT0n-w^ifq09XeP|Cc^1LGLwFwTn*z*|z``vIGPC;t z?dkKq$@qRDb9Ox>ypi$Nk3sikokUY?p4MYCH`|}`&h&{`z+`}Y-f`_4qenleNByWA zSYO4`0bVkpAYtVn%bqYYt>em54B&^v@Xs8yE95s@L3 zYL-3Y4a2p8zf8hRL5dCdyS{h^5B;MbHVqCTr__S>Hx_sV+q;V5wDF5v?}@cE+& zR9Z9v7P+(2+@LoFTlLU`uR_18pXxUrM%4@fwyc2LUDK?o34+IV@o%1bjcq6JP-NUs z@C&&8PPGrsu+q?lSA$vYUarK1#^H$ATtZKxg!=u$et(te;X%8D-pvpKcA=pHOXi@V z9pA~2Lx|I;O%|knD*1HkJryB65Vh?-_HtsxUp4R%73A(}&6YIDWL?DxbE9(hOQ4-ewgKzyq^0{?bW5rftjm{J97SYLWk z4QN8_s2$5K?lf`=M1@WZwRd5Fnh{RMu3O4gxHV~K{;2s=hs_FUXq2CT7&q)|BLIC= zwF14C%LF)#;j-a4)_iG>OO4?v?0OL!eKDD`2;99o)4+n(3PwV3ZYoD8TG$h zU?mZT$=?Av!3ayLgAJ<#uvy8erEc%?4(>I~;&8bI@Ad76$__3a({`Uv`W=4WgFi%5 zW+iY)!KH4>0Y^V)wwhQ6L^(GyV{EubUgknK-2&sU6xyc>Uq=@7MMnT+U+EzG)30~S ze;~=$DSpt^nY5;S>BW=3=c!~S10xHdNx^-+Mh64?w0D{1<`1l!yk^HwGaAwhg1PE9 zD#>6AfpLii8enb#Vft56QGQp=ftL#<`QB&bshzIy@71kYq#kP9lWyaDp4bD^SrWaHTlK6wZ`0z(+&2p!f*2{4X!N+TZ)QQb=r4_liAAHAzB;coOF5VdDDm6V z3RRgBo|e;=W>l0bbiIAoUGTi3XOY=mw#HwG-K;w`K0prT3n9m6@9Xu*hF!g|^Yi*@ zi)l06yp2~6uVi_hE{8>-FKFns#5fRyk#EE6xLJyp(=9N4DSZ6 z3=2f)jea>!5~~K5BE7*x&i=0-BXHZ@HfIG@B^x5WaX z!j_&`vBv$B=`)T^f4<*F9RslPFu+6*W{62|i{jFEsuXS)!OO?y8bsJzZh@$ap>-P=hE*XqN>{! zO)I~!CrcAkbI3oa=8}J;)dUK=E(TzoYE3*{`^$vK;1#Lc9i}CBuoD2FNoEVtkT?nB z)x$%xy$-?U!m2QgVxW>9BHEhBp| zbl-aGekC?Ae$@Lnd>Gqv=_OK(NKzLYn#B!20~7$fi@o2tRqdCC*MN6Ip5}KqQLMN zlYF+q#JSnt+j!&{ki)2Q!&aTrW^DI`W-HAgyL}z`uj5c-4+|ub+FuLY4YPBr$PnOj zLytp}>+Zj=Y1=^6-C+v=?LEV8a5|#)V5up>_pn8r)_s(Bqh_GYEV((m5IyLuN@+%?wawywG^1zBZ?sDS6m2>@B!Qdh0ZlpegK1x z#n^Mf`m5uBq2wj{e%MB=Rygw94{g>q0y;4PDBw@{F48T>Q~Gq4`=sQlgCiY#!|1WU z!YNR?3Y%1>!nt^bN%!72UUl|ECT(n0=ZTNZ_wU8;h>z0g#XSEyxFv~R9j!|Hoer_S z?jd1`o!Rw>aXB3-(f<|aKE@Du&v?Fj27T|pS@ezHCjQvdQDiew?tQs4QH~j?ClUnu zhxc~5#1WT7&(*r~+#Ll4^Yw%H5tQV^coyR_0vpie(o)(_huPNwXG|KjoOV9RM!5<= z{bQ?nDieXa7HY)m9X=U1>)u_L*Nr!N*UsKc0?lL5`SV@(Zb^1d`q5pOzbE2db`QLr zA&uZI*Xt{B{IfLaYbZ}8eIT@nYDpwob!$$H$JozRd`S_gNvE<^{PuX+CNI!nJ)(OO zqMk1suDlMs1=O@J77f)DZt+Du=XcU*gX|{__5TlLU9@ ztkQ8a(0xtsw|V$s;Djr?l*hlIqaermYAyef684#+gvU3wh78hU8HwL+#<8P%_kwSm zEq)zk*};it?i$oy2*qoRKHZM>ZfI!C&}Wp^G%`1q&2BPQv8Lj6sw0h#P(C$vJUVk=`jE&NO8j<%7%-t|KI+ok0g+{ma^nU*M)dJT{;IOdy{ts@ItjMaPJPxR z=TVRq@h1Xl9$vRimx}${-VbBm>l(Nu{-!%g`qeJMr$R3lO_sS%M)@^Zi$1e9{;Z1o ziAftr{aXX@GK}}%zj2f|!p45@yEU*r^?ew;Z^2U+Z{pm}%AQ**?yG5lgbc&(wtsC0hxl>fWflrQV)mraSD_uoETuBK0E-HCwe2NJ0IodJ2y z3uq_uGvC!n_yQaP?!o2kCtI1$RO3bZFIIey=>9mXIV?9bp6nDRyg1xj8QUAr5M*+_ z_^tPGqH+jq=6v7nDhjx!dQH6kq$GA(_z#=&Wz`;*Wcw&@EID`91o!|H;hm{MMcLup zbzS8T8^D;+WD_pS(s6&P5}F+lNkEmM`R&{7je)O?+dqIxEf+@t{dMtUb~8|9=!sFi z!_Qk1M<}}ClD4|2D5FjC^|h#5{P!E(KAA z(>$8zU1Y3F#AkyAY{tvwOVssVaJ3YfSnf>Pc6N;@y-kjj2Iec6%&}{8G}6H^3#)oV zRnK?p?)PA#m&Oa&ZsMkJgNDr22k$cG>s^z&t^j(;hv_in%3R=6O_=w?C@6|KChY~a zuwBvJQOaH2NzLT}_fWDw-@QT;h~|J1Gv5l1xiM1I6^h9UaD>Cd@M6LMhn~Ge!2PxS z*_K+|5mF&7==H!FNyh%~GQEvpO#14E{Ol~M{;MDCs3KGCzM%c5e`Y#4-z6DRx+be9 ztZ*-K7RjDgj3h|=OrNSRPL&b`ct<{KaPf({j*D*3O9E^`Ze`_cj9 z>necM$)_~MfPMKkQ)t_e?s(?=*uqBf$X_baaH(g79Cg41Dr(tc%&rU8X@?K=JKtB0quZRaW-`)?hEJ48JHf-;`ovI8RYHZkzV z@$-+Iv^{fRUJ{KnRLe)HzKSYRw7X9H(;m3vtZ>(Hhw^^tm6P6k62I^;+EB0OG+*XE zI!P$7M(K`g)IwPjJh?Qel0M~WLk#);CL7NwTp{30qG})+6rHMTdi%k_ZUR zqzBl%2VF{%OcO4YV<|)#>pw{(O-OnZnMGaV-_q`<#FFgg);u2tmc+9RBT@oDPZFr5{k<#J@$6X%y3iB`j>-sL?Y>H=eQFXf&qcu zDxbX)dK+TZn~%q%EC$>Bq0rCX6?oiypWe{MB~^cyoX?bPSmUOqOR(<5{9J(4}9+PheUm90a>gsf)<<8kjVU_l+-N zVMHPw7Gu*@5y(Dz&8RUdpHsK8z8*=Bt4Q~byRNxhqUd0;vCd|N3T)jm$bys@t%1s#J1Ru=UJX9`@7ji?9~p~BTNuTI*)fTpefaE2nv zFIRZn`t|3?5?Arq@Ch{my@Uw#{&Zx^t^wz^3w}2!mk?1_*}+Hac}QPn}~h8VS47jZJ18JbR-V4 zq-s4aKX0LD6=;7(K|c*&He6Dt6JPj&dQPnIi^8gACP}OCwZ1LWQlWbZyIjjDVoZg= zpMuR$f2E(<2UL_giy+1YFs2`q7u!EFio}p}5^x&UV~xU@vZcP#`|WhObe{~2>=$z< zeKeL3x8%`fIO4*Nd{OV;Jd2+7U_^2k!6W1{giRWl^HaBinm}X?3AcnXLGr~b(#pSn zDbP0U@X&*G`Rv#_@)pwQU*E^PZ^aco>Qo;b`6oEnWsiA>-?)itxu3Z ze|R2<&6>)>ptk@tIM#ciH1sNI#(AgIq9v@(^V$hctUDYI2 z)B@KdE{``9wpG8YYyHW@W?RluJYS}YYgB3$4+n@5iA*jM6O7vBB^#Z<&f+fD;AxtyuXLFowUI{rkNuX)%6OF6=%cbMaWBhvM#S_ zr5+(c*@T+pxe30{u+=_J6%Qy!_(gCxy>XXrXSLAueaaM-@;^9T+82wPE7 z+Zi8(s*pw-zU8bU#kzg8rWO&|1s8em4~~@T!e(7~%N1KG_1N5bk|swmH5c|fRXcoy ztIe2|EFpZhLPJP{i?J%}{3MO>v79RuwwftmSCG_CeYyR4t;MoWpr@0TO!o;eH#Rmz zY`qVo>=adDbsUIEOVnqFIAx1P?*2M_Hv&|I{y)0jI;_d?@BdbjE|G2t3F)o@N{S$< z(%oGG8zZGekXAro2uLVMBLbsFjFOP95u*{tsL?#v_kND&Iga1&zVH9WF|KRpu3d4S zpU?aKdbjRTvt>o`+B|OhcX3dJ3uq3>9+Pwg(yAy*-+PB$pBVGx&(cTNrw;JF_y(z? zTR9q0q6|nbW3FspxftCq3=BNfl(S6Wme8Foq&Ax^S-quw>|K;%zxGNl@6>DY*JPos zu-o*T(jr`}+w1aKtJBcOkN@h@k?`swJoe;$YL4m-Fh8csOmM{ zkElLa|0>eOSel<2@4a=EEA1Q?c8xN2ct+^1$DV69uuNoG*)#waJ31@n&gY_%&*j+| zX5H2=e({N_Ro%T-XJz!?EuW-h+&+%ZTF%7iAYk}Y(@pM9gtfz;*T$Coa!s#z!wkw= zXwD7*by{3@ozu?!)#8quPk1lEmh?a>0$X#yZb{gosT$s~s9m=x+8Lj=pp#!2L_hn{ z!+WZtX^#qQv=3_P()-{dYfUASi)g(>LGLb>L5`e$5!Ai)3n{kQKC)mZeTk3rBgukw zxh`=fgIESgde0G^shX^;!5L9ffJvoduC?W=PoPg-}03<=81+C8Z}6{8^^t5Zj7cC$eicL(PjqKhrTce^VrUF z&qd;h(~)uS(g+U{b&cQFy5KYN%4dgbgoH=+8|_#__fF{A`mRR{R1paxtu9rcY2IY{ zq$1Rd+g}K4aHq(5AKMnv0QE=D(lWnTlPydSeNc6}tPL0tkt6E2jc5@$%7STO{*#}K zwPcjKISqhf&5cjby0HnLGP+Px8LNiz+5Oo_tl8;ee{5NhkM~y z0>Afs?VFE%kEHkIyxxGC?;rkZ_`qMKub%wD_tw<2(5apD$DU!v;q&arHBDL% zNc+@ke$}X-Jz!FKw}w!W_HoJqJxF+H%XsMFUZk1WD_(cjpDE(aAlOytvtq}?!Xd~& zyrRuVo!H6qIdf6^MUlqGL|^LI=kgm_7gIMIIk)zRDD^6nnlvg!&sItZ`vg5RcOzAe zgxZCT#8IODaJE7mgM&kdnDPC4I(PBngVDXo5>Xj}dy0@;h=MNv z`Qxq7^Zg`Bs%m2@e(-snF7~lV?MG6t_<*?I>)*wSJwEzO8*``_TLws};zNvjB6R!2 z1DWv;mZK<$C3+;qLPC_LM47_~DA_pGYrTK(R_@zv&~mT!4)~b44DA)fv3CgX&pB0L)d$)VZ|4S)Ac%Up-5-KWhFGKM8gk{&d{ zD5&0V;FjcbW*bMk|4CzHlw~DwDfHIz_r;Fz+#M=+?DeX>YS2|`)p-0U<~oe$jBjMW z0V{@E`_xoT5Aq!WWwF;_4ui8(N?ACDV0^}5OQIV^VkP%4*c?Q#H?ITa$ivbOwfi!3 zkweRlWC!#51@#lp40sNDmmZs8{Nr! z1fDabH#mfJMQI%vWrVj`kttH~sM>{!WkDLXO264o?tG$Sx~&C^K^e_{7;TDTFSy9P zm4&YQGw6d}oGINM0fJ9!<@xfX)i`rfBqj=SgBT%{WSg%ca=%0?k3N)&B?F6X_YX9{ zq_a_jofLvRr5ldtO0ICXjTueFHN24g?Kwa4E(g~UG=z@8b9>KLl6A%XmQwRkfoU`) zqI{((QJc>zo~&zNoync#qkS%3m7GZTARxtm0gK~bnz!r1-+l-aPZ3y9hgxN5@|nHkzMJYO7&3hbsKK;l5drYp>Z^u74L42 z{p?5gU^SlV_ZtEYq=5Wfm@Rt&-dCT8B@0@^4FD0<1?($(Lu|Zx8S-ttB*&}z!OK%- z5G9(;qONiDE>V83NvsuM%=>69N_b2^mAht)SfRb;1_UEt?gcR{R#OHa|2BuNbNRCsbOr1NYJw|pQ3W`AJ#)TmlbC2~ zX)oy0`s2UaA_ENW9tQ_)`*-BRMk!~MWsw>KsgMS%q8V=I>4s@50ei3TZJFKm=j}=% z0@>k-V4mYZBx_KXV5HKlGv$+4nNq#JwYnjcaX@~JdczdC8gJ_O-7nkMU`&e4l9kih z=4Xo2n6oWMKb72Y6eN~6kw#s07EVIb=Y96N-r)Cb8=;CXW6+lWiMsN^f(T)_tt9xu zwN$GlMo#T*y`!p%j4P7By|N^u%Ht$O zHV$+^{vLGiid9Hm1X^#$!fPX7n(y~pNic1C%{s5;#E42;vAw%J^Fgxw9)=gsqye*& za^g+!t1Spl(TRxqOISc=IYQzcadt#aKmlTb)RhAM5Nm=#BF6O;?V;HX_~EdxIr(%V zWDqsYBF&`FS6MW$kSpRzb(F4zDIm6&C5?;L0DrRC&uv-(G9}1mmTHq3|4t{wy=^K< zKz&!7LrH`JRY*jJtC0tYnXp(k$0!=>u_Y=0CrzgAJ?ioa*u+G}`}40go?W@{wtEE! zO5!AbYvlL|pDE6@r&4)J$xDfUnu-goSqrIuecQaF0b5hPNAb>fwVT-XB5~Wc;sH6= z(^0OgS-2ow04K|SVjsXEXGqVN^N;mxt7<=&Kh9VUJ>=(Q=1@55XR2f|{3Wd&Z(h|- zK9{?zQ{eBED1Nu*(XrM?8q&*2Bd~o7u%7SP2_Rl8S zYR_zwmYDzqA%EItY*fB_8Q+cR<19`#RtA#Lj^_t~cNKCTsM3lIy3Q?k&!8iniljJ*<=-ywxY z${BYvgrgaV*9DFDE$%vv^p_^h(&pTLp9=cQzf!?*Odw?Qo5MwPP8MtPli@a;Lrgj2 z1fTBFpYGm!^X#aYl-w{P%ai)G=!@S1?wIRl8E3m21gTQK1r*32>JaHS-kQ{nq6 z7;HBL6z1kzKydabm00X1EU*eWdD_;?8R>s>CQ4K~lKU{lZDK|leztmK_=w5%s_5;& zr55-mW;4i)_w2!k-}wg#IinL(nGKuVD;K-oDYc3wx{>?xQrnLo7yY>Kuq(aCw*;mz zgjitY0}6ItU687=^~almM21IzfB8scivFViXK1A;X0$Ao zMLY;6sm{L1a)_^_Y6xy&+#lt1*SW2KE&Gk8{?gN1pAxxB!8G90{r+>GKRABk5tYFm zOO_xD0Vu&H$;tS4t5ED8vni27Ihd$4TEFZwgn$z`^ zw4l6ID^W%QsF(L;j_>No0?&mV0e*Cv;;uw>I*^fsQ{s?8t-m4;;E4agtmJS_&=Eydz7Zz-v_J^d|!*HS9u0xD_w%ASXpl z@~JQ&4ufz9H&R~%B9n#|;JpA2@+iF$`YhB)`SEfytBa6G3rcW&$Q;n*#NT(XTk8a=BHzd-R{>IL1mzdLFH zrKP|>RhANDUF4_XGv-1=#lC(@FBMJPr3R`mjb4Z)vRxxsOXL~QUH0v6-z16|$wU@E?06TL@@1YlU=k*IbTS$Ou<%^Iq5j$1pjj8E=l2!5A4{0=_{Vm%VWs! zeNjZ~(@2%W=T!~V+e8!_bXeuMT}<1BMI;`V3TA>4)7|lC`#Prjh4^sZlVWWQS4>c) zZa~FMm=CP_=0N<6{CJ07v9&fgENGs;=L~!CDA7mH&SEO!!NToU2Krn{#7X`E19YvA z>W#=8sa&GwYMEcNBOKKV&3We!%xRymd>(q8AENV4S&vUfZ_visLS{#Fc%^{PEY+5E zj0H-bthl{Zw98++=415P;CVp~mYRo2NPqvp{}zTAL>;HdS!Ir!&Z_72HRsT&hCd`->i)kZfU)m(H zc2y;yk1}#2++6lEw0_;Pzf4=C)q+KOuDH(2IwR*k6fzr zCXy$$Oe`6fxLx9>?=TI{5{wKNhous7+aM#3@9PbHQgAlmSNfnzcTJ+{*`J1V`b!+} z-B?Yx@PlmwpGvkl>-TA4n+`|`b57JCx;L+i2F-Z7EU0$)Lt-{7BuV%^RG zSG^*3G+&|Kvbr^=CyGUmPK<74-n2NEDY@o(&Pj|l*$yIDgK+axT&1OV!-Li1W62XC zJcCP#Lh8=PvWoH%r~h6bi}k+L)1ypQS{QtrPp?T<*BUVXQl>mqsjCSkMw`DvIs!E< zySVXl2)q0flCEm@ZWoo}cNrC_Dp4;~U!nk+an{oLB)~wRQY+vC4 zeob@_)4rYUh@_g^iU?#zyGB_NJ#IW9?V)UXy3Uz#fB7j%yK*Os{1aW;giD}fNsei~ zt%T#L0zu>WNDj4bf{(lpP%CK^r^3Sk^MhK0jM=&L6(6Su8xh}m@}HNS%1z26n%mD@ z6c3hF=}wU?w7Fmq?jI=+nLf_}5s)gE!}EEDdwbipgh*2^^)QZeJs!JyAS)Q%WXWBg zM~)z7KA%8qt1*N`GqG0b{XPvnc}yHgX&xxY!a@<60KSyZJSW;%~fm<$r`mKQQm*#HC9?V6z+1BP;e^GM+%bU`~KjN(HVDY;RDlmVbultJ~ecoxde#K7YpV4ueZ?!sv&Uc60SH zTNfpFO3PXAMIETq#Fe~EZWz^=iavM(H{;!||7uXwYnP^8-_AK_)#&syvC@9MvrU(m zS+PqIcakA$;wdULsgNd^_X2+tv+BZH#iJOGWtDbkAPt*Lp2*~8KWJ|j?( z&%;%9Iq=rCn#iRg>xwt`MOVW48Coy41Svh)BJBKQsdwX>EKnP~cdX4$6cQSus+*fV zmBgNbZxidKNOc;UmiTZuEWm2n|NOKCqhk7Vgj{B!Owl*Dm9V$PEhwO6x-Csp`Cy<= zj^^JtLF=}6b4TSb@0PH@?%WivO(!DTu?P##Tc-#hviSOC*zxwbW^ABC$Xzx}rkzKN zNUQq*wvwt^W%&NWH>;#G0|+wyjgbHmV7Z)E|yWPMx={YCV&)wOpC zR-L2w9);}I-1!}7fk{o_-IzGB0%jWNwr@oFkAG5QHdz^6I;f!queQ^E@%G#283djg zidgG#)o7^QhvQK5zhc)4SX8`6AN!#@3E3x%m6@48KC=HRW_WvZ-Q^N9pv>E)P{}|I ztJf8mf$6986XH6E1V10=nxFYxpd~Xy@!Quz(={DuBCQ{KS}56{UE>-Wzmes;i|12k znS1R&QGJwoI>J!Sj^%9m!XNwclK#jRWP23DY-rrB;_THjBk7c-5Zlg$t|jk7L-rlTz+Yd z>%HtaXjH)uu*>Dp+e%l~lhyd;fpRMKtPl~;c%Kc3r}thZ_t6~-wB_o&6DI0v!JsY^ zDW6g@h(-sc&rsJn4I921vLWRlZ11R|Y{{2k&#)|YO|$sL_6ALno&#X`Z1;r6 zwjzj^HRlrK{9YKNBH4B`ZRPHA6-Hf0Ev(WUPPSFex~{MF8+qsgqK0ZBZWi~eBTk)n zkRsLLETyiCRir}!%X_tx4(60GIN?IwW@})uoKC7*2a*NoW4Y&IqXNa=N2Tgj48mTxjLv37zh*G0d}o`_B}^u8xJEV@3;PznwA-uiW8GuBDdO_p zyxqgVL;^Qht(S^l;1E^Gp;^PFF8Sr{U(Rc`4%uIE&!DS(xaQrehDnQ1(Vvd61#gm(F-b}@Rg~`AO~q%51Q7*YcDmm-&QP^ z@XeUUQXuALW2JTV1I6K#Bxy{*s<&t@8$5_7UE&KdyjjF8#nwxrFz+)O zfV{viC0pq0%;A-4`8aphUwvHCk}Rf~50Xhe+m7+Q>bM}*(R?R6C+}6-o1?k9t78X9 zgEA09!tiCzquK>uQ6iX3RxRCH$PY&1A!Y9J-Ply5ny$Wv?AekLsc{ptFKlsVQ{czR9R3*@Qy=(cWcg@E)*4@dx6?-!0}`N zjuM0ilL?sCl^)zvjp~iaN!PJE6Vs*m9{L=7{)xT;mhDy8l@L*?&^ z+zR5m%Nw%=kmdZMw{#J~h4aU-dvA@AtN_O6ITAhfgQG*C0p|Ss?R%%@G#6uY_q(^M zGyqBEMqcVwpuDulna$-gIRe|2d=ax-+4StX--XKa2u2&<3LW^)yZdumsGuM*ftZ>{ zYi!PiA_C~~cA|oo6{!&V@r#@5At=|*zAl5muL^h?7lP|hPrm5z3FUTd z#F(&oEajiK|0c#V)K06asBW*+yDmQd!}oWI!O4o9or{vjkD&E(CC5-v%tDU$d)T`2 zx{=SoBc*|RbAj&yedB&zH12D}j;Ql4{~We$SbwZEuya9azl&$0QMHDxqZ@aR!te8LY=Fh~c^jH-Xw4)P1p2iRIdg57pU{iXAA;C$FZI`a{!-ZSr9W;zq^4 zdsDdu&ZhZkd%8~ob7e6(2+;KcI8YRfbU!CX2mlQu6vx&p1DjS>{R@a9^KOpC9cjT3 z$j#R%%Cw4I-mt^kkIBwC0hk{+BUAIK9%?E;wl{86>Mg_g^4M4*^n7$9u3|Z#bw<#c zv-Dmrk<90N@5K`zYBPx4g1UpT9zNqgFZ1X=4_wMzDM0wlOUuGTr6!aTUs>|jjLtjf zhYO=ybH?!YFmSYPsDqZs5@~n_+Cidu9NKuWyQl0u?u;PZDw3pUVyAL-+LuTiudzoG z=}qU14{i3G03?a=O>BMxHOQfRWWErBc6nOaOa5;SXTExUm4`c^F8ly=z{*&nktWZv z#@5N751Fo2m#ueiP?!5uAEj$Yp=7mKYGhnx<6EifRH6O)1!4Rze0dweGD)}uw%`NX zF2>`3#Dw5nrDeQ?6Fu%M3**O#J@k6LI&UO>@H^?NdTnjTcu@s!K*g?Jv;-KRv@r>} zzPWFt7PG;HW0ax;W~fcyBG9Us`L>?9vhh)`!PwJ^}~nh-RsHyAl!p+ zm`!cLttNZl*Y-&=_5raDq8e77BC>^z!A$L28hxQqo89Qq^&i5o#6qaN=#fHiTSCqU zhCnJik?B%xrW8>v%}d4ly)_y~c!XgUp}v_u27)ZyR{r@Y)~@^1XeFHLq9lyuGwkL$Sem$F%xzu%Zs(MQJ)M8S0IShiFK>;Ka8p<}Mv z_M`3ulsL9AXey{QHL_t~|BdHJ^&gEcc}D*lO3YwQAdqh!p$tIF1@m%QI768wkk``_j)c5$ZQ- zg#1fk;%$e&VYhLF8(aBY1~-cWMC6fwklaMJ9l;yf9}^B#YTm8X5L4X~eOd|jgA09- zej}?xuj-nY6yo16@hH^%Hf-{ZL@t;kVEw~uI=c>-^Bh>zwwjNQ2(sz{_>5d3l{#Oy z{N5&~AOsNC7M>vKJLsB7xeoznMC7Y#q#8(&6R8!M?0ao zHkH#9p%Q+$O*D1cP5nGXFtjKFIJbIqZ4#SYsS)}I8E<|z=krUpiK5sx-rEsZaO+Zr z{VnNy)cO7?mcKIP`NiY45$p>WcK2!%oy2g7k7sT>cO*hv{yxv2P0gYN6DsrZluIqu z8hVuP8&5Kb*gx><|Bfg6Anjr6D;6>tBHIljiz|*-2Mezzrt4XZb&bGI=YG^Ah6=4T7|^-Sv}2^N$hUc%@&`{ViTc_Vz)N#MWA~YbbMUp zh({dQ_<|Y4GOn2oL-q>vbX&d#F^FI~#f()l{oO`ZpF^(OZ>5|PMej5&_e_WUIOu7^ zPwq+3ETsZ_hoDV=lXidqlmww(|x`jAtuI%*AGGx z2e;|hN0qNT8Y7_L5d0Nl?o)gX84bo#<7Hw((z7C^-r2CZc0RUa{BXNAFojt2vO%IY zdk4}4zz$L{H?T+I-4KR9@^u@!SzQ}DZ=l^GTs$*hNogpr&s( z+o(G|fra*N7KbBN`;L^#j)J(Yxi&_=Q-X*X4DKvz!4vwfOhlCWx}bcGi@_}`bSx19 zeS?+lsxKEMy(4#`~a!E7mTTDJ^y);(pQit2x|X6F@SvSK1&zc{f*Hu`Q?sjtn0+JTD)AEf;^1pC`ePlYM1BV*!>Vvk5~`q~`zx+vp|R<30>62xe+ zC$+yuBJgJuI5LGx9b7x_C2iq-Q71sFsmC7nm^(22wtO#RarAe)ogdF1T`p^F33iy7 zUA>dCv(y^JS5@g+qfhM5A!sNU#(A0LIQ`s`xLo}o0=P?2rRe{$gRuBUSGH64r>0{%Y=jJ`Ca z&EiWsZ>8P0?zl5AsHATyZ)Iloc2&oG`QFsP_BMigN&o#Z9m+i_d7QV_cCLO~T1kUO z^bRk$qn{AfDOK9C91|TD*QRz`@$xY%liGzAML#HX)V^18ykPJ-fv@h90a1!}xQL*bY5O4n)N^W9t=IzQUbSyy5YSn1_LL&kY8ijP8%dK*nJ^_S-}1S-3Y6`45Ze1+Z}pBUEZl*s6g0Cg@a z-Y`m?tH{qx|kt62>C1e@gc zZKwur38%nef0<6kXBsW-o=py3@0?Fuw@_EhlKWspdAedclWW2N-=$L}d#?sdIEttI zdf%~65+Nt|a)cMpH3*&{osrI>0UaILcj?=82nd*2b@XKcD?v=xq32bddndp5e|Y%; zpEz~zdw#bY*YB_WF86=kiFKEx*ri{;^nSD3FS|C+z(~G&(sx^0EF0oG<01UFF|EY& zbqEYKm7i^$3tK%pX@0wW-VeFSwb&o2e_5HHt7#d>p_`5xwmos4LsGA!l$3-6(&o7{ zjd+!mMzCt8Z`LWO1JL&1TiE6ZHW)^qnlrweBsVJ4zv)1Efei#fZ>=__WraZ_RVbK1 zXi-;S(*{#$ZF>S^n^ki8h_^8sY~AuC8MltBk56p3-q}U52Lw$z!;^5?tka5i5qo!Z z$nLXo4&vw)#=(R6GVl;V^Q&*ZoZm1rHWLAAy;OOx*#fqy9X*V-+}#p(_RuG**GNoj zQe#0PG`u7i4rUg?y`&O3y1Cl91~ZRnnr%uWUymt4*w#|FrpGIH zz>rhRpqs;NblMHN8o9!ezvjPoGkpjLHF^25TZt&KdDgy|IJw9`+6Gwwm`tUnmmw@7 z37b906D2gHAI+0_J)WQUIdtC_+}{P&Tvd|mnde3emW%JCFi3>uFL=YNDlQ7bK*}i8 z{6ox0IQK}xbixvHT1r>7-(Ky5gCyYqs0X7c0-WP)j^EBCa5p-PB6g%cUJ{#3aeqkc zl-rVODu(7+&q~@YnZ=aax-w@wmqMuH1Q_)qG+^V~Nlp8Am{g^sXu_V6@?}~PHOoCd zUPC)c@dT{8vsBgjhfT4UA2uY8Tfy_XmZvRG^v?GOR?og#`5lU(L-mnIO{J7^GUswA zVN`4|tkAchr4PG%9(HoWs&vu+1kzeDa6=67wE$v_ockSpE%w|{Enh@V(tT;FnA-`H zDlTq?Af}TA7};MU6svGeaYKL_PWJbB5cbrXw=9;UAH`?ENX zDv$L0b0)j;cBL*z3!E{;U4a=jm@I=$ub9@IFc>!J4i=L?eLSD!>Js0*w}DS7pSUID z;`?A@1`EN-PS@17b4Ap;0Wd@dz#oG?Q8=x~{Q0-#PN^q1dENd1Z&s_6pXr+Z;Zu?| z8iE@_(PcPtef_p0BMe7Vd(Oqu!nCCGiuOi4wqCtBC#ZCht~M!svPN|Gd?6+hv@cO)`^BE^K}1yU60;Fyi3C zG(5|~D` z&Uh+Ve6{(EAxrvaTV5PU)HcW3+@Kv5b&hnjlz$tgc6*DMhm{0xMj2GAFSX@3|01Z@ z!gemQo+UfZtz9r-a^QWOPUR8wzL}qS@W>CvliGpOFgRru^+=H}2$Bc3It+z}zBvik zhP>GeVVQ$M;36V8@$gdto@O48Xy{sry1LHz+#3+&$5|tI(&nBU*+6UJC3qgJ?K zRjR;#Hv?*);A+X<|4XwFvEpqKL?uCYoL)N{pQCQ32U=0q0gIElis8ooiQ{wufv=a2 zLY1&LdnOdG6sa3vnw=~E>@k?lpk8Ik2}AK zzcB6mT^@o#|7VX&kVRJEFn7iS=NR_Y}yYlucZN0*4~=c78upF(T*uEElwNwCZ2t0g&-+ z0sce*K%rOI%UcUwz3#@Y+K+Ams9OZE2vG$T5Gp7*M56qhE$H{}U~8-xZ~|z@P9I4q zOnq$B8pea=Uf5%9uKc_0%Tz;w$iDP>elAJS=MW3yv+G&x#_Lv*!zN(e7d3r(EasB) znjNc@j>L)g&RWj1$USxmBZkS`x>wzMoaBwfdn(%o@D!{EzWxNzCNTgeM#f|5rY`Z? zW%2h&KZ`^f4n1Pgsy6^|#pwV*OsPKLEd3@HPUoo>DzDU9C7b6*>0$aw?DM8SrvLKD zx$+pji#a&YvM)Ri1~hNJCNJ?@#Qu61CDW| zG#n!X8&N!Oam%#8VZedE(XtnCVX$_DA3}T z_GsS7{$lRtlYhT(h}^&9#?s{_(}5eUKGW{}p5?GFvYZ)$M%*-Ikk~-0lWMo~57pq_ zAP(fO2HPG^M(4Wr$;7F+R-BwDO=YOPiPZLNiiwo;8n7n6AdKN8I#j;60~vEt?_7c% z)AL{ZehW5#OW^H(@1IOZUC|x|!)j>Mn~Oy2Jq|RXEPq^T>J{TgLlNfe+AHGkeG|fY z{T~|aO6--#n%T)K_Q5%_3lp0n2xC09GY{uGQf7 zSs9Pt=TgE8TRq9n9FH51K`S$6P5@V!dlm@t;tU(d-qrh&xr;7T&t^Ec>GQ2#Zz{(+ z<&CIFZg_cp>Fp1>i!191nn@P6<2yYZBWXC*n&zLXeRcUC8|`M_RXch#>X%sHs=cOWQlRT~9Irxj(pEb3 z;eR`AhrdM~7bKY$=#O>1vbO!u&J|gf-!KN?N!x8Nj<-v;s<*Ku(q0pM|JuVpiux=g zZO;y<3ZADTb{Knk2{=SBbi~z3dGax)63#J=OAv(&K~wQ7!IIi(D@Ydrd!|YP)mDnp zJ2(4Q1Iqn#Kr`8;$sS5WLNCk$_#-MW+`9m(KRaM^bJHQ=kqFvfIGA&%!btBtoQ_Euys*V^0I`#YY0%; z?6frlP*VRvS|GZ$sQ=WN{eGT0`pp-u-+FN)&2!RreL61+K3J}HJ>ucFkm~~Q2{d0M zT_2LrjAFk%WE%^+zK8)-)|Oy_G}pd!27v7%fqzmzu3L9;eTkz407{lKPz*wvaOX7u zH>r0SLrmRcc~`Y9;S{Z>e6FT3Al@)Y_2hMhOTa+JEU!P=u4qnpMBM$>ZcINq`)Umu zzQN>;l;D?3-V8#8AvZ#SMv-H%3;KFo_$HT(biJRyDU9XKPH#RMXSHD;5w7cCBUtf$ z(O6?W+4udqSq3kcqrz4I0LTNFe{AoZCh&{A?faQbTr+ZU zy2t#c!i4H@ebD*xrn-xQlotlJ+sJ4;-^dv)Gf>^dL{Tb<7BkKy0SI*;zy{$w^&g8P zf2Zgr9wkWhsWLt(-Cu_C9_H8>Ku7%LAwo-Ycj~8Vwzwk#*yYF44sVA1O^sCuz@r+p zFrUf_ur3?_7=~%5rxP-Ba1RH-6f?OivxAu;)Rep4!+79lfD{Npr8yxr16L#&1>EN` zjTl7mn7-}aQM#@h>)&w!cfnlM)Kmi2RsfVy;PmH90nppgP0Ps)$)Aw3BR2ci(bzjf10tlwSbQ=|5 zjIAI&XD^!k*2SkMA)`at5?$}9xDck!d5-W;AvTxg=_66;rJ2@Ya$hT0{Q5XnfanWy z0pm)^8<6MRtMt3HPhLG}(-RNjP)N*tfua?$vM4PlG`R+}s=Pzl3cNHll*%j7)E?x~ z5dNS3YP?lU*MOu}p~9?T;6f#-dUKYS!Md*^l}q!B;JvuMdO(=^_*I$y*g@2PxzU;O zov#SUcj7KicFU6&G>iei7bHu>G2tdR)>QTMueo%*e==;!J(ts(1_i@_$K*R5L zCS)Dv-0X12di)Q7%i7GxP*W&WByB%b(%U!#NCd7+-{#FO&4Lxc13BKUi~#+|kni=6 z3Ej8e)Mw1$5v*MSGt~u!kr@2>Ky0T44_Ak6r3D1>O)H)3_JDh%{`TgQc|;A>p*%`$ zaT*a0R_oUDzqPB}VrM_O6@5jQ+ys!VJgcmro|y+j5+gIg^19FBG1k4u&h3qfiSjV| zDhzI-2vokg^f&1gC2ge~rkA&tVR5snEy6^pRDu%AmW{{dOe%)*;Lwl>ocQ7D2x=Oz zsoR3uty+tM6rA8Az*U@N?L3@Ib#vJpu8Q+g^uQpe|4rK*9#$+D57|0{3_;#OxQWHr z`6$Ye)Yh50&BX%EWLWkwL2}=4Mr$i^?Frx~Z1t-oZz9di;1UuS^>Y`89MTzl_v5~E zxW-=zB^Tn}7_bI;@S{XMEaWU92Jg+78wblP}y~S;=MRC9WmRhN}U%)X3j*EkWq*ri(e{RSE1KO*PM+w;e^Ncp{elP+@=Rr(i@V_N4s zQ9V69(qz!Z`)D*MR=W5&Rg;}8j@>saBSqq6N`c8@;QY^r!vYn-vV|dqCMo|RqSzMrmnIebYjgC-d$4bQV(=Nb za`B~~1h9xq@#TcEcwG=$TcGVBZJA<%o>#Mjt$EhybqY6K#$_+jy7*Sz5Gz!ECYD76 z*T#~xc2TblOUKcAqxXIvYO17ycYn(KgGs~SEcmzZqv1Naud>%U)Mv=|pwpRNaWAFu zR}aNSk%VMFf=`mtR>Qq!fKwkK)VN^ROM0TUOw?5fP|8+jo%4xR;x@qCukH;??SKs)s4K$Q$+yGd{*Fo zW_#Sp23?MXHsEq%r8gT=Rh@Lez+_jFAcWj;Q{j_TrkGz6{|MmWsQx&jB@n9yOoBbC z@VH`=c}uA>fa|N-VEEI$6~r&kKTYE`Xvbd4U#_={P)w+}Vc1l2Bk@Nj84^9vtT{!w zZFaqOc*lhGz^E8&49_M(Az2bG9W=p=8pn z;!q`ER#pO_|KA*bP0g{CCrhlC{@`!(hM&h`JAi3bn>Ou(e?GM z(%v@~QRy{hP~dFS4rAl9KZ1`|+eVE7Y4wa(MdGe_ab*4-*lw1sppBvJsr~9Mw|TP+ zVN3A^-%ZbrZ<2Fqc${)Cvq5qeKvIlfVVga#3{^;~Z$#J0aLfMt-27F!p(R(J(XS$^ zm)di2LVn#TAmygp_KVpSo7=Wiv!&5`SL*Z?S+W%Bilva1i(v(C`fx3og+`Y#9a*zN z>bXw@!o5;Z)(cTZZC$q0LX6Rc4}RY6`<1SqMz4qD3tk~imgGg!e%~~C3zt7B&mGc- zpF-Pv2eXrv6@;&|%Xu*hsJQ7P`I~zPBaT)%`cYNM=o4T#?BN?b z0U?QN&T+&@9ng>dU4VCuP6Ud5_C1>)+0+KoovTvJW1ILEV61`OyFNYnXtXSgm59|w z=vYl-o*-;cawZ@>-r-$?cS<@lXVMh()ABrzg2#M<=;g|+$x(?Tm>?>_Q8y(gavHdpy( z&S&`}aou>SJ$R-)m>lxDFxWxmA0cbV^XJ;yjq+Eoeq`}PZEGmVJuy(>wQo59;?x7y z)_+()G{aHED4_xDQ{6oImsZE@s`*MI*+{}j%~kFnzG$8cg(=wh_>VsKz~B3wsiiFM z&Li~8HzHwJ(q6L2R2zLjNlqu+{_k+8IrpA40Q%A`Z96|@ChlznT;!+Z>Irm%75-ZV z4P8-`C~p{gIIrsOmK*|~K9}AKT%cD5U8AyHs$JI^Rjp?*%-vALuAxhQ`|iXM-lV8f zd~U2abjoK{u%eO=+Gi1NJvKD*0l->;#BkI~1Rh0Sh0#%j*$#Bc2NQ~mwQ6M}g#=s> zwK^Cder&MmyhmLI5H{;@kC~)BGF-VS>5GtA4qmx7ES6QUvHNVN#D*j<+^)s+4c?eb zdNUsU2(K`joUL@LD66+1lct(*~MsKd*bk7E?QTcjN6#!SSmlLp8!T6egdZyjIs!elIda9rCFQ zxC8R`6t`eSg16^R-uQ>v5dCrsfU~^#x%PX&5zl81xFfFz1~)n$y)ie=_zHfp@j8lt z@-Kh?%?g5a-b@NK0K{ZwYTo)|3%Oo?_nzM86cDhkRQbI>$Be*R#RuCckAK&IwZ1j{ znohB?eDAy8`t=%s((kfK%{6)K*~a%dm#FOkL8_1!Y@f06r^=}Gm+lEk>}Me}r&YuX zOy1G$Y_;xLLGl@WET?Pxlgrsj969CC$ACN;Zy4hMfJ3DcfsXkMF>vnyCg@RJB#`~+ zRzLKmI&%ifm*V;Vv~`wIZ9P%D$K9p47c1_;9g16VcXxMpD-hhRNO70o#T{C-NN_Fg zcJsgQTK9f=^D%3ZbLLFeWY6CF`8_j&#(~lSbh3GW^e}@rFdM?sBqG0@?%B9!@!Piz zKpH-3(PhsR7HHKc>bw8xt*7Prx#}SVwk*jZD+}YTCuw`Mb=6ES)voh=EblQ0>QvO_ zma+3?hC3i`m6uG?TVP>h-JMdDRwmPU>Ft7tWRAFP(i48(#eIH~>If32HwS2hgN7a^ zpnByTlQ_vQlISPudY|p)2W~iZW?FGM&>WS4JF%T&7Omh4ll^lgzfVj|^*z_@g>E|~_VbU)k zPEnlO0l_F+Tig376+ON3{;E%$O%RxHo7dcZ@W+cWsv+dShuONcHK`j^ZShx&-z6$e zB!`%_@6}DUlEHvl;Z)Abec~yc8ecyB3zxAu@giPflh8gD}=p^Re^+DFk;KzGI@MK-D4I)bG$+~8kd35CIGW)*v*J&nRR>h&T<_u=MDvJ21IOm}Jk}+f{m+u@6wzq( z`1X5oxa0dDykQTJ1q^);;LydR+kmJ_gi?A>0FohuxM&H2^Gm{E9#010QHQ?qGt71B zAz^NZ@10Hxn+N1t8!a_9C)X7j?yx$P!@p=0JZ zS~46zD84`iSyz*riH1JTLv&^SD&o}N6V*+Y=XyP6#UMi95!XgAX)W-r@ z^m$uE8a?SmX(nI;rn5LUNTs9_@Ufif2Ax#OV{R+XDuwD|CE?{eW?uU6-7e^2kW;vwBFZ^?QGEfHER|MPk=97VWyH@A&Zr! zYa{~vp%QQT{0UXULd`34Me3#;t;VQl0tom-n9QX(8k_SS5zjHg0Ft_pCZ*x(u2CzE zLM!ne+NKKMW6`r?m-#D{f{aQ<_KFQ7asA{=-#@Fvu(6f+q*YMGRTJ|x@ZG-@3W`Nk zPD=b6G~yjH`e$?;*q+zx8LI#e?FkO%uRbftAL8PNh9YQugW;P#Z=QeRf$}?Phzc%P zUY(|I2#NMej<1k%k%DS{db?Z7PSzpQZ}TGG?tYpIQwNL$wvmL9M3;>kU3ZRBNLAvu z?GlmYYD(U?DU`9dVWz6hMc7C~#)-v_Qa%iaEN}=Cbx#PrK%8sKgbr1r9`4>TZS&Ep zv_@MO7!l*_gf*7Bw*s|0_Luafw3+Y`{7U9YH?1QOkfkdpJ+))2640k}_;_YFG_}1s z+1Tx+vSxZ7HfRPs8qn%T)G0+W2rkPNEs+eKC|Y>5jLwXbMXRrpQxTuOA!kv*R=|CR zBL~ovwicsJkPG|iAYocQYy|fK@AIyC3t609J&9~@etnyetEwaTB8OG7WH!(U^@RZn^!nO;?(1{ zuq?w$?@I>mCP9|=2h(|GeIGfC?8LI!Kh#>x%dgLNx7t=M4M~^Mhb%~q<0rWdviGlr25U8`5>I$8rDpKQG$yY#d4u^RZ@Ggu_u~^&(nVyPazF*m`S5hCRz#3?gdh=Z% z4u#SpSG9`Ae%WT0wb3oe%Dyk)eV@P&)3kLS&OQ0EO`C2uVzxE|CZXXocw6ikqVex` z#B9jS59*LGwqLH}8i?6}0xkYfnao?ZkcQ!Q^s2eiS8jt4hAm&G1d`t#|Hd$E!!i;U z=B=4Y`NM3MNXOgF8e4CA-qYF7qo1KqIZLQAy#fW>SL?K+l=?u9)JX+G-%|$+WZ=08+nAOy#qh^1esh_+G-JYac}#$AJvH zKAOju>@qlgP?^JN8JDkU8URfb+Y@3Q))V4}elC!h3_(R6<@(K`j0m_~%OaJ~8^hvF zJe3r~V#FxB1d`{eV=s-^LqinBznNfC9Qu8EB#X;5DwHxM+U7~|ZqxNK*!L=CAvx0Q zHGSK*cR>9dE;}`nWF!KA?QnxR`YYy&;-*syNYeuqWIA$7gwbT<(Q^*b364Kx*VE8T zKnzWR1509V<-Mc;>^_98{tivQ34P~2B7||VA>V`7u(YD)8N9waJz?DUDe;d35@UJ^ zbpMAS#hE>ho#6TI=rJdpiQDY~$?|QCmY!3g#Vg!no0NimOGt3Y5fqgc0*6r?IEbSl zuPtypCn>SfC7Wgb={+4vPupk8q1KIKBi+@y? zowoKHj+-w8O}!pe;+!xkc+q7z^N?c&7f2_|tc-Q9A54VP+(Q5L@(vMV`YCifCYde3 z)U<;-F96<@+>5YZ|M%LUz1cHW#TPhod)aXEEV7Cq0;L%H<_d{kW82AziTUhsM3w-6 zk*_zy8oi&`sBm^5`A~F_;`+Ec}ob-ma)!A*0xtj|z3Q_cLS*D3%d;F9_YaaAC zlP3gFrck4}A(-M4Io`E+;90&`fm8f-#^3|Jf8TaK<^=eT0ZZz@1dqly{R?1T*<`w)1>WwgIRABh0d3p)Qb z#pF>$7Kwsdzf>c!NnPhF@ahl^r@Xvn#G18b{|y&}A?&|tF29*_egAO&QXPq&&Sq>x z9+jewQF_Ub2MgNTnsjfHM#C}d`*=re9Y^~)Fa zzw7L)evmTx#4f4+r}~e>;&f)1cnn049oRDC2E_m^n|re!F@jDK{i+_JB2w|-~8#P zK)#Vw+-`IIkK8*~I~K)zqtzJjlGi*Ht}RU-oJHspT33Xbz_p1eW*XHylP3Q6U#iz9 zzX&(=z93=$%*KEx6!6NA(VT6>q+tbu^}NgLq9VVY{Mdb*&;RbiH`Rh#uB1@;r%UnX z*Dp4LMFvGLPCT~1H)7r|RAIc7>$i9BeFjL9&mY01^-LTa7YKFkYwCBIe^?W8A&ES~ zw8T+G$p-!Ha5ar|0jLjNH%->C^{>-X%CWNaKcp>P#3FDhq&pk_d&h7-qyeo7&$FTG7 zE^S0IZZAdtkI1RDweA-R|51pDB>sH%tOg0k{A{5-z7_tXh~gi74}=6e)ftu+|4gq^ z;D7;jgfbv{US|uT!NlG(S6TO0w}a#U>oH59B{zEP{y zr42E-PyA7_#l?a~!8>S^el>@}%w_kR;b$hW4U%xuH{NhZSK6f-W*pumyMF@1 zkEU%D55>k+AE`2cM~m{lcRkSiB`ZI{Zb`kcI}~g3O|ieKtw5=pp8mFlgeE~hCr*vj zWJIfieRmKG8RLd~$r3p4eUpfJMvh3I!yh=3w+Vz6>0WbhhhAR;xGJjV6y1ho%h#{L~Bqv}gmn){lSkx5A$?(-e^xIFZ{Q8l2pV7yG zEUHu)ZrfjD*s0l$dqO&lL+ThX^XRr`!v42q9d}!!s%2=A`p#r*;V%N+(YSEWV8Ppv zU6>rJ3qBuO%kLaeHJVLgW6S`hP4^?mza6KNPEK`rAWN;JHzMFUV9i5t#{^Z*~%Mx-;op+ZUkA+N-p_-2gjl?hU8GBrh^v(j# zG_Tc$TpH|_P8O;rg97PLT0(A*JZ-^PXK+LPd;3#g(U`JyA5`d#=}znJ0yOt%abDJX zvH4&f1#?P!tbdWXFQImx($*|*`G>ZgOlBR0afe3Etg}WHwD}ZecW%{Gpk} zxsM^p71G3KAj-P;(81o2nSIvyv!2|}M=Yvf`AulOJK!MOI$QjY#ItH&P|82ay))

zL)hct3?-s$C{_~r1dF>KMPVv;6p1l$t2kjaPJ*r8uFwnCPT6$Ad?neF$|f>laAvQM`*RY7k~oW!n<0urOuot(VOJ~BgCH9PYiESr zyW|{5wgk$V@?_y9vh7El^aRN4ClZG&bnG-qr)m{`t#*DXz20M1Epa)N#F+<#z0% zs=-}Fn1lmACf@ott%4+zp0Ij)+a!XrebQ1F7 zKw9_3o*&K$u_6P&E4Zb)K&$5<-GC5|l3ziTmV}|GSgYdM@S+sK*RD3f2KxF_Ky#u0 z=mV}mYZN3OTe=Y&BjdYF-`e_bOT?qH$H=S!u?&s2r2Q}MVI>4m*n`!7s@EQk(;H-| zoHKH1XgX68^AFVs<%s%^q+NSn{uz@fueFQL;K^S~5levuBS&;peUcW1N7}@1#tO<% zP@0$38OWVkqnV(FT8&|L-Ii*yGn_8nIZk=yn>T)3Ewaj^9;Y%?`{1jUxP0r!Qu_+f z0l&c0{v@}AqP2mPWDX21KR)eBZ-eoz+35TKveQEqJiwN_fb&+Fhm(J!pf!Yr!3f7g z0oa+}#?`qju#(RFsRoAwIHFsSH|dr0Ok|!f!ANG*82AqP;CaM=>8AHeiXt?5pF$CM zI)EDJYI}$AFnJaU{mA0=QJ;B1xx2S_8#Pyb27RRR1ZLBWMW1n5ljR)6GOI^|MUT5V zW>l&DFU}V^M))H1qv@-t=nUAn6(-mQW5@fv3WvT01$kITz3!zEDIjS%u4G!PN9DZ> zWy3K6)VV2ps+mI01r6rM5-AZ75z-*=rTzd-0}7Bmj~@sG<1=MsnkElmh5(o^7ZMzWLz~|V~ z53~63mT2tFVVxI>NLDE`{1wAz*qmriBGshBuv5P8J&%pYgD}ChhtJr>yBF}Ix9rhGJUttSS zpV3%yyvm#h>p-~qU5r&y)u)r}jyd^14`bZU8$1`P7Ud2S!t2JD#1Bn2u-}G4VCo4y zj%-8~j)eh_P0h_UwwGeYu2XK8*jVMGspSpBoaPXmg3WS~At@V~h06|bwU~1BT;qp) zL4er+j5>yWj8*Z63b)hkC#b-f-;*E^sKMh22dJYxaNc`Ey`|Nxbdz8j9EO3Q*WUZp z5-??}rNewkT~#%_V|fX^grS+zimyEm-rCN(+O7GwR&GzoZQ)X>UR7ctVNLd9aoR(4 ziNz1QWzv-Wj46WPdya3MdO}L+(bc739?Oy4jJBCoL}D?s5p^76d`{)icV^nQ{VJ3V zVFHnyVB^YlSCdME+E}zkj3s$^_Y$7g+xo-{ArcH7PlZZGuptw;0CS> zeyCcp1nowq7ZR#fC_$@uBGVI!U_v(b1-;fUdVza$2QlNd=@K$!7i;#> z*-f%vtO77r&JuP)y-{Meno-MrOkFud%hCq&uy3J`t3CHZ4L-x~K_t)W*+XXnM%)GfxL6%&+pF=zdLM<7=b)DVQkFeODHVKlr1Sb>J^PG6wfg1%^S77Y1Z9zf*N;zq4p zEzxwGQ=RXd{_?b&UHshXs&H=7-HSgqEbT|#r?0kYOk5d?K2sX-ydm)O^AB1Z*50YG z1m|lUKrIn)OA#ZcR6sD}>z+o$+?3as>An`&M^l1#sd_OBh}+-5MdUy^<*$$}`o5pE znr?f0nlL`0lUwp_IrshZ!O00YT1f0J`?)y_%R_ zcxOZ&947A`;^e5Fhki_3y_$twkz(MXA(a?0d;svWVDa44Ex$g&MEi)z@kw-24JW+W zm*F&D+|>uaG32y=lbngcqoq6{rD| z7x|dvz)&lEspa9kU$x;c7|KPI@%H%Lt@Q1-b6V}s_zQ~9RiwMmJ|>rAWBxH7kWY*m zx?#9}%>CXp#k0j2HBn&}+p`}@c<~sUy-3H2lH^fG{vHm1&Qq4V2)u$+Ni#XLYtTs% zYO2~%w;J(mDMsV3cihL&LrU@Z2SvAM1TVhBmUPz1Cc$Kym*s8onu5sYXA9V(HGgX9 z?-3aQT9%353hCb&qJM8mTJjfxFm{P{W?AE_wd+%~SbgvL7Aq#Pmo}?S^L;xZ#l-5q$mx0YYOZ}7KmSJKFw`JV8FDNh_|E7z`WGwB!YFQpjshH;Yqb;3e z_U|=>DlhpKk%Leq)<-7jar#<&JgS1|%%VencIy`OMHZ@mEcdK>-DuB@}ZqZ)5qO1ft{ll z&*}!ZpnkvwqXL&z@QU&|YQfD}AxnCrraipqFKr^O*_|^)Qa;j{!)$_H4Bd*cj)$!e zRr}s3aN3<<@BkAyEPiHLWW%~VUJHrui#=+NtoKuCNlZXgVPB6=;{t~YmvCmAR$ajI z!I&@RGE}cS%0EbAhSs}fS$>2d#2q~v>$vEqrQ&>P-AU8%&vc{f8~XAp2-kPB$?_+W z{QY+$7qL+DkX|gTPO*C^UD7nXbm`?tauU87ExH9uUc~Ll#sPnqFf8A*jTf_d&0i`@ zwTmiNa?V}>mPrG|O#7&RHwi`V#0bmnq`q3J;{RO6yi@6<3%DFSYIqwTDE2xf2NykG zL*RT&1FxDZSF2H%tJjBvp%-rg+(Pezs>S2SoB?)ggKNuImoExPFve4`h!_|fUEXPk z#RVLI=iwDz+Y-thK#>lXI6!C^>6&c{b0`WE6;tRjq@4F`0&Yh|CQc}q9fH@V8Mcka z=9XtSHKZ0%v?>hi?H2lV^+0ep)&8BYqO6$EV^IQ9)vROGPZoWDVc%I(JGNE@t-c={c`aokj;%I4u_)tSi}uZ9TZsr!3z7`qGaA)kOcY41q(XB&5l4e zVk@;21vWC1R`An{>L5M{TJ-HWd#&E1j02{3u_D=`!>3ROD^k80AT@{%kCQw@ou8*w z*`o^kjLH5(Nq%RpSUYy?B`dQ)fbw-!9f3|I$4utOEUqK)Q)T?HPYSRZ(z&%Ju~ViP z@tHpA?$lqd<0y>WYV4N6rD{JSt!=H{*;rxN9C`;m33d}ZfeuPq?nebj4|A>Wz>j|7Y!I{ASn^}17ugh!m7x(P`av^sZBmMr!HLyP_z+ zWk;r`u(={SZX-B-nV-APoPRIbEwV+*lf-xY0+oPVjuuX2+0rhw+iFLKlavu6CDz}u zI;C{WUvF73jVkj+o?iZZEQKchXHeBV&oQMo8mYw$n!0TD*M`PrSo7z3SqkLyBztRl z$@#9&+ebKuVLFp_Wi)roF`1Z6DKDv z;`wmQDImRH?!9S3%M=``aar^h@0C`$g`vZQ;rUwY-fcXZjtf`u%&IUg6+((_L6|t!}dc*Du**A}aHSsBvpjhqM;w z1CY~(W}i9`_-`6o_6U0lo}NL1ARq|het^$mWAb{%A$>Up9B6ppFZv+ibx_^AAou-8 z!7E$6q1Y4hpxaEIYCvHtZ|v$ip+*;U6Jc?KnUshoeL!e9V#{YV`u;riN-67Ymk4qE zQj(GO-1Q}Fx{ROBIBZkg{uN;Cgzy)$Cd$zLFlPZ zWu;Y_GmC?Dbi+q-Y-XbEkl5CKFz1i`*(Gnu>=E~C4H8uFhk*bPRyhm=GEdkVJdHWo zAw6Lgn4Fl=Y8(qqQiHmnC>P!jk2YX5uW<8`2f5vAG}EGvWRVV}1m&09!`2hpAX*8P zjd2ihSsX(F^0wiVnNs82MaK>&H~-y4uG1=@)}jG6KI=VjtV{QVh(6MZjYJBLLHc^B z$t)9;YkCJs=`n?T`p5)QX?HF6uf3IIBbQQ4y&3=H1zJL>%}{A$05=1Ik5-CHYkTxZ zk{1P@QkKx||HiGN1`e9!3hncfSUWkn3*PRM9mk*1TFnadMYaWP7*7FS@`G|r2VOI4 z`;K-Yi>?Gz3+TL*vN&{kco*%^Mq)Qs?+qAY_RLv1XdGbGLr>X4LY4R{20kEqNo|qBh~k+ zg5!ffldC_Y6h!%J?h;Tsh2KQU89)cyA@IWon$Nd&n@>G#Ag0WT25=eG z$lz;HP18sCRh?ez0thD@5wnq-AL2q1irPrp0$sZ6y#Zhjm1H4At>Ve6gmq+3A}|h6 zR*U%q9yJVhp#OwDzt;HXe4U`FbZEWU?uY|oAT7{>XJz-vi8&T$BD{Hn5c@T%ioPw1 z>bLA&Pa+TxMIg7@%>SiE&9jT3C!vXLVYY#>LSo$wCe)q!b2BSS@`<3=5g>fLmo|l} zB=QO|$7bn*c0XNht|+hN!RftXbuHuBn?d?LtR2hG6m7e}D=^5k zu9ZjmAffY(6=v7eVH;o1DNynBGL%=5W@YvFR1V$6i(xJHeKPB}oTDnUHGt!5wve>< zcJgezNYQyb>xn6SoCF0#fA3hzL$aVtFa31k-y;{gdmRi!dmmVX2wD+E=< zZXKE@7Ljr<|Fu$JNYnpVh-X^~l2B(@VVdZYOmWOfx36$$T1F-RrDAWwUgBe})7!j9 zMk0Hv#o{QcKO7f#FQ*%7lr2at#ZYl6k@T0Y)*>c?Ssvj5tQ-6(u(;#mn>-4(+A}QW z*b(C6P%hFNtD(A$e`|((|4?R=6wMrFFmUK+j5vzpRlbdgKe4jNlSMpUU*l0?KgWhn zj1NsIu2f&!(J$*YW>Mz>p__z4*AW$NiV9*w&QCrBGH%x8PS{E^;5c>J(jHqWRjjq` zw9`wb1cRg3%F-k)dL zVw2TH6c^HtVu<~KVZ82~cB^G3x#LHnc&3`pLBEa7_JzroukaRprBQBh2 zMfPstZ>AEYkzAkNfDS$-@Y|TbvatCFD@OAV{?!SmN*1nvR_7wSj*U)|(;Rt)3*FC9Mm~Z2hpGwjTpe-w0dn+Q;!Gjt zl-Xnrm|SA_KXuhH`$lDb%oTt_KI#?eJ|i*;)V~Z@^Gl0kwvgAk0{Cp$-d-cJ;N`*HqJCPH8aB^Y(~|M zfr&;ZT+H&Oq~l9-NM`q1q#&Bl_&xTpV67_k)%%kaYUSU_u4;%Krosz|Xm$rLwBx=@ z_}s3*JHZ`3<%iosMHc01!}_lTx-y4eg4&NY&LdwyXd5u2i>a3Ku?`#Z&!)ZLP!4lA zu1_8!d0RoXp1E3d6@(P#5)@(?&6#9=ZQn!;N9PBh*I1(=#y%x-{QBGLH9Z8MZ{|YR z?U=`CTsBoby3I$oSoTSWqFLybc>dAp>bCVny2EUyB;Bo@)@Lui5%jQrG9?9?`n-KZt(m7N(7p&*`+vpe`9 z*{abLo8o@xh}?Uv>Ol>k^xeg5WQDMb5L2Z zcVNihH={m%tMq-S761N~E^D+5GfBr-oj@W;iFdHmB86QBb9hZBVlCeTTF;){%&D5?d~Xjff0|@+1+(QgN^%Rxa>NVdbRpda!uzYM?3Ae%2@ zZ8Y*COGGImQ=i*=qSj52ZuXA`q(-qnfjXyR^ZR8VaO0cof>r)nbaa#JoD}}J!nG`T z=WDo~e(^e__G^~n_T>|32XscB4Gk-{ZG{pjK7A?=_rH*xe)_bjUSEC2KE zWqm^UA$RE#K>-u%4`W($<|?Kc72OML769wcDP?tYgmP(P#%0h@_H(QTEL?x{uH#L1 zuLhrGY{P;qh5l>7ZixN+=uJpw1$pl4mJw@@$F|c-P5%?2jBA^@H82GP&*T z$#6|G`>S)pk&uY;#1-kR?02)0=Rx6mHi*4kdKKGcz~@;nCTGy%S6*SOc=8_^1`*LV zXf0sJk(WJCmjA7=o0;@!d)XH4DgVZD7OAN3JP^CZ7 z67n}GIm`c5EXC2~dX~OWuj4ssd}~ZLPdHI0YqUGdK@!5)`j*6rRRFsWRcO;k9{i#A ztKS*!S7H3t;Z4CaR-e;3VGcDIHS`C(flRPX^z}!LigFRv>~Pvh_DRold^@E`3HDIem+CF@c6 z<(|Ojy{+BC^Ae+bujva}PqDis{R6%`P>zWc6x+r5`tYLyO7vCdo)_q1iYhFmZD;w( zVas#&(60WxeC=I(vOF&Hg>M9wHRRE{*PSex)E@D|l9cmGESuZNyk(FJxSx!KTA(*1 z?4FMQt8dh<0K5a`#l=^Z>$XI-;8)%#DK_s?>S7IitTa<~ZH2)$XO$PJFL zmV~zdi7bfhL(v#i6S&k-B>r>Vrm)NV0&!MWIUXr<{=sJR{#!c)x6sb3ag*S|8Z23CbvC}GRWU2m^I^z=2)KftOe`#PfOuk3uN^6vLls{`R)!Od;{ zqLtqD-x*V#qKI$ov%uALke{(5StV%RtVa0xU}TnjIp%Wc! zwS(S8nS;OtrXZVuiQkNEcXWb+>j{Dr(8nTWBJR`c8$ErDWK1&pTL!#5ynjZ8)LH8u zp51wQ|4|hd-3VjT=YN6yN@S9b5B<|2LUSn*0=}Z1pr;ZG)@ut;6n_pkX3)Oim8%+` zJ|j%)5Z%sw!Sj{8mn}@?#YGFy=IHlxD<6oow;jPDSSYWe_vIZBBZZw~oZ;Iv#7^4! z;4MtKc}<7!3C{IOYeGiALHkSy1zULRy;rR{KWjO5tg9DvZ#Z0uqkinSm))SUW#Vx5 z0!1^# zTw_%Vl=_q>3;a>Aw+aWFO-PxD(4VMFY&6?!DSeS0sMt$S_?7*;iHS2|rD6P=O_|si zN*V@q(RF?O{k!*pnV7ep8vJNrr>4>9NA2@I+|I?;37C`Bfc#l?L{h$5fxW?)Lsbg` zK{{EjANxwowoJ%?+L<$F+gY$v=8lZeyG*!UK{yui@-Y?t*!e(sc1`Og{FG%vIUp7m z3J3c?6aVk}|M!gr)BXp_%({$=`$eMMtb1em4R4Y}xeHv#!})(>{{M#>ywNNOP2}Jl zE*KQ#|JMGBa`1hA+a8!mQcD`t-U4Q#uF8e=U`Rb0Q1DAl_GfzeO0djHU`(N+y zzoGYJuvQ_iWh~>-A0t~N>ks5~Ds=zb{e3st_74jUhDy!E+(xrZL4bn1Lg6U F{tq!KI%@y` literal 0 HcmV?d00001 From c08eb3d11adc71425c9245e0630bee5408572433 Mon Sep 17 00:00:00 2001 From: Chris Date: Wed, 11 Feb 2026 15:10:50 -0500 Subject: [PATCH 57/58] fix broken link --- docs/cli_reference.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/cli_reference.md b/docs/cli_reference.md index 971c48b46a..789583d5c1 100755 --- a/docs/cli_reference.md +++ b/docs/cli_reference.md @@ -6671,8 +6671,8 @@ config | command | description | | ------- | ----------- | -| [`authority`](#show-config-candidate-authority) | Show configuration data for 'authority' | -| [`generated`](#show-config-candidate-generated) | Show configuration data for 'generated' | +| `authority` | Show configuration data for 'authority' | +| `generated` | Show configuration data for 'generated' | ## `show config disk-cache` @@ -6937,8 +6937,8 @@ config | command | description | | ------- | ----------- | -| [`authority`](#show-config-running-authority) | Show configuration data for 'authority' | -| [`generated`](#show-config-running-generated) | Show configuration data for 'generated' | +| `authority` | Show configuration data for 'authority' | +| `generated` | Show configuration data for 'generated' | ## `show config version` From 9160fa8b1fee6d64d292fc042895cabf0239ca13 Mon Sep 17 00:00:00 2001 From: Chris Date: Wed, 11 Feb 2026 16:01:33 -0500 Subject: [PATCH 58/58] another broken link --- docs/cli_reference.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/cli_reference.md b/docs/cli_reference.md index 789583d5c1..2c88b35666 100755 --- a/docs/cli_reference.md +++ b/docs/cli_reference.md @@ -11755,7 +11755,7 @@ show system [{router | resource-group }] [force] [node | [`resource-allocation`](#show-system-resource-allocation) | Display information for reserved hugepages and CPU core masks. | | [`services`](#show-system-services) | Display a table summarizing statuses of SSR systemd services. | | [`software`](#show-system-software) | <available> \| <downgrade> \| <download> \| <health-check> \| <revert> \| <sources> \| <upgrade> | -| [`utilization`](#show-system-utilization) | <session-processors> | +| [`utilization`](#show-system-utilization-session-processors) | Display system utilization session processor thread CPU usage. | | [`version`](#show-system-version) | Show system version information. | ##### See Also