Re: [I2nsf] Help on turning I2NSF Information Models to Data Models
"Susan Hares" <shares@ndzh.com> Thu, 16 June 2016 02:02 UTC
Return-Path: <shares@ndzh.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C119412DA8D for <i2nsf@ietfa.amsl.com>; Wed, 15 Jun 2016 19:02:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.738
X-Spam-Level: *
X-Spam-Status: No, score=1.738 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DOS_OUTLOOK_TO_MX=2.845, RDNS_NONE=0.793] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t3l8Jv2elM-u for <i2nsf@ietfa.amsl.com>; Wed, 15 Jun 2016 19:02:48 -0700 (PDT)
Received: from hickoryhill-consulting.com (unknown [50.245.122.97]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 716B812D7C2 for <i2nsf@ietf.org>; Wed, 15 Jun 2016 19:02:48 -0700 (PDT)
X-Default-Received-SPF: pass (skip=forwardok (res=PASS)) x-ip-name=118.21.137.13;
From: Susan Hares <shares@ndzh.com>
To: 'Aldo Basile' <cataldo.basile@polito.it>, 'DIEGO LOPEZ GARCIA' <diego.r.lopez@telefonica.com>
References: <010801d1c1aa$6ac56ee0$40504ca0$@ndzh.com> <B2C68D9F-53FB-4819-ADDF-9EEF28FD4094@telefonica.com> <c760a113-8e84-7d67-019c-fc3eae638d61@polito.it> <006e01d1c285$71a2d230$54e87690$@ndzh.com> <230501e1-207e-971d-d6c4-cdd6d5b0dbc4@polito.it>
In-Reply-To: <230501e1-207e-971d-d6c4-cdd6d5b0dbc4@polito.it>
Date: Wed, 15 Jun 2016 22:02:24 -0400
Message-ID: <000001d1c773$21b1c540$65154fc0$@ndzh.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQGUWGDrTkkdwdvmZukIjVNPPNrRjwH2MpTVAdeBMx4DOXsT1gKXvbARoBkzhjA=
Content-Language: en-us
X-Authenticated-User: skh@ndzh.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/GKyMkBW1nSzThFxK4n9_E8GiuxM>
Cc: i2nsf@ietf.org, adrian@olddog.co.uk, 'Linda Dunbar' <linda.dunbar@huawei.com>
Subject: Re: [I2nsf] Help on turning I2NSF Information Models to Data Models
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Jun 2016 02:02:52 -0000
Aldo: I'm going to answer in summary, and then with "sue:" in the text below. On, hares-i2rs-pkt-eca-policy - I agree it is missing -----Original Message----- From: I2nsf [mailto:i2nsf-bounces@ietf.org] On Behalf Of Aldo Basile Sent: Friday, June 10, 2016 6:46 AM To: Susan Hares; 'DIEGO LOPEZ GARCIA' Cc: i2nsf@ietf.org; adrian@olddog.co.uk; 'Linda Dunbar' Subject: Re: [I2nsf] Help on turning I2NSF Information Models to Data Models Dear Susan, more comments in-line... On 09/06/2016 21:30, Susan Hares wrote: >> Alod: >> >> The minor changes to getting IPTable deployments are why I started >> this thread. >> >> On 1) I turned the packet matching into a ordered list where a match >> causes the processing to stop. Your action_to_enforce <-- >> Resolution{Rx,Ry,Rt,...}. You can see some of the ideas in my I2RS draft >> (draft-hares-i2rs-pkt-eca-policy), but it needed changes for I2RS and for >> the policy. The draft-hares-i2rs-fb-rib-data-model shows how you can use >> this policy on specific interfaces, and have a default RIB for things >> which do not match. I am interested to discuss your ideas on the more >> complex policy model. >I have checked your draft, I see that you can easily model iptables rules. I also noticed that you mapped an incredibly high number of conditions on the > most important (if not all) protocols at the first four ISO layers. Excellent work that we may want to reuse. Thank you. >Compared to our model, there is a missing information: the condition matching algorithm, i.e., the types of operations allowed when specifying a >condition on a given field. That is, when you express conditions on IP Protocol Type field you specify a list of values >and don't need to use ranges (= set based), for source or dest ports you may want to use > inequalities or ranges (= range based) and for IP source and dest you may want to use prefixes (= prefix based ~ range based). >For URLs and other upper protocol conditions on strings you may want to use string match (like squid dstdomain acl) or regex match > (like squid url_regex acl). Sue: I agree. I am waiting for the WG LC to be completed to release a version with more matching conditions. However, I'd be very interested in yours. >Finally, to describe cases like antivirus or malware detection conditions we have introduced the custom >match conditions (i.e., we describe the list of fields that the condition match verifier will take into account when taking the decision > without explicitly referring to the algorithm to map these inputs into a Boolean answer). >'Other capabilities' in the Capabilities draft will likely be Custom Match conditions. Sue: You are correct this is missing. My struggle was where to draw the line for simple filtering (aka IPTable or netfiltesr) and the security custom. I was trying to create a base model for simple filtering and augment it. Do you think I have a good base. >Since our objective in SECURED was also to model policy specification needs at a higher level (and to perform refinement), we concentrated on the >definition of resolution strategies that may be useful for administrators, regardless of the fact that they are actually implemented in some security >controls. Sue: Excellent! I would love to see this policy. I tried to get work on the node filters (I2RS and I2NSF). Is this the user to I2NSF Manager? >For instance we considered the Deny Take Precedence (DTP) resolution strategies, borrowed from the DB world, >where if more a rule matches, the action to enforce will be Deny (drop in your model) if at least one of the matching rule enforce the Deny. >This is a way to implement conservative policies. Sue: An interesting strategy for top-down (management). Is that what you were doing? > Moreover, there is also the Most Specific Take Precedence (MSTP) which applies the rule that more precisely matches the PDU (e.g., if there is a rule for > a subnet and one specific for a given IP, the one for the single IP prevails). This MSTP - is often the default in routing. >Note that not all the device use prioritized rules (= list of rules) to make decisions. A simple example: the ipsec tools use the {Default, Use, Require, >Unique} attributes that slightly change the ordered list behavious. Therefore, the concept of resolution strategy needs to be explicitly reported in a data >model (in my opinion). Yes - the resolution strategy does need to indicate whether it is ordered or "all rules match", or something else If you are interested in my policy model, a more detailed (and formal definition) description of resolution strategies and the policy model for our work on capabilities can be found here: (for packet filters) http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=6111329 (extension on application filters) http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=6690252 Could you send me a copy via email (outside the mail list) with this documents. I cannot get access. >> >> On 2) My packet filters can be expanded to include application filters >> or we can create a another grouping of filters. >I agree it is a very easy step in your model. Thank you for your input. > > On 3) security controls in network security control I agree that the > matching is complex or the actions are complex. In many > cases, these actions are specific to a vendor. However, let's start with > simple URL filtering as an example. I assumed that the URL Filtering > was point to a URL Filtering list. There could be public lists or vendor > generated lists. Therefore in high level yang, the first part of the i2NSF > Security content might be: > > Module -i2nsf-sec-content > +--rw i2nsf-sec-content-cap* [order-id rule] > +--rw order-id > +--rw rule-name > +--rw anti-virus > | +--rw public-anti-virus* [name] > | .... > | +--rw vendor-anti-virus* [vendor] > | .... > +--rw IPS > | +--rw snort-rules* [date] > | | ... > | +--rw vendor-IPS-rule* [Vendor] > | | ... > +--rw URL Filtering > | +--rw public-url* [name] > | | ... > | +--rw vendor-url*[vendor] > | | .... > > I think this matches your work. However, I think the results of the filter > process can be match or not. The question is once you match, what do > you do? Aldo's comments: >If I understand correctly, you implicitly assume an action when using URL filters. >For me, URL filtering is just a condition of regex/string based type. > If (the URL in the PDU under examination matches some_URL_strings) then return TRUE. Sue: Agreed >>some_URL_strings can be either manually written by the policy editor or obtained by some vendor or public source of URLs. > Then this condition on URLs can be mixed with other conditions to form other rules. > if (URLcondition) ^ (other conditions) Then ACTION >You can see a simple example of what I'm describing in squid > > acl goodurl url_regex myurl1 myurl2 myurl3 acl goodip dst 1.1.1.1 > > http_access allow goodurl goodip >If the list {myurl1 myurl2 myurl3 } is downloaded from a site, the matching does not change, the way to retrieve the data of course changes. >>I follow the same approach (i.e., I model them as conditions) also for for snort rules, VendorIPS rules etc. This was my assumption in my code. The reason I had two places was to allow the user a mount point for the public rules (e.g. snort filters from a public site), and vendor developed (from IDS/IPS). I am missing your point, but I have not read your documents yet. >> >> The packet eca actions can have many types >> | +--rw eca-actions >> | | +--rw eca-ingress-act* >> | | | ... (permit, deny, mirror) >> | + +--rw eca-fwd-actions* >> | | ... (invoke, tunnel encap, fwd, drop) >> | | +--rw eca-egress-act* >> | | | (rate limit output,..) >> | | +--rw eca-qos-actions* >> | | | .. (set bits in packet >> | + +--rw eca-security-actions* >> | | uses i2nsf-sec-content-cap >> >> I was starting to work on these complex set of actions when I felt I needed >> to make sure I was on the right track. >I agree on these action types, I have considered all of them in my model. >To the URL filter example before, for me, the eca-fwd-actions drop is >the one that it is actually applied for blacklists of URL and fwd > (~allow/accept) is the one in case of white lists. >Hope this has clarified my idea on the complex actions that I saw in the > Capabilities draft. Yes I has clarified our work. > > 4) PDP and PEP is a valuable concept. I think that ordered lists of > packet-based ECA policy is simply a means for the PDP to send the PEP a > specific set of ordered filters. Similarly, the exchange of capabilities > is simply the I2NSF sending the NSF its capabilities as ordered rules. > > +--rw i2nsf-policy-list > +--rw policy-list-name string > +--rw policy-rule [name] > +--rw name string > +--rw net-sec-ctl-rules* > uses ietf-pkt-eca-policy-cfg > +--rw net-sec-content > uses i2nsf-content-rules* > +--rw net-attack-mitigate* > uses i2nsf-mitigate-rules > > Have I misunderstood previous conversations on this topic? >Yes, you interpreted correctly my idea of events. However, in our model >we see in a slightly different way the PDP-PEP exchanges and capability >interfaces. > >The PEP sends the PDP the stateful info (i.e., the context) together >with the flow/packet/PDU data to evaluate (note that some additional >info can be obtained from a PIP, but this is a minor detail). >This context info also contains the events that triggered the evaluation >from the PEP. This is a lot of backhaul for a simple security device (iptables) for more sophisticated devices, it may be the best way. >The PDP looks into the Policy in the PolicyDB, checks matching rules and >decides actions (some of these rules will contain conditions on the >events), then the PDP sends the PEP the action (+ provisional data). >[maybe it is not 100% compliant with IETF but just for lack of room, > it's already a long email.] I understand the concept. It is the original PDP/PEP work. Is there a benefit in this for security work that I am missing? >In a SECURED-equivalent approach, the I2NSF controller knows (from a >repository) or asks the NSF its capabilities (through an API), >capabilities that include the list the actions that can enforce, the >conditions that allow to determine the traffic on which enforce actions, >plus all the other info needed to build a valid configuration for that >device. >Then the SECURED infrastructure uses this info to derive a configuration >for the NSF (i.e., a policy composed of rules for the specific NSF), >based on high-level policies (i.e., vendor- NSF-agnostic security >requirements). Sue: This is a reasonable approach, the only problem is how much "backhaul" of data needs to be done. In modern switches fabrics, You can get a lot of logic done on site. (Age-old trade off: tunnel to process or process on edge of network) >That is, the policy is built on the NSF capabilities (capabilities that >describe what an NSF can do if the infrastructure wants to use it for > enforcing security policies) but it is not a capability. Hope I am not cryptic and boring with these long emails... Not cryptic and I really appreciate your long email. I will do better once I've seen the papers or your model. Regards, Aldo > > -----Original Message----- > From: I2nsf [mailto:i2nsf-bounces@ietf.org] On Behalf Of Aldo Basile > Sent: Thursday, June 09, 2016 1:29 PM > To: DIEGO LOPEZ GARCIA; Susan Hares > Cc: i2nsf@ietf.org; adrian@olddog.co.uk; Linda Dunbar > Subject: Re: [I2nsf] Help on turning I2NSF Information Models to Data Models > > Dear Susan, > > I'm currently working on a model of security control capabilities based on > the work within the SECURED project. The SECURED project also aims at > performing policy refinement, thus we probably need a more detailed model > than the one that may suffice for management purposes. > > I also started from the draft "Capability model for South Bound interface > (I2NSF manager to NSF device)" > https://datatracker.ietf.org/doc/draft-xia-i2nsf-capability-interface-im/). > The other two documents are too related to DDoS and monitoring. > I think there are (minor) issues in that information model that will make > impossible to represent iptables rules and policies, and more in general, > for an unambiguous description of the functions performed by a NSF. Thus > much before the actual deployment of the configurations. > Our model is not ready (it will be ready soon). So I'll add a few notes here > related to the creation of Data models. > > As a first general comment, I like the approach in the Capability document. > It is not far from what we are doing and the positions are easily > reconcilable. However, I have a few comments on specific topics. > > > 1) The policy rule evaluation algorithm at page 13 is too simple to model > the behaviour of several existing security controls, including iptables. > It does not take care of cases where more than a rule matches a > flow/packet/PDU, that is, the model does not consider the resolution > strategies. > That is, the match part is rule-specific (i.e., conditions are evaluated for > each rule), the action to enforce is decided at policy level by considering > all the matching rules. > > Moreover, there are devices/security controls that stop when the first rule > matches (like iptables, resolution = First Matching Rule) other security > controls where the decision to stop the evaluation of other rules at lower > priorities is written in the rule itself (like ModSecurity that includes > some "actions" for rules order processing / rules control flow management). > > Therefore, the part that needs to be refined is: > > THEN execute <action-clause> > > maybe into > > action_to_enforce <-- Resolution{Rx,Ry,Rt,...} > > where Rx,Ry,Rt,... are the matching rules, i.e., the rules whose conditions > are all satisfied. > > Finally, the model must consider that if no rules match, then the security > control must apply the default action (However, this is easier to add into > the model and can be described with a normal rule.) To precisely cover all > these cases, in our work, we are relying to a more sophisticated policy > model. > > 2) security controls in the same category (e.g., network security > control) may 'expose' different conditions and actions, thus they need to be > described with more granularity in order to guarantee inter-operability and > management correctness. > > This is evident as the draft considers in the same category packet filters > and application layer filters. Even in the same sub-category, e.g., > application layer filters, they have very different set of conditions (and > underlying policy models). > > That is, attributes (=conditions) in the reported tables and in the EBNF > syntax description do not apply to all the elmements in each category and > need to be associated to each control individually. There are not so many of > these security controls/products thus the problem is manageable. > Moreover, if this becomes a standard, the security control > vendors/developers would provide these data. > This consideration should affect your Yang model. > > > 3) The 'Other security capabilities' (see Figure 2) as subclass of Actions. > In my opinion, in the great majority of the cases listed, the 'other > security capabilities' classes are conditions (for instance the 'URL > filtering' is a condition = the action is deny/allow based on a string > match/regex match condition on the URL field). > In same cases, e.g., anti-virus and IPS signature recognition may be > probably split in a condition part and some additional actions to add in the > model (to be thus modelled separately), even if in my opinion they are again > additional conditions whose domain is not a specific field. In these cases, > the type of match is not based on simple operations (like =, !=, <, regex > match) but on ad hoc, possibly sophisticated algorithms. > In the end, they return a Boolean value that says whether the > flow/packet/PDU matches or not. > > Maybe, it can be reconciled with our current work by just 'appending' > these features in another class that originates from Rule (is it a > composition?), or better, as a subclass of the Condition class (e.g., > Ingress, Egress, OtherConditionType). > > > 4) Finally, I personally don't like ECA models because they mix PEP concepts > with PDP/policy model concepts. Events are useful, no discussion. But for > me, event information is just another kind of stateful info (or Context, as > named in this document) collected by the PEP and passed to the PDP as any > other Context info. The Policy model must then have a corresponding > context/stateful condition type in the Policy model, to decide how to react, > also on a per-rule basis. [you can see that events are exactly another kind > of condition from the rule evaluation algorithm I mentioned before] But I > know this topic has been already discussed in this WG. > > > Regards, > Aldo > > > On 08/06/2016 23:40, DIEGO LOPEZ GARCIA wrote: >> Hi, >> >> Just a quick reply from a not too deep reading and a few minutes of >> thinking about it. I see this approach promising, and better >> structured than previous proposals on how to work at the Capability >> interface. It is my impression that this is well aligned with the >> model we have been applying in the SECURED project. >> >> Be goode, >> >>> On 8 Jun 2016, at 19:23 , Susan Hares <shares@ndzh.com >>> <mailto:shares@ndzh.com>> wrote: >>> >>> Im working on some data models for I2NSF that intersect with I2RS >>> Filter-Based RIB Models and BGP Flow Specification Data models. I >>> could use some advice from the authors of the following information >>> models. >>> >>> My focus is to be able to drive the use the flow filter Yang models >>> (I2NSF packet-filters, Filter-Based RIB (config, I2RS, BGP input), >>> and BGP Flow Specification transmission of filters) to drive the >>> simple firewall rules found in the Linux iptables user program >>> (netfilter kernel module). I am trying to get a set of Yang data >>> models that can interact with a process (e.g. iptable++ user program >>> named flow-filters) that communicates with a confd (cisco netconf >>> deamon set) that handles NETCONF/RESTCONF and uses Yang to create the >>> data base. I am creating prototype Data models that mirror the >>> following drafts: >>> >>> · Capability model for South Bound interface (I2NSF manager to >>> NSF >>> device) > https://datatracker.ietf.org/doc/draft-xia-i2nsf-capability-interface-im/ >>> · Inter-Cloud DDoS Mitigation API >>> > https://datatracker.ietf.org/doc/draft-fang-i2nsf-inter-cloud-ddos-mitigatio > n-api/ >>> · *An Information Model for the Monitoring of Network Security >>> Functions >>> - >>> https://tools.ietf.org/html/draft-zhang-i2nsf-info-model-monitoring-0 >>> 0* >>> >>> My understanding is the I2NSF capability interface focus on the >>> south-bound interface to the NSF. To start out a Yang data model, I >>> have created high-level Yang structures for these three models. Ill >>> be asking questions about each model in a separate email thread, but >>> answer me in any email thread. >>> >>> First on the capability model, network security control is a list of >>> ECA policies, network security content capability is a list of >>> security content capabilities, and attack mitigation is a list of >>> attack mitigation capabilities. A suggested Yang High-level model >>> structure is below. My question is how does an I2NSF manager engage >>> the packet security policies? Does putting a policy in the network >>> security control means it gets transmitted to the NSF device, and >>> installed? Does the capability model provide both the way to list >>> the functions (security content and mitigation) and a way to engage >>> these functions? >>> >>> Sue Hares >>> >>> >>> Initial Yang models >>> ---------- >>> ietf-i2nsf-capability-SBI >>> +--rw i2nsf-policy-list >>> +--rw policy-list-name string - name of policy list >>> +--rw i2nsf-policy-rule* [name] >>> +--rw name string - name of policy rule >>> +--rw net-sec-ctl-rules >>> uses ietf-pkt-eca-sec-policy // packet ECA security >>> policy >>> >>> +--rw net-sec-content // list of content security >>> capabilities >>> uses i2nsf-sec-content // grouping of security >>> capabilities >>> >>> +--rw net-attack-mitigate // list of mitigation >>> capabilities / >>> uses i2nsf-mitigate-rules //grouping of mitigation >>> capabilities >>> >>> Is this a good way to start the capabilities structure? I have >>> definitions for each of the uses statements in different models, >>> but I need help understanding if this structure is correct. >>> >>> ietf-pkt-eca-sec-policy can be an extension of the I2RS/Configuration >>> filters for packet Filter-Based RIBS. For the >>> i2nsf-sec-content-capbility, does this form make sense: >>> >>> +--i2nsf-sec-content >>> +--rw i2nsf-sec-content-cap* [order-id function-set-name] >>> +--rw order-id // order # if >>> in ordered list >>> +--rw function-set-name string // name for function >>> +--rw anti-virus // basic >>> security content action >>> | +--rw public-anti-virus [name] // anti-virus capability >>> from public sources >>> | // >>> (yang structure details) >>> | +--rw vendor-anti-virus [vendor] // anti-virus capability >>> from vendor >>> | | >>> . >>> >>> The mitigation has a similar structure to the i2nsf-sec-content. >>> >>> +--i2nsf-attack-mitigation >>> +--rw i2nsf-attack-mitigate-fcn* [order-id, fcn-name] >>> +--rw order-id >>> +--rw fcn-name >>> +--rw syn-flood >>> | +--rw public-syn-flood* [name] >>> | | ... >>> | +--rw vendor-syn-flood* [vendor] >>> | | ... >>> +--rw UDP flood >>> >>> >>> >>> _______________________________________________ >>> I2nsf mailing list >>> I2nsf@ietf.org <mailto:I2nsf@ietf.org> >>> https://www.ietf.org/mailman/listinfo/i2nsf >> >> -- >> "Esta vez no fallaremos, Doctor Infierno" >> >> Dr Diego R. Lopez >> Telefonica I+D >> http://people.tid.es/diego.lopez/ >> >> e-mail: diego.r.lopez@telefonica.com >> Tel: +34 913 129 041 >> Mobile: +34 682 051 091 >> ---------------------------------- >> >> >> ---------------------------------------------------------------------- >> -- >> >> Este mensaje y sus adjuntos se dirigen exclusivamente a su >> destinatario, puede contener información privilegiada o confidencial y >> es para uso exclusivo de la persona o entidad de destino. Si no es >> usted. el destinatario indicado, queda notificado de que la lectura, >> utilización, divulgación y/o copia sin autorización puede estar >> prohibida en virtud de la legislación vigente. Si ha recibido este >> mensaje por error, le rogamos que nos lo comunique inmediatamente por >> esta misma vía y proceda a su destrucción. >> >> The information contained in this transmission is privileged and >> confidential information intended only for the use of the individual >> or entity named above. If the reader of this message is not the >> intended recipient, you are hereby notified that any dissemination, >> distribution or copying of this communication is strictly prohibited. >> If you have received this transmission in error, do not read it. >> Please immediately reply to the sender that you have received this >> communication in error and then delete it. >> >> Esta mensagem e seus anexos se dirigem exclusivamente ao seu >> destinatário, pode conter informação privilegiada ou confidencial e é >> para uso exclusivo da pessoa ou entidade de destino. Se não é vossa >> senhoria o destinatário indicado, fica notificado de que a leitura, >> utilização, divulgação e/ou cópia sem autorização pode estar proibida >> em virtude da legislação vigente. Se recebeu esta mensagem por erro, >> rogamos-lhe que nos o comunique imediatamente por esta mesma via e >> proceda a sua destruição >> >> >> _______________________________________________ >> I2nsf mailing list >> I2nsf@ietf.org >> https://www.ietf.org/mailman/listinfo/i2nsf >> > > > > _______________________________________________ > I2nsf mailing list > I2nsf@ietf.org > https://www.ietf.org/mailman/listinfo/i2nsf >
- [I2nsf] 答复: Help on turning I2NSF Information Mod… Xialiang (Frank)
- Re: [I2nsf] Help on turning I2NSF Information Mod… Diego R. Lopez
- Re: [I2nsf] 答复: Help on turning I2NSF Information… Aldo Basile
- [I2nsf] 答复: Help on turning I2NSF Information Mod… Xialiang (Frank)
- Re: [I2nsf] Help on turning I2NSF Information Mod… Aldo Basile
- Re: [I2nsf] 答复: Help on turning I2NSF Information… Susan Hares
- [I2nsf] 答复: Help on turning I2NSF Information Mod… Xialiang (Frank)
- Re: [I2nsf] Help on turning I2NSF Information Mod… DIEGO LOPEZ GARCIA
- Re: [I2nsf] Help on turning I2NSF Information Mod… Susan Hares
- Re: [I2nsf] Help on turning I2NSF Information Mod… Susan Hares
- [I2nsf] 答复: Help on turning I2NSF Information Mod… Xialiang (Frank)
- Re: [I2nsf] Help on turning I2NSF Information Mod… Susan Hares
- [I2nsf] Help on turning I2NSF Information Models … Susan Hares
- Re: [I2nsf] Help on turning I2NSF Information Mod… Linda Dunbar
- Re: [I2nsf] Help on turning I2NSF Information Mod… DIEGO LOPEZ GARCIA
- Re: [I2nsf] Help on turning I2NSF Information Mod… Aldo Basile
- Re: [I2nsf] Help on turning I2NSF Information Mod… Susan Hares
- Re: [I2nsf] Help on turning I2NSF Information Mod… Susan Hares
- Re: [I2nsf] Help on turning I2NSF Information Mod… Linda Dunbar
- Re: [I2nsf] Help on turning I2NSF Information Mod… Aldo Basile