--- 1/draft-ietf-i2nsf-nsf-monitoring-data-model-18.txt 2022-05-23 02:13:21.490326571 -0700 +++ 2/draft-ietf-i2nsf-nsf-monitoring-data-model-19.txt 2022-05-23 02:13:21.662330952 -0700 @@ -1,23 +1,23 @@ Network Working Group J. Jeong, Ed. Internet-Draft P. Lingga Intended status: Standards Track Sungkyunkwan University -Expires: 21 October 2022 S. Hares +Expires: 24 November 2022 S. Hares L. Xia Huawei H. Birkholz Fraunhofer SIT - 19 April 2022 + 23 May 2022 I2NSF NSF Monitoring Interface YANG Data Model - draft-ietf-i2nsf-nsf-monitoring-data-model-18 + draft-ietf-i2nsf-nsf-monitoring-data-model-19 Abstract This document proposes an information model and the corresponding YANG data model of an interface for monitoring Network Security Functions (NSFs) in the Interface to Network Security Functions (I2NSF) framework. If the monitoring of NSFs is performed with the NSF monitoring interface in a standard way, it is possible to detect the indication of malicious activity, anomalous behavior, the potential sign of denial-of-service attacks, or system overload in a 
@@ -35,21 +35,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on 21 October 2022. + This Internet-Draft will expire on 24 November 2022. Copyright Notice Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights 
@@ -105,21 +105,21 @@ 10.1. I2NSF System Detection Alarm . . . . . . . . . . . . . . 86 10.2. I2NSF Interface Counters . . . . . . . . . . . . . . . . 88 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 89 12. Security Considerations . . . . . . . . . . . . . . . . . . . 90 13. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 92 14. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 92 15. References . . . . . . . . . . . . . . . . . . . . . . . . . 92 15.1. Normative References . . . . . . . . . . . . . . . . . . 93 15.2. Informative References . . . . . . . . . . . . . . . . . 97 Appendix A. Changes from - draft-ietf-i2nsf-nsf-monitoring-data-model-16 . . . . . . 98 + draft-ietf-i2nsf-nsf-monitoring-data-model-18 . . . . . . 98 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 98 1. Introduction According to [RFC8329], the interface provided by a Network Security Function (NSF) (e.g., Firewall, IPS, or Anti-DDoS function) to enable the collection of monitoring information is referred to as an I2NSF Monitoring Interface. This interface enables the sharing of vital data from the NSFs (e.g., events, records, and counters) to an NSF data collector (e.g., Security Controller) through a variety of 
@@ -1289,21 +1289,21 @@ initialization of the local management subsystem, then this node contains the time the local management subsystem was re- initialized. The time format used is following the rules in Section 5.6 of [RFC3339]. 7. YANG Tree Structure of NSF Monitoring YANG Module The tree structure of the NSF monitoring YANG module is provided below: - module: ietf-i2nsf-nsf-monitoring + module: ietf-i2nsf-monitoring-interface +--ro i2nsf-counters | +--ro vendor-name? string | +--ro device-model? string | +--ro software-version? string | +--ro nsf-name union | +--ro timestamp? yang:date-and-time | +--ro acquisition-method? identityref | +--ro emission-type? identityref | +--ro system-interface* [interface-name] | | +--ro interface-name if:interface-ref 
@@ -1323,34 +1323,34 @@ | | +--ro in-traffic-peak-rate? uint64 | | +--ro in-traffic-average-throughput? uint64 | | +--ro in-traffic-peak-throughput? uint64 | | +--ro out-traffic-average-rate? uint64 | | +--ro out-traffic-peak-rate? uint64 | | +--ro out-traffic-average-throughput? uint64 | | +--ro out-traffic-peak-throughput? uint64 | +--ro nsf-firewall* [policy-name] | | +--ro in-interface? if:interface-ref | | +--ro out-interface? if:interface-ref - | | +--ro policy-name -> /nsfintf:i2nsf-security-policy/name + | | +--ro policy-name -> /i2nsfnfi:i2nsf-security-policy/name | | +--ro discontinuity-time yang:date-and-time | | +--ro measurement-time? uint32 | | +--ro total-traffic? yang:counter64 | | +--ro in-traffic-average-rate? uint64 | | +--ro in-traffic-peak-rate? uint64 | | +--ro in-traffic-average-throughput? uint64 | | +--ro in-traffic-peak-throughput? uint64 | | +--ro out-traffic-average-rate? uint64 | | +--ro out-traffic-peak-rate? uint64 | | +--ro out-traffic-average-throughput? uint64 | | +--ro out-traffic-peak-throughput? uint64 | +--ro nsf-policy-hits* [policy-name] - | +--ro policy-name -> /nsfintf:i2nsf-security-policy/name + | +--ro policy-name -> /i2nsfnfi:i2nsf-security-policy/name | +--ro discontinuity-time yang:date-and-time | +--ro hit-times? yang:counter64 +--rw i2nsf-monitoring-configuration +--rw i2nsf-system-detection-alarm | +--rw enabled? boolean | +--rw system-alarm* [alarm-type] | +--rw alarm-type enumeration | +--rw threshold? uint8 | +--rw dampening-period? centiseconds +--rw i2nsf-system-detection-event 
@@ -1419,21 +1419,21 @@ | +--:(i2nsf-system-detection-event) | | +--ro i2nsf-system-detection-event | | +--ro event-category? identityref | | +--ro user string | | +--ro group* string | | +--ro ip-address inet:ip-address-no-zone | | +--ro l4-port-number inet:port-number | | +--ro authentication? identityref | | +--ro changes* [policy-name] | | +--ro policy-name - -> /nsfintf:i2nsf-security-policy/name + -> /i2nsfnfi:i2nsf-security-policy/name | +--:(i2nsf-traffic-flows) | | +--ro i2nsf-traffic-flows | | +--ro interface-name? if:interface-ref | | +--ro interface-type? enumeration | | +--ro src-mac? yang:mac-address | | +--ro dst-mac? yang:mac-address | | +--ro src-ip? inet:ip-address-no-zone | | +--ro dst-ip? inet:ip-address-no-zone | | +--ro protocol? identityref @@ -1498,21 +1498,21 @@ | | +--ro type? enumeration | | +--ro cause? string | +--:(i2nsf-nsf-log-dpi) {i2nsf-nsf-log-dpi}? | +--ro i2nsf-nsf-log-dpi | +--ro attack-type? identityref | +--ro src-ip? inet:ip-address-no-zone | +--ro src-port? inet:port-number | +--ro dst-ip? inet:ip-address-no-zone | +--ro dst-port? inet:port-number | +--ro rule-name - -> /nsfintf:i2nsf-security-policy/rules/name + -> /i2nsfnfi:i2nsf-security-policy/rules/name | +--ro action* identityref +---n i2nsf-nsf-event +--ro vendor-name? string +--ro device-model? string +--ro software-version? string +--ro nsf-name union +--ro message? string +--ro language? string +--ro acquisition-method? identityref +--ro emission-type? identityref 
@@ -1521,75 +1521,75 @@ +--:(i2nsf-nsf-detection-ddos) {i2nsf-nsf-detection-ddos}? | +--ro i2nsf-nsf-detection-ddos | +--ro attack-type? identityref | +--ro start-time yang:date-and-time | +--ro end-time? yang:date-and-time | +--ro attack-src-ip* inet:ip-address-no-zone | +--ro attack-dst-ip* inet:ip-address-no-zone | +--ro attack-src-port* inet:port-number | +--ro attack-dst-port* inet:port-number | +--ro rule-name - -> /nsfintf:i2nsf-security-policy/rules/name + -> /i2nsfnfi:i2nsf-security-policy/rules/name | +--ro attack-rate? uint64 | +--ro attack-throughput? uint64 +--:(i2nsf-nsf-detection-virus) {i2nsf-nsf-detection-virus}? | +--ro i2nsf-nsf-detection-virus | +--ro src-ip? inet:ip-address-no-zone | +--ro src-port? inet:port-number | +--ro dst-ip? inet:ip-address-no-zone | +--ro dst-port? inet:port-number | +--ro rule-name - -> /nsfintf:i2nsf-security-policy/rules/name + -> /i2nsfnfi:i2nsf-security-policy/rules/name | +--ro virus-name? string | +--ro virus-type? identityref | +--ro host? union | +--ro file-type? string | +--ro file-name? string | +--ro os? string +--:(i2nsf-nsf-detection-intrusion) {i2nsf-nsf-detection-intrusion}? | +--ro i2nsf-nsf-detection-intrusion | +--ro src-ip? inet:ip-address-no-zone | +--ro src-port? inet:port-number | +--ro dst-ip? inet:ip-address-no-zone | +--ro dst-port? inet:port-number | +--ro rule-name - -> /nsfintf:i2nsf-security-policy/rules/name + -> /i2nsfnfi:i2nsf-security-policy/rules/name | +--ro protocol? identityref | +--ro app? identityref | +--ro attack-type? identityref +--:(i2nsf-nsf-detection-web-attack) {i2nsf-nsf-detection-web-attack}? | +--ro i2nsf-nsf-detection-web-attack | +--ro src-ip? inet:ip-address-no-zone | +--ro src-port? inet:port-number | +--ro dst-ip? inet:ip-address-no-zone | +--ro dst-port? inet:port-number | +--ro rule-name - -> /nsfintf:i2nsf-security-policy/rules/name + -> /i2nsfnfi:i2nsf-security-policy/rules/name | +--ro attack-type? identityref | +--ro req-method? 
identityref | +--ro req-target? string | +--ro filtering-type* identityref | +--ro cookies? string | +--ro req-host? string | +--ro response-code? string +--:(i2nsf-nsf-detection-voip-vocn) {i2nsf-nsf-detection-voip-vocn}? +--ro i2nsf-nsf-detection-voip-vocn +--ro src-ip? inet:ip-address-no-zone +--ro src-port? inet:port-number +--ro dst-ip? inet:ip-address-no-zone +--ro dst-port? inet:port-number +--ro rule-name - -> /nsfintf:i2nsf-security-policy/rules/name + -> /i2nsfnfi:i2nsf-security-policy/rules/name +--ro source-voice-id* string +--ro destination-voice-id* string +--ro user-agent* string Figure 1: NSF Monitoring YANG Module Tree 8. YANG Data Model of NSF Monitoring YANG Module This section describes a YANG module of I2NSF NSF Monitoring. The data model provided in this document uses identities to be used to 
@@ -1597,41 +1597,41 @@ identity used in the document gives information or status about the current situation of an NSF. This YANG module imports from [RFC6991], [RFC8343], and [I-D.ietf-i2nsf-nsf-facing-interface-dm], and makes references to [RFC0768] [RFC0791] [RFC0792] [RFC0826] [RFC0854] [RFC1939] [RFC0959] [RFC2595] [RFC4340] [RFC4443] [RFC4861] [RFC5321] [RFC5646] [RFC6242] [RFC6265] [RFC8200] [RFC8641] [RFC9051] [I-D.ietf-httpbis-http2bis] [I-D.ietf-httpbis-messaging] [I-D.ietf-httpbis-semantics] [I-D.ietf-tcpm-rfc793bis] [I-D.ietf-tsvwg-rfc4960-bis] [IANA-HTTP-Status-Code] [IEEE-802.1AB] - file "ietf-i2nsf-nsf-monitoring@2022-04-19.yang" - module ietf-i2nsf-nsf-monitoring { + file "ietf-i2nsf-monitoring-interface@2022-05-23.yang" + module ietf-i2nsf-monitoring-interface { yang-version 1.1; namespace - "urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring"; + "urn:ietf:params:xml:ns:yang:ietf-i2nsf-monitoring-interface"; prefix - nsfmi; + i2nsfmi; import ietf-inet-types { prefix inet; reference "Section 4 of RFC 6991"; } import ietf-yang-types { prefix yang; reference "Section 3 of RFC 6991"; } - import ietf-i2nsf-policy-rule-for-nsf { - prefix nsfintf; + import ietf-i2nsf-nsf-facing-interface { + prefix i2nsfnfi; reference - "Section 4.1 of draft-ietf-i2nsf-nsf-facing-interface-dm-17"; + "Section 4.1 of draft-ietf-i2nsf-nsf-facing-interface-dm-28"; } import ietf-interfaces { prefix if; reference "Section 5 of RFC 8343"; } organization "IETF I2NSF (Interface to Network Security Functions) Working Group"; contact 
@@ -1661,21 +1661,21 @@ without modification, is permitted pursuant to, and subject to the license terms contained in, the Revised BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself for full legal notices."; - revision "2022-04-19" { + revision "2022-05-23" { description "Latest revision"; reference "RFC XXXX: I2NSF NSF Monitoring Interface YANG Data Model"; // RFC Ed.: replace XXXX with an actual RFC number and remove // this note. } /* * Typedefs @@ -2564,21 +2564,21 @@ "A set of characteristics of a monitoring information."; leaf acquisition-method { type identityref { base acquisition-method; } description "The acquisition-method for characteristics"; } leaf emission-type { when "derived-from-or-self(../acquisition-method, " - + "'nsfmi:subscription')"; + + "'i2nsfmi:subscription')"; type identityref { base emission-type; } description "The emission-type for characteristics. This attribute is used only when the acquisition-method is a 'subscription'"; } } grouping characteristics-extended { description @@ -2661,22 +2661,22 @@ "The destination IPv4 or IPv6 address of the packet"; } leaf dst-port { type inet:port-number; description "The destination port of the packet"; } leaf rule-name { type leafref { path - "/nsfintf:i2nsf-security-policy" - +"/nsfintf:rules/nsfintf:name"; + "/i2nsfnfi:i2nsf-security-policy" + +"/i2nsfnfi:rules/i2nsfnfi:name"; } mandatory true; description "The name of the I2NSF Policy Rule being triggered"; } } grouping i2nsf-nsf-event-type-content-extend { description "A set of extended common IPv4 or IPv6 related NSF event content elements"; 
@@ -2691,21 +2691,21 @@ description "The source port of the packet or flow"; } uses i2nsf-nsf-event-type-content; } grouping action { description "A grouping for action."; leaf-list action { type identityref { - base nsfintf:ingress-action; + base i2nsfnfi:ingress-action; } description "Action type: pass, drop, reject, mirror, or rate limit"; } } grouping attack-rates { description "A set of traffic rates for monitoring attack traffic data"; leaf attack-rate { @@ -2877,22 +2877,22 @@ } uses traffic-rates; } grouping i2nsf-nsf-counters-type-content { description "A set of contents of a policy in an NSF."; leaf policy-name { type leafref { path - "/nsfintf:i2nsf-security-policy" - +"/nsfintf:name"; + "/i2nsfnfi:i2nsf-security-policy" + +"/i2nsfnfi:name"; } mandatory true; description "The name of the policy being triggered"; } } grouping enable-notification { description "A grouping for enabling or disabling notification"; @@ -3004,33 +3004,33 @@ } leaf component-name { type string; description "The hardware component responsible for generating the message. Applicable for Hardware Failure Alarm."; } leaf interface-name { when "derived-from-or-self(../alarm-category, " - + "'nsfmi:interface-alarm')"; + + "'i2nsfmi:interface-alarm')"; type if:interface-ref; description "The interface name responsible for generating the message. Applicable for Network Interface Failure Alarm."; reference "RFC 8343: A YANG Data Model for Interface Management"; } leaf interface-state { when "derived-from-or-self(../alarm-category, " - + "'nsfmi:interface-alarm')"; + + "'i2nsfmi:interface-alarm')"; type enumeration { enum up { value 1; description "The interface state is up and not congested. The interface is ready to pass packets."; } enum down { value 2; description 
@@ -3095,38 +3095,38 @@ leaf event-category { type identityref { base system-event; } description "The event category for system-detection-event"; } uses i2nsf-system-event-type-content; list changes { when "derived-from-or-self(../event-category, " - + "'nsfmi:configuration-change')"; + + "'i2nsfmi:configuration-change')"; key policy-name; description "Describes the modification that was made to the configuration. This list is only applicable when the event is 'configuration-change'. The minimum information that must be provided is the name of the policy that has been altered (added, modified, or removed). This list can be extended with the detailed information about the specific changes made to the configuration based on the implementation."; leaf policy-name { type leafref { path - "/nsfintf:i2nsf-security-policy" - +"/nsfintf:name"; + "/i2nsfnfi:i2nsf-security-policy" + +"/i2nsfnfi:name"; } description "The name of the policy configuration that has been added, modified, or removed."; } } } } case i2nsf-traffic-flows { @@ -3608,22 +3608,22 @@ leaf-list attack-dst-port { type inet:port-number; description "The transport-layer destination ports of the DDoS attack. Note that not all ports will have been seen on all the corresponding destination IP addresses."; } leaf rule-name { type leafref { path - "/nsfintf:i2nsf-security-policy" - +"/nsfintf:rules/nsfintf:name"; + "/i2nsfnfi:i2nsf-security-policy" + +"/i2nsfnfi:rules/i2nsfnfi:name"; } mandatory true; description "The name of the I2NSF Policy Rule being triggered"; } uses attack-rates; } } case i2nsf-nsf-detection-virus { @@ -4106,21 +4106,21 @@ The following example shows an alarm triggered by Memory Usage on the server; this example XML file is delivered by an NSF to an NSF data collector: 2021-04-29T07:43:52.181088+00:00 + xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-monitoring-interface"> subscription on-change on-repetition en-US memory-alarm 91 90 Memory Usage Exceeded the Threshold time_based_firewall 
@@ -4155,39 +4155,39 @@ To get the I2NSF system interface counters information by query, NETCONF Client (e.g., NSF data collector) needs to initiate GET connection with NETCONF Server (e.g., NSF). The following XML file can be used to get the state data and filter the information. + xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-monitoring-interface"> Figure 5: XML Example for NETCONF GET with System Interface Filter The following XML file shows the reply from the NETCONF Server (e.g., NSF): + xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-monitoring-interface"> query 2021-04-29T08:43:52.181088+00:00 ens3 549050 814956 0 5078 @@ -4208,30 +4208,30 @@ Figure 6: Example of I2NSF System Interface Counters XML Information 11. IANA Considerations This document requests IANA to register the following URI in the "IETF XML Registry" [RFC3688]: - URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring + URI: urn:ietf:params:xml:ns:yang:ietf-i2nsf-monitoring-interface Registrant Contact: The IESG. XML: N/A; the requested URI is an XML namespace. This document requests IANA to register the following YANG module in the "YANG Module Names" registry [RFC7950][RFC8525]: - name: ietf-i2nsf-nsf-monitoring - namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-nsf-monitoring - prefix: nsfmi + name: ietf-i2nsf-monitoring-interface + namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-monitoring-interface + prefix: i2nsfmi reference: RFC XXXX // RFC Ed.: replace XXXX with an actual RFC number and remove // this note. 12. Security Considerations The YANG module described in this document defines a schema for data that is designed to be accessed via network management protocols such as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer 
@@ -4542,33 +4542,33 @@ messaging-19.txt>. [I-D.ietf-httpbis-semantics] Fielding, R. T., Nottingham, M., and J. Reschke, "HTTP Semantics", Work in Progress, Internet-Draft, draft-ietf- httpbis-semantics-19, 12 September 2021, . [I-D.ietf-i2nsf-capability-data-model] - Hares, S., Jeong, J. (., Kim, J. (., Moskowitz, R., and Q. + Hares, S., Jeong, J. P., Kim, J. T., Moskowitz, R., and Q. Lin, "I2NSF Capability YANG Data Model", Work in Progress, - Internet-Draft, draft-ietf-i2nsf-capability-data-model-30, - 13 April 2022, . + Internet-Draft, draft-ietf-i2nsf-capability-data-model-31, + 14 May 2022, . [I-D.ietf-i2nsf-nsf-facing-interface-dm] - Kim, J. (., Jeong, J. (., Park, J., Hares, S., and Q. Lin, + Kim, J. T., Jeong, J. P., Park, J., Hares, S., and Q. Lin, "I2NSF Network Security Function-Facing Interface YANG Data Model", Work in Progress, Internet-Draft, draft-ietf- - i2nsf-nsf-facing-interface-dm-25, 13 April 2022, + i2nsf-nsf-facing-interface-dm-27, 14 May 2022, . + facing-interface-dm-27.txt>. [I-D.ietf-tcpm-rfc793bis] Eddy, W. M., "Transmission Control Protocol (TCP) Specification", Work in Progress, Internet-Draft, draft- ietf-tcpm-rfc793bis-28, 7 March 2022, . [I-D.ietf-tsvwg-rfc4960-bis] Stewart, R. R., Tüxen, M., and K. E. E. Nielsen, "Stream 
@@ -4593,54 +4593,53 @@ [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, . [RFC8792] Watsen, K., Auerswald, E., Farrel, A., and Q. Wu, "Handling Long Lines in Content of Internet-Drafts and RFCs", RFC 8792, DOI 10.17487/RFC8792, June 2020, . [I-D.ietf-i2nsf-consumer-facing-interface-dm] - Jeong, J. (., Chung, C., Ahn, T., Kumar, R., and S. Hares, + Jeong, J. P., Chung, C., Ahn, T., Kumar, R., and S. Hares, "I2NSF Consumer-Facing Interface YANG Data Model", Work in Progress, Internet-Draft, draft-ietf-i2nsf-consumer- - facing-interface-dm-18, 13 April 2022, + facing-interface-dm-19, 18 May 2022, . + consumer-facing-interface-dm-19.txt>. [IANA-HTTP-Status-Code] Internet Assigned Numbers Authority (IANA), "Hypertext Transfer Protocol (HTTP) Status Code Registry", September 2018, . [IEEE-802.1AB] Institute of Electrical and Electronics Engineers, "IEEE Standard for Local and metropolitan area networks - Station and Media Access Control Connectivity Discovery", March 2016, . -Appendix A. Changes from draft-ietf-i2nsf-nsf-monitoring-data-model-16 +Appendix A. Changes from draft-ietf-i2nsf-nsf-monitoring-data-model-18 The following changes are made from draft-ietf-i2nsf-nsf-monitoring- - data-model-16: + data-model-18: - * This version is added following Benjamin Kaduk, Francesca - Palombini, and Robert Wilton's comments + * The YANG module's prefix is updated from 'nsfmi' to 'i2nsfmi'. - * This version updated the IETF Trust Copyright statement in the - YANG data model. + * The YANG module's name is updated from 'ietf-i2nsf-nsf-monitoring' + to 'ietf-i2nsf-monitoring-interface'. Authors' Addresses - Jaehoon (Paul) Jeong (editor) + Jaehoon Paul Jeong (editor) Department of Computer Science and Engineering Sungkyunkwan University 2066 Seobu-Ro, Jangan-Gu Suwon Gyeonggi-Do 16419 Republic of Korea Phone: +82 31 299 4957 Email: pauljeong@skku.edu URI: http://iotlab.skku.edu/people-jaehoon-jeong.php 
@@ -4657,21 +4656,21 @@ Email: patricklink@skku.edu Susan Hares Huawei 7453 Hickory Hill Saline, MI 48176 United States of America Phone: +1-734-604-0332 Email: shares@ndzh.com - Liang (Frank) Xia + Liang Frank Xia Huawei 101 Software Avenue, Yuhuatai District Nanjing Jiangsu, China Email: Frank.xialiang@huawei.com Henk Birkholz Fraunhofer Institute for Secure Information Technology Rheinstrasse 75
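Review bot: The import reference in the module header hunk (@@ -1597,41) and the reference-list hunk (@@ -4542,33) disagree on the revision of the NSF-facing interface draft. The import cites "Section 4.1 of draft-ietf-i2nsf-nsf-facing-interface-dm-28", while the [I-D.ietf-i2nsf-nsf-facing-interface-dm] entry is bumped only to "i2nsf-nsf-facing-interface-dm-27, 14 May 2022". Every leafref in this module now resolves through the i2nsfnfi prefix (/i2nsfnfi:i2nsf-security-policy/name and /i2nsfnfi:i2nsf-security-policy/rules/name), so the cited revision has to be the one that actually defines the module ietf-i2nsf-nsf-facing-interface with those nodes. Please make both places name the same revision.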
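Review bot: Appendix A (hunk @@ -4593,54) lists only two changes, the prefix 'nsfmi' to 'i2nsfmi' and the module name 'ietf-i2nsf-nsf-monitoring' to 'ietf-i2nsf-monitoring-interface', but the same diff also changes the XML namespace URI (module header, XML examples and the IANA registration) and replaces the import of ietf-i2nsf-policy-rule-for-nsf (prefix nsfintf) with ietf-i2nsf-nsf-facing-interface (prefix i2nsfnfi). Both are visible to implementers: a collector that matches notifications or builds subtree filters on the old xmlns value will no longer match, and the imported module has a different name. I suggest adding a bullet for the namespace change and one for the renamed import and its prefix, so the change log covers everything a deployed NSF or data collector has to update.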
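Review bot: The prefix rename reaches into quoted XPath arguments, not just into type and path statements, and those are easy to miss. The hunks at @@ -2564,21, @@ -3004,33 and @@ -3095,38 update four when expressions of the form derived-from-or-self(../acquisition-method, 'i2nsfmi:subscription'), where the prefix sits inside a string literal. Since this diff shows only the lines that changed, please check the full module for any remaining 'nsfmi: or nsfintf: occurrence inside a when or must string, and run the module and the XML examples of Sections 9 and 10 through a YANG validator against the renamed import before publishing. A stale prefix in one of these conditions would leave emission-type, interface-name, interface-state or the changes list gated on an identity that no longer resolves.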