--- 1/draft-ietf-i2nsf-consumer-facing-interface-dm-04.txt 2019-06-12 06:13:28.855333710 -0700
+++ 2/draft-ietf-i2nsf-consumer-facing-interface-dm-05.txt 2019-06-12 06:13:28.939335827 -0700
@@ -1,56 +1,56 @@
I2NSF Working Group J. Jeong
Internet-Draft E. Kim
Intended status: Standards Track Sungkyunkwan University
-Expires: October 6, 2019 T. Ahn
+Expires: December 14, 2019 T. Ahn
Korea Telecom
R. Kumar
Juniper Networks
S. Hares
Huawei
- April 4, 2019
+ June 12, 2019
I2NSF Consumer-Facing Interface YANG Data Model
- draft-ietf-i2nsf-consumer-facing-interface-dm-04
+ draft-ietf-i2nsf-consumer-facing-interface-dm-05
Abstract
This document describes an information model and a YANG data model
for the Consumer-Facing Interface between an Interface to Network
Security Functions (I2NSF) User and Security Controller in an I2NSF
system in a Network Functions Virtualization (NFV) environment. The
- information model defines various managed objects and relationship
- among these objects needed to build the interface. The information
- model is organized based on the "Event-condition-Event" (ECA) policy
- model defined by a capability information model for Interface to
- Network Security Functions (I2NSF)[i2nsf-capability-im], and the data
- model is defined for enabling different users of a given I2NSF system
- to define, manage, and monitor security policies for specific flows
- within an administrative domain.
+ information model defines various types of managed objects and the
+ relationship among them needed to build the interface. The
+ information model is organized based on the "Event-Condition-Action"
+ (ECA) policy model defined by a capability information model for
+ I2NSF [i2nsf-capability-im], and the data model is defined for
+ enabling different users of a given I2NSF system to define, manage,
+ and monitor security policies for specific flows within an
+ administrative domain.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
- This Internet-Draft will expire on October 6, 2019.
+ This Internet-Draft will expire on December 14, 2019.
Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
@@ -68,24 +68,24 @@
4. Information Model for Policy . . . . . . . . . . . . . . . . 5
4.1. Event Sub-model . . . . . . . . . . . . . . . . . . . . . 7
4.2. Condition Sub-model . . . . . . . . . . . . . . . . . . . 7
4.3. Action Sub-model . . . . . . . . . . . . . . . . . . . . 9
5. Information Model for Multi-Tenancy . . . . . . . . . . . . . 10
5.1. Policy Domain . . . . . . . . . . . . . . . . . . . . . . 10
5.2. Policy Tenant . . . . . . . . . . . . . . . . . . . . . . 11
5.3. Policy Role . . . . . . . . . . . . . . . . . . . . . . . 12
5.4. Policy User . . . . . . . . . . . . . . . . . . . . . . . 13
5.5. Policy Management Authentication Method . . . . . . . . . 13
- 6. Information Model for Policy Endpoint Groups . . . . . . . . 14
+ 6. Information Model for Policy Endpoint Groups . . . . . . . . 15
6.1. User Group . . . . . . . . . . . . . . . . . . . . . . . 15
6.2. Device Group . . . . . . . . . . . . . . . . . . . . . . 16
- 6.3. Location Group . . . . . . . . . . . . . . . . . . . . . 16
+ 6.3. Location Group . . . . . . . . . . . . . . . . . . . . . 17
7. Information Model for Threat Prevention . . . . . . . . . . . 17
7.1. Threat Feed . . . . . . . . . . . . . . . . . . . . . . . 18
7.2. Payload Content . . . . . . . . . . . . . . . . . . . . . 19
8. Role-based Acess Control (RBAC) . . . . . . . . . . . . . . . 19
9. YANG Data Model for Security Policies for Consumer-Facing
Interface . . . . . . . . . . . . . . . . . . . . . . . . . . 20
10. Example XML Output for Various Scenarios . . . . . . . . . . 38
10.1. DB Registration: Information of Positions and Devices
(Endpoint Group) . . . . . . . . . . . . . . . . . . . . 39
10.2. Scenario 1: Block SNS Access during Business Hours . . . 39
@@ -93,21 +93,21 @@
a Company . . . . . . . . . . . . . . . . . . . . . . . 41
10.4. Scenario 3: Mitigate HTTP and HTTPS Flood Attacks on a
Company Web Server . . . . . . . . . . . . . . . . . . . 42
11. Security Considerations . . . . . . . . . . . . . . . . . . . 44
12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 44
13. References . . . . . . . . . . . . . . . . . . . . . . . . . 44
13.1. Normative References . . . . . . . . . . . . . . . . . . 44
13.2. Informative References . . . . . . . . . . . . . . . . . 45
Appendix A. Changes from draft-ietf-i2nsf-consumer-facing-
- interface-dm-03 . . . . . . . . . . . . . . . . . . 47
+ interface-dm-04 . . . . . . . . . . . . . . . . . . 47
Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 47
Appendix C. Contributors . . . . . . . . . . . . . . . . . . . . 47
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 49
1. Introduction
In an I2NSF framework, each vendor can register their NSFs using a
Developer's Management System (DMS). Assuming that vendors also
provide the front-end web applications registered with an I2NSF User,
the Consumer-Facing Interface is required because the web
@@ -121,32 +121,32 @@
These policies can easily be translated by the Security Controller
into low-level security policies. The Security Controller delivers
the translated policies to Network Security Functions (NSFs)
according to their respective security capabilities for the required
securiy enforcement.
The Consumer-Facing Interface would be built using a set of objects,
with each object capturing a unique set of information from Security
Administrator (i.e., I2NSF User [RFC8329]) needed to express a
Security Policy. An object may have relationship with various other
- objects to express a complete set of requirement. An information
+ objects to express a complete set of requirements. An information
model captures the managed objects and relationship among these
objects. The information model proposed in this document is
- structured in accordance with the "Event-Condition-Event" (ECA)
+ structured in accordance with the "Event-Condition-Action" (ECA)
policy model.
An NSF Capability model is proposed in [i2nsf-capability-im] as the
basic model for both the NSF-Facing interface and Consumer-Facing
Interface security policy model of this document.
[RFC3444] explains differences between an information and data model.
- This document use the guidelines in [RFC3444] to define both the
+ This document uses the guidelines in [RFC3444] to define both the
information and data model for Consumer-Facing Interface. Figure 1
shows a high-level abstraction of Consumer-Facing Interface. A data
model, which represents an implementation of the information model in
a specific data representation language, is also defined in this
document.
+-----------------+ +-----------------+
| Consumer-Facing | | Consumer-Facing |
| Interface +--->+ Interface |
|Information Model| | Data Model |
@@ -173,32 +173,32 @@
+-------------+ +-------------+ +-------------+
Figure 1: Diagram for High-level Abstraction of Consumer-Facing
Interface
Data models are defined at a lower level of abstraction and provide
many details. They provide details about the implementation of a
protocol's specification, e.g., rules that explain how to map managed
objects onto lower-level protocol constructs. Since conceptual
models can be implemented in different ways, multiple data models can
- be derived by a single information model.
+ be derived from a single information model.
The efficient and flexible provisioning of network functions by a
Network Functions Virtualization (NFV) system leads to a rapid
advance in the network industry. As practical applications, Network
Security Functions (NSFs), such as firewall, Intrusion Detection
System (IDS)/Intrusion Prevention System (IPS), and attack
mitigation, can also be provided as Virtual Network Functions (VNF)
- in the NFV system. By the efficient virtual technology, these VNFs
- might be automatically provisioned and dynamically migrated based on
- real-time security requirements. This document presents a YANG data
- model to implement security functions based on NFV.
+ in the NFV system. By the efficient virtualization technology, these
+ VNFs might be automatically provisioned and dynamically migrated
+ based on real-time security requirements. This document presents a
+ YANG data model to implement security functions based on NFV.
2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC3444]
RFC8174 [RFC8174].
3. Terminology
@@ -209,21 +209,21 @@
YANG types defined in [RFC6991], and adopts the Network Management
Datastore Architecture (NMDA). The meaning of the symbols in tree
diagrams is defined in [RFC8340].
4. Information Model for Policy
A Policy object represents a mechanism to express a Security Policy
by Security Administrator (i.e., I2NSF User) using Consumer-Facing
Interface toward Security Controller; the policy would be enforced on
an NSF. Figure 2 shows the XML instance of the Policy object. The
- Policy object SHALL have following information:
+ Policy object SHALL have the following information:
Name: This field identifies the name of this object.
Date: Date when this object was created or last modified.
Rules: This field contains a list of rules. If the rule does not
have a user-defined precedence, then any conflict must be
manually resolved.
+--rw policy
@@ -256,34 +256,34 @@
Condition: This field contains all the checking conditions to
apply to the objective traffic. See details in
Section 4.2.
Action: This field identifies the action taken when a rule is
matched. There is always an implicit action to drop
traffic if no rule is matched for a traffic type. See
details in Section 4.3.
- IPsec: This field contains the information about IPsec type.
- There are two types such as IPsec-IKE and IPsec-IKEless
- [i2nsf-ipsec].
+ IPsec-Method: This field contains the information about IPsec
+ method type. There are two types such as IPsec-IKE and
+ IPsec-IKEless. [i2nsf-ipsec].
Owner: This field contains the onwer of the rule. For example,
the person who created it, and eligible for modifying it.
+--rw rule* [rule-name]
+--rw rule-name string
+--rw date? yang:date-and-time
+--rw event* [name]
+--rw condition
+--rw action
- +--rw ipsec
+ +--rw ipsec-method
+--rw owner? string
Figure 3: YANG Data Tree for Rule
4.1. Event Sub-model
The Event Object contains information related to scheduling a Rule.
The Rule could be activated based on a time calendar or security
event including threat level changes. Figure 4 shows the XML
instance of the Event object. Event object SHALL have following
@@ -314,21 +314,21 @@
+--rw recur boolean
+--rw recursive-type? enumeration
Figure 4: Event Sub-model YANG Data Tree
4.2. Condition Sub-model
This object represents Conditions that Security Administrator wants
to apply the checking on the traffic in order to determine whether
the set of actions in the Rule can be executed or not. The Condition
- Sub-model consists of 3 different types of three containers each
+ Sub-model consists of three different types of containers each
representing different cases, such as general firewall and DDoS-
mitigation cases, and a case when the condition is based on the
payload strings of packets. Each containers have source-target and
destination-target to represent the source and destination for each
case. Figure 5 shows the XML instance of the Condition object. The
Condition Sub-model SHALL have following information:
Firewall-condition: This field represents the general firewall
case, where a security admin can set up firewall conditions
using the information present in this field. The source
@@ -616,40 +616,41 @@
Mutual-Authentication: This field indicates whether mutual
authentication is mandatory or not.
Token-Server: This field stores the information about server that
validates the token submitted as credentials.
Certificate-Server: This field stores the information about
server that validates certificates submitted as
credentials.
- IPsec: This field contains the information about IPsec type.
- There are two types; 1) IPsec-IKE and IPsec-IKEless.
+ IPsec-Method: This list has IPsec method types based on the
+ identities defined. There are two types such as IPsec-IKE
+ and IPsec-IKEless.
Single Sign-on-Server: This field stores the information about
server that validates user credentials.
+--rw policy-mgnt-auth-method* [name]
+--rw name string
+--rw date? yang:date-and-time
+--rw mutual-authentication? boolean
+--rw password
| +--rw password? password-type
+--rw token
| +--rw token? string
| +--rw token-server? inet:ipv4-address
+--rw certificate
| +--rw certificate? certificate-type
| +--rw certificate-server? inet:ipv4-address
- +--rw ipsec* [ipsec-method]
- | +--rw ipsec-method identityref
+ +--rw ipsec-method* [method]
+ | +--rw method identityref
+--rw single-sign-on
+--rw credential? certificate-type
+--rw certificate-server? inet:ipv4-address
Figure 12: Policy Management Authentication Method YANG Data Tree
6. Information Model for Policy Endpoint Groups
The Policy Endpoint Group is a very important part of building User-
Construct based policies. A Security Administrator would create and
@@ -958,21 +959,21 @@
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices.";
- revision "2019-04-04"{
+ revision "2019-06-12"{
description "latest revision";
reference
"draft-ietf-consumer-facing-interface-dm-03";
}
identity permission-type {
description
"Base identity for the permission types.";
}
identity read-only {
@@ -1058,35 +1059,35 @@
identity trojan {
base malware-file-type;
description
"Identity for Trojan infection event types.";
}
identity ransomeware {
base malware-file-type;
description
"Identity for ransomeware infection event types.";
}
- identity ipsec-type {
+ identity i2nsf-ipsec {
description
- "Base identity for the IPsec types.";
+ "Base identity for IPsec method types.";
}
- identity ike {
- base ipsec-type;
+ identity ipsec-ike {
+ base i2nsf-ipsec;
description
- "Identity for ipsec-ike";
+ "Identity for ipsec-ike.";
}
- identity ikeless {
- base ipsec-type;
+ identity ipsec-ikeless {
+ base i2nsf-ipsec;
description
- "Identity for ipsec-ikeless";
+ "Identity for ipsec-ikeless.";
}
identity continent {
description
"Base Identity for continent types.";
}
identity africa {
base continent;
description
@@ -1477,30 +1478,30 @@
'AUTHENTICATE-SESSION', 'IPS, 'APP-FIREWALL', etc.";
}
leaf secondary-action {
type string;
description
"This field identifies additional actions if
a rule is matched. This could be one of 'LOG',
'SYSLOG', 'SESSION-LOG', etc.";
}
}
- container ipsec {
+ container ipsec-method {
description
- "This container represents the IPsec-IKE/IKEless cases.";
- leaf ipsec-method {
+ "This container represents the IPsec IKE and IKEless cases.";
+ leaf method {
type leafref {
- path "/policy/multi-tenancy/policy-mgnt-auth-method/ipsec/ipsec-method";
+ path "/policy/multi-tenancy/policy-mgnt-auth-method/ipsec-method/method";
}
description
- "This represents the IPsec-method, which
- is defined by policy-mgny-auth-method.";
+ "This references the IPsec method types,
+ which includes IPsec IKE and IPsec IKEless cases.";
}
}
leaf owner {
type string;
description
"This field defines the owner of this
policy. Only the owner is authorized to
modify the contents of the policy.";
}
}
@@ -1537,21 +1538,21 @@
path "/policy/multi-tenancy/policy-domain/name";
}
description
"This field identifies the domain to which this
tenant belongs. This should be reference to a
'Policy-Domain' object.";
}
}
leaf authentication-method {
type leafref {
- path "/policy/multi-tenancy/policy-mgnt-auth-method/ipsec/ipsec-method";
+ path "/policy/multi-tenancy/policy-mgnt-auth-method/ipsec-method/method";
}
description
"Authentication method to be used for this domain.
It should be a reference to a 'policy-mgmt-auth-method'
object.";
}
description
"This represents the list of policy domains.";
}
container policy-role {
@@ -1663,31 +1664,31 @@
leaf certificate-server {
type inet:ipv4-address;
description
"The certificate-server information if
the authentication method is
certificate-based";
}
description
"This describes the certificate-based authentication list.";
}
- list ipsec {
- key "ipsec-method";
- leaf ipsec-method {
+ list ipsec-method {
+ key "method";
+ leaf method {
type identityref {
- base ipsec-type;
+ base i2nsf-ipsec;
}
description
- "This represents the IPsec-IKE or IPsec-IKEless cases.";
+ "This represents IPsec IKE and IPsec IKEless cases.";
}
description
- "This represents the list of IPsec-method.";
+ "This represents the list of IPsec method types.";
}
list single-sign-on {
key "credential";
leaf credential {
type certificate-type;
description
"This represents the authentication
using user credentials.";
}
leaf certificate-server {
@@ -1844,44 +1845,45 @@
sns-websites
drop
-
- ikeless
-
+
+ ipsec-ike
+
Figure 25: An XML Example for Time-based Firewall
Time-based-condition Firewall
1. The policy name is "security_policy_for_blocking_sns".
2. The rule name is "block_access_to_sns_during_office_hours".
3. The Source-target is "employees".
4. The destination target is "sns-websites". "sns-websites" is the
key which represents the list containing the information, such as
URL, about sns-websites.
5. The action required is to "drop" any attempt to connect to
websites related to Social networking.
- 6. The IPsec-method is set to "ikeless".
+ 6. The IPsec method type used for nsf traffic steering is set to
+ "ipsec-ike".
10.3. Scenario 2: Block Malicious VoIP/VoLTE Packets Coming to a
Company
The second example scenario is to "block malicious VoIP/VoLTE packets
coming to a company" using a VoIP policy. In this scenario, the
calls comming from from VOIP and/or VOLTE sources with VOLTE IDs that
are classified as malicious are dropped. The IP addresses of the
employees and malicious VOIP IDs should be blocked are stored in the
database or datastore of the enterprise. Here and the rest of the
@@ -1907,23 +1909,23 @@
employees
drop
-
- ikeless
-
+
+ ipsec-ikeless
+
Figure 26: An XML Example for VoIP Security Service
Custom-condition Firewall
1. The policy name is
"security_policy_for_blocking_malicious_voip_packets".
@@ -1935,21 +1937,22 @@
admin can read every stored malicious VOIP IDs that are named as
"malicious-id".
4. The destination target is "employees". "employees" is the key
which represents the list containing information about employees,
such as IP addresses.
5. The action required is "drop" when any incoming packets are from
"malicious-id".
- 6. The IPsec-method is set to "ikeless".
+ 6. The IPsec method used for nsf traffic steering is set to "ipsec-
+ ikeless".
10.4. Scenario 3: Mitigate HTTP and HTTPS Flood Attacks on a Company
Web Server
The third example scenario is to "Mitigate HTTP and HTTPS flood
attacks on a company web server" using a DDoS-attack mitigation
policy. Here, the time information is not set because the service
provided by the network should be maintained at all times. If the
packets sent by any sources are more than the set threshold, then the
admin can set the percentage of the packets to be dropped to safely
@@ -1971,23 +1974,23 @@
webservers
100
drop
-
- ikeless
-
+
+ ipsec-ike
+
Figure 27: An XML Example for DDoS-attack Mitigation
DDoS-condition Firewall
1. The policy name is "security_policy_for_ddos_attacks".
2. The rule name is "100_packets_per_second".
@@ -2000,21 +2003,22 @@
second. In this case the rate limit is "100" packets per second.
This amount depends on the packet receiving capacity of the
server devices.
5. The Source-target is all sources which send abnormal amount of
packets.
6. The action required is to "drop" packet reception is more than
100 packets per second.
- 7. The IPsec-method is set to "ikeless".
+ 7. The IPsec method used for nsf traffic steering is set to "ipsec-
+ ike".
11. Security Considerations
The data model for the I2NSF Consumer-Facing Interface is based on
the I2NSF framework [RFC8329], so the same security considerations
with the I2NSF framework should be included in this document. The
data model needs a secure communication channel to protect the
Consumer-Facing Interface between the I2NSF User and Security
Controller.
@@ -2088,78 +2092,82 @@
[client-facing-inf-req]
Kumar, R., Lohiya, A., Qi, D., Bitar, N., Palislamovic,
S., and L. Xia, "Requirements for Client-Facing Interface
to Security Controller", draft-ietf-i2nsf-client-facing-
interface-req-05 (work in progress), May 2018.
[i2nsf-capability-im]
Xia, L., Strassner, J., Basile, C., and D. Lopez,
"Information Model of NSFs Capabilities", draft-ietf-
- i2nsf-capability-04 (work in progress), October 2018.
+ i2nsf-capability-05 (work in progress), April 2019.
[i2nsf-ipsec]
Marin-Lopez, R., Lopez-Millan, G., and F. Pereniguez-
Garcia, "Software-Defined Networking (SDN)-based IPsec
Flow Protection", draft-ietf-i2nsf-sdn-ipsec-flow-
protection-04 (work in progress), March 2019.
[i2nsf-terminology]
Hares, S., Strassner, J., Lopez, D., Xia, L., and H.
Birkholz, "Interface to Network Security Functions (I2NSF)
Terminology", draft-ietf-i2nsf-terminology-07 (work in
progress), January 2019.
Appendix A. Changes from draft-ietf-i2nsf-consumer-facing-interface-
- dm-03
+ dm-04
The following changes have been made from draft-ietf-i2nsf-consumer-
- facing-interface-dm-03:
+ facing-interface-dm-04:
- o This version added an I2NSF IPsec field for configuration and
- state data for IPsec management (i.e., IPsec method such as IKE
- and IKEless [i2nsf-ipsec]) in the I2NSF framework.
+ o In Section 4 and Section 5.5, a field named "ipsec-method" is
+ added to support IPsec method types (i.e., IPsec IKE and IPsec
+ IKEless) for the configuration and state data of IPsec management
+ in the I2NSF framework, which is specified in [i2nsf-ipsec].
Appendix B. Acknowledgments
This work was supported by Institute for Information & communications
- Technology Promotion(IITP) grant funded by the Korea government(MSIP)
- (No.R-20160222-002755, Cloud based Security Intelligence Technology
- Development for the Customized Security Service Provisioning).
+ Technology Promotion (IITP) grant funded by the Korea government
+ (MSIP)(No. R-20160222-002755, Cloud based Security Intelligence
+ Technology Development for the Customized Security Service
+ Provisioning).
Appendix C. Contributors
This document is made by the group effort of I2NSF working group.
Many people actively contributed to this document, such as Mahdi F.
Dachmehchi and Daeyoung Hyun. The authors sincerely appreciate their
contributions.
The following are co-authors of this document:
Hyoungshick Kim
- Department of Software
+ Department of Computer Science and Engineering
+ Sungkyunkwan University
2066 Seo-ro Jangan-gu
Suwon, Gyeonggi-do 16419
Republic of Korea
EMail: hyoung@skku.edu
Seungjin Lee
- Department of Electrical and Computer Engineering
+ Department of Electronic, Electrical and Computer Engineering
+ Sungkyunkwan University
2066 Seo-ro Jangan-gu
Suwon, Gyeonggi-do 16419
Republic of Korea
EMail: jine33@skku.edu
-
Jinyong Tim Kim
- Department of Electrical and Computer Engineering
+ Department of Electronic, Electrical and Computer Engineering
+ Sungkyunkwan University
2066 Seo-ro Jangan-gu
Suwon, Gyeonggi-do 16419
Republic of Korea
EMail: timkim@skku.edu
Anil Lohiya
Juniper Networks
1133 Innovation Way
Sunnyvale, CA 94089
@@ -2195,33 +2203,33 @@
Huawei
101 Software Avenue
Nanjing, Jiangsu 210012
China
EMail: Frank.Xialiang@huawei.com
Authors' Addresses
Jaehoon Paul Jeong
- Department of Software
+ Department of Computer Science and Engineering
Sungkyunkwan University
2066 Seobu-Ro, Jangan-Gu
Suwon, Gyeonggi-Do 16419
Republic of Korea
Phone: +82 31 299 4957
Fax: +82 31 290 7996
EMail: pauljeong@skku.edu
URI: http://iotlab.skku.edu/people-jaehoon-jeong.php
Eunsoo Kim
- Department of Electrical and Computer Engineering
+ Department of Electronic, Electrical and Computer Engineering
Sungkyunkwan University
2066 Seobu-Ro, Jangan-Gu
Suwon, Gyeonggi-Do 16419
Republic of Korea
Phone: +82 31 299 4104
EMail: eskim86@skku.edu
URI: http://seclab.skku.edu/people/eunsoo-kim/
Tae-Jin Ahn